Senators rip into ChoicePoint, Bank of America on data losses

Some lawmakers want legislation to regulate data collection firms

Several U.S. senators faulted ChoicePoint Inc. and Bank of America Corp. yesterday for recent large-scale identity thefts from the two companies, and some lawmakers called for national legislation that would regulate what data-collection companies can do with private information.

Two members of the Senate Banking Committee, Sen. Jon Corzine (D-N.J.) and Sen. Charles Schumer (D-N.Y.), announced plans to introduce legislation to regulate data brokers -- companies that sell private information such as Social Security numbers and credit histories to law enforcement agencies, insurance companies, lenders and other businesses.

Speaking at a committee hearing, Sen. Patrick Leahy (D-Vt.) criticized ChoicePoint for failing to recognize legitimate customers after ID thieves using stolen identities set up businesses that requested hundreds of thousands of background-check records from the company in 2004.

In mid-February, ChoicePoint disclosed that identity thieves had gained access to the personal information of up to 145,000 U.S. residents. The Alpharetta, Ga.-based company maintains a 19 billion-item database including Social Security numbers, driver's license numbers and credit data.

"It was an irresponsible violation of the fiduciary relationship they have with their customers," Leahy said of ChoicePoint.

Leahy also criticized Charlotte, N.C.-based Bank of America's decision to transfer a digital tape containing private data on a commercial airline flight. In late February, Bank of America announced that on one such flight, it lost digital tapes containing the credit card account records of 1.2 million federal employees, including 60 U.S. senators.

Leahy questioned the apparently common practice in the financial industry of transferring such data on commercial flights, saying he has lost his luggage too many times to trust that airplane holds are secure. "I don't know what these people are thinking," Leahy said. "You can imagine how disillusioned their customers must feel that Bank of America didn't care any more about them."

Sen. Paul Sarbanes (D-Md.) called ChoicePoint the "world's largest [private] intelligence operation."

In addition to the ChoicePoint and Bank of America incidents, LexisNexis Group's parent company, Reed Elsevier PLC, announced this week that hackers had compromised databases and stolen the personal information of at least 32,000 people.

In the first of several likely congressional hearings on ID theft following the recent disclosures, representatives of ChoicePoint and Bank of America were scheduled to testify. But their appearances were rescheduled until next week after a conflict with several votes on the Senate floor.

Both companies in written testimony apologized for the ID thefts, said they have taken steps to ensure that similar incidents won't happen and welcomed a debate on national privacy protection laws. "As Congress continues its work in this area, we stand ready as a company to cooperate with your efforts," ChoicePoint Vice President Don McGuffey said in his testimony.

In its statement, ChoicePoint detailed a series of steps it has taken since the breach, including a decision to stop selling sensitive consumer data to many of its customers, except when that data helps complete a consumer transaction or helps government or law enforcement.

Sen. Dianne Feinstein (D-Calif.) in January introduced a bill that would require businesses and government agencies to notify likely victims when there is a "reasonable basis to conclude" that a criminal has obtained unencrypted personal data. Her bill is similar to a California notification law passed in 2003, the only state law requiring companies to tell customers about data breaches.

But Barbara Desoer, executive for global technology, service and fulfillment at Bank of America, asked lawmakers in her written statement to be cautious about passing a law that would require immediate notification of a security breach.

"Our recent actions demonstrate our support of the conviction that customers have a right to know when their information may have been compromised, and that timely notification in the appropriate circumstances could help to minimize various risks," she wrote. "At the same time, we advise some caution regarding legislative solutions. In some instances a thorough investigation of the security may conclude there is no risk that the information was used for illegal purposes. In these instances, it is probably best to leave it to the discretion of the institution to decide if customers should be notified."

Deborah Platt Majoras, chairwoman of the Federal Trade Commission (FTC), agreed, saying that in some cases, computer hackers may attempt to crack databases for the sport of it, instead of attempting to steal personal data. "If we try to inform consumers of every single breach, for one thing, they're going to become numb to it," she said.

Platt Majoras acknowledged, however, that ID theft is a growing problem. The FTC estimated there were 10 million U.S. victims of ID theft between early 2002 and early 2003, at a total estimated cost of $53 billion to U.S. businesses and individuals.

"Isn't this one of the biggest robberies going on today?" asked committee chairman Sen. Richard Shelby (R-Ala.). "Traditional bank robbers are petty thieves compared to the aggregate of this, are they not?"

Platt Majoras agreed.

Of the two bills announced yesterday, Corzine's would require companies that lose private information to ID thieves to notify potential victims promptly. His Identity Theft Prevention and Victim Recovery Act would also require companies holding private information to establish security systems to protect that data. A high-level company executive would be required to personally attest to the security measures.

Schumer's bill would establish an ID theft office at the FTC that would have jurisdiction over data brokers, he said. It would also require companies that sell consumer data to third parties to conspicuously display that information on the front of their Web sites.

Schumer said he was "utterly amazed" at the ease with which data collection companies give up private consumer data. "Every year, [ID theft] gets much worse and much worse and much worse, and yet, we're doing very little about it," he said. "Our laws are a patchwork quilt of state and federal laws that, frankly, don't do the job. It's the crime of choice these days."

Copyright © 2005 IDG Communications, Inc.
