Does digital age spell privacy's doom?
State laws help inform people when their personal data has been stolen, but some want stronger measures at the federal level.
"'The right to be let alone," Supreme Court justice Louis Brandeis once said, is "the right most valued by civilized men." That right seems under renewed attack today in a world where personal records are stored digitally and can be obtained by those clever enough to hack in or by simply grabbing a laptop computer. Nearly every day, a new headline tells of Americans' private information being stolen by criminals or combed through by government agencies seeking terrorists.
What's the outlook for privacy? It's probably going to get worse before it gets better, some experts say. But new protections, mostly enacted at the state level, are helping. Congress may finally get into the act as early as this week, though consumer advocates say new federal laws may actually weaken privacy protections, depending on how they are worded.
Congress is acting none too soon, say some observers. "The Congress is way late – a day late and a dollar short – when it comes to privacy," says Robert Gellman, a privacy and information policy consultant in Washington, D.C., who served for nearly two decades as a congressional aide focused on privacy issues. "All the creative things that have been going on in privacy have been going on at the state level."
Since February 2005, when data-aggregation company ChoicePoint revealed that scammers had tricked it into providing them with the private financial records of 163,000 people, at least 88 million individual records held by the government or private companies have been exposed to possible theft, according to the Privacy Rights Clearinghouse in San Diego. The incidents occurred in a variety of ways, from both government and private databases.
In one highly publicized case, the Social Security numbers and other personal information of some 28 million US military veterans were stolen from a government employee's home in May. In one of many private examples, 243,000 customer records of hotels.com were lost when a laptop computer was stolen from a vehicle in February. The drumbeat of losses continues: Last week, the US Agriculture Department said a hacker had broken into its computer system and may have stolen Social Security numbers and photos of 26,000 of the department's employees and contractors.
In addition, new questions are being raised about government eyes on personal data. An investigation by the Associated Press found that federal and local law enforcement agencies routinely mined telephone records of Americans without obtaining subpoenas or warrants. According to the AP, they did so by employing private data brokers, who used deceptive and questionable tactics to obtain the information.
On Monday, President Bush and Vice President Cheney blasted the New York Times for revealing a secret government program that, according to the Times, can track banking transactions made by Americans between US and foreign banks. They declared the effort to be legal and an important aid in the war on terrorism.
At this point, observers say, Congress seems unready to pick up the political hot potato of government snooping that serves national security interests.
But Congress is looking at safeguards against ordinary criminals. Businesses are frustrated by the crazy quilt of state and local privacy regulations they must know and observe. They'd like a clearer national standard. For that reason, many are backing a bill by Rep. Steven LaTourette (R) of Ohio. But consumer groups say that the bill as written would weaken consumer protections passed by states. They prefer a bill by Rep. Joe Barton (R) of Texas that contains more of the protections seen in state laws.
"The reason we know about ChoicePoint and the dozens and dozens of [privacy] breaches that have occurred after" is a California law that requires companies to notify customers if they believe customer data may have been stolen, says Susanna Montezemolo, a policy analyst at Consumers Union, a nonprofit consumer-advocacy group. Twenty-three states now have some form of notification law. "Today we have a de facto national standard" for notifying customers, Ms. Montezemolo says, since companies that operate in several states usually adhere to whatever is the strictest standard.
Companies that adhere to higher privacy standards also use that policy to competitive advantage, says Larry Ponemon, founder and chairman of the Ponemon Institute, an independent privacy research company in Elk Rapids, Mich. A survey by his firm found that 20 percent of Americans say they'd stop doing business with a company if they found out their personal data had been shared inappropriately.
Twenty states have enacted "security freeze" legislation that lets citizens lock their credit files against anyone trying to open a new account or gain new credit, Montezemolo says. That ability is important in keeping thieves from exploiting stolen Social Security numbers.
In a speech earlier this month, Sen. Hillary Clinton (D) of New York proposed a broad "privacy bill of rights" backed by a "privacy czar" reporting to the White House. Citizens should have the right to know, and to correct, information being kept about them by businesses, and to make decisions about how their information is used, Senator Clinton said.
"These rights should be basic to all of the commercial transactions we undertake and be part of a basic privacy bill of rights that has to be adhered to by every commercial information gatherer or marketer," she said.
Mr. Gellman, the privacy consultant, would like Congress to create an independent federal privacy agency, which could better enforce privacy laws already on the books. New legislation doesn't always help, he says. Take those privacy rights notices businesses must send to customers: "Nobody reads them. It costs [companies] a lot of money to send them. But they don't do anything at all for consumers," he says. "We end up with the appearance of a privacy law ... and no benefit for anybody."
While the ChoicePoint incident seems to have led to better notification of privacy breaches, Congress has yet to grapple with the question of financial privacy, Mr. Ponemon says: "What constitutes an acceptable level of security over the data that a company collects about you and your family?"
Just as technology has exacerbated privacy issues, it also may be the source of new solutions. The "anonymization" of data, for example, in which databases could be culled for specific information without revealing the individual identities of anyone but wrongdoers, could help national security and privacy exist side by side.
But Gellman suspects keeping private data private will always be a challenge. "When information sits anywhere," he says, "ultimately it gets used by somebody for some other purpose."
While Congress and state governments have passed some privacy legislation and are weighing more, Americans also can do much themselves to protect their financial records. For example:
• Check your credit report for inaccuracies or unusual activity. Federal law requires the three credit-reporting companies (Equifax, Transunion, and Experian) to give you a free look at your report once every 12 months. By applying to a different service every four months, you can get three per year. Call 877-322-8228, or visit www.annualcreditreport.com.
• Check bank and credit-card statements promptly when you receive them, and notify the company if you see what looks like fraudulent activity.
• When choosing Internet passwords or prompts for forgotten passwords, avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your Social Security number, your phone number, or a series of consecutive numbers. Use combinations of numbers, special keys (&, #, %, or $), and letters (both capital and lower-case) to make passwords more difficult to guess.
• Don't carry your Social Security card or number with you. Use other forms of identification whenever possible, such as your driver's license or insurance documents.
• Don't give out personal information over the phone, through the mail, or on the Internet unless you've initiated the contact or you know the person or company is reliable.
• Drop off outgoing mail at a post office or in a collection box, not in your unlocked mailbox. Pick up your mail deliveries promptly.
• When discarding mail or filed documents, shred those with information about you, such as charge receipts, credit applications, checks and bank statements, expired charge cards, and credit-card offers.
• Opt out of "preapproved" credit-card and insurance offers. Call 888-5-OPT-OUT (888-567-8688) or go to: www.optoutprescreen. com/opt_form.cgi (Thieves can steal these out of your trash and use the information on them to steal your identity.)
• Put your phone number on the Federal Trade Commission's National Do Not Call Registry, which prohibits many telemarketers, but not all, from calling you. Your state may have its own "do not call" list. Check www.ataconnect.org/GovernmentAffairs/ StateDoNotCallLists.html.
• Don't send in warranty cards that come with new products. They're used to gather data on you and aren't required to keep the warranty valid (but do keep your receipt).
These tips come from the Federal Trade Commission (www.consumer.gov/idtheft) and the book "Scam Proof Your Life," by Sid Kirchheimer. Both include many more tips and other useful information on how to keep your financial identity private.