Identity Theft - Congress Weighs In
by Trevor Bauknight
Published on this site: April 20th, 2005

About fifteen minutes after I posted last week's article
("First ChoicePoint, Now Lexis-Nexis - Your Identity
Is For Sale" http://www.cafeid.com/art-newidtheft.shtml),
I logged out of my computer and walked into my living room
to relax. I sat down and turned on C-SPAN (what better way
to relax, right?) and there on my screen was an April 13 Senate
Judiciary Committee hearing on securing electronic personal
data. You may view the entire 2.5 hour proceeding at http://www.c-span.org
in the Video Archives section's Science & Technology category
under the heading "Senate Hearing on Electronic Identity
Theft" -- the real URL is too long to print. The work
of the privacy advocate is never done.

High-level representatives of Lexis-Nexis (Kurt Sanford,
President & CEO of U.S. Corporate & Federal Markets)
and ChoicePoint (Douglas Curling, President, COO and Director)
along with Deborah Platt Majoras, Chairman of the Federal
Trade Commission, representatives from the FBI, Secret Service
and the National Association of State Attorneys General and
privacy advocates James Dempsey, Executive Director of the
Center for Democracy & Technology and Robert Douglas,
CEO of PrivacyToday.com, testified before the Senate Judiciary
Committee in the early stages of preparing legislation dealing
with identity theft and notification.

Senator Patrick Leahy (D - Vermont), a staunch defender of
individual privacy rights and probably the Senate's most knowledgeable
member with regard to technological issues, expressed his
concerns in his opening statements: "Weaknesses in this
data industry can jeopardize our law enforcement and our homeland
security. Government contracts to provide critical data and
processing tools have to get it right. Our hearing today is
not about shutting down these data brokers or abandoning their
services. It's about shedding a little sunshine on current
practices and weaknesses. And, frankly in my estimation, these
are very, very sloppy, sloppy business practices by some of
these companies. And then also to establish a sound legal
framework to ensure that privacy, security and civil liberties
will not be pushed aside."

ChoicePoint and Lexis-Nexis have both been in the news in
recent weeks because of breakdowns in the human element protecting
the massive amounts of personal data about virtually every
American kept and sold by these companies. Unauthorized people
were able, through clever "social engineering,"
to obtain real ChoicePoint and Lexis-Nexis accounts that they
were then able to use on nearly 100 occasions to grab personal
data such as Social Security numbers, driver's license information,
addresses, etc. about hundreds of thousands of people
across the country. Both companies, because of a unique California
law, initially notified a small fraction of the people potentially
affected and later revised their numbers upward to a combined
total of nearly half a million. In addition, in the course
of the hearing, both Sanford and Douglas admitted that their
respective companies had experienced similar compromises prior
to the passage of the California law and did not issue any
such notification.

In light of the increasing scrutiny of these data merchants
following recent events, there was near unanimity about the
need for Federal regulation of the personal data industry.
Not surprisingly, both ChoicePoint and Lexis-Nexis seemed
willing to accept additional regulation of the industry they
dominate, though there was some minor grumbling about the
specific language of the various proposals and the difficulty
implementing them given the number of transactions. Data merchants,
however, are feeling the low heat of nascent public outrage
and finding themselves testifying before Congress. Indeed,
the revised estimate that some 300,000 Lexis-Nexis customers
had been affected was announced the day before the scheduled
Senate hearing.

The Committee posed hypothetical questions about potential
legislation preventing the use and sale of our Social Security
numbers for purposes other than those for which they were
originally intended, the extension of the provisions of the
Fair Credit Reporting Act to the personal data industry, the
creation of a "one-stop shop" similar to the FTC
website where consumers could get help getting their identities
back, disclosure laws for companies that plan to sell
personal data and the closing of the loophole that allows
government agencies to skirt compliance with existing privacy
laws and privacy impact assessments by buying or subscribing
to the same data through these data brokers.

Committee Chairman Arlen Specter (R - Pennsylvania) summarized
in his plain-spoken way: "I believe there will be some
firm Federal legislation coming out of this issue." These
are excellent steps in the right direction; but they remain
hypothetical at this point.

So What Is Happening?

Committee member Senator Dianne Feinstein (D - California)
has introduced legislation (Senate Bill S-751) patterned after
the California law that compelled ChoicePoint to notify a
subset of those whose personal data was compromised. S-751
would require written notification to customers if certain
categories of personal data are believed to have been compromised,
unless there is a written request from law enforcement pending
an investigation or a national security
issue involved. Most importantly, according to Feinstein,
the Bill establishes national standards so that consumers
across the country enjoy the same protections as Californians
when it comes to their personal data.

