The buying and selling of customer data is a multibillion-dollar, unregulated business that's growing larger by the day. Companies are selling information about you, and your company is probably selling data about its customers. Consumers are growing more concerned amid an endless string of data thefts and losses.

Want a list of 3,877 charity donors in Detroit? USAData will sell it to you for $465.24. How about 3,797 cat owners in Peoria? Available for $455.64. Interested in data on graduating high school seniors? The College Board sells that to 1,700 colleges and universities for 28 cents a kid. Then there are those who obtain cell phone and credit card records illegally and sell them to private investigators, law enforcement, and angry spouses planning a divorce.

It's a messy situation that's attracting the attention of legislators and government agencies. Businesses could find them- selves in a jam if they aren't careful how they buy, sell, and handle customer data; if they don't live up to their published privacy policies; and if they don't protect that data with ironclad security.

Taking The Fifth

Former data broker James Rapp testified last month before the U.S. House Energy and Commerce Committee about how easy it is to obtain telephone and credit card data by impersonating customers. Eleven others identified as data brokers refused to testify, invoking their right to not incriminate themselves.

U.S. Sen. Hillary Rodham Clinton, D.-N.Y., plans to introduce a "privacy rights" bill that would, among other things, protect phone records and require that consumers be notified when their personal information has been compromised. And in April, the Government Accountability Office, the investigative arm of Congress, issued a report that said data brokers often fail to follow privacy protection guidelines in the Privacy Act of 1974 when using information obtained from public sources.

Some data brokers are getting the message that changes are needed. ChoicePoint last year brought a spotlight to the industry's practices when it revealed it had previously sold information on 145,000 consumers to identity thieves posing as a legitimate business. Since then, ChoicePoint has restricted sales of personal information to supporting consumer-initiated events such as a job application or to large businesses that already have a relationship with the consumer. The company has abandoned some markets. It won't sell data to collection agencies, for instance, a move that cost it $15 million to $20 million in annual revenue. It also improved its screening of companies it sells data to, established procedures for auditing how clients use that data, and created a chief privacy officer post for the company and data privacy and security positions in each business unit, CPO Carol DiBattiste says.

Amid the bad publicity, ChoicePoint is shunning the label of data broker. "In my world, that's companies that aren't protecting the data or that are just selling data like phone numbers," DiBattiste says.

It's not just established data marketers like Acxiom, ChoicePoint, and LexisNexis that are under scrutiny. A growing number of online data brokers, financial services and media companies, charities, educational institutions, and even federal and state govern- ment agencies are buying and selling information on consumers. Publishing companies, including the parent of InformationWeek, buy and sell subscriber mailing lists.

Any company that buys and sells personal information on a per-name basis is a data broker, says Marc Rotenberg, executive director of the Electronic Privacy Information Center, an advocacy group. "In this environment, there's no transparency," Rotenberg says. "The individual whose records are being accessed has no interaction with the data broker."

The amount of consumer data for sale or freely available is vast, but hard numbers are hard to come by. Acxiom, one of the industry's largest marketing data and information management services companies, collects publicly available information such as property records, driver's license data, and professional license data from state and local governments.

Wanna Buy A Car?

Another example: Under the Massachusetts Freedom of Information Act, the state's Registry of Motor Vehicles must provide auto registration and driver's license data to anyone who asks for it. One of the largest buyers is R.L. Polk, which provides marketing prospect lists to the auto industry.

The government is one of the biggest customers of data brokers. The Internal Revenue Service and departments of Homeland Security, Justice, and State paid $30 million last year to data brokers. Sixty-nine percent was for law enforcement and 22% for counterterrorism, according to the GAO. The IRS last year signed a five-year, $200 million deal to tap into ChoicePoint's databases to locate assets of delinquent taxpayers.

Some consumer data is resold or distributed through chains of data brokers. Acxiom offers data and IT services that its customers use to develop telemarketing lists, identify prospects for credit card offers, screen prospective employees, and detect fraudulent transactions. About 20% of its $1.3 billion in annual sales comes from selling marketing data.

While the industry is unregulated, Acxiom's chief privacy officer, Jennifer Barrett, says data brokers increasingly must negotiate a growing number of peripheral regulations, such as the National Do Not Call Registry, anti-spam laws, and even privacy laws pertaining to video rentals. "There's also a growing amount of self-regulation," she says.

Acxiom developed its own grid-computing technology to help manage petabytes of data. Early this year Acxiom and storage technology vendor EMC established a partnership to accelerate the development of grid-based information management systems.

Acxiom also sells data to brokers such as USAData, which advertises privacy-compliant consumer and business mailing lists for rent on Google and Yahoo. Through USAData's portal, which is linked to Acxiom and Dun & Bradstreet databases, anyone with a credit card can buy marketing lists of consumers according to geography, demographics, and interests. USAData sales and marketing VP Dominic Le Claire says clients demand data that's not only well-targeted but complies with all do-not-call lists. "We consider ourselves a provider of quality privacy-assured data," he says.

But businesses must remember that this data is about people and needs to be handled carefully--and discarded when it becomes more of a liability than an asset. Take the case of Kate del Solar, who recently received a letter from Sacred Heart University alerting her that personal information, including her Social Security number, could be at risk for identity theft because of a breach of the school's computer system in May. Adding insult to injury, she isn't a student at the Fairfield, Conn., school--and never even applied.

A Sacred Heart spokeswoman says some 135,000 people were potentially affected by the security breach. The school may have obtained del Solar's data from the College Board, the consortium that administers the Scholastic Aptitude Test, but the spokeswoman isn't sure.

The College Board, which stopped providing Social Security numbers to schools in late 2002, about the time del Solar took the PSAT, provides 1,700 colleges and universities with lists of students who match requested PSAT and SAT test score ranges and other demographics, at a cost of 28 cents per student. Test-takers must give permission for their information to be distributed to schools.

"Some institutions will come in if they feel they're having a diversity problem on campus or meeting their numbers for a new initiative on campus, which might be a new major," says Mike Matthews, the College Board's associate director for recruitment services.

That doesn't make the del Solar family feel any better. Just days after Kate received her warning letter from Sacred Heart, her father, Bill, a U.S. Army civilian brigade safety officer at Fort Drum, N.Y., was notified by the Department of Veterans Affairs that his personal data was on a laptop stolen from the home of a VA analyst along with data on some 26.5 million personnel and spouses.

Today, the del Solars check their credit reports and credit card statements for hints of identity theft. "You have no choice," Bill del Solar laments. "You don't control your own information."