Harnessing Data Brokers
Gail Hillebrand, senior attorney for the Consumers Union, said the new legislation is also notable in that it covers all industries and all forms of data, both analog and digital. "Its got one rule for all breaches, so theres no special exemption for the banking industry or any other industry," she said. "Its got no special exemption for a company to decide, Its not important, we dont have to tell anybody about it, which is one idea that the industry has been floating around Capitol Hill," Hillebrand said. "[Plus,] it covers security breaches of data held in paper form as well as computerized form. After all, a file cabinet with employee personnel files is as rich a source as a database. It covers both." According to the senators news release, the new bill would require businesses or government agencies to notify individuals in writing or e-mail when personal informationsuch as a Social Security number, drivers license or state identification number, or credit card or bank account informationhas been compromised.The federal government wants private-sector security data. Click here to read more. At this point, Californias statute is the only existing state law to require that businesses inform consumers if their data has been compromised. Feinsteins bill would be the first to take that to a nationwide level. But privacy experts say notification is only part of the problem. The other side of the coin involves unregulated data brokers. "Theyre running around outside of the law," said Edmund Mierzwinski, consumer program director at USPIRG (U.S. Public Interest Research Group). "The FTC [Federal Trade Commission] was caught asleep at the switch by allowing them to create a business model outside the law in the 1990s. Now, the FTCs kicking it home to roost, where we have unregulated data brokers in the center of the storm." That storm grew in severity on Tuesday, as data broker LexisNexis revealed that personal information on 310,000 U.S. citizens may have been stolen, or nearly 10 times the number of citizens whose information was believed stolen when the company announced a data breach last month. According to Reuters, the companys parent, Reed Elsevier, determined that its database had been breached 59 times with stolen passwords, leading to possible theft of addresses and Social Security numbers. As reported by Reuters, LexisNexis plans to notify an additional 278,000 individuals who might be victims of identity theft. Of the 32,000 already notified in last months effort, only 2 percent asked the company to conduct an investigation into their credit records. In those records investigated, no identity theft was evident, LexisNexis officials told Reuters. The problem is that data brokers such as LexisNexis can sell to anyone, said EPICs Hoofnagle. "Weve been saying this a long time: The data brokers, their business model is one where they make more money by selling more and more details of personal information to more and more people. Theres really no upper limit to data collection." As it now stands, Mierzwinski said, data brokers such as LexisNexis sell products that are virtually identical to credit reports and which are often used for the same purposes as credit reports, yet which are exempt from many credit laws. To address this, USPIRG is supporting legislation proposed by Sen. Bill Nelson (D-Fla.) and Rep. Edward Markey (D-Mass.) to regulate data brokers. Check out eWEEK.coms for the latest database news, reviews and analysis.
The only exceptions allowable under the new bill would be upon written request by law enforcement for purposes of a criminal investigation or for national security, according to the release.