April 15, 1997
Secretary, Federal Trade Commission
RE: Data Base Study -- Comment, P974806
Dear Mr. Secretary:
In response to the Commission's Notice Requesting Public Comment and Announcing Public Workshop ("Notice"), issued March 4, 1997, the National Council of Investigation and Security Services, Inc. (NCISS) submits the following preliminary comments on issues relevant to the Commission's study on computerized databases containing sensitive consumer identifying information. By an accompanying separate letter, NCISS has requested the opportunity to participate in Session One of the Public Workshop on Consumer Information Privacy, scheduled for June 10, 1997.
NCISS is an association of about 1000 security and investigative companies, large and small, across the United States, serving individuals, businesses and government agencies. Our membership also includes the state associations representing all licensed private investigators and security services in 36 states. Founded in 1972, our mission focuses on training, education and advocacy on behalf of the private sector security and investigative industries. NCISS has participated actively in proceedings involving a number of state and federal privacy and information policy issues, including most recently the inquiry of the Board of Governors of the Federal Reserve System on the risks to insured depositary institutions of the availability of sensitive consumer identification information.
These preliminary comments focus on the issue posed in question 1.11 of the Commission's Notice: " How do the risks of the collection, compilation, sale and use of ... information [in these databases] compare with the benefits?" Our answer, in short, is that these risks are dwarfed by the benefits.
The experience of NCISS members in literally hundreds of thousands of background checks, fraud investigations, and financial "due diligence" projects is unequivocal. If the availability of personally identifiable information about individuals were drastically restricted, committing fraud would become more difficult. But preventing, detecting and combatting fraud would become virtually impossible. The net effect of such restrictions would be extremely harmful to American consumers, businesses, and the society as a whole.
NCISS member firms play a key role in preventing and investigating financial frauds carried out against American insurance companies, financial institutions, retail and wholesale commercial establishments, and other businesses. Our investigative work underlies the "due diligence" that American businesses perform in order to minimize the risk of fraud and loss in literally millions of transactions each year, ranging from individual employment decisions to the purchase and sale of entire businesses.
Year in and year out, the American marketplace is the field of a seemingly never-ending battle against a wide range of financial frauds, ranging from simple theft to complex white-collar scams, that taken together constitute a multi-billion dollar drag on the economy. It is neither realistic nor appropriate to expect law enforcement authorities to shoulder the full burden of this warfare. Without the efforts of private investigative firms, as well as the security departments of thousands of individual businesses, this rising tide of fraud would seriously damage many firms, large and small, and consequently threaten a risk of loss to the institutions which finance, insure, and extend credit to these businesses.
Those in the front lines of the battle against financial fraud -- including, but by no means limited to, NCISS members -- need timely and reliable access to accurate factual information about individuals to do our job. We use this information to verify the identities and check the backgrounds of job applicants, prospective business partners, and other participants in financial transactions; to conduct due diligence investigations of financial representations and claims made; to develop leads and identify and locate witnesses in insurance fraud investigations; and for a host of other purposes that help to prevent the commission of acts of fraud, to detect them when they do occur, and to positively identify those responsible.
NCISS member's investigative activities also advance many other important social goals. We help find missing and stolen children, stop spousal abuse, and locate deadbeat parents. All these investigations require considerable use of "sensitive data" on the parties involved or those who have information as to the whereabouts of individuals and witnesses. Governments will not, and many times cannot, get involved in these cases.
The vital services that NCISS members provide have been made easier and more efficient in recent years by ready access to current and updated electronic databases of personally identifiable information, including the "look up services" with which the Commission's study is concerned. This access lets us conduct the necessary investigations much faster and more economically than in the past. Our clients -- businesses, government agencies, and individual consumers and citizens -- are the beneficiaries of these improvements. Conversely, if changes in law or regulation made the compilation, maintenance and support of these databases illegal, or made access to them for legitimate investigative purposes more difficult, time-consuming or expensive, the defenses of financial institutions and other businesses against fraud would be weakened or compromised.
