The Federal Trade Commission recently announced that it had charged in a federal court complaint (FTC pdf; archive pdf) that data broker LeapLab “sold the sensitive personal information of hundreds of thousands of consumers — including Social Security and bank account numbers — to scammers who allegedly debited millions from their accounts.” There is an industry for gathering data on individuals — there are data brokers such as LeapLab, Acxiom and Choicepoint, along with individual companies tracking individuals’ online and offline behavior to create consumer profiles. (Here’s a great New York Times article from 2012 that takes an in-depth look at “How Companies Learn Your Secrets.”)
The FTC said, “data broker LeapLab bought payday loan applications of financially strapped consumers, and then sold that information to marketers whom it knew had no legitimate need for it. At least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case – allegedly used the information to withdraw millions of dollars from consumers’ accounts without their authorization.”
If LeapLab is guilty of these charges, it would not be the first data broker to do so, violating consumer privacy and the law. One of the most infamous incidents was in 2005, when data broker ChoicePoint sold the records of more than 163,000 Americans to a criminal ring engaged in identity theft. The public learned of ChoicePoint’s sale of sensitive data to criminals because California’s security breach law demanded it; federal law did not. ChoicePoint had to pay $15 million to settle the FTC investigation ($10 million in civil penalties and $5 million in consumer redress) in 2006. In 2009, ChoicePoint had to pay a fine and agreed to stronger data security protections “to settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order. This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identify theft.”
Last year, the FTC investigated the practices of the data broker industry and found in a report, “Data Brokers: A Call for Transparency and Accountability” (FTC pdf; archive pdf), “that data brokers operate with a fundamental lack of transparency. The Commission recommends that Congress consider enacting legislation to make data broker practices more visible to consumers and to give consumers greater control over the immense amounts of personal information about them collected and shared by data brokers.” The FTC had gathered information on nine data broker: Acxiom, CoreLogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf and Recorded Future.
The FTC noted: “Data brokers collect consumer data from extensive online and offline sources, largely without consumers’ knowledge, ranging from consumer purchase data, social media activity, warranty registrations, magazine subscriptions, religious and political affiliations, and other details of consumers’ everyday lives.” Since the report’s release, Congress has not passed legislation to give consumers more control over the vast amounts of personal data gathered and used by the data broker industry.