The Senate Banking, Housing and Urban Affairs Committee will meet on Thursday to ponder what it politely called “Recent Developments Involving the Security of Sensitive Consumer Information.”
Those developments include unauthorized access of the personal records of 32,000 consumers stored by Seisint, a division of Reed Elsevier
, revealed yesterday; fraudulent access of information on 145,000 consumers in the databases of ChoicePoint
, which came to light in February; and the February 25 admission by Bank of America that it lost tapes containing the credit card numbers of 1.2 million federal employees.
California has a law requiring companies to inform consumers when their personal data may have been compromised. U.S. Senator Dianne Feinstein (D-Calif.) has been working to craft similar legislation at the national level.
Identity theft of all kinds is a major concern to consumers, as well as Congress. The irony is that in the case of ChoicePoint and Seisint, the “theft” consists of people using the data bureau’s information without paying for it.
Selling Social Security numbers — and other personal information — is big business for companies like Reed Elsevier and ChoicePoint. Some privacy activists say it’s got to stop.
“They shouldn’t be allowed to sell Social Security numbers,” said Beth Givens, head of the Privacy Rights Clearinghouse, an organization that advocates for consumers’ privacy rights. Moreover, she said, there should be limits on how much data one provider can amass. “There should be multiple data points,” she said.
Those who rely on these consumer databases to do their jobs worry about losing access. Francie Koehler, a licensed private investigator based in Oakland, Calif., said her organization, the California Association of Licensed Investigators, believes there should be stronger penalties for illegal access of databases and stronger requirements for access.
“Unfortunately, [the SS number] has become a national identifier and the only way we have of verifying someone is who they say they are. Private investigators spend a lot of time locating people. Unless you have a Social Security number, you can’t verify that is the correct person.”
For example, Koehler recently handled a background check of a potential witness who had falsified his graduate school credential. “Without a Social Security number, you can’t even check that,” she said. “To eliminate that as a possibility would create some problems within the legal community.”
Robert Townsend, director of the National Association of Licensed Investigators and a licensed PI in Dana Point, Calif., said database providers should do a “stop and knock” for every applicant.
“When someone initially applies for access, as opposed to relying on the telephone and fax, perhaps they should assign an investigator to knock on the applicant’s door to verify that it is their business and this is why they need the information,” he said.
Townsend said the companies should continue to monitor businesses that use their services. While it would certainly be costly to hire staff to vet applicants, he added, “I don’t know of a legitimate licensed investigator who would have any objection to the cost for this being passed onto them in some form.”
Pam Dixon, executive director of the World Privacy Forum, a public interest research organization, said that if companies are going to keep extensive dossiers on consumers, at least they should provide full transparency.
“We should have the legal right to know every scrap of data they have on us,” she said. “We also should have a legal right to know everyone they sell this to. Then, if there are any mistakes, we should have the right to demand a correction right at the data source. We deserve the right to know what these companies have and who they’re selling it to and when.”