Question

Data for Sale  

Want a list of 3,877 charity donors in Detroit? You can buy it from USAData for $465.24 through USAData’s Web site, which is linked to large databases maintained by Acxiom and Dun & Bradstreet, anyone with a credit card can buy marketing lists of consumers broken down by location, demographics, and interests. The College Board sells data on graduating high school seniors to 1,700 colleges and universities for 28 cents per student. These businesses are entirely legal. Also selling data are businesses that obtain credit card and cell phone records illegally and sell to private investigators and law enforcement. The buying and selling of personal data has become a multibillion dollar business that’s growing by leaps and bounds. Unlike banks or companies selling credit reports, these private data brokers are largely unregulated.

There has been little or no federal or state oversight of how they collect, maintain, and sell their data. But they have been allowed to flourish because there is such a huge market for personal information and they provide useful services for insurance companies, banks, employers, and federal, state, and local government agencies. For example, the Internal Revenue Service and departments of Homeland Security, Justice, and State paid data brokers $30 million in 2005 for data used in law enforcement and counterterrorism.

The Internal Revenue Service signed a five-year $200 milllion deal to access ChoicePoint’s databases to locate assets of delinquent taxpayers. After the September 11, 2001 terrorist attacks, ChoicePoint helped the U.S. government screen candidates for the new federally controlled airport security workforce.

ChoicePoint is one of the largest data brokers, with more than 5,000 employees serving businesses of all sizes as well as federal, state, and local governments. In 2004, ChoicePoint performed more than seven million background checks. It pocesses thousands of credit card transactions every second. ChoicePoint builds its vast repository of personal data through an extensive network of contractors who gather bits of information from public filings, financial-services firms, phone directories, and loan application forms. The contractors use police departments, school districts, the department of motor vehicles, and local courts to fill their caches. All of the information is public and legal.

ChoicePoint possesses 19 billion records containing personal information on the vast majority of American adult consumers. According to Daniel J. Solove, associate professor of law at George Washington University, the company has collected
information on nearly every adult American and “these are dossiers that J. Edgar Hoover would be envious of.”

The downside to the massive databases maintained by ChoicePoint and other data brokers is the threat they pose to personal privacy and social well being. The quality of the data they maintain can be unreliable, causing people to lose their jobs and
their savings. In one case, Boston Market fired an employee after receiving a background check from ChoicePoint that showed felony convictions. However, the report had been wrong. In another, a retired GE assembly-line worker was charged a higher insurance premium because another person’s driving record, with multiple accidents, had been added to his ChoicePoint file.

ChoicePoint came under fire in early 2005 for selling information on 145,000 customers to criminals posing as legitimate businesses. The criminals then used the identities of some of individuals on whom ChoicePoint maintained data to open fraudulent credit card accounts.

Since then ChoicePoint curtailed the sale of products that contain sensitive data, such as social security and driver’s license ID numbers, and limited access by small businesses, including private investigators, collection agencies, and non-bank financial institutions. ChoicePoint also implemented more stringent processes to verify customer authenticity.

Marc Rotenberg of the Electronic Privacy Information Center in Washington, D.C., believes that the ChoicePoint case is a clear demonstration that self-regulation does not work in the information business and that more comprehensive laws are needed. California, 22 other states, and New York City have passed laws requiring companies to inform customers when their personal data files have been compromised. More than a dozen data security bills were introduced in Congress in 2006 and some type of federal data security and privacy legislation will likely result. Privacy advocates are hoping for a broad federal law with a uniform set of standards for privacy protection practices.

1) Discuss the issues raised by data brokers in the context of management, organization, and technology factors.

2)    Use a professional code of ethics to recommend solutions to the issues in 2.

Answer 1

1. The issues raised by data brokers are
   • Management: There has been little or no federal or state oversight of how they collect, maintain, and sell their data. But they have been allowed to flourish.
   • Organizational: The downside to the massive databases is the threat they pose to personal privacy and social well being. The quality of the data they maintain can be unreliable, causing people to lose their jobs and their savings.
   • Technological: How they analyse data and provide insight is also less regulated and hence that may lead to undesireable consequences.
2. The following points of ethics can be considered as a solution to the issues rised above:

• Ownership: Even if the organization collected the data, it should maitain that the owner of the data is the same person from which it has been collected. And the person should be able to see and delete the data they want.
• Transaction transparency: Every piece of data collected should be shown to the user in a user friendly manner so that user can make up as much from the data as feasiblly possible.
• Classification: The data maintained should be classified into various categories like sensitive, financial etc.
• Consent: If the organization wants to collect personal data, it must ask the user for consent and provide the information of where it will be kept, with whom it will be shared and what will be done with the data.
• Source: Whereever the database is maintained, the source of the data should also me mentioned.
• Privacy: If the data is being sold or shared, attempts must be maintained to preserve the privacy of its owner as much as possible.