Friday, April 07, 2006

Consumer Privacy and Information Security

The afternoon session today, "Consumer Privacy and Information Security: Does the Risk of Security Breaches Justify the Burden of Additional Safeguards," expressed the view that "who owns the data" is irrelevant. The salient issue is whether entities are using consumer information in ways that harm consumers (e.g., the FTC case against ChoicePoint). For a decade privacy issues have been about choice -- opt/in and opt/out -- but in terms of security there is movement away from inundating the public with notices that people do not read. Now, if a party undertakes to store and use personal data, it has a range of obligations, but knowing what those are is difficult because of the sectoral approach in the United States. The FTC has used its "fairness" power to go after companies whose errors included the storage of personal data that was not justified by any business or operating reason.

The IRS has proposed a rule that allows tax preparers to sell the information you give them, provided the consumer consents. This has created an uproar during the past two weeks. Why should tax preparers be allowed, under any circumstances, to use information gathered in that activity? Just because a firm prepares your taxes should not mean that, by getting some kind of consent, it should be allowed to sell your personal data to a Kleenex maker who wants to sell tissues to you. But consumers who put such a freeze on their accounts often find they lack the key needed to lift the freeze within 15 minutes, as needed to obtain, for example, a car loan. Few consumers have taken advantage of this tool. There is federal legislation pending on this at this time.

Personal information, of course, covers a spectrum of increasingly sensitive information. The panel took the view that when you are developing safeguards for information you need to determine at the outset the sensitivity of the information. Social security numbers are among the most sensitive information collected by firms on US persons.

As a result, security and privacy cannot be cut in half or segregated, and their linkage is the underlying assumption of the Fair Credit Reporting Act. And yet, federal law protects personal information linked to a credit card more than personal information linked to a debit card.

Another aspect of the kind-of-information issue is that a small amount of personal data gathered on many people can result in substantial harm to a large number of them, particularly when credit card numbers are stolen and misused. One man in the last year took in $37 million by such identity theft -- and this occurred through a series of comparatively small charges, $20 - $40 per transaction, repeated numerous times, so that small-fraud activity added up to a large-fraud theft of funds by use of stolen identities. Such activity tends to escape the neural networks that the credit card companies created to detect aberrant activity in card usage that would alert them to misuse of a credit card.

Theft of debit card numbers is a growing problem that the banks do not like to disclose or discuss. Consumers who are victims of such activity often do not know that their funds are being stolen until the thieves have vacuumed out all of their funds.

One panelist argued that the best solution to identity theft is the tool known as a "security freeze," namely a freeze on a consumer's account that blocks the creation of any new credit unless the consumer issues a temporary unfreeze order (requiring a string of security procedures).

(Unfortunately, the written materials, which detail many of the state data breach reporting laws, seem to have little, if any, relevance to this panel's discussion.)
