  From: Steve McBride <spm2101@columbia.edu>
  To  : <cpc@emoglen.law.columbia.edu>
  Date: Wed, 09 Mar 2005 00:00:35 -0500

Paper 1: Legislative Solutions to Protecting Personal Data

Steve McBride

After reading the book No Place To Hide [1], my main concern was the lack 
of legislation protecting citizens from improper uses of their data, 
whether by the government, corporations, or identity thieves.  While I 
don't expect civil actions for negligent behavior on the part of data 
miners to force Acxiom or Choicepoint to change their behavior, I do 
believe that targeted legislation in areas of concern offers the most 
realistic route to ensure an acceptable level of privacy for the average 
citizen.  At least we could curb the most egregious privacy abuses. 
Negligence actions against data miners would provide compensation to 
victims.  Other regulation, such as more enforcement against identity 
thieves and restrictions against uses by law enforcement would offer 
deterrent effect.  Individuals should have the ability to get any 
information a company has on them at request, as well as a process for 
correcting or deleting any mistakes.  Finally, in some cases, certain types 
of data collection may need to be restricted altogether.

Consumers should be able to sue companies based on negligently using 
information.  Data collection companies should be required to verify the 
legitimacy of clients requesting consumer information or face liability to 
consumers.  This would make companies like Choicepoint take more safeguards 
in selling sensitive data.  Much of the cost would be passed along to 
consumers in the form of higher prices, but some new safety guards would be 
implemented simply because they prevent enough suits to save the companies 
money.

One of the most disturbing examples in No Place to Hide was Michael Berry 
[2].   The fact that a victim of identity theft cannot even get police to 
investigate the crime when he knows the address of the thief is amazing.  I 
don't want to get too specific in trying to structure a better law 
enforcement regime but I want to point out that law enforcement needs a 
cohesive strategy for policing identity theft that is lacking today. 
Legislation should provide police a framework for law enforcement to 
investigate and prosecute identity theft.  Obviously, enforcement wouldn't 
stop all identity theft, but it would deter a significant amount, and give 
the consumer some cushion against misuse of their identity.

Sticking with law enforcement, there also needs to be some legislation on 
what law enforcement can and cannot do with information, and there need to 
be penalties for misuse.  Although sweeping restrictions on data use by 
police seem unlikely in the near future, limitations on extreme misuses 
are feasible.  Procedures for who can use sensitive information and for 
what purposes need to be laid out and followed more closely.

Most importantly in guaranteeing some measure of electronic privacy, 
individuals need the ability to monitor and correct information that third 
parties have collected about them.  To a limited extent, this already 
exists with the Fair Credit Reporting Act, but the FCRA is not extensive 
enough to provide adequate consumer protection [3].  Something similar 
needs to be extended to any information gathered about people through any 
company.  Consumers need absolute authority to review, correct, and delete 
any information that any third party has about them.  Corporations should 
be required to report on stolen data to consumers, similar to the 
California identity theft statute that required Choicepoint to report 
stolen data to all affected Californians [4].  This report should include 
not only whose information was stolen, but also specifically what 
information was stolen.

Eventually, I believe that collecting certain types of personal information 
may be totally banned.  Today, this type of legislation is probably 
unrealistic, but after twenty or thirty years of experience with broad data 
collection, society will learn by trial and error what kinds of data 
collection lead to problems and will move to limit their collection [5]. 
My guess would be financial data like credit card numbers will go first as 
corporations are slow to react to better identity thieves.  If data 
modeling gets too good, data collection of information like purchasing 
history may also need to be dealt with.

Alternate strategies such as a constitutional amendment or sweeping, broad 
legislation on data collection may be more philosophically satisfying than 
industry-endorsed legislation, but in my opinion are not realistic 
alternatives.  I don't think Congress would ever pass a broad ban on this 
type of operation.  For one thing, a large portion of the public likes and 
benefits from data collection.  I derive value from getting lower interest 
rates because of a good credit rating.  Shoppers at Rite Aid get discounts 
on products because of their club cards.  The loss of privacy incurred from 
the data collection is real, but the average American has proven she will 
gladly sacrifice some privacy for a price break.  On the corporate side, a 
huge industry has sprung up around data collection, with an effective 
lobbying group to go along with it.  Acxiom is not going to be put out of 
business without a fight, and Kroger will spend millions to be able to 
continue handing out Kroger cards.  Given the lack of public interest and 
the strong financial stakes to the data collection industry, I don't think 
we can reverse what has been done.  The genie is out of the bottle.

In my opinion the most realistic solution to issues of privacy raised by 
data collection is targeting legislation at specific problems that evolve 
as we learn the pitfalls of having so much information collected about us. 
It gives the advantage of being able to curb the worst abuses while keeping 
the benefits we gain from the use of this data.  Possibly in the future we 
will have learned enough about the ups and downs of data collection that we 
can formulate a simple rule to satisfy all interested parties.  At the 
present, however, the interests of industry and privacy are too far apart, 
and we're still not sure what the social value of data collection can be. 
Targeting legislation to deal with the most obvious problems seems to me to 
be the best solution.

Notes:

[1]  Robert O'Harrow, Jr., No Place To Hide (2005).
[2]  Id. at 74-78 and Chapter 3 in general.  When an identity thief began 
opening up credit cards under Berry's name, police refused to investigate 
due to jurisdiction issues and lack of resources.
[3]  15 U.S.C. § 1681-1681u.  The FCRA only covers credit reporting 
agencies and it is up to the credit reporting agency's discretion to 
investigate and correct any mistakes on your report.
[4] The California Online Privacy Protection Act of 2003, Cal. Bus. & Prof. 
Code § 22575 - 22579 (2004).  For discussion of the Choicepoint fiasco, see 
Tom Zeller, Jr., Breach Points Up Flaws in Privacy Laws, NY Times, Feb 24, 
2005.
[5] Choicepoint is already curbing its sales of Social Security Numbers and 
Driver's Licenses in an attempt to slow the upcoming legislative backlash 
against it.  See Margaret Kane and Matt Hines, "Choicepoint Faces Inquiry, 
Will Curtail Data Sales", CNET (March 4, 2005); available at: 
http://news.com.com/ChoicePoint+faces+inquiry%2C+will+curtail+data+sales/2100-1029_3-5599516.html




-----------------------------------------------------------------
Computers, Privacy, and the Constitution mailing list


