How Data Brokers Should Handle the privacy of Personal Information - PowerPoint PPT Presentation

Provided by: LuaiHa1
Learn more at: http://www.sis.pitt.edu

Transcript and Presenter's Notes

1
How Data Brokers Should Handle the privacy of
Personal Information
  • Luai E Hasnawi

2
Agenda
  • Background
  • The Business of Information Sharing
  • ChoicePoint
  • The Case
  • The Fraud Story
  • Role of the Security Breach Information Act
  • FTC investigation
  • Lawsuit
  • ChoicePoint privacy policy before the breach

3
Agenda 2
  • Policy Changes after the data breach
  • ChoicePoint's online privacy policy
  • How federal and state governments have reacted to
    the data breach
  • Recommendations

4
Background
  • What is data brokering?
  • It is a new industry based on gathering,
    processing and selling personal information.
  • Where do they get their information from?
  • From three major categories (local and
    nationwide):
  • Public records (records that are created and
    maintained by government agencies and are open
    for public inspection, e.g. real-estate and
    marriage/divorce records).
  • Publicly available information (information about
    an individual from non-governmental sources that
    is available to the general public, e.g.
    telephone directories and newspapers).
  • Nonpublic information (information about an
    individual obtained from a source that is
    privately owned and is not available to the
    general public, e.g. addresses and SSNs).

Source: http://west.thomson.com/privacy/records.aspx
5
The Business of Information Sharing
  • Companies or government agencies purchase from
    data brokers information about an individual -
    including his or her Social Security number - in
    order to conduct background checks or verify
    someone's identity.

Source: CRS Report for Congress, Data Brokers:
Background and Industry Overview, 2005
6
ChoicePoint
  • In 1997 ChoicePoint was separated from the Equifax
    credit agency.
  • ChoicePoint has acquired 60 companies and has
    hundreds of thousands of customers.
  • ChoicePoint has 5,500 employees.
  • CP sells data to more than 50 of the top 1,000
    US companies and has the largest background
    screening business.

7
ChoicePoint
  • CP provides critical services such as:
  • Employee screening
  • Homeland security
  • Mortgage processing
  • Commercial insurance
  • CP holds more than 19B public records.

8
The Case
  • On 14 February 2005, MSNBC reported unauthorized
    access to ChoicePoint's database.
  • Up to 35,000 Californians might have been
    affected.
  • After one week, the data breaches were found to
    affect consumers nationwide.
  • By the end of 2005, CP had notified 163,000
    victims whose records had been fraudulently
    accessed.

9
The Fraud Story
  • The fraud against CP started in 2003.
  • The fraudster acquired fake business licenses to
    pose as a check-cashing company and a
    debt-collection firm.
  • The business licenses were obtained using
    stolen identities.
  • Applications and business licenses were faxed to
    CP to obtain account access.
  • CP ran its routine background check, and it came
    back clear.
  • The fraudster set up 50 accounts using the above
    procedure and received a username and password
    every time.

10
The Fraud Story (cont.)
  • 17,000 searches were performed in the CP database.
  • Criminal investigators discovered more than 800
    cases of identity theft.
  • The breaches cost $27.3M in legal fees, victim
    notification and audits in 2005 alone.

11
Role of the Security Breach information Act
  • California state law requires any organization to
    disclose data breaches to California residents
    when there is unauthorized access to unencrypted
    personal information.
  • CP admitted that if this law did not exist, no
    one would ever have known about the breach.

12
FTC investigation
  • The US Federal Trade Commission (FTC) concluded
    its investigation in 2006 by announcing a
    landmark US$15M settlement: a $10M civil penalty
    and a $5M fund to compensate identity theft
    victims.
  • The FTC claimed that CP violated the terms of the
    Fair Credit Reporting Act (FCRA) when it shared
    personal credit data with unauthorized users and
    misled customers in its privacy statement by
    claiming that its database was secure.

13
Lawsuits
  • Goldberg v. CP. Filed within a week after the
    breach became public. The claim was that CP was
    fraudulent and negligent in its handling of the
    breach and employed unfair business practices.
  • Salladay v. CP. Filed within a month after the
    public disclosure. The claim was that CP violated
    the FCRA and various privacy rights.
  • Most of the lawsuits failed because they relied
    on the defendant's negligence without a showing
    of an actual occurrence of identity theft.

14
ChoicePoint privacy policy before the breach
  • All potential customers were required to
    establish their identity and reasons for seeking
    access.
  • This could be done by mail or fax.
  • CP checked the identity of the requester.
  • Once a new customer was verified, a username and
    password were sent to the customer to access the
    database.
  • Customers' search and login history were not
    archived.
  • No supervision was held over any access.

15
Policy Changes after the data breach
  • Closed 50 suspicious accounts.
  • Stopped accepting business licenses by fax and
    mail.
  • Nongovernmental and private businesses must
    appear in person to establish accounts.
  • Personal information would be sold only under new
    conditions, which are:
  • Governmental requests
  • Consumer-based transactions (e.g. home address
    verification).

16
Policy Changes after the data breach (cont.)
  • Masking part of the SSN and driver's license
    number.
  • Small-business customers were cut off from the DB.
  • Private investigators, check-cashing and debt
    collection firms were cut off from the DB.
  • CP created an Office of Credentialing, Compliance
    and Privacy to monitor activities and report
    to its board of directors.
  • For example: on-site visits, establishing
    policies for compliance with privacy laws and
    regulations, and improving screening.

17
Policy Changes after the data breach (cont.)
  • Offered victims one year of free credit-monitoring
    service.
  • CP brought in outside help to evaluate its
    business privacy practices.
  • CP hired Ernst & Young to review and improve the
    company's practices.

18
ChoicePoint's online privacy policies
  • CP used a web-based Privacy Goal Management Tool
    (PGMT) to evaluate the online privacy policy, and
    the results were:
  • 19 vulnerabilities.
  • 34 privacy protection goals.
  • The overall evaluation failed to provide
    consumers with information on how CP will manage
    and safeguard data that is collected and sold
    both online and offline.

19
How federal and state governments have reacted to
the data breach
  • Legal landscape
  • In 2005, only the State of California required
    notification to consumers in the event of
    unauthorized access to personal information.
  • By September 2006, 33 additional states had
    passed similar regulations.

20
How federal and state governments have reacted to
the data breach (cont.)
  • Consumer rights and responsibilities.
  • Generally, consumers are excluded from every
    aspect of data brokers' operations, leaving them
    little access to or control over their own
    personal information.
  • Since data brokers do not interact with
    individual consumers, there is no way for a
    consumer to prevent any kind of data breach.
  • Research shows a high error rate in CP records on
    individuals: 1 error in every 11 records.
  • As a result, CP announced plans to give
    individuals access to view their own personal
    information. However, since then, this service
    has still not become available.

21
How federal and state governments have reacted to
the data breach (cont.)
  • Consumer responsibilities to minimize the risk.
  • Check credit reports regularly for any
    unauthorized activity.
  • Consumers must be diligent in attempting to
    opt out of any undesired sharing of their
    personal information.
  • Consumers can contact each company with which
    they have a relationship to request opting out
    of information transfers.
  • By allowing consumers to access their
    information, data brokers:
  • Will strengthen goodwill and trust in their
    operations.
  • Provide consumers a low-cost means of eliminating
    harmful errors from their records.

22
Recommendations
  • Have a plan to deal with breaches.
  • Companies handling sensitive data must recognize
    the risk and plan accordingly.
  • Any strategy should include a plan for notifying
    the public in the case of such a data breach.
  • Provide accurate notification.
  • Many companies have realized the need to promptly
    alert the public of data breaches before the news
    media can break the story.
  • Companies that fully disclose a verified data
    breach and announce the changes being made to
    address the problems will soften the blow and are
    likely to maintain public trust in their
    operations.

23
Recommendations
  • Verify customers' identities to preserve privacy.
  • You need to be confident that a business is
    legitimate in order to protect your company's
    assets and reputation.
  • Perform regular security audits.
  • By performing such regular audits, companies
    would both fortify themselves against data
    breaches and provably maintain commercially
    reasonable security levels, which is the FTC's
    standard for negligence in data breaches.
  • Maintain an audit trail.
  • Data brokers should log all access to their
    database as well as all search history.

24
Recommendations
  • Store personal information in encrypted form.
  • Encryption of sensitive data minimizes the risk
    to that data if identity thieves acquire it.
  • Express the company's overall privacy practice
    clearly.
  • Make clear to both consumers and customers how it
    will store and protect sensitive information, and
    enumerate the rights that consumers have to
    protect the privacy of that information.
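The audit-trail recommendation on the previous slide and the SSN-masking change on slide 16, as an added example that is not part of the presentation. The account ids, timestamps and SSNs are constructed, and the search-count review threshold is an assumed policy, not one ChoicePoint used.

```python
from collections import Counter

# Constructed sample of database searches by customer accounts:
# (account id, timestamp, SSN of the person searched). All values are made up.
SAMPLE_SEARCHES = [
    ("acct-0101", "2005-01-03T09:12:00", "123-45-6789"),
    ("acct-0102", "2005-01-03T09:40:00", "987-65-4321"),
    ("acct-0103", "2005-01-03T10:05:00", "555-12-3456"),
    ("acct-0103", "2005-01-03T10:06:00", "555-12-9876"),
    ("acct-0103", "2005-01-03T10:07:00", "555-98-1234"),
    ("acct-0103", "2005-01-03T10:08:00", "444-12-3456"),
    ("acct-0103", "2005-01-03T10:09:00", "333-12-3456"),
    ("acct-0103", "2005-01-03T10:10:00", "222-12-3456"),
    ("acct-0101", "2005-01-04T11:00:00", "123-45-0000"),
]


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits, so the audit trail does not become
    a second unprotected copy of the sensitive data it records."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return "***-**-" + digits[-4:]


def audit_line(account: str, timestamp: str, ssn: str) -> str:
    """One audit-trail entry per search: which account searched, when,
    and a masked reference to the subject. Before the breach CP kept
    no such record of search history."""
    return f"{timestamp} account={account} subject={mask_ssn(ssn)}"


def build_audit_trail(searches) -> list[str]:
    """Render every search as an audit-trail line."""
    return [audit_line(a, t, s) for a, t, s in searches]


def flag_high_volume(searches, limit: int) -> list[str]:
    """Accounts that performed more than `limit` searches, sorted. Reviewing
    such accounts is the kind of supervision the slides say was absent;
    the threshold itself is an assumed policy value."""
    counts = Counter(account for account, _, _ in searches)
    return sorted(account for account, n in counts.items() if n > limit)


if __name__ == "__main__":
    for line in build_audit_trail(SAMPLE_SEARCHES):
        print(line)
    print("accounts to review:", flag_high_volume(SAMPLE_SEARCHES, 4))
```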

25
  • Thank you