WASHINGTON -- LexisNexis and ChoicePoint took their lumps before Congress today after admitting to more customer data security breaches not previously disclosed by the data brokers.
The breakdowns all occurred prior to 2003, when a California state law began requiring brokers to disclose breaches to consumers.
While no numbers were disclosed to a testy Senate Judiciary Committee, the two companies said they did not inform consumers of the pre-2003 breaches.
Since 2003, compliance with the California law has resulted in a series of embarrassing public-data hijacking admissions. A little more than a year after the law went into effect, there have been at least 12 disclosed database breaches exposing more than 10 million people to possible identity theft.
Wednesday's new disclosures by LexisNexis and ChoicePoint added momentum to a growing consensus in Congress that a national disclosure law based on the California measure is needed.
"This is my point, if it weren't for the California law we would have no way of knowing breaches had occurred," Sen. Dianne Feinstein (D-Calif.) told the packed hearing. "We in no way shape or form are able to pierce the depth of what has happened in that industry [pre-2003]."
Feinstein is pushing a new bill she introduced earlier this week requiring a business or government agency to notify an individual in writing or by e-mail when it is believed that personal information has been compromised.
Sen. Charles Schumer (D-N.Y.) is stumping for his own version of the same bill, but to also establish tougher regulations for the data brokers themselves.
"We would actually regulate the use of people's personal data," he said.
Included in Schumer's legislation is a disclosure provision for any company that plans to sell or transfer personal data. Modestly touting the provision as a "Schumer Box," the disclosure would let consumers know "this information may be sold or given to an unaffiliated third party without your additional consent."
On the Republican side, Sen. Arlen Specter (R-Penn.) predicted, "I believe there will be some firm federal legislation coming out of this hearing."
Specter, chairman of the Judiciary Committee, grew particularly annoyed at an evasive ChoicePoint President and CEO Douglas C. Curling. Under a series of tough questions from Specter, Curling ultimately said he couldn't explain why his company chose not to make pre-2003 disclosures.
Specter grumbled that Curling's answer was "very, very disconcerting," growling "some tough legislation will have you do your duty."
The lawmakers' call for, at a minimum, a national disclosure law drew no opposition from LexisNexis, ChoicePoint and other witnesses at the hearing, including the Federal Trade Commission (FTC), the FBI and the Secret Service.
Curling said ChoicePoint's position was "clear and unequivocal" in support of national disclosure. Kurt P. Sanford, president and CEO of LexisNexis' U.S. and corporate markets, echoed Curling's support, although both urged that any national law pre-empt state laws.
Vermont Attorney General William H. Sorrell urged the lawmakers not to make any law pre-emptive of state laws.
"The time for federal action is now," he said. "I hope Congress will follow the lead of California, but make [a new law] a floor and not a ceiling."
Feinstein objected to that notion, saying, "Different standards for notification make it difficult. It seems to me it needs to be the same."
LexisNexis' Sanford also made a distinction about when consumers need to be informed of a data breach, suggesting notification is only necessary "when there is a substantial risk of harm to consumers."
FTC Chairman Deborah Majoris agreed with Sanford.
"Eventually consumers will become numb if they are continuously notified of every breach," she said.