The interaction between legislators and data compiler executives did not reach the level of feistiness seen in last month’s hearings on Capitol Hill, largely due to the more somber tone set by Senate Judiciary Committee chair Arlen Specter (R-PA). But several senators appeared annoyed that breaches in data security which occurred before notification laws were in effect were apparently kept from the public.
On Tuesday, the night before the trial, LexisNexis, which had previously announced that records on 30,000 consumers had been compromised, revealed that since early 2003 a total of more than 310,000 consumer records had been breached.
“Did that announcement have any connection with this hearing scheduled?” Specter asked Kurt P. Sanford, LexisNexis’s president and CEO for U.S. corporate and federal markets, during Wednesday’s session.
Sanford explained that the timing was based on an internal investigation he had ordered in March after the initial breach was discovered.
“I would like the specifics in writing focusing on why the people whose information was breached couldn’t have been notified earlier,” Specter said. “Those people were all at risk, and you have a duty to notify them at the earliest possible moment. So I want to know precisely what you did, what was the intensity of your investigation, and whether it could have been done faster.”
The Judicial Committee chair then turned his attention to Douglas C. Curling, president and chief operating officer of ChoicePoint Inc. Under questioning, Curling said that his company, too, had not informed people of a breach two years ago – a breach that took place before California put laws in place requiring that its residents be notified of such data compromises.
A more recent incident occurred after the California laws, which require that all state residents affected by data breaches be notified, were enacted.
Regarding the recent breach, Curling said that his company “not only followed California law, [but] we built upon it and voluntarily notified consumers who may have been impacted across the country, and we did that before anyone called upon us to do so.”
However, published reports at the time, as well as testimony from William H. Sorrell, Vermont’s attorney general and president of the National Association of Attorneys General, said that ChoicePoint undertook nationwide notification only after a variety of entities, including several attorneys general, requested that they do so.
Specter was not mollified by Curling’s words. “We may well face the necessity for some really tough legislation that will have you do your duty,” he said, addressing Curling and Sanford by name.
A third witness from the compiling industry, Jennifer Barrett, Acxiom Corp.’s chief privacy officer, faced only perfunctory questioning. Acxiom has had its data compromised twice by hackers twice since 2003, although no cases of identity fraud have been reported in conjunction with the attacks.
