WASHINGTON -- The chief executives of ChoicePoint and LexisNexis told a House panel today they supported federal legislation requiring data collection companies to notify consumers in the case of a security breach.
Currently, only California has such a law, but recent disclosures by ChoicePoint and LexisNexis that identity thieves gained access to their massive databases have brought a flurry of proposed legislation by lawmakers.
"We support requiring notification in the event of a security breach where there is substantial risk of harm to consumers," Kurt P. Sanford, LexisNexis' president and CEO, told the House Subcommittee on Commerce, Trade and Consumer Protection.
Derek Smith, president and CEO of ChoicePoint, testified he welcomed legislation to "provide appropriate regulation of our industry." Under questioning from the panel, Smith said he would support a federal disclosure law.
Last month, the Alpharetti, Ga.-based ChoicePoint said it was duped into selling personal data on approximately 145,000 U.S. citizens in all 50 states. ChoicePoint, the largest information broker in the United States, has more than 19 million records on Americans, containing everything from Social Security numbers to criminal records to DNA data.
The ChoicePoint revelations were followed by LexisNexis admitting to making available records from its Seisint division on 35,000 consumers to a criminal fraud ring that exploited the passwords of legitimate Seisint customers. Bank of America also said it recently misplaced backup tapes containing detailed financial information on 1.2 million federal government employees.
"The security breach that ChoicePoint discovered last fall in California has caused us to go through some serious soul searching at ChoicePoint," Smith said. "Beyond our apology, I want to assure the public and the members of this committee that we have moved aggressively to safeguard the information in our possession from future criminal theft."
Smith said ChoicePoint has discontinued the sale of data products containing Social Security numbers, drivers licenses and other sensitive data unless the information is needed to benefit the consumer, such as insurance, employment and tenant screening. It will also provide authentication or fraud prevention tools to governments and large corporate customers where consumers have existing relationships.
Marc Rotenberg, president of the Electronic Privacy Information Center, was unimpressed by the Choicepoint measures.
"Even their recent proposal to withdraw the sale of this information is not reassuring," he told the panel. "They have left a significant loophole that will allow them to sell data if they believe there is a consumer benefit."
Sanford said LexisNexis "sincerely" regretted the Seisint incident and is taking steps to assist the affected consumers.
"It is critical that any legislation being considered ensure that legitimate business, government agencies and other organizations continue to have access to identifying information that they depend on for important purposes, including fraud detection and prevention, law enforcement and other critical applications," he said.
Rep. Cliff Stearns (R-Fla.), chairman of the subcommittee, said the ChoicePoint and LexisNexis incidents are compelling congress to revisit some of the fundamental issues of an ongoing privacy debate in Washington.
"The commercialization, or monetizing, as some may suggest, of consumer data has made protecting it far more complex and important given its value in the wired marketplace," Stearns said. "At the same time, the ability to access much of this personal information facilitates legitimate commerce that benefits all of us."
Stearns added, "There is clearly a need to consider a comprehensive federal consumer notification requirement, a uniform national standard, so that jurisdictional issues don't cause unnecessary problems for consumers victimized by criminal activity."
Rep. Joe Barton (R-Tex.), chairman of the House Energy and Commerce Committee, said legislation is likely necessary to make data collection firms such as ChoicePoint "bear greater responsibility for the security and integrity" of information they sell.
"I believe we will need to consider whether there should be national standards for protecting consumers when their personal information is lost or wrongfully disclosed by a data broker,' Barton said. "To data brokers, we are not customers -- information about each of us is a product that is sold for many purposes, including marketing without our knowledge and consent."