Data Brokers Sitting on a Powder Keg?


Modernizing Authentication — What It Takes to Transform Secure Access

Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  
You can hardly pick up a newspaper or read an online news outlet without seeing another story about how somebody's personally identifiable information -- maybe even yours -- was lost, stolen, or otherwise mishandled, by companies in the rapidly expanding ''data aggregation'' business.

Data aggregation is one of the many euphemisms for an industry built upon scrounging up every last shred of your personal, professional, financial, and medical information, and then selling it to the highest bidder. Other euphemisms for the industry include data brokers, data warehousers, and data merchants.

But with the growing number of high-profile privacy breaches, perhaps the most appropriate term would be data losers.

The latest poster child for how not to be a data aggregator is ChoicePoint. The Alpharetta, Ga.-based data aggregator is in the business of, according to its Website, providing ''decision-making information that helps reduce fraud and mitigate risk''. Specifically, they offer services to help businesses ferret out criminals, avoid deadbeat customers, and steer clear of untrustworthy vendors.

Unfortunately, ChoicePoint failed to avail itself of its own services and found itself hoodwinked by a handful of identity thieves who bought detailed dossiers containing the personal information of more than 140,000 consumers around the U.S.

In no other business could a broker, warehouser, or merchant be so careless with their primary assets and still be in business. Yet, unlike the securities held by a stock broker or the operator of warehouse full of televisions, data brokers are trading in bits and bytes that never spoil and can be given away freely without ever diminishing the size of their holdings.

On the best of days, a reasonable person could expect that if you have an asset that doesn't lose its value, even after being resold a thousand times over, such a scenario might breed a certain level of complacency. And you'd be right, because it appears that the data aggregation business has a level of tolerance for negligence and incompetence that is breathtakingly dangerous.

Further compounding the problem is that very few laws apply to the data aggregation industry, meaning that the only real law that companies like ChoicePoint have to deal with is the law of supply and demand.

The reality of the data aggregation industry is that their business is based upon buying and selling an asset that they don't own, that they don't have to work remarkably hard to get, and, until recently, came with few tangible consequences for screwing up.

The data aggregation business is founded on the principal that, while data is a very valuable asset, the only people who don't have a right to control that asset are the people described by the data. If you ask companies like ChoicePoint or Acxiom, to show them your dossier, they'll give you a puzzled look. If you ask them to delete you from their database, they'll double over in laughter.

Fundamentally, the business of a data aggregator is to exploit whatever data comes their way, and to maximize the return for shareholders by selling as much information as fast as they can.

If there's any good news that has come from the recent spate of privacy breaches, however, it's that the cavalier manner in which data aggregators have treated people's private information has earned ChoicePoint a trip to the woodshed, courtesy of a number of very angry legislators.

Once members of Congress have had a chance to browbeat the dingbats at ChoicePoint and other data aggregation services, the more difficult task will be to craft some legislative solutions. Many are calling for data aggregators to be regulated in much the same way as their brethren, the credit bureaus, have been for several decades now.

Unfortunately, the track record of government agencies holding credit bureaus accountable is less than comforting.

After decades of lawsuits by regulators for anti-consumer behavior, the credit bureaus are as defiant as ever. Even today, credit bureaus can make you wait months to correct bogus information -- only to see it reappear a few months later. Yet, when a paying customer comes calling, they can slice, dice, and ship off your data at the drop of a hat.

While it is an encouraging sign that ChoicePoint's stock price has fallen some 20 percent, punished by the market, there's little to suggest that the rest of the industry is sufficiently chastened by that financial setback. What really has the industry worried, however, are a number of class action lawsuits by identity theft victims that are now working their way through the courts.

When I was in law school, we learned in Torts that businesses can be held to account for their negligent behavior, especially when somebody has been hurt as a result. We also learned that, for certain industries engaged in high-risk work (the classic example being a dynamite factory), the standard for determining what constituted reasonable versus negligent behavior was set much higher because of the risk of greater public danger.

Perhaps it's time for our legislators to pass a law that tells the data aggregators that if they want to toss around people's personal information in a reckless fashion, they're welcome to do so. But they shouldn't be surprised when their carelessness blows up in their face.

Ray Everett-Church is a principal with ePrivacy Group, a privacy and anti-spam consultancy. He is a founder of CAUCE, an anti-spam advocacy group, and he is co-author of ''Internet Privacy for Dummies.''


Loading Comments...