Choice or consequences: Protecting privacy in commercial information

University of Chicago Law Review

Volumn 75, Issue 1, 2008, Pages 109-136

  Beales III, J Howard ^a,b   Muris, Timothy J ^b,c  

^a GEORGE WASHINGTON UNIVERSITY   (United States)

^b FTC 2001 2004

^c GEORGE MASON UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 42349116295     PISSN: 00419494     EISSN: None     Source Type: Journal    
DOI: None     Document Type: Conference Paper

References (102)

1. A wide variety of information products exist, offering substantial benefits. These products include tools to reduce the risk of fraud, facilitate credit-granting decisions, and locate individuals. Information tools also offer easier access to public records, thus helping to monitor official conduct, protect our most vulnerable citizens from criminals and sexual predators, monitor land use and development, and determine whether licensed professionals are who they claim to be.
2. According to LexisNexis, the risk management sector includes identity authentication, fraud prevention, and credit and security risk products. Reed Elsevier, Reed Elsevier Announces the Acquisition of Seisint, Inc. for $775 Million (July 14, 2004), online at http://www.reed-elsevier.com/ index.cfm?Articleid=965 (visited Jan 12, 2008).
3. KPMG Corporate Finance, Background Screening *1 (Fall 2003), online at http:// web.archive.org/web/20060706171129/http://www.kpmgcorporatefinance. com/us/pdf/bkgd_screen.pdf (visited Jan 12, 2008).
4. The data-matching process used in credit reporting is discussed in detail in FTC, Report to Congress under Sections 318 and 319 of the Fair and Accurate Credit Transactions Act of 2003 36-46 (2004), online at http://www.ftc.gov/reports/facta/041209factarpt.pdf (visited Jan 12, 2008).
5. Studies of unemployment insurance records, for example, suggest that the error rates in entering social security numbers range from 0.5 to 4 percent. Id at 39. Unlike credit card numbers, social security numbers do not include a "checksum" digit, which can be derived mathematically from the other digits in the number. Thus, a computer can check to ensure the credit card number is internally consistent, which substantially reduces the chances of undetected typographical errors.
6. The consequences of either incompleteness or inaccuracy depend on the particular item of information involved. Either type of error about a recent bankruptcy filing, for example, is more serious than if the information is about a recent account that was paid on time.
7. Identity Theft: Recent Developments Involving the Security of Sensitive Consumer Information, hearing before the Senate Committee on Banking, Housing, and Urban Affairs, 4 (Mar 10, 2005) (statement of the FTC), online at http://ftc.gov/os/testimony/050310idtheft.pdf (visited Jan 12, 2008).
8. Many uses of information are restricted under various federal statutes. Under § 604 of the Fair Credit Reporting Act (FCRA), Pub L No 91-508, 84 Stat 1128, codified in relevant part at 15 USCA § 1681b (2007), for example, information that constitutes a "consumer report" can be used only for a narrowly drawn list of permissible purposes.
9. A major national credit card issuer with approximately forty-five million accounts, growing by about ten thousand accounts a day, realized a 13 percent decrease in application fraud losses and annual savings of $18 million by implementing a basic identity authentication tool. Similarly, a national wireless telecommunications provider reduced its fraud losses per handset by 55 percent and decreased the time it took to confirm fraud records by 66 percent. FTC, Panel on the Costs and Benefits of the Collection and Use of Consumer Information for Credit Transactions 11-12 (June 18, 2003) (testimony of Laura DeSoto, Senior Vice President, Credit Services, Experian).
10. Better targeting would reduce the marginal cost of acquiring a new customer, which would mean that sellers would seek to acquire more customers. This expansion in the amount of marketing would tend to increase the number of solicitations received. On the other hand, the increased productivity of marketing means that it takes fewer solicitations to generate a customer, which would reduce the number of solicitations received. Which factor would predominate is not obvious a priori.
11. See FTC, Email Address Harvesting: How Spammers Reap What You Sow 1 (Nov 2002), online at http://library.findlaw.eom/2003/Aug/8/132973.pdf (visited Jan 12, 2008).
12. Report of the Secretary's Advisory Committee on Automated Personal Data Systems, US Department of Health, Education, and Welfare, Records, Computers, and the Rights of Citizens (1973), online at http://www.epic.org/privacy/ hew1973report (visited Jan 12, 2008).
