Commentary: Keeping A Grip On Identity

How to hold info brokers accountable for security without fouling up commerce

Venkatesh "Bunty" Pabbaraju's heart sank when he received the letter in early February. ChoicePoint Inc. (CPS), the giant information broker, was warning him that a California fraud ring had gained access to his private financial data. It wasn't the first time the 43-year-old Atlanta resident had been on the wrong end of a scam: Less than a year earlier, someone had swiped his identity and run up $7,000 in unauthorized charges on one of his credit cards. While nothing like that has happened this time -- so far, at least -- Pabbaraju is furious that brokers like ChoicePoint could put him at risk again. While ChoicePoint says it was itself a victim of fraud, Pabbaraju says: "It's distressing that they could sell my data to two-bit criminals. There ought to be a law."

He may be right. If one thing became clear after the security breach, it's how little oversight government has to ensure that information brokers such as ChoicePoint adequately protect the financial data of millions of Americans. As if to hammer that home, on Mar. 9, Reed Elsevier Group PLC's LexisNexis unit disclosed that hackers had gained access to roughly 32,000 of its consumer accounts. And no one doubts that identity theft is a growing problem. In 2004, according to the Federal Trade Commission, there were 246,570 complaints of identity theft, up from a mere 1,380 in 1999. And the FTC in 2003 estimated that annual losses from such fraud stood at about $47.6 billion.

After the recent mischief, Congress has begun to pay attention. On Mar. 15 two congressional committees held hearings, during which several potential fixes were floated. They included giving the FTC regulatory authority over the information brokers, allowing consumers to restrict access to their personal information, and forcing data brokers to notify consumers when their information is compromised. But in the face of intense industry opposition, strong regulation is unlikely to materialize soon -- if ever.

That's not simply stonewalling. Finding the right balance between securing private data and avoiding irrevocable harm to an industry that provides a vital service will be tricky. Data collected by ChoicePoint and its ilk allow financial institutions to make loans, landlords to assess the credit histories of prospective tenants, and employers to check out potential hires. Rein in the information brokers too hard, and conducting business would become less convenient and more expensive. Consumers could find it slower and tougher to get access to credit.

But there are ways to protect consumers without restricting the industry too harshly. For starters, Congress should follow the lead of California and Texas and allow individuals across the country to place a "security freeze" on their credit history. Since a freeze makes it hard for merchants and other providers of credit to review an applicant's credit history without permission, it would become nearly impossible for thieves to make an unauthorized application for credit. While industry lobbyists contend that freezing and then unfreezing data is more cumbersome than consumers realize -- and could deprive them of credit and other opportunities -- ultimately people should have the right to choose whether the extra security is worth the additional hassle.

Washington lawmakers also should pass national legislation similar to the two-year-old California law that requires information brokers to notify all residents of that state whose data file has been stolen. Without such a law, the data firms are unlikely to do so voluntarily. After all, according to California authorities, ChoicePoint didn't alert consumers when it suffered a similar incident in 2002. ChoicePoint has declined to discuss the incident. The only reason Pabbaraju got the bad news this time was that the California law forced ChoicePoint to send letters out to the 35,000 Californians whose information was compromised, and attorneys general from other states demanded similar disclosures for the rest of the nation. Industry lobbyists fret that automatic notification could create needless hysteria among consumers. After all, they argue, most security failures don't result in financial fraud. Perhaps, but better to know enough to start monitoring your credit than remain in the dark when someone has the information needed to empty your bank account.

The information brokers also should bear greater liability when a breach occurs. Up to now, courts have refused to allow defrauded consumers to bring suits against brokers like ChoicePoint. The reason: Since individual consumers aren't their customers, they have no business relationship with the brokers. But without the threat of fines or other financial penalties, the brokers have little economic incentive to beef up their security. Bruce Schneier, chief technology officer of Counterpane Internet Security Inc., a Mountain View (Calif.) security company, notes that originally in Europe, consumers were liable for any ATM fraud unless they could show their bank was at fault. As a result, ATM security in Europe remained lax. It didn't improve until regulators started holding banks liable for customer losses, as was already the case in the U.S. "That's what regulation does," says Schneier. And given the difficulty information brokers have policing themselves, that may be what's needed once more.

By Dean Foust
