How Data Brokers Should Handle the privacy of Personal Information

Luai E Hasnawi

AgendaAgenda

Background The Business of Information Sharing ChoicePoint The Case The Fraud Story Role of the Security Breach information Act FTC investigation Lawsuit ChoicePoint privacy policy before the breach

Background The Business of Information Sharing ChoicePoint The Case The Fraud Story Role of the Security Breach information Act FTC investigation Lawsuit ChoicePoint privacy policy before the breach

Agenda 2Agenda 2

Policy Changes after the data breachChoicePoint's online privacy policyHow federal and state governments

have reacted to the data breachRecommendations.

Policy Changes after the data breachChoicePoint's online privacy policyHow federal and state governments

have reacted to the data breachRecommendations.

BackgroundBackground What is Data Brokering?

It is a new industry that based on gathering, processing and selling personal information.

Where do they get their information from?From three major category (locally and Nationwide). . .

Public records.(records that are created and maintained by government agencies and are open for public inspection, e.g. real-estate records and marriage divorce*)

Publicly available information(information about an individual from non-governmental sources that is available to the general public, e.g. telephone directory and newspaper*).

Nonpublic information(information about an individual obtained from a source that is privately owned and is not available to the general public, e.g. Addresses and SSN*).

What is Data Brokering? It is a new industry that based on gathering, processing and selling personal information.

Where do they get their information from?From three major category (locally and Nationwide). . .

Public records.(records that are created and maintained by government agencies and are open for public inspection, e.g. real-estate records and marriage divorce*)

Publicly available information(information about an individual from non-governmental sources that is available to the general public, e.g. telephone directory and newspaper*).

Nonpublic information(information about an individual obtained from a source that is privately owned and is not available to the general public, e.g. Addresses and SSN*).* source: http://west.thomson.com/privacy/records.aspx

The Business of Information Sharing

The Business of Information Sharing

“companies or government agencies purchase from data brokers information about an individual - including his or her Social Security number - in order to conduct background checks or verify someone’s identity” *

“companies or government agencies purchase from data brokers information about an individual - including his or her Social Security number - in order to conduct background checks or verify someone’s identity” *

Source: CRS Report for Congress, Data Brokers: Background and Industry Overview, 2005

ChoicePointChoicePoint

1997 ChoicePoint was separated from Equifax credit agency.

ChoicePoint has acquired 60 companies and hundred of thousand of customers.

ChoicePoint has 5,500 employees.CP sells data to more than 50% of the

top 1,000 US companies and has the largest background screening business.

1997 ChoicePoint was separated from Equifax credit agency.

ChoicePoint has acquired 60 companies and hundred of thousand of customers.

ChoicePoint has 5,500 employees.CP sells data to more than 50% of the

top 1,000 US companies and has the largest background screening business.

ChoicePointChoicePoint

CP provide critical tasks such asEmployee screening.Homeland securityMortgage processingCommercial insurance

CP has more than 19B public record.

CP provide critical tasks such asEmployee screening.Homeland securityMortgage processingCommercial insurance

CP has more than 19B public record.

QuickTime™ and aTIFF (LZW) decompressor

are needed to see this picture.

The CaseThe Case

In 14 February 2005, MSNBC reported unauthorized access to ChoicePoint’s Database.

Up to 35,000 Californians might have been affected.

After one week, data breaches affected consumers nationwide.

At the end of 2005, CP notified 163,000 victims have been fraudulently accessed.

In 14 February 2005, MSNBC reported unauthorized access to ChoicePoint’s Database.

Up to 35,000 Californians might have been affected.

After one week, data breaches affected consumers nationwide.

At the end of 2005, CP notified 163,000 victims have been fraudulently accessed.

The Fraud StoryThe Fraud Story

The Fraud against CP started in 2003. The fraudster acquired fake business license to pose

as check-cashing co. and debt-collection firm. The Business license were obtained by using a stolen

identities. Application and business license were faxed to CP to

get access account. CP run the routine background check and it was clear. Fraudster set up 50 accounts using the above

procedure and got username and passwords every time.

The Fraud against CP started in 2003. The fraudster acquired fake business license to pose

as check-cashing co. and debt-collection firm. The Business license were obtained by using a stolen

identities. Application and business license were faxed to CP to

get access account. CP run the routine background check and it was clear. Fraudster set up 50 accounts using the above

procedure and got username and passwords every time.

The Fraud Story (cont.)The Fraud Story (cont.)

17,000 searched were performed in CP database

Criminal Investigator discovered more than 800 identity theft.

The breaches cost $27.3M to recover legal fee, notify victims and seek audits in 2005 alone.

