Regulating Commercial Data Brokers in the Wake of Recent Identity Theft Schemes

• Author: Joshua Apfelroth
• Position: JD candidate at American University, Washington College of Law
• Pages: 08

Joshua Apfelroth is a third year JD candidate at American University, Washington College of Law. Mr. Apfelroth received his undergraduate degree from American University and is an Articles Editor on the Administrative Law Review. Mr. Apfelroth would like to thank Maya Grassi for her hard work in assisting with this piece. He would also like to acknowledge the support and encouragement received from his parents, Bruce and Debby Apfelroth. Mr. Apfelroth intends to pursue a career in commercial litigation.

Page 33

Introduction

TECHNOLOGY HAS INCREASED the ability of companies to compile and organize the personal information of individuals and organizations. Companies that market this type of personal information are often referred to as commercial data brokers (CDBs). Over the past year, the use of CDBs as a medium for criminals to obtain information for use in identity theft schemes has placed the security of these companies in the public spotlight. As a result of several high profile breaches in security, Congress is prepared to enact legislation to regulate the CDB industry, with the intention of tightening CDBs¥ privacy policies. Whereas Congress and CDBs agree that regulation of the industry is necessary, there is contention as to what type of legislation Congress should enact. While the CDB industry prefers legislation focusing mostly on punishing criminals who use their data to commit identity theft, many members of Congress believe that it is necessary to pass legislation that will regulate the manner by which CDBs collect and distribute information. Because of these competing interests, Congress is faced with the difficult task of regulating an industry that places consumers¥ identities at risk, while ensuring that the legislation they pass does not unduly burden CDBs? ability to provide important public benefits.

Identity Theft

THE TECHNOLOGICAL EXPLOSION of recent decades has resulted in the ability of CDBs to efficiently collect and organize the personal information of millions of Americans. This information ranges from general information, such as one¥s name, phone number and address, to specific information, such as the type of cars a person has owned, a person¥s credit history, and whether he or she has a criminal record.¹ Companies such as Choicepoint, Inc., Lexis- Nexis, Westlaw, Dun & Bradstreet and Experian, Inc. have made millions of dollars through the collection and sale of such personal information to individuals, businesses, and to local, state, and the federal government. The information is often packaged in ways that assist a particular industry or organization. ² Some of the largest markets for these services are small businesses, the insurance industry, the financial industry, and law enforcement.³ The government also frequently uses this data to investigate crimes, make employment decisions and fight terrorism. ⁴ Businesses, both large and small, access this information in order to screen new tenants, clients or employees.⁵

Unfortunately the services that CDBs provide are not always used for legitimate business means. There are people who use the CDBs¥ services as an intermediary to aid in identity theft schemes. Identity theft occurs when a person uses the identity of another in order to commit fraud.⁶ A type of identity theft frequently occurs when a person obtains the social security number of another and uses it to open new lines of credit, known as "tradelines."⁷ After opening a new tradeline under the guise of their victim, the identity thief can then obtain credit cards, wireless phone service, and utilities under the victim¥s name.⁸ Identity thieves also use their victims¥ information to engage in more complicated schemes. Such schemes include taking out an auto loan in a victim s name, filing bankruptcy to discharge debts incurred using the new identity, and obtaining a job and subsequently filing fraudulent tax returns under their victim¥s identity.⁹

"As a result of several high profile breaches in security, Congress is prepared to enact legislation to regulate the CDB industry, with the intention of tightening CDBs¥ privacy policies."

