The U.S. House of Representatives jumped into the compiled information fray on Tuesday, when it held a first hearing on consumer data security and identity theft. The hearing featured ChoicePoint Inc.’s chairman and CEO as a marquee attraction. (See article, below).
The hearing was spurred by recent breaches of consumer data security, including the sale of 145,000 consumer names and data packages by ChoicePoint to scam artists, 32,000 data sets purchased from LexisNexis by someone illicitly using a client’s account, and the loss of data tapes bearing 1.2 million names, and associated credit card information, that had been shipped by Bank of America.
Given a chance to trump their upper-chamber counterparts, the House committee carefully scheduled its star panelists – ChoicePoint chairman and CEO Derek V. Smith and LexisNexis president and CEO Kurt P. Sanford -- as part of its second panel, immediately after the stage was set by Federal Trade Commission chair Deborah Platt Majoras.
Last week, a Senate committee failed to be the first to grill another ChoicePoint executive when a hearing was adjourned due to pressing votes on the Senate floor. The Senate reconvened its hearing yesterday as well, with testimony given by Don McGuffey, vice president of ChoicePoint Services; Evan Hendricks, editor of Privacy Times; and Barbara J. Desoer, executive vice president of global technology, service and fulfillment executive for Bank of America Corporate Center.
The third and final panel of the House hearing consisted of Marc Rotenberg, president of the Electronic Privacy Information Center, and Joseph Ansanelli, chief executive officer of Vontu Inc., a data security technology firm based in San Francisco.
Majoras’s testimony was similar to that she gave in the Senate last Thursday: She explained that while there is no single federal law governing the practices of data brokers, a number of statutes address the security of the information they maintain, depending on how the information was collected, and how it is used. These include the Fair Credit Reporting Act; the Gramm-Leach-Bliley Act; and Section 5 of the Federal Trade Commission Act.
She also reiterated her call for Congress to expand the FTC’s ability to regulate sensitive personal information collected by data brokers, and called again for a federal requirement for prompt notice to consumers when there has been a security breach that raises a significant risk of harm to consumers.
Ansanelli, who was there on behalf of his data security firm, addressed new technology solutions to combat misuse of otherwise authorized clients of data brokers, including merging passwords with a tangible plastic chip card, which would assumedly be more difficult to misappropriate than a password alone.
And Marc Rotenberg, president of the Electronic Privacy Organization Center, noted that his organization had contacted the FTC regarding alleged violations of the Fair Credit Reporting Act by ChoicePoint and other data brokers long before the Alpharetta, GA-based firm’s current travails became public.
Rotenberg went out of his way to mention AutoTrackXP, a ChoicePoint product he described as “a detailed dossier of individuals’ personal information,” much to the interest of several committee members, who had previously not heard of the product.
Rotenberg’s recommendations went far beyond extending the security safeguard provisions of such legislation as the Gramm-Leach-Bliley Act, or ratcheting up notification levels in the event of breaches. Among the new provisions he called for were subjecting data information security violator to face civil penalties; permission for states to develop stricter measures; and allowing consumers to determine whether a given transaction constitutes a “consumer-driven benefit” – one of the standards ChoicePoint has adopted for all sales of information in the future.
