The learning curve continued yesterday as the latest congressional committee to question data providers explored the need for legislation regarding identity theft and data brokers.
The Senate Committee on Commerce, Science and Transportation heard testimony from representatives of data providers LexisNexis and ChoicePoint, which have revealed data breaches this year, as well as fellow data provider Acxiom and privacy/security advocates.
Committee chairman Ted Stevens, R-AK, characterized the hearing as the first in a series and introduced the first panel of witnesses from LexisNexis and ChoicePoint. The testimonies echoed those given by the firms' executives May 4 before the House Financial Services Committee and in previous congressional hearings.
LexisNexis on March 9 said personal information of 32,000 consumers had been accessed through misappropriation of legitimate customer identifications and passwords from its Seisint database. After an internal investigation, it announced April 12 that another 280,000 consumers were at risk.
In his testimony, LexisNexis president/CEO Kurt P. Sanford listed the legislative actions his firm supports. He said the company advocates data security breach notification in cases of substantial risk of harm. The company also called for the adoption of data security safeguards and increased penalties for identity theft and other cyber crimes.
ChoicePoint initially notified 35,000 California consumers that their information may have been accessed in late January as required by state law. On Feb. 16, it said another 110,000 letters would be sent nationwide involving the fraud.
ChoicePoint president/COO Douglas C. Curling also testified as to what types of regulation of data brokers his company supports. He said the company favors independent oversight and accountability for those handling personal information; a preemptive federal law requiring notice of data breaches; consumer access to correct public records; and restriction of the display of Social Security numbers.
Sen. Bill Nelson, D-FL, questioned Curling and Sanford in relation to identity theft prevention legislation that he and Sen. Charles Schumer, D-NY, introduced in April. The bill would create a Federal Trade Commission office of identity theft and require data providers to register with the FTC. It also would institute safeguards to prevent fraudulent access to data and give consumers access and the option to fix errors.
The legislation also would mandate notice of third-party data disclosure and notification of data breaches. Provisions related to Social Security numbers would prohibit companies from asking for the numbers unless necessary for a transaction; prohibit display of Social Security numbers on employee IDs; ban the sale and purchase of the numbers except for law enforcement, national security and fraud purposes; and grant the attorney general the ability to define exemptions.
Sanford and Curling said they agreed with the bill's provisions.
The second panel began with testimony from Jennifer Barrett, chief privacy officer at Acxiom Corp.
As in previous congressional testimony on the topic, Barrett emphasized the differences between her firm and other data brokers, saying that Acxiom does not provide information on individuals beyond telephone directory products. She also said Acxiom has no information that could be used to commit identity fraud because its directory products contain only name, address and telephone information.
Barrett discussed a hacking incident in which mostly non-sensitive data were compromised and said the firm tightened security since then. She said Acxiom supports federal preemptive legislation to require consumer notification of security breaches that put people at risk. Barrett also said Acxiom backs the extension of the Gramm Leach Bliley Act Safeguards rule, which requires financial institutions to have a written information security plan, and that it voluntarily follows this rule.
Other panelists included Paul Kurtz, executive director of the Cyber Security Industry Alliance; Marc Rotenberg, president/executive director of the Electronic Privacy Information Center; and Mari Frank of Mari Frank, Esq. & Associates.
