Center for Democracy and Technology
Working for Democratic Values in a Digital Age
Policy Post 11.6, March 08, 2005

A Briefing On Public Policy Issues Affecting Civil Liberties Online from The Center For Democracy and Technology

Recent Information Security Breaches Raise Privacy Concerns

(1) Recent Information Security Breaches Raise Privacy Concerns

(2) Congress Considers Range Of Policy Responses

(3) The Overlooked Issue - Government Access and Use

(4) Congressional Hearings Planned

(5) O'Harrow Book Maps Data Landscape

 

(1) Recent Information Security Breaches Raise Privacy Concerns

Recent stories about security breaches at ChoicePoint and Bank of America Corp. and about the accessibility of Social Security Numbers through WestLaw have renewed concerns regarding the privacy of personal information, producing a flurry of calls for investigations and legislation at the state and federal level.

Discerning the appropriate policy response requires parsing the issues involved, including computer security, the privacy issues associated with data aggregation and sale, and the crime of identity theft. Perhaps one of the most important issues is in the background of recent stories: Under what circumstances and for what purposes does the government access the growing amount of data compiled by commercial entities?

The issues go well beyond any of the specific companies involved, but here are the basic facts: Last month, ChoicePoint announced that thieves posing as legitimate businesses had purchased access to its vast database of more than 19 billion public records. ChoicePoint, an information broker that aggregates and sells personal information to private companies, law enforcement agencies and the US government, possesses personal information about virtually every US citizen. ChoicePoint's security breach affected approximately 145,000 people. California law requires information brokers like ChoicePoint to notify California citizens whose personal information has been stolen. No other state has such a law, but ChoicePoint ultimately notified all those whose data had been fraudulently purchased and offered them free credit watch services for one year.

Also last month, Bank of America announced that, in December 2004, someone stole backup tapes of customer data that it was shipping by commercial aircraft. These backup tapes contained the Social Security Numbers and other personal financial information of as many as 1.2 million federal employees, including some members of Congress, rendering these individuals vulnerable to identity theft.

In the wake of these stories, Sen. Charles Schumer (D-NY) publicly criticized WestLaw for what he called "egregious loopholes" in its data services that allow subscribers to obtain Social Security numbers and other personally identifiable information. WestLaw responded that it has strict policies that limit access to sensitive personal information and that such information is not available to the general public.

 

(2) Congress Considers Range Of Policy Responses

Lawmakers are exploring a range of policy responses to the issues posed by these recent breaches and to the broader issues associated with the dramatic expansion over the past decade of the marketplace for personally identifiable information. Among the ideas being discussed:

  • Federal Security Breach Notification: US Senator Dianne Feinstein (D-CA) has introduced legislation (S. 115), modeled on the California disclosure law, that would require data brokers and other holders of sensitive personal information to notify people whose personal information might have been stolen. Senator Jon Corzine (D-NJ) is planning to reintroduce legislation that would require financial institutions to notify customers, law enforcement agencies and credit agencies in the event of a security breach that puts customers' data at risk.

    Notice aids consumers by allowing them to take protective action when their data has been compromised and seems to be a step that some in the information industry would embrace. However, while such legislation would be helpful in mitigating the damage and might prod companies to improve security proactively, it would not directly prevent the theft of personal information nor would it address the issues associated with government's growing use of commercial data post 9/11.

  • Tighter Controls on Use, and Stiffer Penalties for Misuse, of Social Security Numbers: The Social Security Number (SSN) has become a de facto national identifier, serving as the key that unlocks many corporate and governmental databases. Accordingly, it is a major facilitator of identity theft. Sen. Feinstein has introduced legislation (S. 29 and S. 116) that would restrict the display, sale and purchase of SSNs without consent, limit the circumstances under which commercial entities could require individuals to provide their SSNs, and prohibit the use of the numbers on drivers' licenses. Rep. Ed Markey (D-MA) also has introduced legislation that would make it a crime to sell or purchase Social Security Numbers. And Rep. Rodney Frelinghuysen (R-NJ) has introduced similar legislation that prohibits "interactive computer services," like WestLaw, from disclosing SSNs to third parties without written consent.

    Skeptics worry that such legislation would not be enacted without numerous exceptions. Moreover, given the ubiquity of Social Security Numbers in the public domain, criminals could still acquire them from other sources. Finally, tighter controls on Social Security Numbers would not prevent identity thieves from acquiring and using other personal identifiers to perpetrate fraud.

  • Extend Fair Credit Reporting Act Concepts to Data Brokers: The Fair Credit Reporting Act (FCRA) is one of the most important privacy laws on the books, affording consumers the right to access and challenge their credit reports and requiring credit reporting agencies to maintain accurate data. The FCRA is complicated and always highly contested, so there is little taste for extending the Act itself to data brokers.

    However, Senator Bill Nelson (D-FL) and Congressman Markey have introduced the Information Protection and Security Act, which would regulate "information brokers" under a legal framework akin to the Fair Credit Reporting Act. This bill would subject information brokers like ChoicePoint to federal regulation by the Federal Trade Commission (FTC). The FTC would be required to issue new fair information practice rules that would do the following: (1) require information brokers to develop procedures to guarantee maximum possible accuracy of their data, prevent and detect fraudulent, unlawful or unauthorized use or disclosure of personally identifiable information and mitigate potential harm to individuals from threats to privacy and security; (2) allow individuals to access information about themselves held by data brokers and the identity of each entity that purchased their personally identifiable information; and (3) require information brokers to authenticate users before allowing access to their databases.

