Photo by fabio on Unsplash

Private Investigator Databases: What the GLBA Really Means to You

In the mid-1990s to early 2000s ushered in an “Information Age” for investigators. Database companies were just starting to come online. I remember gaining Internet access to my first database providers in the early to mid-1990’s: IRSG (not to be confused with the now defunct consumer reporting agency and information broker trade group “Individual Reference Services Group”), CDB Infotek and DBT Online, all long since gone, and immediately understood the implications it would have on my own investigation agency and my ability to gather and present more information to my investigative clients.  Additionally, I was heavily involved in the bail enforcement business in Louisiana at the time, and I was finding more bail fugitives faster and at less expense than ever.  As a matter of facility and economics, wearing out shoe leather, driving hundreds of thousands of miles a year and working human sources of information has given way to data-miners, who, with a few strokes of the keyboard, can produce a mind-boggling amount of information on any given subject. It was a time where being in the investigations businesses depended less upon “how well you were connect” to  “how fast you were connected.”

Access to professional databases, then and now, unquestionably give investigators the opportunity to make more money- even if you are one of those complaining about the cost. (You should have been around when the database companies charged you by the record and the time you were connected to their server! I have it on very good authority, that if it had been a slow month they would throttle back the connection speed to that they could charge more money for the time their clients were connected.) Taking 15 years of inflation and economic adjustments into account, a “comprehensive report” could cost as much as $45 in today’s currency.  Eventually, these commercial database providers evolved and acquired staggering amounts of data and technology made the data cheaper to serve then faster to sort through and obtain, which also made data more affordable.

What I didn’t immediately recognize back then was the legal minefields these databases would eventually become…

The days when just about anyone could gain access to data and pull information on friends, relatives, enemies and “lost loves” out of mere curiosity and a touch of voyeurism were short lived!  This fast and unfettered access to shocking amounts of “private information” horrified an unaware American public in a series of highly publicized stories of major data breeches, murders and an alarming rise in identity theft, which were all being connected in one way or another to professional information brokers.  This sudden awakening also gave rise to a new breed of political crusader; the privacy zealots were born.  It wasn’t long before these neo-politicos would begin to curry favor with their constituents by changing existing laws and producing new laws in an effort to protect consumer privacy.  Thankfully, the database and information brokers did form a trade group, Individual Reference Services Group (IRSG), and made earnest attempts to police themselves through what was coined the “IRSG Principles” whose aim was to educate their clients about the use of reference data, improve data quality, limit access to non-public data, improve security of sensitive data and to promote consumer choice in the marketplace.  While the effort was a little too late in coming and the IRSG eventually disbanded, these early attempts at preserving the professional investigator’s access to restricted information paid off.

The Fair Credit Reporting Act (FCRA) was originally enacted in 1970 in an effort to address a growing credit reporting industry in the United States that collected and sold “consumer credit reports” and “investigative consumer reports.”  It was the first official act of Congress to define and place access/use restrictions on “non-public personal information.” Sweeping and substantial amendments to the FCRA were made in the Consumer Credit Reporting Reform Act of 1996 that further limited access to information contained in a consumer credit report through a set of “permissible purposes” that were loosely based upon the IRSG principles of access and would later be adopted by the Drivers Privacy Protection Act (DPPA) and the GLBA.  The FCRA also more narrowly defined how non-public personal information could be used and what disclosures had to be made when adverse information was used to make credit or employment decisions deemed unfavorable to the consumer.  While the FCRA did have a widespread effect on access to restricted data, it had the most chilling effect on private investigators and agencies that were in the business of pre-employment background screening. Background screening and FCRA compliance is a topic best served under a separate title.

The DPPA was passed as an amendment to the “Violent Crime Control and Law Enforcement Act of 1994” in reaction to a series of abuses of information contained in State motor vehicle registration and driver’s license databases.  The murder of actress Rebecca Schaeffer in 1989 was paraded as one example of such an egregious misuse of this information. In that instance, a private investigator obtained Rebecca Schaeffer’s address through her California motor vehicle record and sold it to an obsessed fan who used that information to eventually stalk and kill the actress.  The act was amended again in 2000 to provide for even stricter privacy protocols; it more narrowly defined the available permissible purposes used to gain protected records and gave individual states increased power to enact broader protections than those authored by Congress in the DPPA.

A little over 10 years ago Congress also enacted the Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLBA) “to enhance competition in the financial services industry by providing a prudential framework for the affiliation of banks, securities firms, and other financial service providers, and for other purposes.”  These other purposes would famously include comprehensive privacy protection and access restrictions to non-public personal information derived from data obtained, developed and shared by financial institutions.

