RealTime IT News

Senate Debating Data Privacy Changes

WASHINGTON -- Unless Congress takes quick action against identity theft, Americans will soon find all their personally identifiable information up for sale or in the hands of ID thieves.

That's the sentiment of U.S. Sen. Bill Nelson (D-Fla.). He and Charles Schumer (D-N.Y.) want data brokers such as ChoicePoint and LexisNexis to be regulated in the same manner as credit bureaus.

"We must mandate that companies must reasonably protect this information collected on virtually every American," Nelson said. "As a result of what we've seen so far, if we don't do something none of us are going to have any identity left."

Their goal in co-sponsoring new legislation is to require notification to consumers when their data is compromised and crack down on the sale of Social Security numbers.

Nelson's comments came Tuesday as the Senate Commerce Committee began the first of a series of hearings on private data companies that currently have little oversight and few rules that protect public privacy. Hearings are already underway in other Senate and House committees.

"This is a very serious thing with several bills already introduced in Congress. It's going to be a very difficult thing to handle," Chairman Ted Stevens (R-Alas.) predicted.

As they have in three previous appearances before Congressional panels this year, executives from ChoicePoint and LexisNexis headlined Tuesday's hearing. And, as before, they again apologized for their companies' well-publicized data breaches while touting their strengthened security measures.

"Even if they [ChoicePoint and LexisNexis] improve their business practices, there are still hundreds of smaller data brokers who have no incentive to change their ways since there is no law governing their behavior," Stevens said.

Tuned into the current Capitol Hill clamor for federal action, both companies said they support a data breach disclosure law as long as it pre-empts any existing state laws. If forced to accept regulations, the companies prefer to deal with one federal standard as opposed to a patchwork of state laws.

Data breach disclosure to consumers is an integral part of the proposed bill by Nelson and Schumer, as well as legislation sponsored by Sen. Dianne Feinstein (D-Calif.).

"We desperately need a strong national standard that says whenever a data system is breached, everyone who is at risk of identity theft must be notified," Feinstein told the Senate Judiciary Committee last month.

While Feinstein's bill focuses solely on data breach disclosure requirements, Nelson supports giving the Federal Trade Commission (FTC) the power to develop regulations on the sale of data by brokers. The bill would also allow the FTC to fine violators and give consumers and states the right to civil actions against data brokers who compromise a consumer's personal data.

Both Nelson and Feinstein base parts of their legislation on a recently enacted California law requiring data brokers to inform residents if their personal data is exposed to possible ID theft.

Both ChoicePoint and LexisNexis admitted last month to unreported data breaches prior to the passage of the California law.

"Without the California statute, we wouldn't know about any of this," Nelson said.