Testimony of Robert
Douglas
CEO, PrivacyToday.com
Before the
United State Senate
Committee on the Judiciary
--
Hearing on
Securing Electronic
Personal Data: Striking a Balance
Between Privacy and
Commercial and Governmental Use
--
April 13, 2005
My name is Robert Douglas[1]
and I am the CEO and founder of PrivacyToday.com located in
I have
provided consultation and expert testimony for civil and criminal
investigations brought by private parties and state and federal law enforcement
agencies. Most relevant to today’s
hearing, I served as a consultant and expert witness for the Federal Trade
Commission in the design and execution of Operation Detect Pretext, a sting
operation to catch and civilly prosecute individual and corporate offenders
participating in the illegal “information broker” industry.[2] I served as an expert witness to the Florida
Statewide Grand Jury on Identity Theft.
I served as an expert witness and consultant for the plaintiffs in a
federal civil action brought by the parents of Amy Boyer, a young woman slain
in a murder committed by a man who purchased Ms. Boyer’s social security
number, date of birth, and place of employment from a web-based information
broker.[3] I have lectured before local, state, federal
and international law enforcement associations on the topic of identity
crimes. I have been a private
investigator and security consultant for the past twenty-two years. This is my fifth appearance before the United
States Congress to discuss personal information security.[4]
The Murder of Amy Boyer
Far too often as we grapple with
the issue of balancing the privacy of Americans with the necessary and
legitimate uses of Americans’ personal information the debate centers on
discussions of “data”, but not the lives behind the “data”. In order to illustrate what I’ve learned over
the course of more than twenty years using and investigating the good and harm
of database information, I’d like to begin by focusing on one life behind one
set of data. The untimely and violent
end to that life encapsulates all the issues that surround securing personal
information while balancing privacy with legitimate uses of information. Further, investigating this one act of
violence led me to a more complete understanding of how personal information is
being used and abused in the
On a quiet fall afternoon in
October of 1999 Amy Boyer, a young Nashua, New Hampshire woman, was leaving
work with two co-workers. The small
group was discussing plans for that weekend as they walked to their cars parked
on a side street less than a block from the office. As Amy said good-bye and closed her door, a
car driven by Liam Youens sped up the street and stopped driver’s door to
driver’s door with Amy’s car. Youens
yelled out Amy’s name as he fired 11 bullets into the head and upper body of
his unsuspecting 20 year-old victim.
Youens then fired one last shot into his head, instantly killing himself
as Amy lay just feet away mortally wounded.
Liam Youens was a demented young
man. He glorified the Columbine killers
and toyed with the idea of doing the same at
But that web site contained far
more than just the perversity of Liam Youens.
It contained the starting point for a trail of evidence that proves how
personal information of all Americans stored with good intent in myriad
databases across this country can be easily obtained and used for incalculable
harm. The trail that began on a quiet
In Amy’s murder the evidence
showed that Youens decided to ambush Amy as she left work. But Youens had a problem. He didn’t know where Amy worked. So he started using information brokers and
private investigators that run Internet based operations that specialize in
obtaining and selling personal information on Americans. In separate Internet transactions Youens purchased
Amy’s date of birth, social security number, home address, and finally her
place of employment.[5]
Youens himself was struck by how
easily he was able to purchase Amy’s personal information while concealing his
evil intent. Here is a small sampling of
Youens own words from his web site where he was documenting his step-by-step
activities to locate and kill Amy:
When I finished finding [street name
redacted] residents in the phone book I
thought my best bet was apt. number 7 so I entered the information. It wasn't
7, but who cares I got a HIT! I fell to the floor and let the endorphines fly.
Her address was [residential address redacted] she didn't move from home yet, no other information was provided in
the background check.
I found an internet site to do that, and to
my surprize everything else under the Sun. Most importantly: her current
employment. It's accually obsene what
you can find out about a person on the internet. I'm waiting for the results.
[typos from
original/redaction and emphasis added by R. Douglas]
The Internet site Youens found to
get Amy’s “current employment” and “everything else under the Sun” was
Docusearch.com. To obtain Amy’s “current
employment” Docusearch provided Amy’s social security number, date of birth,
and home address to Michele Gambino, another private investigator/information
broker operating as Gambino Information Services out of
At the time of Amy’s murder,
Gambino and others who worked as subcontractors for Docusearch specialized in
defeating the information security systems of financial institutions (including
many of the nation’s largest banks and brokerage houses), telecommunications
companies (obtaining non-published phone numbers and records of phone numbers
dialed from any phone in the country), utility companies
(power/cable/gas/water/satellite firms all maintain databases of personal
information), and unsuspecting private citizens with information about loved
ones.
In this case, Gambino conducted a
“pretext” to obtain Amy’s work address by impersonating an insurance company
representative and falsely stating that she had a refund for Amy. By having Amy’s social security number, date
of birth, and home address, Gambino was able to sound authoritative as most
Americans wrongly believe that only someone with legitimate access and
authority would have their social security number and other personal
information. Gambino was able to deceive
Amy and/or Amy’s mother out of Amy’s work address on the pretext that the work
address was needed to process the insurance refund.
The reality is, as far as
Docusearch and Gambino were concerned, obtaining Amy’s work address by fraud
was just another transaction to put money in their pockets. And a lucrative business it is. With just two employees and a handful of
independent contractors like Gambino, Docusearch was grossed over $1 Million
per year selling and re-selling Americans’ personal information.[6]
Outrageously, while Docusearch
was in the business of accessing and stealing Americans’ personal information
and continues to this day to brag about how they can find anything about
anybody, neither Gambino nor Docusearch took any constructive steps to
determine who Youens was, much less why he needed the employment address of
Amy. Had Docusearch or Gambino simply
typed Amy’s name into any free search engine they would have found Youens’ web
site documenting his intent to kill Amy.
