The Providence Journal
Last month, Atlanta-based ChoicePoint revealed that thieves had gained access to the personal data, including Social Security numbers, of some 145,000 people. Of these, at least 750 have been defrauded. This was not ChoicePoint's first data-theft experience: in 2002, up to 10,000 records were compromised by a similar security breach.
Also last month, Bank of America admitted to having lost computer tapes that held personal data (again including Social Security numbers) of more than a million federal employees - including some senators.
Companies that sell consumer data have enjoyed explosive growth in the past decade or so. But they are scarcely regulated. Other industries that also collect data (financial-services and health-care companies, for instance) are governed by a weak patchwork of laws. The result is that almost every American's personal information has been collected in huge databases, and is distributed repeatedly, to anyone willing to pay.
Not only have Americans suffered a profound loss of privacy; they are also vulnerable to loss of assets, ruined credit, and life-altering mistakes arising from identity theft. Often, they have little recourse. A recent Wall Street Journal report described how one victim of identity theft was fired after his employer confused him with a convicted felon. ChoicePoint, according to the man's lawsuit, refused to fix the data that had led to the mistake.
The Federal Trade Commission estimates that 10 million Americans annually become victims of identity theft. Yet the industries that trade in personal data clearly do not want the party to end. They have lobbied heavily to fend off regulation. Last year, ChoicePoint helped kill a federal measure that would have restricted the sale of Social Security numbers.
The FTC and others cheerfully advise consumers to keep shredders on hand and check their credit reports regularly. But such steps are mostly a joke; the electronic barn door is wide open. And those who profit would just as soon Americans did not know.
The first principle that must gain leverage: citizens should have some say in how their personal information is used. The second is that we need a nationwide set of rules governing data distribution. Weak security in one industry (or state) translates into weakness in all.
California is the only state that requires consumers to be notified when their data are compromised. Absent this requirement, ChoicePoint might well never have revealed what happened. (About 35,000 of the people affected were Californians.) This notification law should be made national, as Sen. Dianne Feinstein, D-Calif., has proposed.
But much more must be done. Data brokers have by default become a kind of private domestic-intelligence service. Even government agencies buy their wares. This may seem handy in an age of terrorism, but the lack of accountability is a recipe for trouble. ChoicePoint's failure is proof.