In addition, the Senate Bill goes beyond California law
in covering encrypted data as well as unencrypted data and non-electronic
data as well as electronic data, in allowing consumers to
place a 7-year fraud alert on their credit reports, in closing
the loophole allowing companies to use weaker notification
requirements where they exist and in providing for hefty fines
when there is a compromise. The Bill
lays out specific requirements for what must be included in
these notices, including a description of the data, a toll-free
number to learn what information and which individuals may
have been put at risk and the numbers and addresses of the
three major credit reporting companies.

What Should You Do?

Urge your Congressional delegation to support this and future
legislation regulating the personal data industry. This is
not a partisan issue, and the burdens on business that may
arise from such legislation are more than acceptable in light
of the sensitivity of the information being bought and sold
and the relative lack of concern the companies have shown
in past instances in which criminals have been able to access
their data.

You can keep up with Congressional activity in both houses
at the Thomas website (http://thomas.loc.gov/home/thomas.html)
and find out how to contact your representatives in Washington
by visiting the VoteSmart website (http://www.vote-smart.org)
and entering your nine-digit zip code in the top left corner.
(Find out your nine-digit zip code if you don't already know
it by entering your address at the USPS website (http://www.usps.com/zip4).)

The FTC's Majoras described the patchwork of current Federal laws
and regulations pertaining to the protection of personal data as
well as their work in helping consumers who have been the victims
of identity theft and those who wish to avoid becoming victims.
The FTC website (http://www.ftc.gov)
is an excellent place to start if you are among those groups. The
Center for Democracy & Technology also maintains an excellent
resource at its website (http://www.cdt.org).
Another excellent repository of valuable information is the Electronic
Privacy Information Center (http://www.epic.org);
and we do our best here at Cafe ID (http://www.cafeid.com)
to keep up with the fast-changing
nature of Online Identity and to keep our customers aware
of threats and solutions.

Zealously guard your Social Security number and don't give
it out, at least not in its entirety, to anyone who doesn't
need it. Keep track of all three of your credit reports at
the three major reporting companies. You will soon be able
to do this free of charge by visiting a single clearinghouse
website at
http://www.annualcreditreport.com
(not yet available for users in the East or South). Don't
respond to so-called "phishing" expeditions in your
e-mail, asking you to visit a website and enter personal information
(see
http://www.cafeid.com/art-phishing.shtml) because legitimate
companies won't make such a request. Make sure, when entering
sensitive data online, that you are doing so over a secure
connection. Look for the closed lock icon in your browser's
status bar.

Keep your passwords, PINs and other account information safely
locked away in a safe. They can be a lot to remember, but
it's worth the effort in the long run. I can't tell you how
many times I've seen people's username and password combination
scrawled on a Post-It note hanging on the front of their monitors.
That won't really work to secure important data onboard that
computer.

Most importantly, don't fall victim to social engineering.
The infamous computer genius Kevin Mitnick details the practice
in his groundbreaking book _The Art of Deception - Controlling
The Human Element Of Security_. Essentially, a trusted user
is conned by someone familiar enough with procedures, industry-specific
jargon, etc. into giving out a "lost password" or
some other vital piece of
data. The best security technology money can buy can't plug
this hole -- only those entrusted with the keys to the data
can. Implement policies and procedures for providing vital
information to specific individuals in specific ways and don't
vary from those policies under even the most innocent-sounding
circumstances. It's difficult to work this way, but it's necessary
when you are the only one standing between criminals and your
customers' personal data.

What Is At Stake?

Robert Douglas of PrivacyToday.com related the sad story of Amy
Boyer, who, in 1999, was fatally gunned down by an obsessed stalker
who was able to purchase her Social Security number, work address
and other information for only $154 from a company called DocuSearch
(still in business and recommended by Forbes Magazine as the #1
place to buy personal information, ahead of ChoicePoint). DocuSearch
specialized, according to testimony, in actually circumventing security
measures through social engineering and other methods in order to
obtain the information it sold. This is what can be at stake in
this debate -- personal information in the wrong hands can ultimately
be a life and death problem. At the very least it can mean, as Sen.
Leahy put it, "job refusals, or in many cases a life-consuming
cycle of watching their credit unravel and undoing the damage caused
by security breaches and identity theft."

Identity theft is a problem that isn't going away anytime
soon, no matter how many laws our government passes. We can't
police the world, and outsourcing the collection of personal
data is a growing problem in its own right. You must take
steps to protect yourself from identity theft at this point,
and be vigilant in observing your credit reports, online accounts,
etc. for abnormal activity. Go to
law enforcement if you think you may be a victim and watch this
space for developing information. The Internet is changing the world
at a rapid pace, and you simply can't afford to get left behind.

Trevor Bauknight is a web designer and writer with over
15 years of
experience on the Internet. He specializes in the creation
and maintenance of business and personal identity online and
can be reached at [email protected].
Stop by http://www.cafeid.com
for a free tryout of the revolutionary SiteBuildingSystem
and check out our Flash-based website and IMAP e-mail hosting
solutions, complete with live support.
