Financial Data Vulnerable; Acxiom Fights Against Bills

by Talk Business & Politics

Acxiom Corp.’s efforts to lobby against proposed federal data-protection legislation that it considers overly restrictive are being undermined by a continuing string of high-profile security breaches that have made corporate information security look like a sieve.

On April 12, the day before Acxiom’s chief privacy officer, Jennifer Barrett, testified before a Senate Judiciary Committee hearing on electronic data security, LexisNexis of New York revealed that a breach of one of its databases may have compromised sensitive information on about 310,000 Americans, more than 10 times the company’s initial estimate.

The problem isn’t limited to data brokers, and financial information is clearly vulnerable: On April 19, the DSW Shoe Warehouse chain confirmed that a previously reported data breach affected almost 1.5 million credit card and check-transaction customers. Later the same day, discount broker Ameritrade said a backup computer tape containing personal information on about 200,000 current and former customers had been lost.

Congress is considering a series of bills aimed at keeping consumers’ most personal information from falling into the hands of potential identity thieves.

Though some privacy advocates question why companies like Acxiom have such information in the first place — more on that later — legislators seem most concerned with preventing identity theft. It is a crime that victimized nearly 10 million consumers and resulted in losses exceeding $50 billion in 2002, the most recent year covered by the Federal Trade Commission’s survey, and its frequency is on the rise.

Acxiom has sustained security breaches of its own, most recently in August 2003. But Barrett claims that none of Acxiom’s breaches have ever resulted in an identity theft.

Indeed, Acxiom boasts it is at the forefront of information security. The company spends “tens of millions of dollars” each year to secure its data, Barrett said. “And it gets bigger.”

In 1990, before most companies were acquainted with the Internet, Acxiom made Barrett one of the business world’s first chief privacy officers. Over the years, the company has tried to stay ahead of the curve on securing its data, and it says it already implements many of the security measures now being proposed in congressional legislation.

What’s more, the type of data under review represents but a fraction of Acxiom’s business.

But even though the company is downplaying the stakes of proposed legislation, its involvement is much closer than the sidelines.

Whose Business Is It?

In its 2004 fiscal year, Acxiom brought in more than $1 billion in revenue. Of that, $778 million came from its customized computer services and $233 million from its line of information products – data.

The data portion of Acxiom’s business is split into four categories: marketing products, directory products, fraud management products and background screening products.

Two of those, background screening products and fraud management products, contain sensitive info such as Social Security numbers and driver’s license numbers — information Acxiom sells to businesses and government agencies.

It is here that Acxiom distinguishes itself from some other data brokers.

In her testimony to the Senate Judiciary Committee, Barrett said, “Acxiom’s fraud management products are sold exclusively to a handful of large companies and government agencies – they are not sold to individuals.”

In one high-profile case, ChoicePoint Inc. of Alpharetta, Ga., was duped by criminals posing as businesses, who faxed phony business licenses and often never had face-to-face contact with the data provider.

Acxiom’s clients have legitimate addresses and face-to-face contact with the company, Barrett said.

“We have a good understanding of who we do business with,” she said.

Still, even legitimate customers can breach security and steal data. They did with LexisNexis, and with Acxiom.

Last month, Daniel Baas of Milford, Ohio, was sentenced to 45 months in federal prison for stealing data from Acxiom between December 2002 and January 2003. At the time, Baas was working as a systems administrator for Market Intelligence Group, which was a legitimate Acxiom customer.

Prosecutors did not believe Baas did anything with the information he accessed, but the breach cost Acxiom $5.8 million.

During its investigation of Baas, the company discovered another breach that cost the company at least $7 million.

Last July, federal prosecutors indicted online advertiser Scott Levine, who ran Snipermail.com of Boca Raton, Fla., on 139 counts for accessing an Acxiom server used for file transfers, downloading an encrypted password file and accessing 8.2 gigabytes of data that included customer names, addresses, e-mail addresses and demographics. Prosecutors claim Levine then sold that information for use in marketing; they do not believe it was used for identity theft.

At the time, Assistant U.S. Attorney Sandra Cherry of Little Rock said, “It may be the biggest cyber-crime ever prosecuted and investigated.”

Acxiom insists security weaknesses that made those two breaches possible have been corrected. ChoicePoint, LexisNexis and other companies whose breaches made headlines have made the same assurances.

Legislators are beginning to insist that data brokers need more regulations to prevent breaches and to make sure affected consumers are informed when they do happen.

Legislation

At the forefront of proposed data legislation is Sen. Dianne Feinstein, D-Calif. Feinstein has already proposed three bills aimed at thwarting identity theft, which have been met with mixed reviews both from the Senate and from Acxiom.

A bill proposed by Feinstein that would require businesses and government agencies to notify customers when it appears a hacker has accessed their personal information died in the last congressional session because of opposition from banks and financial institutions.

Some form of a similar notification bill Feinstein introduced this month is expected to pass, but the details are still being debated.

One of Acxiom’s key objections to the bill is that it would not preempt state legislation. Barrett describes the issue as a practical one.

“I think a national standard is in the best interest for the business community, so if you have to give a notice then you have to give the same notice to everybody,” she said.

When it comes to technology bills, Congress has historically enacted federal laws that prevent states from passing stricter ones. But some argue that stricter state laws could prove more effective.

Vermont Attorney General William H. Sorrell said in his testimony to the judiciary committee that Congress should “allow states to enact laws that are more protective of consumers, thus ensuring that states can continue devising additional innovative solutions to this issue.”

Another provision in Feinstein’s bill requires notification even if the breached information was encrypted or was not used. Barrett took issue with that, saying, “I don’t know why she feels the need to report to the consumer gobbledygook.”

Ultimately, Acxiom supports some form of notification bill, but Barrett said she would like to see a bill that only requires consumer notification if there’s a risk of identity theft.

“It’s called a cry wolf syndrome,” she said. “Cry wolf too many times and people won’t listen.”

Barrett said Feinstein “comes really close” with her Social Security Number Misuse Prevention Act, which would prohibit the sale or display of Social Security numbers to the general public and require Social Security numbers to be taken off public records published on the Internet. But again, Barrett wants the law to preempt state laws, and she disagrees with some of the bill’s penalty provisions.

Privacy advocates have long railed against the widespread public use of Social Security numbers as identifiers. In 2003, for instance, the Arkansas General Assembly halted the use of Social Security numbers as driver’s license numbers.

James Dempsey, executive director of the Center for Democracy & Technology, told the Senate Judiciary Committee, “Given the ubiquity of Social Security numbers in the public domain, it might not be possible to prevent criminals from acquiring them, but that does not mean we should give up trying to curtail the SSN’s overuse and misuse.”

Another piece of legislation proposed by Feinstein, the Privacy Act, would require companies to let consumers “opt in” before their sensitive information is shared and give them a choice to “opt out” when less sensitive information is shared.

Barrett said she was not familiar with that bill but that Acxiom already lets consumers opt out of its marketing data and allows them to look at reference products to make sure that data is accurate.

Democratic Senators Chuck Schumer of New York and Bill Nelson of Florida have proposed another, more comprehensive bill. It would include breach notification, crack down on the sale of Social Security numbers, regulate data brokers in the same way as credit bureaus and create a new Federal Trade Commission office to help identity-theft victims restore their identities.

Barrett seemed at best lukewarm about the bill, saying “the concepts aren’t particularly bad.” But she also wondered “how much of those need to be written into law and how much need to be part of a [company’s] code of conduct.”