'Perfect storm' for new privacy laws?

R.A. Hettinga rah at shipwright.com
Wed Mar 2 08:35:25 PST 2005


<http://news.com.com/2102-1029_3-5593225.html?tag=st.util.print>

CNET News

 By Robert Lemos
http://news.com.com/Perfect+storm+for+new+privacy+laws/2100-1029_3-5593225.html

 Story last modified Tue Mar 01 04:00:00 PST 2005



A series of security break-ins is kick-starting a political drive to
reshape federal laws that dictate how companies protect personal
information--and what they have to do if that data leaks out.

 What began with the leak of tens of thousands of records from data broker
ChoicePoint earlier this month was quickly compounded by a series of
rapid-fire incidents involving Bank of America, Science Applications
International Corp., an online payroll services company and the T-Mobile
Sidekick of hotel heiress Paris Hilton.

 That avalanche of high-profile breaches in the last month has captured the
attention of a growing number of U.S. senators, mainly Democrats, who have
called for new laws as a response. Sen. Arlen Specter has pledged to
convene hearings in his Judiciary committee, often an initial step in the
legislative process. An aide to the Pennsylvania Republican said Monday
that a hearing is being scheduled and is expected to be held soon.

"Ten days after the ChoicePoint breach of personal data involving between
145,000 and 500,000 people was revealed, today another breach of data was
revealed, this time by loss," Sen. Dianne Feinstein, a California Democrat,
said in response to Bank of America's admission that it had misplaced
backup tapes containing 1.2 million customer records. "These two instances
dramatize the need to take steps for the protection of an individual's
personal data. The Congress needs to address it."

 At the federal level, privacy laws tend to be created erratically, spurred
by one well-publicized emotional anecdote after another. Congress approved
the Video Privacy Protection Act in 1988 after a newspaper published
Supreme Court nominee Robert Bork's video rental records. The murder of
actress Rebecca Schaeffer, whose killer found her address through DMV
records, led to the Drivers Privacy Protection Act.

 Advocates of greater regulation are hoping the latest security breaches
will be just as politically potent. "I don't think Congress can ignore
what's happened," said Marc Rotenberg, executive director of the Electronic
Privacy Information Center (EPIC) in Washington, D.C. "This may be the
first mass disclosure of personal information that triggers congressional
action."

 For ChoicePoint and similar data aggregators, including Acxiom and Westlaw
(a research service operated by Thomson West), the recent breaches could
hardly come at a worse time. The start of a new congressional session often
leaves politicians casting about for new issues, and a pair of recent books
has cast a critical light on the typically shadowy industry that creates
digital dossiers on Americans.

 The price of ChoicePoint shares has plummeted about 15 percent, from a
high of nearly $48 to around $40, since the scandal became public. Rival
Acxiom's shares also have suffered, and a Westlaw "People-Find" service
came under attack last week from Sen. Charles Schumer, Democrat of New York.

 An "Exxon Valdez of privacy"?
 "I don't think it's right to wait until there's an Exxon Valdez of
privacy," Sen. Ron Wyden, a Democrat from Oregon, said nearly five years
ago, back when Congress was more concerned with Web companies than data
brokers. Now that kind of privacy disaster finally has arrived, at least
according to congressional Democrats.

 One possible response from Congress would be an attempt to extend an
existing federal law, the Fair Credit Reporting Act (FCRA), which deals
with credit-reporting agencies such as Equifax, to cover data aggregators
like ChoicePoint and Acxiom. "Records that look a lot like credit
reports--which is the basis of ChoicePoint and Acxiom's business
model--have escaped regulation," EPIC's Rotenberg said.

 Democratic Sen. Bill Nelson of Florida is readying legislation to revise
the FCRA, which Congress already altered last year. Earlier this month,
Nelson wrote to the Federal Trade Commission to ask for its help in
revising the FCRA "to reflect the modern information age, where consumer
information can be transmitted and assembled electronically and cheaply."

 Data breaks

High-profile breaches are finally waking lawmakers up to the need to make
sure personal data is securely protected on computers.

ChoicePoint
  Date: February 2005
  Incident: Data collection company confirms that information from its
  consumer database has been stolen.
  At risk: Names, addresses and Social Security numbers of more than 150,000
  Americans.

Bank of America
  Date: February 2005
  Incident: Bank loses backup tapes detailing the financial records of credit
  cards held by federal employees.
  At risk: More than 1.2 million records in SmartPay charge card program,
  which has annual transactions totaling more than $21 billion.

PayMaxx
  Date: February 2005
  Incident: Flaws in the online W-2 service of PayMaxx expose customers'
  payroll records.
  At risk: Discoverer of the flaws claims they affect more than 25,000
  people. PayMaxx says only a small number of companies is involved.

T-Mobile: Paris Hilton
  Date: February 2005
  Incident: Information from heiress Paris Hilton's Sidekick is posted
  online. Breach comes amid reports that a flaw opens up T-Mobile voice mail.
  At risk: Phone numbers and e-mail addresses of celebrities such as Eminem
  and Lindsay Lohan.

SAIC
  Date: February 2005
  Incident: Desktop computers are stolen from the offices of Science
  Applications International Corp.
  At risk: Personal information of current and past stockholders in the
  government contractor.

