Data Brokers Sitting on a Powder Keg?

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  
You can hardly pick up a newspaper or read an online news outlet withoutseeing another story about how somebody's personally identifiableinformation -- maybe even yours -- was lost, stolen, or otherwisemishandled, by companies in the rapidly expanding ''data aggregation''business.

Data aggregation is one of the many euphemisms for an industry built uponscrounging up every last shred of your personal, professional, financial,and medical information, and then selling it to the highest bidder. Othereuphemisms for the industry include data brokers, data warehousers, anddata merchants.

But with the growing number of high-profile privacy breaches, perhaps themost appropriate term would be data losers.

The latest poster child for how not to be a data aggregator isChoicePoint. The Alpharetta, Ga.-based data aggregator is in the businessof, according to its Website, providing ''decision-making informationthat helps reduce fraud and mitigate risk''. Specifically, they offerservices to help businesses ferret out criminals, avoid deadbeatcustomers, and steer clear of untrustworthy vendors.

Unfortunately, ChoicePoint failed to avail itself of its own services andfound itself hoodwinked by a handful of identity thieves who boughtdetailed dossiers containing the personal information of more than140,000 consumers around the U.S.

In no other business could a broker, warehouser, or merchant be socareless with their primary assets and still be in business. Yet, unlikethe securities held by a stock broker or the operator of warehouse fullof televisions, data brokers are trading in bits and bytes that neverspoil and can be given away freely without ever diminishing the size oftheir holdings.

On the best of days, a reasonable person could expect that if you have anasset that doesn't lose its value, even after being resold a thousandtimes over, such a scenario might breed a certain level of complacency.And you'd be right, because it appears that the data aggregation businesshas a level of tolerance for negligence and incompetence that isbreathtakingly dangerous.

Further compounding the problem is that very few laws apply to the dataaggregation industry, meaning that the only real law that companies likeChoicePoint have to deal with is the law of supply and demand.

The reality of the data aggregation industry is that their business isbased upon buying and selling an asset that they don't own, that theydon't have to work remarkably hard to get, and, until recently, came withfew tangible consequences for screwing up.

The data aggregation business is founded on the principal that, whiledata is a very valuable asset, the only people who don't have a right tocontrol that asset are the people described by the data. If you askcompanies like ChoicePoint or Acxiom, to show them your dossier, they'llgive you a puzzled look. If you ask them to delete you from theirdatabase, they'll double over in laughter.

Fundamentally, the business of a data aggregator is to exploit whateverdata comes their way, and to maximize the return for shareholders byselling as much information as fast as they can.

If there's any good news that has come from the recent spate of privacybreaches, however, it's that the cavalier manner in which dataaggregators have treated people's private information has earnedChoicePoint a trip to the woodshed, courtesy of a number of very angrylegislators.

Once members of Congress have had a chance to browbeat the dingbats atChoicePoint and other data aggregation services, the more difficult taskwill be to craft some legislative solutions. Many are calling for dataaggregators to be regulated in much the same way as their brethren, thecredit bureaus, have been for several decades now.

Unfortunately, the track record of government agencies holding creditbureaus accountable is less than comforting.

After decades of lawsuits by regulators for anti-consumer behavior, thecredit bureaus are as defiant as ever. Even today, credit bureaus canmake you wait months to correct bogus information -- only to see itreappear a few months later. Yet, when a paying customer comes calling,they can slice, dice, and ship off your data at the drop of a hat.

While it is an encouraging sign that ChoicePoint's stock price has fallensome 20 percent, punished by the market, there's little to suggest thatthe rest of the industry is sufficiently chastened by that financialsetback. What really has the industry worried, however, are a number ofclass action lawsuits by identity theft victims that are now workingtheir way through the courts.

When I was in law school, we learned in Torts that businesses can be heldto account for their negligent behavior, especially when somebody hasbeen hurt as a result. We also learned that, for certain industriesengaged in high-risk work (the classic example being a dynamite factory),the standard for determining what constituted reasonable versus negligentbehavior was set much higher because of the risk of greater publicdanger.

Perhaps it's time for our legislators to pass a law that tells the dataaggregators that if they want to toss around people's personalinformation in a reckless fashion, they're welcome to do so. But theyshouldn't be surprised when their carelessness blows up in their face.

Ray Everett-Church is a principal with ePrivacy Group, a privacy and anti-spam consultancy. He is a founder of CAUCE, an anti-spam advocacy group, and he is co-author of ''Internet Privacy for Dummies.''