17,000 searched were performed in CP database

Criminal Investigator discovered more than 800 identity theft.

The breaches cost $27.3M to recover legal fee, notify victims and seek audits in 2005 alone.

Role of the Security Breach information Act

Role of the Security Breach information Act

California state law require any organization to disclose data breaches to California residents when unauthorized access to unencrypted personal information.

CP admitted that in this law does not exist, No one would ever know about the breach.

California state law require any organization to disclose data breaches to California residents when unauthorized access to unencrypted personal information.

CP admitted that in this law does not exist, No one would ever know about the breach.

FTC investigationFTC investigation

The US Federal Trade Commission (FTC) Concluded its investigation in 2006 by announcing a landmark US$15M, $10M civil penalty and $5M fund to compensate identity theft victims.

FTC claimed that CP violated the terms of the Fair Credit Reporting Act (FCRA) when it shared personal credit data with unauthorized users and misled customer in its privacy statement by claming that its database was secure

The US Federal Trade Commission (FTC) Concluded its investigation in 2006 by announcing a landmark US$15M, $10M civil penalty and $5M fund to compensate identity theft victims.

FTC claimed that CP violated the terms of the Fair Credit Reporting Act (FCRA) when it shared personal credit data with unauthorized users and misled customer in its privacy statement by claming that its database was secure

LawsuitsLawsuits

Goldberg v. CP. Failed within a week after the breach becoming public. The claim was Fraudulent and Negligent in its handle of the breach and employed unfair business Practice.

Salladay v CP. Failed within a month after the public disclosure. The claim was violated the FCRA and various privacy right. Most of the lawsuit were failed due to the defendant's negligence without a showing of an actual occurrence of identity theft.

Goldberg v. CP. Failed within a week after the breach becoming public. The claim was Fraudulent and Negligent in its handle of the breach and employed unfair business Practice.

Salladay v CP. Failed within a month after the public disclosure. The claim was violated the FCRA and various privacy right. Most of the lawsuit were failed due to the defendant's negligence without a showing of an actual occurrence of identity theft.

ChoicePoint privacy policy before the breach

ChoicePoint privacy policy before the breach

All potential customer were required to establish identity and reasons for seeking access.

This could be happened by mail or fax.CP check the identity of the request. Once new customer is verified, a username

and password sent to the customer to access the database.

Customers search and logging in history are not archived.

No supervision is held on any access.

All potential customer were required to establish identity and reasons for seeking access.

This could be happened by mail or fax.CP check the identity of the request. Once new customer is verified, a username

and password sent to the customer to access the database.

Customers search and logging in history are not archived.

No supervision is held on any access.

Policy Changes after the data breach

Policy Changes after the data breach

Close 50 suspicious accountsStopped accepting faxes and mails of

business licenseNongovernmental and private business

must attend personally to establish accounts.

Personal information would be sold under new conditions which are:Governmental requestsConsumer-Based transaction(e.g. home address

verification).

Close 50 suspicious accountsStopped accepting faxes and mails of

business licenseNongovernmental and private business

must attend personally to establish accounts.

Personal information would be sold under new conditions which are:Governmental requestsConsumer-Based transaction(e.g. home address

verification).

Policy Changes after the data breach (cont.)

Policy Changes after the data breach (cont.)

Masking part of SSN and driver’s license.Small-Business customer were cut-off the

DB.Private investigator, check-cashing and debt

collector are cut off the DB.CP created “Office of Credentialing

Compliance and privacy” to monitor the activities and report to its board of directors.

For example, on-site visits, establishing policies for compliance with privacy laws and regulation and improving screening.

Masking part of SSN and driver’s license.Small-Business customer were cut-off the

DB.Private investigator, check-cashing and debt

collector are cut off the DB.CP created “Office of Credentialing

Compliance and privacy” to monitor the activities and report to its board of directors.

For example, on-site visits, establishing policies for compliance with privacy laws and regulation and improving screening.

Policy Changes after the data breach (cont.)

Policy Changes after the data breach (cont.)

Offer victims one year of free credit-monitoring service.

CP brought outside help to evaluate its business privacy practice

CP hired Ernest &Young to review and improve the company practice

Offer victims one year of free credit-monitoring service.

CP brought outside help to evaluate its business privacy practice

CP hired Ernest &Young to review and improve the company practice

Choice point ‘s online Privacy policies

Choice point ‘s online Privacy policies

CP used a web based Privacy goal management tool (PGMT) to evaluate the online privacy policy and the result were

19 Vulnerabilities.34 Privacy protection goals.

The overall evaluation failed to provide consumers with information on how CP

will mange safeguard data that’s collected and sold both online and offline.

