This page considers pretexting in the USA.
In the US, federal law prohibits pretexting for financial
information, but prior to 2007 did not specifically ban
the practice in relation to phone records or forbid online
sale of phone records. Carriers are required by the Telecommunications
Act of 1996 to protect Customer Proprietary Network Information
(CPNI) and have accordingly claimed on occasion that they
are victimised by pretexters.
EPIC commented that
the commercial sale of private consumer information
is a necessary complement to banning pretexting, as
it would "dry up the market" for illegally
obtained telephone records. Such a prohibition would
also allow consumers and consumer protection agencies
to go after those who advertise privacy-invasive services
without having to prove the specific techniques that
the data brokers have used.
of the Gramm-Leach-Bliley Act (15 USC) makes
it a crime to commit pretexting against a financial institution,
broadly defined under the Act, but does not provide for
private action: enforcement is a federal responsibility.
The FTC has initiated a handful of enforcement actions
under that Act, notably against a Canadian company, generally
resulting in administrative penalties. Critics have accordingly
argued that federal legislation must specify that pretexting
to obtain mobile phone records - or other records where
there is no financial loss - is just as serious as pretexting
for financial data.
Supporters of the pre-2007 US regime noted that breaking
into online accounts violates the Computer Fraud &
Abuse Act (18 USC 1030), although a caution is supplied
in Jennifer Granick's 2006 article
'Faking It: Calculating Loss in Computer Crime Sentencing'.
It has been argued that pretexting that deceives network
operators to provide 'private' information violates the
Wire Fraud Act (18 USC 1343).
In 2007 the federal Telephone Records & Privacy
Protection Act of 2006 (TRPPA)
came into force, providing up to 10 years imprisonment
for anyone who pretends to be someone else, or otherwise
employs fraudulent tactics, to persuade phone companies
to hand over what is supposed to be confidential data
about customers' calling habits. There have been proposals
for phone and internet providers to implement new safeguards
against unauthorized access to their customers' records,
with provision for consumers to sue those who managed
to secure their records without permission.
The legislation was underpinned by FCC rules in April
2007 that require landline and mobile phone network operators
to adopt safeguards to protect personal telephone records
from being disclosed to unauthorised people. Carriers
are prohibited from releasing (over the phone or online)
sensitive personal data such as call detail records unless
the customer provides a password.
The carriers are also required to notify customers immediately
when changes are made to their account and to notify customers
in the event of a breach of confidentiality. Those carriers
must annually certify compliance with the rules, inform
the FCC of any action they have taken against data brokers
and provide a summary of complaints received regarding
unauthorised release of personal customer information.
They are also required to notify law enforcement agencies
before customers when breaches are suspected.
An industry spokesperson, critical of restrictions on
telcos providing marketers with customer information,
sniffed that "this is an extremely anticonsumer outcome".
There have however been no definitive cases regarding
pretexting in relation to the pre-2007 enactments or the
FTC's broader power to prevent "unfair, deceptive
or fraudulent business activities", including anti-phishing
cases highlighted here.
The weakness of US privacy law means that data
brokers can buy and mine a wealth of private consumer
information, such as recent purchase information,
address, birth date and Social Security number, from
credit reporting agencies, retailers, publishers and other
companies. That information can be aggregated
with public and quasi-public information from
state and local government agencies (including land
registries and offender registers),
professional and other directories,
and corporate sites.
Points of entry to the literature include -
Garcia's 2007 'Data Protection, Breach Notification
and the Interplay between State and Federal Law: The
Experiments Need More Time' in 17 Fordham Intellectual
Property, Media & Entertainment Law Journal
(Spring 2007), 693-726;
White's 2005 'The Recognition of a Negligence Cause
of Action for Victims of Identity Theft: Someone Stole
My Identity, Now Who is Going To Pay For It?' in 88
Marquette Law Review, 847-866;
Ludington's 2006 'Reining in the Data Traders: A Tort
for the Misuse of Personal Information' in 66 Maryland
Law Review, 140-192.