Consumers Not Told Of Security Breaches, Data Brokers Admit

Senators Push for Notification Law

By Jonathan Krim
Washington Post Staff Writer
Thursday, April 14, 2005; Page E05

Executives of two major data brokers acknowledged to a Senate panel yesterday that their companies did not tell consumers about security breaches that occurred well before recent incidents exposed more than 400,000 people to possible identity theft.

ChoicePoint Inc. and LexisNexis also suffered breaches before passage of a California law in 2003 that requires companies doing business in the state to notify consumers that their data might be at risk, officials said. But the companies chose not to alert the public in those cases.

"Why not?" snapped Sen. Arlen Specter (R-Pa.), Judiciary Committee chairman.

"I can't explain it," replied Douglas C. Curling, president and chief operating officer of ChoicePoint.

"That's very, very disconcerting," Specter said.

Pressed by Sen. Dianne Feinstein (D-Calif.), Curling and Kurt P. Sanford, head of LexisNexis's corporate and federal markets group, agreed that were it not for the California law, consumers might never have been informed about more recent breaches.

Feinstein used the answers to bolster her push for a national notification law, which she has sponsored several times in the past few years and reintroduced Monday. Several similar bills have been proposed.

Security breaches at data brokers, banks and universities have focused attention on a booming marketplace for sensitive personal information that is routinely collected, sold and increasingly abused.

Witnesses warned the panel that data such as Social Security numbers are so heavily overused that the problem will be difficult to control. Personal data is for sale on the Internet and is available in public records in courthouses and other government offices.

"Both government and the private sector deserve a failing grade," said Robert Douglas, a privacy consultant and former private investigator.

Specter said he had little doubt that some kind of legislation would pass during the current session. But witnesses yesterday disagreed on several key points.

Federal Trade Commission Chairman Deborah Platt Majoras said companies should be able to forgo notifying consumers if the firms determine that identity theft is unlikely to result from breaches to their systems.

She said if a company had to tell consumers about every breach even if no data leaked out, consumers would become "numb" to the notices and ignore them. The data companies agree, saying they support national notification as long as they can determine that a breach is likely to result in identity theft.

Privacy advocates argue that this is a loophole and that companies often cannot tell whether data fell into the wrong hands. Feinstein's bill would not allow companies to make that determination.

Other congressional proposals include requiring data brokers to register with, and be regulated by, the FTC, and giving consumers the right to block the sale of their data.

© 2005 The Washington Post Company