Driver's Licenses and Personal Information
As you know, the driver's license has been a stable ID for the Check Guarantee Industry for over 30 years. Over the last few years, SCAN, as the industry's leading Verification company, has moved low ticket, high volume retailers toward MICR numbers (your account number and bank routing information) as an alternative ID due to speed of entry. Today many states are operating some very aggressive initiatives to make your driver's license as easily read by a point-of-sale terminal as a credit card, and with a great deal more information.
Fifteen states are already issuing driver's licenses with either magnetic strips or one- or two-dimensional bar codes which contain valuable marketing information. But merchants are leery of scanning this information and using it in their marketing efforts. Why?
There are a variety of reasons why merchants are dragging their heels, including the high cost of magnetic strip readers and lack of national standards for the strips. There is also the growing fear of identity theft and privacy issues which may be keeping merchants at arm's length for fear of alienating the consumer.
Is this really new information?
No, the data on the driver's license and it's availability really isn't anything new-this data has been out there for a long time and anyone could access it. It's just a little easier now and the consumer is providing it directly, rather than through a commercial entity.
Is anyone studying privacy information and the public's access to it? Yes, a report completed in March 1997 by the Board of Governors of the Federal Reserve to Congress addressed the availability of consumer identifying information and financial fraud. The study focused on the availability of "sensitive" information which identifies consumers.
The report found that while it's true that information about a consumer has value, that value is dependent on two things:
1. How descriptive the data is.
2. How the data can be used.
The more descriptive or unique a piece of data is, the more useful and valuable it becomes. For example, a Social Security Number in itself doesn't say much about a consumer, it is not descriptive. But, that number can be used to obtain other personal identifying information. Therefore, it has the potential of increased value and increased misuse.
The information industry, which is comprised of government entities, direct marketers, and reference services, has grown rapidly with the advent of on-line services because all three entities can now gather and distribute information quickly. Information which is gathered for one reason, such as the sale of a house, can be sold for something else, such as to a vendor of household products.
This is an example of how the value of a piece of information can be increased by combining it with other information. Why is this information so valuable? According to a 1996 Poll by the Gallup Organization, 77 percent of U.S. commercial firms use direct marketing, and so does the government.
Government
Does this sound strange- that the government would provide (either free or for a fee) information about you to a commercial entity? Well, take a look at some examples of items in the Public Record:
These records provide extensive information about a consumer, including race, gender, date of birth, date of marriage or divorce, place of business, assets, price of mortgage, etc. All of this data can be obtained via magnetic tape, in person, telephone, fax, and Internet from the government, a reference service, or a consumer reporting agency.
Although The Driver's Privacy Protection Act of 1994 goes into effect in September of this year, much of the information it is to protect is already public record somewhere else. The Act is loaded with exceptions to when DMV information is protected, so it doesn't seem information is protected at all. For example, data can be released by the DMV when it is:
Reference services
What is a reference service? A reference service offers one stop shopping for anyone looking for information on someone else. Internet reference services can provide virtual dossiers, including name, date of birth, Social Security Number, aliases, current and previous addresses, telephone number, family members, addresses of relative and neighbors, vehicle registration, and can be sold to anyone because it all comes from the public record.
Consumer Reporting Agencies
Consumer Reporting Agencies (CRAs) also called Credit Bureaus, have been getting a lot of negative publicity lately about invading privacy. They often have information about a person's financial life including employer, credit and loan account numbers, amount of available credit, amount of outstanding debt, payment history, default, judgments, and bankruptcy information. Under the Fair Credit Reporting Act these agencies are prohibited from disclosing this information to anyone without a permissible purpose.
Big sigh of relief, yes? Well, hold your breath because consumer reports contain "header information" which is not restricted. This information includes name, current and previous addresses, aliases, and, yes, the old Social Security Number, the number with which almost anything is possible.
Consumer agencies can sell this information and there aren't any laws to regulate how and to whom the information is provided (unlike the financial information contained in a consumer report.) Merge this with the information in public records and you have a pretty complete profile, although it may take some work.
While amendments made to the Fair Credit Reporting Act in 1996 will go into effect in September, some say the law may actually weaken consumers' protection because it prohibits federal agencies from examining whether banks, savings associations, and credit unions have complied with the law.
Questions and debate
Some of the questions around publicly available data and the risk of fraud arise because there is not a consensus on what is "sensitive" information.
Some define it to be Social Security Number, Mother's Maiden Name, Prior Address, and Date of Birth. Others think it should also include Place of Birth, Names of Family Members, Names of Schools Attended, Telephone Numbers (both listed and unlisted), Past and Present Employment Information, Medical Records, Voter Registration Information, Passport Number, Driver's License Number, Car Registration, Loan and Credit Card Numbers, PINs, and Insurance Policy Numbers.
Still others don't think information such as Social security Number should be considered "sensitive" because it appears on all sorts of documents, including driver's licenses, and is therefore shown to merchants all the time as ID.
In their study, the Federal Reserve defined "sensitive" as "that which is most commonly used to commit financial fraud." Those items most often include Social Security Number, Mother's Maiden Name, Prior Address, Date of Birth, Employment Information (including salary), and Credit Card, Loan and Financial Account Numbers.
The main reason these items were identified as "used to commit financial fraud" is because of the ease of which additional pieces of information can be obtained when initially just one piece of information is known.
What this proves is that the information on licenses and mag strips which people may be up in arms about, and what may be preventing merchants from using it for marketing efforts, already exists and is widely available from a variety of sources such as government and commercial services. There are few legal constraints currently in place regarding the collection, use, and dissemination of information and the study by the Federal Reserve found that "losses attributed to identity theft do not pose a significant risk to insured depository institutions."
