the information the government can access, on who gets the information and on what they can do with it," Rose said.

Zadra has a different view.

"If I could monitor everywhere you went by your expenditures, I could understand [the concern]," he said. "But we don't have access to that information."

A Secure Situation

Perhaps a larger problem is the data's security in the hands of the data brokers. When ChoicePoint was duped, it put nearly 145,000 people at risk of identity fraud. That incident, and others like it, stimulated interest in legislation to restrict data aggregators.

Some states -- including California, Washington, Arkansas, Georgia, Montana and North Dakota -- already have laws that penalize companies for failing to alert customers that their personal or financial information has been lost or stolen. Indiana just passed legislation that would alert residents if their Social Security numbers had been divulged, and legislation in Florida, if signed by the governor, would impose a $1,000 fine for each day of the first month that a company fails to disclose a data breach. For each month thereafter, the company would pay a $50,000 fine.

At the federal level, legislation proposed by U.S. Sens. Patrick Leahy, D-Vt., and Arlen Specter, R-Pa., would restrict the sale or publication of Social Security numbers and prohibit businesses from requiring Social Security numbers except in a few circumstances.

For its part, ChoicePoint says it now takes unprecedented steps to protect its databases. The company recently created an independent Credentialing, Compliance and Privacy office, and hired Carol DiBattiste as its chief officer. DiBattiste is a former prosecutor, former undersecretary of the Air Force, and most recently worked for the Department of Homeland Security on transportation security.

She said the information ChoicePoint provides to law enforcement agencies lets them link one bad person to another and could help uncover a terrorist group. That said, the company does restrict who has access to personally identifiable information and how they will get it.

ChoicePoint limited its business to customers that fall into just three categories. The potential buyer's product must support consumer-driven transactions, such as insurance, banking and mortgage lending; be used for fraud detection or as an authentication tool for insurance, banking or mortgage lending entities; or be used by law enforcement.

ChoicePoint now authenticates the customer with a personal visit, something that wasn't done before. "That's one procedure to help tighten the credentialing procedure," DiBattiste said. "We will use many sources to verify customer authenticity, to verify they are who they say they are. We've also tightened our user ID and password protections."

The company hired consultants to help DiBattiste develop a best practices study. "At the end of the day, they'll help me do the framework for my compliance program, which I'll be instituting corporatewide," she said.

That probably won't be enough to stave off federal legislation protecting personal data, which Strickland said is due.

"This is very valuable information that could contribute significantly to homeland security, and we would be foolish not to take advantage of it," Strickland said. "At the same time, we have to have policies in place to make certain we don't become a surveillance state or a police state."

Strickland said the Privacy Act, which developed a framework in 1974 for the control of personal information held by the federal government following Watergate and other FBI excesses, might be out of date and not applicable under some of these circumstances.

"If the government receives this information, it becomes subject to the Privacy Act," Strickland said. "That's my view as a lawyer, but you have people making arguments, for one reason or another, that it doesn't." He said the courts have generally upheld those arguments and

Jim McKay, Justice and Public Safety Editor