April 15, 1997
RE: Data Base Study -- Comment, P974806
CDB Infotek, based in Santa Ana, California, is the nation's leading provider of public record information. As a member of the information industry, CDB Infotek is a business-to-business provider of public record information products. The company was founded in 1979 as a licensed private investigative firm but discontinued offering these services in 1991 to focus on providing on-line public record information to the business community. In 1996, a majority interest in CDB Infotek was obtained by ChoicePoint, formerly the Insurance Services Group within Equifax, and today the nation's leading provider of personal information for insurance and risk management decisions. CDB Infotek provides access to its public record information products to selected organizations with legitimate business purposes in the following sectors.
CDB Infotek is submitting these comments in response to the Federal Trade Commission's March 6, 1997 Federal Register request for comments regarding computerized data bases containing sensitive consumer identifying information, the subject of Session One of the FTC's June, 1997 public workshop. CDB Infotek hereby submits comments in response to Questions 1.5, 1.10, and 1.27.
"Do the data bases contain identifying information that consumers regard as sensitive? What identifying information is considered to be sensitive? Why is such information regarded as sensitive? Please provide specific examples."
The information industry, including CDB Infotek, collects and maintains a variety of personal information in a variety of data base products. Depending upon the data base, this information may include name, address, prior addresses, place of employment, age and a full or a truncated Social Security Number. The vast majority of this information comes from public record sources or publicly available sources. This information is used by government and businesses for a wide array of important and socially beneficial purposes, including:
The staff of the Board of Governors of the Federal Reserve System has just completed a report concerning the availability of consumer identifying information and financial fraud.(1) That report concluded that a "determination of what is sensitive information is largely subjective. What is sensitive in one context may not be sensitive in another." (Page 15.) Attempting to define "sensitivity" is not a useful exercise. Rather, it is important to emphasize that the information which the information industry customarily maintains, while not without privacy implications, is materially and dramatically different, from a privacy standpoint, from the personal information maintained in data bases which are customarily subject to federal or state privacy legislation. Federal and state privacy legislation customarily addresses the collection, maintenance, use and disclosure of medical information, genetic information, credit card information, credit report information and information which may reveal intimate lifestyle preferences. Most of the personally identifiable information maintained by the information industry, including CDB Infotek, is either identifying information or information which has been obtained from entirely public record sources, such as court records.
As such, the information is either already in the public domain and/or the information merely identifies the individual without providing information about status or performance.
"Do these data bases create an undue potential for theft of consumers' credit identities? How is such potential for theft created?"
The Federal Reserve Board study concluded that, "There is little hard evidence on how fraud due to the usage of sensitive information occurs, the frequency with which it occurs, or the amount of associated losses." (Page 21.) The report goes on to say that losses attributed to identity theft do not pose a significant risk to insured depository institutions, but may pose a growing risk for consumers and other financial institutions.
Two points should be made in addition to noting that the Federal Reserve Board has been unable to conclude that these data bases pose a risk of identity fraud. First, CDB Infotek, and most of the information industry, does not provide access to its data bases to the general public or to consumers. Instead, CDB Infotek's data bases are available only to legitimate businesses for business purposes. CDB Infotek knows its customers and has a reasonable basis to believe that customer access to its data bases is for legitimate business purposes. Second, an individual who is intent on violating the law and another individual's privacy by assuming that individual's identity can use government repositories to obtain all of the information necessary to attempt to assume an individual's identity. Indeed, given that the general public is not able to obtain personally identifiable information from CDB Infotek and the information industry, a criminal who is intent on committing identification fraud is far more likely to use government repositories and public record sources than any source provided by the information industry.
"Have data base operators undertaken self-regulatory efforts to address concerns raised by the collection, compilation, sale, and use of sensitive consumer identifying information?"
Until recently, organizations maintaining computerized data bases of personally identifiable information within the information industry have not thought of themselves as a distinct industry. Indeed, organizations maintaining computerized data bases of personally identifiable information run the gamut from electronic white pages and telephone directories, to automated newspaper morgues and reference services, to data bases serving specific industries such as lawyers and law firms, to public record companies, to government repositories.
At least in part because of the Federal Reserve Board and now the Federal Trade Commission studies, the information industry is becoming organized. Many members of the industry are currently at work attempting to develop industry-wide, voluntary privacy principles and guidelines. It is intended that this effort will be completed in time for the FTC June hearings. In addition, CDB Infotek is bringing together in one document all of the current privacy and security protections which CDB Infotek employs. CDB Infotek is hopeful that it will be able to supplement this submission prior to the June hearings; CDB Infotek has requested an opportunity to participate in these hearings; and CDB Infotek anticipates that significant further attention and effort to privacy issues will be ongoing beyond the June FTC hearings.
Enclosed are six copies of these comments as well as a 3 1/2" disk (WordPerfect 5.1) on which the comments have been saved.
Brenton S. Bean
1. Board of Governors of the Federal Reserve System, Report to the Congress Concerning the Availability of Consumer Identifying Information and Financial Fraud, March, 1997; submitted to the Congress pursuant to Section 2422 of the Economic Growth and Regulatory Paperwork Reduction Act of 1996.