13. Other FIPs include access and correction (the notion that consumers should be able to examine and correct information about them). In some contexts (like credit reporting), these approaches are helpful, but in others they can create problems. Consider, for example, a database of identities that have been used to commit frauds. The only person with a real interest in examining and correcting such a database is the thief who used that identity once and would like to use it again. Similarly, the fact that one person's name has at some point been used with another person's social security number looks like an error to each of them, but knowing that fact helps creditors reduce the risk of, fraudulent applications, thereby protecting both. FIPs also require that information holders protect the information, a notion that we explore at some length below.
14. The most that even diligent readers of financial privacy disclosures might learn is that information "may" be shared to process a transaction. Plainly, such an incantation does not cure any privacy problem that would otherwise exist.
15. See Susan E. Henrichsen, What Privacy Notice?, Presentation at Interagency Public Workshop on Financial Privacy Notices, slide 3 (Office of the Attorney General, California, Dec 4, 2001) (reporting that according to a May 2001 American Bankers Association survey, 41 percent of consumers did not recall receiving the notice, 22 percent had received but not read the notice, and 36 percent had read the notice).
16. The situation is no different with respect to internet privacy notices. Although the vast majority of websites have privacy policies, there is little evidence that consumers actually click on them, let alone read them. In a survey by the Privacy Leadership Initiative, a group of corporate and trade association executives, only 3 percent of consumers read websites' privacy policies carefully, and 64 percent only glanced at-or never read-websites' privacy policies. Privacy Leadership Initiative (PLI), Privacy Notices Research: Final Results (Dec 2001), online at https:// www.bbbonline.org/ UnderstandingPrivacy/library/datasum.pdf (visited Jan 12, 2008).
17. In many contexts, consumers can use the market to substitute money for time, hiring an agent to perform a task that would otherwise require their own time. It is difficult to imagine a practical market substitute for reading privacy notices and exercising choice, however.
18. See Eric Johnson and Daniel Goldstein, Do Defaults Save Lives?, Science 1338, 1339 (Nov 21, 2003). Under the European Union's Privacy Directive, all EU members have an opt-in default rule for information sharing. Consumers are presumed willing to share their organs, but not their information.
19. Richard Posner, Organ Sales - Posner's Comment, The Becker-Posner Blog (Jan 1, 2006), online at http://www.becker-posner-blog.com/archives/2006/ 01/organ_salesposn.html (visited Jan 12, 2008).
20. Of course, some consumers care intensely about privacy issues and are willing to bear the decisionmaking costs of processing and deciding about privacy notices. Default rules should be designed to impose those costs on consumers who think they are worth paying. An opt-out default rule means that consumers who do not think that decisionmaking costs are worthwhile do not need to bear those costs. Consumers who care intensely, however, will face the costs of making a decision. In contrast, an opt-in default rule frees those who care the most about the issue to avoid the decision costs, because the default will accord with their preferences.
21. See generally John M. Barron and Michael Staten, The Value of Comprehensive Credit Reports: Lessons from the U.S. Experience (2000), online at http://privacyalliance.org/resources/staten.pdf (visited Jan 12, 2008) (discussing the benefits of the US system of comprehensive credit reporting, and offering the US system as a model for credit reporting systems in other countries that currently do not fully realize the benefits of comprehensive credit reporting due to varying limitations from country to country on lenders' access to personal credit history for the purpose of assessing risk).
22. In 1970, when the Fair Credit Reporting Act was enacted, outstanding consumer credit in constant dollars was $556 billion. Fair Credit Reporting Act, hearing before the House Committee on Financial Services (July 9, 2003) (statement of the FTC), online at http://www.ftc.gov/os/2003/07/fcratest. html (visited Jan 12, 2008).
23. In 2002, it was $7 trillion. Fred H. Cate, et al, Financial Privacy, Consumer Prosperity, and the Public Good: Maintaining the Balance ii (AEI-Brookings Joint Center for Regulatory Studies, Mar 2003).
24. The percentage of families in the lowest income quintile with a credit card has increased from 2 percent in 1970 to 38 percent in 2001. The Information Policy Institute, The Fair Credit Reporting Act: Access, Efficiency & Opportunity - The Economic Importance of Fair Credit Reauthorization ("IPI Report") 5 (June 2003).
