honoluluadvertiser.com

The Honolulu Advertiser
Posted on: Monday, August 1, 2005

Make companies liable for the data entrusted to them

By Mark Moses

Identity theft is a huge nationwide problem, the fastest-growing crime in the United States, according to the FBI. Last year alone, more than 9.9 million Americans were victims of identity theft, which resulted in the loss of roughly $5 billion.

In Hawai'i recently, a student worker within the University of Hawai'i-Manoa library system and her husband were arrested and indicted for obtaining student loans using other people's Social Security numbers and birth dates. The student had free access to the information in the university's database of 150,000 students, faculty, staff and library patrons at all 10 UH campuses. UH officials have warned those possibly affected to take proper precautions.

Nationally, two major data-collection companies recently revealed that they had improperly sold detailed personal information on hundreds of thousands of individuals.

ChoicePoint admitted that it had been tricked into providing information on 145,000 people to a group of bogus companies, and corporate officers of LexisNexis reluctantly disclosed under investigative pressure that it had improperly sold data on 310,000 individuals. The information was then used to set up bogus accounts on behalf of nonexistent businesses.

For companies in the data-collection business, personal information about individuals is viewed as nothing more than a commodity to be bought and sold, and these data-collection companies intentionally sold personal information to third parties without the consent of the affected individuals.

The companies offered little more than an apology for the inconvenience to those whose lives may have been disrupted or ruined by the fraudulent or criminal use of their personal data.

Personal data can also end up in the wrong hands if not properly handled or stored. CitiFinancial, the consumer finance division of Citigroup Inc., reported that it lost information about the accounts of 3.9 million U.S. customers, including Social Security numbers and payment histories, that was being sent by courier to a credit bureau.

In another recent case, information on more than 40 million credit and debit cards, including individuals' names, card numbers and security codes, was lost when hackers accessed credit data that should have been discarded but was instead kept in an unencrypted form by Atlanta-based processor CardSystems Solutions.

Information about you can also end up in the wrong hands when it's stolen from companies that fail to take needed precautions. Bank of America reported the loss of credit data on 1.2 million federal employees when hackers accessed their computers utilizing a technique known as "phishing."

Hawai'i has few laws in place to protect the collection, storage, selling and safeguarding of personal information, or requiring notification when data is lost. Our state needs stronger laws to protect individuals from the disclosure of personal information that makes the crime of identity theft possible.

We should require companies to notify potential victims whenever the loss of personal information is detected or suspected, and make those who accumulate and maintain databases containing personal information strictly liable to victims of identity theft resulting from the improper disclosure of personal information.

Victims of even a suspected identity theft, where no financial loss has yet been occasioned, nevertheless have to go through the inconvenience of changing credit cards, bank account numbers and reviewing their credit reports, and these victims should not have to bear the burden of proof. Strict liability would place the burden on the database owner to take adequate precautions to safeguard the personal data of individuals entrusted to them.

New legislation is needed to prevent companies from keeping information on individuals that is not absolutely necessary for business purposes, and to require them to protect the information they do keep.

Making companies strictly liable for the data entrusted to them is probably the most effective way to get businesses to be more responsible. Criminal sanctions may be appropriate where misconduct has occurred, or the lack of corporate responsibility and due diligence is egregious and flagrant.

Republican Mark Moses represents the 40th state House District (Makakilo, Kapolei, Royal Kunia).