Senators vow more regulations for data collectors
By LAWRENCE M. O'ROURKE
April 14, 2005
Executives of three large private data collection companies conceded that stronger federal laws are needed to protect the public against misuse of the information, as well as creation of a single office where people can go after their records are misused in order to have their good credit reputation restored.
''There's no federal legislation on the subject. . . . It is my conclusion that we do need federal legislation, that there needs to be uniformity,'' said Senate Judiciary Committee Chairman Arlen Specter, R-Pa.
Senators cited studies that it takes 600 hours to clean up a personal record after it has been misused by an identity thief.
"Last year, 9.3 million Americans fell victim to identity theft, resulting in losses of more than $52 billion to individuals and corporations," said Sen. Patrick Leahy, D-Vt.
Leahy pointed out that a leading firm, ChoicePoint, based in Alpharetta, Ga., "sold personal information on at least 145,000 Americans to criminals posing as legitimate companies."
ChoicePoint president Douglas Curling testified before the Senate Judiciary Committee that he extended "sincere apology to those customers whose information may have been accessed by the criminals who perpetrated this fraud."
He said that ChoicePoint was cutting back on its sale of information. He said personal data would still be sold to insurance companies, employers and landlords, and to law enforcement agencies and corporations looking to prevent fraud.
Curling called for a single national standard on mandatory notification of identity theft victims and establishment of a right of consumers to check the accuracy of public record information gathered by the company.
Kurt P. Sanford, chief executive officer for corporate and federal markets at the data brokerage LexisNexis, revealed to the committee that personal information of 310,000 customers may have been revealed over the last 27 months, about 10 times the number first disclosed.
"We sincerely regret these incidents and any adverse impact they may have on the individuals whose information may have been accessed," Sanford said. "We will begin notifying those individuals immediately."
"What bank robbery was in the Depression Age, identity theft is to the information age," said Sen. Charles Schumer, D-N.Y. "When a company like LexisNexis so badly underestimates its own ID theft breaches, it is clear that things are totally out of hand."
Specter pointed out that the federal government provides skimpy regulation of data collection companies, leaving oversight mainly to states.
California Democratic Sen. Dianne Feinstein contended that her state's laws on privacy and electronic data are the toughest in the nation and would serve as a model for the entire country.
Were it not for California's mandatory disclosure requirement, millions of Americans would not have been notified that their personal records had been stolen, Feinstein said.
While California is the only state to have enacted a security breach law, 28 other states are considering some form of personal information protection legislation.
"We urgently need a strong national standard that says whenever a data system is breached, everyone who is at risk of identify theft must be notified," Feinstein said.