Wednesday, March 09, 2005

Recent Information Security Breaches Raise Privacy Concerns

CDT POLICY POST Volume 11, Number 6, March 8, 2005

A Briefing On Public Policy Issues Affecting Civil Liberties Online
from The Center For Democracy and Technology

Recent Information Security Breaches Raise Privacy Concerns

(1) Recent Information Security Breaches Raise Privacy Concerns
(2) Congress Considers Range Of Policy Responses
(3) The Overlooked Issue - Government Access and Use
(4) Congressional Hearings Planned
(5) O'Harrow Book Maps Data Landscape

---------------------------
(1) Recent Information Security Breaches Raise Privacy Concerns

Recent stories about security breaches at ChoicePoint and Bank of
America Corp. and about the accessibility of Social Security Numbers
through WestLaw have renewed concerns regarding the privacy of
personal information, producing a flurry of calls for investigations
and legislation at the state and federal level.

Discerning the appropriate policy response requires parsing the
issues involved, including computer security, the privacy issues
associated with data aggregation and sale, and the crime of identity
theft. Perhaps one of the most important issues is in the background
of recent stories: Under what circumstances and for what purposes
does the government access the growing amount of data compiled by
commercial entities?

The issues go well beyond any of the specific companies involved, but
here are the basic facts: Last month, ChoicePoint announced that
thieves posing as legitimate businesses had purchased access to its
vast database of more than 19 billion public records. ChoicePoint, an
information broker that aggregates and sells personal information to
private companies, law enforcement agencies and the US government,
possesses personal information about virtually every US citizen.
ChoicePoint's security breach affected approximately 145,000 people.
California law requires information brokers like ChoicePoint to
notify California citizens whose personal information has been
stolen. No other state has such a law, but ChoicePoint ultimately
notified all those whose data had been fraudulently purchased and
offered them free credit watch services for one year.

Also last month, Bank of America announced that, in December 2004,
someone stole backup tapes of customer data that it was shipping by
commercial aircraft. These backup tapes contained the Social Security
Numbers and other personal financial information of as many as 1.2
million federal employees, including some members of Congress,
rendering these individuals vulnerable to identity theft.

In the wake of these stories, Sen. Charles Schumer (D-NY) publicly
criticized WestLaw for what he called "egregious loopholes" in its
data services that allow subscribers to obtain Social Security
numbers and other personally identifiable information. WestLaw
responded that it has strict policies that limit access to sensitive
personal information and that such information is not available to
the general public.


---------------------------
(2) Congress Considers Range Of Policy Responses

Lawmakers are exploring a range of policy responses to the issues
posed by these recent breaches and to the broader issues associated
with the dramatic expansion over the past decade of the marketplace
for personally identifiable information. Among the ideas being
discussed:


- Federal Security Breach Notification: US Senator Dianne Feinstein
(D-CA) has introduced legislation (S. 115), modeled on the California
disclosure law, that would require data brokers and other holders of
sensitive personal information to notify people whose personal
information might have been stolen. [Senator Patrick Leahy (D-VT) has
drafted similar legislation that requires notice of security breaches
and improper access to, or misuse of, personally identifiable
information.] Senator Jon Corzine (D-NJ) is planning to reintroduce
legislation that would require financial institutions to notify
customers, law enforcement agencies and credit agencies in the event
of a security breach that puts customers' data at risk.

Notice aids consumers by allowing them to take protective action when
their data has been compromised and seems to be a step that some in
the information industry would embrace. However, while such
legislation would be helpful in mitigating the damage and might prod
companies to improve security proactively, it would not directly
prevent the theft of personal information nor would it address the
issues associated with government's growing use of commercial data
post 9/11.

- Tighter Controls on Use, and Stiffer Penalties for Misuse, of
Social Security Numbers: The Social Security Number (SSN) has become
a de facto national identifier, serving as the key that unlocks many
corporate and governmental databases. Accordingly, it is a major
facilitator of identity theft. Sen. Feinstein has introduced
legislation (S. 29 and S. 116) that would restrict the display, sale
and purchase of SSNs without consent, limit the circumstances under
which commercial entities could require individuals to provide their
SSNs, and prohibit the use of the numbers on drivers' licenses. Rep.
Ed Markey (D-MA) also has introduced legislation that would make it a
crime to sell or purchase Social Security Numbers. And Rep. Rodney
Frelinghuysen (R-NJ) has introduced similar legislation that
prohibits "interactive computer services," like WestLaw, from
disclosing SSNs to third parties without written consent.

Skeptics worry that such legislation would not be enacted without
numerous exceptions. Moreover, given the ubiquity of Social Security
Numbers in the public domain, criminals could still acquire them from
other sources. Finally, tighter controls on Social Security Numbers
would not prevent identity thieves from acquiring and using other
personal identifiers to perpetrate fraud.

- Extend Fair Credit Reporting Act Concepts to Data Brokers: The
Fair Credit Reporting Act (FCRA) is one of the most important privacy
laws on the books, affording consumers the right to access and
challenge their credit reports and requiring credit reporting
agencies to maintain accurate data. The FCRA is complicated and
always highly contested, so there is little taste for extending the
Act itself to data brokers.

However, Senator Bill Nelson (D-FL) and Congressman Markey have
introduced the Information Protection and Security Act, which would
regulate "information brokers" under a legal framework akin to the
Fair Credit Reporting Act. This bill would subject information
brokers like ChoicePoint to federal regulation by the Federal Trade
Commission (FTC). The FTC would be required to issue new fair
information practice rules that would do the following: (1) require
information brokers to develop procedures to guarantee maximum
possible accuracy of their data, prevent and detect fraudulent,
unlawful or unauthorized use or disclosure of personally identifiable
information and mitigate potential harm to individuals from threats
to privacy and security; (2) allow individuals to access information
about themselves held by data brokers and the identity of each entity
that purchased their personally identifiable information; and (3)
require information brokers to authenticate users before allowing
access to their databases.

