March 1, 2005 4:00 AM PST

'Perfect storm' for new privacy laws?

(continued from previous page)

aggregators like ChoicePoint and Acxiom. "Records that look a lot like credit reports--which is the basis of ChoicePoint and Acxiom's business model--have escaped regulation," EPIC's Rotenberg said.

Democratic Sen. Bill Nelson of Florida is readying legislation to revise the FCRA, which Congress already altered last year. Earlier this month, Nelson wrote to the Federal Trade Commission to ask for its help in revising the FCRA "to reflect the modern information age, where consumer information can be transmitted and assembled electronically and cheaply" (PDF here).

Data breaks

High-profile breaches are finally waking lawmakers up to the need to make sure personal data is securely protected on computers.

ChoicePoint
Date: February 2005
Incident: Data collection company confirms that information from its consumer database has been stolen.
At risk: Names, addresses and Social Security numbers of more than 150,000 Americans.
Bank of America
Date: February 2005
Incident: Bank loses backup tapes detailing the financial records of credit cards held by federal employees.
At risk: More than 1.2 million records in SmartPay charge card program, which has annual transactions totaling more than $21 billion.
PayMaxx
Date: February 2005
Incident: Flaws in the online W-2 service of PayMaxx expose customers' payroll records.
At risk: Discoverer of the flaws claims they affect more than 25,000 people. PayMaxx says only a small number of companies is involved.
T-Mobile: Paris Hilton
Date: February 2005
Incident: Information from heiress Paris Hilton's Sidekick is posted online. Breach comes amid reports that a flaw opens up T-Mobile voice mail.
At risk: Phone numbers and e-mail addresses of celebrities such as Eminem and Lindsay Lohan.
SAIC
Date: February 2005
Incident: Desktop computers are stolen from the offices of Science Applications International Corp.
At risk: Personal information of current and past stockholders in the government contractor.
T-Mobile
Date: January 2005
Incident: The carrier admitted that a hacker had gained access to customers' personal information.
At risk: Names and Social Security numbers of 400 T-Mobile subscribers.
George Mason University
Date: January 2005
Incident: Attackers broke into a server that held details used on identity cards at the Virginia school.
At risk: Names, photos and Social Security numbers of more than 30,000 students, faculty and staff.
California Department of Social Services
Date: October 2004
Incident: Breach of a researcher's computer at the University of California at Berkeley exposed personal data related to the state's In Home Support Services.
At risk: Contact information and Social Security numbers of up to 1.4 million providers and clients.

Another approach would be to borrow from the principles underlying a current California law. The Security Breach Information Act requires companies to disclose incidents in which a California resident's confidential information has been jeopardized. Feinstein introduced such a bill in Congress in June 2003, but without any luck so far. The bill's backers now hope that it will enjoy a wider appeal.

Called the Notification of Risk to Personal Data Act, Feinstein's measure says that any corporation, government agency or person generally must provide a written or e-mailed notice if "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." State attorneys general would be authorized to file lawsuits against suspected violators.

"The consumer data industry has been in the sights of proregulatory activists for some time now," said Jim Harper, director of information policy at the free-market Cato Institute. "And the ChoicePoint debacle could not have been a fatter, slower pitch across the plate."

Harper is skeptical of federal proposals to create more regulations, saying that state laws tend to be more effective and have fewer loopholes. Instead, Harper advocates the use of tort law, under which private citizens can sue alleged wrongdoers for damages, to provide an incentive for data-marts to strengthen security. A California woman, Eileen Goldberg, did just that earlier this month in a suit she filed against ChoicePoint, with her claim that the company was negligent in protecting consumers from scam artists who purchased data from it.

Not all privacy disasters result in federal legislation. In the case of Amy Boyer, a woman shot by a stalker who obtained her work address from an online investigation service, Sen. Judd Gregg, a New Hampshire Republican, responded by introducing a proposal called "Amy Boyer's Law." Gregg's legislation, which would have restricted the disclosure of Social Security numbers, eventually was attacked by both industry groups and by privacy advocates who said it didn't go far enough. It did not become law.

