US: Consumers Not Told Of Security Breaches, Data Brokers Admit
Executives of two major data brokers acknowledged to a Senate panel yesterday
that their companies did not tell consumers about security breaches that
occurred well before recent incidents exposed more than 400,000 people to
possible identity theft.
ChoicePoint Inc. and LexisNexis also suffered breaches before passage of a
California law in 2003 that requires companies doing business in the state to
notify consumers that their data might be at risk, officials said. But the
companies chose not to alert the public in those cases.
"Why not?" snapped Sen. Arlen Specter (R-Pa.), Judiciary Committee chairman.
"I can't explain it," replied Douglas C. Curling, president and chief
operating officer of ChoicePoint.
"That's very, very disconcerting," Specter said.
Pressed by Sen. Dianne Feinstein (D-Calif.), Curling and Kurt P. Sanford,
head of LexisNexis's corporate and federal markets group, agreed that were it
not for the California law, consumers might never have been informed about more
Feinstein used the answers to bolster her push for a national notification
law, which she has sponsored several times in the past few years and
reintroduced Monday. Several similar bills have been proposed.
Security breaches at data brokers, banks and universities have focused
attention on a booming marketplace for sensitive personal information that is
routinely collected, sold and increasingly abused.
Witnesses warned the panel that data such as Social Security numbers are so
heavily overused that the problem will be difficult to control. Personal data is
for sale on the Internet and is available in public records in courthouses and
other government offices.
"Both government and the private sector deserve a failing grade," said Robert
Douglas, a privacy consultant and former private investigator.
Specter said he had little doubt that some kind of legislation would pass
during the current session. But witnesses yesterday disagreed on several key
Federal Trade Commission Chairman Deborah Platt Majoras said companies should
be able to forgo notifying consumers if the firms determine that identity theft
is unlikely to result from breaches to their systems.
She said if a company had to tell consumers about every breach even if no
data leaked out, consumers would become "numb" to the notices and ignore them.
The data companies agree, saying they support national notification as long as
they can determine that a breach is likely to result in identity theft.
Privacy advocates argue that this is a loophole and that companies often
cannot tell whether data fell into the wrong hands. Feinstein's bill would not
allow companies to make that determination.
Other congressional proposals include requiring data brokers to register
with, and be regulated by, the FTC, and giving consumers the right to block the
sale of their data.