Red Flags and Privacy: FTC Insights from Joel Winston
In an exclusive interview, the FTC's Joel Winston discusses:
Winston is Associate Director of the Division of Privacy and Identity Protection of the Federal Trade Commission's Bureau of Consumer Protection. That Division has responsibility over consumer privacy and data security issues, identity theft and credit reporting matters, among other things. Mr. Winston serves on the federal government's Identity Theft Task Force, which was created by President Bush in March 2006. He also is a member of the Advisory Board for the BNA Privacy & Security Law Reporter, and served on the Editorial Board and as an author for a treatise published in 2009 by the American Bar Association, "Consumer Protection Law Developments." In 2008, Mr. Winston received the Presidential Rank Award of Meritorious Executive, one of the highest honors given to members of the federal government's Senior Executive Service.
TOM FIELD: Hello, I'm Tom Field, Editorial Director with Information Security Media Group. We are talking today with Joel Winston, Associate Director of the Division of Privacy and Identity Protection with the Federal Trade Commission. Joel, thanks so much for joining me today.
JOEL WINSTON: Thank you.
FIELD: Just to give our audience a little bit of context here, tell us a bit about yourself and your role within the FTC's Division of Privacy and Identity Protection.
WINSTON: I have been with the FTC for 33 years in a variety of roles and for the last five years or so I have been head of this relatively new division at the FTC, which focuses on issues of privacy, data security, identity theft and credit reporting.
FIELD: So within that division, Joel, what would you say are your areas of greatest focus this year that are getting the most attention?
WINSTON: It would be best to go through it subject by subject. In terms of general privacy, what is going on out there is the development of a lot of new technologies that may offer consumers many benefits but raise certain privacy issues; and we have been focusing a lot on these new technologies and the privacy implications of those.
For example, one area where we are spending a lot of focus right now is online behavioral advertising. That is where your activities online, the Web sites you visit, the search terms you put into your search engines, etc. are being tracked, collected and compiled and then used to target advertising back to you, which for some people is a good thing. It results in ads that are more interesting to them. On the other hand, to some people it is frightening that this much information about their behavior is being collected. It is an example of a new kind of technology that has privacy implications as well.
In the area of data security, we are continuing to bring a lot of cases against companies that do not have adequate data security and are not using reasonable measures to secure data. We all read about the data breaches that are occurring seemingly every week at major institutions and we are trying in many ways to get the message across to the business community about the importance of securing sensitive consumer information.
In the area of identity theft this continues to be a major problem that affects millions of consumers every year. We have a very active program to help consumers avoid identity theft and, if they become victims, to recover from that and we have a number of activities ongoing there.
Finally, we are focusing on the area of credit reporting given current economic conditions, particularly consumers having trouble getting credit, getting employment, getting insurance; the accuracy of your credit report is more important than it has ever been. So we enforce the Fair Credit Reporting Act, which is designed both to protect the privacy of consumers' credit information and to ensure that the information is as accurate as possible.
So we have an active law enforcement program where we are in the midst of bringing a number of cases against businesses, credit reporting agencies and others who did not comply with their obligations under the Fair Credit Reporting Act. We have a number of rulemakings ongoing that Congress has given to us and that is really where our focus is right now.
FIELD: When you mention the economy, it struck me while you were talking that in some ways it is the best of times/worst of times. Worst of times obviously economically but best of times for people in terms of the amount of information and access that they have to information. With this comes risk. Where do you see consumers at the greatest risk of information security compromises?
WINSTON: You make a good point that our economy really depends on the flow of information between government and businesses. The reason that you can go down to a car dealership, buy a car and drive off the lot with it is that the car dealership is able to access a lot of information about your credit history and creditworthiness instantaneously. So there are a lot of benefits to this flow of information.
But as more and more information is being collected, compiled and maintained, the risks grow for data breaches. And we really have seen kind of an explosion in data breaches and the damage that those can cause.
I think where consumers are at greatest risk is really at both ends. First, many consumers are not doing enough to protect their own data, whether it is their computers preventing phishing attacks or making sure they have good antivirus software and good protections in place, as well as information that is not online; making sure that they shred documents with sensitive information on them, not giving out their Social Security numbers unless absolutely necessary. That sort of thing. Consumers need to do a better job at that.
At the other end of the spectrum I think there are risks that come from the failure of organizations, including businesses and government organizations, to adequately protect data. We have seen a lot of government data breaches recently, one at the National Archives a few weeks ago for example. There seems to be this constant threat to consumers' data from more sophisticated hackers and often people from overseas who have become very adept at breaking down the defenses that the organization has put in place. It is a constantly evolving situation that companies and organizations need to be constantly vigilant about to make sure that they are recognizing and defending against the latest threats.
FIELD: Joel, earlier you mentioned education and I am a big fan of the Web site materials you have that educate consumers on identity theft and different information security risks. Now that is for people that reach out to you; what are ways that the FTC reaches out to consumers and helps to educate them?
