GPSOLO July/August 2007
Benefits and Challenges of Publicly Available Information
In my role as litigation technology support coordinator for the firm where I practice, I am often asked to conduct background checks on various individuals. Background checks are one of the most efficient ways to obtain comprehensive information on those involved in lawsuits. Criminal records, property ownership, driver’s licenses, family members’ relationships, and professional licensures are just a few of the items a background check can reveal. More often, however, I am asked simply to find the last known address of an individual in order to locate the current whereabouts of a party or witness.
When conducting these searches, I typically use a service such as Accurint (www.accurint.com), a database of public records information. I ask the lawyers for as much identifying information as possible: full name, last known address, and birthdate are the most common. But if one simple number—the Social Security Number (SSN)—is available, no other information is necessary for a successful search. The SSN is the unique identifier that can conclusively establish the identity of someone I’m trying to locate. Whereas a search for a specific name will likely return several results, an SSN eliminates the need for even the person’s name.
Services such as Accurint are really “aggregators” of information that pull information from millions of public records and make them available in an easily searchable database. These services are used by employers, insurers, landlords, law enforcement, and anyone permitted by law to obtain background information on the individuals they do business with, hire, or serve.
In the past few years, however, data-bases of publicly available information have come under fire for disseminating personal information that could, and does, fall into the hands of identity thieves. The Better Business Bureau estimates that identity theft cost consumers more than $55 billion in 2006; as information is increasingly digitized, that number is only expected to increase. The one piece of personal information most necessary for identity thieves is the SSN. Although knowing an individual’s name, address, and phone number will not usually help an identity thief, combining those with just one numeric identifier (SSN, driver’s license, bank account, PIN, credit card, security code, etc.) can enable a thief to create fraudulent accounts in his or her name.
Governmental agencies are now engaged in broad attempts to remove personal identifiers from public records, but this conversion takes time. This article discusses the dilemmas posed by the availability of personal information, current privacy laws, the disastrous consequences of database breaches, the ways states have responded to the threat, and what you and your clients can do now to protect yourselves from identity theft.
Public Records and Privacy Rights
As you might expect, a public record is exactly that—public. Few laws prohibit the disclosure or dissemination of information contained in public records: driving and voting records; birth, marriage, and death certificates; and property, court, divorce, and arrest records are all generally considered to be public information. Other records, such as medical, tax, and school records, are typically classified as confidential and thus not available to the public.
Two federal laws deal with the privacy of your personal information. The Privacy Act of 1974 (5 U.S.C. § 552a) primarily deals with keeping federal government records containing personal information confidential. Under the Privacy Act, you may access your own personal information upon request, but you may not see the personal information of others unless you meet an exception for such reasons as statistical research, law enforcement purposes, or a court order. The second law is the better-known Freedom of Information Act, which allows individuals to apply for information about the government and its operations. Many states have enacted privacy laws similar to these two; they generally, however, do not apply to the types of public records described above.
During the past few years, data breaches have increased in number and scope. The Privacy Rights Clearinghouse (www.privacyrights.org) maintains a chronology of data breaches and estimates that since January 2005, more than 104 million records have been exposed to potential theft. These breaches have occurred in various ways: hacker attacks on computer networks; thefts of computers and hard drives; lost computers, backup tapes, and hard drives; compromised passwords; dishonest insiders; and bogus accounts, to name a few.
One of the first data-theft cases to make a splash in the news involved ChoicePoint, an Alpharetta, Georgia, corporation that is one of the largest data warehousing companies in the world, providing access to more than 19 billion public records. Most of ChoicePoint’s customers are other companies, but in recent years the federal government has increased its use of ChoicePoint’s databases to track terrorists and other bad guys. The government allegedly has access to an “exclusive” data-search program provided by ChoicePoint. Such use raises the concern that federal investigative agencies are not being held accountable to the federal Privacy Act—which protects private information residing in federal, but not commercial, databases. In February 2005 ChoicePoint discovered that identity thieves had accessed its databases by creating fraudulent customer accounts; approximately 163,000 records were affected. The Federal Trade Commission (FTC) levied a total of $15 million in civil penalties and consumer remedies, and victims are being reimbursed for their out-of-pocket losses. In response ChoicePoint offered credit monitoring to those affected by the breach and set up ChoiceTrust (www.choicetrust.com), where consumers can check and challenge inaccuracies in their files. Such services, although helpful, can be costly and may not be offered by smaller data brokers.
The ChoicePoint scandal merely brought the issue of data breaches to the forefront—the Privacy Rights Clearinghouse lists hundreds of data breaches on its website, including the following notable incidents:
• ‑In January 2005 individuals obtained passwords to Accurint by planting “Trojan horse” programs in the computer system of a police department, affecting 280,000 records.
• ‑In February 2005 a backup tape for Bank of America was lost; it contained 1.2 million records.
• ‑In 2006 a laptop with the records of 27 million U.S. veterans was reported stolen from the house of a Veterans Affairs employee who had taken the laptop home from work.
• ‑The FTC reported that identity theft was the top consumer complaint in 2006, with more than 255,000 complaints.
• ‑The Social Security Administration reported in August 2006 that prison inmates in 13 states have access to individuals’ SSNs through their prison jobs, which generally involve data entry and scanning of public records for state agencies. (Only state correctional facilities have such access; federal prisons do not permit access to SSNs.)
