Data Privacy Gets a Hearing

After years of lurking in the shadows, the problem of data theft burst into the spotlight in 2005. Millions learned their personal data may have been accessed by criminals who compromised systems at data brokers ChoicePoint and LexisNexis, as well as retailer DSW and leading universities.

The data theft disclosures, which have caught the attention of Congress and are spurring consumer protection bills, were driven by California’s SB 1386. That state law requires organizations that keep databases containing sensitive information on individuals to notify them if their data is exposed.

ChoicePoint, which had its database compromised by identity thieves who posed as legitimate customers, disclosed the breach to California residents first in February, after the company was compelled by SB 1386 to notify about 35,000 of the state’s residents that their data had been exposed to identity theft. Public outcry forced ChoicePoint to notify another 110,000 people whose data may have been exposed. (See “The Five Most Shocking Things About the ChoicePoint Debacle,” in our May issue or www.csoonline.com/printlinks.)

A string of similar announcements followed. Data broker LexisNexis revealed evidence of 59 incidents of unauthorized access to information on more than 300,000 people in a database maintained by LexisNexis’s Seisint division. DSW disclosed that the customers affected by its identity breach was 10 times its original estimate, for a grand total of 1.4 million affected.

After shying away from consumer privacy legislation last year, lawmakers on Capitol Hill came at the issue with gusto in April.

Sens. Charles Schumer (D-N.Y.) and Bill Nelson (D-Fla.) introduced a bill on April 12 that would require better disclosure from data brokers, while the Senate Judiciary Committee held hearings on April 13 regarding “Notification of Risk to Personal Data Act of 2005,” a bill introduced by Sen. Dianne Feinstein (D-Calif.). Feinstein’s bill, which was modeled on SB 1386, is a notification law that requires businesses and government agencies to tell an individual when his private information has been compromised. The law allows individuals to put a seven-year fraud alert on their credit reports and defines specific requirements for how organizations must notify those affected.

The legislation introduced by Sens. Schumer and Nelson includes notification provisions akin to SB 1386, and strict regulations for data merchants to secure sensitive information. It also creates a new Office of Identity Theft at the Federal Trade Commission to help victims of identity theft.

Privacy laws are tough to pass because they tend to require input from the judiciary, commerce and financial services committees, says Chris Hoofnagle, West Coast director of the Electronic Privacy Information Center. But now politicians have gone from ducking the issue to jockeying to get their name on a consumer protection bill, he says.