- Requiring Data Brokers to Formally Address Security: Pursuant to
the Gramm-Leach-Bliley Act (GLB) financial institutions are already
under information security requirements, and the Health Insurance
Portability and Protection Act (HIPPA) imposes similar requirements
on health care companies. Data brokers similarly could be required to
conduct risk assessments, develop and implement security plans, and
regularly audit their security procedures. Requiring data brokers to
develop and implement security procedures, however, would not limit
the sale of personal data to commercial entities.

- Holding Data Brokers Liable for Security Breaches: Most if not all
of the proposed federal bills contain liability provisions that would
give the FTC and/or the Attorney General enforcement power to bring
actions against violators, and some bills give consumers private
rights of action. A California woman whose personal information was
purchased from ChoicePoint by the fraud artists has filed suit
against ChoicePoint in Los Angeles Superior Court alleging fraud and
negligence. There is, however, no established standard of care for
information security at this time.

- Imposing a "Know Your Customer" Requirement on Data Brokers: Data
brokers are in the best position to verify the identity of their
customers and they could be prohibited from selling information to
customers whom they are unable to verify. The bill proposed by Sen.
Nelson and Rep. Markey requires information brokers to authenticate
purchasers of their data before granting them access. It is unclear,
however, what risk factors data brokers would use to assess potential
customers.

Some solutions pose their own risks to privacy. In the area of
identity fraud, some approaches may require more personal information
to be collected and more authentication to be demanded to prevent
unauthorized access and establishing identity of users.

CDT will track progress of relevant federal bills at its legislative
page: http://www.cdt.org/legislation/109/3


---------------------------
(3) The Overlooked Issue - Government Access and Use

Even before September 11, the federal government was developing and
implementing new ways to use commercially aggregated data. Since
2001, this process has accelerated. The new data environment has two
defining features: the depth and breadth of personally identifiable
information available in commercial databases, and the capacity to
analyze such data and draw from it patterns, inferences, and
knowledge.

This area should not be ignored. By and large, the rules for the
government's use of databases for counterterrorism purposes are
fragmentary and unresponsive to the new kinds of screening
applications that are being developed. The Privacy Act does not apply
when the government subscribes to a commercial database and federal
privacy laws for financial and medical records have broad exemptions
for national security. Consequently, there is no framework addressing
key questions: When should the government access commercial
databases? How will the government use "knowledge" generated by
computerized analysis of data? Could the analysis trigger a criminal
or intelligence investigation? Will it be used for screening
purposes-to trigger a more intensive search of someone seeking to
board an airplane, to keep a person off an airplane, to deny a person
access to a government building, to deny a person a job? What rights
does an individual have in these contexts?

In December 2004, Congress adopted and the President signed the
Intelligence Reform and Terrorism Prevention Act of 2004. Section
1016 of the Act requires the President to create an "information
sharing environment" for the sharing of terrorism information among
all appropriate Federal, State, local, and tribal entities, and the
private sector. The ISE, as the information sharing environment is
known, is supposed to incorporates protections for individuals'
privacy and civil liberties and strong mechanisms to enhance
accountability and facilitate oversight, including audits,
authentication, and access controls, but so far, those procedures are
unwritten.

The Markle Foundation Task Force on National Security in the
Information Age and the Defense Secretary's Technology and Privacy
Advisory Committee (TAPAC) recommended some standards, including
senior level and sometimes judicial approval for access, permission
controls on sharing, auditing, and redress.

CDT has compiled two charts outlining the patchwork of laws governing
commercial data, one focusing on commercial use and one on
governmental uses: http://www.cdt.org/security/guidelines/

For further information:

- James X. Dempsey and Lara M. Flint, Commercial Data and National
Security, The George Washington Law Review (August 2004):
http://www.cdt.org/publications/200408dempseyflint.pdf

- Markle Task Force on National Security in the Information Age:
http://www.markletaskforce.org/


---------------------------
(4) Congressional Hearings Planned

Members of Congress have responded to the recent spate of security
breaches by preparing for hearings on the subject of data privacy.
The first will be March 10, before the Senate Banking Committee,
chaired by Senator Richard Shelby (R-AL). Senate Judiciary Committee
Chairman Arlen Specter (R-PA) has announced his intention to also
hold hearings on the issue. Congressman Joe Barton (R-TX), Chairman
of the House Energy and Commerce Committee, has asked his staff on
the to examine the issue of data storage and privacy. In addition,
several members of Congress are planning to ask the Government
Accountability Office to investigate the US government's contracts
with data brokers.


---------------------------
(5) O'Harrow Book Maps Data Landscape

In "No Place to Hide" (Free Press 2005), Washington Post reporter
Robert O'Harrow, Jr., lays out in extensive detail the post-9/11
marriage of private data companies and government anti-terror
initiatives. Drawing on years of investigation, O'Harrow shows how
the government is using private databases to promote homeland
security and fight the war on terror.

O'Harrow builds his book with stories of key players in this new
world, from software inventors to counterintelligence officials.
While O'Harrow offers few policy recommendations, his book is a
indispensable introduction to the new world of high-tech data
collection and analysis. "More than ever before," O'Harrow concludes,
"the details of our lives are no longer our own. They belong to the
companies that collect them, and the government agencies that buy or
demand them in the name of keeping us safe." He quotes Viet Dinh,
often credited as the author of the PATRIOT Act: "The leap in
technology has not been met with a proportionate response in terms of
how we think of this technology. We need to think more creatively.'"

------------------------------
Detailed information about online civil liberties issues may be
found at http://www.cdt.org/.