No product or service can completely "prevent" or "guarantee against" identity theft or an information security breach due to a wide array of potential activities that are beyond the control of any consumer, business, product, or service. However, many products or services can effectively manage or significantly reduce or mitigate the associated risks. The Identity Theft Protection Association and its Service Provider members believe it is critically important for consumers and businesses who consider utilizing such products and services to be provided with clear and accurate information upon which they can make an informed buying decision.
The following ITPA Service Provider Standards and Best Practices are established to provide a framework for ITPA industry Service Provider members to follow in order to help: safeguard the public from unfair, deceptive, and misleading practices; promote transparency and appropriate understanding through clear and accurate disclosure; ensure responsible marketing practices; establish standards and accountability; and maintain public trust and industry integrity. In joining the ITPA, Service Provider members are industry leaders that make a public commitment to adhere to these standards and best practices.
Responsible Marketing Practices
Provide Customers/Subscribers with Full and Appropriate Disclosure
Provide Clear Explanations of Risk Management Protections and Limitations
Protect and Limit Collection and Sharing of Customer Information
I. RESPONSIBLE MARKETING PRACTICES
Advertising and marketing must not be deceptive or misleading.
- Advertisements and marketing for consumer products or services should not make claims, express or implied, that the product or service can completely "prevent" or otherwise guarantee complete protection from identity theft or fraudulent activity, nor claim to prevent or provide complete protection against all forms of identity theft or fraudulent activity.
- Advertisements and marketing for business risk management products or services should not make claims, express or implied, to guarantee regulatory compliance, to guarantee "safe harbor" status, to provide complete defense from civil or regulatory penalties, or to completely prevent an information security breach.
- Service Providers should not misrepresent or overstate the scope of the identity theft problem, the risk or potential loss or harm that could result from victimization, or the degree of likelihood of victimization (e.g. - inflated, misleading, or deceptive statistics and "scare tactics" should not be used.)
- Advertising or marketing comparisons of a product or service to other competing products or services in the marketplace should be factual and based upon a side-by-side comparison of all features and pricing.
(e.g. - an "apples-to-apples" comparison based upon actual features and pricing without an intentional omission or over/under statement of features designed to inappropriately skew the comparison or mislead a prospective buyer.)
- Statistical representations and survey results used to support the marketing or promotion of a product or service offering should be factually accurate, verifiable, and should clearly identify the source, nature, date, and scope of the statistics or survey results presented.
- Unsolicited or unpaid customer testimonials used for marketing or promotional purposes should be factually accurate, reasonably current, and accompanied by appropriate disclosures if the reported results are atypical. Likewise, paid endorsements by customers, non-customers, or celebrities should be clearly and conspicuously identified as such.
- Claims of product or service offering "success" rates or accomplishments should be factually accurate and substantiated, with clear disclosure of the definitions and methods or calculations upon which such representations are based.
- Service Providers that utilize third-parties such as channel partners, affiliates, and independent sales representatives should establish and communicate clear advertising and marketing guidelines. The Service Provider should require such third parties to comply with the Service Provider's guidelines, and regularly review the marketing methods and materials used by those third parties to ensure that the information presented is clear and accurate, and not directly or indirectly misleading, unfair, or deceptive.
II. PROVIDE CUSTOMERS / SUBSCRIBERS WITH FULL AND APPROPRIATE DISCLOSURE
- Customers should be informed of free and other low cost options available to them under law (e.g. the right to free annual credit file disclosures, state and federal Do Not Call registries, opportunities to opt-out of pre-screened credit offers and major marketing lists, etc.)
- If a product or service "guarantee" or "warranty" is made, the nature, coverage, conditions, and exclusions or limitations should be clearly and accurately stated, and easily accessible to customers prior to and after purchase.
- Special, promotional, and complimentary service offers should clearly state:
- The terms and conditions of the offer or promotion, including any requirements to receive the offer or promotion (e.g. - "Offer valid only with purchase of XYZ product" or "1 year enrollment in XYZ service is required.")
- The ongoing costs and requirements once the offer or promotion period ends (e.g. - "Free for first 30 days, then $xx.xx per month thereafter for 1 year or until cancelled.")
- In circumstances that involve a period of complimentary coverage (such as in the case of a data breach, where the coverage is paid for by the breached entity), the customers receiving the complimentary coverage should be contacted by the Service Provider prior to the expiration of the coverage period. The Service Provider should not automatically renew coverage at the customers' expense, but rather should provide clear and accurate information regarding renewal costs and give the customer the option to approve or decline the renewal.
