House Committee Talks Data Breach Notification
In his opening statement, committee chairman Michael G. Oxley, R-OH, said consumers needed to receive notice when sensitive information has been compromised and is likely to be misused, but he urged caution.
"One of my concerns in this regard is that given the dramatic rise in recent reports on data breaches, there will be a headlong rush toward notification in every instance," he said. "When no evidence surfaces to indicate that their information has been misused, consumers may begin to ignore these notices as just that many more pieces of unsolicited junk mail."
Committee member Paul E. Gillmor, R-OH, echoed Oxley's sentiments and called for guidelines covering when breaches require notification.
Testifying at the hearing were representatives from firms that have revealed data breaches this year, incidents that have spurred several congressional hearings and federal bills.
ChoicePoint initially notified 35,000 California consumers that their information may have been accessed in late January as required by state law. On Feb. 16, it said another 110,000 letters involving the fraud would be sent nationwide.
Don McGuffey, ChoicePoint senior vice president for data acquisition and strategy, began his testimony with an apology and went on to outline ChoicePoint's support for some regulation of data brokers. He said the company supports independent oversight and accountability for those handling personal information; a preemptive federal law requiring notice of data breaches; consumer access to public records; and restriction of the display of Social Security numbers.
Similarly, LexisNexis president/CEO Kurt P. Sanford listed the legislative issues his firm supports. On March 9, LexisNexis said personal information of 32,000 consumers had been accessed through misappropriation of legitimate customer identifications and passwords from its Seisint database. After an internal investigation, it announced April 12 that another 280,000 consumers were at risk.
Like ChoicePoint, LexisNexis advocates data security breach notification in cases of substantial risk of harm, Sanford testified. The company also called for the adoption of data security safeguards and increased penalties for identity theft and other cyber crimes.
Barbara J. Desoer, executive vice president, global technology, service and fulfillment executive, Bank of America Corporate Center, testified that Bank of America thinks certain principles must be considered as the legislative process continues. Desoer said Bank of America backed breach notification for incidents that reasonably could lead to consumer harm.
Bank of America revealed the loss of tapes containing data on 1.2 million government credit cardholders in late February.
The sentiments expressed by the representatives and executives about notification were seemingly at odds with a revised bill introduced April 13 by Sen. Dianne Feinstein, D-CA. That bill requires mandatory notification when sensitive data are breached, and the revision adds provisions that close loopholes exempting encrypted data and that specify the contents of the notices.
Kristen Bremner covers list news, insert media, privacy and fundraising for DM News and DMNews.com.