
Database debacles: individuals' privacy is rapidly eroding as more and more of their most intimate information is collected and sold by data brokers that have little oversight and few restrictions.


This year is shaping up to be a banner year for identity thieves. Already in 2005, there have been three big, headline-grabbing cases in which thousands of individuals' private information, including Social Security numbers and addresses, has been stolen or lost.

In February, ChoicePoint Inc. revealed that an identity-theft ring accessed tens of thousands of its electronic documents, which contain information such as driving and property records and insurance claims. Critics say the breach put more than 450,000 individuals at risk of identity theft.

Also in February, the Bank of America revealed that data tapes containing personal information about 1.2 million federal charge card holders had been lost or stolen.

In March, LexisNexis, a worldwide leader in global legal and business data, discovered that thieves had stolen data--including names, addresses, and Social Security and drivers' license numbers--on up to 310,000 U.S. consumers.

These incidents have raised new warnings about companies that sell private data and their growing banks of personally identifiable information pertaining to millions of individuals' lives. Many, including lawmakers, are now saying the data-broker industry has too little government oversight and contending that such databases should fall under regulations that govern credit reports.

The ChoicePoint Calamity

ChoicePoint, one of the largest information brokers, revealed that scammers posing as legitimate Los Angeles-area businesses opened 50 fraudulent accounts and accessed various databases used for pre-employment background checks and public records searches.

They paid fees of $100 to $200 and provided fake documentation to identify their businesses as insurance agencies, check-cashing companies, and other organizations that would have normally been allowed to subscribe to ChoicePoint's services. After setting up accounts and gaining access to ChoicePoint databases, thieves were able to gather a treasure trove of information--including addresses, phone and Social Security numbers, credit files, and even names of relatives and neighbors--on at least 145,000 people. Investigators said they believe up to 400,000 individuals' records may have been compromised, but ChoicePoint contends that the breach affected only about 145,000 personal records, some of which are duplicates.

According to police records, the account holders then made unauthorized address changes on at least 750 people. This is a trick identity thieves often use to establish credit accounts that they can use to make fraudulent charges. However, it is not clear whether any false charges were made in these specific cases before the fraud was discovered.

U.S. investigators alerted ChoicePoint to the security breach in October 2004, but the company did not send out notification letters to its 30,000 consumers in California--the only U.S. state that requires database firms to notify consumers of a security breach--informing them that their privacy had been breached until late February 2005.

A California woman has filed suit against ChoicePoint and is seeking class-action status, arguing that the five-month delay between the company's knowledge of the breach and its notifying customers is unacceptable.

A Nigerian man pleaded no contest to a single count of unlawful use of personal information in the case and has been sentenced to 16 months in California state prison for his role. Police are seeking others involved in the alleged scare.

More Breaches

In February, Bank of America lost computer data tapes containing personal information on more than 1 million federal employees, including some U.S. senators. The data, presumably lost in transit to a backup center, included Social Security numbers and account information that would be valuable to identity thieves.

The missing tapes included information on federal employees who use Bank of America "SmartPay" charge cards for travel and expenses. The U.S. government's charge card program has more than 2.1 million members and annual transactions totaling more than $21 billion, according to the General Services Administration.

Sen. Charles Schumer (D-N.Y.) said he was told baggage handlers likely stole the data backup tapes from a commercial plane in December 2004. Bank spokeswoman Eloise Hale told MSNBC that the system of shipping backup tapes is "an industry practice and a routine bank practice. As a safety precaution measure, backup tapes are stored in different locations."

In a news release, the bank said that its investigation has found no evidence that the tapes or their content have been accessed or misused, and it now presumes the tapes are lost.

Bank of America would not comment on the format of the data on the tapes and would not say whether the data was encrypted. Hale said, however, that it would be "virtually impossible" for anyone who found the tapes to access the data.

More recently, LexisNexis, a company that provides searches of legal and business data, discovered that cyber criminals had hacked into its computer systems and stolen data files on as many as 310,000 U.S. customers. The stolen files included names, addresses, Social Security numbers, and driver's license information. The information was stolen from Seisint, a LexisNexis subsidiary. LexisNexis detected the security lapse in a review of procedures at Seisint.

The Dangers of Data-mining

The commercial data-broker industry collects and sells information for profit. ChoicePoint, for example, aggregates data on millions of Americans from hundreds of sources. The reports are then sold to thousands of companies and government agencies that want to learn more about their clients, customers, or employees.

ChoicePoint has acquired more than 50 companies since its founding in 1997 and now has access to 19 billion records. Its customers include Fortune 500 companies, insurance agencies, corporate employee screeners, check-cashing companies, media outlets, private investigators, law enforcement agencies, and the U.S. government.

According to The New York Times, "if a person has held a job, held a lease, obtained a driver's license, carried a credit card, been fingerprinted, taken a drug test, gone to court, or simply received mail," it is likely that all that information and much more is stored in one or more consumer databases and available for sale.

Westlaw, another information database company, provides the Social Security numbers of millions of Americans to its subscribers. Its "People-Find" feature allows some Westlaw users to type in any name and receive personal data about that individual, including addresses and Social Security numbers, that have been culled from public records. Sen. Schumer called it an "egregious" invitation to identity theft. Westlaw said Social Security information is restricted to government agencies and a small number of corporations that need it, such as insurance companies.