Docusearch was on notice that
their Internet site was being used by potential stalkers with intent to do
harm. Just days before Gambino used a
“pretext” to obtain Amy’s work address, Docusearch learned that another
“client” was attempting to obtain an address on a young woman in
While Docusearch, Gambino, and
others in the information brokerage and investigative fields often argue that
they shouldn’t be held responsible for the unforeseen consequences of selling
“data”, those defenses ring hollow. Not
only is there ample evidence in the files of Docusearch and Gambino of
potential harm caused by the personal information they are selling on demand,
the information brokerage/private investigative industries have been aware
since at least the early 1980s of criminals using their services to carry out
violent and non-violent crimes.
Congress Passed the DPPA and Other Statutes to Protect Americans
In March of 1982 the information
broker/private investigative professions and all who maintain databases with
personal information learned first-hand that personal information in the wrong
hands can lead to severe physical harm or murder. In a scenario frighteningly similar to what
happened to Amy, actress Theresa Saldana was repeatedly stabbed and slashed by
a stalker at the front door of her home.
To find Saldana, the stalker hired a private investigator to obtain
Saldana’s mother’s non-published phone number.
The stalker then called Saldana’s mother and tricked her into providing
Saldana’s home address by using the “pretext” that he was Martin Scorcese’s
assistant and needed Saldana’s home address in order to reach Saldana for a
movie role.
Following the Saldana attack,
came the 1989 murder of actress Rebecca Schaeffer. In that case, a private investigator obtained
Schaeffer's home address through the
But the trail of evidence in
Amy’s murder does not end with an obsessed killer and a couple of greedy
private investigators operating Internet information brokerages. Quite simply, the evidence in Amy’s murder
leads to thousands of documents demonstrating in real time how databases
maintained in a wide range of American businesses and entire industries that
contain our most personal information are breached everyday.
Commercial/Government Information Security Systems Are Breached Every
Day
On a daily basis Docusearch,
Gambino, and other associates of Docusearch were penetrating the information
security systems of this nation’s financial services industry, postal service,
telecommunication and other utility companies, and selling that personal
information to just about anyone.
Contained within the files of Docusearch, Gambino, and hundreds of other
similar companies is evidence that not only can any piece of information about
anybody or any company be obtained by anyone willing to pay for it, but clear
and convincing evidence that when it comes to being guardians of critical
personal information both government and commercial entities deserve a failing
grade.
Unfortunately, Docusearch and
Gambino are not rare examples that limit the scope of the problem to a finite
few. The reality is there are hundreds
of “Docusearchs” combined with thousands of identity thieves conducting
arguably tens of thousands of breaches of information security systems across
all business and government sectors each day in this country. You don’t get ten million identity theft
victims and fifty-plus billion dollars in losses to identity theft related
financial fraud from dumpster divers.
To further illustrate the scope
of the problem, consider what we already know when it comes to the black market
of personal information provided by unscrupulous information brokers and
private investigators. Remember, these
unscrupulous companies are a window into the very same methods used by
criminals, identity thieves, and potentially terrorists.
Federal Trade Commission’s Operation Detect Pretext
Following my second of two
appearance before the House Banking Committee[8],
in which I assisted the Committee with a surreptitious survey of online
Internet information brokers and their offerings that confirmed financial
information of Americans was for sale, I worked with the Federal Trade
Commission to design a sting operation to civilly prosecute Internet based
information brokers selling financial account information (including specific
account numbers and balances) in violation of the Gramm-Leach-Bliley Act. Operation Detect Pretext, as it was named,
revealed that there were hundreds of Internet based information brokers and
private investigators advertising the sale of Americans’ most personal
information in violation of any of a number of federal statutes including but
not limited to Gramm-Leach-Bliley, the FCRA, the DPPA, and the Unfair and
Deceptive Trade Practices Act. There was
also evidence in the files of at least one of the FTC targeted information
brokers of the broker selling personal information (perhaps unknowingly) to
identity thieves.[9]
The reality of how the
Docusearchs, Gambinos, and identity thieves (as we know from the recent
ChoicePoint case) defeat the information security systems of so many companies
is that they often begin by acquiring the personal information of the victim of
the intended crime. Using this personal
information the criminal or unscrupulous information broker can impersonate the
victim in order to obtain further personal information or carryout a criminal
act by convincing the rightful custodian of personal information to reveal it
to the criminal posing as the victim.
As an information broker once
explained the process to me:
1)
Know what piece of data you want.
2)
Know who the custodian of the data is.
3)
Know who the custodian will release the data to.
4)
Know what circumstances are needed for the release of the
data.
5)
Become (impersonate) that person with those
circumstances.
Illegitimate Subscriber Access – The Resale Market
Unfortunately, many of the
illicit information brokers who will steal and sell any information about anybody
have subscriber access (through a variety of legitimate and illegitimate means)
to the legitimate information brokerage companies. They need the biographical information
contained in the databases of the legitimate information brokers in order to carry
out their pretexts like Gambino did to Amy.
Specifically, to carry out the 5 steps outlined above, the unscrupulous
information broker, private investigator or identity fraud criminal will
purchase the biographical data needed (from either a legitimate information
broker via a fraudulent subscriber agreement as in the instant ChoicePoint
case, or via a reseller who obtains the information from a legitimate broker
and willingly violates the no resale contract) in order to impersonate an
individual that desired information will be released to.
There are a number of information
brokerage companies, in addition to ChoicePoint, that have maintained
relationships with information brokers and private investigators that I
classify as resellers. While ChoicePoint
and several other brokers have announced they will further restrict access to
full social security numbers, dates of birth, and other personal identifiers to
some clients of certain size and business lines, there is no doubt that absent
legislation other companies will step in to fill the void—even if the
ChoicePoint-styled self-remedy is effective.
The hottest topic in the private investigative and information brokerage
fields right now is where can you obtain full social security numbers and from
what companies. The information
resellers and investigative markets will flock from ChoicePoint to other
mainstream information brokers willing to accept the revenue until Congress
acts.
Indeed, for many years
information resellers have easily deceived the major information brokers in the
application process or violated the no resale clauses of their contracts. This is the worst kept secret in the
information broker/investigative world.
