How Data Brokers Should Handle the
Privacy of Personal Information
Luai E Hasnawi
Agenda
Background
The Business of Information Sharing
ChoicePoint
The Case
The Fraud Story
Role of the Security Breach Information Act
FTC investigation
Lawsuits
ChoicePoint privacy policy before the breach
Agenda 2
Policy Changes after the data breach
ChoicePoint's online privacy policy
How federal and state governments have
reacted to the data breach
Recommendations
Background

What is Data Brokering?
It is a new industry based on gathering, processing and
selling personal information.

Where do they get their information from?
From three major categories (locally and nationwide):
1. Public records (records that are created and maintained by
government agencies and are open for public inspection, e.g. real estate records and marriage/divorce records*).
2. Publicly available information (information about an
individual from non-governmental sources that is available to the
general public, e.g. telephone directories and newspapers*).
3. Nonpublic information (information about an individual
obtained from a source that is privately owned and is not available
to the general public, e.g. addresses and SSNs*).
* Source: http://west.thomson.com/privacy/records.aspx
The Business of Information Sharing
“companies or government agencies
purchase from data brokers information
about an individual - including his or her
Social Security number - in order to
conduct background checks or verify
someone’s identity” *
Source: CRS Report for Congress, Data Brokers: Background
and Industry Overview, 2005
ChoicePoint
In 1997 ChoicePoint was separated from the
Equifax credit agency.
ChoicePoint has acquired 60
companies and hundreds of thousands of
customers.
ChoicePoint has 5,500 employees.
CP sells data to more than 50% of the
top 1,000 US companies and has the
largest background screening business.
ChoicePoint
CP supports critical tasks such as:
Employee screening
Homeland security
Mortgage processing
Commercial insurance
CP has more than 19 billion public records.
The Case
On 14 February 2005, MSNBC reported
unauthorized access to ChoicePoint's
database.
Up to 35,000 Californians might have
been affected.
Within a week, the breach was found to have affected
consumers nationwide.
By the end of 2005, CP had notified 163,000
victims whose records had been fraudulently
accessed.
The Fraud Story
The fraud against CP started in 2003.
The fraudster acquired fake business licenses to pose
as check-cashing companies and debt-collection firms.
The business licenses were obtained using stolen
identities.
Applications and business licenses were faxed to CP to
obtain access accounts.
CP ran its routine background check, which came back clear.
The fraudster set up 50 accounts using the above
procedure and received a username and password every
time.
The Fraud Story (cont.)
17,000 searches were performed in the CP database.
Criminal investigators discovered more than 800 cases of identity
theft.
The breaches cost $27.3M in legal fees, victim
notification and audits in 2005 alone.
Role of the Security Breach
Information Act
California state law requires any
organization to disclose data breaches
to California residents when there has been
unauthorized access to their unencrypted
personal information.
CP admitted that if this law did not
exist, no one would ever have known about
the breach.
FTC investigation
The US Federal Trade Commission (FTC)
concluded its investigation in 2006 by
announcing a landmark US$15M settlement: a $10M civil
penalty and a $5M fund to compensate identity
theft victims.
The FTC claimed that CP violated the terms of the
Fair Credit Reporting Act (FCRA) when it
shared personal credit data with unauthorized
users, and misled customers in its privacy
statement by claiming that its database was
secure.
Lawsuits
Goldberg v. CP: filed within a week after the
breach became public. The claim was that CP was
fraudulent and negligent in its handling of the
breach and employed unfair business
practices.
Salladay v. CP: filed within a month after the
public disclosure. The claim was that CP violated the
FCRA and various privacy rights.
Most of the lawsuits failed because they alleged the
defendant's negligence without showing
an actual occurrence of identity theft.
ChoicePoint privacy policy
before the breach
All potential customers were required to
establish their identity and reasons for seeking
access.
This could be done by mail or fax.
CP checked the identity of the requester.
Once a new customer was verified, a username
and password were sent to the customer to access
the database.
Customers' search and login history was
not archived.
No supervision was held over any access.
Policy Changes after the
data breach
Closed 50 suspicious accounts.
Stopped accepting business licenses by fax
and mail.
Nongovernmental and private businesses must
appear in person to establish accounts.
Personal information would be sold only under
new conditions, which are:
Governmental requests
Consumer-based transactions (e.g. home address
verification).
Policy Changes after the
data breach (cont.)
Masking part of SSN and driver's license numbers.
Small-business customers were cut off from the
DB.
Private investigators, check-cashing and debt-collection
businesses were cut off from the DB.
CP created an "Office of Credentialing,
Compliance and Privacy" to monitor
activities and report to its board of directors.
For example: on-site visits, establishing policies for
compliance with privacy laws and regulations, and
improving screening.
Policy Changes after the
data breach (cont.)
Offered victims one year of free credit-monitoring service.
CP brought in outside help to evaluate its
business privacy practices.
CP hired Ernst & Young to review and
improve the company's practices.
ChoicePoint's online privacy
policies
CP used a web-based Privacy Goal
Management Tool (PGMT) to evaluate
its online privacy policy, and the results
were:
19 vulnerabilities.
34 privacy protection goals.
The overall evaluation found that the policy failed to provide
consumers with information on how CP will
manage and safeguard data that is collected and
sold both online and offline.
How federal and state governments
have reacted to the data breach
Legal Landscape
In 2005, only the State of California required
notification to consumers in the event of
unauthorized access to personal information.
By September 2006, 33 additional states
had passed similar regulation.
How federal and state governments
have reacted to the data breach (cont.)
Consumer rights and responsibilities.
Generally, consumers are excluded from every
aspect of data brokers' operations, leaving them little access
to or control over their own personal information.
Since data brokers do not interact with individual
consumers, there is no way for a consumer to
prevent any kind of data breach.
Research shows a high error rate in CP records
on individuals: 1 error in every 11 records.
As a result, CP announced plans to give individuals
access to view their own personal information. However,
since then, this service is still not available.
How federal and state governments
have reacted to the data breach (cont.)
Consumer responsibilities to minimize the
risk:
Check credit reports regularly for any unauthorized
activity.
Consumers must be diligent in attempting to opt out of
any undesired sharing of personal information.
Consumers can contact each company with which they
have a relationship to request opting out of information
transfer.
By allowing consumers to access their information:
This will strengthen consumers' goodwill and trust in their
operations.
Provide consumers a low-cost means of eliminating
Recommendations
Have a plan to deal with breaches.
Companies handling sensitive data must recognize
the risk and plan accordingly.
Any strategy should include a plan for notifying the
public in the case of such a data breach.
Provide accurate notification.
Many companies have realized the need to promptly
alert the public to data breaches before the news
media can break the story.
Companies that fully disclose a verified data breach
and announce the changes being made to
address the problems will soften the blow and likely
maintain public trust in their operations.
Recommendations
Verify customers' identities to preserve
privacy.
"you need to be confident that a business is
legitimate and protect your company's assets and
reputation"
Perform regular security audits.
By performing such regular audits, companies
would both fortify themselves against data
breaches and provably maintain commercially
reasonable security levels, which is the FTC's
standard for negligence in data breaches.
Maintain an audit trail.
Data brokers should log all access to their
Recommendations
Store personal information in encrypted form.
Encryption of sensitive data minimizes the risk to
that data if identity thieves acquire it.
Express the company's overall privacy practices
clearly.
Make clear to both consumers and customers how it
will store and protect sensitive information, and
enumerate the rights that consumers have to protect
the privacy of that information.
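As an added illustration of the "maintain an audit trail" and SSN-masking recommendations (not part of the original slides), the Python below keeps a masked access log and flags the pattern from the fraud story: freshly credentialed accounts running large numbers of record searches with no one reviewing them. Account names, dates and thresholds are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class AccessRecord:
    """One line of the audit trail: who searched, when, and for whom (masked)."""
    account: str           # customer account that ran the search
    account_created: date  # when that account was credentialed
    searched_on: date
    subject_ssn: str       # stored masked, never in full

def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits so the log is not itself a source of SSNs."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]

def record_search(log, account, account_created, searched_on, subject_ssn):
    """Append one audit entry; the SSN is masked before it is written."""
    log.append(AccessRecord(account, account_created, searched_on, mask_ssn(subject_ssn)))

def flag_new_high_volume(log, max_age_days=30, max_searches=50):
    """Accounts credentialed within max_age_days of their searches that ran more
    than max_searches lookups: the pattern a reviewer should inspect first."""
    counts = defaultdict(int)
    youngest_age = {}
    for r in log:
        counts[r.account] += 1
        age = (r.searched_on - r.account_created).days
        youngest_age[r.account] = min(youngest_age.get(r.account, age), age)
    return sorted(a for a, n in counts.items()
                  if n > max_searches and youngest_age[a] <= max_age_days)

def build_sample_log():
    """Constructed data: a long-standing insurer account with light use and an
    account credentialed two weeks earlier that runs hundreds of searches."""
    log = []
    for i in range(5):
        record_search(log, "insurer-0417", date(2001, 3, 1), date(2004, 11, 2),
                      f"123-45-{6000 + i:04d}")
    for i in range(340):
        record_search(log, "checkcash-9981", date(2004, 10, 15), date(2004, 11, 2),
                      f"987-65-{i:04d}")
    return log
```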
Thank you