There are hundreds of data brokers like Westlaw, and consumers have no way of knowing what information such companies possess and whether it is protected. The LexisNexis Group provides information services to legal, media, government, and academic markets. Acxiom, another data broker, serves the financial services, insurance, direct marketing, publishing, retail, and telecommunications industries.

Existing Laws Are Inadequate

Companies that buy and sell data operate with little oversight and, therefore, have little impetus to protect personal information. Existing laws do not help consumers protect themselves in a world where private information is collected in huge databases and then bought and sold with minimal rules or restrictions.

The biggest problem may be that not one but many legal and government authorities oversee the commercial collection and distribution of private information. According to the Times, current laws were not created to address, and do not regulate, "the current power of data gatherers to amass and distribute vast digital dossiers on ordinary citizens." State and federal regulators and lawmakers are now calling for those rules to be updated.

Among the pertinent federal rules are the following:

* The Fair Credit Reporting Act of 1970 and its 2003 version, the Fair and Accurate Credit Transactions Act, establish rules for access to and distribution of consumer reports and require credit report providers to vouch for the accuracy of their information.

* The 1994 Drivers Privacy Protection Act protects driving records.

* The Health Insurance Portability and Accountability Act of 1996 addresses the privacy of medical records.

* The Gramm-Leach-Bliley Act of 1999 governs the use of personal information collected by financial institutions.

State laws differ from state to state, sometimes conflict, and are highly inconsistent in the degree to which they protect the privacy of their residents. According to the Times, state laws have not kept pace with the emergence of data-mining companies because they focus too much on industry-specific uses of information such as credit reports or medical data rather than on protecting the privacy of individuals whose information is in the databases.

Californians seem to be the best-protected U.S. residents. It was that state's unique law that prompted the disclosure of the ChoicePoint breach.

More Regulations on the Horizon

The ChoicePoint theft has grabbed the attention of lawmakers. Two Senate committees have held hearings to review the situation, and the Federal Trade Commission (FTC) is investigating whether ChoicePoint complied with federal consumer safety data regulations.

Members of Congress have called for investigations and new legislation to better regulate the data-brokering industry. Sen. Dianne Feinstein (D-Calif.) said, "existing laws no longer suffice when thieves can steal data not just from a few victims at a time but from thousands of people with vast, digitized efficiency." She introduced three consumer privacy bills in January, including one that would create a national version of California's security breach notification law. Another would give U.S. residents the right to know if their personal information has been stolen and used to commit a crime.

Several states, including Georgia, New York, and Texas, are considering similar laws. Legislation working its way through the Colorado Senate would make notification mandatory and allow consumers to put a "freeze" on their credit reports, which would make it difficult for anyone to access them without the consumer's permission.

Rep. Joe Barton (R-Texas), chairman of the U.S. Committee on Energy and Commerce, has directed his staff to investigate the storage and security practices of database companies. The Wall Street Journal reported that Sen. Bill Nelson (D-Fla.) will introduce legislation that would extend the provisions of the Fair Credit Reporting Act to govern commercial data brokers, giving the FTC jurisdiction over companies like ChoicePoint.

Such a law would give consumers broad new protections. U.S. residents would be entitled to review data stored on data brokers' computers once annually for free and to correct any errors. Consumers would also be able to see a list of companies that have requested a look at their personal information.

MSNBC.com reported that Nelson and House member John Conyers (D-Mich.) will call for the General Accounting Office to investigate government contracts with commercial data brokers.

Outrage over the recent high-profile data breaches may result in passage of a national notification law, which would require data brokers to notify individuals at risk following a data theft.

ChoicePoint, meanwhile, has said it will start restricting who can buy the data it collects to reduce the likelihood that identity thieves will gain access to its databases. But for hundreds of thousands of consumers, the damage may have been done already.

References

Associated Press. "Bank of America Loses Customer Data." MSNBC.com, 28 February 2005.

Krim, Jonathan. "Databases Called Lax with Personal Information." The Washington Post, 25 February 2005.

Lemos, Robert. "'Presumed Lost': 1 Million Bank of America Customer Records." CNETNews.com, 28 February 2005.

Perez, Evan. "Identity Theft Puts Pressure on Data Sellers." The Wall Street Journal, 18 February 2005.

Sullivan, Bob. "ChoicePoint Theft Prompts Senate Investigation." MSNBC.com, 28 February 2005.

--. "ChoicePoint Files Found Riddled with Errors." MSNBC.com, 9 March 2005.

Zeller Jr., Tom. "Breach Points up Flaws in Privacy Laws." The New York Times, 24 February 2005.

Nikki Swartz is a freelance writer based in Kansas City, Mo., and former Associate Editor of The Information Management Journal. She may be contacted at nikkiswartz@hotmail.com.
COPYRIGHT 2005 Association of Records Managers & Administrators (ARMA)
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.


Article Details
Title Annotation: ON THE EDGE: The Use & Misuse of Information
Author: Swartz, Nikki
Publication: Information Management Journal
Geographic Code: 1USA
Date: May 1, 2005
Words: 1948