Just as I was in the process last week of asking whether we can trust industry self-regulation of privacy, ChoicePoint did us all the favor of providing a resounding answer to that question. The revelation that there are companies out there casually buying and selling our most sensitive personal information - companies that we never had business dealings with, companies that we were never given a chance to send an "opt-out" request, companies that won't let us see all the data they have on us, companies that are virtually unregulated in their privacy practices - should at least have one beneficial result. The public is now going to demand that our lawmakers get serious about protecting our privacy.
But I hope people realize that merely copying California's SB 1386 -- the law that forced ChoicePoint to spill the beans -- will not be sufficient. Don't get me wrong -- as a Californian, I'm proud that our Left Coast laws helped bring this situation to light. (And I can't help but wonder whether ChoicePoint would still have felt bound to inform Californians had the criminal investigation not happened to have been centered here.) A legal requirement that companies notify customers of a security breach that puts their personal information at risk is a no-brainer. And if your state's leaders don't now quickly enact a reasonable facsimile of SB 1386, you might want to borrow another page from the California book of tricks and dust off your recall provisions. (Which raises another interesting question: Gray Davis was the Governor who signed SB 1386 - would Arnie have signed it over the loud protests of industry?).
What the ChoicePoint fiasco really shows we need, however, are baseline federal privacy standards that apply to all industries. Although it's certainly ironic that the "nation's leading provider of identification and credential verification services" couldn't figure out it was selling our info to a ring of criminals, the real problem is that data brokers like ChoicePoint can legally sell our information to just about whomever they please. As the Electronic Privacy Information Center (EPIC) detailed recently for the FTC, right now there are no rules or regulations keeping any scumbag with a laptop from learning everything the data brokers know about you (including perhaps your family, job, and medical history) as he or she stands outside your door.
In that regard, another side benefit of the ChoicePoint fallout will hopefully be that the politicians and bureaucrats will now pay more attention to what EPIC has to say. EPIC has been sounding the alarm about ChoicePoint for many months -- not because it knew ChoicePoint was selling data to identity thieves, but because it knew the data broker business is out of control in its use and potential abuse of our personal information. And EPIC has already laid out a road map that should help guide lawmakers to the goal we should all share now of creating real privacy protection for the American public. A simple first step -- perhaps only requiring the FTC to clarify its rules -- would be to make sure that data broker businesses must comply with the Fair Credit Reporting Act the same way the credit reporting agencies do. That way we would at least have the right to see what information these companies have about us. If we don't want there to be more and even worse episodes than last week's, the companies that traffic in our privacy need to have a lot less privacy themselves.
Read and post comments about this story here.
9:31:19 AM 
|