In the Electronic Privacy Information Center (EPIC) article, “Victoria’s Secret and Financial Privacy,” the author wrote, “Outside the Beltway, it is not well known that a Victoria’s Secret catalog is one of the key reasons that Congress included privacy protections for financial information when passing the Gramm-Leach-Bliley Act (GLBA). The GLBA sought to “modernize” financial services- that is, end regulations that prevented the merger of banks, stock brokerage companies, and insurance companies. The removal of these regulations raised significant risks that these new financial institutions would have access to an incredible amount of personal information, with no restrictions upon its use…”

“In a session where House Commerce Committee Members “marked up” a draft version of the GLBA, Representative Ed Markey (D-MA) introduced an amendment that would add privacy protections. The Markey Amendment was strongly opposed by the banking industry. It added “Title V” to the Act, giving individuals notice and an ability to control some information sharing…” and “Prospects for privacy protection remained dim despite a series of testimonials by Members who recounted their experiences of having their Social Security Numbers and financial information sold…”

However, critical support for the Title V Amendment came from Representative Joe Barton, a conservative Republican and privacy advocate from Texas, who was outraged and embarrassed that he started receiving Victoria’s Secrets catalogs at his Washington, D.C. residence- the address to which he had only given to his Credit Union.

The article went on to say that, “Barton expressed concern that his credit union had sold his address to Victoria’s Secret. Representative Barton noted that he started receiving Victoria’s Secret catalogs at his Washington home. This was troubling- he didn’t want his wife thinking that he bought lingerie for women in Washington, or that he spent his time browsing through such material.”

On the heels of that experience, Barton supported prohibiting financial institutions from selling their customer’s personal information.  The GLBA, with the newly appended “Title V Privacy” amendment, was then approved by Congress.  It should also be noted that Barton’s ex-wife went on to become a victim of identity theft as well and he has used these issues to further identity theft and personal information privacy legislation.

Thus protecting the privacy of consumer information held by “financial institutions” became the heart of the financial privacy provisions of the Gramm-Leach-Bliley Financial Modernization Act of 1999 and there are essentially three principal parts of Title V, the privacy provision in the GLBA: the Financial Privacy Rule, Safeguards Rule and pretexting provisions.  The Financial Privacy Rule regulates the collection and disclosure of customers’ personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, who receive such information.  The Safeguards Rule requires all financial institutions to create and deploy safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions “such as credit reporting agencies” that receive customer information from other financial institutions.  Subtitle B of the GLBA titled “Fraudulent Access to Financial Information,” prohibits the practice commonly referred to by private investigators as “Pretexting” in order to obtain personal financial information.  It is important to note that this law also makes soliciting of others to engage in pretexting a crime as well.  In several (very well-publicized) instances the Federal Trade Commission has brought cases against information brokers who engaged in obtaining protected information under false pretense.

So what does the GLBA really mean to the professional investigator as it relates to gaining access to sensitive, non-public personal information on subject’s whom they may be investigating?

Statistically speaking only 458 words out of the over 60,000 words in the GLBA apply to professional database providers and their clients. If an investigator has in the past several years attempted to gain access to GLBA protected data from a professional provider these words should be very familiar as they form the basis of the general exceptions under which non-public personal information can be disclosed to our clients:

++++++++++++++++++++++++++++++++++++++++

TITLE V – PRIVACY

Subtitle A – Disclosure of Nonpublic Personal Information

SEC. 502. OBLIGATIONS WITH RESPECT TO DISCLOSURES OF PERSONAL INFORMATION.

Subsection (e):

GENERAL EXCEPTIONS. – Subsections (a) and (b) shall not prohibit the disclosure of nonpublic personal information-

(1) as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with-
(A) servicing or processing a financial product or service requested or authorized by the consumer;
(B) maintaining or servicing the consumer’s account with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or
(C) a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer;

(2) with the consent or at the direction of the consumer;

(3) (A) to protect the confidentiality or security of the financial institution’s records pertaining to the consumer, the service or product, or the transaction therein;
(B) to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
(C) for required institutional risk control, or for resolving customer disputes or inquiries;
(D) to persons holding a legal or beneficial interest relating to the consumer; or
(E) to persons acting in a fiduciary or representative capacity on behalf of the consumer;

(4) to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution’s compliance with industry standards, and the institution’s attorneys, accountants, and auditors;

(5) to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies (including a Federal functional regulator, the Secretary of the Treasury with respect to subchapter II of chapter 53 of title 31, United States Code, and chapter 2 of title I of Public Law 91–508 (12 U.S.C. 1951–1959), a State insurance authority, or the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;

(6) (A) to a consumer reporting agency in accordance with the Fair Credit Reporting Act, or
(B) from a consumer report reported by a consumer reporting agency;

(7) in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or

(8) to comply with Federal, State, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, State, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.

++++++++++++++++++++++++++++++++++++++++

Generally speaking, private investigators should really be more concerned about running afoul of individual state privacy breach laws that have far-reaching civil and criminal implications.  Data breach laws are vastly different from state to state and some have provisions in them allowing state agencies to pursue enforcement actions against violators located well beyond state lines.

This new reality means that someone with access to GLBA protected data has to be extremely careful when considering whether or not they really have a “permissible purpose.” In an age when information returned in database searches are most probably obtained from sources outside of the state in which the investigator is conducting his or her investigation, it is entirely possible to run afoul of several state data breach laws if not extremely careful.  For example, did you know that it is against North Carolina data breach laws to even speak about protected, personally identifiable information with someone who is not authorized to be in possession of that data?

