February 23, 2008
Worker Snooping on Customer Data Common
By THE ASSOCIATED PRESS
Filed at 7:41 a.m. ET
MADISON, Wis. (AP) -- A landlord snooped on tenants to find out information about their finances. A woman repeatedly accessed her ex-boyfriend's account after a difficult breakup. Another obtained her child's father's address so she could serve him court papers.
All worked for Wisconsin's largest utility, where employees routinely accessed confidential information about acquaintances, local celebrities and others from its massive customer database.
Documents obtained by The Associated Press in an employment case involving Milwaukee-based WE Energies shine a light on a common practice in the utilities, telecommunications and accounting industries, privacy experts say.
Vast computer databases give curious employees the ability to look up sensitive information on people with the click of a mouse. The WE Energies database includes credit and banking information, payment histories, Social Security numbers, addresses, phone numbers, and energy usage. In some cases, it even includes income and medical information.
Experts say some companies do little to stop such abuses even though they could lead to identity theft, stalking and other privacy invasions. And companies that uncover violations can keep them quiet because in many cases it is not illegal to snoop, only to use the data for crimes.
''The vast majority of companies are doing very little to stop this widespread practice of snooping,'' said Larry Ponemon, a privacy expert who founded The Ponemon Institute, a Traverse City, Mich.-based think tank.
Jim Owen, spokesman for the Edison Electric Institute, a lobbying association that represents utilities, disputed suggestions the problem was common in the industry.
''I am not aware of any other situation that has arisen in the utility sector,'' he said.
Companies generally avoid talking about snooping or any measures they've taken to prevent it.
Scott Reigstad, a spokesman for Madison, Wis.-based Alliant Energy, which has one million electric and 420,000 natural gas customers in Iowa, Wisconsin and Minnesota, said his company has safeguards in place to stop misuse but does not discuss them publicly.
''We haven't had any issues that we're aware of,'' he said.
Jay Foley, executive director of the Identity Theft Resources Center, said state regulators and lawmakers must step in if companies are not guarding their customer information responsibly.
''Something needs to be done at the state level to make sure this is illegal,'' he said.
He said more companies have to start using software that can track each customer account that employees access.
WE Energies says it has taken numerous steps to stop the problem but even so detecting misuse can be difficult. That's because it is hard to discern the legitimate access of customer information from employees looking for curiosity.
''People were looking at an incredible number of accounts,'' Joan Shafer, WE Energies' vice president of customer service, said during a sworn deposition last year. ''Politicians, community leaders, board members, officers, family, friends. All over the place.''
Her testimony came in a legal case involving an employee who was fired in 2006 for repeatedly accessing information about her ex-boyfriend and another friend. An arbitrator in November upheld the woman's firing. The AP reviewed testimony and documents made public as part of the case.
The misuse came to light in 2004 when an employee helped leak information to the media during a heated race for Milwaukee mayor that a candidate, acting Mayor Marvin Pratt, was often behind in paying his heating bills. Pratt lost to the current mayor, Tom Barrett.
Pratt said he's convinced the disclosure cost him votes and unfairly damaged his reputation. Pratt said he recently met with top company executives and was satisfied it has stopped the problem as much as possible. He said he has dropped earlier plans to explore a lawsuit.
''They caught this and they are making corrections to it, which they should. But it never should have happened in the first place. Not just to me, but to anyone. They gave their employees too much latitude to access files.''
After the incident involving Pratt, the company fired the employee who leaked the information and vowed to crack down after finding others engaged in similar practices. But problems continued.
In all, the utility fired or disciplined at least 17 employees for breaking the policy between 2005 and 2007, according to testimony and company records. Another employee gained access to Pratt's account for no business purpose and was suspended in 2005 but kept her job.
Others looked up information on their bosses at WE Energies and local conservative radio host Mark Belling, who said he had never been told of the breach.
Ponemon said employees with access to vast amounts of customer information often see nothing wrong with looking up an individual out of curiosity, or in some cases, more sinister motives.
Governmental agencies have also struggled with the problem.
The IRS took 219 disciplinary actions, including firings and suspensions, against employees who browsed through confidential taxpayer information last year, according to the U.S. Treasury Inspector General for Tax Information. That was more than double the number the previous year.
Last month, the Minnesota Department of Public Safety said it disciplined two employees who accessed information on 400 residents from its driver's license database. The agency did not say what the discipline was because it continues to investigate. It said the employees were looking for their own entertainment, not any criminal motives.
WE Energies serves 1.1 million electric customers in Wisconsin and Michigan's Upper Peninsula and 1 million natural gas customers in Wisconsin.
Shafer said in an interview that the utility took steps to eliminate the practice and only one employee has been disciplined for violations in the last year.
After the 2004 incident, the company started checking who accessed high-profile customer accounts and requiring annual training on its policies.
Still, Shafer acknowledged in her deposition last year that it would be ''difficult, if not impossible'' to discover many instances of misuse.
Utility regulators in Michigan and Wisconsin said they had not been notified of the company's problems. They say they do not have any rules covering such misuse.
The head of the Wisconsin Citizens' Utility Board, which lobbies on behalf of utility customers, said he was ''shocked and dismayed'' to learn about the practice.
''The testimony is incredibly candid. I'm very surprised that utility employees were misusing this information,'' said executive director Charlie Higley. ''We hope WE Energies has taken steps to ensure that information is treated privately.''