Custom Search

Sunday, February 24, 2008

And Who's Looking at YOUR Private Information?

At what point does Freedom of Information become too much availability of information? Where is the line drawn that prevents your personal information from falling into the hands of someone you might not want to have it? And how much responsibility does an entity, be it private or public, bear when your information is mishandled by those who have access to it because of their positions?

These questions are being faced by Milwaukee-based WE Energies after the Associated Press obtained documents from them in an employment case, and show a disturbing trend in the practice of "lifting" information from utility, telecommunications, and accounting industries by employees of their clients.

In one case, a landlord was able to access financial information of his tenants, in another, a woman accessed her ex-boyfriends financial accounts repeatedly after they had broken up. Other cases have allowed for individuals to be stalked or suffer from identity theft. And there is little that is done to stop it, privacy experts say.

Vast computer databases give curious employees the ability to look up sensitive information on people with the click of a mouse. The WE Energies database includes credit and banking information, payment histories, Social Security numbers, addresses, phone numbers, and energy usage. In some cases, it even includes income and medical information.

Experts say some companies do little to stop such abuses even though they could lead to identity theft, stalking and other privacy invasions. And companies that uncover violations can keep them quiet because in many cases it is not illegal to snoop, only to use the data for crimes.

"The vast majority of companies are doing very little to stop this widespread practice of snooping," said Larry Ponemon, a privacy expert who founded The Ponemon Institute, a Traverse City, Mich.-based think tank.

What if the snooping is done with the intention of committing a crime? Isn't it too late, once a crime has been committed, to deal with the situation? Jay Foley, executive director of the Identity Theft Resources Center, agrees, stating, "Something needs to be done at the state level to make sure this is illegal." His solution? Tracking software that can tell which employees have accessed customer accounts, and intervention by state regulators and lawmakers if companies are less than vigilant in safeguarding the private information of their customers.

The problem with this solution, however, is knowing which software to choose, and which software is also available on the market that might be used to counter it.

The issue came to light in 2004 when acting mayor Marvin Pratt lost to his rival, current mayor Tom Barrett, in a heated Milwaukee mayoral election, after an employee helped to leak information to the media regarding Pratt, including that Pratt was often late in paying his utility bills. Pratt is convinced the incident cost him the race and damaged his reputation, and recently has met with top WE executives, who have assured him that the problem has been stopped "as much as possible." He has dropped plans for a possible lawsuit against WE.

The employee who leaked Pratt's information has been terminated, by that hasn't ended the problem. Between 2005 and 2007 at least 17 employees have been terminated or faced disciplinary action for breaking client confidentiality. Another was suspended in 2005 for accessing Pratt's account unrelated to company business, but was allowed to keep her job.

But it doesn't stop with WE. The IRS handled 219 disciplinary actions last year alone, a number double the previous year. Minnesota Department of Public Safety said that two of it's employees had accessed information on 400 residents through it's driver's license database, leading to disciplinary action that was not disclosed because the investigation is ongoing.

Nor is the problem limited to the United States. In a 2006 Australian case, 111 people resigned or were terminated from their positions with Centrelink:

There were 790 security breaches at government agency Centrelink involving 600 staff. Staff were found to have inappropriately accessed databases containing citizens' information. The databases are used to administer social security, pension and unemployment benefits. Prime Minister John Howard is said to be considering a proposal which would use this database for a new national identity card which is under consideration.

In total 19 Centrelink employees have been sacked and 92 others have resigned. Police are conducting investigations into five employees, they said.

According to testimonies and depositions, the employees don't generally see anything wrong with accessing this information, either. Employees see nothing wrong with pulling up information on a customer out of curiosity to see a little bit into their private lives.

Perhaps it is nothing more than a little fascination and idle curiosity in the majority of cases. Humans are curious creatures, and when they have the means to satisfy their certain curiosities, they will apply them. A little snooping can't cause any harm, right? But suppose, just for the sake of argument, that someone was snooping for more than just idle curiosity. What happens in these cases? Is allowing employee snooping of customer information a powder keg that is waiting to explode? Or is it just something that happens, and isn't much to really worry about?

What do YOU think? Do you know who's accessing your personal information and what they're doing with what they find?

Points to definitely ponder.

Once and Always, an American Fighting Man