Information Security in the U.S. is Laughable at Best
But even if all legitimate
information brokers were to appropriately and effectively secure the data in
their electronic warehouses, the flow of information would continue. Criminals and others will just access, and in
many cases continue to access, databases from the government and private sector
to find the personal information they need for their crimes.
When it comes to the overwhelming
majority of databases in this country from government maintained military,
postal, education, tax, welfare, and child support records to commercially
maintained financial account, telecommunications, utility, medical, and business records, the information can
almost always be obtained by an individual named in the records. Often this is the actual account holder. For the unscrupulous information broker or
criminal, it is merely a matter of piecing together enough personal information
about the targeted victim to impersonate the victim to the custodian of the
information. And with far too much
frequency, the key to unlocking most personal information is the social
security number.
As I demonstrated a week ago in a
story by Jonathan Krim of the Washington Post, it is a simple matter to go on
the Internet and purchase from any one of a number of information brokers the
social security number of any American.
But even if social security numbers were not easily obtained from
information brokers through direct or indirect (the illicit resale market), the
indisputable fact is social security numbers have been compromised in this
country in many ways for such a long period that it is laughable that either
government or commercial enterprises use the number as a personal identifier
for maintaining security of databases.
Yet this is the method chosen by
more than 50% of the nation’s banks, telecommunication companies, hospitals,
doctor’s offices, universities, utility providers, government programs, and
almost any government or commercial entity one can name. I can inform this Committee and easily prove
to this Committee based upon my experience investigating and studying
information security practices and criminal methods for defeating those
practices, and from the documents available in the Boyer murder case (that I
would gladly share with this Committee in a closed setting), that any information
security system using personal biographical information as the primary security
identifier to allow access to the information is a fatally flawed system.
Congress Should Outlaw the Use of
Personal or Biographical Identifiers for Information Access
Let me blunt. If this Committee and this Congress want to
take a giant step down the road to securing Americans’ data stored across all
government and commercial entities, that step should be to prohibit the use of social
security numbers, dates of birth, addresses, phone numbers, mothers maiden
name, and any other personal biographical identifiers as information access
security protocols. The reason for
prohibiting the use of personal biographical information as security protocols
for access to information maintained in databases is simple. Anyone can find them for free or buy them in
hundreds of locations and databases across the country and on the Internet.
Why is it critical that we
maintain the security of these databases?
Because the vast majority of personal information contained in databases
across this country is used for purposes that benefit Americans every day. Those benefits include commercial
applications that assist citizens in transactions that weren’t possible even
ten years ago, but that we now take for granted. Additionally, the personal and biographical
data maintained in a wide range of storage methods can be of critical value for
government in fulfilling constitutionally mandated societal welfare, law
enforcement, military, and national security functions. In the commercial sector personal information
databases can assist in expediting transactions resulting in lower costs in
addition to fraud prevention, detection, and prosecution.
The challenge is to determine a
way to maintain this information which can be used for good and harm in a
secure way that guarantees it is available for good, but not harm. As with any challenge, we must first
understand the scope of the problem.
As I’ve tried to demonstrate
through the evidence uncovered in the Boyer murder case, the scope of the
problem far exceeds the ChoicePoints of the world. I am not here to make excuses for ChoicePoint
or the other “legitimate” information brokers who after all do provide critical
information to government and the private sector as discussed above.[10]
In fact, I think the most recent
breach that was the catalyst for this hearing is inexcusable given
ChoicePoint’s prior knowledge of attempts to fraudulently obtain subscriber
access.[11]
Legislation Must Address All Commercial and Government Entities
Yet to limit any proposed
legislation to the information broker industry would be short-sighted in my
opinion. After all, information brokers
are nothing but aggregators of data contained in a wide variety of storage
media. From courthouses; state, local,
and federal offices; and, the military to marketing lists; phone directories;
credit bureaus; insurance companies; and, dozens of commercial industries,
information brokers gather “data” that is re-packaged and sold for a wide
variety of uses.
If Congress takes action that
only affects the commercial information broker industry while ignoring the
government and the private business sector databases where information brokers
obtain their raw data, there will be little accomplished. This is because criminals and others who
would use information for illegal purposes will turn to the original sources of
that raw information.
To place the question as to scope
of the problem and how to curb it in the framework of the recent ChoicePoint
breach, ask the following question: What
good is to mandate that ChoicePoint have adequate security protocols to protect
our personal information if the banks, telecommunication companies,
universities, hospitals, doctors offices, insurance companies, utility
providers, car dealers, and governmental agencies don’t have adequate security
protocols and are as porous when it comes to information security as
ChoicePoint was?
If the ChoicePoint debacle causes
this Committee and Congress to begin to seriously re-think how we protect all
forms of data in this country, particularly at a time of war when our enemies
have proven adept at understanding and using to their advantage information
systems (such as deficiencies in driver’s license cross-reference verification
systems that allowed issuance of multiple driver’s licenses from multiple
jurisdictions to the 19 September 11th hijackers) then a complete
understanding will be needed of how information too easily accessed and used
for harm can be secured across the board and used for the benefit of
individuals and the security of the nation.
But it must be a holistic
approach. There are far too many sources
of personal information in this country to either believe we can put the genie
back in the bottle when it comes to social security numbers and other personal
biographical identifiers or that we can solve the problem of securing
information by addressing industries on a piecemeal basis.
In fact, Congress has tried the
piecemeal approach for years with different issues, governmental agencies, and
commercial industries. From the Privacy
Act (restrictions on government use of personal information) to the Fair Credit
Reporting Act (restrictions on consumer reporting agencies use of personal
information) to the Driver’s Privacy Protection Act (restrictions on state
motor vehicle agencies handling of personal information) to most recently
Gramm-Leach-Bliley (restrictions on financial institutions use and handling of
personal information) Congress has addressed issues of privacy, data protection
and data access on a case by case basis.
I would urge this body to
recognize and accept as fact that many of the same challenges when it comes to
securing personal data while balancing the legitimate privacy of Americans with
the legitimate needs of government and beneficial commercial practices permeate
all aspects of American government and private business. It is time to mandate that all government
entities and the business community develop practical and effective information
security programs that address 1) appropriate use questions (who gets access)
and 2) authentication issues (how access is granted in a secure method).