T-Mobile
  Date: January 2005
  Incident: The carrier admitted that a hacker had gained access to
  customers' personal information.
  At risk: Names and Social Security numbers of 400 T-Mobile subscribers.

George Mason University
  Date: January 2005
  Incident: Attackers broke into a server that held details used on identity
  cards at the Virginia school.
  At risk: Names, photos and Social Security numbers of more than 30,000
  students, faculty and staff.

California Department of Social Services
  Date: October 2004
  Incident: Breach of a researcher's computer at the University of California
  at Berkeley exposed personal data related to the state's In Home Support
  Services.
  At risk: Contact information and Social Security numbers of up to 1.4
  million providers and clients.

Another approach would be to borrow from the principles underlying a
current California law. The Security Breach Information Act requires
companies to disclose incidents in which a California resident's
confidential information has been jeopardized. Feinstein introduced such a
bill in Congress in June 2003, but without any luck so far. The bill's
backers now hope that it will enjoy a wider appeal.

 Called the Notification of Risk to Personal Data Act, Feinstein's measure
says that any corporation, government agency or person generally must
provide a written or e-mailed notice if "unencrypted personal information
was, or is reasonably believed to have been, acquired by an unauthorized
person." State attorneys general would be authorized to file lawsuits
against suspected violators.

 "The consumer data industry has been in the sights of proregulatory
activists for some time now," said Jim Harper, director of information
policy at the free-market Cato Institute. "And the ChoicePoint debacle
could not have been a fatter, slower pitch across the plate."

 Harper is skeptical of federal proposals to create more regulations,
saying that state laws tend to be more effective and have fewer loopholes.
Instead, Harper advocates the use of tort law, under which private citizens
can sue alleged wrongdoers for damages, to provide an incentive for
data-marts to strengthen security. A California woman, Eileen Goldberg, did
just that earlier this month in a suit she filed against ChoicePoint, with
her claim that the company was negligent in protecting consumers from scam
artists who purchased data from it.

 Not all privacy disasters result in federal legislation. In the case of
Amy Boyer, a woman shot by a stalker who obtained her work address from an
online investigation service, Sen. Judd Gregg, a New Hampshire Republican,
responded by introducing a proposal called "Amy Boyer's Law." Gregg's
legislation, which would have restricted the disclosure of Social Security
numbers, eventually was attacked by both industry groups and by privacy
advocates who said it didn't go far enough. It did not become law.

 Business lobbyists already are preparing for a defensive battle. "We're
all concerned about data security, especially when you're talking about
sensitive information getting out," said Michael Zaneis, director of
congressional and public affairs at the U.S. Chamber of Commerce. "We want
to make sure that we don't have any knee-jerk reactions leading to the
passage of quick legislation with unintended consequences."

 Another wrinkle in the political landscape is the growing reliance of
federal watchdogs, such as the Department of Homeland Security and the
Department of Justice, on identity-verification services purchased from
companies like ChoicePoint and Acxiom. That reliance may make the Bush
administration less willing to embrace aggressive regulation in the area.

 ChoicePoint declined to comment for this article, citing pending
litigation. However, in a statement posted to its site, the database
company stressed that it has entered discussions with other members of its
industry on how to minimize fraud, and has started re-verifying its
customers' credentials to weed out potentially fraudulent applicants.

 "We have already begun sharing our experiences, observations and ideas
with several of the other major corporations in our industry, and we will
seek to lead an industrywide initiative to develop, adopt and deploy new
measures that will identify and halt identity theft and fraud," ChoicePoint
said in the statement.

 In addition, ChoicePoint offered support for a broader national debate
that could include legislation to allow independent oversight and increased
accountability of entities that handle data, increased penalties for the
intentional misuse of personal information, and mandatory notification by
government and business of any unauthorized access to personal data.

 California as precedent?
 The current atmosphere at a national level is similar to the state of
affairs in California that led to the passage of the Security Breach
Information Act (S.B. 1386)--the law that recently forced ChoicePoint to
disclose the October breach.

 In April 2002, a hacker gained access to the state's Stephen P. Teale Data
Center, stealing the payroll information of California's more than 225,000
state employees, including legislators and their staff. The State
Controller's office discovered the breach in early May, but didn't notify
workers until May 25, leaving their financial identities open to misuse.

 Within four months, a bill authored by former state Sen. Stephen Peace and
then-Assemblyman Joseph Simitian had been signed by Gov. Gray Davis. The
bill took effect on July 1, 2003.

 Bank of America's recent admission that the company lost backup tapes with
as many as 1.2 million records could have similar scope as the Teale
breach, even though there is no evidence so far that the financial data has
been misused. The tapes contained information on the customers and accounts
of the U.S. government's SmartPay credit card program, which has more than
2.1 million cardholders and annual transactions totaling more than $21
billion, according to the General Services Administration.

 "There is a good chance we'll see some new regulations, especially because
the Bank of America incident hits closer to home--their (lawmakers')
information was included on the tapes that were lost," said Jordana Beebe,
communications director for the Privacy Rights Clearinghouse, a nonprofit
consumer group.

 If the industry does not lock down people's data, whether by legislative
mandate or by responding to customer concerns, business could suffer, said
Chris Voice, chief technology officer at security company Entrust.

 "It is becoming a matter of survival from a business perspective that if
your customers lose trust, they will go to someone who will guard their
information better," Voice said.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