25. Recently, some states have enacted so-called "freeze" laws, allowing consumers to block access to their credit reports. Generally, these statutes include exceptions that effectively limit their applicability to when the consumer is applying for a new account. Freezes, for example, do not block access to credit reports for purposes of risk management or pricing a note or obligation in a transaction. Moreover, various hurdles have made requesting a freeze difficult, and only about 50,000 consumers have so requested. See Brian Krebs, States Offer Consumers New Tool to Thwart Identity Theft: Consumers Largely Unaware of Credit Freeze, washingtonpost.com (May 9,2007), online at http://www.washingtonpost.com/wp-dyn/content/article/2007/05/09/ AR2007050900427.html (visited Jan 12, 2008). More importantly for our argument, they do not allow consumers choice about what information is included in their credit file.
26. Although creditors could demand access to a credit report as a condition of granting credit, they could no longer distinguish between the consumer who has no report because he has no prior experience with credit and the very different consumer who has a bad credit history but has blocked reporting of any information. Both consumers would have no file. Or, a deadbeat with choice might maintain one account in good standing and repeatedly open and default on other accounts without allowing reporting. The result would have elements of a "lemons" market. See George A. Akerloff, The Market for "Lemons": Quality Uncertainty and the Market Mechanism, 84 Q J Econ 488,490-92 (1970) (demonstrating that asymmetrical information can lead to market conditions wherein poor-quality products drive out high-quality products). Choice would undermine the mechanism that allows lenders to differentiate consumers based on risk. A likely response of lenders would be to rely more heavily on their own experience with a consumer, thus tying consumers more tightly to a particular lender and reducing willingness to lend to strangers.
27. See generally IPI Report (cited in note 23) (analyzing the many benefits of comprehensive credit reporting).
28. Richard R. Powell and Michael Allan Wolf, ed, 14 Powell on Real Property § 82.01[3] at 82-12 (Matthew Bender 2007).
29. See Dwyer v American Express Co, 652 NE2d 1351, 1354 (Ill App 1995) (dismissing the plaintiff consumer's challenge to American Express's practice of renting lists compiled from information contained in its own records, because by using the American Express card, the consumer voluntarily gave the information to American Express, which simply compiled and analyzed that information);
30. Shibley v Time, Inc, 341 NE2d 337, 339-40 (Ohio App 1975) (upholding the defendant's practice of selling subscription lists to direct mail advertisers when subscribers' profiles were used only to determine what type of advertisement was to be sent).
31. Moreover, consumers' preferences regarding a seller's use of transaction information for other purposes may differ. See Shibley v Time. Inc, 321 NE2d 791,797 (Ohio Ct Com Pl 1974) (noting that large portions of the class may have preferred receiving the unsolicited mail and supported the sale of mailing lists).
32. According to the March 2003 Westin/Harris Interactive poll, 64 percent of adults polled are "privacy pragmatists" who are often willing to permit the use of their personal information if they are given a rationale and tangible benefits for such use and if they sense that safeguards are in place to prevent the misuse of their information. See Humphrey Taylor, Most People Are "Privacy Pragmatists" Who, While Concerned about Privacy, Will Sometimes Trade It Off for Other Benefits, The Harris Poll No 17 (Mar 19, 2003), online at http://www.harrisinteractive.com/harris_poll/index.asp?PID=365 (visited Jan 12, 2008). In a notice and choice system, however, most of these consumers are unlikely to take the time and effort in individual transactions to understand the benefits and costs of a specific sharing of information.
33. The rulemaking record contained thousands of comments from individual consumers, often with extremely colorful descriptions of the unwanted practices of telemarketers. See FTC, Telemarketing Sales Rule, 16 CFR. Part 310, online at http://www.ftc.gov/bcp/rulemaking/ tsr/tsrrulemaking/index.shtm (visited Jan 12, 2008) (linking to public comments).
34. For the final rule, see FTC, Telemarketing Sales Rule, 68 Fed Reg 4580 (2003) (amending 16 CFR Part 310).
35. See Mainstream Marketing Services, Inc v FTC, 358 F3d 1228, 1237-38 (10th Cir 2004) (upholding the constitutionality of the national Do Not Call Registry and its fees against a challenge by telemarketing companies and a trade association alleging that the Do Not Call Registry violated the challengers' First Amendment free speech rights). The court explained that [o]ne important aspect of residential privacy is protection of the unwilling listener. . . .[A] special benefit of the privacy all citizens enjoy within their own walls, which the State may legislate to protect, is an ability to avoid intrusions. Thus, we have repeatedly held that individuals are not required to welcome unwanted speech into their own homes and that the government may protect this freedom.