In 2003, a Federal Trade Commission (FTC) survey revealed that over a one year period, nearly ten million people discovered that they were victims of identity theft.¹⁰ In other words, 4.6% of the American adult population knowingly fell victim to identity theft.¹¹ This overwhelming statistic excludes those who are unaware that they are victims of identity theft; this is likely a large number considering the difficulty people have in detecting that they are victims of identity theft. These Page 34 crimes have translated into approximately $48 billion in business losses, $5 billion in losses to individuals, and nearly 300 million hours spent by victims trying to resolve the problem.¹²

Recent events at large CDBs, such as Choicepoint and Westlaw, accompanied by the overwhelming statistics stated above, have brought the issue of CDBs¥ role in identity theft to the forefront of the agenda of American politics, public policy organizations and citizens. As a result, Congress and consumer rights organizations are calling for stricter laws aimed towards defending the American public against identity theft.

What Type of Information Do CDBs Collect?

CDBS OBTAIN INFORMATION from many different sources. CDBs collect some information themselves and purchase other information. However, all of the information that CDBs gather can be classified under one of three categories: (1) Public Record Information, (2) Publicly-Available Information and (3) Non-Public Information. Public Record Information consists of that information which appears in public records,¹³ including birth and death records, tax lien records, property records, court records, voter registrations and licensing records.¹⁴ Publicly- Available Information differs from Public Record Information in that Publicly-Available Information is unavailable in public records; it is publicly available through other public mediums, such as print publications, telephone directories, and Internet sites.¹⁵ The most controversial of the information that CDBs collect is Non-Public Information, which is usually purchased from outside sources. Non-Public Information consists of identifying information, such as one¥s name, phone number, address, and social security number.¹⁶ Non-Public Information also includes a person¥s credit card number, magazine subscriptions, travel destinations and other records received during a person¥s business transaction.¹⁷ Finally, information gathered from a person¥s application for credit, employment or insurance application, and information obtained from an individual¥s website registration, contest or warranty is considered Non- Public Information.¹⁸

Events That Have Raised Questions About The Security of Information Held by CDBs

ONE OF THE MOST WELL KNOWN CASES of identity theft by thieves using fraudulently obtained personal records obtained through a CDB occurred in February 2005, at Choicepoint, Inc. One man led a ring of identity thieves and compromised more than 145,000 records.¹⁹ The ring obtained fraudulent business licenses and other fraudulent documents to open fifty accounts with Choicepoint. Ring members were able to pose as businesses seeking information about potential employees and customers. For over a year, the criminals had access to Choicepoint s collection of personal data, and for $100 to $200 per account, they were able to gain access to individuals¥ addresses, social security numbers and phone numbers.²⁰ Other incidents have also highlighted the need to ensure that personal information on computers is securely protected. In the past year, security breaches at LexisNexis, Westlaw, Bank of America, PayMaxx, T-Mobile, Science Applications International Corporation and George Mason University have put people at risk of identity theft.²¹

Current Laws In Place to Restrict the Sale of Personal Information

THERE IS NO SINGLE FEDERAL LAW that encompasses the sale of all consumer information. Instead, Congress passed industryspecific regulations governing the dissemination of personal information. Aside from scattered federal laws, limited state legislation exists to help minimize the risks associated with CDBs. As a result of this piecemeal legislation, CDBs have the ability to take advantage of the loopholes inherent in such legislation. The statutes already in place are too specific to ensure complete privacy of the records housed by CDBs. For example, the Fair Credit Reporting Act (FCRA) focuses on oversights of the credit reporting system and limits the sale of consumer information. ²² The FCRA prohibits, with several listed exceptions, the distribution of "consumer reports" by "consumer reporting agencies" (CRA) except for "permissible purposes," while ensuring that the consumer reporting agencies make reasonable Page 35 efforts to verify the identity of prospective recipients.²³ Consumer reports are defined as reports that contain information that is gathered and sold to businesses to facilitate consumerrelated decisions. The FCRA governs CDBs to the extent that the information they distribute constitutes a consumer report. To distribute "consumer reports," a CRA must meet one of the permissible purposes set forth in the FCRA. Most relevant to the distribution of data by CDBs is that under the FCRA, reports may be provided for a business to make credit, insurance or employment decisions. Another loophole that CDBs may take advantage of is that CRAs/CDBs may also distribute...