ECommerceTimes.com
INDUSTRY REPORT
Online Privacy Regulations Forcing Better Handling of Data

New electronic privacy laws are forcing businesses to rethink how they handle their digital data. The retail industry is now regulated by new privacy laws aimed at reducing the growth of identity theft and consumer fraud.

Congress passed the Fair and Accurate Credit Transactions Act, known as FACTA, in 2003. This law, which amended the Fair Credit Reporting Act (FCRA), calls for the proper disposal of information in consumer reports and financial records to protect consumers from unauthorized access to or use of the information. The initial regulations took hold in December of 2004.

The final round of FACTA regulations kicked in last month. Known as the Disposal Rule, this federal regulation requires businesses and individuals to ensure proper disposal of sensitive information from consumer reports. It requires any business or individual who uses a consumer report for a business purpose to comply with stringent safeguards.

Security Issues Multiply

FACTA and the Disposal Rule are extensive regulations that have key implications for business. The combination of these two federal security standards for consumer privacy is the first major attempt by Congress to deal with identity theft, according to industry watchers. These policies include requirements that companies destroy electronic files or media containing consumer report information so that the information cannot be read or reconstructed.

One of the pressing issues Congress faces, said Barry Benjamin, an attorney with Pitney Hardin in New York, is that old technical problems reappear in new ways. Barry counsels clients on the development of data collection, as well as e-mail and privacy policies.

In essence, computerized banking transactions and Internet commerce practices have put new twists on old identity theft methods used by criminals. Federal guidelines are just now starting to focus on electronic processes that did not exist when other federal regulations were first designed.

"Consumer information breached via computer is dumpster diving in a new form," Benjamin told TechNewsWorld.

This dumpster diving effect, or criminals rummaging through discarded paperwork to find identity information, is compounded by the number of companies involved in handling computer records today.

"Companies really need cradle-to-grave procedures for data handling. This is a huge boon to the shredding machine concept," Benjamin said.

The size of major corporations and the amount of outsourcing they do contribute to the consumer information management problems. Benjamin said this creates a rippling effect of spreading customer data.

Filling a Void

Taken together, these issues pose a dilemma. How does the government get all these companies to comply with new consumer protection laws?

"Do the big corporations have to ensure third party companies are complying? Do they have to train them? This is a major problem for corporations now," Benjamin said.

Until now federal laws did not directly address the problems surrounding consumer notification when personal information was obtained from stolen computer records. Without clear federal guidelines, some states are passing laws that require companies to notify consumers in those states when computer records regarding them have been breached.

For instance, the California Information Practice Act of 2003 requires companies that own or have access to personal information of California residents to notify them if their information has been or might have been accessed illegally. Other states are adopting similar laws. California was the first state to address the electronic consumer data issue, security experts said.

"Maybe as many as 20 to 25 states have breach notification statutes now. They are all different," said Richard Fischer, a nationally recognized expert on privacy and identification theft and partner in the Washington, D.C., office of Morrison & Foerster.

Having so many different state regulations is posing huge compliance problems for companies. However, lawyers say that the absence of adequate federal laws for electronic privacy protection leaves state legislators no other choice but to create their own protections.

Glaring Examples

"The only logical response for Congress is to create national rules. There are five Congressional committees working on this," Fischer told TechNewsWorld.

Some security experts see federal lawmakers using California's tough standards in setting federal breach notification and consumer privacy standards. The California Information Practice Act is so comprehensive, they say, that it creates a solid guideline for a national standard.

"There is a vacuum at the federal level regarding this. The California law goes a long way in solving this," Benjamin said.

Lawyers and security experts point to the security breach involving consumer records at ChoicePoint last year as a definitive marker for public reaction. A backlash developed when ChoicePoint notified only California residents that their information was exposed, Benjamin said.

"This brought the problem to light. Identity theft is such a big problem that all people affected need to be informed," Benjamin asserted.

Another significant case regarding computerized consumer record thefts is the case involving BJ's Wholesale Club. In that case, the company's computer database was hacked, with intruders stealing thousands of financial files about customers' credit cards.

"BJ's had no idea they were collecting all this data on their members. As a result, companies are learning that they cannot store all of this data," Fischer said. "Historically this practice has been a sleeping dog. Now the dogs are awakened."

No Silver Bullet

Fischer pointed out that companies involved in consumer information breaches face hefty penalties, as indicated in the BJ's case. He said BJ's must follow a 10-year security agreement and monitoring. BJ's had to post US$500,000 in reserve penalties for future lawsuits.

In order to protect itself, BJ's is suing IBM (NYSE: IBM), alleging the software BJ's used allowed hackers to intrude, Fischer said.

Some in the information technology field, however, are not convinced that FACTA alone will solve the identity theft problems. They see a movement in the industry to harden the electronic data process beyond what federal and state lawmakers call for.

Take, for instance, the view of J.C. Cannon, author of the book Privacy: What Developers and IT Professionals Should Know. He works at Microsoft (Nasdaq: MSFT) as a privacy strategist. The views expressed in his book, however, do not echo Microsoft policy, he said.

In order to have more secure computerized consumer records, the IT community needs better processes in place, Cannon told TechNewsWorld.

"In general, new laws won't work. Companies need to live up to their obligations to protect consumer information. Telling consumers after their information is gone is too late," Cannon said.

Better Data Protection Needed

Instead of worrying about breach notification, legislation needs to focus on having companies protect customers' records better, Cannon explained.

"I'm opposed to these laws. But if the IT industry is not going to police itself, then the government has to step in by default," he said.

Cannon could be correct in this view. Attorney Benjamin said that before the California breach law thrust the consumer issue into the limelight, the problem was long known to companies handling electronic records.

"Before this California law, record theft incidents happened all the time, but nobody knew about them," Benjamin said.


More by Jack M. Germain