Federal Privacy Laws Don’t Require Resellers to Safeguard All Data

A recent report from the Government Accountability Office (GAO) found that federal privacy and data laws such as the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA) have limited applicability to information resellers.

According to the GAO, the FCRA applies to information collected or used to determine eligibility for things such as credit cards and insurance, while the GLBA applies only to information obtained by or from a GLBA-defined financial institution. The GAO also wrote that while these laws do have provisions for privacy and security, consumers would be better off if requirements were expanded to all forms of sensitive personal data used by resellers.

The GAO also pointed out that the Federal Trade Commission (FTC) is the primary agency enforcing reseller compliance with both acts, but that it does not have civil penalty authority under the privacy and safeguarding provisions of the GLBA. The report states that this may reduce the FTC's ability to enforce that law most effectively against certain violations, such as breaches of mass consumer data.

The GAO recommended that Congress consider requiring information resellers to safeguard all sensitive personal information and giving the FTC civil penalty authority for enforcement of the GLBA's privacy and safeguarding provisions. Additionally, the GAO recommended that state insurance regulators ensure compliance with the GLBA.

Compiled by Paul Kerstein


Copyright © 2006 IDG Communications, Inc.
