Personal Information: Key Federal Privacy Laws Do Not Require Information
Resellers to Safeguard All Sensitive Data (26-JUN-06, GAO-06-674).

The growth of information resellers--companies that collect and  
resell publicly available and private information on		 
individuals--has raised privacy and security concerns about this 
industry. These companies collectively maintain large amounts of 
detailed personal information on nearly all American consumers,  
and some have experienced security breaches in recent years. GAO 
was asked to examine (1) financial institutions' use of 	 
resellers; (2) federal privacy and security laws applicable to	 
resellers; (3) federal regulators' oversight of resellers; and	 
(4) regulators' oversight of financial institution compliance	 
with privacy and data security laws. To address these objectives,
GAO analyzed documents and interviewed representatives from 10	 
information resellers, 14 financial institutions, 11 regulators, 
industry and consumer groups, and others.			 
-------------------------Indexing Terms-------------------------
REPORTNUM:   GAO-06-674
    ACCNO:   A55942
    TITLE:   Personal Information: Key Federal Privacy Laws Do Not Require
             Information Resellers to Safeguard All Sensitive Data
     DATE:   06/26/2006
  SUBJECT:   Financial institutions
             Information access
             Information security
             Law enforcement
             Privacy law
             Privacy policies
             Right of privacy
             Information resellers
             Personal information


Report to the Committee on Banking, Housing and Urban Affairs, U.S. Senate

United States Government Accountability Office

GAO

June 2006

PERSONAL INFORMATION

Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard
All Sensitive Data

GAO-06-674

Contents

Letter
Results in Brief
Background
Financial Institutions Use Information Resellers for Eligibility
Determinations, Fraud Prevention, PATRIOT Act Compliance, and Marketing
Federal Privacy and Information Security Laws Apply to Many Information
Reseller Products, Depending on Their Use and Source
FTC Has Primary Responsibility for Enforcing Information Resellers'
Compliance with Privacy and Information Security Laws
Agencies Differ in Their Oversight of the Privacy and Security of Personal
Information at Financial Institutions
Conclusions
Matters for Congressional Consideration
Recommendation for Executive Action
Agency Comments
Appendix I: Scope and Methodology
Appendix II: Sample Information Reseller Reports
Sample Insurance Claims History Report
Sample Deposit Account History Report
Sample Identity Verification and OFAC Screening Report
Sample Fraud Investigation Report
Appendix III: Comments from the Federal Trade Commission
Appendix IV: GAO Contact and Staff Acknowledgments

Figures

Figure 1: Typical Information Flow through Resellers to Financial
Institutions
Figure 2: GLBA Privacy Provisions
Figure 3: Enforcement Responsibilities for Selected Financial Institutions
under FCRA and GLBA
Figure 4: Sample Insurance Claims History Report
Figure 5: Sample Deposit Account History Report
Figure 6: Sample Identity Verification and OFAC Screening Report
Figure 7: Sample Fraud Investigation Report

Abbreviations

CRA consumer reporting agency

DISB District of Columbia's Department of Insurance, Securities and Banking

FACT Act Fair and Accurate Credit Transactions Act

FCRA Fair Credit Reporting Act

FDIC Federal Deposit Insurance Corporation

FFIEC Federal Financial Institutions Examination Council

FRB Board of Governors of the Federal Reserve System

FTC Federal Trade Commission

FTC Act Federal Trade Commission Act

GLBA Gramm-Leach-Bliley Act

NAIC National Association of Insurance Commissioners

NCUA National Credit Union Administration

NYSE Regulation New York Stock Exchange Regulation

OCC Office of the Comptroller of the Currency

OFAC Office of Foreign Assets Control

OTS Office of Thrift Supervision

SEC Securities and Exchange Commission

USA PATRIOT Act Uniting and Strengthening America by Providing Appropriate
Tools Required to Intercept and Obstruct Terrorism Act

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office

Washington, DC 20548

June 26, 2006

The Honorable Richard C. Shelby
Chairman
The Honorable Paul S. Sarbanes
Ranking Minority Member
Committee on Banking, Housing and Urban Affairs
United States Senate

The growth in recent years of information resellers--companies that
collect, aggregate, and resell publicly available and private information
on individuals--has raised privacy and security concerns related to this
industry.1 Information resellers maintain and sell vast amounts of
detailed personal information on nearly all American consumers--including
such things as Social Security numbers, home and automobile values,
occupations, and hobbies. In addition, security breaches at some of these
companies have raised concerns in light of the increasing problem of
identity theft. Some policymakers and consumer advocates believe that not
enough is known about these resellers and the information about consumers
that they maintain and share.

Information resellers include consumer reporting agencies (CRA), which
assemble and share credit histories and other personal information used to
help make important decisions about individuals, such as their eligibility
for financial services. Other companies, sometimes called "data brokers,"
collect personal information from a variety of sources for such things as
marketing and fraud prevention. Advances in technology and the
computerization of public records in recent years have fostered
significant growth in the size of the reseller industry and the amount of
personal consumer data that these companies assemble and distribute.

The primary federal laws governing the sharing and use of personal
information by private sector companies are the Fair Credit Reporting Act
(FCRA) and subtitle A of title V of the Gramm-Leach-Bliley Act (GLBA).2
Several federal and state agencies and self-regulatory organizations
enforce these laws, including the Federal Trade Commission (FTC); the
banking regulators--Board of Governors of the Federal Reserve System (FRB),
Office of the Comptroller of the Currency (OCC), Office of Thrift
Supervision (OTS), Federal Deposit Insurance Corporation (FDIC), and
National Credit Union Administration (NCUA); the securities
regulators--Securities and Exchange Commission (SEC), NASD (formerly known
as the National Association of Securities Dealers), and New York Stock
Exchange Regulation (NYSE Regulation); and state insurance regulators.

1This report uses "information resellers" to describe businesses that
collect and resell personal information, but there is no one commonly
agreed-upon term for such companies. FTC has sometimes used the term "data
brokers" but the companies themselves typically use other terms, such as
"information solutions providers."

Concerned about financial institutions' use of information resellers, you
asked us to examine (1) how financial institutions use data products
supplied by information resellers, the types of information contained in
these products, and the sources of the information; (2) how federal laws
governing the privacy and security of personal data apply to information
resellers, and what rights and opportunities exist for individuals to view
and correct data held by resellers; (3) how federal financial institution
regulators and the FTC oversee information resellers' compliance with
federal privacy and information security laws; and (4) how federal
financial institution regulators, state insurance regulators, and the FTC
oversee financial institutions' compliance with federal privacy and
information security laws governing consumer information, including
information supplied by information resellers.

To address these objectives, we gathered and analyzed documents from, and
interviewed representatives of, 10 major information resellers; 14
financial institutions in the banking, securities, credit card,
property/casualty insurance, and consumer lending industry sectors; and
trade associations representing these firms. We also met with experts in
the area of privacy law and with consumer advocacy organizations active in
the field. Our audit work allows us to represent how financial
institutions that offer a sizable and diverse portion of financial
services in the United States use information resellers, and to describe
the types of information products offered by the information resellers
most commonly identified by these financial institutions. Our findings,
however, are not representative of all financial institutions and
information resellers. We also analyzed relevant laws, guidance, and
regulations. Finally, to describe federal and state enforcement and
supervisory activities, we interviewed and analyzed documents from FTC;
the five federal banking and three securities regulators; the National
Association of Insurance Commissioners (NAIC), which represents state
insurance regulators; and the District of Columbia's Department of
Insurance, Securities and Banking (DISB).

2The Fair Credit Reporting Act, Pub. L. No. 90-321, title VI (May 29,
1968) as added by Pub. L. No. 91-508, title VI, § 601, 84 Stat. 1128
(Oct. 26, 1970) (codified at 15 U.S.C. §§ 1681-1681x); and Title V of the
Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999),
Pub. L. No. 106-102, title V, subtitle A, 113 Stat. 1338 (Nov. 12, 1999)
(codified at 15 U.S.C. §§ 6801-6809). As discussed later in this report,
other federal laws--such as the Driver's Privacy Protection Act of 1994 and
the Health Insurance Portability and Accountability Act of 1996--also
govern the use and sharing of certain types of personal information.

We conducted our review from June 2005 through May 2006 in accordance with
generally accepted government auditing standards. A more extensive
discussion of our scope and methodology appears in appendix I.

                                Results in Brief

Financial institutions use data from information resellers to help
determine individuals' eligibility for credit and insurance, comply with
legal requirements, prevent fraud, and market products. Banks and other
lenders use reseller data to help make eligibility and interest rate
decisions for new applicants and existing customers, while insurance
companies use these data to help make underwriting decisions regarding
individual insurance applications. To meet PATRIOT Act requirements
designed to prevent money laundering and transactions with known
criminals, some financial institutions we spoke with use resellers to
confirm the identity of applicants. In addition, reseller data are used to
identify and investigate fraud, locate holders of delinquent accounts, and
conduct due diligence on individuals associated with new business
ventures. Many companies also use certain information reseller products
for marketing purposes--such as to target potential customers who have
certain characteristics or to gather additional information about existing
customers to offer additional products. The specific information
maintained by resellers varies depending on the nature of the reseller and
the types and purposes of its products. Their products often include
credit header data--identifying information at the top of a credit report
that includes such things as name, current and prior addresses, telephone
number, and Social Security number. Products used by lenders for
eligibility determinations typically also contain detailed credit
histories and scores, while products used by insurers may also contain
past insurance claims filed by applicants. Many reseller products,
particularly those used for fraud detection, include court and property
records and bankruptcy filings, motor vehicle records, names of family
members and associates, and professional licenses. Products used for
marketing often include demographic information as well as information on
individual consumers' interests and hobbies. Resellers' sources vary
depending on the product, but may include public records from government
agencies, publicly available information, such as telephone or business
directories, and nonpublic or proprietary information from credit bureaus
or provided to businesses directly by consumers.

The primary federal privacy and data security laws that apply to
information resellers are the Fair Credit Reporting Act (FCRA) and the
Gramm-Leach-Bliley Act (GLBA), but the applicability of these laws with
regard to information resellers is limited. FCRA requires companies to
safeguard and restrict their use and distribution of consumer information
collected or used to determine eligibility for such things as credit,
insurance, or employment, and provides rights to consumers to view and
rectify errors in databases containing such information. The applicability
of FCRA depends largely on the purpose for which the information is
collected, and its intended and actual use, rather than the origins or
nature of the information itself. Resellers offer many products from
databases they consider not subject to FCRA, such as those used for many
marketing and anti-fraud products. Information resellers vary in the
extent to which they voluntarily provide consumers additional
opportunities to view, correct, and opt out of the sharing of information
that is not subject to FCRA. GLBA's privacy provisions restrict the
sharing of nonpublic personal information collected by or acquired from
financial institutions, except in certain circumstances. However, these
provisions only apply to information resellers covered by GLBA's
definition of a "financial institution" or that maintain nonpublic
personal information originating from such a financial institution. GLBA's
safeguarding provisions require that steps be taken to ensure the security
and confidentiality of customers' nonpublic personal information, but
similarly this applies only to resellers that are GLBA financial
institutions. Because of the limited applicability of FCRA and GLBA to
information resellers, sensitive personal information these companies
maintain is often not covered by explicit statutory safeguarding
requirements. For example, some information resellers maintain data such
as Social Security numbers in anti-fraud databases or household incomes in
marketing databases that they do not consider subject to FCRA's or GLBA's
safeguarding provisions. Requiring information resellers to take steps to
prevent unauthorized access to all of the sensitive personal information
they hold would help ensure that explicit data security requirements apply
more comprehensively to a class of companies that maintains large amounts
of such data. In addition, no federal statute requires companies to
disclose breaches of sensitive personal information, although such a
requirement could provide incentives to companies to improve data
safeguarding and provide consumers at risk of identity theft or other
related harm with useful information.

FTC is the primary federal agency responsible for enforcing information
resellers' compliance with the privacy and information security
requirements of FCRA and GLBA. Because it is a law enforcement agency, as
opposed to a regulatory or supervisory agency, FTC does not routinely
monitor or examine resellers, but can initiate investigations based on
complaints and other sources. Since 1972, the agency has initiated formal
enforcement actions against more than 20 consumer reporting agencies,
including the three nationwide credit bureaus, for violating FCRA and the
Federal Trade Commission Act (FTC Act). For example, in January 2006,
ChoicePoint agreed to pay $10 million in civil penalties and $5 million
for consumer redress (damages to compensate consumers for losses) to
settle FTC charges that the company's security and record-handling
procedures allegedly violated FCRA and the FTC Act. Many of FTC's cases
involved companies alleged to have provided consumer report information
without adequately ensuring that their customers had a permissible purpose
for obtaining it. FTC cannot impose civil penalties for violations of
GLBA's privacy and safeguarding provisions, as it can under FCRA. FTC has
used its existing enforcement authority under GLBA to seek injunctions
against financial institutions that have violated that law, and it can
also seek redress for consumers. However, FTC staff have said that civil
penalties would be a more effective tool for violations involving breaches
of mass consumer data.

Federal and state regulators vary in the actions they take to oversee
financial institutions' compliance with federal privacy and information
security laws. In general, regulators told us that their oversight
activities focus on the protection of all sensitive data; they do not
typically distinguish whether the data were obtained from an information
reseller or some other source. The five federal banking regulators have
implemented and enforced GLBA and FCRA by issuing regulations and
guidance, by using their examination procedures to check compliance with
these laws, and by taking enforcement actions to address violations. SEC
has issued regulations to implement GLBA for broker-dealers, investment
companies, and SEC-registered investment advisers. SEC, NASD, and NYSE
Regulation have also issued guidance and examined securities firms for
compliance with GLBA's privacy and safeguarding provisions, and as
necessary have taken enforcement actions. State insurance regulators are
responsible for enforcing GLBA for their states' property-casualty
insurers. NAIC told us that state insurance regulators do not typically
focus in their examinations on privacy requirements, but that they did
recently participate in a multistate survey of insurance company
compliance with GLBA. The survey identified a number of areas of
noncompliance with GLBA, but the extent to which state regulators will be
addressing these problems is unclear. FTC enforces securities firms' and
insurance companies' compliance with FCRA and enforces both FCRA and GLBA
for all financial institutions not otherwise supervised by another
regulator. FTC has issued regulations to implement GLBA and initiated
enforcement actions against consumer finance companies for not ensuring
the security and confidentiality of sensitive customer information. Some
federal banking regulators have authority to examine third-party service
providers with which the banks may do business, and regulators have
examined a limited number of information resellers under this authority.

This report suggests that Congress consider requiring information
resellers, and potentially a broader class of entities, to safeguard all
sensitive personal information they hold. We also suggest that Congress
consider providing FTC with civil penalty authority for its enforcement of
GLBA's privacy and safeguarding provisions. In addition, we recommend that
state insurance regulators, individually and in concert with NAIC, take
additional measures to ensure appropriate enforcement of insurance
companies' compliance with GLBA's privacy and safeguarding requirements.
We provided a draft of this report to FDIC, FRB, FTC, NAIC, NASD, NCUA,
NYSE Regulation, OCC, OTS, and SEC, which provided technical comments that
were incorporated as appropriate. In addition, FTC provided written
comments, in which the agency noted that it agreed with our suggestions to
Congress.

                                   Background

"Information reseller" is an umbrella term used to describe a wide variety
of businesses that collect and aggregate personal information from
multiple sources and make it available to their customers. The industry
has grown considerably over the past two decades, in large part due to
advances in computer technology and electronic storage. Courthouses and
other government offices previously stored personal information in
paper-based public records that were relatively difficult to obtain,
usually requiring a personal visit to inspect the records. Nonpublic
information, such as personal information contained in product
registrations or insurance applications, was also generally inaccessible.
In recent years, however, the electronic storage of public and private
records along with increased computer processing speeds and decreased data
storage costs have fostered information reseller businesses that collect,
organize, and sell vast amounts of personal information on virtually all
American consumers.

The information reseller industry is large and complex, and these
businesses vary in many ways. What constitutes an information reseller is
not always clearly defined and little data exist on the total number of
firms that offer information products. FTC and other federal agencies do
not keep comprehensive lists of companies that resell personal
information, and experts say that characterizing the precise size and
nature of the information reseller industry can be difficult because it is
evolving and lacks a clear definition. Although no comprehensive data
exist, industry representatives say there are at least hundreds of
information resellers in total, including some companies that provide
services over the Internet.3

We include in our definition of information resellers the three nationwide
credit bureaus--Equifax, Experian, and TransUnion, which primarily collect
and sell information about the creditworthiness of individuals--as well as
other resellers such as ChoicePoint, Acxiom, and LexisNexis, which sell
information for a variety of purposes, including marketing.4 Other
companies that sell information products include eFunds, which provides
depository institutions with information on deposit account histories;
Thomson West and Regulatory DataCorp, which help companies mitigate fraud
and other risks; and ISO, which provides insurers with insurance claims
histories and fraud prevention products. Information resellers sell their
products to a broad spectrum of customers, including private companies,
individuals, law enforcement bureaus and other government agencies.5
Although major information resellers generally offer their products only
to customers who have successfully completed a credentialing process, some
resellers offer certain products, such as compilations of telephone
directory information, to the public at large. All of these businesses
differ in nature, and they do not all focus exclusively on aggregating and
reselling personal information. For example, Acxiom primarily provides
customized computer services, and its information products represent a
relatively small portion of the overall activities of the company.

3For more information about Internet resellers, see GAO, Social Security
Numbers: Internet Resellers Provide Few Full SSNs, but Congress Should
Consider Enacting Standards for Truncating SSNs, GAO-06-495 (Washington,
D.C.: May 17, 2006).

4We use "nationwide credit bureau" and "nationwide consumer reporting
agency" interchangeably in this report, and they have the same meaning as
the FCRA phrase "consumer reporting agency that compiles and maintains
files on consumers on a nationwide basis." FCRA defines this phrase as a
consumer reporting agency that regularly engages in the practice of
assembling or evaluating, and maintaining public record information and
credit account information for the purpose of furnishing consumer reports
to third parties bearing on a consumer's credit worthiness, credit
standing, or credit capacity. 15 U.S.C. § 1681a(p).

5For information about federal agencies' use of information resellers, see
GAO, Personal Information: Agency and Reseller Adherence to Key Privacy
Principles, GAO-06-421 (Washington, D.C.: Apr. 4, 2006).

Information resellers obtain their information from many different sources
(see fig. 1). Generally, three types of information are collected: public
records, publicly available information, and nonpublic information.

o  Public records are a primary source of information about consumers,
   available to anyone, and can be obtained from governmental entities.
   What constitutes public records is dependent upon state and federal
   laws, but generally these include birth and death records, property
   records, tax lien records, voter registrations, licensing records, and
   court records (including criminal records, bankruptcy filings, civil
   case files, and legal judgments).
o  Publicly available information is information not found in public
   records but nevertheless publicly available through other sources.
   These sources include telephone directories, business directories,
   print publications such as classified ads or magazines, Internet
   sites, and other sources accessible by the general public.
o  Nonpublic information is derived from proprietary or nonpublic
   sources, such as credit header data, product warranty registrations,
   lists of magazine or catalog subscribers, and other application
   information provided to private businesses directly by consumers.6

Information resellers hold or have access to databases containing a large
variety of information about individuals. Although each reseller varies
in the specific personal information it maintains, it can include names,
aliases, Social Security numbers, addresses, telephone numbers, motor
vehicle records, family members, neighbors, insurance claims, deposit
account histories, criminal records, employment histories, credit
histories, bankruptcy records, professional licenses, household incomes,
home values, automobile values, occupations, ethnicities, and hobbies.

Figure 1: Typical Information Flow through Resellers to Financial
Institutions

The various products offered by different types of information resellers
are used for a wide range of purposes, including credit and background
checks, fraud prevention, and marketing. Resellers often sell their data
to each other--for example, the credit bureaus sell credit header data to
other resellers for use in identity verification and fraud prevention
products. Resellers might also purchase publicly available information
from one another, rather than gathering the information themselves. The
nature of the databases maintained and products offered by information
resellers varies. Credit bureaus maintain an individual file on most
Americans containing financial information related to that person's
creditworthiness. Most other resellers do not typically maintain complete
files on individuals, but rather collect and maintain information in a
variety of databases, and then provide their customers with a single
consolidated source for a broad array of personal information.

Financial Institutions Use Information Resellers for Eligibility
Determinations, Fraud Prevention, PATRIOT Act Compliance, and Marketing

Financial institutions in the banking, credit card, securities, and
insurance industries use personal data purchased from information
resellers primarily to help make eligibility determinations, comply with
legal requirements, prevent fraud, and market their products.7 Credit
reports from the three nationwide credit bureaus help lenders determine
eligibility for and the cost of credit, and reports on insurance claims
histories from specialty CRAs help insurance companies make premium
decisions for new applicants and existing customers. To meet certain legal
requirements and detect and prevent fraud, financial institutions we
studied also use reseller products to locate individuals or confirm their
identity. In addition, certain reseller products containing demographic
data and information on individuals' lifestyle interests and hobbies are
used to help market financial products to existing or potential customers
with certain characteristics.

           Consumer Reports Sold by Credit Bureaus and Other CRAs Are Used
           to Make Credit and Insurance Eligibility Decisions

           Banks, credit card companies, and other lenders rely on credit
           reports sold by the three nationwide credit bureaus (Equifax,
           Experian, and TransUnion) when deciding whether to offer credit to
           an individual, at what rate, and on what terms. Banks use credit
           reports to help assess the credit risk of new customers before
           opening a new deposit account or providing a mortgage or other
           loan. Credit card companies use credit reports to determine
           whether to grant a credit card to an applicant, determine the
           terms of that card, and to adjust the account terms of current
           cardholders whose creditworthiness may have changed. In addition
           to lenders, insurance companies often use scores generated from
           credit report information to help determine premiums for the
           policies they underwrite.

           Credit bureaus receive the information in credit reports from the
           financial institutions themselves, among other sources. Credit
           reports consist of a "credit header" (identifying information such
           as name, current and previous addresses, Social Security number,
           and telephone number) and a credit history, or other payment
           history, designed to provide information on the individual's
           creditworthiness. The credit history might contain information on
           an individual's current and past credit accounts, including
           amounts borrowed and owed, credit limits, relevant dates, and
           payment histories, including any record of late payments. Credit
           reports also may include public record information on tax liens,
           bankruptcies, and other court judgments related to the payment of
           debts. Credit bureaus also sell credit scores, which are numerical
           representations of predicted creditworthiness based on information
           in credit reports, and are often used instead of full credit
           reports. For example, all three credit bureaus sell FICO(R) credit
           scores, which use factors such as payment history, amount owed,
           and length of credit history to help financial institutions
           predict the likelihood that a person will repay a loan.8

           Some financial institutions also use specialty CRAs, which
           maintain specific types of files on consumers, to help make
           eligibility decisions. Insurance companies commonly use products
           from ChoicePoint and ISO, which compile data from insurance
           companies on the claims that individuals have made against their
           homeowner's or automobile insurance policies.9 Most insurance
           companies provide these CRAs with claim and loss information about
           their customers, including names, driver's license information,
           type of loss, date of loss, and amount the insurance company paid
           to settle the claim. The CRAs aggregate this information from
           multiple insurance companies to create either full reports or risk
           scores designed to help assess the likelihood that an individual
           will file a claim. Insurance companies purchase reports, or in
           some cases scores, associated with individuals applying for
           insurance and the property being insured to help decide whether to
           provide coverage and at what rate. Insurance companies also use
           this information to help determine whether to extend coverage and
           set premiums for existing policy holders. (See app. II for a
           sample insurance claims history report.) Insurance industry
           representatives told us aggregated claims data provided by
           specialty CRAs are extremely useful in making coverage and rate
           determinations. They noted, for example, that past losses are the
           best indicator of future driving risk and thus are useful to firms
           that underwrite auto insurance.

           Banks and credit unions frequently assess applicants of new
           checking and other deposit accounts using products offered by
           resellers such as ChexSystems, a specialty CRA that is a
           subsidiary of eFunds. ChexSystems compiles information from banks
           and credit unions on accounts that have been closed due to account
           misconduct such as overdrafts, insufficient funds activity,
           returned checks, bank fraud, and check forgery. The company also
           aggregates available driver's license information from state
           departments of motor vehicles, and receives information from
           check-printing companies on check order histories, which can help
           identify fraud. Banks we spoke with said that the name and
           identifying information of a customer seeking to open a new
           deposit account is typically run through the ChexSystems database.
           The reports provided back to the financial institution by
           ChexSystems typically include identifying information, as well as
           information useful in assessing an applicant's risk, such as the
           applicant's history of check orders and the source and details of
           any account misconduct. (See app. II for a sample deposit account
           history report.)

           Financial Institutions Use Information Resellers to Comply with the
           PATRIOT Act, Prevent Fraud, Mitigate Risk, and Locate Individuals

           Financial institutions use data purchased from information
           resellers to comply with legal requirements; detect, prevent, and
           investigate fraud; identify risks associated with prospective
           clients; and locate debtors or shareholders.

           Complying with PATRIOT Act Requirements

           Financial institutions we spoke with frequently use products
           provided by information resellers to comply with PATRIOT Act
           requirements.10 Congress intended these provisions to help prevent
           terrorists and other criminals from using the U.S. financial
           system to fund terrorism and launder money. The act requires
           financial institutions to develop procedures to assure the
           identity of new customers.11 Many resellers offer products that
           verify and validate a new customer's identity by comparing
           information the customer provided to the financial institution
           with information aggregated from public and private sources. Some
           financial institutions, particularly those that offer services by
           telephone, mail, or the Internet, often confirm customers'
           identities using these reseller products. Other companies may
           verify their customers' identity from a driver's license,
           passport, or other paper document, but use information resellers
           for additional verification.

           Financial institutions must also screen their customers to ensure
           they are not on the Department of the Treasury's Office of Foreign
           Assets Control (OFAC) Specially Designated Nationals and Blocked
           Persons List. The list includes individuals and entities that
           financial institutions are generally prohibited from conducting
           transactions with because they have been identified as potential
           terrorists, money launderers, international narcotics traffickers,
           or other criminals. Many information resellers offer products to
           financial institutions that screen new customers against the OFAC
           list; often this screening is packaged with identity verification
           in a single product. (See app. II for a sample identity
           verification and OFAC screening report.) The OFAC list is a
           publicly available government document, but financial institutions
           told us they use resellers for their screening because it allows
           them to do so more quickly and helps distinguish between common
           names on the list that might result in false matches. Some
           financial institutions use resellers to screen new customers
           against the OFAC list, while others periodically screen all of
           their existing customers. Some companies told us they do most of
           their OFAC screening internally, but sometimes use a reseller to
           gather additional information confirming whether a potential match
           is indeed an individual that is on the OFAC list.

           To verify a customer's identity or conduct an OFAC screening, a
           financial institution typically uses a Web-based portal to provide
           an information reseller with basic information about the
           individual being screened, such as the person's name, Social
           Security number, address, driver's license number, phone number,
           and date of birth. The reseller then checks the information
           against its own records, and typically provides a "pass" response
           if the information matches, or a "fail" response if, for example,
           the date of birth does not match the name. Resellers' screening
           products generally draw on credit header data purchased from the
           credit bureaus, along with publicly available data such as address
           and telephone records and driver's license records from state
           agencies. Customer verification databases also include information
           that may indicate suspicious activity, such as prison or
           campground addresses, disconnected telephone numbers, and Social
           Security numbers of deceased individuals.
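The verification and screening exchange described above, worked through as an added example that is not from the GAO report or from any reseller's actual product: a constructed reseller record store, a matcher that returns the "pass" or "fail" response with reason codes, the suspicious-activity indicators the report lists (prison or campground addresses, disconnected telephone numbers, Social Security numbers of deceased individuals), and an OFAC-style name screen that uses date of birth to separate common-name false matches from true hits. All names, numbers, list entries and matching rules are constructed assumptions.

```python
"""Identity verification and watch-list screening in the style the GAO
report describes.  All records, names, SSNs and list entries are
constructed sample data; the matching rules are illustrative assumptions,
not any reseller's actual product logic."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed reseller records keyed by SSN.  A real product aggregates
# these from credit header data, address/telephone records and DMV files.
RESELLER_RECORDS: Dict[str, dict] = {
    "123-45-6789": {"name": "ANNA LOPEZ", "dob": "1980-04-12",
                    "address": "10 MAIN ST", "address_type": "residential",
                    "phone": "555-0100", "phone_status": "active",
                    "deceased": False},
    "987-65-4321": {"name": "JOHN SMITH", "dob": "1965-09-30",
                    "address": "1 STATE PRISON RD", "address_type": "prison",
                    "phone": "555-0199", "phone_status": "disconnected",
                    "deceased": False},
    "111-22-3333": {"name": "MARY JONES", "dob": "1940-01-01",
                    "address": "5 OAK AVE", "address_type": "residential",
                    "phone": "555-0177", "phone_status": "active",
                    "deceased": True},
}

# Constructed OFAC-style list entries: a name plus a date of birth where
# the list happens to carry one.
WATCH_LIST: List[dict] = [
    {"name": "JOHN SMITH", "dob": "1972-02-14"},
    {"name": "IVAN PETROV", "dob": None},
]

@dataclass
class Applicant:
    """What the financial institution submits through the portal."""
    name: str
    ssn: str
    dob: str
    address: str
    phone: str

@dataclass
class ScreeningResult:
    verdict: str                       # "pass" or "fail"
    reasons: List[str] = field(default_factory=list)
    indicators: List[str] = field(default_factory=list)
    watch_list_hits: List[str] = field(default_factory=list)

def _norm(s: str) -> str:
    """Case- and whitespace-insensitive comparison key."""
    return " ".join(s.upper().split())

def verify_identity(app: Applicant) -> ScreeningResult:
    """Compare applicant-supplied fields with the reseller record for the
    SSN; return pass/fail, reason codes and suspicious-activity indicators."""
    rec = RESELLER_RECORDS.get(app.ssn)
    if rec is None:
        return ScreeningResult("fail", ["SSN_NOT_FOUND"])
    reasons = []
    # Core identity fields must agree with the record.  A date of birth
    # that does not match the name on file is the report's "fail" example.
    if _norm(app.name) != rec["name"]:
        reasons.append("NAME_MISMATCH")
    if app.dob != rec["dob"]:
        reasons.append("DOB_MISMATCH")
    if _norm(app.address) != rec["address"]:
        reasons.append("ADDRESS_MISMATCH")
    indicators = []
    # Indicators the report names as possible signs of suspicious activity.
    if rec["deceased"]:
        indicators.append("SSN_OF_DECEASED")
    if rec["address_type"] in ("prison", "campground"):
        indicators.append("HIGH_RISK_ADDRESS_" + rec["address_type"].upper())
    if rec["phone_status"] == "disconnected":
        indicators.append("PHONE_DISCONNECTED")
    if app.phone != rec["phone"]:
        indicators.append("PHONE_DIFFERS")   # soft: numbers change often
    # A deceased person's SSN is a hard fail; the other indicators are
    # surfaced for the institution's analyst rather than failing outright.
    if "SSN_OF_DECEASED" in indicators:
        reasons.append("SSN_OF_DECEASED")
    return ScreeningResult("pass" if not reasons else "fail",
                           reasons, indicators)

def screen_watch_list(app: Applicant) -> List[str]:
    """Label every list entry whose name matches.  When the entry carries
    a DOB that differs from the applicant's, the hit is marked as a
    name-only match: this is how common-name false positives are kept
    apart from true matches."""
    hits = []
    for entry in WATCH_LIST:
        if _norm(app.name) != entry["name"]:
            continue
        if entry["dob"] is None:
            hits.append("POSSIBLE_MATCH:" + entry["name"])
        elif entry["dob"] == app.dob:
            hits.append("MATCH:" + entry["name"])
        else:
            hits.append("NAME_ONLY_DOB_DIFFERS:" + entry["name"])
    return hits

def screen(app: Applicant) -> ScreeningResult:
    """Identity verification and watch-list screen bundled in one call,
    as the report says resellers typically package them."""
    result = verify_identity(app)
    result.watch_list_hits = screen_watch_list(app)
    return result
```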

           Preventing and Detecting Fraud

           The financial institutions we reviewed use information reseller
           tools to assist their fraud prevention and detection efforts. For
           example, banks and credit card companies sometimes use information
           reseller products to authenticate the identity of existing
           customers who call to update or receive account information or to
           order a replacement credit card. Authentication products usually
           draw on information similar to that used for verification
           products, most commonly credit header data and public records.
           Some resellers offer products that also allow the financial
           institution to access the customers' credit history with their
           permission, which provides additional personal information that
           can be used to verify identity. For example, a customer might be
           asked the year an automobile loan was originated or the credit
           limit on a credit card.

           Fraud departments of financial institutions in our review also use
           more detailed products from information resellers to investigate
           suspected identity theft or account fraud, such as the use of a
           stolen credit card number. (See app. II for a sample fraud
           investigation report.) In these cases, a company's fraud
           department often purchases from information resellers detailed
           background information on a suspect's current and prior
           residences, vehicles, relatives, aliases, criminal records (in
           certain states), and other information that can be useful in
           directing an investigation. Examples of the uses of fraud products
           offered by resellers include

           o  obtaining detailed personal information about people associated
           with potential fraud, or their relatives and associates;
           o  detecting links between individuals who may be co-conspirators
           in fraud or misconduct;
           o  identifying multiple insurance claims made by the same person;
           o  identifying individuals who are associated with multiple
           addresses, telephone numbers, or vehicles in ways that indicate
           potential fraud;
           o  obtaining contact information for key individuals, such as
           witnesses to car accidents identified in police reports; or
           o  identifying instances where insurance policy applicants have
           failed to disclose certain required information.

           Reducing Risk and Locating Individuals

           Financial institutions also sometimes use reseller products to
           help identify potential reputational risk or other risks
           associated with new customers or business partners. For example,
           securities firms told us they screen individuals like prospective
           wealth management clients or merger partners to check for a
           criminal record, disciplinary action by securities regulators,
           negative news media coverage, and known affiliation with
           terrorism, drug trafficking, or organized crime.

           Financial institutions we spoke with also often use information
           resellers to locate individuals. For example, lenders use reseller
           products to find customers who have defaulted on debts, and some
           mutual fund companies use these products to locate lost
           shareholders. The information provided by products used for this
           purpose is derived largely from credit header data, telephone
           records, and public records data, and may include an individual's
           aliases, addresses, telephone numbers, Social Security number,
           motor vehicle records, as well as the names of neighbors and
           associates. For example, one financial institution told us its
           debt collectors use a ChoicePoint product called DEBTOR Discovery
           to get such information to help locate delinquent debtors.

           Some Financial Institutions Use Information Resellers for Marketing

           Some information resellers offer certain products that help
           financial institutions market their financial products and
           services to new or existing customers with specific
           characteristics. Databases held by resellers offering marketing
           products include a variety of information on individuals and
           households, such as household size, number and ages of children,
           estimated household income, homeownership status, demographic
           data, and lifestyle interests and activities. These databases
           derive their information from public records as well as nonpublic
           sources such as self-reported marketing surveys, product warranty
           cards, and lists of magazine subscribers, which may be used to
           provide financial institutions and other companies with lists of
           consumers meeting certain criteria.12 For example, a bank
           marketing a college savings account might request the names and
           addresses of all households in certain ZIP codes that have
           children under the age of 18 and household incomes of $100,000 or
           more. Financial institutions we studied also use certain reseller
           products to gather additional information on their existing
           customers to market additional products and services. For example,
           we spoke with an insurance company that used an information
           reseller to learn which of its existing customers owned boats, so
           those customers could be targeted for boat insurance. Similarly,
           one bank we spoke with used an information reseller to help market
           a sailing credit card to current customers who lived near bodies
           of water.

           Many companies that solicit new credit card accounts and insurance
           policies use nationwide credit bureaus for "prescreening" to
           identify potential customers for the products they offer.13 A
           lender or insurance company establishes criteria, such as a
           minimum credit score, and then purchases from a credit bureau a
           list of people in the bureau's database who meet those criteria.
           In some cases, the financial institution already has a list of
           potential customers that it provides to the credit bureau to
           identify individuals on the list who meet the criteria. Financial
           institutions sometimes also use a second information reseller to
           help them obtain from a credit bureau a list that includes only
           consumers meeting specific demographic or lifestyle criteria. For
           example, in marketing a home equity line of credit, a lender may
           use a second information reseller to work with a credit bureau to
           identify creditworthy individuals that are also homeowners and
           live in certain geographic areas, to which the lender will then
           make a firm offer of credit. Financial institutions sometimes use
           data from information resellers for models, developed by either the
           institution or the reseller, that seek to predict consumers likely
           to be interested in a new product and unlikely to present a credit
           risk. For example, a firm we spoke with that was marketing credit
           cards to college students used reseller data to determine the
           characteristics of college students that indicate they will be
           successful credit card borrowers.

           Federal Privacy and Information Security Laws Apply to Many
           Information Reseller Products, Depending on Their Use and Source

           The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley
           Act (GLBA) are the primary federal laws governing the privacy and
           security of personal data collected and shared by information
           resellers. FCRA limits resellers' use and distribution of personal
           data, and allows consumers to access the data held on them, but it
           only applies to information collected or used primarily to make
           eligibility determinations. Unless FCRA applies to a product and
           its database, resellers typically provide only limited
           opportunities for the consumer to access, correct, or restrict
           sharing of the personal data held on them. GLBA's privacy
           provisions restrict the sharing of nonpublic personal information
           collected by or acquired from financial institutions, including
           resellers covered by GLBA's definition of financial institution
           (GLBA financial institutions). Further, GLBA's safeguarding
           provision requires resellers that are GLBA financial institutions
           to safeguard this information.

           Several Federal Privacy and Security Laws Apply to Personal Data
           Held by Information Resellers

           No single federal law governs the use or disclosure of all
           personal information by private sector companies. Similarly, there
           are no federal laws designed specifically to address all of the
           products sold and data maintained by information resellers.14
           Instead, a variety of different laws govern the use, sharing, and
           protection of personal information that is maintained for specific
           purposes or by specific types of entities. The two primary federal
           laws that protect personal information maintained by private
           sector companies are FCRA and GLBA. FCRA protects the security and
           confidentiality of personal information that is collected or used
           to help make decisions about individuals' eligibility for, among
           other things, credit, insurance, or employment, while GLBA is
           designed to protect personal financial information that
           individuals provide to or that is maintained by financial
           institutions.

           In addition to FCRA and GLBA, other federal laws that directly or
           indirectly address privacy and data security may also cover some
           information reseller products.15 The Driver's Privacy Protection
           Act of 1994 regulates the use and disclosure by state motor
           vehicle departments of personal information from motor vehicle
           records.16 Personal motor vehicle records may be purchased and
           sold only for certain purposes (such as insurance claims
           investigations and other anti-fraud activities) unless a state
           motor vehicle agency has received express consent from the
           individual indicating otherwise.17 In addition, the Federal Trade
           Commission Act (FTC Act), enacted in 1914 and amended on numerous
           occasions, gives FTC the authority to prohibit and act against
           unfair or deceptive acts or practices.18 The failure by a
           commercial entity, such as an information reseller, to reasonably
           protect personal information could be a violation of the FTC Act
           if the company's actions constitute an unfair or deceptive act or
           practice. Finally, some federal banking regulators have authority
           to oversee their institutions' third-party service providers to
           ensure the safety and soundness of financial institutions.19 For
           example, if a vendor such as an information reseller did not
           employ reasonable safeguards to maintain a bank's records, federal
           banking regulators could examine the vendor to identify and remedy
           the risks.20

           FCRA Applies Only to Consumer Information Used to Determine Eligibility

           The Fair Credit Reporting Act (FCRA), enacted in 1970, protects
           the confidentiality and accuracy of personal information used to
           make certain types of decisions about consumers. Specifically,
           FCRA applies to companies that furnish, contribute to, or use
           "consumer reports" (reports containing information about an
           individual's personal and credit characteristics used to help
           determine eligibility for such things as credit, insurance,
           employment, licenses, and certain other benefits).21 Businesses
           that evaluate consumer information or assemble such reports for
           third parties are known as consumer reporting agencies, or CRAs.
           Consumer reports covered by FCRA comprise a significant portion of
           consumer data transactions in the United States. For example,
           according to an industry association that represents CRAs, the
           three nationwide credit bureaus sell over 2.5 billion credit
           reports each year on average. FCRA places certain restrictions and
           obligations on CRAs that issue these reports. For example, the law
           restricts the use of consumer reports to certain permissible
           purposes, such as approving credit, imposes certain disclosure
           requirements, and requires that CRAs take steps to ensure that
           information in these reports is not misused. It also provides
           consumers with certain rights in relation to their credit reports,
           such as the right to dispute the accuracy or completeness of items
           in the reports. Congress has amended FCRA a number of times, most
           recently with the Fair and Accurate Credit Transactions Act of
           2003 (FACT Act), which sought to promote more-accurate credit
           reports and expand consumers' access to their credit
           information.22

           Information resellers are subject to FCRA's requirements only with
           regard to information used to compile consumer reports, that is,
           reports used to help determine eligibility for certain purposes,
           including credit, insurance, or employment. Thus, FCRA applies to
           databases used to compile credit reports sold by the three
           nationwide credit bureaus, and its provisions apply both to the
           credit bureaus themselves as well as to other information
           resellers that purchase and resell credit reports for use by
           others. FCRA also applies to databases used to generate specialty
           consumer reports (which consist of such things as tenant history,
           check writing history, employment history, medical information, or
           insurance claims) that are used to help make eligibility
           determinations. For example, according to ChoicePoint, FCRA
           applies to the data used in most of its WorkPlace Solutions
           products, which employers use to make hiring decisions. Similarly,
           according to LexisNexis, FCRA applies to its Electronic Bankruptcy
           Notifier product data, which financial institutions use to
           determine whether to offer customers credit or other financial
           services. Overall, 8 of the 10 information resellers we spoke with
           said that at least some of their products are consumer reports as
           defined by FCRA. They said their contracts prohibit their
           customers from using their non-FCRA products for purposes related
           to making eligibility determinations.

           According to the information resellers included in our review,
           FCRA does not cover many databases used to create other products
           they offer because, as defined by the law, the information was not
           collected for making eligibility determinations and the products
           are not intended to be used for making eligibility
           determinations.23 For example, some of the information resellers
           we spoke with did not treat data in some products used to identify
           and prevent fraud as subject to FCRA. Similarly, resellers do not
           typically consider databases used solely for marketing purposes to
           be covered by FCRA. Because the definition of a consumer report
           under FCRA depends on the purpose for which the information is
           collected and on the reports' intended and actual use, an
           information reseller apparently may have two essentially identical
           databases with only one of them subject to FCRA.

           FCRA also restricts financial institutions and other companies
           that use consumer reports from using them for purposes other than
           those permitted in the law. Financial institutions must also
           notify consumers if they take an adverse action, such as denying an
           applicant a credit card, based on information in a consumer report.
           Under FCRA, companies that furnish information to CRAs also must
           take steps to ensure the accuracy of information they report.
           Further, users of consumer reports must properly dispose of
           consumer reports they maintain. The law also limits financial
           institutions and other entities from sharing certain credit
           information with their affiliates for marketing purposes. Final
           regulations to implement this statutory limitation have not yet
           been promulgated.

           FCRA Provides Access, Correction, and Opt-Out Rights for Consumer Reports

           FCRA is the primary federal law that provides rights to consumers
           to view, correct, or opt out of the sharing of their personal
           information, including data held by information resellers. Under
           FCRA, as recently amended by the FACT Act, consumers have the
           right to

           o  obtain all of the information about themselves contained in the
           files of a CRA upon request, including their credit history;
           o  receive one free copy of their credit file from nationwide CRAs
           and nationwide specialty CRAs once a year or under certain other
           circumstances;24 
           o  dispute information that is incomplete or inaccurate, and have
           their claims investigated and any errors deleted or corrected, as
           provided by the law; and
           o  opt out of allowing CRAs to provide their personal information
           to third parties for prescreened marketing offers.25

           Most of FCRA's access, correction, and opt-out rights apply not
           just to the three nationwide credit bureaus (Experian, TransUnion,
           and Equifax) but also to other CRAs, including nationwide specialty
           CRAs that provide reports on such things as insurance claims and
           tenant histories. The law imposes slightly different requirements
           on these entities with respect to free annual reports. For
           example, FCRA's implementing regulation requires Experian,
           TransUnion, and Equifax to create a centralized source for
           accepting consumer requests for free credit reports, which must
           include a single dedicated Web site, a toll-free telephone number,
           and mail directed to a single postal address where consumers can
           order credit reports from all three nationwide CRAs.26 Nationwide
           specialty CRAs are individually required to maintain a toll-free
           number and a streamlined process for accepting and processing
           consumer requests for file disclosures.27 Other CRAs must provide
           consumers with a copy of their report upon request (although in
           most cases they may charge a reasonable fee for it), and they must
           allow consumers to dispute information they believe to be
           inaccurate. In practice, consumers may find it difficult in some
           cases to effectively access and correct information held by
           nationwide specialty CRAs because there may be hundreds of such
           CRAs and no master list exists. For example, job seekers who want
           to confirm the accuracy of information about themselves in
           background-screening products would need to request their consumer
           reports from the dozens of such companies that offer such
           products.

           Consumers generally do not have the legal right to access or
           correct information about them contained in non-FCRA databases,
           such as those used for marketing purposes or, in some cases, fraud
           detection. The information resellers we studied varied in the
           extent to which they voluntarily provide consumers with additional
           opportunities to view, correct, and opt out of the sharing of
           information beyond what the law requires. The three nationwide
           credit bureaus allowed consumers to view only information that is
           subject to FCRA. However, three other information resellers we
           spoke with allowed consumers to order summary reports of some data
           maintained about them that was not subject to FCRA. These reports
           varied in length and detail but typically contained consumer data
           obtained from public records, publicly available information, and
           credit header information. Consumers did not typically have the
           right to see data maintained about them related to marketing, such
           as information on their household income, interests, or hobbies,
           which was often obtained from warranty cards or self-reported
           survey questionnaires.

           Information resellers told us that consumers who request
           correction of inaccurate data not covered by FCRA are typically
           referred to the government or private entity that was the source
           of the data. Many resellers told us that because their databases
           are so frequently updated, simply correcting their own databases
           would not be effective because it would soon be refreshed by new
           erroneous data from the original source. However, one reseller
           told us it has procedures that prevent such corrections from being
           overwritten. Some resellers offered limited opportunities for
           consumers to opt out of their databases even for data not covered
           by FCRA, but they typically allowed this only for data used for
           marketing purposes. The five resellers we spoke with that maintain
           personal data used for marketing allowed consumers to request that
           their information not be shared with third parties. None of the
           resellers we spoke with offered all consumers the ability to opt
           out of identity verification or fraud products. They noted that it
           would undermine the effectiveness of the databases if, for
           example, criminals could remove themselves from lists of
           fraudsters. Some resellers do allow opt-out opportunities to
           certain individuals, such as judges or identity-theft victims, who
           may face potential harm from having their information included in
           reseller databases.

           Industry representatives, consumer advocates, and others offer
           differing views on whether the access, correction, and opt-out
           rights provided under FCRA should be expanded. Many consumer
           advocates and others have argued that these rights should not be
           limited to consumer information used for eligibility purposes, but
           should explicitly extend as well to databases not currently
           considered by resellers to be subject to FCRA, such as those used
           for some anti-fraud products. Proponents of this view argue that
           basic privacy principles dictate that consumers should have the
           right to know what information is being collected and maintained
           about them. In addition, they argue that errors in these databases
           have the potential to harm consumers. For example, an individual
           could be denied a volunteer opportunity or falsely pursued as a
           crime suspect due to erroneous information in a reseller database
           not covered under FCRA.

           In contrast, some information resellers, financial services firms,
           and law enforcement representatives have argued that providing
           individuals expanded access, correction, and opt-out rights is
           unnecessary and could harm fraud prevention and criminal
           investigations by providing individuals with the opportunity to
           see and manipulate the information that exists about them. They
           also note that expanding these rights could create new regulatory
           burdens. For example, firms maintaining databases for marketing
           purposes could face substantial costs and complications developing
           and implementing processes for consumers to see, challenge, and
           correct the data held on them. Information resellers noted that
           providing access and correction rights for personal information in
           marketing databases makes little sense because the accuracy of
           this information is much less important than for information used
           to make crucial eligibility decisions.

           GLBA Applies to Information Resellers That Are Financial Institutions
           or Receive Information from Financial Institutions

           The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, limits with
           certain exceptions the sharing of consumer information by
           financial institutions and requires them to protect the security
           and confidentiality of customer information. Further, GLBA limits
           the reuse and redisclosure of the information for those receiving
           it. GLBA's key provisions with regard to information resellers,
           therefore, cover the privacy, reuse, redisclosure, and
           safeguarding of information.

           GLBA Privacy Provisions

           GLBA's privacy provisions generally limit financial institutions
           from sharing nonpublic personal information with nonaffiliated
           companies without first providing certain notice and, where
           appropriate, opt-out rights to their own customers and other
           consumers with whom they interact.28 GLBA distinguishes between a
           financial institution's "customers" and other individuals the
           financial institution may interact less with, which the law refers
           to as "consumers." Specifically, a consumer is an individual who
           obtains a financial product or service from a financial
           institution.29 On the other hand, a customer is a consumer who has
           an ongoing relationship with a financial institution. For example,
           someone who engages in an isolated transaction with a financial
           institution, such as making an ATM withdrawal, is a consumer,
           whereas someone who has a deposit account with a bank would be a
           customer. While some GLBA requirements, such as the privacy
           requirements, apply broadly to cover consumer information in many
           cases, other provisions of GLBA apply only to customer
           information. For example, GLBA's safeguarding requirements oblige
           financial institutions to protect only customer information.

           GLBA requires financial institutions to provide their customers
           with a notice at the start of the customer relationship and
           annually thereafter for the duration of that relationship. The
           notice must describe the company's sharing practices and give
           customers, and in some cases consumers, the right to opt out of
           some sharing. GLBA exempts companies from notice and opt-out
           requirements under certain circumstances. For example, financial
           institutions and CRAs may share personal information for
           credit-reporting purposes without providing opt-out opportunities,
           and financial institutions and others may also share this
           information to protect against or prevent actual or potential
           fraud and unauthorized transactions.30 Thus, financial
           institutions are not required to provide their customers with
           opt-out rights before reporting their information to credit
           bureaus or sharing their information with information resellers
           for identity verification and fraud purposes. Under another GLBA
           exception, financial institutions are also not required to provide
           consumers with an opportunity to opt out of the sharing of
           information with companies that perform services for the financial
           institution.31

           GLBA's privacy provisions apply to information resellers only if
           (1) the reseller is a GLBA "financial institution" or (2) the
           reseller receives nonpublic personal information from such a
           financial institution (see fig. 2). The determination of whether a
           company is a financial institution under GLBA is complex and, for
           an information reseller, depends on whether the company's
           activities are included in implementing regulations issued by FTC.
           GLBA defines "financial institutions" as entities that are in the
           business of engaging in certain financial activities.32 Such
           activities include, among other things, traditional banking
           services, activities that are financial in nature on the FRB list
           of permissible activities for financial holding companies in
           effect as of the date of GLBA's enactment, and new permissible
           activities.33 While new financial activities may be identified,
           those activities are not automatically included in FTC's
           definition.34 FTC defines "financial institutions" as businesses
           that are "significantly engaged" in financial activities.35 For
           example, FRB's list of "financial activities" includes not only
           the activity of extending credit, but also related activities such
           as credit bureau services.36 Thus, the three nationwide credit
           bureaus are considered financial institutions subject to GLBA.37

6. Credit header data are the nonfinancial identifying information located
at the top of a credit report, such as name, current and prior addresses,
telephone number, and Social Security number.

7. This report focuses on how financial institutions use data from
information resellers in conducting transactions with consumers. We did
not review other ways that financial institutions use information
resellers, such as to screen their potential employees or to gather
information about other businesses.

8. The three nationwide credit bureaus use software models developed by
the Fair Isaac Corporation to produce FICO(R) credit scores, which are
credit scores used by many financial services firms. In March 2006, the
bureaus announced they will begin selling a new credit score that they
developed jointly. The score will be calculated the same way for each
credit bureau to enhance consistency among all three bureaus.

9. A nationwide specialty CRA is defined in FCRA to mean a CRA that
compiles and maintains files on consumers on a nationwide basis relating
to medical records or payments; residential or tenant history;
check-writing history; employment history; or insurance claims. 15 U.S.C.
§ 1681a(w).

10. Uniting and Strengthening America by Providing Appropriate Tools
Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of
2001, Pub. L. No. 107-56, 115 Stat. 272 (Oct. 26, 2001). We will refer to
the act as the PATRIOT Act.

11. Title III of the PATRIOT Act (cited as the "International Money
Laundering Abatement and Financial Anti-Terrorism Act of 2001") amended
the U.S. government's anti-money laundering regulatory structure. For
instance, section 326 added new requirements for the Secretary of the
Treasury and the federal financial regulators to issue regulations setting
forth minimum standards for financial institutions to (1) verify the
identity of persons seeking to open an account; (2) maintain records of
the information used to verify a person's identity, including name,
address, and other identifying information; and (3) consult lists of known
or suspected terrorists or terrorist organizations provided to the
financial institution by any government agency to determine whether a
person seeking to open an account appears on the list. See 31 U.S.C.
§ 5318(l). Section 326 requirements for customer verification apply to
financial institutions broadly, including, among others, financial
institutions that are subject to regulation by one of the federal banking
regulators, as well as nonfederally insured credit unions, private banks
and trust companies; securities broker-dealers; futures commission
merchants and introducing brokers; and mutual funds. 31 U.S.C. § 5312 and
31 C.F.R. Part 103.

12. A manufacturer may request that consumers submit their contact
information on a warranty card in the event of a product malfunction or
insurance claim. For marketing purposes, many warranty cards request
additional information on such things as the gender and age of household
occupants, occupation and income information, spending habits, and
lifestyle interests; this information is sometimes sold to information
resellers.

13. The Fair Credit Reporting Act, described in more detail below,
generally permits prescreening only if the financial institution makes a
firm offer of credit or insurance for all consumers who meet the criteria
for the credit or insurance being offered. 15 U.S.C. § 1681b(c)(1)(B).

14. This report focuses on the use and sharing of personal information
among private sector entities, and therefore we only describe laws
governing these entities. Other laws, primarily the Privacy Act of 1974,
govern the collection and use of personal information by government
agencies. See Pub. L. No. 93-579, 88 Stat. 1896 (Dec. 31, 1974), codified
at 5 U.S.C. § 552a.

15. The Health Insurance Portability and Accountability Act of 1996, Pub.
L. No. 104-191, § 262, 110 Stat. 1936 (Aug. 21, 1996), codified at 42
U.S.C. §§ 1320d - 1320d-8, protects the privacy of individually
identifiable health information. The scope of this work did not include
the collection and use of health information.

16. Pub. L. No. 103-322, title XXX, 108 Stat. 2099 (Sept. 13, 1994)
(codified at 18 U.S.C. §§ 2721 - 2725).

17. 18 U.S.C. § 2721(b)(11).

18. Pub. L. No. 63-203, ch. 311, 38 Stat. 717 (Sept. 26, 1914) (codified
at 15 U.S.C. §§ 41 - 58).

19. See 12 U.S.C. § 1867 (FRB, FDIC, and OCC); and 12 U.S.C. § 1464(d)(7)
(OTS).

20. Although the scope of this report is limited to federal privacy and
data security laws, many states have laws of their own that apply to the
activities of information resellers. Many of these laws require companies
to notify consumers when their personal data may have been lost or stolen.
For example, in 2002, California enacted a database breach notification
act (Cal. Civ. Code § 1798.82), which requires disclosure of any security
breach of data to any state resident whose unencrypted personal
information was, or is reasonably believed to have been, acquired by an
unauthorized person.

21. FCRA defines a "consumer report" as "any written, oral, or other
communication of any information by a consumer reporting agency bearing on
a consumer's credit worthiness, credit standing, credit capacity,
character, general reputation, personal characteristics, or mode of living
which is used or expected to be used or collected in whole or in part for
the purpose of serving as a factor in establishing the consumer's
eligibility for (A) credit or insurance to be used primarily for personal,
family, or household purposes; (B) employment purposes; or (C) any other
purpose authorized under [15 U.S.C. § 1681b]." 15 U.S.C. § 1681a(d)(1).

22. Pub. L. No. 108-159, 117 Stat. 1952 (Dec. 4, 2003) (codified at 15
U.S.C. §§ 1681c-1, 1681c-2, 1681x, 1681s-3, 1681w).

23. We did not determine which information reseller databases are subject
to FCRA. The information we include is based on what information resellers
told us about how FCRA applies to their activities.

24. Consumers also have the right to receive a free copy of their credit
file from CRAs when they have been victims of identity theft or are
subject to an adverse action as a result of information in their file, or
in certain other circumstances where they are unemployed, recipients of
public welfare, or have reason to believe that their file contains
inaccurate information due to fraud.

25. FCRA also provides certain other opt-out rights concerning affiliate
sharing. See 15 U.S.C. §§ 1681a(d)(2)(iii); and 1681s-3. In addition to
FCRA, GLBA requires that financial institutions allow their customers to
opt out of the sharing of their nonpublic personal information with
nonaffiliated companies, unless the sharing falls under an exception under
GLBA. See 15 U.S.C. § 6802.

26. 16 C.F.R. § 610.2.

27. 16 C.F.R. § 610.3.

28. 15 U.S.C. § 6802.

29. See 15 U.S.C. § 6809(9). GLBA defines a consumer as "an individual who
obtains, from a financial institution, financial products or services
which are to be used primarily for personal, family, or household
purposes." Thus, GLBA does not apply to a business customer, such as a
sole proprietor. 16 C.F.R. § 313.3(e). A "customer" means a consumer who
has a "customer relationship," that is, a continuing relationship with the
financial institution.

30. 15 U.S.C. § 6802(e)(3)(B) and (6).

31. 15 U.S.C. § 6802(e)(1)(A).

32. 15 U.S.C. § 6809(3)(A).

33. 12 U.S.C. § 1843(k). This is a list of nonbanking activities
determined by FRB as of the date of GLBA's enactment to be "so closely
related to banking or managing or controlling banks as to be a proper
incident thereto." See 12 C.F.R. § 225.28 (1999). FDIC, FRB, NCUA, OCC,
OTS and SEC in their implementing GLBA regulations define the term
"financial institution" as those institutions in the business of engaging
in activities that are financial in nature or incidental to such financial
activities. See 12 C.F.R. §§ 40.3(k)(1) (OCC), 216.3(k)(1) (FRB),
332.3(k)(1) (FDIC), 573.3(k)(1) (OTS), and 716.3(l)(1) (NCUA); and 17
C.F.R. § 248.3(n)(1) (SEC). See 16 C.F.R. § 313.3(k)(1) (FTC).

34. 16 C.F.R. § 313.18(a)(2); and 65 Fed. Reg. 33646, 33654 (May 24,
2000).

Figure 2: GLBA Privacy Provisions

FTC staff told us that the determination of whether a specific information
reseller is a financial institution subject to GLBA depends on the
specific activities of the company. They said they determine whether GLBA
applies to an entity on a case-by-case basis and that it is difficult to
generalize about which types of information resellers are GLBA financial
institutions. For example, CRAs other than the three nationwide credit
bureaus are not necessarily subject to GLBA if their activities do not
fall under FRB's definition of credit bureau services or they do not
otherwise engage in any financial activity included in the 1999 FRB list.
Only four of the resellers we spoke with (the three nationwide credit
bureaus and a specialty CRA that collects deposit account information)
told us they consider themselves financial institutions subject to GLBA's
privacy and safeguarding provisions. Moreover, we were told that these
provisions do not apply to the entire company but rather only to those
activities of the company that are deemed financial in nature. For
example, one credit bureau told us that its credit reporting activities
fall under GLBA, but that its marketing products, which are not deemed
financial in nature, do not.38

35. 16 C.F.R. §§ 313.3(k)(1) and (3)(iv).

36. 12 C.F.R. § 225.28(b)(2)(v) (1999). FRB described credit bureau
services as those services "maintaining information related to the credit
history of consumers and providing the information to a credit grantor who
is considering a borrower's application for credit or who has extended
credit to the borrower."

37. See Trans Union LLC v. FTC, 295 F.3d 42, 48 (D.C. Cir. 2002); and 16
C.F.R. § 313.3(k).

GLBA not only limits how financial institutions share nonpublic personal
information with other companies, but it also restricts what those
companies subsequently do with the information. Under GLBA's "reuse and
redisclosure" provision and FTC's implementing rule, companies that
receive information from a financial institution are restricted in how
they further share or use that information.39 If a company receives
information under a GLBA exception, it can only reuse and redisclose the
information for activities that fall under the exception under which the
information was received.40 Alternatively, if a company receives
information from a financial institution in a way not covered by an
exception (that is, where the individual was given a GLBA notice and
chose not to opt out of sharing), then the information may be reused and
redisclosed in any way the original financial institution would have been
permitted to use or disclose it.41

38. A representative of the company noted that, as required by law, the
data used for these two products are kept in separate databases that are
not commingled.

39. 16 C.F.R. § 313.11 (FTC); see also 12 C.F.R. §§ 40.11 (OCC), 216.11
(FRB), 332.11 (FDIC), 573.11 (OTS), and 716.11 (NCUA); and 17 C.F.R.
§ 248.11 (SEC). The regulations were upheld in Individual Reference
Services Group, Inc. v. FTC, 145 F. Supp. 2d 6, 34 - 35 (D.D.C. 2002)
("the use restrictions affirmatively imposed by the Regulations are
consistent with the purpose of the GLB Act").

40. The FTC regulation states: "[y]ou may disclose and use the information
pursuant to [a GLBA exception] in the ordinary course of business to carry
out the activity covered by the exception under which you received the
information." 16 C.F.R. § 313.11(a)(1)(iii).

As noted earlier, the nationwide credit bureaus sell credit header data
(the identifying information at the top of a credit report) to other
information resellers for use in fraud prevention products.
Representatives of two of the credit bureaus and their industry
association told us that because credit header data contain information
from financial institutions, they are subject to GLBA's reuse and
redisclosure provisions. As a result, the credit bureaus can only sell
credit header data under the same GLBA exception under which they received
the data. Credit bureau representatives said they receive the information
from financial institutions under both the consumer reporting and fraud
prevention exceptions, and then sell it under the fraud prevention
exception.

Also, some old credit header data may not be subject to GLBA at all. Prior
to GLBA's enactment in 1999, credit header information sold by credit
bureaus (which included names, addresses, aliases, and Social Security
numbers) could be used or resold by a third party for any purpose, as long
as the information was not used to make eligibility determinations. GLBA
placed restrictions on the sale of such nonpublic personal information
maintained by GLBA financial institutions. Further, as noted earlier,
reuse and redisclosure of the information is also restricted by GLBA. The
law's privacy restrictions generally became fully effective on July 1,
2001.42 A nationwide credit bureau told us that the restrictions did not
apply retroactively to credit header data that credit bureaus already held
at the time of GLBA's enactment in 1999. The nationwide credit bureau said
that just prior to GLBA's enactment, it created a new database containing
"pre-GLBA" credit header data and transferred those data to a separate
affiliated company.43 The company told us that because it gathered these
data prior to GLBA's enactment, the data are not subject to GLBA's privacy
and safeguarding provisions.
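
The reuse-and-redisclosure rule described above, together with the
separate "pre-GLBA" header database just described, amounts in engineering
terms to a purpose-limitation control: every record carries the basis
under which it was received, and the point at which data leaves the
company refuses any use that basis does not cover. The Python below is an
added illustration of such a control; it is not code from the GAO report
or from any reseller. The Basis and Purpose labels, the Record and
PreGlbaStore classes, the may_disclose function, and the three sample
records are this example's own assumptions, and the pre-GLBA branch
encodes the credit bureau's stated position (any use except eligibility
determinations) rather than a legal conclusion.

```python
"""Purpose-limitation check modeled on GLBA reuse and redisclosure.

Added illustration; names and rules are assumptions, not statutory text.
"""
from dataclasses import dataclass
from enum import Enum


class Basis(Enum):
    """Basis under which a record reached the reseller (labels are ours)."""
    CONSUMER_REPORTING = "consumer_reporting"  # GLBA credit-reporting exception
    FRAUD_PREVENTION = "fraud_prevention"      # GLBA fraud-prevention exception
    NOTICE_NO_OPT_OUT = "notice_no_opt_out"    # shared after notice; no opt-out
    PRE_GLBA = "pre_glba"                      # gathered before GLBA took effect


class Purpose(Enum):
    CONSUMER_REPORTING = "consumer_reporting"  # an eligibility use
    FRAUD_PREVENTION = "fraud_prevention"
    MARKETING = "marketing"
    SKIP_TRACING = "skip_tracing"


# Data received under an exception may be redisclosed only to carry out
# the activity that exception covers.
EXCEPTION_SCOPE = {
    Basis.CONSUMER_REPORTING: {Purpose.CONSUMER_REPORTING},
    Basis.FRAUD_PREVENTION: {Purpose.FRAUD_PREVENTION},
}

# Uses that count as eligibility determinations (FCRA territory).
ELIGIBILITY_PURPOSES = {Purpose.CONSUMER_REPORTING}


@dataclass(frozen=True)
class Record:
    subject: str
    bases: frozenset  # set of Basis; one record may arrive under several


def may_disclose(record, purpose, originator_permitted=frozenset()):
    """True if redisclosing `record` for `purpose` stays within a basis it
    was received under. `originator_permitted` is the set of purposes the
    originating financial institution could itself use the data for; it
    matters only on the notice-and-no-opt-out path."""
    for basis in record.bases:
        if basis in EXCEPTION_SCOPE:
            if purpose in EXCEPTION_SCOPE[basis]:
                return True
        elif basis is Basis.NOTICE_NO_OPT_OUT:
            if purpose in originator_permitted:
                return True
        elif basis is Basis.PRE_GLBA:
            # Reseller's stated position: any purpose except eligibility.
            if purpose not in ELIGIBILITY_PURPOSES:
                return True
    return False


class PreGlbaStore:
    """Segregated store for pre-GLBA header data. It refuses any record
    carrying a post-GLBA basis, so the legacy set cannot be refreshed
    from the FCRA-regulated database (the control footnote 43 describes)."""

    def __init__(self):
        self.records = []

    def ingest(self, record):
        if record.bases != frozenset({Basis.PRE_GLBA}):
            raise ValueError(f"refusing non-pre-GLBA data for {record.subject}")
        self.records.append(record)
        return len(self.records)


# Constructed sample records (synthetic; not drawn from the report).
HEADER = Record("subject-A", frozenset({Basis.CONSUMER_REPORTING,
                                        Basis.FRAUD_PREVENTION}))
OPTED_IN = Record("subject-B", frozenset({Basis.NOTICE_NO_OPT_OUT}))
LEGACY = Record("subject-C", frozenset({Basis.PRE_GLBA}))


def demo():
    """Run the check over the sample records; returns a name -> bool map."""
    return {
        "header_fraud": may_disclose(HEADER, Purpose.FRAUD_PREVENTION),
        "header_marketing": may_disclose(HEADER, Purpose.MARKETING),
        "opt_in_marketing": may_disclose(
            OPTED_IN, Purpose.MARKETING, frozenset({Purpose.MARKETING})),
        "opt_in_marketing_not_permitted": may_disclose(OPTED_IN, Purpose.MARKETING),
        "legacy_skip_tracing": may_disclose(LEGACY, Purpose.SKIP_TRACING),
        "legacy_eligibility": may_disclose(LEGACY, Purpose.CONSUMER_REPORTING),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The design point is that the basis travels with the record rather than
being inferred at disclosure time: header data received under both the
consumer-reporting and fraud-prevention exceptions can be sold for fraud
prevention but not for marketing, and the segregated legacy store raises
on any attempt to feed it post-GLBA data, which is what keeps the "pre-GLBA"
claim auditable.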

41. See 15 U.S.C. § 6802(c), which states: "[A] nonaffiliated third party
that receives from a financial institution nonpublic personal information
. . . shall not . . . disclose such information to any other person that
is a nonaffiliated third party of both the financial institution and such
receiving third party, unless such disclosure would be lawful if made
directly to such other person by the financial institution." This
provision is commonly referred to as GLBA's reuse and redisclosure
provision. See 16 C.F.R. § 313.11(b)(1)(iii).

42. See 15 U.S.C. § 6801 note.

43. The company said that it does not allow information collected for its
FCRA-regulated database to be used to update the "pre-GLBA" database.

  GLBA Safeguarding Provisions

The safeguarding provisions of GLBA require financial institutions to take
steps to ensure the security and confidentiality of their customers'
nonpublic personal information.44 Specifically, the agency regulations
provide that financial institutions must develop comprehensive written
policies and procedures to ensure the security and confidentiality of
customer records and information, protect against any anticipated threats
or hazards to the security or integrity of such records, and protect
against unauthorized access to or use of such records or information that
could result in substantial harm or inconvenience to any customer.45
Although the privacy provisions of GLBA apply broadly to financial
institutions' consumers, GLBA's safeguarding requirements only establish
obligations on financial institutions to protect their customer
information.

Only information resellers defined as financial institutions under the law
are required to implement these safeguards. Several of the information
resellers we spoke with noted that although GLBA does not apply to all of
their products, they have policies and procedures to protect all of their
information in a way consistent with GLBA's safeguarding requirements.
Unlike GLBA's notice and opt-out requirements (privacy requirements), the
law's safeguarding provisions do not directly extend to third-party
companies that receive personal information from financial institutions.
However, federal agencies' provisions implementing GLBA safeguarding rules
require financial institutions to monitor the activities of their service
providers and require them by contract to implement and maintain
appropriate safeguards for customer information.46

Many commercial entities, including many information resellers, are not
subject to GLBA and therefore are not explicitly required by a federal
statute to have in place policies and procedures to safeguard individuals'
personal data. This raises concerns given that identity theft has emerged
as a serious problem and that breaches of sensitive personal data have
occurred at a variety of companies that are not financial institutions.
For example, in 2005, BJ's Wholesale Club, which is not considered a GLBA
financial institution, settled FTC charges that it engaged in an unfair or
deceptive act or practice in violation of the FTC Act by failing to take
appropriate security measures to protect the sensitive information of
thousands of its customers.47 FTC alleged that the company's failure to
secure sensitive information was an unfair practice because it caused
substantial injury not reasonably avoidable by consumers and not
outweighed by offsetting benefits to consumers or competition. Some
policymakers, consumer advocates, and industry representatives have
advocated explicit statutory requirements that would expand more broadly
the number and types of companies that must safeguard their data. Had
there been a statutory requirement for BJ's Wholesale Club to safeguard
sensitive information, FTC could have based its complaint directly on the
company's failure to safeguard the information, rather than on a showing
that the failure met the FTC Act's test for an unfair practice. Expanding
the class of entities subject to safeguarding laws would impose explicit
data security provisions on a larger group of organizations that are
maintaining sensitive personal information. FTC has testified that should
Congress enact new data security requirements, FTC's safeguards rule
should serve as a model for an effective enforcement standard because it
provides sufficient flexibility to apply to a wide range of companies
rather than mandating specific technical requirements that may not be
appropriate for all entities.48 To be most effective, new data security
provisions would need to apply both to customer and noncustomer data
because the nature of information reseller businesses is such that they
hold large amounts of sensitive personal information on individuals who
are not their customers.

44. 15 U.S.C. § 6801.

45. See, for example, 16 C.F.R. § 314.3 (FTC).

46. See, for example, 16 C.F.R. § 314.4(d).

No Federal Statute Requires Notification of Data Breaches

Currently, there is no federal statute requiring information resellers or
most other companies to disclose breaches of sensitive personal
information, although at least 32 states have enacted some form of breach
notification law.49 Policymakers and consumer advocates have raised
concerns that federal law does not always require companies to reveal
instances of the theft or loss of sensitive data. These concerns have been
triggered in part by increased public awareness of the problem of identity
theft and by a large number of data breaches at a wide variety of public
and private sector entities, including major financial services firms,
information resellers, universities, and government agencies. In 2005,
ChoicePoint acknowledged that the personal records it held on
approximately 162,000 consumers had been compromised. As part of a
settlement with the company in January 2006, FTC alleged that ChoicePoint
did not have reasonable procedures to screen prospective subscribers to
its data products, and provided consumers' sensitive personal information
to subscribers whose applications should have raised obvious suspicions.50
A December 2005 report by the Congressional Research Service noted that
personal data security breaches were occurring with increasing regularity,
and listed 97 recent breaches, five of which had occurred at information
resellers.51 Data breaches are not limited to private sector entities, as
evidenced by the theft discovered in May 2006 of electronic data of the
Department of Veterans Affairs containing identifying information for
millions of veterans.

47. The settlement will require BJ's Wholesale Club to implement a
comprehensive information security program and obtain audits by an
independent third-party security professional every other year for 20
years. In the Matter of BJ's Wholesale Club, Inc., F.T.C. No. 0423160
(2005). A consent agreement does not constitute an admission of a
violation of law.

48. Prepared Statement of the Federal Trade Commission on "Data Breaches
and Identity Theft" Before the Senate Comm. on Commerce, Science, and
Transportation, 109th Cong., 1st Sess. (2005).

49. Although there is no applicable federal statute governing notification
of data breaches, the banking agencies have issued guidance to financial
institutions under their jurisdiction requiring them in some cases to
notify customers affected by a data breach. States that have enacted
breach notification requirements include Arizona, Arkansas, California,
Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho,
Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Montana, Nebraska,
Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio,
Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington,
and Wisconsin. Many other states have introduced legislation.

Congress has held several hearings related to data breaches, and a number
of bills have been introduced that would require companies to notify
individuals when such breaches occur.52 The bills vary in many ways,
including differences in who must be notified, the level of risk that
triggers a notice, the nature of the notification, exceptions to the
requirement, and the extent to which federal law preempts state law.
Breach notification requirements have two primary benefits. First, they
provide companies or other entities with incentives to follow good
security practices so as to avoid the legal liability or public relations
risks that may result from a publicized breach of customer data. Second,
consumers who are informed of a breach of their personal data can take
actions to mitigate potential risk, such as reviewing the accuracy of
their credit reports or credit card statements. However, FTC and others
have noted that any federal requirements should ensure that customers
receive notices only when they are at risk of identity theft or other
related harm. Requiring notices when consumers are not at real risk could
create an undue burden on businesses, which might have to provide notices
for minor and insignificant breaches. It could also overwhelm consumers
with frequent notifications about breaches that have no impact on them,
reducing the chance they will pay attention when a meaningful breach
occurs. At the same time, consumer and privacy groups and other parties
have warned against imposing too weak a trigger for notification, and
have expressed concern that a federal breach notification law could
actually weaken consumers' security if it were to preempt stronger state
laws.53

50United States v. ChoicePoint, Inc., No. 1:06-cv-00198-JTC (N.D. Ga.,
Feb. 15, 2006). As part of the settlement, ChoicePoint admitted no
violations of law. According to ChoicePoint, the company has taken steps
since the breach to enhance its customer screening process and to assist
affected consumers.

51Congressional Research Service, Personal Data Security Breaches: Context
and Incident Summaries, Order Code RL33199 (Washington, D.C., Dec. 16,
2005).

52For example, Identity Theft: Recent Developments Involving the Security
of Sensitive Consumer Information: Hearing Before the Senate Comm. on
Banking, Housing, and Urban Affairs, 109th Cong., 1st Sess. (2005);
Securing Electronic Personal Data: Striking a Balance Between Privacy and
Commercial and Governmental Use: Hearing Before the Senate Comm. on the
Judiciary, 109th Cong., 1st Sess. (2005); Assessing Data Security:
Preventing Breaches and Protecting Sensitive Information: Hearing Before
the House Comm. on Financial Services, 109th Cong., 1st Sess. (2005);
Securing Consumers' Data: Options Following Security Breaches: Hearing
Before the Subcomm. on Commerce, Trade, and Consumer Protection of the
House Comm. on Energy and Commerce, 109th Cong., 1st Sess. (2005).

 FTC Has Primary Responsibility for Enforcing Information Resellers' Compliance
                   with Privacy and Information Security Laws

The Federal Trade Commission is the federal agency with primary
responsibility for enforcing applicable privacy and information security
laws for information resellers. Since 1972, FTC has initiated numerous
formal enforcement actions against information resellers for providing
consumer report information without adequately ensuring that their
customers had a permissible purpose for obtaining the data. FTC has civil
penalty authority for violations of FCRA and, in limited situations, the
FTC Act, but it does not have such authority for GLBA, which may inhibit
its ability to most effectively enforce that law's privacy and security
provisions.

53For more information on the key benefits and challenges associated with
notifying the public about security breaches, see GAO, Privacy: Preventing
and Responding to Improper Disclosures of Personal Information,
GAO-06-833T (Washington, D.C.: June 8, 2006).

FTC Has Primary Federal Enforcement Authority over Information Resellers

FTC enforces the privacy and security provisions of FCRA and GLBA over
information resellers. FCRA provided FTC with enforcement authority for
nearly all companies not supervised by a federal banking regulator.54
Similarly, GLBA provided FTC with rule-making and enforcement authority
over all financial institutions and other entities not under the
jurisdiction of the federal banking regulators, NCUA, SEC, the Commodity
Futures Trading Commission, or state insurance regulators.55 In addition,
the FTC Act provides FTC with the authority to investigate and take
administrative and civil enforcement actions against most commercial
entities, including information resellers, that engage in unfair or
deceptive acts or practices in or affecting commerce. According to FTC
officials, an information reseller could violate the FTC Act if it
mishandled personal information in a way that rose to the level of an
unfair or deceptive act or practice.

State regulators also play a role in enforcing data privacy and security
laws. FCRA provides enforcement authority to a state's chief law
enforcement officer, or any other designated officer or agency, although
federal agencies have the right to intervene in any state-initiated
action.56 In addition, GLBA allows states to enforce their own information
security and privacy laws, including those that provide greater
protections than GLBA, as long as the state laws are not inconsistent with
requirements under the federal law. Several states, including Connecticut,
North Dakota, and Vermont, have enacted restrictions on the sharing of
financial information that are stricter than GLBA.57 States can also
enforce their own laws related to unfair or deceptive acts or practices to
the extent the laws do not conflict with federal law.

54FCRA gives enforcement authority to FDIC, FRB, OCC, OTS, and NCUA over
their banks, thrifts, and credit unions, among other entities. FCRA
assigned regulatory authority to the Departments of Transportation and
Agriculture over entities under their jurisdiction. 15 U.S.C. § 1681s.

55 15 U.S.C. § 6805. GLBA required FTC and other regulators with
responsibilities under the statute to issue consistent and comparable
regulations. 15 U.S.C. § 6804.

56 15 U.S.C. § 1681s(c).

57Conn. Gen. Stat. Anno. §§ 36a-41 - 44 (disclosure to broker-dealers or
investment advisers engaged in contractual networking arrangements with
the financial institution permitted after the customer is given notice and
an opportunity to opt out); N.D. Cent. Code §§ 6.08.1-01 - 10; Vt. Stat.
Anno. Tit. 8, §§ 10201 - 10205.

FTC Has Investigated and Initiated Formal Enforcement Actions against
Information Resellers for FCRA and FTC Act Violations

Since 1972, FTC has initiated numerous formal enforcement actions against
at least 20 information resellers for violating FCRA and, in some cases,
the FTC Act.58 All of these companies were CRAs, and they included the
three nationwide credit bureaus as well as a variety of types of specialty
CRAs.59 In most of these cases, FTC charged that the companies provided
consumer report information without adequately ensuring that their
customers had a permissible purpose for obtaining the data. In many cases,
FTC alleged that the companies sold consumer reports to users they had no
reason to believe intended to use the information legally, or did not
require the users to identify themselves and certify in writing the
purposes for which they wished to use the reports. In addition, some
companies' reports allegedly included significant inaccuracies or obsolete
information; some companies also failed to reinvestigate disputed
information within a reasonable period of time.60

Among the most significant of these FTC enforcement actions against
information resellers are the following:

58For instance, FTC staff told us the agency filed suit in the following
cases: In the Matter of Credit Bureau of Lorain, Inc., 81 F.T.C. 381
(1972); In the Matter of Credit Bureau of Columbus, Inc., 81 F.T.C. 938
(1972); In the Matter of Credit Bureau of Greater Syracuse, Inc., 84
F.T.C. 1660 (1974); In the Matter of Robert N. Barnes, 85 F.T.C. 520
(1975); In the Matter of Filmdex Chex System, Inc., 85 F.T.C. 889 (1975);
In the Matter of Credit Data Northwest, 86 F.T.C. 389 (1975); In the
Matter of Interstate Check Systems, Inc., 88 F.T.C. 984 (1976); In the
Matter of Moore & Associates, Inc., 92 F.T.C. 440 (1978); In the Matter of
Howard Enterprises, Inc., 93 F.T.C. 909 (1979); In the Matter of Trans
Union Credit Information Co., 102 F.T.C. 1109 (1983); FTC v. TRW Inc., 784
F. Supp. 361 (N.D. Tex. 1991); In the Matter of I.R.S.C., Inc., 116 F.T.C.
266 (1993); In the Matter of CDB Infotek, 116 F.T.C. 280 (1993); In the
Matter of Inter-Fact Inc., 116 F.T.C. 294 (1993); In the Matter of
W.D.I.A. Corp., 117 F.T.C. 757 (1994); In the Matter of Equifax Credit
Information Services, Inc., 120 F.T.C. 577 (1995). See also United States
v. ChoicePoint, Inc., No. 1:06-cv-00198-JTC (N.D. Ga. Feb. 15, 2006);
United States v. Far West Credit, Inc., No. 2:06-cv-00041-TC (C.D. Utah
Jan. 17, 2006); and In the Matter of Southern Maryland Credit Bureau,
Inc., 101 F.T.C. 19 (1983).

59In 1996, TRW Inc. sold its credit reporting business to a group of
investors, who named the new company Experian.

60FTC has also enforced FCRA against resellers for other types of
violations. For example, in 2000 FTC settled with the three nationwide
credit bureaus after alleging that consumers were unable to adequately
access the companies' personnel by telephone to discuss or dispute
possible errors in their files. United States v. Equifax Credit
Information Services, Inc., No. 1:00-CV-0087 (N.D. Ga. 2000); United
States v. Experian Information Solutions, Inc., No. 3-00CV0056-L (N.D. Tex.
2000); and United States v. Trans Union LLC, No. 00C 0235 (N.D. Ill.
2000). See http://www.ftc.gov/opa/2000/01/busysignal.htm. A consent
agreement does not constitute an admission of a violation of law.

           o  In 1995, FTC settled charges with Equifax Credit Information
           Services, the credit bureau subsidiary of Equifax Inc., for
           alleged violations of FCRA. FTC alleged that the company furnished
           consumer reports to individuals without a permissible purpose,
           included derogatory information in consumer reports that should
           have been excluded after it was disputed by the consumer, and
           failed to take steps to reduce inaccuracies in reports and
           reinvestigate disputed information. The consent agreement required
           Equifax to take steps to improve the accuracy of its consumer
           reports and limit the furnishing of such reports to those with a
           permissible purpose under FCRA.61 
           o  In 2000, FTC ordered the TransUnion Corporation, a nationwide
           credit bureau, to stop selling consumer reports in the form of
           target marketing lists to marketers who lack an authorized purpose
           under FCRA for receiving them. The company had been selling
           mailing lists of the names and addresses of consumers meeting
           certain credit-related criteria (such as having certain types of
           loans). FTC found that the lists were consumer reports and that
           the lists therefore could not be sold for target marketing
           purposes.62 
           o  In January 2006, FTC settled charges against ChoicePoint that
           its security and record-handling procedures violated federal laws
           with respect to consumers' privacy. FTC had alleged the company
           violated FCRA by providing sensitive personal information to
           customers despite obvious indications that the information would
           not be used for a permissible purpose. For example, ChoicePoint
           allegedly approved as customers individuals who subscribed to data
           products for multiple businesses using fax machines in public
           commercial locations. FTC also charged that the company violated
           the FTC Act by making false and misleading statements in its
           privacy policy, which said it provided consumer reports only to
           businesses that complete a rigorous credentialing process. Under
           the terms of the settlement, ChoicePoint agreed to pay $10 million
           in civil penalties (the largest civil penalty in FTC history) and
           to provide $5 million in consumer redress.63 ChoicePoint did not
           admit to a violation of law in settling the charges. A company
           representative told us it has taken steps since the breach to
           enhance its customer screening process and to assist affected
           consumers.

FTC Cannot Levy Civil Penalties for GLBA Information Privacy and Security
Violations

FTC is the primary federal agency monitoring information resellers'
compliance with privacy and security laws, but it is a law enforcement
rather than a supervisory agency. Unlike federal financial institution
regulators, which oversee a relatively narrow class of entities, FTC has
jurisdiction over a large and diverse group of entities and enforces a
wide variety of statutes related to antitrust, financial regulation,
consumer protection, and other issues. FTC's mission and resource
allocations focus on conducting investigations and, unlike federal
financial regulators, FTC does not routinely monitor or examine the
companies over which it has jurisdiction.

If FTC has reason to believe that violations of laws under its
jurisdiction have taken place, it may initiate a law enforcement action.
Under its statutory authority, it can ask or compel companies to produce
documents, testimony, and other materials. FTC may in administrative
proceedings issue cease and desist orders for unfair or deceptive acts or
practices. Further, FTC generally may seek from the United States district
courts a wide range of remedies, including injunctions, damages to
compensate consumers for their actual losses, and disgorgement of
ill-gotten funds.64 Depending on the law it is enforcing, FTC may also
seek civil penalties, that is, monetary fines levied for a violation of a
civil statute or regulation.

Although FTC has civil penalty authority for violations of FCRA and, in
limited situations, the FTC Act, GLBA's privacy and safeguarding
provisions do not give it such authority.65 Currently, FTC may seek an
injunction to stop a company from violating these provisions and may seek
redress (damages to compensate consumers for losses) or disgorgement.
However, determining the appropriate amount of consumer compensation
requires information on who and how many consumers were affected and the
harm, in monetary terms, that they suffered. This can be extremely
difficult in the case of security and privacy violations, such as data
breaches. Such breaches may lead to identity theft, but FTC staff told us
that they may not be able to identify exactly which individuals were
victimized and to what extent they were harmed, particularly in cases
where the potential identity theft could occur years in the future. FTC
could benefit from having the authority to impose civil penalties for
violations of GLBA's privacy and safeguarding provisions because such
penalties may be more practical enforcement tools for violations involving
breaches of mass consumer data. FTC has testified that such authority is
often the most appropriate remedy in such cases, and staff told us it
could more effectively deter companies from violating provisions of GLBA.
Unlike FTC, other regulators have civil penalty authority for violations
of GLBA. For example, OCC told us it can enforce GLBA privacy and
safeguard provisions with civil money penalties against any insured
depository institution or institution-affiliated party.66

Agencies Differ in Their Oversight of the Privacy and Security of
Personal Information at Financial Institutions

In enforcing privacy and security requirements, federal regulators do not
distinguish between the data that regulated entities obtain from
information resellers and other personal information these entities
maintain. Federal banking regulators have overseen compliance with the
privacy and security provisions of GLBA and FCRA by issuing rules and
guidance, conducting examinations, and taking formal and informal
enforcement actions when needed. Securities and insurance regulators
enforce GLBA information privacy and security requirements in a similar
fashion, but FTC is responsible for FCRA enforcement among these firms.
FTC is also responsible for GLBA and FCRA enforcement for financial
services firms not supervised by another regulator and has initiated
several enforcement actions, though it does not conduct routine
examinations. Credit union, securities, and insurance regulators told us
that, unlike most of the banking regulators, they do not have full
authority to examine their entities' third-party service providers,
including information resellers.

Financial Institutions and Their Regulators Said They Do Not Distinguish
between Data from Information Resellers and Other Sources

The information privacy and security provisions of GLBA and FCRA provide
several federal and state agencies with authority to enforce the laws'
provisions for financial institutions. As shown in figure 3, GLBA assigns
federal banking and securities regulators and state insurance regulators
enforcement responsibility for the financial institutions they oversee,
and FTC has jurisdiction for all other financial institutions. FCRA
similarly assigns the federal banking regulators authority over the
institutions they oversee and FTC jurisdiction over other entities.67
FCRA assigns FTC enforcement responsibility for securities and insurance
companies and provides securities and insurance regulators with no
statutory responsibilities to enforce FCRA.68

Figure 3: Enforcement Responsibilities for Selected Financial
Institutions under FCRA and GLBA

Notes: The Commodity Futures Trading Commission, which was not identified
as a functional regulator by GLBA, is nevertheless responsible for
enforcing information privacy and security requirements among futures
commission merchants, commodity trading advisers, commodity pool
operators, and introducing brokers subject to its jurisdiction. See
7 U.S.C. § 7b-2.

aNCUA enforces GLBA at all federally insured credit unions and FCRA at
all federally chartered credit unions. FTC has enforcement authority for
all other credit unions not subject to NCUA's jurisdiction.

bSEC is responsible for enforcing GLBA compliance for investment advisers
registered with SEC; FTC is responsible for enforcement at all other
investment advisers.

cFTC is responsible for enforcing FCRA at securities firms and insurance
companies, but it is not a supervisory agency and does not conduct
routine examinations.

Financial regulators told us that in their oversight of companies'
compliance with privacy laws, they generally do not distinguish between
data obtained from information resellers and data from other sources. The
nonpublic personal information maintained by financial institutions
includes both data they collect directly from their customers and data
purchased from information resellers, such as credit reports or marketing
lists. Banking and securities regulators told us their efforts to oversee
the privacy and security of nonpublic personal information do not focus
in particular on data that came from information resellers but rather
look holistically at a financial institution's information security and
compliance with applicable laws. For example, OCC and FRB officials said
their examiners enforce the privacy and safeguarding requirements of GLBA
and FCRA regardless of whether the source of the data is an information
reseller, a customer, or another source.

GLBA's safeguarding requirements apply only to nonpublic personal
information that financial institutions maintain on their customers and
not to information they maintain about other consumers (noncustomers).
However, representatives of financial institutions we interviewed said
that as a matter of policy, they generally apply the same information
safeguards to both customer and consumer information. They said that
their information safeguards focus on the sensitivity of the information
rather than whether the person is a customer. For example, files
containing Social Security numbers would have more stringent safeguards
than those containing only names and addresses. Officials of a global
investment banking and brokerage firm told us that although their firm
maintains separate databases on customers and consumers targeted for
marketing, both databases use the higher security standard required for
customer information. Another company with similar practices noted that
it treats all information with higher standards rather than setting up
many different safeguarding policies and procedures. Other companies
noted that public relations and reputational risk concerns motivate them
to maintain high safeguards to prevent any consumer information from
being lost or stolen. Similarly, federal banking regulators told us that
failing to safeguard consumer information may not be a violation of GLBA
but is still taken very seriously because it represents a threat to a
bank's safety and soundness, poses reputational risks, and reflects a
weakness in a bank's corporate governance.

Federal Banking Agencies Provide Guidance and Examine Regulated Banking
Organizations for GLBA and FCRA Compliance

The banking regulators responsible for GLBA and FCRA enforcement have
issued regulations and other guidance on information privacy and security
requirements. The individual banking regulators examine the financial
institutions under their jurisdiction for compliance with GLBA and FCRA
information privacy and safeguarding requirements and have taken
enforcement actions for violations.

Regulations and Other Guidance

The banking agencies, acting jointly and individually and in coordination
with FTC, have issued regulations and other guidance for financial
institutions to follow in implementing the privacy and safeguarding
requirements of GLBA.69 In 2000, following the law's passage, the banking
agencies (OCC, FRB, OTS, FDIC, and NCUA) issued rules for compliance with
the law's information privacy requirements.70 These rules helped
financial institutions implement GLBA's notice and opt-out requirements.
For example, they provided examples of the types of information regulated
by GLBA. In 2001, the agencies jointly issued guidelines establishing
standards for GLBA's safeguarding requirements to assist financial
institutions in establishing the administrative, technical, and physical
safeguards for customer information required by law.71 In addition to the
guidelines that implement GLBA safeguarding requirements, these
regulators have in some cases issued guidance to provide further
assistance to their institutions. For example, the banking agencies
issued a guide on small entities' compliance with GLBA's privacy
provisions to help companies identify and comply with the requirements.
The banking agencies also have issued additional written interagency
guidance for financial institutions relating to notification of their
customers in the event of unauthorized access to their information where
misuse of the information has occurred or is reasonably possible.72

The banking regulators have also issued rules and regulations for their
institutions to implement certain provisions of the Fair and Accurate
Credit Transactions Act of 2003 (FACT Act), which amends FCRA.73 For
example, in 2004, in coordination with FTC, these agencies issued a final
rule to implement the FACT Act requirement that persons, including
financial institutions, properly dispose of consumer report information
and records.74 Some provisions (such as restrictions on how financial
institutions can share data with their affiliates for marketing purposes)
have yet to be finalized by the banking or other agencies.

Through the Federal Financial Institutions Examination Council (FFIEC), a
formal interagency body comprising representatives from OCC, OTS, FRB,
FDIC, and NCUA that coordinates examination standards and procedures for
their institutions, the banking agencies have also issued guidance to
help bank examiners oversee the integrity of information technology at
their institutions. For example, FFIEC developed the FFIEC IT Examination
Handbook, which is composed of 12 booklets designed to help examiners and
organizations determine the level of security risk at financial
institutions and evaluate the adequacy of the organizations' risk
management. Representatives of banking regulators say their examiners
rely on these booklets in addition to the GLBA and FCRA guidance when
examining the integrity of an institution's information privacy and
security procedures. Some of these booklets help examiners oversee
financial institutions' use of information resellers and other
third-party technology service providers by addressing topics such as
banks' outsourcing of technology services or banks' supervision of their
technology service providers. Financial institution regulators told us
their examiners use these booklets to oversee the soundness of their
institutions' technology services and to address information security
issues posed by third-party technology service providers such as
information resellers.

Examinations and Enforcement Actions

Banking regulators regularly examine regulated banks, thrifts, and credit
unions for compliance with GLBA and FCRA requirements.75 Each regulatory
agency told us that its safety and soundness, compliance, and information
technology examinations include checks on whether its institutions are in
compliance with GLBA's and FCRA's provisions related to the privacy and
security of personal information. For example, OCC examination procedures
tell examiners to review banks' monitoring systems and procedures to
detect actual and attempted attacks on or intrusions into customer
information systems. However, the scope of the regulators' reviews with
regard to privacy and security matters can vary depending on the degree
of risk associated with the institution examined.

According to the banking agencies, their examinations of institutions'
GLBA and FCRA compliance have discovered few material deficiencies and
violations requiring formal enforcement actions. Instead, they have
mostly found various weaknesses that they characterized as technical in
nature and that required informal corrective action.76 FDIC officials
said that between 2002 and 2005, the agency took 12 formal enforcement
actions for GLBA violations and no formal enforcement actions under FCRA.
They noted that FDIC has also taken informal enforcement actions to
correct an institution's overall compliance management system, which
covers all of the consumer protection statutes and regulations in the
examination scope.

According to OCC officials, between October 1, 2000, and September 30,
2005, the agency took 18 formal enforcement actions under GLBA and no
formal enforcement actions under FCRA. OCC's actions in these cases
resulted in outcomes such as cease and desist orders and civil money
penalties levied against violators. The agency also informally required
banks to take corrective action in several instances, such as requiring a
bank to notify customers whose accounts may have been compromised, or
requiring a bank to correct and reissue its initial privacy notice.
According to OCC staff, OCC's examinations for compliance with GLBA's
privacy requirements most commonly found that banks' initial privacy
notices were not clear and conspicuous, and its examinations for
compliance with GLBA's safeguarding requirements most commonly found
cases of inadequate customer information programs, risk assessment
processes, testing, and reports to the board.

FRB officials said the agency has taken 12 formal enforcement actions in
the past 5 years for violations of GLBA's information-safeguarding
standards and no formal actions for FCRA violations. They said FRB has
taken several informal enforcement actions, including three related to
violations of Regulation P, which implements GLBA's privacy requirements,
and five informal actions for violations of FCRA. According to FRB staff,
FRB's examinations for compliance with the interagency information
security standards have found cases of inadequate customer information
security programs, board oversight, and risk assessments, as well as
cases of incomplete assessment of physical access controls and
safeguarding of the transmission of customer data. The most commonly
found problem in FRB's examinations for compliance with Regulation P was
banks' failure to provide clear and conspicuous initial notices of their
privacy policies and procedures. With regard to FCRA compliance, the
violations cited most frequently were failures to provide notices of
adverse actions based on information contained in consumer reports or
obtained from third parties.

           Securities Regulators Oversee GLBA Compliance of Securities Firms

           SEC, NASD, and NYSE Regulation oversee securities industry
           participants' compliance with GLBA's privacy and information
           safeguarding requirements. Similar to the banking agencies, they
           have issued rules and other guidance, conducted examinations of
           firms' compliance with federal securities laws and regulations,
           and, if appropriate, taken enforcement actions.

           Regulations and Other Guidance

           In June 2000, SEC adopted Regulation S-P, which implements GLBA's
           Title V information privacy and safeguarding requirements among
           the broker-dealers, investment companies, and SEC-registered
           investment advisers subject to SEC's jurisdiction.77 Regulation
           S-P contains rules of general applicability that are substantively
           similar to the rules adopted by the banking agencies. In addition
           to providing general guidance, Regulation S-P contains numerous
           examples specific to the securities industry to provide more
           meaningful guidance to help firms implement its requirements. For
           example, the rule provides detailed guidance on the provision
           covering privacy and opt-out notices when a customer opens a
           brokerage account. It also contains a section regarding procedures
           to safeguard information, including the disposal of consumer
           report information.78

           Since Regulation S-P was adopted, SEC staff have issued additional
           written guidance in the form of Staff Responses to Questions about
           Regulation S-P. According to SEC staff, companies also receive
           feedback on Regulation S-P compliance during the examination
           process, as well as during telephone inquiries made to SEC
           offices. However, unlike the federal banking agencies, SEC has
           issued no additional written guidance on institutions notifying
           customers in the event of unauthorized access to customer
           information. SEC staff said they are considering possible measures
           that would address information security programs in more detail,
           including the issue of how to respond to security breaches.

           Examinations and Enforcement Actions

           SEC has examined registered firms for Regulation S-P compliance.
           SEC staff said compliance with Regulation S-P was a focus area in
           SEC examinations during the first 1 to 1 1/2 years after July
           2001, when it became effective. During this period, Regulation S-P
           compliance was reviewed in 858 broker-dealer examinations, of
           which 105 resulted in findings.79 Also, during this period,
           Regulation S-P compliance was reviewed in 1,174 investment adviser
           examinations, of which 128 resulted in findings, and 218
           investment company examinations, of which 17 resulted in findings.

           SEC staff said that more recently SEC has adopted a risk-based
           approach to determine the depth of a review of compliance with
           Regulation S-P. Under this approach, an initial review of
           compliance with Regulation S-P is done to determine if a closer
           look is warranted. During the past 2 1/2 years, compliance with
           Regulation S-P was reviewed in 1,891 investment adviser
           examinations, of which 301 resulted in findings, and 257
           investment company examinations, of which 20 resulted in findings.
           SEC staff said they had not broken out separate Regulation S-P
           examination findings of broker-dealer examinations for this period
           and could not provide those numbers. They said the most common
           deficiencies were failure to provide privacy notices, no or
           inadequate privacy policy, and no or inadequate policies and
           procedures for safeguarding customer information. SEC staff said
           they had not found any deficiencies during their exams that
           warranted formal enforcement actions. They told us they have dealt
           with Regulation S-P compliance more as a supervisory matter and
           required registrants to resolve deficiencies without taking formal
           actions.

           SEC staff also said that SEC is now conducting a special review
           coordinated with NYSE Regulation looking at how broker-dealers are
           outsourcing certain functions that involve customer information.
           They said they are concerned with how registrants are managing the
           outsourcing process, including, among other things, due diligence
           in contractor selection, monitoring contractor performance, and
           disaster recovery/business continuity planning.

           NASD and NYSE Regulation Oversee Compliance of Member Broker-Dealers

           NASD and NYSE Regulation also oversee Regulation S-P compliance
           among member broker-dealers. According to NASD officials, NASD
           took a two-pronged approach to ensure that its members understand
           their obligations under Regulation S-P and comply with its
           requirements. First, NASD issued guidance to its members regarding
           requirements of the regulation. For example, when Regulation S-P
           was adopted, NASD issued guidance to facilitate compliance by
           providing a notice designed to inform and educate its members
           about Regulation S-P.80 In the summer of 2001, NASD issued an
           article setting forth questions and answers regarding Regulation
           S-P and reminding members of the mandatory compliance deadline.81
           In July 2005, NASD issued another notice reminding members of
           their obligations relating to the protection of customer
           information.82 Second, according to NASD officials, NASD conducts
           routine examinations--approximately 2,500 per year--to check
           compliance with NASD rules and the federal securities laws,
           including Regulation S-P. Examiners check compliance with
           Regulation S-P using a risk-based approach in which examiners
           review certain information such as supervisory review procedures
           to assess the controls that exist at a firm. Depending on its
           findings, NASD determines whether to inspect in more detail the
           firm's Regulation S-P policies and procedures to ensure they are
           reasonably designed to achieve compliance with Regulation S-P,
           including its safeguarding and privacy requirements. Regulation
           S-P compliance was reviewed in 4,760 NASD examinations of
           broker-dealers between October 1, 2000, and September 30, 2005.
           These examinations resulted in 502 informal actions and two formal
           actions--called Letters of Acceptance, Waiver, and Consent--for
           Regulation S-P violations. According to NASD, in one formal
           action, it censured and fined the respondents a total of $250,000
           for various violations related to their failure to establish
           supervisory procedures and devote sufficient resources to
           supervision, including Regulation S-P compliance. In the other
           action, according to NASD, it censured and fined the firm and a
           principal associated person $28,500 and suspended the person for
           30 days for failing to provide privacy notices to its customers
           and for several other non-privacy-related violations.

           Similarly, NYSE Regulation issued guidance on Regulation S-P to
           its member firms and sent its members an information memo
           reminding them of Regulation S-P requirements shortly before they
           became mandatory.83 NYSE Regulation's Sales Practice Review Unit
           conducts examinations of member firms' compliance with Regulation
           S-P and other privacy requirements on a 1-, 2- or 4-year cycle, or
           when the member firm is otherwise deemed to be at a certain level
           of risk.

           State Insurance Regulators Require Insurers to Comply with Information
           Privacy and Security Provisions, but Enforcement May Be Limited

           GLBA designates state insurance regulators as the authorities
           responsible for enforcement of its information privacy and
           safeguarding provisions among insurance companies. The individual
           states are responsible for enforcing GLBA with respect to
           insurance companies licensed in the state, and they may issue
           regulations.84 The National Association of Insurance Commissioners
           (NAIC) has issued model rules to guide states in developing
           programs to enforce GLBA requirements and has sponsored a
           multistate review of insurance companies' performance in this
           regard.

           NAIC Has Developed Model GLBA Privacy and Safeguarding Rules,
           but Not All States Have Adopted GLBA Regulations

           NAIC has developed two model rules for states to use in developing
           regulations or laws to implement the GLBA information privacy and
           safeguarding provisions among the insurance companies they
           regulate. The first model rule, the Privacy of Consumer Financial
           and Health Information Regulation, issued in 2000, includes notice
           and opt-out requirements relating to insurance entities, and can
           be used by states as models for state laws and regulations. An
           August 2005 NAIC analysis showed that all states and the District
           of Columbia had adopted insurance laws or regulations to implement
           GLBA's requirements related to the privacy of financial
           information.85

           The second model rule, the Standards for Safeguarding Customer
           Information Model Regulation, issued in 2002, establishes
           standards for developing and implementing administrative,
           technical, and physical safeguards to protect the security,
           confidentiality, and integrity of customer information. In
           contrast to the privacy model, an October 2005 NAIC analysis
           showed that 17 states had yet to adopt a law or regulation setting
           standards for safeguarding customer information. In April 2002,
           GAO reported that insurance customer information and records in
           states that had not established safeguards may not be subject to a
           consistent level of legal protection envisioned by GLBA's privacy
           provisions.86

           Individual State Insurance Regulators Have Not Consistently
           Examined for Privacy and Security Compliance

           Individual state insurance regulators have procedures for
           examining companies for compliance with information privacy and
           safeguarding requirements, but do not routinely do so. According
           to an NAIC official, NAIC's Market Conduct Examiners Handbook
           contains detailed examination procedures for reviewing information
           privacy requirements and its Financial Examiners Handbook has a
           segment devoted to security of computer-based systems. He said the
           individual state regulators can examine for compliance with
           privacy requirements as part of their comprehensive examinations
           of companies, but that states are focusing less on conducting
           comprehensive examinations and more on targeted examinations. As a
           result of a lack of complaints regarding privacy matters, however,
           he said the states are probably doing few targeted examinations of
           compliance with privacy requirements.

           To forestall possible multiple, overlapping, and inconsistent
           examinations by numerous states, NAIC in 2005 sponsored a
           multistate review to gather information on insurance companies'
           compliance with GLBA privacy and safeguarding provisions. The
           review team, led by the District of Columbia's Department of
           Insurance, Securities and Banking (DISB), with the participation
           of 19 states, covered more than 100 of the largest insurance
           groups, representing about 800 insurance companies operating in
           the United States.87 The review team administered a survey
           questionnaire, reviewed each insurer's responses to the
           questionnaire, and subsequently held conferences with
           representatives of the insurer. The review resulted in

           o  22 findings related to the risk assessment process, including
           failure to work toward a formalized assessment process to identify
           risks of internal and external threats and hazards to the
           safeguarding, confidentiality, and integrity of information;
           o  18 findings related to GLBA's requirements for information
           storage, transmission, and integrity;
           o  16 findings related to the delivery of privacy notices
           (although 12 of those findings related to the provision of the
           initial notice rather than recurring findings); and
           o  no findings related to GLBA procedures for providing opt-out
           notifications or procedures for collecting opt-out elections.

           These findings were similar to those of other financial
           regulators' examinations of GLBA compliance. However, unlike the
           other regulators, state insurance regulators do not have
           comparable examination programs to follow up to ensure that such
           findings are corrected and do not become more numerous. The DISB
           qualified the scope of its survey by noting that it did not
           include (1) a review of the insurer's efforts with respect to
           remediation activities, (2) a detailed analysis of the
           effectiveness of the insurer's plans to correct privacy problems
           or to protect the business against the consequences associated
           with any privacy-related occurrences, or (3) a determination of
           steps the insurer must take to become privacy compliant or
           maintain privacy compliance.

           Although this survey was not a substitute for regulatory
           examination of insurers' compliance with GLBA, it could serve as a
           basis for further examination of such compliance. Other financial
           regulators have gathered preliminary information that they then
           use as a basis for further examinations of regulated entities. For
           example, in 2003, SEC followed up on reports of abusive practices
           in mutual fund trading by requesting information from various
           mutual fund companies on these trading practices, and this served
           as a basis for further examinations of individual companies.
           According to NAIC officials, the DISB survey results were never
           reviewed by state insurance regulators as part of their
           examinations of insurance companies. NAIC officials said the
           survey results were reviewed by NAIC's Market Analysis Working
           Group and referred back to DISB to determine what, if any,
           additional follow-up was necessary. DISB staff told us that most
           state insurance regulators, as well as DISB, do not have staff
           with adequate expertise to actually examine insurers' information
           privacy and safeguarding programs. They said the states would have
           to contract with vendors to obtain this expertise.

           FTC Enforces GLBA and FCRA Compliance of Financial Institutions
           within Its Jurisdiction

           As discussed earlier, FTC enforces GLBA for financial institutions
           not otherwise assigned to the enforcement authority of another
           regulator, and enforces FCRA for the same entities and others,
           including securities firms and insurance companies. FTC has issued
           rules implementing GLBA and FCRA information privacy and
           safeguarding requirements and developed other materials that
           provide detailed guidance for companies to implement the
           requirements. FTC issued two rules--referred to as the Privacy Rule
           and the Safeguards Rule--to implement GLBA's requirements for
           financial institutions not covered by similar regulations issued
           by the financial institution regulators. These rules provide
           examples to clarify things such as what constitutes a customer
           relationship and what types of information are covered under the
           law's sharing restrictions. FTC has also issued rules to implement
           the FACT Act amendments to FCRA, although some rules have not yet
           been issued in final form.88 FTC provides additional guidance to
           financial institutions on how to comply with GLBA and FCRA in the
           form of business alerts, fact sheets, frequently asked questions,
           and a compliance guide for small businesses. For example, FTC has
           issued alerts on safeguarding customers' personal information,
           disposing of consumer report information, and insurers' use of
           consumer reports.

           Between 2003 and 2005, FTC took enforcement actions against at
           least seven financial service providers for violations of GLBA
           information privacy and safeguarding requirements, resulting in
           settlement agreements with

           o  an Internet mortgage lender accused of false advertising and
           failure to protect sensitive consumer information;
           o  a credit card telemarketer that allegedly failed to notify
           consumers of its privacy practices and obtained information from
           consumers under false pretenses;
           o  two or more mortgage lenders charged with failing to protect
           consumers' personal information; and
           o  three nonprofit debt management organizations accused of
           failing to notify consumers how their personal information would
           be used, and other violations.89

           NCUA, Securities, and Insurance Regulators Do Not Have Full Authority
           to Examine Third-Party Vendors, Including Information Resellers

           As part of their bank examinations, FRB, FDIC, OCC, and OTS have
           authority to examine third-party service providers, such as some
           information resellers with which banks may do business.90
           Technology service provider examinations are done under the
           auspices of FFIEC and coordinated with other regulators.91 Some
           vendors may be examined routinely; for example, officials of one
           information reseller providing services to banks told us that it
           is subject to periodic examinations under the auspices of FFIEC.
           In other cases, a service provider may be examined only once for a
           particular purpose. For example, OCC and FDIC examiners visited
           Acxiom, which provides a number of banks with information
           services, such as analyzing and enhancing customer information for
           marketing purposes. The examiners' visit focused on a security
           breach in which a client was granted access to information files
           obtained from other clients. According to Acxiom officials, this
           was a one-time review of the breach that occurred in its computer
           services operations and did not result in the company being added
           to a list of technology service providers that banking regulators
           routinely review.

           Unlike the banking regulators, NCUA does not have authority to
           examine the third-party service providers of credit unions,
           including information resellers.92 In 2003, we reported that
           credit unions increasingly rely on third-party vendors to support
           technology-related functions such as Internet banking, transaction
           processing, and fund transfers.93 With greater reliance on
           third-party vendors, credit unions subject themselves to
           operational and reputational risks if they do not manage these
           vendors appropriately. While NCUA has issued guidance regarding
           the due diligence credit unions should apply to third-party
           vendors, the agency has no enforcement powers to ensure full and
           accurate disclosure. As such, in 2003 we suggested that Congress
           consider providing NCUA with legislative authority to examine
           third-party vendors, and NCUA has also requested such authority
           from Congress. However, an NCUA official told us that few of these
           vendors are information resellers because credit unions typically
           do not use them to a great extent. He said that credit unions
           generally use methods other than resellers to comply with PATRIOT
           Act customer identification requirements, and credit unions'
           bylaws typically forbid sharing customers' personal financial
           information for marketing purposes.

           Similarly, federal securities regulators and representatives of
           state insurance regulators told us they generally do not have
           authority to examine or review the third-party service providers
           of the firms they oversee, including information resellers.
           According to SEC staff, the agency can examine the third-party
           vendor only if the firm also is an SEC-registered entity over
           which the agency has examination authority. However, they said
           that, to date, SEC has not seen sufficient problems with
           third-party vendors to justify requesting the authority to examine
           them at this time. They noted that in their examinations, they
           hold entities accountable for ensuring that personal information
           is appropriately safeguarded whether the information is managed
           in-house or by a vendor. Similarly, NASD officials said that
           although they do not have jurisdiction to oversee third-party
           vendors, their examiners review member firms' procedures for
           monitoring contractors, including whether such contracts contain
           clauses ensuring the privacy and security of customer information.
           In July 2005, NASD issued a Notice to Members reminding them that
           when they outsource certain activities as part of their business
           structure, they must conduct a due diligence analysis to ensure
           that the third-party service provider can adequately perform the
           outsourced functions and comply with federal securities laws and
           NASD rules.94 Similarly, NYSE Regulation examinations review
           third-party contracts to ensure that they contain confidentiality
           clauses prohibiting the contractor from using or disclosing
           customer information for any use other than the purposes for which
           the information was provided to the contractor. NYSE Regulation
           has proposed a rule governing its members' use of contractors,
           which, if adopted, will require member firms to follow certain
           steps in selecting and overseeing contractors, such as applying
           prescribed due diligence standards and the record-keeping
           requirements of the securities laws.95

           State insurance regulators generally do not have authority to
           examine information resellers and other third-party service
           providers. NAIC officials told us that state insurance regulators
           can only examine information resellers or other companies if they
           are registered as rating organizations--companies that collect and
           analyze statistical information to assist insurance companies in
           their rate-making process. For example, NAIC said state insurance
           regulators can examine ISO--one of the resellers included in our
           review--because it is registered with states as a rating
           organization.

           Conclusions

           Advances in information technology and the computerization of
           records have spawned the growth of information reseller
           businesses, which regularly collect, process, and sell personal
           information about nearly all Americans. The information maintained
           by resellers commonly includes sensitive personal information,
           such as purchasing habits, estimated incomes, and Social Security
           numbers. The expansion in the past few decades in the sale of
           personal information has raised concerns about both personal
           privacy and data security. Many consumers may not be aware of how
           much of their personal information is maintained and how
           frequently it is disseminated. In addition, identity theft has
           emerged as a serious problem, and data security breaches have
           occurred at some major resellers. At the same time, however,
           information resellers also provide some important benefits to both
           individuals and businesses. Financial institutions rely heavily on
           these resellers for a variety of vital purposes, including credit
           reporting (which reduces the cost of credit), PATRIOT Act
           compliance, and fraud detection. As Congress weighs various
           legislative options, it will need to consider the appropriate
           balance between protecting consumers' privacy and security
           interests and the benefits conferred by the current regime that
           allows a relatively free flow of information between companies.

           No federal law explicitly requires all information resellers to
           safeguard all of the sensitive personal information they may hold.
           As we have discussed, FCRA applies only to consumer information
           used or intended to be used to help determine eligibility, and
           GLBA's safeguarding requirements apply only to customer data held
           by GLBA-defined financial institutions. Much of the personal
           information maintained by information resellers that does not fall
           under FCRA or GLBA is not necessarily required by federal law to
           be safeguarded, even when the information is sensitive and subject
           to misuse by identity thieves. Given financial institutions'
           widespread reliance on information resellers to comply with legal
           requirements, detect fraud, and market their products, the
           possibility for misuse of this sensitive personal information is
           heightened. Requiring information resellers to safeguard all of
           the sensitive personal information they hold would help ensure
           that explicit data security requirements apply more
           comprehensively to a class of companies that maintains large
           amounts of such data. Further, although the scope of this report
           focused on information resellers, this work has made clear to us
           that a wide range of retailers and other entities also maintain
           sensitive personal information on consumers. As Congress considers
           requiring information resellers to better ensure that all of the
           sensitive personal information they maintain is safeguarded, it
           may also wish to consider the potential costs and benefits of
           expanding more broadly the class of entities explicitly required
           to safeguard sensitive personal information. Any new safeguarding
           requirements would likely be more effectively implemented and
           least burdensome if, as with FTC's Safeguards Rule, they provided
           sufficient flexibility to account for the widely varying size and
           nature of businesses that hold sensitive personal information.

           The proliferation of sensitive personal information in the
           marketplace and increasing numbers of high-profile data breaches
           have motivated many states to enact data security laws with breach
           notification requirements. No federal statute currently requires
           breach notification, but such legislation could have certain
           benefits. Companies would have incentives to improve data
           safeguarding to reduce the reputational risk of a publicized
           breach, and consumers would know to take potential action against
           a risk of identity theft or other related harm. Congress has held
           many hearings related to data breaches, and several bills have
           been introduced that would require breach notification. We support
           congressional actions to require information resellers, and other
           companies, to notify individuals when breaches of sensitive
           information occur. In previous work, we have also identified key
           benefits and challenges of notifying the public about security
           breaches that occur at federal agencies. To be cost effective and
           reduce unnecessary burden on consumers, agencies, and industry, it
           would be important for Congress to identify a threshold for
           notification that would allow individuals to take steps to protect
           themselves where the risk of identity theft or other related harm
           exists, while ensuring they are only notified in cases where the
           level of risk warrants such action. Objective criteria for when
           notification is required and appropriate enforcement mechanisms
           are also important considerations. Congress should also consider
           whether and when a federal breach notification law would preempt
           state laws.

           FTC has taken many significant enforcement actions against
           information resellers and other companies that have violated
           federal privacy laws, and it is important that the agency have the
           appropriate enforcement remedies. Unlike FCRA, GLBA does not
           provide FTC with civil penalty authority, and agency staff have
           expressed concerns that the remedies FTC has available under
           GLBA--such as disgorgement and consumer redress--are impractical
           enforcement tools for violations involving breaches of mass
           consumer data. Providing FTC with the authority to seek civil
           penalties for violations of GLBA could help the agency more
           effectively enforce that law's safeguarding provisions.

           Federal financial regulators generally appear to provide suitable
           oversight of their regulated entities' compliance with privacy and
           information security laws governing consumer information. The
           regulators do not typically distinguish between data that entities
           receive from resellers and data from other sources, but this seems
           reasonable given that the sensitivity, rather than the source, of
           the data is the most important factor in examining data security
           practices. However, state insurance regulators do not have
           examination programs comparable to those of other financial
           regulators to ensure consistent GLBA compliance. This may be a
           source of concern given the recent multistate survey that
           identified deficiencies in GLBA compliance at insurance companies.

           Matters for Congressional Consideration

           Safeguarding provisions of FCRA and GLBA do not apply to all
           sensitive personal information held by information resellers. To
           ensure that such data are protected on a more consistent basis,
           Congress should consider requiring information resellers to
           safeguard all sensitive personal information they hold. As
           Congress considers how best to protect data maintained by
           information resellers, it should also consider whether to expand
           more broadly the class of entities explicitly required to
           safeguard sensitive personal information. If Congress were to
           choose to expand safeguarding requirements, it should consider
           providing the implementing agencies with sufficient flexibility to
           account for the wide range in the size and nature of entities that
           hold sensitive personal information.

           To ensure that the Federal Trade Commission has the tools it needs
           to most effectively act against data privacy and security
           violations, Congress should consider providing the agency with
           civil penalty authority for its enforcement of the
           Gramm-Leach-Bliley Act's privacy and safeguarding provisions.

           Recommendation for Executive Action

           We recommend that state insurance regulators, individually and in
           concert with the National Association of Insurance Commissioners,
           take additional measures to ensure appropriate enforcement of
           insurance companies' compliance with the privacy and safeguarding
           provisions of the Gramm-Leach-Bliley Act. As a first step, state
           insurance regulators and NAIC should follow up appropriately on
           deficiencies related to compliance with these provisions that were
           identified in the recent nationwide survey as part of a broader
           targeted examination of GLBA privacy and safeguarding
           requirements.

           Agency Comments

           We provided a draft of this report to FDIC, FRB, FTC, NAIC, NASD,
           NCUA, NYSE Regulation, OCC, OTS, and SEC for comment. These
           agencies provided technical comments, which we incorporated, as
           appropriate. In addition, FTC provided a written response, which
           is reprinted in appendix III. In its response, FTC noted that it
           has previously recommended that Congress consider legislative
           actions to increase the protection afforded personal sensitive
           data, including extending GLBA safeguarding principles to other
           entities that maintain sensitive information. FTC also noted that
           it concurs with our finding that a civil penalty often is the most
           appropriate and effective remedy in cases under GLBA privacy and
           safeguarding provisions.

           As agreed with your offices, unless you publicly announce its
           contents earlier, we plan no further distribution of this report
           until 30 days from the report date. At that time, we will provide
           copies to other interested congressional committees, as well as
           the Chairman of the Board of Governors of the Federal Reserve
           System, the Acting Chairman of the Federal Deposit Insurance
           Corporation, the Chairman of the Federal Trade Commission, the
           President of the National Association of Insurance Commissioners,
           the Chairman and Chief Executive Officer of NASD, the Chairman of
           the National Credit Union Administration, the Chief Executive
           Officer of New York Stock Exchange Regulation, the Comptroller of
           the Currency, the Director of the Office of Thrift Supervision,
           and the Chairman of the Securities and Exchange Commission. We
           will also make copies available to others upon request. In
           addition, the report will be available at no charge on GAO's Web
           site at http://www.gao.gov.

           If you or your staff have any questions about this report, please
           contact me at (202) 512-8678 or [email protected]. Contact points for
           our Offices of Congressional Relations and Public Affairs may be
           found on the last page of this report. GAO staff who made key
           contributions to this report are listed in appendix IV.

           Yvonne D. Jones
           Director, Financial Markets and Community Investment

           Appendix I: Scope and Methodology

           Our report objectives were to examine (1) how financial
           institutions use data products supplied by information resellers,
           the types of information contained in these products, and the
           sources of the information; (2) how federal laws governing the
           privacy and security of personal data apply to information
           resellers, and what rights and opportunities exist for individuals
           to view and correct data held by resellers; (3) how federal
           financial institution regulators and the Federal Trade Commission
           (FTC) oversee information resellers' compliance with federal
           privacy and information security laws; and (4) how federal
           financial institution regulators, state insurance regulators, and
           FTC oversee financial institutions' compliance with federal
           privacy and information security laws governing consumer
           information, including information supplied by information
           resellers.

           For the purposes of this report, we defined "information
           resellers" broadly to refer to businesses that collect and
           aggregate personal information from multiple sources and make it
           available to their customers. The three nationwide credit bureaus
           were included in this definition. Our audit work focused primarily
           on larger information resellers and did not cover smaller
           Internet-based resellers because these companies were rarely or
           never used by financial institutions from which we collected
           information. Our scope was limited to resellers' use and sale of
           personal information about individuals; it did not include other
           information that resellers may provide, such as data on commercial
           enterprises. Our review of financial institutions covered the
           banking, securities, property and casualty insurance, and consumer
           lending and finance industries, but excluded life insurance and
           health insurance companies because they use health data that are
           covered by federal laws that were outside the scope of our work.
           In addition, we included financial institutions' use of reseller
           information for purposes related to customers and other consumers,
           but excluded their use of reseller products for screening their
           own employees or making business decisions such as where to locate
           a facility.

           To address all of the objectives, we interviewed or received
           written responses from 10 information resellers: Acxiom, eFunds,
           ChoicePoint, Equifax, Experian, LexisNexis, ISO, Regulatory
           DataCorp, Thomson West, and TransUnion. We also reviewed
           marketing materials, sample contracts, sample reports, and other
           items from these companies that provided detailed information on
           the data contained in their products. These companies were
           selected because, according to the financial institutions, trade
           associations, and industry experts we spoke with, they constitute
           most of the largest and most significant information resellers
           offering services to the financial industry sector, and
           collectively they represent a variety of different products. The
           information resellers we included and the products they offer do
           not necessarily represent the full scope of the industry. We also
           spoke with representatives of the Consumer Data Industry
           Association and the Direct Marketing Association, trade
           associations that represent portions of the information reseller
           industry.

           To determine how financial institutions use data products supplied
           by information resellers and the types and sources of the data, we
           also interviewed or received written responses, and collected and
           analyzed documents, from knowledgeable representatives at
           financial institutions in the banking, securities, property and
           casualty insurance, and consumer lending and finance industries.
           We gathered information from Bank of America, Citigroup, and
           JPMorgan Chase, which are the three largest U.S. bank holding
           companies by asset size, as well as Goldman Sachs, Morgan Stanley,
           and Merrill Lynch, which are the three largest global securities
           firms by revenue. We also interviewed representatives at American
           International Group, State Farm, and Allstate, which are the three
           largest U.S. insurance companies and include the two largest
           property/casualty insurers. We also interviewed representatives at
           GE Consumer Finance, one of the world's 10 largest consumer
           finance companies, and four other financial institutions (American
           Express, Wells Fargo Financial, Security Finance, and Check into
           Cash), which together offer a variety of consumer lending products,
           including automobile financing, credit cards, and payday loans. We
           also interviewed officials at trade associations representing
           these financial services industries, including the American
           Bankers Association, Independent Community Bankers of America,
           Securities Industry Association, Investment Company Institute,
           American Insurance Association, and American Financial Services
           Association.

           These financial institutions from which we gathered information
           conduct a significant portion of the transactions in the financial
           services sector. For example, they collectively own 9 of the 50
           largest commercial depository institutions, holding about 20
           percent of total domestic deposits, as well as 8 of the 10 largest
           credit card issuers. The insurance companies we spoke with
           represent about a quarter of the U.S. property and casualty
           insurer market share. In most cases, we selected these financial
           institutions by determining the largest companies in each of the
           four industries, based on data from reputable sources. In two
           cases, we spoke with firms because they were recommended by
           representatives of their trade association. Our findings on how
           financial institutions use information resellers are not
           representative of the entire financial services industry. However,
           we believe they accurately represent institutions' use of
           resellers because our findings from discussions with these
           companies and their representatives were corroborated by
           discussions with information resellers, regulators, legal experts,
           and privacy and consumer advocacy groups.

           To identify how federal privacy and data security laws and
           regulations apply to information resellers and individuals' rights
           and opportunities to view and correct reseller data, we reviewed
           and analyzed relevant federal laws, regulations, and guidance. We
           also met with staff of the Board of Governors of the Federal
           Reserve System, Federal Deposit Insurance Corporation, Federal
           Trade Commission, National Credit Union Administration, Office of
           the Comptroller of the Currency (OCC), Office of Thrift
           Supervision, and Securities and Exchange Commission, as well as
           the National Association of Insurance Commissioners (NAIC), NASD
           (formerly known as the National Association of Securities
           Dealers), New York Stock Exchange Regulation (NYSE Regulation),
           and the District of Columbia's Department of Insurance, Securities
           and Banking (DISB). In addition, we interviewed three legal
           experts in the area of privacy law who work in academia or
           represent financial institutions and information resellers. We
           also interviewed and collected documents from information
           resellers, financial institutions, federal regulators, and a
           variety of privacy and consumer advocacy groups, to gather views
           on the applicability of laws to information resellers and the
           adequacy of existing laws.

           To describe how regulators oversee information resellers' and
           financial institutions' compliance with federal privacy and data
           security laws, we met with the federal agencies, financial
           institutions, information resellers, and other parties listed
           above. We also reviewed federal agencies' guidance, examination
           procedures, settlement agreements, and other documents, as well as
           relevant reports and documents from NAIC, NASD, and NYSE
           Regulation. To help illustrate regulators' examination activities
           in this area, we also met with OCC staff who conduct examinations
           at three national banks and reviewed their examination workpapers.
           We also gathered data from regulators about the number and nature
           of examination findings, where applicable.

           To describe the efforts of state insurance regulators to oversee
           insurance companies' compliance with the Gramm-Leach-Bliley Act
           (GLBA), we also reviewed the DISB survey report of insurance
           companies' implementation of GLBA policies and procedures. DISB
           used the survey responses to determine findings for each company
           on the level of compliance with GLBA and related NAIC model rule
           provisions. The DISB review defined a "finding" as an occurrence
           of a perceived gap between a company's privacy practices and
           procedures and the guidelines outlined in one of the model acts or
           regulations of NAIC. The findings were derived from responses to
           the survey questions. The companies DISB surveyed comprised major
           companies, including property and casualty insurance groups with
           2002 gross written premiums of approximately $250 million or more;
           life insurance groups with 2002 gross written premiums of
           approximately $200 million or more; and health insurance groups
           with 2002 gross written premiums of approximately $500 million or
           more. This initial list contained 129 insurance groups. After the
           initial list was compiled, 26 groups were exempted from the survey
           examination for one of three reasons: (1) there was a prior,
           ongoing, or upcoming examination of the group that included (or
           would include) a comprehensive review of the group's privacy
           policy (23 groups); (2) the group engaged primarily or solely in
           reinsurance (2 groups); or (3) the state insurance regulator for
           the company's state of domicile requested that the group be
           exempted (1 group). The survey questionnaire included 93 questions
           asking for detailed documentary and testimonial evidence of
           companies' level of compliance with GLBA and related NAIC model
           rule provisions.

           We conducted our review from June 2005 through May 2006 in
           accordance with generally accepted government auditing standards.

           Appendix II: Sample Information Reseller Reports

           This appendix provides examples of reports from different types of
           products sold by information resellers. These sample reports,
           which are reprinted with permission, contain fictitious data and
           have also been redacted to reduce possible coincidental references
           to actual people or places.

           Sample Insurance Claims History Report

           This sample insurance claims history report from ChoicePoint
           provides insurers with insurance claims histories on individuals
           applying for coverage.

Figure 4: Sample Insurance Claims History Report

                     Sample Deposit Account History Report

ChexSystems, a subsidiary of eFunds, offers a product that assesses risks
associated with individuals applying to open new deposit accounts. The
report includes information on an applicant's account history, including
accounts closed for reasons such as overdrafts, returned checks, and check
forgery. The report may include a numeric score representing the
individual's estimated risk.

Figure 5: Sample Deposit Account History Report

             Sample Identity Verification and OFAC Screening Report

ISO, a company that provides information services to insurance companies,
offers this product for screening new customers and verifying their
identities. It provides a "pass" or "fail" response to indicate whether
information provided by the applicant matches information maintained by
the company.

Figure 6: Sample Identity Verification and OFAC Screening Report

                       Sample Fraud Investigation Report

Below are selected excerpts from a sample report of ChoicePoint's
AutoTrack XP product, which helps users such as corporate fraud
investigators and law enforcement agencies conduct investigations, locate
individuals and assets, and verify physical addresses.

Figure 7: Sample Fraud Investigation Report

Appendix III: Comments from the Federal Trade Commission

61 In the Matter of Equifax Credit Information Services, Inc., 120 F.T.C.
577 (1995). A consent agreement does not constitute an admission of a
violation of law.

62 In the Matter of Trans Union Corp., F.T.C. No. 9255, 2000 WL 257766
(2000), petition for review denied, 245 F.3d 809 (D.C. Cir. 2001).

63 United States v. ChoicePoint, Inc., No. 1:06-cv-00198-JTC (N.D. Ga.,
Feb. 15, 2006).

64 Injunctions are judicial orders commanding a party to take an action or
prohibiting a party from doing or continuing to do a certain activity.
Disgorgement is having to give up profits or other gains illegally
obtained.

65 15 U.S.C. § 1681s and 15 U.S.C. § 45(l) and (m). Regarding GLBA's
prohibition against fraudulent access to financial information where a
person obtains financial information relating to another person under
false pretenses (pretext provisions), GLBA allows FTC to seek civil
penalties for violations. Specifically, FTC has authority to enforce the
GLBA pretext provisions in the same manner and with the same power and
authority as it has under the Fair Debt Collection Practices Act (codified
at 15 U.S.C. §§ 1692-1692o). 15 U.S.C. § 6822(a). A violation of the
Fair Debt Collection Practices Act is deemed by federal law to be an
unfair or deceptive act or practice in violation of the FTC Act, which
means that FTC may impose civil penalties. 15 U.S.C. § 1692l(a); and
United States v. National Financial Services, Inc., 98 F.3d 131, 139-141
(4th Cir. 1996). According to FTC officials, they do not have similar
civil penalty authority for violations of GLBA's privacy and safeguarding
provisions.

66 12 U.S.C. § 1818(i)(2)(A)(i).

67 Some exceptions may exist. For example, section 411 of the FACT Act
(which amended section 604(g) of FCRA (12 U.S.C. 1681b(g))), generally
limits with certain exceptions creditors' ability to obtain or use medical
information pertaining to a consumer for credit purposes. This section
requires the banking regulatory agencies and NCUA to issue regulations
relating to the use of medical information in credit transactions. The
regulations apply broadly, and the exceptions therein are available to all
creditors, not just the financial institutions supervised by those
agencies. See final rule published at 70 Fed. Reg. 70664, 70665-6 (Nov.
22, 2005).

68 In addition to the responsibilities assigned to financial institution
regulators and FTC, FCRA assigns enforcement authority to the Departments
of Transportation and Agriculture for entities subject to their oversight,
such as transportation carriers.

69 The various banking agency GLBA and FCRA regulations can be found at 12
C.F.R. Parts 40 and 41 (OCC); 12 C.F.R. Parts 216, 222, and 232 (FRB); 12
C.F.R. Parts 332 and 334 (FDIC); 12 C.F.R. Parts 573 and 571 (OTS); and 12
C.F.R. Parts 716 and 717 (NCUA).

70 65 Fed. Reg. 35162 (June 1, 2000); and 65 Fed. Reg. 31722 (May 18,
2000). OCC, FRB, OTS, and FDIC issued their rules jointly. All of the
rules were substantively identical but contained differences to account
for differences between the agencies' legal authorities and, as
appropriate, for the types of institutions within each agency's
jurisdiction.

71 66 Fed. Reg. 8616 (Feb. 1, 2001) ("Interagency Guidelines Establishing
Standards for Safeguarding Customer Information") (renamed "Interagency
Guidelines Establishing Information Security Standards," 70 Fed. Reg.
15736 (Mar. 29, 2005)).

72 70 Fed. Reg. 15736 (Mar. 29, 2005) ("Interagency Guidance on Response
Programs for Unauthorized Access to Customer Information and Customer
Notice").

73 Pub. L. No. 108-109, 117 Stat. 1952 (Dec. 4, 2003).

74 See 15 U.S.C. § 1681w; 69 Fed. Reg. 77610 (Dec. 28, 2004); and 69 Fed.
Reg. 68690 (Nov. 24, 2004).

75 The examinations are risk-based and conducted in cycles depending on the
institution's condition and size. Banking regulators are required by law,
12 U.S.C. § 1820(d), to examine insured institutions for safety and
soundness at least once during each 12-month period, except for smaller
institutions that meet specified conditions that can be examined each
18-month period. We use the term "thrifts" to refer to savings
associations.

76 Banking regulators have broad enforcement powers and can take formal
actions (cease and desist orders, civil money penalties, removal orders,
and suspension orders, among others) or informal enforcement actions (such
as memoranda of understanding and board resolutions). Informal actions are
generally not publicly disclosed.

77 65 Fed. Reg. 40334 (June 29, 2000), codified at 17 C.F.R. Part 248. SEC,
NASD, and NYSE Regulation regulate broker-dealers by, among other things,
examining their operations and reviewing customer complaints. SEC
evaluates the quality of NASD and NYSE oversight in enforcing their
members' compliance with federal securities laws through self-regulatory
organization oversight inspections and broker-dealer oversight
examinations. SEC is the primary regulator of investment companies and
investment advisers registered with the SEC.

78 17 C.F.R. § 248.30.

79 An examination finding would be any compliance deficiency (including an
internal control weakness) or violation requiring corrective action.

80 NASD Notice to Members 00-66 (September 2000).

81 NASDR Regulatory and Compliance Alert (Summer 2001).

82 NASD Notice to Members 05-49 (July 2005).

83 NYSE Information Memoranda Nos. 01-10 (June 19, 2001) and 01-13 (June
21, 2001).

84 15 U.S.C. § 6805(a)(6). State insurance authorities may enforce GLBA
and may establish privacy regulations. However, GLBA mandates that state
insurance authorities establish standards for safeguarding customer
information and that the standards be implemented by rules. 15 U.S.C. §§
6801(b) and 6805(b)(2). Moreover, if a state insurance authority fails to
adopt regulations to carry out GLBA's privacy and safeguarding provisions,
the state forfeits its eligibility under GLBA to override certain customer
protection regulations promulgated by the federal depository institution
regulators applicable to insurance sales by or at depository institutions.
15 U.S.C. § 6805(c).

85 We did not corroborate or independently verify NAIC's analysis.

86 GAO, Financial Privacy: Status of State Actions on Gramm-Leach-Bliley
Act's Privacy Provisions, GAO-02-361 (Washington, D.C.: Apr. 12, 2002).

87 District of Columbia, Department of Insurance, Securities and Banking,
Preliminary Report: Status of Insurance Industry Practices and Procedures
to Protect the Privacy of Customer Information (September 2005). According
to department staff, the final report is pending. The staff said the
preliminary and final results should not differ because the preliminary
results included responses of more than 90 percent of the companies,
including all of the large companies.

88 FTC's GLBA and FCRA regulations can be found at 16 C.F.R. Parts 313 and
314 and 16 C.F.R. Parts 600 through 698.

89 FTC v. 30 Minute Mortgage, Inc., No. 03-60021-CIV (S.D. Fla. 2003); FTC
v. Sainz Enterprises LLC, No. 04WM-2078 (CBS) (D. Co. 2004); In the Matter
of Superior Mortgage Corp., F.T.C. No. 052-3136 (2005); In the Matter of
Sunbelt Lending Servs., FTC No. C-4129 (2005); In the Matter of Nationwide
Mortgage Group, Inc., F.T.C. No. 9319 (2005); FTC v. Nat'l. Consumer
Council, Inc., No. SACV04-0474CJC (JWJX) (C.D. Cal. 2005); FTC v. Debt
Mgmt. Found. Serv., Inc., No. 8:04-cv-01674-EAK-MSS (M.D. Fla. 2005). A
consent agreement does not constitute an admission of a violation of law.

90 See 12 U.S.C. § 1867 (FRB, FDIC, and OCC); and 12 U.S.C. § 1464(d)(7)
(OTS).

91 In January 2006, we reported on contractors' access to and sharing of
Social Security numbers and federal oversight of regulated entities that
contract for services. See GAO, Social Security Numbers: Stronger
Protections Needed When Contractors Have Access to SSNs, GAO-06-238
(Washington, D.C.: Jan. 23, 2006).

92 NCUA had temporary authority to examine third-party service providers
under the Examination Parity and Year 2000 (Y2K) Readiness for Financial
Institutions Act, Pub. L. No. 105-164, 112 Stat. 32 (Mar. 20, 1998), but
that authority expired as of December 31, 2001. 12 U.S.C. § 1786a(c) and
(f).

93 GAO, Credit Unions: Financial Condition Has Improved, but Opportunities
Exist to Enhance Oversight and Share Insurance Management, GAO-04-91
(Washington, D.C.: Oct. 27, 2003).

94 NASD Notice to Members 05-48 (July 2005).

95 SR-NYSE-2005-22, Proposed Rule 340, Outsourcing: Due Diligence and
Conditions in the Use of Service Providers, and Proposed Amendments to
Rule 342, Offices: Approval, Supervision and Control (Mar. 16, 2005).

Appendix IV: GAO Contact and Staff Acknowledgments

                                  GAO Contact

Yvonne D. Jones, (202) 512-8678 or [email protected]

                             Staff Acknowledgments

In addition to the contact named above, Jason Bromberg, Assistant
Director; Katherine Bittinger; David Bobruff; Randy Fasnacht; Evan Gilman;
Marc Molino; David Pittman; Linda Rego; and David Tarosky made key
contributions to this report.

(250249)

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site (www.gao.gov). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548

To order by Phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected], (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected], (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548

www.gao.gov/cgi-bin/getrpt?GAO-06-674

To view the full product, including the scope and methodology, click on
the link above.

For more information, contact Yvonne D. Jones at (202) 512-8678 or
[email protected].

Highlights of GAO-06-674, a report to the Committee on Banking, Housing
and Urban Affairs, U.S. Senate

June 2006

PERSONAL INFORMATION

Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard
All Sensitive Data

The growth of information resellers (companies that collect and resell
publicly available and private information on individuals) has raised
privacy and security concerns about this industry. These companies
collectively maintain large amounts of detailed personal information on
nearly all American consumers, and some have experienced security breaches
in recent years.

GAO was asked to examine (1) financial institutions' use of resellers; (2)
federal privacy and security laws applicable to resellers; (3) federal
regulators' oversight of resellers; and (4) regulators' oversight of
financial institution compliance with privacy and data security laws. To
address these objectives, GAO analyzed documents and interviewed
representatives from 10 information resellers, 14 financial institutions,
11 regulators, industry and consumer groups, and others.

What GAO Recommends

Congress should consider (1) requiring information resellers to safeguard
all sensitive personal information they hold, and (2) giving FTC civil
penalty authority for enforcement of GLBA's privacy and safeguarding
provisions. GAO also recommends that state insurance regulators ensure
compliance with GLBA.

Financial institutions such as banks, credit card companies, securities
firms, and insurance companies use personal data obtained from information
resellers to help make eligibility determinations, comply with legal
requirements, prevent fraud, and market their products. For example,
lenders rely on credit reports sold by the three nationwide credit bureaus
to help decide whether to offer credit and on what terms. Some companies
also use reseller products to comply with PATRIOT Act rules, to
investigate fraud, and to identify customers with specific characteristics
for marketing purposes.

GAO found that the applicability of the primary federal privacy and data
security laws--the Fair Credit Reporting Act (FCRA) and Gramm-Leach-Bliley
Act (GLBA)--to information resellers is limited. FCRA applies to
information collected or used to help determine eligibility for such
things as credit or insurance, while GLBA only applies to information
obtained by or from a GLBA-defined financial institution. Although these
laws include data security provisions, consumers could benefit from the
expansion of such requirements to all sensitive personal information held
by resellers.

The Federal Trade Commission (FTC) is the primary federal agency
responsible for enforcing information resellers' compliance with FCRA's
and GLBA's privacy and security provisions. Since 1972, the agency has
initiated formal enforcement actions against more than 20 resellers,
including the three nationwide credit bureaus, for violating FCRA.
However, FTC does not have civil penalty authority under the privacy and
safeguarding provisions of GLBA, which may reduce its ability to enforce
that law most effectively against certain violations, such as breaches of
mass consumer data.

In overseeing compliance with privacy and data security laws, federal
banking and securities regulators have issued guidance, conducted
examinations, and taken formal and informal enforcement actions. A recent
national survey sponsored by the National Association of Insurance
Commissioners (NAIC) identified some noncompliance with GLBA by insurance
companies, but state regulators have not laid out clear plans with NAIC
for following up to ensure these issues are adequately addressed.

[Figure: Typical Information Flow through Resellers to Financial
Institutions]
*** End of document. ***