Senators, FTC Call for ID Theft Legislation at Hearings
Prompted by recent high-profile consumer data breaches, the hearing was called to assess the state of data security, compliance with existing laws and the possible need for new legislation.
The breaches discussed in the hearing included the October discovery by Alpharetta, GA-based ChoicePoint Inc. that identity thieves had posed as legitimate businesses and accessed data on 145,000 consumers and this week's news of data thefts at Reed Elsevier's LexisNexis division and Retail Ventures Inc. subsidiary DSW Shoe Warehouse.
Sen. Patrick J. Leahy, D-VT, testified first and singled out Bank of America for its admission last month that some of its computer data tapes containing personal and account information for 1.2 million federal government charge card program customers were lost during shipment to a backup data center. Leahy also took other data stewards to task.
"The troubling events at ChoicePoint, Bank of America and now LexisNexis are a window on some of these weaknesses," he said. "ChoicePoint's bread-and-butter business includes identity verification and screening to help corporate America know its customers. Yet the company failed to know its own customers and sold personal information on at least 145,000 Americans to criminals posing as legitimate companies."
Leahy said Congress is examining the information-brokering industry and considering legislation.
FTC chairman Deborah Platt Majoras expressed some support for legislation in her testimony, especially in the areas of security and notice. She said the FTC supports notification of data breaches in instances where consumers are put at significant risk but said some small-scale breaches may not require it. She also said the FTC is investigating ChoicePoint, but would not elaborate when questioned.
Majoras also outlined the Fair Credit Reporting Act, the Gramm Leach Bliley Act and section five of the FTC Act prohibiting unfair and deceptive trade practices as existing legislation that regulates some data brokering.
Also making statements at the hearing were Sens. Jon Corzine, D-NJ, and Charles Schumer, D-NY, who both said they plan to introduce identity-theft legislation soon.
"The patchwork of state and federal laws don't do the job," Schumer said.
These new bills would join others introduced in Congress over the past few months, including one from Sen. Dianne Feinstein, D-CA, that would require mandatory notification when sensitive data are breached.
Companion bills were introduced March 3 in the Senate and House that would create new fair information practices and require information brokers to provide consumers with individual access to personally identifiable information and the right to correct information.
Sen. Bill Nelson, D-FL, introduced the Information Protection and Security Act, which also would require the FTC to devise and enforce rules for data brokers regarding security and customer screening. Rep. Edward Markey, D-MA, introduced the bill in the House. Reps. Jan Schakowsky, D-IL; Bennie G. Thompson, D-MS; and Rahm Emanuel, D-IL, are co-sponsors. If the legislation is enacted, the FTC would be required to issue the new rules in six months.
Because of several votes in the Senate yesterday, the hearing was adjourned before executives from ChoicePoint and Bank of America could testify. Committee chairman Sen. Richard Shelby, R-AL, said the hearing would resume next week but did not specify the day.
Kristen Bremner covers list news, insert media, privacy and fundraising for DM News and DMNews.com. To keep up with the latest developments in these areas, subscribe to our daily and weekly e-mail newsletters by visiting www.dmnews.com/newsletters