Submission - Credit Reporting Regulatory Framework: Submission to ALRC Privacy Inquiry (December 2007)

2.5. Security of data

Potential consumer harm relating to the security of credit reporting information includes concerns regarding the amount of data (in that it may become an attractive target for fraud), data breaches, unauthorised use, data retention and destruction policies.

However, the ALRC in DP72 believes that security concerns in credit reporting do not require specific regulation:

Proposal 54-9: The proposed Privacy (Credit Reporting Information) Regulations should contain no equivalent to s 18G(b) and (c), dealing with the security of credit information files and credit reports, as these obligations are adequately covered by the proposed ‘Data Security’ principle (UPP 8).

While UPP 8 does provide coverage of data security issues, it does not address concerns about the creation of very large data sets. UPP 8 applies equally to a single file or a massive database.

Credit reporting agencies have significant data holdings (Veda Advantage holds one of the largest private sector data sets in the region with over 14 million individual records). Concerns about data breaches are based on three fears:

The larger and more valuable a data set becomes, the more attractive it is as a target for fraud and unauthorised access;
The larger and more complex a data set becomes the more vulnerable it becomes to errors, accidents and negligence that result in a data breach; and
There is a history of security breaches at credit reporting agencies elsewhere.

Major credit reporting agencies in the US and Canada have reported data security breaches or identity theft losses in recent years:

US – TransUnion
In December 2006, the TransUnion credit bureau investigated an unauthorised entry into their database, and an illegal download of hundreds of people's personal information. It was alleged that four different scam companies across the country stole more than 1,700 people’s credit information and social security numbers.[20]
US – Equifax
In May 2006, Equifax credit agency acknowledged that a laptop computer containing employee names and Social Security numbers was stolen from a worker travelling on a train near London. The theft affected nearly all of the company's 2,500 US employees.[21]
US – Experian
In June 2005, a new tenant to a building in Kansas City discovered that it was formerly occupied by the Topeka Credit Bureau and the Experian credit reporting agency. Inside the building, the tenant found the previous lessee had left ‘thousands and thousands’ of printed documents and numerous computerised records behind. The documents had personal data printed on them, including names, addresses and Social Security numbers, located in cabinets and within the drives of 10 to 20 computers.[22]
Canada – Equifax
In February 2004, unauthorised remote access was gained to the personal, detailed credit files of more than 1,400 people on Equifax Canada’s database. The files contained social insurance numbers, bank account numbers, credit histories, home addresses and job descriptions. The breach was discovered in March of that year. More than 1,400 Canadians were notified of the breach via registered mail asking that they contact the agency to review the contents of their respected credit files.[23]

This Report concludes that, in line with the ALRC Proposal, UPP 8 should be the main requirement for data security in credit reporting. However, it is noted that a significant security issue in credit reporting is scale. With some data sets exceeding 14 million records containing multiple data fields of highly sensitive financial data, consumers are concerned about the vulnerability of credit reporting information to deliberate attack or neglect.

This issue is closely linked with the discussion of ‘more comprehensive reporting’ proposals in this Report at Section 2.13 (page 23).

[20] Kxan.com, Credit Bureau Security Breached, 1 December 2006, <http://www.kxan.com/Global/story.asp?S=5752352>.

[21] Searchsecurity.com, Data theft affects 88 million-plus Americans, 21 June 2006, <http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1195270,00.html>.

[22] Consumeraffairs.com, Experian Abandons Thousands of Consumer Data Records, 15 June 2005, <http://www.consumeraffairs.com/news04/2005/experian_abandons_data.html>.

[23] Computerworld.com, Credit agency reports security breach, 17 March 2004, <http://www.computerworld.com/securitytopics/security/story/0,10801,91319,00.html>.