There is no denying that the federal government is responsible for many reported data breaches. In response, more than 200 separate pieces of legislation have been introduced during the past three sessions of Congress to deal with some aspect of identity theft. In early 2007 Sen. Patrick Leahy of Vermont introduced S.B. 495, the Personal Data Privacy and Security Act of 2007, intended to “ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.” The law would require government agencies to establish rules protecting privacy and security when hiring data brokers and to conduct regular audits of those contracts, among other provisions. As of this writing, the bill is still in Senate committee.
The states are taking a slightly different approach to dealing with personal information in public records, and the results may not be to everyone’s liking. In February 2007 the California controller ordered the removal of SSNs from state tax liens (more than 153,000 total records). The Texas attorney general issued an order, also in February 2007, emphasizing that state law prohibited county clerk records from displaying the SSNs of living people from appearing in data available to the general public. (The order was abated for 60 days, after clerk offices statewide protested the logistical difficulties of redacting hundreds of thousands of documents.) The Arkansas Supreme Court issued an administrative order excluding SSNs, account numbers, and PINs from sealed and open court records. These examples are indicative of a determined effort nationwide to eliminate SSNs and other personal information from public records.
Although these actions on the part of various state governments demonstrates a clear (if belated) concern for the privacy of its citizens, there’s a definite downside for lawyers, investigators, employers, and others who make use of information contained in databases offered by companies such as ChoicePoint and Accurint. If SSNs are eliminated, the databases will be unable to provide results that conclusively verify an individual’s identity. And if that information doesn’t exist on the original records, the data brokers won’t have it, either. This will make verification of an identity or background very difficult, if not impossible. As Tamara Thompson of the PI Buzz blog (http://pibuzz.com) opines, a more logical course of action would be to make only part of the SSN visible; this is currently the policy followed by federal government agencies. Such a change would provide privacy yet allow investigators and others to conclusively verify an individual’s identity.
Protecting Your Privacy
There is not much you can do to prevent a lot of your personally identifiable information from making its way into a database somewhere. When you obtain a mortgage, get a traffic ticket, or register to vote, your name and other information will likely wind up in a public document. Many states are now passing laws that require notification to individuals when their personal information has been potentially disclosed by a data breach. But having received notice, what should you or your clients do next if they discover their personal information has been compromised? Here are a few steps to consider:
• ‑Identify the type of information breached. If only a specific credit card or bank account was implicated, you may simply need to monitor that account for suspicious activity. However, if your SSN was disclosed, the thief will be able to create new accounts using your name, and you may never know about them if the statements are delivered to the thief’s address.
• ‑Establish a fraud alert. Contact one of the three major credit reporting agencies—Equifax (www.equifax.com), Experian (www.experian.com), or TransUnion (www.transunion.com)—to set up a fraud alert. When new accounts are applied for, creditors will be notified to contact you before extending credit to the applicant.
• ‑Review your credit report. When you set up a fraud alert, you’ll also receive a free copy of your credit report. Examine it carefully to determine whether any institution has made inquiries regarding information or transactions or new accounts have been opened. If the report shows that a thief has indeed opened fraudulent accounts, act quickly; see the sidebar “Further Resources” below for more information on dealing with the FTC and credit bureaus. And continue to monitor your credit reports; an initial clean report is not a guarantee you are in the clear. Credit issuers don’t always pay attention to fraud alerts, or the thief may simply wait awhile to use your information. To receive a free credit report each year, go to www.annualcreditreport.com.
• ‑Initiate a security freeze. The Privacy Rights Clearinghouse reports that 12 states now allow consumers to place a “security freeze” on their credit reports, preventing anyone from accessing the credit file without express authorization. The freeze applies only to new accounts and does not affect existing accounts already in your name. The security freeze is typically free to identity theft victims and requires a modest fee to everyone else.
• ‑Report the theft to authorities. File a report with at least two different entities: the Federal Trade Commission, which prosecutes identity theft, and your local police department. Depending on the type of information stolen or accounts created, you may need to contact credit card companies or other applicable agencies as well.
• ‑Opt out. Can you simply choose not to have your personal information included in brokers’ databases? Yes and no. The Privacy Rights Clearinghouse provides a listing of those companies that provide opt-out policies and those that do not. However, the site cautions that an opt-out does not guarantee that your personal information will not be included the next time the service updates its database. You may have to opt out again and again, which may ultimately become a fruitless venture.
There’s no question that lawyers and individuals in other professions benefit from increasing access to publicly available information. The ability to verify a criminal background or determine whether someone has prior judgments or liens is highly useful when evaluating employees or opposing parties in a lawsuit. Although recent state legislation to eliminate personal information such as SSNs from public record databases is well intentioned, it may affect access to legally available information that helps investigators do their jobs. A balance must be struck that effectively protects the rights of privacy while still allowing valuable information to remain available.
For more information on responding to identity theft and protecting your privacy, visit the Privacy Rights Clearinghouse (www.privacyrights.org) or the Federal Trade Commission’s Identity Theft site (www.ftc.gov/idtheft). They include step-by-step instructions on dealing with identity theft, including sample forms and letters to use when cleaning up your credit record.
Tom Mighell is senior counsel and litigation technology support coordinator at Cowles & Thompson in Dallas, Texas. He is a frequent speaker and writer on the Internet, legal technology, and e-discovery issues, and is Chair of the 2008 ABA TECHSHOW legal technology conference. He may be reached at firstname.lastname@example.org.