By Stephen H. Wildstrom

Americans seem to be concerned, but not outraged, by news in recent weeks that two big data collectors sold detailed personal information on nearly 500,000 people to buyers who had absolutely no business getting it. Maybe this is because we've become inured to the supposed inevitability of our personal data being available to anyone who looks hard enough.
But it's time for some outrage -- and long past time for the legal system to hold the people who assemble this information without our knowledge or consent accountable for what happens to it.
Given the current state of nonregulation of this industry, it's something of a wonder that we even know of the breaches. That we do is only because the California legislature passed a law in 2003 requiring companies to notify affected individuals of security compromises in computerized databases.
BOGUS BUYERS. Because they were required to notify California residents, data collectors ChoicePoint (CPS) and LexisNexis, a unit of Reed Elsevier (ENL), found it hard to hide the fact that they had improperly given out data on 145,000 and 310,000 individuals, respectively.
Executives for LexisNexis and ChoicePoint told Congress during hearings held by the Senate Judiciary Committee on Apr. 13-14 that they would support a national disclosure law as long as it prevented individual states from imposing even tougher requirements. They also apologized for the difficulties the breaches may have caused consumers.
In considering what to do to protect this data, it's important to understand exactly what happened in these cases. There was no hacker attack and no breach of the technical security of databases, though both factors have figured in other data losses. ChoicePoint and LexisNexis are supposed to sell the data they collect only to qualified businesses or government agencies, but it turns out that they did a terrible job of assessing their customers' qualifications.
RESTRICTED ACCESS. It's more than a little ironic that these companies, which see part of their mission as protecting people from identity theft, were fooled by thieves who helped themselves to the identities of real customers or set up accounts on behalf of nonexistent businesses. These data custodians lacked the wherewithal to tell the phony customers from real ones!
Since the problem isn't really technical, the solution won't be found in tech measures, though technology, such as stronger authentication before a customer can get data, certainly can help (see BW, 3/14/05, "New Weapons to Stop Identity Thieves"). The real issue is one of management and business practices. "We are seeing a connection between your business and your brand on the one hand, and security and governance on the other," says F. William Conner, CEO of Entrust (ENTU), a maker of information security systems in Addison, Tex.
ChoicePoint's response to the massive data loss suggests that embarrassment alone isn't going to make the custodians of personal data do the right thing. The company is restricting certain types of data sales to protect the most sensitive information. It's offering individuals whose data was lost a year's worth of free credit reports from Experian, one of the three national credit-reporting companies, and to send alerts to the credit bureaus. It will also donate $1 million over four years to the nonprofit Identity Theft Resource Center.
LexisNexis is making a similar offer for free credit reports to affected consumers through credit-reporting bureau Equifax. And it has also arranged for a fraud specialist to work one-on-one with consumers who may have been affected.
FIRST STEP. Of course, the victims of these losses aren't the data brokers' customers, nor do the victims have any say in whether their data can be collected or not. So it doesn't matter whether they find this halfhearted goodwill gesture satisfactory or not.
A real remedy requires much stronger stuff, both to make whole those whose data fall into the wrong hands and, much more important, to force companies to take the steps needed to protect the information. The sort of notification required by California is a necessary first step, and any federal requirement should be at least as tough as what California already has on the books. More, however, is needed.
At a time when the Bush Administration and the Republican majority in Congress have put tort reform high on their agenda, talking about new tort rights is distinctly unfashionable in Washington. But creating liability for companies that fail to take proper care of the data entrusted to them is probably the most efficient way to get businesses to do the right thing.
SEE YOU IN COURT? Companies possessing personal data should be required to take all reasonable steps to protect it along the lines already in place for financial data under the Sarbanes-Oxley Act and for medical records under the Health Insurance Portability & Accountability Act. Individuals whose information is lost because a custodian has failed to protect the data adequately should have the right to bring individual suits or class actions for damages.
Tort suits, especially class actions, are a blunt instrument for enforcing good behavior, and they can be abused. But liability is a language that business understands, and monetary disincentives are something corporations respond to. And cumbersome as the court system is, it can be faster and more effective than government civil penalties (criminal sanctions should be reserved for the most egregious cases). This is by no means a magic bullet, but would at least create a monetary incentive, where none now exists, for data companies to be careful.
The incidents of wrongfully obtained data from ChoicePoint and LexisNexis are only the most prominent in what's increasingly a mass assault on the privacy and security of our information. Clearly some government action is needed, mainly to give law enforcement better tools to prosecute obvious cybercrimes such as phishing.
CYBER STREET SMARTS. "We don't want legislation about every specific problem," says Arthur W. Coviello, CEO of RSA Security (RSAS), who was one of a group of tech-security CEOs in Washington, D.C. as part of a Cyber Security Industry Alliance lobbying campaign. "We want a comprehensive approach."
A top item on the agenda: Elevating the top cyber-security position at the Homeland Security Dept. -- a post currently vacant, as it has been through much of DHS's existence -- to the Assistant Secretary level.
Still, government can do only so much. Attacking the broad problem successfully will require action by both business and consumers. "We know how to behave in the physical world. For example, we know not to walk down certain streets at night," says John Thompson, CEO of Symantec (SYMC). "We don't have a clue how to behave in the cyber world. We need businesses to take a higher level of care. But we also need to bring public knowledge of the digital world to a much higher level."

Wildstrom is Technology & You columnist for BusinessWeek. You can contact him at email@example.com