Access denied: the data industry may face new restrictions after privacy breaches
When Reed Elsevier, the Anglo-Dutch publishing giant, announced last year that it would buy Seisint, a privately-owned data broker based in Boca Raton, Florida, to bolster its LexisNexis legal division, it was eager to stress the crucial and lucrative role that Seisint was playing in helping law enforcement agencies across the US to track down all sorts of unsavoury characters.
Terrorist suspects, child molesters and fathers who missed child support payments were, proponents of the deal said, no match for Seisint's Accurint database, which was capable of processing billions of public records in seconds to identify and find people. The deal's importance to Reed Elsevier was proved when it reported a 20 per cent rise in profits in its risk management division just months after the acquisition was completed, reflecting strong demand for access to Seisint's database from insurance companies and other businesses seeking credit information and identity verification.
Less than a year after its $775m acquisition of Seisint, however, Reed Elsevier has been forced to acknowledge the darker side of the data brokerage industry. A series of high-profile database breaches and growing public anxiety about identity theft have put Reed and its rivals, US companies such as ChoicePoint and Acxiom, in a legal and legislative minefield.
After years of quietly collecting and selling information on individuals, free from most of the data-related regulations that have restricted the financial services industry, and after spending millions of dollars on lobbying campaigns in Washington in support of the status quo, data brokers in the US will soon be subject to federal rules governing their behaviour, privacy experts believe. “The law is catching up with technology and business models. Initially, the companies said ‘Hey, we can self-regulate and treat information with sensitivity’. While that's true, the recent data breaches make it clear that it hasn't been sufficient,” says James Dempsey, executive director at the Center for Democracy and Technology, a Washington-based non-profit group campaigning for privacy rules.
The companies in effect secured the right to regulate themselves in 1997 from the Federal Trade Commission. But the question of whether data brokers have done it well enough is coming to the fore.
Last month Reed Elsevier disclosed that unauthorised people using the passwords of Seisint customers may have gained access to the personal information of up to 310,000 people in the US. In February ChoicePoint said that consumer data from 145,000 people had been stolen from its database.
But LexisNexis and other brokers that have disclosed breaches have been less forthcoming about how much information those databases contain. Most Americans also know little about where such information comes from.
Edmund Mierzwinski, consumer programme director at the US Public Interest Research Group, a lobbyist based in Washington, says data brokers use a variety of sources to compile their databases, usually turning first to credit agencies. Although credit agencies such as Experian (the financial arm of GUS, the British retail giant) are prohibited from selling individuals' financial data, they are allowed to sell non-credit related information, including a person's name and address, to data brokers. That information is then supplemented by publicly available records including, in some cases, records held by the Department of Motor Vehicles, which issues drivers' licences, and documents filed in courts around the US, which can be scanned by data brokers.
“What these companies do is pile the records all together and use them for purposes that are different from the reasons [the individual records] were originally made public. That profile is valuable,” says Mr Mierzwinski. Profiles are sold to customers including government agencies, financial institutions, researchers and other “legitimate businesses”.
Last year the Financial Times obtained a comprehensive report on one individual generated by Seisint's Accurint database. It included the person's Social Security number (the most important piece of personal identification in the US and the key to gaining access to many other records) along with political party affiliation, date of birth, every address at which the person had lived within the US, the names and birth dates of some neighbours, information about whether the individual had ever filed for bankruptcy and details of a property sale by a member of the person's family.
The report also included the names, previous and current addresses and telephone numbers of the individual's immediate family members; the first five digits of family members' Social Security numbers; the names and birthdates of their neighbours; and “neighbourhood profiles”: the average age of residents in that neighbourhood, the average number of years of education, the median household income and the median home value.
Accurint also offered information on whether the individual had any registered motor vehicles or merchant vessels; whether they were certified by the Federal Aviation Administration; whether they had a criminal record or had committed any sexual offences; or whether they owned a hunting or fishing permit or a permit to hold a concealed weapon. Arlen Specter, the Republican chairman of the Senate judiciary committee, said at a hearing last month that some data brokers even owned data on insurance claims, fingerprints and DNA.
The data brokers maintain that their practices are justified. Andrew Prozes, chief executive officer of the LexisNexis Group, staunchly defends LexisNexis' right to collect and sell information about individuals for legitimate business purposes, such as credit checks and identity verification. “The term ‘privacy’ is somewhat of an incendiary [word] and very readily and easily used, and one has to be careful to not label legitimate need for information as a privacy issue,” he says.
Mr Prozes says it is “easy to point the finger” at companies such as LexisNexis even though many breaches were the result of customers, in many cases law enforcement agencies, misusing their passwords (see below). “I would challenge you to find identity theft as a result of what we do,” he says. Mr Prozes says Reed Elsevier is not aware of any of the 310,000 people affected by the breach disclosed last month incurring any financial loss.