36. Id, quoting Frisby v Schultz, 487 US 474, 484-85 (1988).
37. Ayres and Funk have argued that do not call lists are an all or nothing choice and that a mechanism to allow consumers to name a price at which they would be willing to accept calls would be an improvement. Ian Ayres and Matthew Funk, Marketing Privacy, 20 Yale J Reg 77, 106 (2003) (noting that potential recipients of marketing calls might prefer options between the extremes of all calls or no calls). In fact, however, the rule allows consumers to authorize any seller to call them, even if they are listed on the Do Not Call Registry. Some sellers have offered, for example, contests or drawings that allow consumers the chance to win a prize in exchange for express written authorization for telemarketing calls from that seller. The rule also permits consumers to allow most calls but request that specific companies not call them.
38. Of course, the Do Not Call Registry gives consumers a choice about receiving telemarketing calls. This choice is very different from the choice that FIPs contemplates, however. The choice pertains to the calls, not the information. It need be exercised only once every five years, rather than every time information is provided. Moreover, a FIPs choice that permits information sharing is difficult to reverse once the information has been shared and the consequences are known. A Do Not Call choice is easy to change.
39. See Willie Sutton and Edward Linn, Where the Money Was 119-21 (Viking 1976) (defining the so-called "Sutton Principle" and admitting that Sutton actually never uttered the oftquoted line).
40. See Attrition.org, DLDOS: Data Loss Database-Open Source, online at http://attrition.org/dataloss/dldos.html (visited Jan 12, 2008).
41. See Etoliated Consumer/Citizen, Statistics, online at http://www.etiolated.org/statistics (visited Jan 12, 2008).
42. Id. The data are based on when the incident was reported, rather than when the breaches occurred. The 2007 statistics, for example, include 45.7 million records compromised at TJ Maxx over a period that apparently began in July 2005. See Larry Greenmeier, Dubious Distinction: 45 Million Credit and Debit Card Records May Have Been Compromised, Info Week 21 (Apr 2, 2007), online at http://www.informationweek.com/showArticle.jhtml;jsessionid= 1TLIM4U3NUK3GQSNDLRCKH0CJUNN2JVN?articleID=198701551 (visited Jan 12, 2008).
43. See Attrition.org, Data Loss Database-Open Source Key, online at http://attrition.org/dataloss/dldoskey.html (visited Jan 12, 2008).
44. Beth Rosenberg, Chronology of Data Breaches 2006: Analysis (Privacy Rights Clearing-house, Feb 1, 2007), online at http://www. privacyrights.org/ar/DataBreaches2006-Analysis.htm (visited Jan 12, 2008). The numbers do not add to 100 percent due to rounding.
45. Id.
46. Information about an association may be sensitive in particular cases. For example, the fact that an individual had a customer relationship with a psychiatric hospital would be sensitive.
47. An analysis of seventy breaches publicly announced between February 15, 2005 and September 30, 2005 found that 77 percent were "identity- level" breaches that involved social security numbers. See ID Analytics, National Data Breach Analysis 10 table 3 (Jan 2006), summary online at http://www.idanalytics.com/assets/pdf/national-data-breach-analysis-overview. pdf (visited Jan 12, 2008).
48. Tom Zeller, Jr., UPS. Loses a Shipment of Citigroup Client Data, NY Times C1 (June 7, 2005).
49. ID Analytics, National Data Breach Analysis at 10 table 3 (cited in note 42). The distributions are similar for the number of consumers affected. A single large breach (the CardSystems breach) accounted for approximately 90 percent of the intentionally breached consumers. Excluding this breach, 11.4 percent of the compromised consumers were accidental breaches, and 54.3 percent were intentional. Eleven percent were incidental. Id.
50. A total of fourteen breaches were intentional, involving either hacking (eleven breaches), deceptions to obtain access to the data (two breaches), or employee theft (one breach). Thus, fraud occurred in 29 percent of the intentional breaches, and may have occurred in an additional 14 percent. Five breaches were incidental and four were accidental. One breach involved unrelated fraud charges against an employee with access to sensitive data, but there is no evidence that the data were compromised. See GAO, Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown 26 table 1 (June 2007), online at http://www.gaagov/new.items/d07737.pdf (visited Jan 12, 2008).
