Lawmakers Grill Data Providers at House, Senate HearingsSimultaneous identity theft hearings in Senate and House committees yesterday saw executives from several companies that had data breaches over the past few months testify and face harsh criticism and questions from members of Congress.
Arguably it was ChoicePoint Inc. executives who faced the most scrutiny as the company was represented by members of its senior management at each hearing.
The October discovery by ChoicePoint, Alpharetta, GA, that identity thieves had posed as legitimate businesses and accessed data on 145,000 consumers was followed by news of Bank of America's loss of data tapes containing data on 1.2 million government credit cardholders in late February. Also, data thefts at Reed Elsevier's LexisNexis division and Retail Ventures Inc. subsidiary DSW Shoe Warehouse were revealed this month. The breaches sparked a flurry of state and federal bills.
The Senate Banking, Housing and Urban Affairs Committee hearing on identity theft and consumer data security began March 10 but was adjourned before ChoicePoint and Bank of America officials could testify. The Senate finished its hearing yesterday with testimony from Don McGuffey, vice president of ChoicePoint Services Inc.; Barbara J. Desoer, executive vice president, global technology, service and fulfillment executive, Bank of America Corporate Center; and Evan Hendricks, editor of Privacy Times.
McGuffey and Desoer expressed regret over the incidents at their respective companies and outlined changes made within their organizations since the breaches.
ChoicePoint supports independent oversight and increased accountability of companies handling public record data as well as increased penalties for theft of data. It also supports "a reasonable nationwide mandatory notification requirement of any unauthorized access to personal data," according to McGuffey's testimony.
Apparently the company has changed its internal notification policy as a result of the data breach. When asked why chairman/CEO Derek Smith was not notified of the situation until as late as January, McGuffey said the scope had not been known previously. Company policy since has been changed so that senior management is notified immediately of information breaches and law enforcement involvement.
That was not good enough for Sen. Charles Schumer, D-NY, who along with Sen. Jon Corzine, D-NJ, plans to introduce identity theft legislation. Schumer blasted ChoicePoint for what he called its "casual attitude" and urged companies not to give data to ChoicePoint.
In her testimony, Desoer expressed caution against a blanket notification law. She cited breaches that do not pose serious identity theft risks as examples of cases where notification may be unnecessary and urged leaving it to the discretion of the institution.
Hendricks called for a set of fair information practices and data brokering industry transparency.
A House subcommittee of the Committee on Energy and Commerce also took up consumer data issues yesterday. The hearing was called by Cliff Stearns, R-FL, chairman of the subcommittee on commerce, trade and consumer protection.
To start, Federal Trade Commission chairman Deborah Platt Majoras reiterated the testimony she gave to the Senate Banking Committee, expressing support for legislation in the areas of security and notice. But she also said the FTC supports notification of data breaches in instances where consumers are put at significant risk but said some small-scale breaches may not require it.
"The most immediate need is to address the risks to the security of this information," she said.
Majoras outlined the Fair Credit Reporting Act, the Gramm Leach Bliley Act and section five of the FTC Act prohibiting unfair and deceptive trade practices as existing legislation that regulates some data brokering.
The next panel of witnesses included Smith and LexisNexis CEO Kurt Sanford. After citing changes made in their organizations since the breaches, both executives said they favored tougher penalties for identity thieves as well as mandatory notification of breaches when substantial risk exists.
Rep. Edward Markey, D-MA, took ChoicePoint to task for not telling consumers exactly what personal data were revealed instead of a list of possible data points such as name, address, Social Security number, etc. Smith said ChoicePoint has the ability to re-create the searches and provide the details to consumers who request the information.
Joseph Ansanelli, CEO of data loss prevention firm Vontu Inc., and Marc Rotenberg, executive director of the Electronic Privacy Information Center, also testified.
Kristen Bremner covers list news, insert media, privacy and fundraising for DM News and DMNews.com. To keep up with the latest developments in these areas, subscribe to our daily and weekly e-mail newsletters by visiting www.dmnews.com/newsletters