Take 15 U.S.C. §1681b…Please (sorry, I couldn’t resist the Henny Youngman reference there). It regulates the sale of consumer reports which are essentially aggregated data. The sale of aggregated data is big business, and Data Aggregators serve a number of valuable functions. Their data allows us to apply for loans and mortgages, spend our business advertising $ effectively, ensure that our daycares aren’t employing pedophiles, etc. All due respect to Orwellian protestations (as they are valid), Data Aggregators play an important role in our society.
So we read with interest the investigative article detailing the sale of aggregated data to an identity theft ring by company owned by a well known Data Aggregator. The article chastises said Data Aggregator for having sold data to an un-vetted “vendor”, and regulators for having missed the signs, but we took away a different message: The regulatory environment controlling the sale of this data is convoluted. It would be challenging for any business to ensure compliance and consumer safety while executing a viable business model.
15 U.S.C.§1681b details the “permissible purposes of consumer reports” (i.e. when it is allowable to sell aggregated consumer data). While not a defense of the company involved in this particular situation, we do challenge you to read that U.S. Code, put yourself in the shoes of a Data Aggregator, and come up with a business model that allows you to vet all vendors, data requests, etc. in a cost effective manner with a 100% guarantee that a scam artist hasn’t infiltrated the ranks.
Fortunately, the mothers of the MiddleGate team taught us to never point out a problem without offering a solution. The MiddleGate model, developed to work in the world of HIPAA, may be a model for the future of the Data Aggregation industry. We believe this case points out that the future of Data Aggregators may not be in the sale of their data, but in the sale of the patterns their data matches to. We used the model to navigate the complex world of HIPAA in a cost effective manner, and the same could be done to navigate 15 U.S.C.§1681b knowing that it is unlikely there will be any meaningful regulatory reform in the near future. We used the model to share the knowledge our data conveyed without sharing underlying patient information. In short, we used the model to maintain privacy in a world clamoring for information.