Communications Daily is a service of Warren Communications News.

Senators Tackle ID Theft, Promise Clampdown on Data Brokers

Democratic Sens. Schumer (N.Y.) and Nelson (Fla.) unveiled what they called the first comprehensive bill dealing with identity theft and then took up the issue in a Senate Judiciary Committee hearing Wed. In the past, the approach has been piecemeal and the nation hasn’t addressed the interplay among govt., citizens and information brokers “top to bottom,” Schumer said in a media briefing. Their legislation (S-768) proposes an FTC Office of ID Theft where citizens can go for help when personal information -- like Social Security numbers (SSN) and driver’s license numbers (DLN) -- is stolen.

Nelson said FTC Chmn. Deborah Majoras was “receptive” to the notion during a “prayer session” about the mounting reports of privacy breaches before the bill dropped. During her testimony later in the morning, Majoras still seemed keen on the idea though she hadn’t reviewed the measure. She said in her nearly one year on the job, she’s never turned down offers for more funding, and the bill’s provisions sound like an expansion of what her staff is already doing to combat ID thieves. She said the Commission has long been a clearinghouse for educational materials and more than 15,000 consumers contact them weekly for information on the subject. The FTC currently enforces a trio of laws that restrict the disclosure of consumer information and require companies to ensure the security and integrity of data: the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the FTC Act, Majoras said.

Schumer wanted Majoras to get back to him within a week with her thoughts on the measure, but she said that would be “a bit quick” given the flurry of activity surrounding this topic. She promised to review the document and respond promptly. “Information can be sold and it’s almost as valuable as gold,” Schumer emphasized, noting that the key is effectively regulating the sale of information without bringing commerce to a standstill. The revelation that the LexisNexis data breach may have affected more than 10 times the number of consumers initially thought was “just the beginning of a regular news story that you're going to hear,” Nelson warned (WID April 13 p4).

Under the measure, data merchants would be required to register with the FTC in the same way credit bureaus do and would be required to institute safeguards to prevent fraudulent access by unauthorized parties. Data merchants would be required to develop authentication processes for information brokers and to furnish customers with individualized passwords. The bill would allow consumers to obtain reports showing which data merchants have their information, and it mandates a correction process to fix errors and demands accuracy for their information. According to Schumer, any company collecting sensitive personal information with plans to transfer it to an unaffiliated entity would have to put a disclosure box on it, letting the customer know in plain English that “this information may be sold or given to an unaffiliated 3rd party without your additional consent.” Notification provisions in case of information breach are similar to the current Cal. state law that forced ChoicePoint to notify 145,000 customers in Feb. that their data might have been disclosed in an information breach. But the bill includes a new provision that allows any consumer notified of an information breach to request in writing that their information be expunged from the company’s database.

Sen. Feinstein (D-Cal.) also introduced a bill (S-751) this week that would ensure Americans are notified when their most personal data -- including SSN, DLN, state identification, bank account and credit card information -- is exposed in a breach that puts them at risk for ID theft. She said this legislation would require notification in writing or via e-mail when it’s believed that personal information has been compromised. The 2 exceptions are gathering personal information on written request of a law enforcement agency or when the action is for national security purposes. The measure addresses data whether or not electronic or encrypted and allows consumers to put themselves on a 7-year fraud alert, she said. The Cal. law covers only unencrypted data.

Committee Chmn. Specter (R-Pa.) agreed something has to be done on Capitol Hill: “It is my conclusion that we do need federal legislation, that there needs to be uniformity.” He told LexisNexis and ChoicePoint executives to expect some “tough legislation that will have you do your duty,” adding it was disconcerting that there were so many unknowns in both companies’ data breaches. “The time for government action is now,” seconded William Sorrell, pres. of the National Assn. of Attorneys General, who also testified: “We hope that the Congress will follow the lead of California and now 30 states that are considering disclosure laws.” He told lawmakers that if they did enact such a law, it should be “a floor, rather than a ceiling,” which would allow state legislators to build upon the mandate in ways they see fit. Feinstein took issue with this approach because it could, in effect, result in different standards for notification in every state. The govt. must be cautious to avoid creating a culture of over-notification, in which customers would become numb to notices if they're getting them every time an information broker notices irregular activity in a database, Majoras said. If there isn’t a clear risk to consumers, they shouldn’t be bothered.

LexisNexis CEO Kurt Sanford told lawmakers he recognized additional legislation may be necessary to improve data security and that his company supports several policy approaches. LexisNexis backs requiring notification concerning a security breach where there is substantial risk of harm to consumers, and he said it’s important that any such legislation contain federal preemption to ensure that companies can quickly and effectively notify individuals and not struggle with complying with multiple, potentially conflicting and inconsistent state laws. LexisNexis also strongly supports measures that impose more stringent penalties for ID theft and other cybercrimes.

In his testimony, James Dempsey, exec. dir. of the Center for Democracy & Technology (CDT), said: (1) Entities, including govt., holding personal data should be required to notify individuals in the event of a security breach. (2) Since notice kicks in after a breach, Congress should require entities that electronically store personal information to employ security safeguards similar to those required by the Cal. law and the regulations under Gramm-Leach-Bliley. (3) Congress should impose tighter controls on the sale, disclosure and use of SSN and should seek to break the habit of using SSN as an authenticator. (4) Lawmakers should address the federal govt.’s growing use of commercial databases, especially in the law enforcement and national security contexts. (5) Congress should examine the “fair information practices” that have helped define privacy in the credit and financial sectors and adapt them as appropriate to the data flows of this new technological and economic landscape.