The free flow of information, including personally identifiable information provided by individuals or gleaned from public records, provides enormous benefits to the banking system, to business in general, and to society as a whole. These benefits are too often taken for granted. In conducting its study, the Commission must be sure to present the whole picture, and not focus solely on the possibilities for abuse.
NCISS is well aware of those possibilities; we see them realized every day. Too often -- because even once is too often -- personally identifiable information is accessed and disseminated, not for the legitimate investigative purposes outlined above, but for frivolous or malicious purposes. The availability of this data through online services and the Internet highlights this problem, but it certainly did not create it. Many of the anecdotal "horror stories" about abuse of personally identifiable information involve individuals who obtained the information over the counter at a government agency holding public records, or through fraudulent means unrelated to online access. No regulatory or statutory changes can ever entirely eliminate this vulnerability to abuse. Proposals to restrict access in ways that make such abuse less likely must be balanced against the social and economic costs of the restrictions, notably the reduced ability of financial institutions and other businesses to prevent, detect and combat fraud.
In the view of NCISS, new laws or regulations to constrict the flow of information that is so essential to the efficient functioning of the economy are not justified at this time. Instead, NCISS calls the FTC's attention to three alternative means of discouraging abuses while retaining the benefits of the status quo: adoption of sound business practices; vigorous enforcement of existing laws; and better education of all participants.
There are many steps the private sector can take to lessen the likelihood of abuses. For example, responsible database vendors conduct their own due diligence on parties seeking to obtain online access to personally identifiable databases that contain sensitive consumer identification information, including verification of the customer's claimed status and of the legitimate purpose for which access is sought. References may be demanded and checked; onsite inspections of the customer's premises are sometimes required. Actual use of the service can be carefully monitored to ensure that it conforms with the stated purpose for which access was sought. Failure to satisfy these criteria will result in a denial of service, or, if service has already been commenced, its immediate termination.
Furthermore, some investigative needs can be adequately satisfied through less than full access to the entire database. For example, obtaining part of an individual's social security number is rarely useful to someone seeking to commit a financial fraud. It may, however, be sufficient to allow a financial institution or other business to establish the approximate age or geographical origin of an individual, and thus assist in verifying whether other identifying information presented by an individual is real or bogus.
Providers of personally identifiable information who adhere to these practices significantly lessen the risk that this data will be used, not to protect consumers and businesses against fraudulent or illegal behavior, but to commit frauds or even criminal acts. NCISS is working actively with other industry participants to reach consensus on sound business practice guidelines. Although the industry is quite diverse, we are making real progress, on which we hope to report at the time of the FTC Public Workshop.
Of course, none of these practices can reduce that risk to zero. NCISS believes that, beyond the encouragement of responsible business practices in this field, the federal government can most constructively attack this problem by vigorously enforcing the laws already on the books. Those laws, including the Fair Credit Reporting Act, general criminal laws such as wire and mail fraud, and the new prohibitions contained in the Drivers' Privacy Protection Act, already forbid identity fraud and virtually all the other serious abuses that can be committed with the help of access to personally identifiable information. If any loopholes are identified, they should be closed. In any event, a focus on the specific fraud or other abuse that is actually carried out with the assistance of personally identifiable information is clearly preferable to a restrictive, regulatory approach that may prevent a few abuses, but also makes legitimate uses more difficult, more expensive, or even impossible.
Finally, the FTC and other federal agencies have a critical role to play in educating businesses, consumers, and the general public about prudent use of personally identifiable information. Most members of the public, and even many who are deeply engaged in the banking, credit, retail, and other industries with the most at stake, have little understanding about how personally identifiable information is collected, processed and used to deliver economic benefits. The private sector can and should shoulder a significant role in dispelling this ignorance.
NCISS appreciates this opportunity to comment on the issues raised in the Commission's Notice. We look forward to participating in Session One of the Commission's Public Workshop on June 10, and to supplementing these comments at a later point in these proceedings.
Gary H. Kuty, President
Jack H. Reed, First Vice President
Steven J. Metalitz