Some of the companies facing criticism for letting consumer data fall into the hands of identity thieves are among the biggest backers of proposed federal rules to safeguard personal information.
The reason: The companies fear even tougher state rules.
Bills introduced in Congress after lapses at information broker ChoicePoint Inc., LexisNexis and elsewhere would supersede a growing number of state laws, many of which impose stricter standards on data brokers, banks and credit reporting agencies. Rigorous disclosure requirements in California’s law -- the first in the nation, in effect since 2003 -- brought many of the breaches to light.
Following California’s lead, the number of states requiring companies to disclose the loss of sensitive personal information -- credit card and Social Security numbers, for example -- has grown to 22. Twelve states, triple the number a year ago, allow some consumers to prevent credit applications from being made in their name or let consumers block access to their credit records.
“Many states are starting to deal with the problem,” said Susanna Montezemolo, a policy analyst for the nonprofit Consumers Union. “A national solution is great if done the right way, but it could actually set us back.”
Several of the federal bills have provisions that consumer advocates like, but the drafts keep changing and will probably be combined in the spring, said Chris Hoofnagle, West Coast director of the nonprofit Electronic Privacy Information Center. Some of the bills would force disclosure of an information breach only when the company involved decided there was a “significant” risk of fraud -- a loophole that Consumers Union said would have stopped disclosure in dozens of the big 2005 cases.
The American Bankers Assn. said a high threshold for notification was necessary because otherwise consumers would get so used to being warned that they wouldn’t take the notices seriously. Banks and information brokers also argue that without a uniform federal rule, most companies will end up complying with the toughest state law in order to have a uniform policy, in effect letting one state regulate national conduct.
Among the bills with powerful congressional supporters is one written by Sens. Arlen Specter of Pennsylvania and Patrick J. Leahy of Vermont, the Republican and Democratic leaders, respectively, of the Senate Judiciary Committee. That bill calls for notification except when companies, after consulting with law enforcement, say there’s no significant risk of fraud. It would also allow consumers to see what information data brokers like Alpharetta, Ga.-based ChoicePoint have on them.
A bill sponsored by Rep. Cliff Stearns (R-Fla.) of the House Energy and Commerce Committee would also require notification only in cases of significant risk. And in going further toward the industry’s positions, it would apply only when information was “acquired” by a third party, not in all cases of lost information, and generally only if the information wasn’t encrypted. Individual victims would have no right to sue under the law.
Both bills would trump state notification rules.
The spate of proposed laws follows continuing disclosures of big breaches. Identity theft is the most common fraud complaint to the Federal Trade Commission, which estimates that 10 million people a year have accounts falsely opened in their name or are otherwise cheated.
To press their case, companies and industry groups have testified and written to members of Congress and have underwritten studies that play down the threat of online identity theft.
In August, Indiana University law professor Fred H. Cate began circulating a paper arguing that some types of identity fraud were declining. Cate, a frequent congressional witness and widely quoted authority on data security, declared: “Information security breaches are among the least common ways that personal information falls into the wrong hands. In 2005, the most common source of personal information that resulted in an identity-based fraud, by a factor of two to one over any other category, was ‘lost or stolen wallet, checkbook or credit card.’ ”
A footnote attributed that statistic to its original source, a January 2005 study by Pleasanton, Calif.-based Javelin Strategy & Research. Javelin and several trade groups have trumpeted the finding for months, along with Javelin’s related conclusion that 72% of identify theft begins offline.
Cate failed to disclose that the relevant Javelin data came from the 54% of consumer fraud victims surveyed who said they knew how their personal information was taken. The remaining 46% had no idea.
Federal Trade Commission officials said this year that the latter group logically would include a much higher percentage of victims of major electronic security breaches, computer spyware and phishing, online come-ons that trick people into revealing their personal information.
“We have concerns with putting out, frankly, numbers like that,” said FTC Associate Director Lois Greisman. “I know if I’ve lost my purse. A big problem with phishing is that people have no idea they’ve been phished.”
The Federal Deposit Insurance Corp., which guarantees bank deposits, found the same fault with Javelin’s methods when the agency urged banks to do more to educate their customers on the risks of electronic transactions.
“The more technologically challenging the case, the less likely it is that the victim will understand the means of access,” the FDIC wrote in a report this summer. Javelin’s data “do not support the conclusion that ‘most thieves still obtain personal information through traditional rather than electronic means.’ ”
After a California privacy official complained to Cate that he hadn’t explained that his figures on where identity theft originates were only from victims who knew what had happened, he added that information in later drafts.
The Javelin study was funded by Visa USA, Wells Fargo & Co. -- both based in San Francisco -- and Norcross, Ga.-based online payment firm CheckFree Corp., all of which profit from Internet banking.
Cate is a paid advisor to an organization called the Center for Information Policy Leadership, based at the law firm of Richmond, Va.-based Hunton & Williams, which published the paper. The center describes itself as “member-driven.”
Those members include Costa Mesa-based Experian Inc., one of the three major credit bureaus selling detailed financial information on consumers to other businesses, and LexisNexis Group, a unit of London-based Reed Elsevier, and Acxiom Corp., based in Little Rock, Ark. LexisNexis and Acxiom are two of the largest brokers of financial data in the country.
LexisNexis said in June that thieves had used stolen passwords to obtain sensitive information on as many as 310,000 people. In August, a Florida spammer named Scott Levine was convicted of evading Acxiom security to gain access to 1.5 billion records, including credit card information and e-mail and street addresses.
Cate said his research wasn’t controlled by the center’s members and that his initial omission about the victim survey was an oversight. He stood by the rest of the paper.
“It’s an area of policy in which legislation is driven by hysteria,” Cate said. “There’s just very little theft of data going on that is actually being used to commit identity theft.”
Another study was announced this month by San Diego-based ID Analytics Inc., which described its findings in House testimony, to senators on two relevant committees and to the media. That generated news stories with such headlines as “ID Theft Fears Overblown, Study Says” and “Good News on ID Theft.”
The firm earns money by helping banks figure out whether credit card applications might be fraudulent, and banks are among the institutions most actively opposed to new notification requirements.
The company said it studied four major losses of personal information, which it didn’t identify or explicitly claim were representative, and found that less than one person in 1,000 was victimized by fraud as a result.
But ID Analytics looked only for what it called signs of “organized misuse” -- for example, if a criminal gave himself away by using the same contact telephone number for two people whose information had been obtained in the same breach. In an interview, ID Analytics Vice President Mike Cook said he didn’t know what proportion of fraud would leave that sort of fingerprint.
He also acknowledged that to be detected by the study, a criminal needed to seek credit or make a purchase from a client of ID Analytics -- largely unnamed banks and cellular phone companies.
“If someone steals identities and created checks, passed bad checks at a supermarket, we probably wouldn’t catch that,” Cook said.