CDT's data privacy page

Industry Responds To Online Community's Outrage Over Widespread Availability Of Personal Information

Dec. 18, 1997 -- In the wake of last year's public uproar over the provision of unique personal identifiers such as Social Security numbers, unlisted phone numbers and birthdates over the Internet, the country's three leading credit bureaus and individual reference services have pledged to stop making that information available to the general public, according to a report the Federal Trade Commission (FTC) released yesterday. The Center for Democracy and Technology (CDT) applauds the FTC, the credit bureaus and the reference services for their work, but warns that the pledge doesn't entirely solve the problem of protecting consumers at a time when Web sites that provide fast, easy access to public records containing personal information on individuals are proliferating.

The Individual Reference Services Group (IRSG)--an industry coalition composed of Experian, LEXIS-NEXIS, Equifax Credit Information Services, Inc., Trans Union Corp., and 10 other companies--has agreed to abide by a set of self-regulatory principles aimed at curbing access to sensitive private data on individuals. The issue of personal information made widely and easily available to the general public via the Internet first drew a public outcry in September 1996 when LEXIS-NEXIS began offering individuals' mothers' maiden names, Social Security numbers and dates of birth on its "P-Trak" database. At the height of the controversy Congress asked the Federal Reserve Board and the Federal Trade Commission to study the privacy implications of this practice. The FTC's report to Congress is available. The Federal Reserve Board issued its report earlier this year.

"The companies involved in the IRSG's effort are to be commended for stepping up to the plate and crafting the most comprehensive set of self-regulatory guidelines of any US industry, however, a number of important consumer and privacy issues remain to be addressed before this can be considered a complete solution," said CDT Staff Counsel Deirdre Mulligan, who focuses on privacy issues.

COMPANIES' PROPOSAL RESPONDS TO PRIVACY CONCERNS

The IRSG proposal responds to concerns raised by Internet users and privacy advocates last September, available at http://www.cdt.org/privacy/issues/pii/, by:

Experian, LEXIS-NEXIS and the other companies have promised to exchange database information only with other companies who also follow these principles, a decision that will increase the principles' effectiveness.

Signers of the IRSG proposal also agree to undergo yearly audits of their practices and to make those audits available to the public. The audit records and the principles will help the FTC investigate instances where companies have not complied with the guidelines.

SEVERAL IMPORTANT AREAS STILL TO BE ADDRESSED BY GUIDELINES

The IRSG proposal falls short of providing complete protection for sensitive consumer information in a number of important areas, Mulligan said. They include the following:

CDT believes that the companies should provide individuals full access to their own personal information. These companies have an important role to play--just as they serve as a one-stop shopping source for other businesses, they should allow individuals access to information from a centralized source.

Many people are unaware that others are using information services to make decisions about them. If data in a company's file comes from inaccurate public records or has been inaccurately transcribed, a consumer could be harmed. People should be notified when information from the IRSG companies' files is used to make decisions about them so that they can correct inaccurate data, challenge inaccurate assumptions, or deal with real problems reflected in the data.

CDT believes that accountability requires strict oversight over access to and use of personal information. When the end-users of sensitive personal data are law enforcement personnel, employers, or others who can exercise power over the consumer, an audit trail that documents the end-user's treatment of personal information would help curb abuses, prevent unauthorized access, and provide accountability to the system.

The IRSG proposal doesn't provide a grievance process or remedies for consumers who believe credit decisions have been made on the basis of inaccurate data. CDT hopes that the industry and the FTC will work to craft a grievance process and remedies that are responsive to consumers' needs.

CDT believes that the IRSG proposal is a noteworthy step towards meaningful self-regulatory guidelines. We commend the FTC for its work in this area and encourage the agency to continue to monitor not only further developments in this area, but also the implementation of and compliance with the IRSG guidelines. Strong enforcement of the guidelines and consumer education are key to effective work in this area.

Still, as we noted last year, the widespread availability and use of public record information is a continuing breeding ground for privacy concerns. See http://www.cdt.org/privacy/issues/ptrak/961008sen_letter.shtml. As the FTC notes in its report, "the easy availability of sensitive, unique identifiers (e.g. Social Security number, mother's maiden name, and date of birth) listed on public records increases the risk of serious harm."

Those IRSG companies with Web sites include: