Privacy Advisor

Privacy News

May 1, 2007

New Identity Theft Scam Targets Executives
Debix, the Identity Protection Network, is warning corporate executives to be aware of identity theft specifically targeted to them.

Debix, joined by LooksTooGoodToBeTrue.com, a Web site funded by the United States Postal Inspection Service, the Federal Bureau of Investigation and the Merchant Risk Council, is advising executives and businesses to take precautions to prevent fraudsters from accessing their lines of credit by stealing the identity of their business executives.

Working with industry and law enforcement, the groups have found a scam in which an ID thief defrauds businesses by stealing the identity of a business executive at a publicly traded company, where personal information such as date of birth, address and phone number is easily accessible in public records. The fraudster then applies for a new credit account at an online retail store in the name of the company and uses the executive's information as a personal guarantee.

The fraudster then orders costly equipment, such as computers, which would quickly deplete the credit line. By the time the retailer sends the delinquent account to collections, the criminal has moved on to the next victim.

"Because these are business lines of credit, often in excess of $20,000, the fraud losses are quick and substantial," said Julie Fergerson, VP of Emerging Technologies at Debix and Co-Founder and Board Member of the Merchant Risk Council. "The good news is executives and businesses can both take simple steps to protect themselves."

Debix and the Merchant Risk Council, a non-profit organization dedicated to helping merchants prevent fraud, recommend that executives place a fraud alert on their credit files. After a request is made for credit, the creditor would be required to contact the telephone number placed in the executive's credit file before issuing new lines of credit.


Class Action Lawsuits Cropping Up Over Credit Card Receipts
Companies that collect or process credit cards should be aware of a new set of lawsuits related to the printing of credit card numbers on receipts, advises Kirk J. Nahra, CIPP, of Wiley Rein LLP and Editor of The Privacy Advisor.

In a recent communication, Nahra informed clients that a new series of class action lawsuits - brought primarily in California, but expanding around the country - stem from section 1681c(g) of the Fair Credit Reporting Act, a new requirement from the Fair and Accurate Credit Transactions (FACTA) law that prohibits the printing of full credit card numbers on receipts.

Plaintiffs' class action lawyers are taking the position that FACTA permits statutory damages of up to $1,000 per willful violation of the law, as a means of attempting to avoid more common problems related to a lack of damages in certain privacy and security cases.  

The Bureau of National Affairs reports that more than 100 of these suits have been filed in California. A limited number of cases have been filed in other states.

While these suits are new, there has been one early decision testing part of this theory. In a case involving Ikea (Eskandari v. Ikea U.S. Inc, C.D. Cal. No. 8:06-cv-01248-JVS-RNB (March 12, 2007)), the court issued the first decision in this area, ruling on Ikea's assertion that the Fair Credit Reporting Act did not create a private cause of action for violation of this FACTA provision. The court, in a brief decision, held that the "plain language" of the statute "provides a private right of action for consumers." Accordingly, while this is only the first step in what is likely to be a much more significant battle, the court has allowed this case to go forward.

Companies should promptly review their policies related to credit card receipts, Nahra said. They also should begin to review more aggressively the overall requirements of the FACTA law, including such broadly applicable provisions as the "disposal rule" related to the disposal of consumer report information.


Richard Thomas Reappointed as UK Information Commissioner
Richard Thomas has been reappointed to a second term as Information Commissioner for the UK. Thomas' current five-year term expires in November 2007, after which he will serve another two years until June 2009.

"I am obviously very pleased to be asked to continue for the next two years," Thomas told the IAPP. "It is a real privilege to lead the ICO and a very satisfying and rewarding role to ensure that both Freedom of Information and Data Protection are being taken seriously and bring real benefit to the public. I have also very much enjoyed my contact with the international privacy and data protection community and look forward to this further period of cooperation."

Thomas was a keynote speaker at the IAPP Privacy Summit 07 in Washington, D.C. His previous career has included serving as Director of Public Policy at Clifford Chance (the international law firm), Director of Consumer Affairs at the Office of Fair Trading, Head of Public Affairs and Legal Officer at the National Consumer Council and Solicitor with the Citizens Advice Bureau Service. He also has held various public appointments, including membership of the Lord Chancellor's Civil Justice Review Advisory Committee and the Board of the Financial Ombudsman Service.


Most Trusted Companies for Privacy Receive Accolades
TRUSTe and the Ponemon Institute have announced the results of the 2007 Most Trusted Companies for Privacy Study, an annual evaluation of how consumers perceive organizations that collect and manage their personal information. The study ranks companies and federal agencies by industry and compiles a list of the overall top performing companies.

For the second year in a row, American Express was rated the top company for privacy trust, followed by Charles Schwab and IBM. Last year's top three were American Express, Amazon and Procter & Gamble. Previous years' winners have included E-Loan, Hewlett-Packard and eBay.

The survey is a Web-based study that gathers information from participants over a six-week period, which ended in February 2007. Responses related to more than 200 companies were analyzed and ranked.

"The Most Trusted Companies for Privacy Study is one of the most interesting and important studies of the year as it gives us a picture of how the public's perceptions change from year-to-year and how different companies respond to evolving privacy challenges," said Larry Ponemon, CIPP, Chairman and Founder, Ponemon Institute. "While we read the bad news in the headlines, it is clear that there are many companies that have put on the mantle of privacy leadership, and that are setting a stellar example for others to follow with their superlative privacy and data security programs."

The executive summary and survey results can be found at www.truste.org/pdf/2007_Most_Trusted_Companies.pdf.