Personal Finance
    SAVE   |   EMAIL   |   PRINT   |   RSS  
Privacy experts' wish list
If privacy advocates had their way, consumers would gain far more control over their information.
May 13, 2005: 12:20 PM EDT
By Jeanne Sahadi, CNN/Money senior writer

NEW YORK (CNN/Money) Businesses, government agencies, private investigators and, frankly, anybody with a few dollars and a devious mind can get their hands on some of your most sensitive personal information.

Not that there aren't any laws regulating the collection and use of personal data.

But privacy advocates argue that these laws are so full of holes that those who buy and sell Americans' personal information can work around them without penalty.

In testimony before lawmakers, those advocates have called for Congress and businesses to better secure electronic personal data and restrict its use. And they've urged greater transparency among commercial data brokers that trade in personal data.

Two of those advocates Daniel Solove, assistant professor of law at George Washington University Law School, and Chris Hoofnagle, the West Coast director of the Electronic Privacy Center have come up with a proposal for privacy protection that they hope policymakers will consider in creating new regulations.

Here are some of their suggestions:

Grant more control to consumers

Many citizens may be aware that credit bureaus collect data on them, but most aren't aware of the vast number of commercial data brokers that do.

Until the well-publicized breaches at some of the major players this year, few people had heard of companies like ChoicePoint and Seisint, a unit of Lexis/Nexis.

Solove and Hoofnagle propose that companies that collect, maintain and/or sell personal data should register with the Federal Trade Commission, and make available on public FTC materials and Web sites the types information they collect, how the information is used, the types of clients they serve and how they screen those clients.

They also recommend that the FTC create a centralized do-not-share registry, much like the national Do Not Call list, that lets consumers tell companies they do not want their information shared with third parties.

Consumers should also be allowed to place freezes on their credit reports, they suggest. Currently, consumers are not notified when a creditor views their report. That can facilitate identity theft, since a lender might grant a thief credit in the victim's name without the victim's knowledge.

A freeze would mean a consumer would have to grant permission to any party wishing to view his credit report.

Right now, credit freezes are permitted in only four states -- California, Texas, Vermont and Louisiana.

Lastly, since reports from the data brokers are used to make important decisions regarding the consumer from employment to insurance to tenancy -- Solove and Hoofnagle believe consumers should have a centralized way to access the information brokers have on them and to correct errors.

Curb use of Social Security numbers and hold firms accountable

Identity theft is facilitated when a thief gets his hands on consumers' Social Security numbers, mothers' maiden names, and dates of birth. That's easy to do given how extensively they are used by businesses, financial institutions, schools and government agencies.

Hoofnagle and Solove call for a ban on their use as passwords and a requirement that companies develop methods of identifying consumers that are not based on publicly available data or data easily bought from brokers. Any passwords chosen could be changed easily by the consumer if need be.

According to Solove and Hoofnagle, nearly 50 percent of identity theft victims can't trace the source from where their information was illicitly obtained because companies in many instances are not required to notify those consumers whose records were violated.

Even when victims can trace the breach, they can't always prove monetary damages if their finances aren't tampered with. Yet they remain at risk of identity theft and lose time remedying the breach and monitoring their records.

Solove and Hoofnagle propose that companies be required to tell the individuals affected by a breach and give them a copy of the information that was lost or stolen.

One option for financial redress, they suggest, is that companies be fined when they violate their own privacy policy or experience a security breach due to negligence. The money could then go to a fund where individuals affected can seek reimbursement.


To learn more about the network that trades your personal information for profit, click here.

For steps to take if you learn your personal information has been lost or stolen, click here.  Top of page


Identity Theft
Do-not-call list
Federal Trade Commission (FTC)
Manage alerts | What is this?