  • Requiring Data Brokers to Formally Address Security: Pursuant to the Gramm-Leach-Bliley Act (GLB), financial institutions are already under information security requirements, and the Health Insurance Portability and Accountability Act (HIPAA) imposes similar requirements on health care companies. Data brokers similarly could be required to conduct risk assessments, develop and implement security plans, and regularly audit their security procedures. Requiring data brokers to develop and implement security procedures, however, would not limit the sale of personal data to commercial entities.

  • Holding Data Brokers Liable for Security Breaches: Most if not all of the proposed federal bills contain liability provisions that would give the FTC and/or the Attorney General enforcement power to bring actions against violators, and some bills give consumers private rights of action. A California woman whose personal information was purchased from ChoicePoint by the fraud artists has filed suit against ChoicePoint in Los Angeles Superior Court alleging fraud and negligence. There is, however, no established standard of care for information security at this time.

  • Imposing a "Know Your Customer" Requirement on Data Brokers: Data brokers are in the best position to verify the identity of their customers, and they could be prohibited from selling information to customers whom they are unable to verify. The bill proposed by Sen. Nelson and Rep. Markey requires information brokers to authenticate purchasers of their data before granting them access. It is unclear, however, what risk factors data brokers would use to assess potential customers.

Some solutions pose their own risks to privacy. In the area of identity fraud, some approaches may require more personal information to be collected and more authentication to be demanded in order to prevent unauthorized access and establish the identity of users.

CDT will track progress of relevant federal bills at its legislative page: http://www.cdt.org/legislation/109/3

 

(3) The Overlooked Issue - Government Access and Use

Even before September 11, the federal government was developing and implementing new ways to use commercially aggregated data. Since 2001, this process has accelerated. The new data environment has two defining features: the depth and breadth of personally identifiable information available in commercial databases, and the capacity to analyze such data and draw from it patterns, inferences, and knowledge.

This area should not be ignored. By and large, the rules for the government's use of databases for counterterrorism purposes are fragmentary and unresponsive to the new kinds of screening applications that are being developed. The Privacy Act does not apply when the government subscribes to a commercial database, and federal privacy laws for financial and medical records have broad exemptions for national security. Consequently, there is no framework addressing key questions: When should the government access commercial databases? How will the government use "knowledge" generated by computerized analysis of data? Could the analysis trigger a criminal or intelligence investigation? Will it be used for screening purposes - to trigger a more intensive search of someone seeking to board an airplane, to keep a person off an airplane, to deny a person access to a government building, to deny a person a job? What rights does an individual have in these contexts?

In December 2004, Congress adopted and the President signed the Intelligence Reform and Terrorism Prevention Act of 2004. Section 1016 of the Act requires the President to create an "information sharing environment" for the sharing of terrorism information among all appropriate Federal, State, local, and tribal entities, and the private sector. The ISE, as the information sharing environment is known, is supposed to incorporate protections for individuals' privacy and civil liberties and strong mechanisms to enhance accountability and facilitate oversight, including audits, authentication, and access controls, but so far, those procedures are unwritten.

The Markle Foundation Task Force on National Security in the Information Age and the Defense Secretary's Technology and Privacy Advisory Committee (TAPAC) recommended some standards, including senior level and sometimes judicial approval for access, permission controls on sharing, auditing, and redress.

CDT has compiled two charts outlining the patchwork of laws governing commercial data, one focusing on commercial use and one on governmental uses: http://www.cdt.org/security/guidelines/

 

(4) Congressional Hearings Planned

Members of Congress have responded to the recent spate of security breaches by preparing for hearings on the subject of data privacy. The first will be March 10, before the Senate Banking Committee, chaired by Senator Richard Shelby (R-AL). Senate Judiciary Committee Chairman Arlen Specter (R-PA) has announced his intention to also hold hearings on the issue. Congressman Joe Barton (R-TX), Chairman of the House Energy and Commerce Committee, has asked his staff to examine the issue of data storage and privacy. In addition, several members of Congress are planning to ask the Government Accountability Office to investigate the US government's contracts with data brokers.

 

(5) O'Harrow Book Maps Data Landscape

In "No Place to Hide" (Free Press 2005), Washington Post reporter Robert O'Harrow, Jr., lays out in extensive detail the post-9/11 marriage of private data companies and government anti-terror initiatives. Drawing on years of investigation, O'Harrow shows how the government is using private databases to promote homeland security and fight the war on terror.

O'Harrow builds his book with stories of key players in this new world, from software inventors to counterintelligence officials. While O'Harrow offers few policy recommendations, his book is an indispensable introduction to the new world of high-tech data collection and analysis. "More than ever before," O'Harrow concludes, "the details of our lives are no longer our own. They belong to the companies that collect them, and the government agencies that buy or demand them in the name of keeping us safe." He quotes Viet Dinh, often credited as the author of the PATRIOT Act: "The leap in technology has not been met with a proportionate response in terms of how we think of this technology. We need to think more creatively."