If we don’t take this approach
across all sectors, criminals and this nation’s enemies will do just as the
unscrupulous and illegitimate information brokers I’ve discussed throughout
this testimony do should they be effectively cut off from access in one
database. They’ll just turn to the next
database in the next industry that has not been protected.
Need For A GAO Investigation
I have seen a number of
investigations done by the GAO which provide a blueprint for an investigation
this Committee might find beneficial as it grapples with the issues at
hand. The two most relevant
investigations were: 1) An investigation as to how easily undercover GAO
investigators using movie prop badges and fake law enforcement IDs created with
off the shelf software were able to access secure government facilities and
secured areas of airports; and, 2) An investigation as to how easily undercover
GAO investigators were able to obtain state issued driver’s licenses by
submitting obviously fraudulent identity documents to counter clerks.
Perhaps this Committee would
consider requesting the GAO to perform an investigation of how easily they can
access telecommunication company databases; financial services companies
databases; utility companies databases; hospital databases; university
databases; and, state and federal government agency databases, all by means of
social engineering/pretext. I think the
results would be enlightening.
Oversight and Enforcement Are Critical
Additionally, Congress needs to
exercise oversight on the agencies already charged with enforcing the FCRA,
GLBA, DPPA, and other applicable privacy and data security laws. From credit reports, to financial account
information, to driver’s records and beyond—it is all for sale by hundreds of
companies routinely laughing in the face of Congress and the laws that are not
enforced.
Those laws were passed with
reasons that were important at the time, but are even more important in the age
of terrorism that has been visited upon our shores. Our porous information systems in this country
are a terrorists dream and a potential terrorist tool.[12] It is time we get serious about protecting
information of all forms in this nation.
In addition to the dangers of
criminals, terrorists, identity thieves, and illicit information brokers who
violate Americans’ privacy there is an equally compelling reason to take action
to protect personal information. The
very same information that is too often abused is the life blood of this
country and all Americans. If Americans
don’t have faith that the information they provide is secure it will harm
commerce, and more fundamentally, the trust we all place in those that we share
our most important and private data with.
In closing, I’d like to make an
offer to this Committee, any other Committee of the Congress, any individual
Senator of Representative, or any agency of the
Thank you.
APPENDIX I
I have
testified before the United States Congress on four previous occasions. The
July 28, 1998 Hearing on “The Use of Deceptive Practices To Gain Access To
Personal Financial Information” (U.S. House of Representatives Committee on
Banking and Financial Services); the April 12, 2000 Hearing on “Establishing a
Commission For the Comprehensive Study of Privacy Protection” (U.S. House of
Representatives Committee on Government Reform, Subcommittee on Government
Management, Information and Technology); the September 13, 2000 Hearing on
“Identity Theft and Related Financial Privacy Issues” (U.S. House of
Representatives Committee on Banking and Financial Services); and, the
September 9, 2003 Hearing on “Homeland Security Threats Posed By Document
Fraud, Identity Theft, and Social Security Number Misuse” (U.S. Senate
Committee on Finance).
In addition to my previous
testimonies before Congress, I served as a consultant and expert witness for
the Federal Trade Commission in the preparation and execution of Operation
Detect Pretext, a sting operation designed to catch and prosecute individual
and corporate offenders participating in the illegal “information broker”
industry. I also served as an expert witness to the Florida Statewide Grand
Jury on Identity Theft. I continue to serve as an expert witness and consultant
for the plaintiffs in a federal civil action brought in
To assist the private sector and
the financial services industry in its efforts to detect and combat financial
crimes involving identity theft, I have authored a number of training guides
including: “Privacy and Customer Information Security – An Employee Awareness
Guide” (2001); and, “Spotting and Avoiding Pretext Calls” (2000). I have served
as a keynote speaker for the FDIC and I have been a frequent lecturer at state
and national banking association conferences.
Finally, prior to founding American Privacy Consultants,
Inc., I was a
For a complete curriculum vitae see http://www.privacytoday.com/douglas.htm
APPENDIX
II
NOTICE: This opinion is subject to motions for rehearing under Rule 22 as well
as formal revision before publication in the New Hampshire Reports. Readers are
requested to notify the Reporter, Supreme Court of New Hampshire,
THE SUPREME COURT OF
___________________________
No. 2002-255
HELEN REMSBURG, ADMINISTRATRIX OF THE
ESTATE OF
AMY LYNN BOYER
v.
DOCUSEARCH, INC., d/b/a
DOCUSEARCH.COM & a.
Argued: November 14, 2002
Opinion Issued: February 18, 2003
Gottesman and Hollis, P.A., of
Getman, Stacey, Tamposi, Schulthess & Steere, PA, of
Law Office of Hess & Fraas, of Bow (Carol L. Hess on the
brief), for defendant Kenneth Zeiss.
Sichenzia Ross Friedman & Ference, of
Chris J. Hoofnagle & a., of
Scott H. Harris, of
John M. Healy and Jordan G. Ulery, appearing pursuant to
Supreme Court Rule 33(2), by brief, for the New Hampshire League of
Investigators, Inc., as amicus curiae.
DALIANIS, J. Pursuant to Supreme Court Rule 34, the United States District
Court for the District of New Hampshire (Barbadoro, C.J.) certified to
us the following questions of law:
1. Under the common law of New Hampshire and in light of the undisputed
facts presented by this case, does a private investigator or information broker
who sells information to a client pertaining to a third party have a cognizable
legal duty to that third party with respect to the sale of the information?
2. If a private investigator or information broker obtains a person’s social
security number from a credit reporting agency as a part of a credit header
without the person’s knowledge or permission and sells the social security
number to a client, does the individual whose social security number was sold
have a cause of action for intrusion upon her seclusion against the private
investigator or information broker for damages caused by the sale of the
information?
3. When a private investigator or information broker obtains a person’s work
address by means of a pretextual telephone call and sells the work address to a
client, does the individual whose work address was deceitfully obtained have a
cause of action for intrusion upon her seclusion against the private
investigator or information broker for damages caused by the sale of the
information?
