Another congressional committee took a crack at data providers and called for federal legislation to govern them yesterday, just one day after LexisNexis revealed its discovery of data breaches exposing 280,000 additional consumers to identity theft.
On March 9, LexisNexis said that personal information of 32,000 consumers had been accessed through misappropriation of legitimate customer identifications and passwords from its Seisint database. After an internal investigation, it announced April 12 that another 280,000 consumers were at risk. The investigation yielded 59 instances of fraudulent access to data including names, addresses, Social Security numbers and driver's license numbers.
The Senate Committee on the Judiciary hearing was titled “Securing Electronic Personal Data: Striking a Balance Between Privacy and Commercial and Governmental Use.” It was led by committee chairman Arlen Specter, R-PA, who stressed the need for uniform federal regulation of data brokers in his opening statement.
LexisNexis president/CEO Kurt P. Sanford testified on a panel along with executives from fellow data providers ChoicePoint Inc. and Acxiom Corp.
ChoicePoint initially notified 35,000 California consumers that their information may have been accessed in late January as required by state law. On Feb. 16, it said another 110,000 letters would be sent nationwide involving the fraud. ChoicePoint president/COO/director Douglas C. Curling also testified.
Sanford and Curling expressed regret about the data breaches and highlighted increased security measures being taken at their firms, as they did previously during March 15 hearings of the Senate Banking, Housing and Urban Affairs Committee and a House of Representatives subcommittee of the Committee on Energy and Commerce.
In her testimony, Jennifer T. Barrett, chief privacy officer at Acxiom, emphasized the differences between her firm and other data brokers, saying that Acxiom does not provide information on individuals beyond telephone directory products. She also said Acxiom has no information that could be used to commit identity fraud because its directory products contain only name, address and telephone information.
Barrett discussed a hacking incident in which mostly non-sensitive data were compromised and said the firm has tightened security since. She said Acxiom supports federal preemptive legislation to require consumer notification of security breaches that put people at risk. Barrett also said Acxiom supports the extension of the Gramm-Leach-Bliley Act Safeguards rule, which requires financial institutions to have a written information security plan, and that it voluntarily follows this rule.
Federal Trade Commission chairman Deborah Platt Majoras reiterated her testimony from the previous hearings, outlining the Fair Credit Reporting Act, Gramm-Leach-Bliley and Section Five of the FTC Act prohibiting unfair and deceptive trade practices as existing legislation that regulates some data brokering.
Additional panelists included representatives of the FBI, U.S. Secret Service and National Association of Attorneys General, as well as privacy advocates.
In other data protection news, Sen. Dianne Feinstein, D-CA, offered a revised version yesterday of the Notification of Risk to Personal Data Act that she first introduced Jan. 24. The original bill required mandatory notification when sensitive data are breached. The revision adds provisions that close loopholes exempting encrypted data and that specify the contents of the notices.