
Taking Back Our Information

Demanding Disclosure from Banks

March 2007
We’ve been reduced to this.  Four years after California passed the first state law in the country requiring companies to notify consumers when a security breach might expose their personal information to identity thieves, consumer advocates are still begging and cajoling Congress to pass a similar law nationwide.  This is pitiful, really.  Breach notification, after all, is just the bare minimum protection consumers have against identity theft – once they’re notified, it’s usually still the consumers’ responsibility to monitor their own credit and fight the creditors if any fraudulent charges are discovered.

"What [the banks] fail to remember is that data belongs to us, the consumers. They fail to remember that transparency always cures waste; openness always reduces fraud."
After many failed attempts, Senator Dianne Feinstein (D – CA) has introduced two bills that could help prevent identity theft.  But mindful that her bills will likely need support from at least a few Republicans to pass, Feinstein has included several business-friendly exceptions that could seriously weaken both bills’ effectiveness.  The more important of the two bills would create a national breach notification standard for companies.  But the proposal contains a troubling loophole.  Businesses could avoid notifying the public completely if they conduct a risk assessment to see whether there’s any chance that consumers could actually be affected by the breach, and if they give the assessment results to the Secret Service.

Feinstein’s other bill limits the situations in which companies can ask customers for their Social Security numbers, and prohibits the sale or display of Social Security numbers to the public without each individual’s consent.  This is obviously a step in the right direction.  The big problem here, however, is that the bill specifically exempts data aggregators, companies that buy and sell vast databases of personal information, including Social Security numbers, to the highest bidder.  Passing a law on data security that leaves out data aggregators is like passing a law to ban slavery that exempts slave traders.  It makes virtually no sense.

And yet even after these massive compromises, passing either of Feinstein’s bills will be no easy task.  “It’s been difficult to get the notification bill passed, even though on its face it’s the right thing to do,” said Scott Gerber, spokesman for Senator Feinstein.

Which is why the work of Chris Jay Hoofnagle is so refreshing. Hoofnagle is a senior fellow at the Center for Law and Technology at the University of California-Berkeley.  In March he testified before the Senate Judiciary Committee, of which Senator Leahy is the chair, about a new proposal for how to track and hopefully deter identity theft.  A major problem, Hoofnagle says, is that we currently have no reliable way to quantify identity theft.  When it comes to data breaches, each state’s law is different in its definition of what constitutes a breach and when it must be reported.  Creating a unified list of breaches, a total number of consumers affected and a breakdown of how the breaches happened would be impossible.  If passed as written, Feinstein’s law would allow many companies to keep their breaches secret, adding to the difficulty of quantifying security-breach trends.

Currently, we only have two ways to try and understand the scope of identity theft as a crime epidemic.  First, the Federal Trade Commission records consumer complaints, and year after year identity theft is the most-reported scourge.  Second, we can track identity theft through representative polling of consumers.  Neither method is particularly effective.  Both depend on consumers knowing they’ve been victimized, which is becoming increasingly difficult as crooks employ sophisticated tactics such as synthetic identity theft, where they pick data from multiple victims to create an entirely new, fake identity.
   

Hoofnagle’s suggestion

Before we go creating laws willy-nilly, we need a better understanding of the problem.  And the people who actually know what’s happening are the banks, credit card companies and other lenders, which all maintain sophisticated fraud monitoring systems.  Hoofnagle’s proposal:  Congress should force financial institutions to disclose how many of their customers have suffered identity theft, the kind of fraud involved and the amount stolen.  “Access to basic information about who has experienced breaches and how the breaches occurred will provide important guidance about how to improve the information security landscape,” Hoofnagle told the committee.

The New York Times called Hoofnagle’s proposal “a radical new idea on a way to obtain reliable numbers on the extent of identity theft.”

In addition, publishing this data would create valuable public information about which companies are serious about stopping fraud.  This in turn would create a stronger financial incentive for companies to elevate their data security.

The powerful financial services industry would strongly oppose such a plan.  Banks already trade identity theft data among themselves to help develop stronger antifraud measures, Doug Johnson, a senior policy adviser at the American Bankers Association, told the Times.  He believes public disclosure of the numbers would be a distraction.  “We should be watching what's happening today, not what happened in the past,” Johnson told the paper.

This is a weak argument.  The banks already watch what happened in the past to develop future safeguards.  What they really fear is consumers and legislators looking at the numbers, too, because that could bring added regulations.  The banks and credit card companies aggregate consumers’ personal data to come up with their numbers on identity theft.  What they fail to remember is that the data belongs to us, the consumers.  They fail to remember that transparency always cures waste.

Given Congress’s glacially slow pace in addressing identity theft, it’s unlikely that bold proposals like Hoofnagle’s will gather traction anytime soon.  What Hoofnagle really has done is broaden the terms of the debate.  For years there have been only two poles in the national discussion of identity theft: Either we take baby steps, or we do nothing at all.  Hoofnagle’s proposal is so different, and yet so utterly practical, that it could shift the paradigm.  Financial institutions have the information we need to keep us safe, and that information belongs to us.  Perhaps it’s time we take it back.    

©2003-2010 Identity Theft 911, LLC. All rights reserved.