4. If a private investigator or information broker obtains a social security
number from a credit reporting agency as a part of a credit header, or a work
address by means of a pretextual telephone call, and then sells the
information, does the individual whose social security number or work address
was sold have a cause of action for commercial appropriation against the
private investigator or information broker for damages caused by the sale of
the information?
5. If a private investigator or information broker obtains a person’s work
address by means of a pretextual telephone call, and then sells the
information, is the private investigator or information broker liable under
N.H. Rev. Stat. Ann. § 358-A to the person it deceived for damages caused by
the sale of the information?
For the reasons expressed below, we respond to the first, second and fifth
questions in the affirmative, and the third and fourth questions in the
negative.
I. Facts
We adopt the district court’s recitation of the facts. Docusearch, Inc. and
Wing and a Prayer, Inc. (WAAP) jointly own and operate an Internet-based investigation
and information service known as Docusearch.com. Daniel Cohn and Kenneth Zeiss
each own 50% of each company’s stock. Cohn serves as president of both
companies and Zeiss serves as a director of WAAP. Cohn is licensed as a private
investigator by both the State of
On July 29, 1999,
Later that same day, Youens again contacted Docusearch and placed an order
for Boyer’s social security number (SSN), paying the $45 fee by credit card. On
August 2, 1999, Docusearch obtained Boyer’s social security number from a
credit reporting agency as a part of a "credit header" and provided
it to Youens. A "credit header" is typically provided at the top of a
credit report and includes a person’s name, address and social security number.
The next day, Youens placed an order with Docusearch for Boyer’s employment
information, paying the $109 fee by credit card, and giving Docusearch the same
phone number he had provided originally. Docusearch phone records indicate that
Zeiss placed a phone call to Youens on August 6, 1999. The phone number used
was the one Youens had provided with his follow-up inquiry regarding Boyer’s
birth date. The phone call lasted for less than one minute, and no record
exists concerning its topic or whether Zeiss was able to speak with Youens. On
August 20, 1999, having received no response to his latest request, Youens
placed a second request for Boyer’s employment information, again paying the
$109 fee by credit card. On September 1, 1999, Docusearch refunded Youens’
first payment of $109 because its efforts to fulfill his first request for
Boyer’s employment information had failed.
With his second request for Boyer’s employment information pending, Youens
placed yet another order for information with Docusearch on September 6, 1999.
This time, he requested a "locate by social security number" search
for Boyer. Youens paid the $30 fee by credit card, and received the results of
the search – Boyer’s home address – on September 7, 1999.
On September 8, 1999, Docusearch informed Youens of Boyer’s employment
address. Docusearch acquired this address through a subcontractor, Michele
Gambino, who had obtained the information by placing a "pretext"
telephone call to Boyer in
On October 15, 1999, Youens drove to Boyer’s workplace and fatally shot her
as she left work. Youens then shot and killed himself. A subsequent police
investigation revealed that Youens kept firearms and ammunition in his bedroom,
and maintained a website containing references to stalking and killing Boyer as
well as other information and statements related to violence and killing.
II. Question 1
All persons have a duty to exercise reasonable care not to subject others to
an unreasonable risk of harm. See Walls v. Oxford Management Co.,
137 N.H. 653, 656 (1993). Whether a defendant’s conduct creates a risk of harm
to others sufficiently foreseeable to charge the defendant with a duty to avoid
such conduct is a question of law, Iannelli v. Burger King Corp., 145
N.H. 190, 193 (2000), because "the existence of a duty does not arise
solely from the relationship between the parties, but also from the need for
protection against reasonably foreseeable harm." Hungerford v. Jones,
143 N.H. 208, 211 (1998) (quotation omitted). Thus, in some cases, a party’s
actions give rise to a duty. Walls, 137 N.H. at 656. Parties owe a duty
to those third parties foreseeably endangered by their conduct with respect to
those risks whose likelihood and magnitude make the conduct unreasonably
dangerous. Hungerford, 143 N.H. at 211.
In situations in which the harm is caused by criminal misconduct, however,
determining whether a duty exists is complicated by the competing rule
"that a private citizen has no general duty to protect others from the
criminal attacks of third parties." Dupont v. Aavid Thermal
Technologies, 147 N.H. 706, 709 (2002). This rule is grounded in the
fundamental unfairness of holding private citizens responsible for the
unanticipated criminal acts of third parties, because "[u]nder all
ordinary and normal circumstances, in the absence of any reason to expect the
contrary, the actor may reasonably proceed upon the assumption that others will
obey the law." Walls, 137 N.H. at 657-58 (quotation omitted).
In certain limited circumstances, however, we have recognized that there are
exceptions to the general rule where a duty to exercise reasonable care will
arise. See Dupont, 147 N.H. at 709. We have held that such a duty
may arise because: (1) a special relationship exists; (2) special circumstances
exist; or (3) the duty has been voluntarily assumed.
Thus, if a private investigator or information broker’s (hereinafter
"investigator" collectively) disclosure of information to a client
creates a foreseeable risk of criminal misconduct against the third person
whose information was disclosed, the investigator owes a duty to exercise
reasonable care not to subject the third person to an unreasonable risk of
harm. In determining whether the risk of criminal misconduct is foreseeable to
an investigator, we examine two risks of information disclosure implicated by
this case: stalking and identity theft.
It is undisputed that stalkers, in seeking to locate and track a victim,
sometimes use an investigator to obtain personal information about the victims.
See Note, Stalking Humans: Is There A Need For Federalization Of
Anti-Stalking Laws In Order To Prevent Recidivism In Stalking?, 50 Syracuse
L. Rev. 1067, 1075 (2000) (discussing two high profile California cases where
the stalkers used investigators to obtain their victims’ home addresses).
Public concern about stalking has compelled all fifty States to pass some
form of legislation criminalizing stalking. Approximately one million women and
371,000 men are stalked annually in the
Identity theft, i.e., the use of one person’s identity by
another, is an increasingly common risk associated with the disclosure of
personal information, such as a SSN. Komuves, We’ve Got Your Number: An
Overview of Legislation and Decisions to Control the Use of Social Security
Numbers as Personal Identifiers, 16 J. Marshall J. Computer & Info. L.
