WASHINGTON – The House Energy and Commerce Committee revived its efforts today to include telecom carrier data security obligations as part of legislation targeting pretexting. Last year, Congress approved legislation that only dealt with those who do the pretexting.
The Prevention of Fraudulent Access to Phone Records Act would require the Federal Trade Commission (FTC) to develop more stringent security standards for carriers holding sensitive consumer data. The bill would also prohibit carriers from sharing personal data with third parties other than affiliates without the express prior consent of a consumer.
Pretexting is the practice of using false pretenses to obtain the telephone records of another person. The practice gained widespread notoriety last year when Hewlett-Packard revealed it used pretexting to obtain the personal telephone records of board members and the media as part of its efforts to investigate boardroom leaks.
“Rather than going after the criminals after the crime occurs, wouldn’t it make more sense to reduce the risk that our personal information will be wrongfully disclosed?” Marc Rotenberg, president of the Electronic Privacy Information Center (EPIC), told the panel.
Rotenberg found few on the committee who disagreed. The panel approved identical legislation last year but carrier opposition kept it from going to the full House for a vote. Instead, Congress passed legislation establishing criminal fines and prison terms for pretexters and the buying and selling of telephone records.
“Although Congress’ recognition of the seriousness of pretexting, and its efforts to criminalize it, are important, nothing in the law that was passed puts a duty on the telephone companies…to increase their security measures,” Rotenberg said.
In the aftermath of the HP pretexting scandal, former Chairman Patricia Dunn, general counsel Ann Baskins and HP lawyer Kevin Hunsaker all resigned. Dunn and Hunsaker are facing criminal charges under California law while HP paid a $14.5 million fine for its role in the scandal.
Representatives of both wireline and wireless telephone associations voiced opposition to the bill on the same grounds they did last year: increased security measures by the carriers renders the bill unnecessary.
“While it is the exceptions that generate headlines, I am pleased to tell you that since I last appeared before the committee on this subject, much progress has been made to ensure CPNI (customer proprietary network information) is protected,” Steve Largent, president and CEO of the wireless association CTIA, told lawmakers.
Largent said wireless carriers now employ a “broad range of security measures” to prevent unauthorized access to consumer records. The wireless industry did not wait idly by for someone else to solve the problem,” he said.
Wireline trade association boss Walter McCormick added, “We educate and train our customer service representatives, we observe strict security protocols and we tightly define our agreements with marketing firms.”
Both Largent and McCormick said their groups oppose the opt-in requirements for sharing consumer data.
“While the bill appears to permit some sharing of information with third parties to initiate, render, bill and collect for services and to provide customer services, this exemption is potentially compromised by the sweeping restrictions on disclosures elsewhere in the bill,” Largent said.
McCormick said the proposed opt-in scheme will “neither increase customer security not reduce the amount of marketing materials customers receive.”
Committee members on both sides of the aisle seemed to disagree.
“There is still a lack of respect for the privacy of Americans,” Rep. Ed Markey (D-Mass.) said. Florida Republican Cliff Stearns told the witnesses, “There is a longtime agreement [on the committee] that this should pass.”