Information Brokers: Federal and State Laws

Order Code RS22087
Updated May 17, 2005

CRS Report for Congress
Information Brokers: Federal and State Laws

Angie A. Welborn
Legislative Attorney
American Law Division

Congressional Research Service, Prepared for Members and Committees of Congress

Introduction

In February 2005, ChoicePoint announced that approximately 145,000 records had been improperly disclosed due to fraudulent information presented to ChoicePoint by a purchaser of its information services.[1] ChoicePoint made the announcement only after it was reported that the company had disclosed to residents of California that their information may have been compromised. While several states have recently enacted laws addressing security breaches, there are no federal laws that specifically relate to the information brokerage industry. However, there are other federal laws that could be applicable to information brokers,[2] depending on the type of information in question and the character of the entity collecting and disseminating the information.

Federal Laws

There are currently no federal laws specifically related to information brokers, nor is there a specific federal law that governs all uses of consumer information. There are, however, several statutes and regulations that restrict the disclosure of consumer information and require entities that collect consumer information to institute certain procedures to ensure the security of the information. These laws may be applicable to information brokers depending on the nature of the information they collect and disseminate and the character of the brokerage company. The laws specifically related to the security of consumer information are discussed below.[3]

Fair Credit Reporting Act

Under the Fair Credit Reporting Act (FCRA), consumer reporting agencies have particular responsibilities with respect to ensuring that a consumer's information is used only for purposes that are permissible under the act, for protecting the consumer's information from potential identity thieves, and for correcting information in a consumer's report that may be incorrect or the result of fraud.[4] The act and the requirements set forth therein apply only to entities that fall within the definition of a "consumer reporting agency," and only to products that fall within the definition of a "consumer report."

The FCRA defines "consumer reporting agency" as "any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports."[5] Information brokers are arguably consumer reporting agencies within the context of the act, as they do assemble and evaluate consumer credit and other information and subsequently provide this information to third parties. However, even if brokers perform the same or similar functions as consumer reporting agencies, the products they provide must be consumer reports in order for the provisions of the FCRA to apply. A "consumer report" is defined under the act as "any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for credit or insurance to be used primarily for personal, family, or household purposes; employment purposes; or any other purpose authorized under section 604 [of the FCRA]."[6] Information brokers have acknowledged that some of the products they provide are consumer reports. Other data products that are not used for any of the purposes outlined in the FCRA, however, are not consumer reports and are not subject to the protections afforded under the act.

Gramm-Leach-Bliley Act

Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA) prohibits financial institutions from sharing nonpublic personally identifiable customer information with non-affiliated third parties without giving consumers an opportunity to opt out. The act requires financial institutions to provide customers with notice of their privacy policies, and requires financial institutions to safeguard the security and confidentiality of customer information.[7] The requirements set forth in the act apply to "financial institutions," which are defined as "any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956."[8] These activities include those that are traditionally associated with banking, as well as activities such as credit reporting. If an information broker were engaging in consumer reporting activities, as discussed above, it could also fall within the definition of a financial institution for purposes of GLBA. Should information brokers fall within the definition of a financial institution under GLBA, they could be subject to both the privacy rule[9] and the safeguard rule.[10] If an information broker receives information from a credit reporting agency, it may also be limited by GLBA's reuse and redisclosure provisions, which could limit the broker's use of that information.

State Action

In 2002, California enacted a law requiring a state agency, or any person or business that owns or licenses computerized data that includes personal information, to disclose any breach of security of the data to any resident of the state whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.[11] The disclosure must be made in the "most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, . . . or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system."[12]

Following the announcement by ChoicePoint and other high-profile cases involving information brokers, legislation was introduced in several other states. Georgia recently enacted a law similar to the California law discussed above.[13] While the California law covers any person or business, including a state agency, the Georgia law applies only to "information brokers," a term defined to specifically exclude governmental agencies.[14] Arkansas,[15] Indiana,[16] Montana,[17] North Dakota,[18] and Washington[19] have enacted similar laws requiring notification by either businesses or state agencies, or both. Several other states are considering such legislation.[20]

Congressional Response

S. 115, the Notification of Risk to Personal Data Act, was introduced prior to the incidents involving ChoicePoint and other information brokers. The bill, similar to the California law discussed above, would require "any agency, or person engaged in interstate commerce, that owns or licenses electronic data containing personal information" to "notify any resident of the United States whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person" due to a security breach. Notification would be required "as expediently as possible and without unreasonable delay" following the discovery of the breach of security and any measures necessary to determine the scope of the breach, prevent further disclosures, and restore the integrity of the data system. Notification may be delayed for law enforcement purposes.

S. 751, also entitled the Notification of Risk to Personal Data Act and introduced following the reports of major security breaches, is similar to S. 115, but would require notification when any information, whether or not held in electronic form, has been, or is reasonably believed to have been, acquired by an unauthorized person.