529, 534 (1998). A person’s SSN has attained the status of a quasi-universal
personal identification number.
Like the consequences of stalking, the consequences of identity theft can be
severe. The best estimates place the number of victims in excess of 100,000 per
year and the dollar loss in excess of $2 billion per year. LoPucki, Human
Identification Theory and the Identity Theft Problem, 80
The threats posed by stalking and identity theft lead us to conclude that
the risk of criminal misconduct is sufficiently foreseeable so that an
investigator has a duty to exercise reasonable care in disclosing a third
person’s personal information to a client. And we so hold. This is especially
true when, as in this case, the investigator does not know the client or the
client’s purpose in seeking the information.
III. Questions 2 and 3
A tort action based upon an intrusion upon seclusion must relate to
something secret, secluded or private pertaining to the plaintiff. Fischer
v. Hooper, 143 N.H. 585, 590 (1999). Moreover, liability exists only if the
defendant’s conduct was such that the defendant should have realized that it
would be offensive to persons of ordinary sensibilities.
In addressing whether a person’s SSN is something secret, secluded or
private, we must determine whether a person has a reasonable expectation of
privacy in the number. See Fischer, 143 N.H. at 589-90. SSNs are
available in a wide variety of contexts. Bodah v. Lakeville Motor Express
Inc., 649 N.W.2d 859, 863 (Minn. Ct. App. 2002). SSNs are used to identify
people to track social security benefits, as well as when taxes and credit
applications are filed. See Greidinger, 988 F.2d at 1352-53. In
fact, "the widespread use of SSNs as universal identifiers in the public
and private sectors is one of the most serious manifestations of privacy
concerns in the Nation."
Thus, while a SSN must be disclosed in certain circumstances, a person may
reasonably expect that the number will remain private.
Whether the intrusion would be offensive to persons of ordinary
sensibilities is ordinarily a question for the fact-finder and only becomes a
question of law if reasonable persons can draw only one conclusion from the
evidence. See Swarthout v. Mutual Service Life Ins. Co., 632
N.W.2d 741, 745 (Minn. Ct. App. 2001). The evidence underlying the certified
question is insufficient to draw any such conclusion here, and we therefore
must leave this question to the fact-finder. In making this determination, the
fact-finder should consider "the degree of intrusion, the context, conduct
and circumstances surrounding the intrusion as well as the intruder’s motives
and objectives, the setting into which he intrudes, and the expectations of
those whose privacy is invaded." Bauer v. Ford Motor Credit Co.,
149 F. Supp. 2d 1106, 1109 (D.
We next address whether a person has a cause of action for intrusion upon
seclusion where an investigator obtains the person’s work address by using a
pretextual phone call. We must first establish whether a work address is
something secret, secluded or private about the plaintiff. See Fischer,
143 N.H. at 590.
In most cases, a person works in a public place. "On the public street,
or in any other public place, [a person] has no legal right to be alone."
W. Page Keeton et al., Prosser and Keeton on the Law of Torts
§ 117, at 855 (5th ed. 1984).
A person’s employment, where he lives, and where he works are exposures
which we all must suffer. We have no reasonable expectation of privacy as to
our identity or as to where we live or work. Our commuting to and from where we
live and work is not done clandestinely and each place provides a facet of our
total identity.
Webb v. City of
IV. Question 4
"One who appropriates to his own use or benefit the name or likeness of
another is subject to liability to the other for invasion of his privacy."
Restatement (Second) of Torts § 652C at 380. In Hamberger, we
noted that the law of invasion of privacy consists of four separate causes of
action, including appropriation. Hamberger, 106 N.H. at 110-11. However,
we have not had occasion to recognize appropriation as a cause of action within
the State. We now hold that
Tortious liability for appropriation of a name or likeness is intended to
protect the value of an individual’s notoriety or skill. Thus, the Restatement
notes, in order that there may be liability under the rule stated in this
Section, the defendant must have appropriated to his own use or benefit the
reputation, prestige, social or commercial standing, public interest or other
values of the plaintiff’s name or likeness. The misappropriation tort does not
protect one’s name per se; rather it protects the value
associated with that name.
Matthews v. Wozencraft, 15 F.3d 432, 437 (5th Cir. 1994) (citation,
brackets and quotation omitted). Appropriation is not actionable if the
person’s name or likeness is published for "purposes other than taking
advantage of [the person’s] reputation, prestige or other value"
associated with the person. Restatement (Second) of Torts § 652C comment
d at 382-83. Thus, appropriation occurs most often when the person’s
name or likeness is used to advertise the defendant’s product or when the
defendant impersonates the person for gain. Matthews, 15 F.3d at 437; see
Restatement (Second) of Torts § 652C comment b at 381.
An investigator who sells personal information sells the information for the
value of the information itself, not to take advantage of the person’s
reputation or prestige. The investigator does not capitalize upon the goodwill
value associated with the information but rather upon the client’s willingness
to pay for the information. In other words, the benefit derived from the sale
in no way relates to the social or commercial standing of the person whose
information is sold. Thus, a person whose personal information is sold does not
have a cause of action for appropriation against the investigator who sold the
information.
V. Question 5
The last issue relates to the construction of the Consumer Protection Act,
RSA chapter 358-A. "On questions of statutory interpretation, this court
is the final arbiter of the intent of the legislature as expressed in the words
of a statute considered as a whole." Franklin Lodge of Elks v. Marcoux,
147 N.H. 95, 96 (2001) (quotation omitted). We begin by considering the plain
meaning of the words of the statute. Snow v. American Morgan Horse Assoc.,
141 N.H. 467, 471 (1996). In conducting our analysis "we will focus on the
statute as a whole, not on isolated words or phrases."
RSA 358-A:2 (1995) states, in pertinent part:
It shall be unlawful for any person to use . . . any unfair or deceptive act
or practice in the conduct of any trade or commerce within this state. Such . .