- Advertising and marketing or promotional materials, both hardcopy and electronic formats, should include the company website and appropriate contact information.
- If services or coverage are provided by third parties, rather than the Service Provider selling the product or service, the organization(s) providing such services or coverage should be clearly disclosed.
III. PROVIDE CLEAR EXPLANATIONS OF RISK MANAGEMENT PROTECTIONS AND LIMITATIONS
Product or service features, including detailed descriptions of the type and extent of coverage or risk management protections provided, should be clearly and accurately explained. Applicable restrictions, exclusions, limitations, and special requirements should also be clearly stated.
- If monitoring of information is provided, the type, extent, and frequency of information monitored should be clearly stated (e.g. - Credit monitoring: one specific credit bureau, 3-bureau, or 3-bureau initial report followed by only one specific bureau thereafter, etc. Identity monitoring: DMV records (in states available only), public records databases, utilities, "black market underground", etc. Frequency: Scanned daily, weekly, once monthly, or "real time".)
- Limitations and exclusions of coverage and assistance or recovery services provided should be clearly stated (e.g. - Recovery services that are limited to financial / credit related incidents only; exclude acts by family members or incidents that involve a business; exclude incidents and related activities that occurred prior to purchase or enrollment; etc.)
- Limitations and exclusions of insurance or expense reimbursement coverage should be clearly stated (e.g. coverage provides reimbursement of only certain specified expenses vs. actual financial losses; pre-approval required for certain actions or reimbursement; not available in XYZ state; etc.)
- Any requirements necessary to receive certain features or benefits of the product or service, such as alerts, periodic reports, or access to resources should be clearly stated. (e.g. - a computer, email address, mobile telephone, etc.)
- If a Power of Attorney is required to perform services or activities on behalf of the subscriber (such as resolution/recovery assistance), that requirement should be clearly stated and the P.O.A. tightly controlled.
(The P.O.A. should be a Limited Power of Attorney only and should not be requested or obtained until necessary. When obtained, its purpose, duration, and scope should be clearly defined and narrowly constrained to only those services and/or activities specifically required. The subscriber should be able to revoke the P.O.A. at any time, and provided with clear instructions for doing so prior to executing the P.O.A. The P.O.A. should be automatically terminated and destroyed upon the subscriber's request, when no longer required, or upon cancellation of service.)
- Services that provide customer alerts of the detection of actual or potential fraudulent activity should:
- clearly describe the types and nature of alerts provided; and
- provide the customer the opportunity to establish preferences for the method(s) of receiving such alerts (e.g. home telephone, mobile telephone, text, email, etc.); and
- include with the alert appropriate contact information and/or clear instructions or actions that the customer should take upon receipt of such an alert; and
- clearly state any restrictions or limitations of the alerts, including inability to detect all types of fraudulent activity, timeliness of notification, delivery method limitations, etc.
- Services that offer monitoring of the information of children and minors should clearly describe the nature and extent of the monitoring conducted. (e.g. - if the service is limited to periodic attempts to request the child's free annual credit file disclosure from the centralized source, rather than more frequent and broad monitoring of information from multiple sources, this should be clearly disclosed to the prospective customer / subscriber.)
- Services that offer or promote "free" credit reports should not use consumers' free annual credit file disclosures under the Fair and Accurate Credit Transactions Act to provide such "free" reports. ("Free" credit reports that are offered as part of a paid service should be purchased by the Service Provider from one or more of the credit reporting agencies. The Service Provider should not merely request and provide consumers with their free annual credit file disclosures, nor market such "free" credit reports in any manner that misleads a consumer to believe that he or she would receive one or more free credit reports through the service in addition to his or her free annual credit file disclosures.)
IV. PROTECT AND LIMIT COLLECTION AND SHARING OF CUSTOMER INFORMATION
Service Providers should request and collect only that information which is necessary to provide the product or service, and carefully safeguard that information which is collected.
- When requesting personal and confidential information necessary to provide services, Service Providers should provide clear explanations as to why the information is requested and for what purpose(s) it will be used.
- Service Providers should implement and follow information security best practices and regulatory requirements to protect the confidential information that they collect, store, and transmit. Employees should also be appropriately screened and have access to such confidential information only as required in accordance with their job functions.
- Provide Clear and Conspicuous Opt-Out Choices - If marketing and promotion of additional products, services, or offers are conducted, customers/subscribers should be provided with clear opportunities and instructions for opting out of such offers, as well as the opportunity to opt-out of or restrict information sharing with affiliate and/or partner companies beyond that which may be specifically necessary to provide the product or service.