S. 500, the Information Protection and Security Act, was also introduced following the ChoicePoint security breach. The bill would require the Federal Trade Commission to promulgate regulations "with respect to the conduct of information brokers and the protection of personally identifiable information held by such brokers." Such regulations must include: a requirement that procedures for the collection and maintenance of data guarantee maximum possible accuracy of the information held by brokers; access by a consumer to information pertaining to him held by an information broker; a consumer's right to request and receive prompt correction of errors in information held by an information broker; a requirement that brokers safeguard and protect the confidentiality of information; a requirement that brokers authenticate users before allowing access to information and ensure that the information will only be used for a lawful purpose; and a requirement that brokers establish procedures to prevent and detect fraudulent or unlawful access, use, or disclosure of information. The regulations would be enforced by the Federal Trade Commission and in actions by state attorneys general. A consumer would also be allowed to bring a private right of action to recover actual monetary loss or up to $1,000 in damages, whichever is greater. A companion bill, H.R. 1080, was introduced in the House.

S. 768, the Comprehensive Identity Theft Prevention Act, includes a number of provisions aimed at preventing identity theft, including the creation of an Office of Identity Theft in the Federal Trade Commission and efforts to protect a consumer's sensitive personal information. With respect to the information brokerage industry, the bill would require the Federal Trade Commission to promulgate regulations to enable the newly created Office of Identity Theft to protect sensitive personal information that is collected, maintained, sold, or transferred by commercial entities, such as information brokers. Information brokers, or "data merchants" as defined in the legislation, would be required to register with the Office of Identity Theft and to follow rules promulgated by the Commission regarding the processes for protecting consumer information. Consumers would be given certain rights, similar to those afforded under the Fair Credit Reporting Act, with respect to their information held by a data merchant, and would be able to correct incorrect information and receive one free report from the data merchant each year. Commercial entities would be required to notify consumers of information breaches, and consumers would be able to have their information expunged from the information broker's records following notification of a security breach.

Notes

[1] For a detailed description of how the fraud was committed, see Robert O'Harrow, Jr., ChoicePoint Data Cache Became a Powder [citation truncated in source].

[2] S. 500 and H.R. 1080, discussed infra, define "information broker" as "a commercial entity whose business is to collect, assemble, or maintain personally identifiable information for the sale or transmission of such information or the provision of access to such information to any third party, whether such collection, assembly, or maintenance of personally identifiable information is performed by the information broker directly, or by contract or subcontract with any other entity." For background on information brokers (or data brokers), see CRS Report RS22137, Data Brokers: Background and Industry Overview.

[3] Two other laws applicable to other types of information are not discussed in this report. The Driver's Privacy Protection Act (18 U.S.C. 2721-2725) prohibits state motor vehicle departments from disclosing personal information in motor vehicle records, subject to certain exceptions. Under rules promulgated pursuant to the Health Insurance Portability and Accountability Act (45 C.F.R. Part 164), entities must take certain steps to ensure the privacy of medical records and are prohibited from disclosing certain information without the consent of the patient.

[4] 15 U.S.C. 1681 et seq. For a detailed discussion of the requirements imposed under the Fair Credit Reporting Act, see CRS Report RL31666, Fair Credit Reporting Act: Rights and Responsibilities.

[5] 15 U.S.C. 1681a(f). The act also defines "consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" and "nationwide specialty consumer reporting agency."

[6] 15 U.S.C. 1681a(d). The act also defines "investigative consumer report."

[7] P.L. 106-102. For more information on the requirements imposed under GLBA, see CRS Report RS20185, Privacy Protection for Consumer Financial Information.

[8] 15 U.S.C. 6809(3)(A). Section 4(k) of the Bank Holding Company Act is codified at 12 U.S.C. 1843(k).

[9] 12 C.F.R. 225.28, 225.86.

[10] 16 C.F.R. Part 314.

[11] SB 1386, codified at Cal. Civ. Code 1798.29 and 1798.82.

[12] Cal. Civ. Code 1798.29(a); 1798.82(a).

[13] SB 230, to be codified at O.C.G.A. 10-1-910 et seq.

[14] O.C.G.A. 10-1-911(2).

[15] Act 1526, 85th General Assembly, Regular Session, 2005.

[16] Senate Bill 503, 114th General Assembly, First Regular Session (2005). The Indiana law appears to apply only to state agencies.

[17] House Bill No. 732, 2005 Montana Legislature.

[18] Senate Bill No. 2251, 59th Legislative Assembly of North Dakota, 2005.

[19] Senate Bill 6043, Chapter 368, Laws of 2005, 59th Legislature, 2005 Regular Session.

[20] For a complete list of pending state legislation, see the National Conference of State Legislatures [] (last visited May 17, 2005).