Index: [thread] [date] [subject] [author]
  From: <sgr2105@columbia.edu>
  To  : <cpc@emoglen.law.columbia.edu>
  Date: Fri, 11 Mar 2005 15:57:16 -0500

First Paper

Proposed Legislation to Protect Personal Information
Sam Roseme
3/11/05

The headlines following the recent security breach of ChoicePoint,
in which the “personally identifiable information” (PII) of over
100,000 Americans was misappropriated, were predictable and
inevitable. The Associated Press titled its story, “Data Brokers
Could Face More Regulation.”[1]  The New York Times followed with
“Breach Points Up Flaws in Privacy Laws.”[2]  Data aggregators like
ChoicePoint were able to avoid any regulation so long as no one knew
of them—and few people did, until recently.

So now that the media has stated the obvious—that data aggregators
can expect some regulation in the near future—the question
remains: what will the regulation look like, and what exactly will
it do? It will most likely not be as lenient as ChoicePoint would
hope. The company supports: independent oversight, increased
penalties for intentional misuse of PII, and mandatory notification
of when breaches occur.[3]  Nor will the regulation be as severe as
Henry Collison, a victim of ChoicePoint’s breach, believes it
should be. His reaction upon discovering the services ChoicePoint
provides was, “No one has the right to accumulate that much
information.”[4]

This paper analyzes three bills that have recently been introduced
in the Senate. The paper will then determine what, if anything, the
proposed legislation would do to prevent future breaches. An
examination of the bills shows that none would do anything to
prevent another breach like the one at ChoicePoint. However, the
legislation may indeed be a useful starting point in assisting
individuals in both preventing identity theft and reducing the
ensuing damage should identity theft occur.

All of the bills were introduced by Senator Dianne Feinstein (D-CA),
who has taken the lead on the issue in the Senate. One bill would create
a national version of a current California law, which requires
businesses to notify individuals when their PII has been
misappropriated.[5]  California currently is the only state to have
such a law. Without California’s law the ChoicePoint breach would
likely never have been disclosed. Indeed, it was recently reported
that a similar—but previously undisclosed—breach occurred at
ChoicePoint in 2000, prior to the enactment of California’s law.[6]
Sen. Feinstein’s federal version, if passed, would help victims
significantly reduce the amount of damage that can follow from
identity theft. Victims would be able to notify the credit agencies
that their PII has been stolen to put fraud alerts on their credit
reports, preventing companies from issuing credit to anyone using
the victim’s name.

This is, obviously, a helpful first step. In fact, it is almost
surprising that this is not already required. However, this bill
would still do nothing to prevent the accumulation of one’s PII, or
even the subsequent theft of such PII from data aggregators.
Accordingly, it still leaves open the possibility for extensive
damage. For example, the recent ChoicePoint breach may have been
ongoing for several months before it came to ChoicePoint’s
attention. In cases like that, the required notification would come
after the damage to their credit has been completed.

A second bill seeks to address identity theft before it happens by
limiting the sale of people’s PII.[7]  However, it would have done
nothing to prevent the ChoicePoint security breach. At first, the
bill seems to be something with teeth. The bill would make it
“unlawful for a commercial entity to collect personally
identifiable information and disclose such information to any
nonaffiliated third party for marketing purposes or sell such
information to any nonaffiliated third party” without notifying the
individual.[8]  The exception to this is that “a commercial entity
may collect [PII] and use such information to market to potential
customers such entity’s product.” In addition, it allows for
companies to obtain and disclose PII from public records.
Therefore, the bill would continue to allow companies to collect
information about their customers—by tracking your purchases from
the store—but prevent them from then selling that information to
other companies. This would not have any effect on the breach from
ChoicePoint. Although ChoicePoint may purchase PII from other
companies, much of its information is culled from public records
which include people’s PII. ChoicePoint likes to boast that it has
19 billion public records on U.S. citizens.

The third bill, the Social Security Number Misuse Prevention Act,
would prohibit the public display, sale or purchase of a person’s
social security number without the person’s consent. However, the
bill includes several exceptions, including one that seems to
swallow the rule. The exception allows for the

“display, sale, or purchase of the number [if it] is for a use
occurring as a result of an interaction between businesses,
governments, or business and government (regardless of which entity
initiates the interaction), including, but not limited to—(A) the
prevention of fraud; (B) the facilitation of credit checks or the
facilitation of background checks of employees, prospective
employees, or volunteers; (C) the retrieval of other information
from other businesses, commercial enterprises, government entities,
or private nonprofit organizations; or (D) when the transmission of
the number is incidental to, and in the course of, the sale, lease,
franchising, or merger of all, or a portion
of, a business.”[9]

And just like the Privacy Act, this bill would also exempt the sale
of SSNs found on public records.
The language in this section leaves open many possibilities for the
sale of social security numbers. Additionally, since it allows for
the sale when concerning background checks and credit checks it
would do nothing to prevent another breach of ChoicePoint.
ChoicePoint was simply sending PII to what they believed was a
business conducting background checks.

An examination of these bills—which are so far the farthest-reaching
proposals and which, if passed, will be extremely watered down—raises a
question. In the age of “the digital person” do we simply have to
accept that data aggregation and identity theft are going to
happen—and frequently—and the best we can do as a society is help
the identity theft victim move to prevent additional damage as soon
as the theft becomes known? The answer seems to be “yes.”




[1] Harry R. Weber, Data Brokers Could Face More Regulation, AP,
Feb. 22, 2005
[2] Tom Zeller Jr., Breach Points Up Flaws in Privacy Laws, The New
York Times, Feb. 24, 2005
[3] See www.choicepoint.com
[4] Verne Kopytoff, Victims of ChoicePoint Breach Left Irate
Cleaning Up After Database Fraud Proves an Inconvenient Chore, San
Francisco Chronicle, Feb. 24, 2005
[5] The bill’s popular name is, “Notification of Risk to Personal
Data Act.”
[6] Report: ChoicePoint Had Theft Case Before, AP, Mar. 2, 2005
[7] The popular name of this bill is The Privacy Act of 2005.
[8] Privacy Act, Sec. 101(a)
[9] Social Security Act, Sec. 1028A(e)(5)


-----------------------------------------------------------------
Computers, Privacy, and the Constitution mailing list