Executives of two major data brokers acknowledged to a Senate panel yesterday that their companies did not tell consumers about security breaches that occurred well before recent incidents exposed more than 400,000 people to possible identity theft.
ChoicePoint Inc. and LexisNexis also suffered breaches before passage of a California law in 2003 that requires companies doing business in the state to notify consumers that their data might be at risk, officials said. But the companies chose not to alert the public in those cases.
"Why not?" snapped Sen. Arlen Specter (R-Pa.), Judiciary Committee chairman.
"I can't explain it," replied Douglas C. Curling, president and chief operating officer of ChoicePoint.
"That's very, very disconcerting," Specter said.
Pressed by Sen. Dianne Feinstein (D-Calif.), Curling and Kurt P. Sanford, head of LexisNexis's corporate and federal markets group, agreed that were it not for the California law, consumers might never have been informed about more recent breaches.
Feinstein used the answers to bolster her push for a national notification law, which she has sponsored several times in the past few years and reintroduced Monday. Several similar bills have been proposed.
Security breaches at data brokers, banks and universities have focused attention on a booming marketplace for sensitive personal information that is routinely collected, sold and increasingly abused.
Witnesses warned the panel that data such as Social Security numbers are so heavily overused that the problem will be difficult to control. Personal data is for sale on the Internet and is available in public records in courthouses and other government offices.
"Both government and the private sector deserve a failing grade," said Robert Douglas, a privacy consultant and former private investigator.
Specter said he had little doubt that some kind of legislation would pass during the current session. But witnesses yesterday disagreed on several key points.
Federal Trade Commission Chairman Deborah Platt Majoras said companies should be able to forgo notifying consumers if the firms determine that identity theft is unlikely to result from breaches to their systems.
She said if a company had to tell consumers about every breach even if no data leaked out, consumers would become "numb" to the notices and ignore them. The data companies agree, saying they support national notification as long as they can determine that a breach is likely to result in identity theft.
Privacy advocates argue that this is a loophole and that companies often cannot tell whether data fell into the wrong hands. Feinstein's bill would not allow companies to make that determination.
Other congressional proposals include requiring data brokers to register with, and be regulated by, the FTC, and giving consumers the right to block the sale of their data.