51. ID Analytics, National Data Breach Analysis at 10, 25 (cited in note 42).
52. The study assumed that the thief works 6.5 hours per day, five days per week, and fifty weeks per year. Markets for stolen information exist to reduce these logistical barriers. Numerous "carding sites" traffic in stolen credit card data, for example. The Secret Service estimates that the two largest carding cites currently have over 20,000 member accounts. The President's Identity Theft Task Force, Combating Identity Theft: A Strategic Plan 20 (2007), online at http://www.idtheft.gov/reports/StrategicPlan.pdf (visited Jan 12, 2008).
53. Id. Because the methodology only detects misuse that occurs among ID Analytics's subscribers, this figure is undoubtedly an understatement. Currently, the company evaluates almost 40 million transactions per month, and its risk scores are offered to card issuing banks through Visa USA. See ID Analytics, Strength in Numbers 2 (2006), online at http://web.archive. org/web/20061017120625/www.idanalytics.com/pdf/IDNetworkOverview.pdf.
54. Synovate, Federal Trade Commission: Identity Theft Survey Report ("FTC 2003 Identity Theft Survey Report") (Sept 2003), online at http://www.ftc.gov/os/2003/09/synovatereport.pdf (visited Jan 12, 2008).
55. Credit cards accounted for 67 percent of the misused existing accounts. Other accounts misused included checking or saving accounts (19 percent), telephone accounts (9 percent), internet accounts (3 percent), and insurance accounts (2 percent). Id at 33.
56. Id at 7. The incidence and cost figures are based on respondents who were victims of identity theft within the year prior to the survey. Other data are based on respondents victimized within the five years prior to the survey. The modal value of what the thief obtains with compromised existing accounts is $100-$499 (30 percent of victims). For new account fraud, the modal value is $5,000 or more (36 percent). Id at 41.
57. New account fraud also includes other misuses of identity that may have particularly serious consequences. For example, 4 percent of all victims (including existing account fraud victims) report that a crime was committed using their identity, 3 percent report that the thief obtained government documents, and 2 percent report that the thief filed tax returns in their name. Id at 37.
58. Id at 26. Moreover, 50 percent spent less than one hour to resolve the problem, versus only 15 percent for new account fraud. Id at 45.
59. Id at 43. Among victims of new account frauds, 16 percent experienced out-of-pocket losses of $1,000 or more, compared to only 3 percent of victims of credit card fraud.
60. Id at 7.
61. Credit card systems have reduced the fraud rate on general purpose credit cards in the United States from a high in 1992 of 15.7 cents per $100 of cash and spending to 4.7 cents in 2004, a 70 percent decline. Joe Majka and Sergio Pinon, Credit Card Fraud in the U.S.,The Nilson Report 8-9 (Mar 2005).
62. FTC 2003 Identity Theft Survey Report at 28 (cited in note 48).
63. Id at 28, 29.
64. Id at 28.
65. This category accounts for 23 percent of all victims who know the identity of the thief (33 percent of new account victims; 13 percent of credit card fraud victims). Id at 29.
66. See Mary T. Monahan, 2007 Identity Fraud Survey Report- Identity Fraud Is Dropping, Continued Vigilance Necessary 1 (Javelin Strategy & Research, Feb 2007), brochure online at http://www.javelinstrategy.com/uploads/ 701.R_20071dentityFraudSurveyReport_Brochure.pdf (visited Jan 12, 2008). The sample size was 5,006 consumers.
67. Id at 60. Javelin's estimate of total losses reported in the text is based on a three year moving average of total loss estimates. The actual survey estimate for 2007 was $34.5 billion.
68. Id at 19. Javelin reports that the incidence of new account fraud in 2003 was 1.0 percent. The FTC report, however, which is the source of the figure, reports the incidence as 1.5 percent. There was no change in methodology that would account for the discrepancy.
