Thursday, February 17, 2005

Dickie's Securities Update

Update: On Tuesday, I reported on ChoicePoint - a firm that gathers data on consumers and provides it to insurance companies, financial firms, etc. Basically, ChoicePoint builds a digital dossier on consumers including names, addresses, social security and other numbers as well as job histories. Businesses subscribing to ChoicePoint can then obtain that information to, for instance, decide whether or not to extend credit, etc. However, some thiefs decided to register as legitimate businesses and for seven months had access to records on tens of thousands of people. At least one identity theft has been reported and more are expected to follow.

Yesterday, ChoicePoint, who had announced that they would inform 35,000 California residents of the possible theft (as required by California state law) was dithering about whether or not they'd inform anyone else. Today they announced that 145,000 people will receive a letter notifying them of the possible theft of their data.

The short form of punishment for this crime is to go after the criminals. The next form of punishment to be handed out will likely come from a class action lawsuit against ChoicePoint. What should the next proposed actions be after punishment is meeted out?

For one thing, those consumers who receive these letters should be provided clear and extensive information on how to manage their digital dossiers. They should be informed what to look for in credit reports, how to change PINS, passwords, and accounts. These consumers need to find ways to mitigate the potential problems as much and as quickly as possible.

After that, laws need to be written that provide individuals with greater control over their digital dossiers and that restrict, in a meaningful way, how companies may share data as well as what data they may share and consumers should have meaningful tools to be involved in companies' abilities to share that data. Companies involved would not just be those in the financial world, but all aspects of data gathering including your grocery store and online retailers like Amazon.com. Now, most consumers will agree to sharing and compiling data on them if it enriches their shopping experience or their pocketbooks, but there should be ways that allow consumers to limit how this data is used. Consumers should also be better informed as to what's being gathered and how it all pieces together. The government should be in charge of this, perhaps with the assistance of some of the companies that gather this data (that would include virtually all retailers on the internet, since the internet's primary purpose has become information gathering and marketing with some retailers actually making more money selling their customer databases than selling goods online).

What's really interesting about the ChoicePoint case is how primitive the breach of security was. ChoicePoint never did a check to find out if these thiefs represented legitimate businesses. And that exposes another part of the real crime here: that there is no law or standard methodology requiring companies to follow basic security protocols when managing your data. It's a common joke these days to discuss how everything about you is now public thanks to the internet (it's not true, by the way...it's a bit like walking into a person's home and looking at the books on their shelves as well as their music collection and assuming that you know everything about her, but that's another topic). Most people blow it off without really considering the consequences. We assume that through some protective measures of our own that we'll be safe. After all, the law and companies' "good will" will work to safe guard our interests as well. Sadly, this is not the case and it is a greater burden to the victim than you might imagine. Just ask anyone whose been the victim of identity theft. They are the victims of both the thieves and are further victimized by a bureacratic system that is burdensome to deal with and change. Once that bogus data exists on your reports somewhere, it is extremely difficult to remove. In fact, it can take years.

1 comment:

Scott said...

SSN's used to be nothing more than your social security account number, and service numbers for the military. Corporations hijacked them as a convenient means of identification and means of sharing information. It seems to me every time someone has their identity stolen the banks, retailers, insurance companies, etc. which have access to your SSN should be held financially and criminally liable as they created the ease by which identities can be stolen for their own.

I believe with the tracking of customer clicks, constant video surveillance, credit scoring information which can be directly or indirectly linked to any individual should be limited. I'd like to see the maintaining of any specific or aggregate information which can be attributed to any individual cannot be retained for more than 60 days, without WRITTEN permission every 90 days. Violation should be a serious felony. Obviously for things like loans and insurance certain types of data would need to be retained for longer, but it should be extremely limited, and vigorously regulated.

Marketers in particular would be upset, but who cares if the dregs of society are bent out of shape? If you are not extremely cautious when asking insurance agents information, whether it be talking to other companies to compare rates or to ask your agent if something is covered your name (or identifying information) is entered into the industry database. I don't recall the name of the database, but your credit score drops appreciably with these type of queries, jacking up your rates with all insurance carriers. Just another argument that "credit score" is a euphemism for extortion.