WINSTON: We do a tremendous amount of outreach. As you said, we have a lot of materials on our website that are very popular. For example, we have a program called On Guard Online, which is a how-to guide for consumers protecting their data online, and we have had over 9.5 million separate visitors to that part of our website.
We also do a lot of educating of the educators. We have training kits. We go around the country helping to train the people who are educating consumers more directly about how to protect themselves, whether it is local community-based organizations, police departments or legal aid attorneys. We put out a lot of advice and guidance to them on that.
We are a small agency with a relatively limited budget but what we try to do is leverage our resources by working with partners, both in the public and private sector, to get the message out. We often co-brand it with those partners so that we increase the reach of our information.
FIELD: Last year the big news was about the identity theft Red Flags Rule and we spoke about it a lot in terms of what financial institutions needed to do. What do you find to be the state of compliance with non-financial institutions, or non-banking entities specifically?
WINSTON: It is important to remember that the non-banking institutions which are subject to FTC jurisdiction are not yet legally required to comply with the Red Flags Rule until August 1st. We have put the deadline back a couple of times so we haven't done any sort of survey or other investigation on the degree of compliance.
I think the reason we have extended this deadline a couple of times is that we found that there were a lot of particularly small institutions out there who wouldn't necessarily realize that they were covered by this Rule. They are not that familiar with the FTC at all, and they just didn't know about it so they weren't in compliance. We have been using this time to do a tremendous amount of outreach on the hundreds of different kinds of businesses that are actually subject to this rule because it is a very broad rule and we are trying to make sure everybody is aware of it.
FIELD: What do you find to be the areas that generally need the most attention when you reach out to educate these entities?
WINSTON: There has certainly been a lot of confusion about the coverage. In particular the rule covers, as Congress directed, all creditors but the definition of creditors is extremely broad. It basically covers anyone who accepts payment over time. So if you have a lawn care service and they mow your lawn and you pay them at the end of the month, that lawn care service is now a creditor covered by the Red Flags Rule. So again, there are a lot of businesses out there that are not traditional types of creditors (they don't lend money, they don't provide mortgages) who don't even realize they are covered by the rule.
The other concern that has been raised is that they don't really understand how they are supposed to comply. The Rule is very flexible and it doesn't have a lot of very specific requirements. It basically says that you have to put in place reasonable measures to detect identity theft, to identify it and to mitigate it. What exactly that means is going to depend on your business and the kinds of risks you face.
We do provide a lot of guidance and there are a number of possible Red Flags that we have listed in our guidelines for businesses to consider, but the businesses do have to exercise some discretion and do some thinking before they put together their program. I think some of them are really struggling with that.
FIELD: So August 1st is the magic date now?
WINSTON: That's the magic date.
FIELD: Now you spoke earlier about the responsibility of businesses and it struck me that financial institutions and government agencies really can leverage the FTC. In what ways can businesses and agencies turn to you for help in fighting identity theft and some of the other information security threats that we have spoken about?
WINSTON: Again, we put out a tremendous amount of guidance on that and continue to do outreach. I, and many others here, are on the road a lot talking to business organizations and helping to advise them on what they need to do.
We have also put out a very good brochure that is available on our Web site, a small business guide on data security. It is very good.
We have an online tutorial that follows the brochure and runs you through various data security scenarios and what you should do in this situation or that situation. We find that is very useful for companies to use to train their own employees.
And we have also gone around the country doing a series of workshops for small businesses in five cities. We are planning on more. They have been very well attended and received.
So again, given the limits of our resources, we think it is critical that we do whatever we can to help businesses protect data, and I think we have been pretty successful in doing that.
FIELD: When you get out on the road, Joel, what is the most common issue you are asked about?
WINSTON: Businesses are a little schizophrenic about what they want. What I often hear is, "I don't really understand what the Rules say. The Rules say I have to have reasonable procedures to protect sensitive data so what exactly does that mean? Do I have to encrypt my consumer data? Can I use laptops? Can I take home data on laptops? What exactly should I be doing?"
But at the same time they don't want to be told exactly what they have to do and they want to have some flexibility. They want to be able to adapt the rules to their business models and the sorts of things that they face. So we have tried to find a happy medium.
The data security rules are pretty flexible. They are process-oriented and recognize that there is no "one way" to do data security. There are a lot of ways you can do it, but at the same time we try to provide as much advice as possible. The Rule doesn't specifically say you have to encrypt data, but if you have sensitive data that you are sending out over the internet, it is probably a good idea to encrypt it in some fashion, and that sort of thing.
So we try to give guidance without a lot of rigid rules that would quickly become outdated.
FIELD: Flexibility is good. Security is better.
WINSTON: Right. Well put.
FIELD: Joel, thanks so much for your time and insight today.
WINSTON: You're welcome.
FIELD: We've been talking with Joel Winston of the FTC. For Information Security Media Group, I'm Tom Field. Thank you very much.