Generally, the GLBA affects professional investigators in the following three ways:

1.  The GLBA reaffirms, reinforces and then expands upon the FCRA’s definition of “non-public personal information;” most importantly, the GLBA limits access to credit headers because they are a part of the consumer credit report, which is information developed by financial institutions. Credit header information forms the basis of almost all of the information contained in “people search” products and is the foundation upon which all “comprehensive report” database products are built!

Information in the header, or top most portion, of the consumer credit report was once not considered to be derived from financial information because it did not include banking information, credit accounts or financial profiles, per se. The credit header only contained personal identifier information, (name, aliases, date of birth and social security number) current reported address and a list of previously reported addresses. That changed in 2002 when the Court of Appeals for the District of Columbia affirmed rulings in TransUnion v. FTC, No. 01-5202 (D.C. Cir. 2002) and in IRSG v. FTC, 145 F. Supp. 2d 6, No. 00-1828 (D.D.C. 2001) when both TransUnion, one of the top three consumer reporting agencies, and the IRSG were both unsuccessful in lawsuits against the FTC that were filed in their efforts to overturn GLBA privacy regulations and to have certain data (i.e. credit header information) excluded from the Financial Privacy Rule and the Safeguards Rule specifically.

2.  The GLBA requires those who possess GLBA-protected data to secure and prevent the unauthorized distribution of that data unless the intended receiver is also permitted by exception under the GLBA.

3. The GLBA provides severe civil penalties for unauthorized access to data (a data breach) and those who access the information in contravention of the GLBA.  States also have the power to provide for broader protection of non-public private information and to further define what constitutes a data breach and the “reasonable risk of harm” to their citizens.

Why is GLBA compliant data more expensive to obtain than non-GLB compliant data?

It’s better. Plain and simple- you get what you pay for.  The difference between the investigator barely making it and the one who is successful in his or her own business comes down to the quality of their tools.  The investigator using the $.50 “people search” or the $1.00 “criminal history search” is using the same information being marketed and sold to the average consumer.  I have never purchased data at cut rate prices and not expected to get stale, outdated data.  It is more expensive for the top-tier, professional data provider to obtain fresh updates to the information I need and I understand that.  Using data sourced from a professional provider, I can find the lead that will close those cases that others cannot.

I also want access to non-traditional sources of information.  Professional database companies are actively out looking for data from other “buckets of information” in order to be the best database provider in the industry.  This creatively sourced data is usually only available to companies with the financial capital to afford it.

Ultimately, I want access to billions of records updated everyday… not hundreds of thousands updated once a year and only the top-tier companies can manage that- they also happen to be GLBA compliant.

Database providers have become the convenient, if not vogue, coat hook on which the privacy hawks have hung their hats lately.  It will not be long before they begin to target the consumers of that data as well.  So, the bottom line for me is this:  I choose professional, top-tier GLBA data providers because…

1.  I have a PI license.  I had to go through a great deal of effort and expense to get and keep that license and it is valuable to me.  I want access to information not available to the public and I want to do a better job than my competition.  There are permissible purposes that allow me, as an investigative professional, access to non-public personal information and I understand that I will have to prove that I run a legitimate company, which will mean extra paperwork and time getting properly vetted before being approved for access.  I don’t want to do business with a company that is double-dealing while trying to compete with me by playing both the “business to business market” (me) and the “business to consumer market” (John Q. Public) at the same time.

2.  I need to know where my data comes from, where it was sourced and when it was last updated.  If (when) I am called to court to justify the findings of my investigation, I expect that the foundation upon which I built my investigation is solid. An established professional database provider knows where, when and how his or her data is sourced and takes steps to make sure that it is not collected or shared contrary to the law.  Cut-rate providers don’t usually know exactly where their records are sourced- are they GLB-protected or not? I NEED to know in order to stay out of trouble.  Who will be there to stand behind their data if called upon to do so?  I want to know more about where my data comes from, too, and a professional is not afraid to share that information.

3.  Professional database providers take the time and effort to train me to be a better investigator and how best to use their product and gain maximum advantage over non-clients, while potentially saving some money on my monthly search bill.  I respect the professional database provider that will tell me that his or her product is not the same as other database providers and helps me understand the strengths and weaknesses of each so that I can use the right tool for the job.  My database providers of choice each regularly tell me that I need to subscribe to multiple sources of information.

4.  I am not an expert on the GLBA, FCRA, DPPA, FDCPA, HIPPA, the Identity Theft Act of 2004 or the data breach laws of 50 individual states; when I have compliance questions I can call someone who understands complex compliance issues.  Professional database companies spend a great deal of time and money to educate their clients.  I expect that level of quality customer service and that if I use their service as prescribed that I will not get into trouble.

5.  Professional database companies materially support the investigation industry.  National and State industry associations do very important work and need the financial support of sponsors.  Database providers contribute to important causes and fund the ongoing fight to preserve my access to the information vital to the success of my business.  I will support those who support me.