Students of journalism quickly learn how to tap into LexisNexis to search its vast archive of newspaper and magazine articles for background information on their story subjects. But LexisNexis, a Dayton, Ohio-based division of the Reed Elsevier, based in London, is far more parsimonious when it comes to protecting identity data used to authenticate and validate individuals.
That's because knowledge of personal information has become increasingly important during the account opening process. Credit card companies, as well as banks, use LexisNexis to help authenticate applications for new accounts. "It took us years to develop a very proprietary system at LexisNexis that authenticates people the first time they come to be enrolled as a customer," said Norman Willox, chief privacy officer with LexisNexis and chairman of the National Fraud Center.
During a war on terrorism, it's hard to overstate the importance of authentication. "Not only is it a homeland security issue, not only is it a terrorism issue, but it's a commerce issue," said Willox. "If we can't authenticate a person, that they are who they say they are, then it's going to impede the growth of global commerce."
For its part, LexisNexis maintains an indexed collection of public record data, shared through what Willox describes as a "closed system" of machine-to-machine communication between the company and its customers. LexisNexis provides information to financial institutions, government agencies and other entities with a legitimate use for personal information
However, legitimate uses by financial institutions, already highly regulated, will become even more constrained over time. As data gains "currency" as a means to perpetrate fraud and other crimes, new controls over who can access information and how it can be used are likely to emerge. "There are going to be a lot of rules and guidelines built around those," said Willox. "It's happening already-- with FCRA Fair Credit Reporting Act, GLBA Gramm-Leach-Bliley Act and the USA PATRIOT Act--you're starting to get some of those carve-outs."
But in many instances, public records currently lack such protection, even where those sources might contain data of potential value to an identity thief. That's likely to change. Since authentication may be based upon disparate gleanings of information about an individual, such as prior addresses and so forth, then it follows that any source of information about those personal data items should require an increased level of protection. "You're starting to see those fences come up now," said Willox. "You've got to fence it, and you've got to fence it accordingly."
Of course, fences need gates that allow traffic to flow for appropriate purposes. Willox envisions a "matrix" that allows access to specific items of information for permitted uses, viewable from authorized locations. "Sensitive public record information can be used for law enforcement, national security or risk management purposes, so you protect both the business and the consumer; but in this scenario you can't use it for marketing purposes," said Willox.
Indeed, that's the guiding principle behind the information-sharing provisions of the USA PATRIOT Act, which allow financial institutions to certify in order to share information about suspicious activities and to help perform extended due diligence. But the same information-sharing partners that can help determine the legitimacy of a foreign business also happen to be business competitors. In response to this potential conflict of interest, Treasury regulations prohibit the use of shared information beyond the due diligence and suspicious activity detection specified by the USA PATRIOT Act.
Along with the potential for misuse, sharing data also poses a tremendous technology challenge when multiple organizations are involved. "Everybody always agreed that risk management and law enforcement were good reasons to be able to share and exchange data," said Willox. "We're dealing with it now, and we're recognizing it's not that simple."
There's also the problem of a relative dearth of information about non-U.S. citizens. "From an industry perspective, the business case has never been strong enough for an organization like LexisNexis or its competitors to really go out and acquire that data," said Willox. "You just can't afford to do it, that's the bottom line."
That's why U.S. government agencies such as the Department of Defense and the Treasury's FinCEN are expected to lead the way towards establishing information exchanges with their foreign counterparts. "If it's that important for the government, they're going to help pioneer something," said Willox. "You're starting to hear about that now."