Tech.gov: Policing Information Brokers, the Sequel
Ameritrade, the Bank of America, ChoicePoint, LexisNexis, Time Warner ... the list of companies that have been robbed of, defrauded out of, or just plain lost sensitive personal information about thousands of people seems to grow by the month. Hundreds of consumers whose information has been compromised have also been victims of some form of identity theft. Since thieves can wait years until they use the data they have obtained--long after any evidence as to how they obtained it disappears--we may never know the final tally of victims.
In my March column, I discussed the first of the bills making their way through Congress that took a crack at the problem. Since then, security breaches have continued to make headlines, and Congress has drafted new bills and held hearings to try to determine what it or other government agencies should do to protect us. For the first time, there's a bill on the table that more directly addresses regulating information brokers, not just telling consumers about problems after the fact or setting standards for procedures like proper Social Security number use.
The first of the new bills is relatively simple and, like some in the last batch, was introduced in the U.S. Senate by Dianne Feinstein (D-California). Bearing the same name--but not the same provisions--as an earlier Feinstein bill, the new Notification of Risk to Personal Data Act (S. 751) does exactly what it sounds like it would: It mandates notification of users when there has been theft or some other breach in security of their data. Unlike the last bill (S. 115), it does not require proof that the data theft has led to fraud before a company must notify consumers that the theft occurred, which is a great improvement. Other welcome changes: S. 751 covers theft in electronic or paper form, specifies that the notification include the kinds of data that were stolen, and obligates companies to inform credit reporting agencies of the breach.
However, the bill includes provisions that make it possible for a firm to get out of contacting individuals directly if more than 500,000 people must be notified or if sending out direct notifications would cost more than $500,000. In such cases, the company just has to post a notice on its Web site and alert major media outlets that it is asking people to call in to find out if their information has been stolen--which unfortunately puts the burden of learning about potential problems on the consumer. And section 5 of the bill negates any state laws relating to disclosure of data breaches, which means your state would not be able to require additional data protection--this bill would be it.
Regulating the Industry
The second bill is more ambitious. Introduced by Senator Bill Nelson (D-Florida), the Information Protection and Security Act (S. 500) directs the Federal Trade Commission to set up and enforce rules for information brokers. This bill does a good job of spelling out the things that need to be regulated, including a much-needed mechanism that would allow you and me to review and correct the data about us--much like we can for credit-rating data that financial firms trade and collect, which is covered by the Fair Credit Reporting Act.
Nelson's bill also stresses the need for standards for data security, checks on who buys the data, and mandates some follow-up procedures to make sure that the information someone buys won't be misused. The bill says there should be a way for you and me to find out what the company knows about us, and to whom it's been selling that information. Moreover, the bill clearly states that it does not supersede other state laws but will coexist with them, so states remain free to increase protection requirements if they so choose.
One thing that is missing, though, is any mention of conflict resolution. States and consumers can sue for violation of S. 500 (as they can under the Feinstein bill), but there's nothing in the bill about how to handle instances when an individual and a data brokerage disagree about facts in the database.
Still, to my mind, the main problem with S. 500 is that while it tells the FTC what to regulate, it allows the agency to decide all of the specifics. As with everything else in law, the devil is always in the details. If the FTC does a good job and sets appropriate standards, that's great--but otherwise, we're back to square one. It would have been nice to see things spelled out a bit more; for example, to require that corrections be made and shared with credit agencies within, say, 30 days. And really, Nelson's bill and the one that Feinstein is sponsoring should be folded into one bill: There's no reason why a bill on regulating the industry should skip the part about notifying users of problems.
Of course, not including the details may mean Nelson's bill will have a better chance of passing, since proponents and opponents could shift their fight from Capitol Hill to the backrooms of the FTC. That feels a bit like a cop-out--but not nearly as much of one as the recent California state bill (SB 550). That bill initially set forth regulations for disclosure of information gathered by data brokers to consumers, mechanisms for correcting that data, and more, but has since morphed into a simple declaration of intent to regulate consumer access to information held by data brokers. Gosh, I'm so glad to know there's a bill officially stating that my state legislature fully intends to tackle this problem--sometime, and maybe in this century.
A Complete Package
One other bill surpasses S. 751 and S. 500 in terms of scope, and includes the major provisions of both, but with more detail: the Comprehensive Identity Theft Prevention Act (S. 768). Sponsored by Senator Chuck Schumer (D-New York) among others, this bill would create a new Office of Identity Theft within the FTC. The new office would not only set standards for many of the issues covered in the Information Protection and Security Act, but it would also serve as a central assistance and information zone for consumers who want to find out more about identity theft, what they can do to help themselves, what they must do if they suspect they are victims, and the like.
The bill also spells out details left vague in the Information Protection and Security Act; for example, it specifies that consumers have the right to one free report with the information the data brokerage has about them (similar to our current right to a standard credit report, but with additional information). Disputes about items in the reports would be handled the same way they are under the Fair Credit Reporting Act: Consumers can write to the information broker, which must investigate an item within 30 days (some extensions may be granted). If the consumer is right, then the item must be deleted; if there is no way to determine its validity, the item must be deleted or modified; and if there's still a dispute, the item may stay in with the inclusion of the consumer's statement about it.
S. 768 also deals with the proper use and sharing of Social Security numbers, and gives the Office of Identity Theft the authority to coordinate worldwide efforts to combat identity theft. The bill also creates a group whose job it is to work on national cybersecurity issues, with provisions for sharing the assignment with nongovernmental companies.
The breadth of the Comprehensive Identity Theft Prevention Act is terrific--having an all-in-one can be more efficient when it comes to laws--but like the Feinstein bill, S. 768 would preempt states' laws. And it allows the FTC to let some companies off the hook on compliance if the agency finds that doing so benefits the public, or that the buying and selling of information is "incidental" to the company's primary business. That's a loophole waiting to be exploited.
In May, the Senate Committee on Commerce, Science, and Transportation--the committee in which both S. 768 and S. 500 ended up--held a hearing on identity theft and proposed solutions. Representatives from major data brokerage firms like Acxiom, ChoicePoint, and LexisNexis spoke at the hearing along with consumer advocates like the Electronic Privacy Information Center and Mari Frank, a lawyer who was a victim of identity theft. She has since become an expert on the topic and helps other victims. In her testimony, she goes into detail on many points that she thinks laws should cover, many of which are in the bills I've mentioned in this column.
It's no surprise that the data brokers weren't all that keen on extensive regulations, although at least two of the companies had no objections to a law about disclosure of breaches (as long as it was a national standard) and also endorsed greater resources for law enforcement. The representative from Acxiom said the company also favors extending some existing laws to explicitly cover the information industry.
Both the Acxiom and LexisNexis representatives went into some detail about what each company had learned--and fixed--regarding security problems that had led to data leaks, and stressed the security and privacy standards the companies were each adhering to, above and beyond what they were required to do. Kurt Sanford, the CEO of U.S. Corporate and Federal Government Markets for LexisNexis, went to great lengths to point out the truly important and vital ways in which his company's information was being used to solve and prevent crimes or generally do good.
To my mind, though, the very fact these companies stress the crucial nature of their work and the additional steps each has taken to safeguard consumers and data makes it more, not less, vital that the federal government impose some standards on the industry as a whole. Not every data brokerage does what these firms do. The information in their databases can put people in jail, or deny them employment, homes, and insurance. There are real, severe consequences if that information is misused or incorrect--we can't simply hope that all the players in this field will voluntarily adopt the high standards that some have. That is why Congress must step in. We need the protection.