ChoicePoint: . . . And Into the Fire
My last column began an examination of the privacy crisis brought about when it was revealed that an apparent identity-theft ring fraudulently obtained access to ChoicePoint databases. Partly because ChoicePoint handled the crisis so badly, the incident generated enormous publicity, and that produced the inevitable political responses.
One interesting aspect of the story is that ChoicePoint did a poor job screening its own customers. The criminals used fake documentation to open accounts by claiming to be businesses seeking information about potential employees and customers. Whatever happened, the screening done by ChoicePoint didn't work.
The real problem is that screening is what ChoicePoint promises to do for its clients. In his recent book, "No Place to Hide," author and reporter Robert O'Harrow described the company's business as assessing the background of virtually anybody. The company's databases supposedly let it determine whether someone is entitled to a job, access, the right to vote or some other activity.
The incident highlights fundamental problems with the screening model. It remains far from clear that the databases are demonstrably useful for the purposes for which they are touted. Regardless, part of screening's appeal is to let a company say that it did what it could. In effect, ChoicePoint's customers are buying a defense to a lawsuit. They can argue that they diligently investigated backgrounds of clients and employees.
So how valuable is that defense if the screening company cannot screen its own customers effectively? We don't know what ChoicePoint did to screen its customers. It may be enough that it failed in this case. Imagine an employer that defends its hiring practices in a lawsuit by saying it relied on ChoicePoint's screening services. The plaintiff will proceed to put ChoicePoint on trial, asking how anyone can reasonably rely on its services given the company's own failures.
Data brokers have always defended the industry by arguing that it screens customers carefully so that only legitimate companies are allowed to use personal data for proper purposes. I never believed that you could trust all of these companies to turn down business. Anyone willing to pay for information likely will find a way to get it eventually.
In response to the crisis, ChoicePoint is changing business practices, restricting some sales of consumer information and intensifying internal controls. In effect, however, the company seems to be confirming that it can't reliably determine whether customers are legitimate. Why else would it decline to sell some services? ChoicePoint's decision to forgo millions in revenue and profit only underscores the lesson that screening does not work.
Let's look at the bigger picture. For a long time, credit bureaus were the main personal information brokers. Congress decided long ago that regulation was essential. Over three decades, Congress tightened the Fair Credit Reporting Act to give data subjects more rights and protections against the problems inherent in massive centralized databases.
In the past 10 years, policy wonks increasingly have realized that the unregulated part of the information industry now duplicates the problems that led to the FCRA in the first place. The Internet makes all of these problems worse. Privacy advocates despaired of getting the problem on the national agenda.
Now ChoicePoint has accomplished what the advocates could not. Congressmen are falling all over themselves to hold hearings and introduce bills. The politicians will rant for a while until they accomplish something.
But it isn't easy to write legislation because it's hard to decide who will be regulated. There is no clear definition of a personal information broker. Many businesses maintain and sell personal data about consumers. Consider the white pages of the telephone book, an encyclopedia, a newspaper or a plain vanilla mailing list. What do we do with an Internet search service that lets anyone retrieve personal information? Who should fall within the regulatory environment?
I have half an answer. Forget regulations. The federal government is a major customer for databases. Instead of trying to regulate the world, the feds should set standards for their own vendors. The government should refuse to do business with any personal information seller that does not maintain privacy practices consistent with fair information practices. The policy would not apply to products or services sold to the public. That neatly exempts newspapers, books and other troublesome services.
I said that I had half an answer because I know that this scheme would not be so easy in practice. Many details would need to be resolved, and it wouldn't be easy. Yet it would be possible given enough political will, and it would be easier than general regulations.
A federal security breach notice law is much more likely in the near term than data broker regulatory legislation. If Congress doesn't act, the states surely will. Industry will have to support a federal solution to head off state action.
An awful lot of privacy legislation originated with a horror story. Incidents involving Robert Bork (Video Privacy Protection Act) and Rebecca Schaeffer (Driver's Privacy Protection Act) led to legislation. It's ChoicePoint's turn.