Two captains of the information-broker industry told a congressional panel yesterday that they would support new regulations to better protect sensitive personal data that they collect and sell on virtually every adult American.
But the executives balked at what appears to be a growing bipartisan consensus among key House and Senate members that the sale of Social Security numbers for commercial purposes should be banned unless individuals give their permission.
Rep. Edward J. Markey (D-Mass.) says companies should extend consumers' credit-alert monitoring period. "What about lifetime monitoring?" he asks. "What about five years?"
(Chris Kleponis -- Bloomberg News)
Data Under Siege (The Washington Post, Mar 10, 2005)
When Your Identity Is Their Commodity (The Washington Post, Mar 6, 2005)
ChoicePoint Data Cache Became a Powder Keg (The Washington Post, Mar 5, 2005)
Databases Called Lax With Personal Information (The Washington Post, Feb 25, 2005)
ChoicePoint Victims Have Work Ahead (The Washington Post, Feb 23, 2005)
ID Data Conned From Firm (The Washington Post, Feb 17, 2005)
In Age of Security, Firm Mines Wealth Of Personal Data (The Washington Post, Jan 20, 2005)
"When my [Social Security] number and my information is routinely given out without my permission, it's just wrong," said Rep. Joe Barton (R-Tex.), who heads the House Energy and Commerce Committee. "And in the Internet age, it's dangerous."
Barton said Congress would probably consider a measure to require permission for the trading or sale of such data except to law enforcement agencies, in addition to other steps to increase oversight of the largely unregulated data-broker industry that has been rocked by a series of security breaches.
Last month, ChoicePoint Inc., one of the nation's largest brokers, announced that personal information on at least 145,000 consumers was bought from the company by thieves who masqueraded as legitimate business people.
Last week, LexisNexis Group, another big broker that specializes in business and legal data, announced that its systems had been penetrated by thieves who obtained data on 32,000 consumers.
Kurt Sanford, chief executive of LexisNexis Corporate and Federal Markets, endorsed a proposal by the head of the Federal Trade Commission, Deborah Platt Majoras, that would extend the same security guidelines to data brokers that financial institutions must follow.
Sanford also agreed with calls for a federal law requiring notification of consumers if their personal information has been obtained by thieves. Only California has such a law.
But Sanford said banning all sales of Social Security numbers would be a mistake, because "there are circumstances where the sale is in the consumers' best interests." For example, he said, independent investigative agencies might need such data to help fight identity fraud. Businesses, he added, need it to help collect unpaid debts.
Derek V. Smith, chief executive of ChoicePoint, agreed.
"I believe that only by adding a more formal structure to the current scheme of information use will we realize the value of technology-based tools to society," Smith said. Both he and Sanford used the hearing as a platform to apologize to consumers whose data have been compromised, and to assure Congress that they have tightened their systems to try to prevent such fraud.
But several members of the House subcommittee on commerce, trade and consumer protection were unimpressed by the companies' efforts.
Raising his voice in a series of rapid-fire questions, Rep. Edward J. Markey (D-Mass.) pressed Smith on whether he would lengthen the credit-alert monitoring period that ChoicePoint has offered to consumers whose information was stolen.
"What about lifetime monitoring?" Markey asked. "One year is not enough. What about five years? Can you guarantee that?" He said thieves might simply lie low for a year before trying to access consumers' accounts.
Smith, appearing rattled, said he would consider extending the service but refused to commit.