'Perfect storm' for new privacy laws?

High-profile breaches at ChoicePoint, Bank of America and other data holders spur legislators to action.

By Declan McCullagh and Robert Lemos

A series of security break-ins is kick-starting a political drive to reshape federal laws that dictate how companies protect personal information—and what they have to do if that data leaks out.

What began with the leak of tens of thousands of records from data broker ChoicePoint earlier this month was quickly compounded by a series of rapid-fire incidents involving Bank of America, Science Applications International Corp., an online payroll services company and the T-Mobile Sidekick of hotel heiress Paris Hilton.

That avalanche of high-profile breaches in the last month has captured the attention of a growing number of U.S. senators, mainly Democrats, who have called for new laws as a response. Sen. Arlen Specter has pledged to convene hearings in his Judiciary committee, often an initial step in the legislative process. An aide to the Pennsylvania Republican said Monday that a hearing is being scheduled and is expected to be held soon.

"Ten days after the ChoicePoint breach of personal data involving between 145,000 and 500,000 people was revealed, today another breach of data was revealed, this time by loss," Sen. Dianne Feinstein, a California Democrat, said in response to Bank of America's admission that it had misplaced backup tapes containing 1.2 million customer records. "These two instances dramatize the need to take steps for the protection of an individual's personal data. The Congress needs to address it."

At the federal level, privacy laws tend to be created erratically, spurred by one well-publicized emotional anecdote after another. Congress approved the Video Privacy Protection Act in 1988 after a newspaper published Supreme Court nominee Robert Bork's video rental records. The murder of actress Rebecca Schaeffer, whose killer found her address through DMV records, led to the Drivers Privacy Protection Act.

Advocates of greater regulation are hoping the latest security breaches will be just as politically potent. "I don't think Congress can ignore what's happened," said Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC) in Washington, D.C. "This may be the first mass disclosure of personal information that triggers congressional action."

For ChoicePoint and similar data aggregators, including Acxiom and Westlaw (a research service operated by Thomson West), the recent breaches could hardly come at a worse time. The start of a new congressional session often leaves politicians casting about for new issues, and a pair of recent books has cast a critical light on the typically shadowy industry that creates digital dossiers on Americans.

The price of ChoicePoint shares has plummeted about 15 percent, from a high of nearly $48 to around $40, since the scandal became public. Rival Acxiom's shares also have suffered, and a Westlaw "People-Find" service came under attack last week from Sen. Charles Schumer, Democrat of New York.

An "Exxon Valdez of privacy"?
"I don't think it's right to wait until there's an Exxon Valdez of privacy," Sen. Ron Wyden, a Democrat from Oregon, said nearly five years ago, back when Congress was more concerned with Web companies than data brokers. Now that kind of privacy disaster finally has arrived, at least according to congressional Democrats.

One possible response from Congress would be an attempt to extend an existing federal law, the Fair Credit Reporting Act (FCRA), which deals with credit-reporting agencies such as Equifax, to cover data aggregators like ChoicePoint and Acxiom. "Records that look a lot like credit reports—which is the basis of ChoicePoint and Acxiom's business model—have escaped regulation," EPIC's Rotenberg said.

Democratic Sen. Bill Nelson of Florida is readying legislation to revise the FCRA, which Congress already altered last year. Earlier this month, Nelson wrote to the Federal Trade Commission to ask for its help in revising the FCRA "to reflect the modern information age, where consumer information can be transmitted and assembled electronically and cheaply" (PDF here).

Data breaks

High-profile breaches are finally waking lawmakers up to the need to make sure personal data is securely protected on computers.

ChoicePoint
Date: February 2005
Incident: Data collection company confirms that information from its consumer database has been stolen.
At risk: Names, addresses and Social Security numbers of more than 150,000 Americans.

Bank of America
Date: February 2005
Incident: Bank loses backup tapes detailing the financial records of credit cards held by federal employees.
At risk: More than 1.2 million records in the SmartPay charge card program, which has annual transactions totaling more than $21 billion.

PayMaxx
Date: February 2005
Incident: Flaws in the online W-2 service of PayMaxx expose customers' payroll records.
At risk: The discoverer of the flaws claims they affect more than 25,000 people. PayMaxx says only a small number of companies are involved.

T-Mobile: Paris Hilton
Date: February 2005
Incident: Information from heiress Paris Hilton's Sidekick is posted online. The breach comes amid reports that a flaw opens up T-Mobile voice mail.
At risk: Phone numbers and e-mail addresses of celebrities such as Eminem and Lindsay Lohan.

SAIC
Date: February 2005
Incident: Desktop computers are stolen from the offices of Science Applications International Corp.
At risk: Personal information of current and past stockholders in the government contractor.

T-Mobile
Date: January 2005
Incident: The carrier admitted that a hacker had gained access to customers' personal information.
At risk: Names and Social Security numbers of 400 T-Mobile subscribers.

