Executives of two major data brokers acknowledged to a Senate panel yesterday
that their companies did not tell consumers about security breaches that
occurred well before recent incidents exposed more than 400,000 people to
possible identity theft.
ChoicePoint Inc. and LexisNexis also suffered breaches before passage of a
California law in 2003 that requires companies doing business in the state to
notify consumers that their data might be at risk, officials said. But the
companies chose not to alert the public in those cases.
"Why not?" snapped Sen. Arlen Specter (R-Pa.), Judiciary Committee chairman.
"I can't explain it," replied Douglas C. Curling, president and chief
operating officer of ChoicePoint.
"That's very, very disconcerting," Specter said.
Pressed by Sen. Dianne Feinstein (D-Calif.), Curling and Kurt P. Sanford,
head of LexisNexis's corporate and federal markets group, agreed that were it
not for the California law, consumers might never have been informed about more
recent breaches.
Feinstein used the answers to bolster her push for a national notification
law, which she has sponsored several times in the past few years and
reintroduced Monday. Several similar bills have been proposed.
Security breaches at data brokers, banks and universities have focused
attention on a booming marketplace for sensitive personal information that is
routinely collected, sold and increasingly abused.
Witnesses warned the panel that data such as Social Security numbers are so
heavily overused that the problem will be difficult to control. Personal data is
for sale on the Internet and is available in public records in courthouses and
other government offices.
"Both government and the private sector deserve a failing grade," said Robert
Douglas, a privacy consultant and former private investigator.
Specter said he had little doubt that some kind of legislation would pass
during the current session. But witnesses yesterday disagreed on several key
points.
Federal Trade Commission Chairman Deborah Platt Majoras said companies should
be able to forgo notifying consumers if the firms determine that identity theft
is unlikely to result from breaches to their systems.
She said if a company had to tell consumers about every breach even if no
data leaked out, consumers would become "numb" to the notices and ignore them.
The data companies agree, saying they support national notification as long as
they can determine that a breach is likely to result in identity theft.
Privacy advocates argue that this is a loophole and that companies often
cannot tell whether data fell into the wrong hands. Feinstein's bill would not
allow companies to make that determination.
Other congressional proposals include requiring data brokers to register
with, and be regulated by, the FTC, and giving consumers the right to block the
sale of their data.