69. It is clear, however, that trends based on complaints about identity theft are not reliable. For example, the FTC received 214,905 identity theft complaints in 2003 and 246,035 complaints in 2006. FTC, Identity Theft Victim Complaint Data: January 1-December 31, 2006 3 (Feb 7, 2007), online at http//www.ftc.gov/bcp/edu/mkrosites/idtlwfdowruoads/clearinghouse_2006.pdf (visited Jan 12, 2008);
70. FTC, National and State Trends in Fraud & Identity Theft: January-December 2003 3 (Jan 22, 2004), online at http://www.consumer.gov/ sentinel/pubs/Top10Fraud2003.pdf (visited Jan 12, 2008). Nothing in the results from random samples of consumers would suggest the 14 percent increase in identity theft that the complaint data imply. The complaints are far more likely driven by increased consumer awareness of the problem and of the FTC as a place to complain.
71. The FTC survey estimated that the total amount of fraud in 2003 was $47.6 billion. The loss to victims (included in the total loss) was $5.0 billion. FTC 2003 Identity Theft Survey Report at 7 (cited in note 48).
72. Thomas M. Lenard and Paul H. Rubin, An Economic Analysis of Notification Requirements for Data Security Breaches, Progress on Point 12.12 (The Progress & Freedom Foundation, July 2005), online at http://www.pff.org/issues-pubs/pops/pop12.12datasecurity.pdf (visited Jan 12, 2008).
73. 15 USC § 1643(a)(1)(B) (2000).
74. FDIC Consumer News, It Pays to Ask Questions before Paying for Credit Card Insurance (Fall 2000), online at http://www.fdic.gov/CONSUMERS/ consumer/news/cnfall00/diduknw.html (visited Jan 12, 2008).
75. See David S. Evans and Richard Schmalensee, Paying with Plastic: The Digital Revolution in Buying and Borrowing 119 (MIT 2d ed 2005) ("The merchant is typically guaranteed payment even if a cardholder never pays their bill or the card is stolen-so long as the merchant follows the authorization procedures agreed to (such as comparing signatures on the slip and the card)."). Losses are allocated to the merchant when the card is not present.
76. Fraud rates are vastly higher in online transactions than offline. In 2002, fraud losses in online transactions were some thirty times higher than fraud losses offline - 2.1 percent of total credit card sales online, compared to only 0.07 percent offline. Despite a smaller transactions base, online losses accounted for one-third of total US credit card losses attributed to fraud in 2002. Celent Communications, via Lafferty Publications, as reported by Kalysis, Statistics for General and Online Card Fraud, US Credit Card Fraud Statistics, 2000-2007 (2007), online at http://kalysis.com/content/modules.php? op=modload&name=EasyContent&file=index&menu=410&page_id=109 (visited Jan 12, 2008).
77. See generally PCI Security Standards Council, Payment Card Industry (PCI) Data Security Standard (Sept 2006).
78. Pub L No 106-102, 113 Stat 1338 (1999), codified at 15 USCA § 6801-09 (2007).
79. See FTC, Standards for Safeguarding Customer Information, 67 Fed Reg 36484, 36485 (2002) (promulgating 16 CFR Part 314 (The Safeguards Rule)). Similar rules apply to financial institutions that are subject to other regulators such as the Federal Reserve or the Comptroller of the Currency.
80. The GLB definition of financial institutions is extremely broad. Accountants, mortgage brokers, and many other businesses that are not conventional "financial institutions" fall within the definition, because they offer services banks were permitted to offer prior to the GLB Act.
81. 15 USCA § 45(a) (2007).
82. A practice is deceptive if it is likely to mislead a consumer, acting reasonably in the circumstances, about a material fact. See FTC, The FTC Policy Statement on Deception (Oct 14, 1983), online at http://www.ftc.gov/ bcp/policystmt/ad-decept.htm (visited Jan 12, 2008);
83. Thompson Medical Co, Inc v FTC, 791 F2d 189, 193-94 (DC Cir 1986).
84. See Complaint, In the Matter of Guess?, Inc, and Guess.com, Inc ("Guess? Complaint"), No C-4091, *3 (July 30, 2003), online at http://www.ftc.gov/os/2003/08/guesscomp.pdf (visited Jan 12, 2008) (alleging that Guess?, Inc, wrongfully exposed consumers' personal information by maintaining a website that was susceptible to commonly known hacking techniques);
85. Complaint, In the Matter of Microsoft Corp ("Microsoft Complaint"), No C-4069, *2 (Dec 20, 2002), online at http://www.ftc.gov/os/caselist/0123240/microsoftcmp.pdf (visited Jan 12, 2008) (charging that Microsoft had deceived users of its online .NET Passport service when the company failed to maintain the security measures promised in its privacy policy).