CP used a web based Privacy goal management tool (PGMT) to evaluate the online privacy policy and the result were

19 Vulnerabilities.34 Privacy protection goals.

The overall evaluation failed to provide consumers with information on how CP

will mange safeguard data that’s collected and sold both online and offline.

How federal and state governments have reacted to

the data breach

How federal and state governments have reacted to

the data breachLegal Landscape

In 2005, only California State has required notification to consumers in the event of unauthorized access to personal info.

In September 2006, 33 additional states had passed similar regulation.

Legal LandscapeIn 2005, only California State has

required notification to consumers in the event of unauthorized access to personal info.

In September 2006, 33 additional states had passed similar regulation.

How federal and state governments have reacted to the

data breach (cont.)

How federal and state governments have reacted to the

data breach (cont.)Consumer Rights and responsibilities.

Generally consumers are excluded from every aspect of their operation, leaving them little access or control over their own personal information.

Since data brokers do not interact with individuals consumers, there is no way for a consumer to prevent any kind of data breach.

A research shows high error rate on CP records on individuals. 1 error in every 11 record.As result, CP announced planning to give individuals

access to view their own personal information. However, since then, this service is still not available.

Consumer Rights and responsibilities.Generally consumers are excluded from every

aspect of their operation, leaving them little access or control over their own personal information.

Since data brokers do not interact with individuals consumers, there is no way for a consumer to prevent any kind of data breach.

A research shows high error rate on CP records on individuals. 1 error in every 11 record.As result, CP announced planning to give individuals

access to view their own personal information. However, since then, this service is still not available.

How federal and state governments have reacted to the

data breach (cont.)

How federal and state governments have reacted to the

data breach (cont.)Consumer responsibilities to minimize the

risk.Check credit report regularly for any unauthorized

activity.Consumer must be diligent in attempting to opt-

out of any undesired personal information.Consumers can contact each company with which

they have relationship to request opting out of information transfer. By allowing consumer to access their information

Consumer will strengthen goodwill and trust in their operation.

Provide consumer a low-cost means of eliminating harmful error from their records

Consumer responsibilities to minimize the risk.Check credit report regularly for any unauthorized

activity.Consumer must be diligent in attempting to opt-

out of any undesired personal information.Consumers can contact each company with which

they have relationship to request opting out of information transfer. By allowing consumer to access their information

Consumer will strengthen goodwill and trust in their operation.

Provide consumer a low-cost means of eliminating harmful error from their records

RecommendationsRecommendations

Have a plan to deal with breaches.Companies handling sensitive data must realize the

risk and plan accordingly.Any strategy should include a plan for notifying the

public in the case of such data breach. Provide accurate notification.

Many companies realized the need to promptly alert the public of data breaches before the news media could break the story.

Companies that fully disclose verified data breach and announce the changes being made to address problems will soften the blow and likely maintain public trust in their operation

Have a plan to deal with breaches.Companies handling sensitive data must realize the

risk and plan accordingly.Any strategy should include a plan for notifying the

public in the case of such data breach. Provide accurate notification.

Many companies realized the need to promptly alert the public of data breaches before the news media could break the story.

Companies that fully disclose verified data breach and announce the changes being made to address problems will soften the blow and likely maintain public trust in their operation

RecommendationsRecommendationsVerify Customers’ identities to preserve privacy.

“you need to be confident that a business is legitimate and protect your company’s assets and reputation”

Perform regular security audits.By performing such regular audits, companies would

both fortify themselves against data breaches and provably maintain commercially reasonable security levels, which is the FTC’s standard for negligence in data breaches.

Maintain an audit trailData broker should log all access to their database as

well as all search history.

Verify Customers’ identities to preserve privacy.“you need to be confident that a business is legitimate

and protect your company’s assets and reputation” Perform regular security audits.

By performing such regular audits, companies would both fortify themselves against data breaches and provably maintain commercially reasonable security levels, which is the FTC’s standard for negligence in data breaches.

Maintain an audit trailData broker should log all access to their database as

well as all search history.

RecommendationsRecommendations

Store personal information in encrypted formEncryption of sensitive data minimized the risk

to that data if identity thieves acquire it. Express the company’s overall privacy

practice clearlymake clear to both consumers and customers

how it will store and protect sensitive information, and enumerate the rights that consumers have to protect the privacy of that information

Store personal information in encrypted formEncryption of sensitive data minimized the risk

to that data if identity thieves acquire it. Express the company’s overall privacy

practice clearlymake clear to both consumers and customers

how it will store and protect sensitive information, and enumerate the rights that consumers have to protect the privacy of that information

25

Thank you Thank you