George Mason University
Date: January 2005
Incident: Attackers broke into a server that held details used on identity cards at the Virginia school.
At risk: Names, photos and Social Security numbers of more than 30,000 students, faculty and staff.

California Department of Social Services
Date: October 2004
Incident: A breach of a researcher's computer at the University of California at Berkeley exposed personal data related to the state's In Home Support Services.
At risk: Contact information and Social Security numbers of up to 1.4 million providers and clients.

Another approach would be to borrow from the principles underlying a current California law. The Security Breach Information Act requires companies to disclose incidents in which a California resident's confidential information has been jeopardized. Feinstein introduced such a bill in Congress in June 2003, but without any luck so far. The bill's backers now hope that it will enjoy a wider appeal.

Called the Notification of Risk to Personal Data Act, Feinstein's measure says that any corporation, government agency or person generally must provide a written or e-mailed notice if "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." State attorneys general would be authorized to file lawsuits against suspected violators.

"The consumer data industry has been in the sights of proregulatory activists for some time now," said Jim Harper, director of information policy at the free-market Cato Institute. "And the ChoicePoint debacle could not have been a fatter, slower pitch across the plate."

Harper is skeptical of federal proposals to create more regulations, saying that state laws tend to be more effective and have fewer loopholes. Instead, Harper advocates the use of tort law, under which private citizens can sue alleged wrongdoers for damages, to provide an incentive for data-marts to strengthen security. A California woman, Eileen Goldberg, did just that earlier this month in a suit she filed against ChoicePoint, with her claim that the company was negligent in protecting consumers from scam artists who purchased data from it.

Not all privacy disasters result in federal legislation. In the case of Amy Boyer, a woman shot by a stalker who obtained her work address from an online investigation service, Sen. Judd Gregg, a New Hampshire Republican, responded by introducing a proposal called "Amy Boyer's Law." Gregg's legislation, which would have restricted the disclosure of Social Security numbers, eventually was attacked by both industry groups and by privacy advocates who said it didn't go far enough. It did not become law.

Business lobbyists already are preparing for a defensive battle. "We're all concerned about data security, especially when you're talking about sensitive information getting out," said Michael Zaneis, director of congressional and public affairs at the U.S. Chamber of Commerce. "We want to make sure that we don't have any knee-jerk reactions leading to the passage of quick legislation with unintended consequences."

Another wrinkle in the political landscape is the growing reliance of federal watchdogs, such as the Department of Homeland Security and the Department of Justice, on identity-verification services purchased from companies like ChoicePoint and Acxiom. That reliance may make the Bush administration less willing to embrace aggressive regulation in the area.

ChoicePoint declined to comment for this article, citing pending litigation. However, in a statement posted to its site, the database company stressed that it has entered discussions with other members of its industry on how to minimize fraud, and has started re-verifying its customers' credentials to weed out potentially fraudulent applicants.

"We have already begun sharing our experiences, observations and ideas with several of the other major corporations in our industry, and we will seek to lead an industrywide initiative to develop, adopt and deploy new measures that will identify and halt identity theft and fraud," ChoicePoint said in the statement.

In addition, ChoicePoint offered support for a broader national debate that could include legislation to allow independent oversight and increased accountability of entities that handle data, increased penalties for the intentional misuse of personal information, and mandatory notification by government and business of any unauthorized access to personal data.

California as precedent?
The current atmosphere at a national level is similar to the state of affairs in California that led to the passage of the Security Breach Information Act (S.B. 1386)—the law that recently forced ChoicePoint to disclose the October breach.

In April 2002, a hacker gained access to the state's Stephen P. Teale Data Center, stealing the payroll information of California's more than 225,000 state employees, including legislators and their staff. The State Controller's office discovered the breach in early May, but didn't notify workers until May 25, leaving their financial identities open to misuse.

Within four months, a bill authored by former state Sen. Stephen Peace and then-Assemblyman Joseph Simitian had been signed by Gov. Gray Davis. The bill took effect on July 1, 2003.

Bank of America's recent admission that the company lost backup tapes with as many as 1.2 million records could have a similar scope as the Teale breach, even though there is no evidence so far that the financial data has been misused. The tapes contained information on the customers and accounts of the U.S. government's SmartPay credit card program, which has more than 2.1 million cardholders and annual transactions totaling more than $21 billion, according to the General Services Administration.

"There is a good chance we'll see some new regulations, especially because the Bank of America incident hits closer to home—their (lawmakers') information was included on the tapes that were lost," said Jordana Beebe, communications director for the Privacy Rights Clearinghouse, a nonprofit consumer group.

If the industry does not lock down people's data, whether by legislative mandate or by responding to customer concerns, business could suffer, said Chris Voice, chief technology officer at security company Entrust.

"It is becoming a matter of survival from a business perspective that if your customers lose trust, they will go to someone who will guard their information better," Voice said.