But there is clearly public concern. A recent survey of 5,000 US adults by Gartner found that unauthorised access to credit reports and other sensitive data is the biggest public concern regarding identity theft and fraud. “If someone steals your credit card, it is annoying and a hassle, but it is easier to deal with. When someone takes out a loan in your name or gets arrested in your name, it is assumed that you did it,” says Avivah Litan, a Gartner vice-president. “You are guilty until you are proven innocent and it is very difficult to clean it up.”
Data breaches are occurring more frequently for two reasons, Ms Litan says: because data brokers are failing properly to screen the customers they sell data to; and because they are not guaranteeing that access to a database is limited even when data is acquired by a legitimate business customer.
Lawmakers in Washington have registered public concern and say they are prepared to act. “We do need federal legislation, there needs to be uniformity as we approach an enormous problem of this sort,” Mr Specter said in April. Reed's Mr Prozes says his company is prepared to do “whatever is necessary” to make sure its data is used properly, including supporting proposals for federal legislation. Doug Curling, president and chief operating officer of ChoicePoint, said at a recent Senate hearing that ChoicePoint supported “additional regulations” that would help protect consumers.
But many privacy experts believe congressional action will not lead to a massive overhaul of the data brokerage industry or a significant change in rules governing the sale of personal information by brokers.
Instead, legislation is likely to focus on narrow issues that industry groups have agreed to support, including increased database safeguards and the creation of a nationwide notification rule. This would force companies to tell individuals if a breach involving their data put them at risk of identity theft.
California is the only state that requires data brokers to disclose breaches to consumers after legislation passed in 2003. Advocates for a tougher set of rules say data brokers have managed to keep federal legislation at bay because of their considerable lobbying firepower in Washington. Since the mid-1990s data brokerage companies have spent millions of dollars lobbying Congress and other government agencies, including the Department of Homeland Security, in support of their use of Social Security numbers to collect data. At the Senate hearing ChoicePoint's Mr Curling underscored how the company's products had helped Americans obtain fairly priced homes and car insurance or copies of family records.
Companies have emphasised the importance of identity verification for national security purposes, among other issues. “Our products have identified 11,000 undisclosed felons among those volunteering or seeking to volunteer with children,” Mr Curling said.
Reed Elsevier, which was involved in the data collection industry before acquiring Seisint, has spent about $16.5m on lobbying activities since 1998, according to the Center for Public Integrity, which tracks federal lobbying expenditure. The figure puts the media group in roughly the same league as the National Rifle Association, the pro-gun rights group, which has spent $1.4m less than Reed Elsevier over the same period. ChoicePoint and Acxiom have each spent about $2.6m since 1998 and 2000 respectively. While privacy-related issues have been high on Reed Elsevier's lobbying agenda, the company says it has also been educating lawmakers about other issues that affect its business portfolio, including copyright protection, tax issues and education policies.
Most privacy experts also blame the federal government's “light touch” approach to data brokers on a recommendation made by the FTC in 1997, which allowed a group of industry participants to draft self-regulatory “principles” in conjunction with the commission's staff.
Companies that signed the group's principles agreed to acquire information only from reputable sources; to restrict the distribution of non-public information; and to allow individuals access to information held about them if requested, unless the information was deemed to be “publicly available”. The FTC praised the guidelines as “innovative and far-reaching”.
The 1997 principles also allowed consumers to opt out of industry databases if they contacted the data brokers. LexisNexis said in congressional testimony last month, however, that it allowed consumers to opt out of its databases only if an individual could provide an explanation and supporting documentation for the request, such as being “at risk of physical harm” or being a victim of identity theft.
It is difficult to determine how influential the FTC's decision and the industry lobbying effort have been in creating and maintaining the virtually regulatory-free environment that exists today. But experts say it is clear that the government's lack of attention has been beneficial for the industry.
Mr Mierzwinski says that is best shown by a 1997 filing to the Securities and Exchange Commission by ChoicePoint, in which the company warned that “loss of access or the availability of data . . . due to increased government regulation” could have a “material adverse effect” on its financial condition. In a report filed in March the company also cautioned that legal and regulatory developments, including “changes in consumer and cultural attitudes to favour further restrictions”, could affect business.
Evan Hendricks, editor of Privacy Times, a pro-privacy newsletter, says: “They basically succeeded in getting the FTC to go along with a voluntary programme that averted legislation that would have imposed legal duties and liability on them, or required them to stop selling Social Security numbers. Once the agreement was reached these companies had a green light to go ahead and expand the way they did.”
Robert Pitofsky, who was chairman of the FTC when the 1997 principles were agreed, rejects any suggestion that the commission was overly influenced by the industry. “It was a new matter . . . we wanted to give the industry a chance to regulate its own house. I don't think it was a matter of industry lobbying or persuasion; it was a matter of our own judgment. We felt that a better way of doing it was through self-regulation, which is more flexible. You don't have to amend a statute every time you want to add or subtract [a rule]. And they tried, I give them credit. I gave them good marks for effort,” Mr Pitofsky says.
But times have changed. Today, congressional lawmakers appear less inclined to trust data brokers to regulate themselves than in 1997, when few could have imagined how powerful and potentially dangerous the convergence of personal information and technology could become.