86. See, for example, Identity Theft: Recent Developments Involving the Security of Sensitive Consumer Information, hearing before the Senate Committee on Banking, Housing, and Urban Affairs 14 n 42 (Mar 10, 2005) (statement of the FTC) ("It is important to note, however, that there is no such thing as perfect security, and breaches can happen even when a company has taken every reasonable precaution."), online at http://www.ftc.gov/os/testimony/ 050310idtheft.pdf (visited Jan 12, 2008);
87. Identity Theft, hearing before the House Financial Services Committee 15 (Apr 3, 2003) (statement of the FTC), online at http://www.ftc.gov/os/2003/04/ bealesidthefttest.pdf (visited Jan 12, 2008):
88. It is important to note that the Commission is not simply saying "gotcha" for security breaches. While a breach may indicate a problem with a company's security, breaches can happen even when a company takes all reasonable precautions. In such instances, the breach does not violate the laws that the FTC enforces. Instead, the Commission recognizes that security is an ongoing process of using reasonable and appropriate measures in light of the circumstances.
89. Complaint, In the Matter of Eli Lilly and Co, No C-4047, *3-4 (May 8, 2002), online at http://www.ftc.gov/os/2002/05/elilillycmp. htm (visited Jan 12, 2008) (alleging that the defendant had deceived customers in not maintaining the data privacy policies that were promised in the company privacy policy).
90. Microsoft Complaint at *2.
91. Guess? Complaint at *3.
92. Id. The same issue, and the same vulnerability, was involved in Decision and Order, In the Matter of Petco Animal Supplies, Inc, No C-4133, *3-4 (Mar 4,2005), online at http://www.ftc.gov/ os/caselist/0323221/ 050308do0323221.pdf (visited Jan 12, 2008) (alleging that Petco failed to take reasonable and appropriate precautions against SQL injection attacks, a well known and easy to correct vulnerability).
93. Complaint, In the Matter of MTS, Inc, No C-4110, *3-4 (May 28, 2004), online at http://www.ftc.gov/os/caselist/0323209/040602comp0323209. pdf (visited Jan 12, 2008).
94. Id.
95. See 15 USC § 45(n) (2000): The Commission shall have no authority under this section or section 57a of this title to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.
96. Complaint, In the Matter of BJ's Wholesale Club, Inc, No C-4148, *3 (Sept 20, 2005), online at http://www.ftc.gov/os/caselist/0423160/ 092305comp0423160.pdf (visited Jan 12, 2008) (alleging that the "failure to employ reasonable and appropriate security measures to protect personal information and files caused ... substantial injury to consumers that is not offset by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers").
97. Id.
98. The Commission also brought a substantially similar case against DSW. Complaint, In the Matter of DSW, Inc, No C-4157, *3 (Mar 7, 2006), online at http://www.ftc.gov/os/caselist/0523096/0523096c4157DSWComplaint.pdf (visited Jan 12, 2008).
99. Complaint, In the Matter of CardSystems Solutions, Inc, No C-4168, *2-3 (Sept 5, 2006), online at http://www.ftc.gov/os/caselist/0523148/ 0523148CardSystemscomplaint.pdf (visited Jan 12,2008) (alleging that CardSystems was unreasonably vulnerable to attack by hackers, and that this vulnerability was unfair).
100. Data Security Roundtable: The Threats to Data Security: What's Here, What's Ahead, Am Banker 10 (Nov 23, 2005) (reporting the CardSystem breach as the largest data theft to date).
101. Stipulated Final Judgment and Order for Civil Penalties, Permanent Injunction, and Other Equitable Relief, United States v ChoicePoint, Inc, No 1 06-CV-0198, *14-16 (ND Ga Feb 15, 2006), online at http://www.ftc.gov/os/caselist/choicepoint/stipfinaljudgment.pdf (visited Jan 12, 2008) (ordering ChoicePoint to implement a variety of precautions in processing requests for credit reports).
102. See J. Howard Beales, The FTC's Use of Unfairness Authority: Its Rise, Fall, and Resurrection, 22 J Pub Policy & Marketing 192 (2003) (suggesting parameters for FTC use of the "unfairness authority").