. unfair or deceptive act or practice shall include, but is not limited to, the
following:
. . .
III. Causing likelihood of confusion or of misunderstanding as to
affiliation, connection or association with . . . another.
Pretext phone calling has been described as the use of deception and
trickery to obtain a person’s private information for resale to others. See
Com. v. Source One Associates, Inc., 763 N.E.2d 42, 47-48 n.8 (
The defendant argues that our holding in Snow bars recovery in cases
such as this because an investigator who makes a pretextual phone call to
obtain information for sale does not conduct any "trade" or
"commerce" with the person deceived by the phone call. The Consumer
Protection Act defines "trade" and "commerce" as including
"the advertising, offering for sale, sale, or distribution of any services
and any property . . . ." RSA 358-A:1, II. There is no language in the Act
that would restrict the definition of "trade" and
"commerce" to that affecting the party deceived by the prohibited
conduct. In fact, the Act explicitly includes "trade or commerce directly
or indirectly affecting the people of this state."
The defendant argues that a person deceived by a pretextual phone call lacks
standing to maintain a private cause of action under RSA chapter 358-A because
only a buyer or seller in privity with the defendant may recover under the
statute. We disagree. According to the statute, "[a]ny person
injured by another’s use of any method, act or practice declared unlawful under
this chapter may bring an action for damages . . . ." RSA 358-A:10
(emphasis added). The statute defines who may bring a private action broadly, Milford
Lumber Co. v. RCB Realty, 147 N.H. 15, 17 (2001), and by its plain meaning does
not limit the class of persons who have standing to those in privity with the
defendant.
We find support for this conclusion in the Massachusetts Consumer Protection
Act, which is similar in many respects to the
Accordingly, we conclude that an investigator who obtains a person’s work address
by means of pretextual phone calling, and then sells the information, may be
liable for damages under RSA chapter 358-A to the person deceived.
Remanded.
NADEAU and DUGGAN, JJ., concurred.
APPENDIX III
Statement
by Robert Douglas
Before the
Committee
on Banking and Financial Services
Hearing On
The Use Of
Deceptive Practices To Gain Access To
Personal
Financial Information
July 28,
1998
Introduction
Thank you, Mr. Chairman. My name is Robert Douglas and my firm is
Douglas Investigations. My firm provides
private investigative services to the
First, Mr. Chairman, let me state that I
appreciate the opportunity to appear before you to give my perspective on what
I believe to be one of the most significant problems facing our nation
today. I want to personally thank you
for your willingness and desire to address this serious issue and the time you
have invested on this problem. I am
aware from both the legislation you have introduced and your public comments
that you share my concerns about maintaining citizen’s financial privacy. I particularly want to thank your Committee’s
staff, and specifically David Cohen, for the time they have invested with me
discussing this problem.
Mr. Chairman, I also would like to single
out for recognition your administrative assistant, Bill Tate, for his
assistance in getting this critical issue before you and the Committee. When I first approached Bill with my concerns
about this subject, he immediately recognized this as an issue worthy of you
and your Committee’s attention and moved quickly to bring it before you. For that I am thankful and I believe the
American people will be thankful when they learn the scope and dimensions of
the problem we are hear today to discuss.
All across the
The types of financial information for
sale include: Private bank account
numbers and balances; stock, bond and mutual fund holdings including the number
of shares held; insurance policy data including the types of insurance
maintained and the amount or value of the policy; credit card information
including account numbers, size of credit lines, and transaction details including
specific purchases.
While the theft and sale of this
information is occurring on a daily basis, much of societies focus on privacy
as it relates to personal information has been concentrated elsewhere. To date, the majority of public scrutiny has
been on issues related to basic data collected via the Internet and the
explosion of information that is collected everyday as part of routine
commercial transactions.
Issues such as the mass collection of
citizens social security numbers, home addresses, phone numbers, and purchasing
preferences by retailers have dominated the debate. As part of this debate we routinely hear and
read of generic “what ifs...” and concerns that “sometime in the near future” a
citizen’s most privately held information will be easily obtained by anyone
willing to pay for it.
Mr. Chairman, I am here today to tell you
that we passed that point long ago and somehow it seems no one noticed.
The
By
“Information Brokers”
Currently, thousands of information
brokers and private investigators are advertising their ability to locate
citizen’s personal financial information.
The advertisements almost uniformly refer to “bank account searches” and/or
“asset investigations”. These advertisements
can be found in legal and investigative trade journals, general circulation
newspapers, the yellow pages, and on the World Wide Web.
The genesis of this specialty niche within
the information industry is a growing black market that has developed to sell
financial and other forms of personal information. As with most black markets, there needs to be
a seller of a commodity that can’t be obtained through normal channels and a
buyer interested in that commodity. In
this case the sellers are private investigators and information brokers, who I
will collectively refer to as brokers, who have perfected a technique they call
“pretexting”. The commodity is private
financial information. Originally, and
to a great extent still, the buyers were lawyers looking to seize assets of
individuals with unsatisfied judgments.
I do not want to mislead the Committee on
this point. There is a substantial
problem in this country concerning the ability of successful parties to a
lawsuit ever collecting the monetary awards from the opposing party. There are millions of uncollected judgments
representing billions of uncollected dollars in the
Even if, for arguments sake, all brokers
were only providing financial information obtained through pretext to attorneys
holding lawful judgments as a means to assist in the collection on those
judgments, it would still be a gross violation of privacy and in many states a
violation of the law. In other words, in
a society governed by law, the end cannot justify the means.
Yet this is the very argument that many
brokers I have talked to make. Their
position is that there is nothing wrong with what they do. They see themselves as financial bounty
hunters filling a demand for information on where individuals have secreted
their money. Time and again in numerous
conversations I have had with brokers around the country I have heard the
following two positions argued as a justification of the services they
sell.
The primary position is that it is not
against the law to obtain private financial information. In the materials I have provided the
Committee there are two specific examples of this declaration. One is direct and the other is by
inference. The first is a broker
assuring the viewers of the web page that it is legal to obtain financial
information. The second is a law firm
newsletter on the web where they advise their readers and clients that they use
brokers to locate bank accounts and that they will assist their clients in
hiring brokers to do the same.