Business lobbyists already are preparing for a defensive battle. "We're all concerned about data security, especially when you're talking about sensitive information getting out," said Michael Zaneis, director of congressional and public affairs at the U.S. Chamber of Commerce. "We want to make sure that we don't have any knee-jerk reactions leading to the passage of quick legislation with unintended consequences."

Another wrinkle in the political landscape is the growing reliance of federal watchdogs, such as the Department of Homeland Security and the Department of Justice, on identity-verification services purchased from companies like ChoicePoint and Acxiom. That reliance may make the Bush administration less willing to embrace aggressive regulation in the area.

ChoicePoint declined to comment for this article, citing pending litigation. However, in a statement posted to its site, the database

Previous page | CONTINUED:
Page 1 | 2 | 3

5 comments

Join the conversation!
Add your comment
Hmmm....
After reading this article how many people still believe that the "Real ID Act" proposal to link state databases is a good idea?

Real ID References:
<a class="jive-link-external" href="http://news.search.com/search?q=Real+ID+act&#38;x=0&#38;y=0" target="_newWindow">http://news.search.com/search?q=Real+ID+act&#38;x=0&#38;y=0</a>
Posted by (23 comments )
Reply Link Flag
It's PayMaxx
I wonder why PayMaxx is the only organization not specifically named in this article. It's referred politically-correctedly as " online payroll services company"...
Posted by 201293546946733175101343322673 (722 comments )
Reply Link Flag
Got You Coming And Going
In 1997 ChoicePoint was spun off from Equifax. Today, you can spend $120 a year with Equifax to monitor your personae for identity theft -- presumably from sloppy companies like Choicepoint that put your identity risk. Simultaneously, ChoicePoint sells your personae to other mega companies.

I'd like to know how much ChoicePoint makes off of each personal dossier they sell (over and over again). If you buy a product like insurance, you are going to pay a procesing fee, origination fee, call it what you want, that includes the cost of a personal report on YOU, from ChoicePoint. This is like triple-dipping, at a minimum.

So if you think Congress will pass legislation to protect you that in any way jeopardizes the credit compiling/credit selling gravy train, think again. It's going to take a heck of a lot of consumer activism to fight the powerful, well-heeled institutional lobbyists in Washington.

Something else that hasn't been discussed. What about all the personal information on you that is processed overseas? What protections are in place today to protect your identity? What protections would be in new legislation? If I were ChoicePoint, I would think about spinning off the operation and moving it offshore, away from U.S. rules and regs. This has worked marvelously for cruise ships, which are all registered in Liberia.


"Equifax Insurance Services Group soon will be known as ChoicePoint. Later this summer, pending an IRS ruling on a stock exchange, Equifax Insurance Services Group will be spun off from Equifax, becoming a separate, independent public company.

ChoicePoint will offer the same services as Equifax does today: risk management information to the commercial and personal lines insurance markets, and will be comprised of all the current Insurance Services operations."
Posted by Stating (869 comments )
Reply Link Flag
They have you harder than that...
Take a look and be scared.
<a class="jive-link-external" href="http://www.fbifile.com/fbifile-sample.html" target="_newWindow">http://www.fbifile.com/fbifile-sample.html</a>

Oops... Sorry about that ma'am but the contractor we hired accidently passed us bad information so you can't VOTE THIS YEAR.

Last I checked though we already had a Privacy law that covered this sort of datamining activity. Its called the 4th Amendment to the US Constitution. Contained some nonsense about people being "secure in their persons, houses, papers, and effects", probable cause and warrants supported by Oath or affirmation. At least I think that is what it says... If you want to verify it take a look:
<a class="jive-link-external" href="http://caselaw.lp.findlaw.com/data/constitution/amendment04/" target="_newWindow">http://caselaw.lp.findlaw.com/data/constitution/amendment04/</a>
Posted by (23 comments )
Link Flag
Bank of America files for bankruptcy?
WITHDRAW YOUR FUNDS NOW! BofA bankrupt? Bank of America president, Terry E. Perucca, announced in an emergency press conference today that Bank of America NA may be forced to file Chapter 7 bankruptcy. This was later confirmed by Richard M. DeMartini at 2:00pm Eastern.
In a statement from Louis W. Smith, retired president, "I'm not surprised. The unethical treatment of consumers was the main reason I left. It's about time the supreme court stepped in."
Posted by (4 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.