2 June 2007

Data Protection
Two perspectives on data protection and regulation today,
with news about enhanced practice at ChoicePoint and Ratsit.
ChoicePoint
ChoicePoint Inc, the giant US "consumer data provider"
that attracted attention
after unauthorised disclosure of personal information in 2005,
has agreed to implement further safeguards as part of a settlement
with 43 states and the District of Columbia.
The US Federal Trade Commission (FTC) noted that ChoicePoint,
one of the dominant US data
traders, had provided criminals with access to its databases,
which contain information about several hundred million people.
Access was provided on a commercial basis, with the criminals
posing as small business customers and buying data in the
same way as major businesses, not-for-profit organisations
and US government agencies.
There is disagreement about how much data was exposed: initial
reports suggested that information on 145,000 people was accessed
by the offenders, but more recent statements put the figure at
163,000 people. That is a small fraction of the exposure
of personal information about literally hundreds of millions
of people in the US and elsewhere over the past three years,
but it is of concern given ChoicePoint's past claims of best practice.
We know about that exposure because of mandatory reporting
by US enterprises regarding exposure of personal data through
improper sale, hacking by outsiders, failure to purge storage
devices, loss of computer tapes and theft of laptops (the
largest UK building society received a substantial penalty
after loss of a laptop exposed information about 11 million
customers). That reporting involves US federal and state law.
As noted in a presentation by Bruce Arnold to the Australia
and New Zealand Institute of Insurance & Finance last
month, there is no such mandatory reporting in Australia,
arguably leading people to believe that data loss is not
a local problem. Does the lack of information about incidents
mean that they are not occurring?
The US reporting regime, unsurprisingly, has been accompanied
by class actions as vexed consumers - alerted to concerns
about identity
crime through campaigns by government agencies and by
'alert services' such as Equifax - have sued major businesses
and government agencies. Some US states, criticising weak
enforcement by the FTC, have moved to strengthen their legislation.
California in particular has led the rest of the US in articulating
expectations about corporate responsibility and encouraging
consumer self-help. ChoicePoint for example initially sent
notice of the exposure only to Californians; it appears to
have widened the alert after a media furore.
The FTC damned ChoicePoint for having ignored 'red flags',
failing to match statements with action and continuing to furnish
consumer reports to clients "even after receiving subpoenas
from law enforcement authorities between 2001 and 2005 alerting
it to fraudulent accounts". Last year ChoicePoint agreed
to pay US$15 million to settle FTC charges that its security
and record-handling procedures violated consumers' privacy
rights. Visitors to Consumerist.com voted ChoicePoint the
second "worst company in America" and it received
the 2005 "Lifetime Menace Award" from Privacy International.
The settlement with the states and DC involves commitment
by ChoicePoint to adopt 'significantly stronger security measures',
including written certification for access to consumer reports
and (in some instances) onsite visits by ChoicePoint to ensure
the legitimacy of companies before they are permitted to buy personally
identifiable information. There is no fine or penalty, but
ChoicePoint will pay US$500,000 to the states, reflecting
arguments by state governments that ChoicePoint should bear
some enforcement costs.
Connecticut Attorney General Richard Blumenthal commented that

This step marks a historic first - the first time a data broker
has agreed to safeguard certain sensitive publicly available
information, including Social Security numbers, using the
same credentialing methods as it uses to safeguard private
financial information that is protected by law.
ChoicePoint notes that it has admitted no wrongdoing in the
settlement, commenting

The changes we are making as a result of our conversations with
the states are clearly good for our business and, we expect,
will ultimately be where the entire industry finds itself.
In fact, we will be watching with interest as the attorneys
general expand their focus on these critical issues across
every sector of our economy.
US congressman Ed Markey, co-chair of the Congressional Caucus
on Privacy (and responsible for a report that cited discussion
on caslon.com.au of privacy), said

The announcement is welcome news and should send a signal to
the data broker industry that it is no longer acceptable
to play fast and loose with Americans' sensitive information.
In the more than two years since fraudsters accessed thousands
of personal records held by ChoicePoint, 150 million data
records of U.S. residents have been exposed as a result
of security breaches at various institutions. Social Security
numbers, bank account numbers, addresses, credit card data
- this information is the key that unlocks the personal
lives of Americans.

We need a Fort Knox mentality when it comes to the protection
of Americans' private information, in place of the current
feeble approach that leaves consumers vulnerable to identity
theft or worse. Congress currently is considering several
data privacy and security bills to strengthen the safeguards
for personal information, including the Social Security
Number Protection Act which I introduced earlier this year.
The terms of the ChoicePoint settlement, including onsite
audits to ensure legitimate usage of personal information,
should provide additional momentum for our efforts to pass
comprehensive privacy and security reforms urgently needed
in the data broker industry.
Ratsit
In Sweden the National Taxation Board, counterpart of the
ATO, and Ratsit.se have agreed that Ratsit will tighten
restrictions regarding online access to personal credit
reference information.
Since early last century Swedes have been able to access selected
information from each other's tax records - a joy for tabloid
journalists and neighbourhood snoops - on the basis that the
data is public information.
Ratsit enabled searching online, shortcutting the traditional
process of appearing at a government desk with a request to
examine a particular profile. Consumers appear to have embraced
such searching with glee, with 610,000 of Sweden's 9
million people registering as users and a Ratsit spokesperson
commenting

We had 1.4 million searches last week and we expect it to
reach 1.5 million a week before June 11. You almost start
to wonder if people are really working during the day.
The Board politely commented that "we are obliged to supply
the information, but we have always had a choice on whether
we will supply it digitally or not". Ratsit and other
credit reference services have responded with rather weak
self-regulation. From 11 June individuals whose information
has been viewed online will be notified by mail of who checked
their details.
Ratsit will continue to provide the income information on
a commercial basis, with organisations able to perform "legitimate"
credit checks for commercial reasons on an anonymous basis.
As of 11 June Ratsit and its peers will end free access to
that data. It is unclear whether the access fee will be sufficient
to deter what might be characterised as frivolous browsing;
it will of course serve to enrich an organisation vending
data that many Australians would be amazed to see released
at all.