In furtherance of this position that what
they do is legal, brokers argue that there is no federal law prohibiting a
private citizen from obtaining the financial information of another private
citizen. The brokers, and in some
instances their corporate attorneys, have told me that federal laws in this
area relate only to the government’s access to a citizen’s financial
information. I would like to note that
these very brokers and their attorneys appear to be ignoring existing state
laws in many instances.
The second position brokers advance is
that “pretexting”, which I will discuss in more detail shortly, is perfectly
legal. The argument goes like this. “If the bank is stupid enough to tell me the
information, that’s the banks problem--not mine.”
The
Extent of the Problem
Five years ago there were a small number
of these brokers actively advertising their “asset location” services. The advertisements at that time were largely
confined to legal and investigative trade journals, as the target markets were
lawyers and creditors who had judgments that had remained uncollected.
Today, there are literally hundreds of
brokers advertising around the
The results are a combination of
information brokers and traditional private investigators. Each of these firms is advertising to other
private investigators, information resellers, attorneys, and often the general
public. Even the firms that are publicly
stating that they are not selling to the public will gladly sell to a private
investigator without any ability to control where the data will go from there. The end result is that thousands of
investigators, brokers, and in many cases individual consumers can now purchase
the personal financial information of any citizen in the
To further illustrate to the Committee the
scope of the problem we are discussing today I would like to point out another
fact. By just examining two of the forty
companies I have provided the Committee with web pages for, Noble Assets and
The Pathfinder Group, you will see that they claim to have located over 1.5
billion dollars in assets. If we take
them at their word, or even if we divide that number by a factor of two, the
scope of the dilemma is staggering.
Identity
Theft and Pretexting
The means by which private financial
information is most commonly obtained is identity theft. The financial data is obtained by the broker
under false pretenses. The most common
method of identity theft used to obtain privately held financial information is
for the broker to obtain through currently legal means enough biographical
information on the target of the investigation to be able to falsely pretend
that he, the broker, is the actual owner of the information sought after. Having convinced the financial institution by
false pretenses that he, the broker, is actually the institution’s client, the
institution is only too happy to provide whatever information is
requested.
The following is a basic example of this
method. Bob Smith is the holder of a
bank account at USA Bank. Joe Info
Broker obtains from one of dozens of lawful databases, many of which can be found
on the Internet, Mr. Smith’s full name, social security number, address, and
date of birth. Joe Broker then starts
calling banks in Mr. Smith’s neighborhood posing as someone who has received a
check from Mr. Smith. When Joe Broker
finds a bank that confirms that Mr.Smith has an account, Joe Broker hangs
up. Joe Broker then calls back and
identifies himself to the bank as Mr. Smith.
The bank, for security reasons, asks for personal information that the
bank mistakenly believes only Mr. Smith would know. Joe Broker armed with Mr. Smith’s
biographical data is able to convince the bank that he is actually Mr.
Smith. The bank then provides Joe Broker
with any information he requests on Mr. Smith’s account.
A second method is for the broker to falsely
convey to the target of the asset investigation that he, the broker, is an
employee of a legitimate financial institution or company. Having gained the confidence of the target,
the broker induces the target to provide his or her own financial data.
The following is a basic example of this
second method. Joe Info Broker, having
determined Sally Senior Citizen’s bank by the means outlined above, calls Sally
Senior Citizen at home and pretends to be an employee of the bank. Joe Broker tells Sally that there is some
confusion with her account and that they can clear it up on the phone if she
goes and gets her checkbook. Sally
wanting to avoid a trip to the bank complies.
Joe Broker having gained Sally’s confidence gets her to read her account
number to him as a means of “confirmation”.
Joe then gets Sally to tell him what her balance is so “the bank” can be
sure its records are accurate. Sally
complies. Joe Broker now has Sally’s
banking information.
These are just two of many methods that I
have uncovered. I note that the
Committee will hear today from an information broker, Al Schweitzer, and I
suspect that Mr. Schweitzer will be able to provide other techniques commonly
in use. However, at the core of any of
these techniques is identity theft.
Private investigators and information
brokers who obtain these types of information by the above methods prefer to
call it “pretexting”. While pretexting
is a commonly accepted investigative technique, I believe it is more properly
classified as fraud when it rises to the level of identity theft as outlined
above.
Pretexting is a traditional, accepted
investigative technique within the investigative trade. The technique of pretexting is to either
intentionally induce or allow another party to believe the investigator is
someone they are not. The goal being
that the individual being pretexted will drop their guard and reveal
information that they would not if they knew the true identity of the
investigator. This technique is routinely
used by both law enforcement and private investigators.
An example of traditional pretexting would
be to pose by phone as a generic delivery person with a package for Mr. Jones
as a method to determine if Mr. Jones is home so that a subpoena could be
served or a warrant executed. A second
example would be to pose as an “old school friend” in order to find the current
address of Mr. Jones from Mr. Jones’ parents.
The goal again being to learn the public address of Mr. Jones so that
lawful process can be carried out.
The difference between true pretexting and
identity theft is simple. In pretexting,
the investigator poses as a generic individual or company in order to obtain
public, non-protected information such as an address, name of a witness or
relative. Identity theft is the use of
the targets personal and biographical information to impersonate the target as
a means to obtain the target’s private, protected information.
Creditor
Networks and “Sources”
While I believe identity theft is
currently the most common method being used by information brokers today, and
is almost always used to gain the balance of a financial account, it is not the
only method.
Creditor networking as a means of
obtaining personal financial information is another method used by
brokers. This method consists of a
broker calling companies that have made inquiries on a target’s credit report
in order to learn what biographical and financial information that company
maintains on the target. The broker will
offer to exchange data in the broker’s possession or promise to call back with
information developed as a means to induce the company to provide personal data
on the target. By calling one or more
companies the broker begins to piece together the financial profile of the
subject in order to then sell that information to the broker’s client.
<