Policing the Information Brokers
The high-profile theft of personal information from ChoicePoint raises questions about how information brokers do their business.
Anush Yegyazarian, PC World
If knowledge is power, and money is power, then knowledge is also money. Though that particular bit of associative logic might not hold up to rigorous analysis, in practice it often seems to apply, especially in today's information age. That perception was reinforced in the wake of the scams targeting ChoicePoint, an information brokerage firm. The scams placed tens of thousands of personal records--everything from Social Security numbers to credit reports--in the hands of criminals, who have defrauded an estimated 750 people thus far. At least 145,000 are still at risk.
Companies such as Acxiom, ChoicePoint, and LexisNexis gather and sell all sorts of personal information for all sorts of legitimate reasons--background checks on prospective hires or tenants, insurance evaluations, and more. They make a tidy profit at it, too. But how safe are those records? Who, exactly, can buy my credit history or my driving record? How often does my Social Security number change hands? And what obligation do any of these companies have to inform me when their security has been breached?
These and other questions are alive and well in the minds of consumer advocates and lawmakers as they debate new legislation and hold hearings to try to find answers.
Flurry of New Bills
It might surprise you to know that companies are not required by federal law to inform you if your personal information has been compromised. People living in California do get such notification, thanks to a state law (SB 1386) that went into effect in July 2003. Not surprisingly, one of the new bills before the U.S. Congress, the Notification of Risk to Personal Data Act (S. 115), would make that type of requirement nationwide.
Unfortunately, the proposed bill suffers from some of the same weaknesses that the California law has: It exempts companies that encrypt their data, and it requires that a person's last name be linked with a Social Security number, another government identification number such as a driver's license, or a credit card or account number with password, to constitute a breach. This doesn't protect us from breaches involving other types of sensitive data, such as insurance records or health records, that might be compromised as well. As with the California law, notice to affected individuals may be delayed if law enforcement agencies ask the company to keep things under wraps while they investigate.
Moreover, says Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit consumer advocacy group, the Notification of Risk to Personal Data Act builds in provisions that remove any requirement for notification unless there's proof of fraud. She points out that identity thieves may sit on the data they collect for months before they use it, and even when there's proof of fraud, most of those affected can't trace which company or event may have caused or led to the breach of security. Givens says she's not sure if the federal bill, as written, would have produced the kind of disclosure from ChoicePoint that the California law required--which means a lot of people might be placed at risk without a single hint that they're in jeopardy. (The Privacy Rights Clearinghouse and other consumer advocates made additional recommendations about data privacy at the opening of the Identity Theft Summit in Sacramento, California.)
A second bill, the Privacy Act of 2005 (S. 116), would go considerably further. Introduced at the end of January by Senator Dianne Feinstein (D-California), who also sponsored the Notification of Risk to Personal Data Act, this bill covers the sale of personal information to third parties that aren't related to the company that collects the data. It has a huge section on Social Security numbers and how and where they may be displayed, sold, or otherwise distributed. The Privacy Act also has provisions about health, financial, and driver's license records that supplement existing federal laws dealing with privacy for these types of data.
Feinstein also introduced a separate bill, the Social Security Number Misuse Prevention Act (S. 29), that focuses solely on privacy and security issues relating to Social Security numbers.
Frankly, the privacy and notification bills really should be one. We need a cohesive, encompassing law that applies at the federal level so that every person gets the same degree of protection. However, like the Notification of Risk to Personal Data Act, the Privacy Act has its own limitations; it's a good first step, but perhaps not the final draft of such a comprehensive law.
For example, the Privacy Act requires companies to disclose what kind of information they're collecting about you before you do business with them, and how that information might be used, sold, or passed around. You're also told what parts of the information are must-haves for the company before it will do business with you, and what might be optional. You can opt out of the transaction and the sharing of your information. However, this notification is quite general: You're told only about the kinds of agencies that might get their mitts on your data at some unspecified time in the future. And there's no provision for conditional consent; for example, "yes, share my data with people who want to lease me an apartment, but don't give it to telemarketers who want to call and give me quotes on new insurance or mortgage rates and the like." It's all or nothing.
The Privacy Act's section on Social Security numbers makes up nearly half the text of the bill. It goes into a lot of fine detail, including a call for a study on how Social Security numbers are used, how much it would cost to get them out of general circulation, and more. That level of attention should have been paid to other bits of personal information.
And while I like having one unified code of privacy protection, I don't want to bar individual states from offering a little more. Both the privacy and notification bills would supersede any state laws, so they would become the ceiling for privacy protection, not the floor.
Moreover, neither bill discusses who should be getting access to what data and how easily. That was part of the problem for ChoicePoint: Clever scam artists usurped the identities of legitimate businesspeople, created new companies, and simply bought the information they wanted. Perhaps we need to create new rules that set minimum standards for background checks by the companies that sell sensitive data to make sure the wrong people aren't getting carte-blanche access to the billions of bits of information that a company like ChoicePoint holds.
Representative Joe Barton (R-Texas), chair of the Energy and Commerce Committee, has made statements supporting restrictions on Social Security number distribution and use, as well as tougher safeguards on the privacy of personal data. He hasn't made any concrete proposals as yet, though. Also, Senator Charles Schumer (D-New York) has said he will propose a law dealing with the issue; and Senator Arlen Specter (R-Pennsylvania), chair of the Judiciary Committee, has promised to hold hearings on the topic.
Significant, serious attention is being paid to these issues. That's the bright side. Now we need significant, serious action that truly protects consumers and gives us real control over the information we're providing for someone else's gain.
A Further Word on TV
Last month I discussed some developments in TV, including new gear that will be able to handle one-way CableCards (such cards are meant to replace set-top boxes from your cable company). These cards, because they're one-way, don't readily allow for the kinds of interactivity that many of us have grown used to, such as interactive program guides and pay-per-view ordering via our remotes.
Gary Merson, editor of the HDTV Insider newsletter, points out that, contrary to my assessment, there are a number of digital TV sets with CableCard support that still offer interactive program guides via other technology. Thanks for the correction.