Sunday, July 03, 2005

Privacy and the database industry

Information Today, May 2005 v22 i5 p17(2)
George H. Pike Full Text: COPYRIGHT 2005 Information Today, Inc.It has been a difficult couple of months for many of the data broker industry's heavyweights. In mid-February, ChoicePoint reported that credit reports and other data for more than 140,000 people were provided to criminals posing as legitimate businesses. Later that month, Sen. Charles Schumer, D-N.Y., chastised Westlaw for the ease in which sensitive records can be attained through "egregious loopholes" in its database access policies. Finally, LexisNexis reported that "potentially fraudulent access" may have compromised the records of 32,000 individuals.
These incidents have led to calls for increased regulation of data brokers and other consumer information companies, as well as to questions about privacy and the information that these brokers hold. Social Security numbers (SSNs) are of particular concern, since they are often the base on which identity fraud is built. But what about other information such as names, addresses, and phone numbers? Or more detailed information such as birth date, employer, income, marital status, and home value? Or potentially harmful or embarrassing information such as credit reports, criminal records, bankruptcies, or lawsuits? How does the law cover the creation and distribution of these records?
Privacy Is Not Absolute
Privacy is a complicated area of the law. The Constitution does not identify a specific right of privacy. The privacy rights that we enjoy are implied from a variety of sources and include the right to life and liberty, freedom from warrantless searches, and even the rarely mentioned 3rd Amendment right to not have soldiers "quartered in any house." Courts have also made it clear that privacy of personal information is not absolute. There are few facts about ourselves that are not divulged at one time or another. The more such facts are divulged in the normal course of life, the less privacy protection they receive.
Social Security numbers are especially problematic, since they can be used to forge new and illicit identities. There are contrasting popular views regarding the use of SSNs. One view is that they are only to be used for income tax and Social Security purposes. Another view perceives that they are national identification numbers, available for use by both public and private entities.
Social Security Numbers
The law, of course, lies in the middle. Social Security numbers are controlled by a number of federal statutes that dictate what they can be used for and under what circumstances they can be disclosed. Many government benefit programs require SSNs to determine eligibility. Obtaining a commercial driver's license requires an SSN, and people who pay child support are required to submit them in order to create tracking databases. Similar federal laws allow states to require SSNs on state documents such as professional and marriage licenses, vital statistics documents, and court filings. IRS regulations require private companies to obtain SSNs for any person receiving taxable income--such as wages, dividends, interest, or similar payments.
Many private companies, particularly financial companies, healthcare organizations, and insurers, use SSNs to verify identity. While laws exist that restrict how such companies can distribute SSNs, those laws do not necessarily regulate the right of the company to request an SSN. As a result, it has become common practice to require an SSN in order to obtain credit, participate in an HMO, or obtain insurance. The law, however, may not require the use of SSNs for these purposes.
A Variety of Data Sources
Several federal laws restrict access to SSNs and related personal information. Generally, these acts--which include the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act (affecting financial institutions), and the Health Insurance Portability and Accountability Act--limit distribution to defined purposes or only those with specific consent. In addition, several states have additional laws restricting the display or use of SSNs. A California law requiring notification of leaked personal information is credited with compelling ChoicePoint to publicly acknowledge its stolen credit reports. Data brokers are required to comply with these laws for the information that they have in their files.
Data companies receive information from a number of sources. Newspapers, telephone directories, business and product registries, and other published resources provide some data. Other data is obtained from government sources such as property and court records, licensing bureaus, corporate filings, and deed and will registers. More restrictive sources of data are vital statistics registries, motor vehicle and drivers licensing bureaus, and criminal records. These sources have limited public availability, and how they are obtained and used may be restricted. Credit, tax, and financial records are generally nonpublic information, regardless of whether the source is government or nongovernment. Data brokers obtain such information by license from the original data gatherer and are subject to the same legal restrictions as the data source.
Practical Obscurity
Back in the old days, this information was cumbersome to obtain and gather. The searcher needed to go to courthouses, vital records bureaus, and secretaries of state and sort through city-by-city telephone directories and the like. There was an inherent privacy in these records that arose from what the courts called "practical obscurity," i.e., due to the sheer difficulty of creating a meaningful database, records were open but often in limited formats and locations. The age of computer filing reduced this difficulty by allowing for compiled databases. Networking allowing those databases to be shared reduced the difficulty further. Searching through multiple databases allowed multiple points of data to be collected about individuals with ease. Finally, the availability of these databases over the Internet--whether on public or proprietary platforms--opened these files to a global audience of both legitimate and illicit users.
There is value in having a database industry that can put collections of information together. Employers needing background checks, consumers applying for mortgages, and law enforcement agencies investigating crime all benefit from access to personal data. But that value comes at a price of increasing identity theft and a loss of privacy. Congressional hearings held in the wake of the Choice-Point and LexisNexis problems may result in additional restrictions on the use of sensitive personal information, particularly its use by data brokers. The data broker industry is still relatively young and is going through some growing pains. But the industry carries a great responsibility to millions and needs to demonstrate a continuing commitment to enhancing security and privacy. If it doesn't, the law will impose one.
George H. Pike is director of the Barco Law Library and assistant professor of Law at the University of Pittsburgh School of Law. His e-mail address is pike@law


Post a Comment

<< Home