Terrorism, Profiling and the FCRA
The same thing may be about to happen again, only with a newer segment of the information industry. Because of increased security and vigilance resulting from concerns about terrorism, the government and others are making or considering greater use of private sector profiling services.
ChoicePoint offers a good example. Its sale of information services to the FBI and other government agencies has received considerable publicity. Acxiom is another player. Shortly after Sept. 11, it announced that it was developing information verification to help airlines validate information from passengers.
These are the services offered by what used to be called the Information References Service Group.
The IRSG is disbanding, if it hasn't already disbanded. The stated reason is that it doesn't make sense to have a self-regulatory program because credit header information is now regulated under the Gramm-Leach-Bliley Act. I don't understand. The IRSG companies are, for the most part, not subject to GLB, and much of the information that they maintain remains unregulated. Last time I looked, only one Web site of an IRSG member mentions GLB at all.
The IRSG's death comes as the information services offered by member companies are being used increasingly by government and others to make major, substantive decisions about individuals. The industry's refusal to continue the minimal self-regulation represented by the IRSG shows an essential weakness of self-regulation. It can disappear at any time. In any event, self-regulation can't bring immunity, and that is what the new information industry desperately needs.
Years ago, it was possible to distinguish between marketing databases and other types of consumer information. Credit reporting was the most important source of consumer data, and that is why it was the first to be regulated. But the consumer information industry has evolved in the past two decades. It has become harder to distinguish between the various components. Once a company builds a profile about an individual, the profile can be used in many ways.
Information companies avoid credit reporting like the plague, lest they subject themselves to the FCRA. Credit header information, which long ago slipped out from under the FCRA net, has been pulled back in part because of the privacy regulation of financial institutions brought about by GLB. Everything else remains unregulated, though recent case law seems to be drifting toward expanded FCRA coverage. The reason is greater use of unregulated services for substantive activities.
Expanded use of unregulated databases will increase the pressure. For example, the IRSG companies refused to correct information. The companies insisted on the right to willfully and knowingly disseminate false public record information. Partly because of that refusal, and partly because of the limited quality of some information in their databases, bad data increasingly could be used to make real-time decisions.
Using a poor quality database to make marketing decisions has limited consequences. However, using that database to deny someone access to an airplane, hotel room, rental car or other elements of travel could be devastating. Imagine you are flying to a conference with your boss, but the airline rejects your identification based on a secret database that you can't see or correct. You will have no choice but to turn around and go home. Fixing the problem for next time could take months, if it is even possible. Consumers have few rights outside the credit reporting arena. It is only a matter of time before the horror stories emerge.
One solution is to expand the application of the FCRA to all companies that traffic in personal information. It might be possible to regulate a narrower segment of the industry, but only if it is possible to distinguish one activity from another. I am skeptical about that, but I need more facts before deciding.
The industry will hate the idea of being subject to the FCRA - until they start getting sued. Then they will realize that qualified immunity from lawsuits comes with the FCRA. Under the law, a credit bureau cannot be held liable for distributing false information unless the information was furnished with malice or willful intent to injure.
There are more wrinkles to these issues than will fit in this space. However, the qualified immunity under the FCRA has been the key to the credit reporting industry's viability. Without the immunity, credit bureaus probably would have been sued out of existence.
Without that same immunity, the rest of the personal information industry could find itself in trouble. Lawsuits brought by an executive prevented from making a business trip or by a mother who couldn't fly to her daughter's wedding could bring awful publicity and hefty verdicts.
That is why the industry eventually will welcome coverage by the FCRA or equivalent protection. If the industry doesn't embrace the idea, its insurers will insist. This will all take a few years to play itself out.