The day before data broker LexisNexis increased by nearly tenfold the number of identities feared stolen in last month’s data breach, Sen. Dianne Feinstein (D-Calif.) on Monday filed beefed-up identity legislation that privacy experts hope will close large loopholes in existing and previously filed legislation.
Feinstein’s current bill, which the Senate Judiciary Committee will examine Wednesday, is an overhaul of the ID Theft Notification Bill that Feinstein proposed in June 2003. She hammered out the current version with the help of the Consumers Union, the Privacy Rights Clearinghouse and EPIC (the Electronic Privacy Information Center).
It was drafted to close a loophole in the senator’s previous legislation and in California’s Security Breach Information Act (SB 1386), through which companies can avoid notifying customers of data breaches if the breached data is encrypted or if no PINs are collected with Social Security numbers.
“After additional discussions with privacy rights advocates, it became clear that much more needed to be done to protect Americans,” Feinstein said in a news release.
“Every day, we learn that we are more and more at risk from identity theft—entire databases have been lost, stolen or hacked into,” Feinstein said.
“First we heard about ChoicePoint—a case that resulted in the theft of the personal information of 145,000 Americans—but this was just the beginning. Now we have watched as wave after wave of data system theft has come to light, exposing millions of Americans to identity theft.”
Chris Hoofnagle, director of the West Coast office of EPIC, said Feinstein’s revamped legislation would accomplish two things: encourage companies to stop collecting driver’s license numbers and/or Social Security numbers, and encourage the use of encryption and other security safeguards.
“The legislation from Dianne Feinstein is a fine improvement upon earlier drafts,” said Hoofnagle, in San Francisco. “Really, it’s about notice, but it improves information-collection practices and security.”
At this point, EPIC hasn’t even figured out all of the loopholes in California’s SB 1386, Hoofnagle said. “We’re still finding them,” he said.
Harnessing Data Brokers
Gail Hillebrand, senior attorney for the Consumers Union, said the new legislation is also notable in that it covers all industries and all forms of data, both analog and digital. “It’s got one rule for all breaches, so there’s no special exemption for the banking industry or any other industry,” she said.
“It’s got no special exemption for a company to decide, ‘It’s not important, we don’t have to tell anybody about it,’ which is one idea that the industry has been floating around Capitol Hill,” Hillebrand said. “[Plus,] it covers security breaches of data held in paper form as well as computerized form. After all, a file cabinet with employee personnel files is as rich a source as a database. It covers both.”
According to the senator’s news release, the new bill would require businesses or government agencies to notify individuals in writing or e-mail when personal information—such as a Social Security number, driver’s license or state identification number, or credit card or bank account information—has been compromised.
The only exceptions allowable under the new bill would be upon written request by law enforcement for purposes of a criminal investigation or for national security, according to the release.
At this point, California’s statute is the only existing state law to require that businesses inform consumers if their data has been compromised. Feinstein’s bill would be the first to take that to a nationwide level.
But privacy experts say notification is only part of the problem. The other side of the coin involves unregulated data brokers. “They’re running around outside of the law,” said Edmund Mierzwinski, consumer program director at USPIRG (U.S. Public Interest Research Group).
“The FTC [Federal Trade Commission] was caught asleep at the switch by allowing them to create a business model outside the law in the 1990s. Now, the FTC’s kicking it home to roost, where we have unregulated data brokers in the center of the storm.”
That storm grew in severity on Tuesday, as data broker LexisNexis revealed that personal information on 310,000 U.S. citizens may have been stolen, or nearly 10 times the number of citizens whose information was believed stolen when the company announced a data breach last month. According to Reuters, the company’s parent, Reed Elsevier, determined that its database had been breached 59 times with stolen passwords, leading to possible theft of addresses and Social Security numbers.
As reported by Reuters, LexisNexis plans to notify an additional 278,000 individuals who might be victims of identity theft. Of the 32,000 already notified in last month’s effort, only 2 percent asked the company to conduct an investigation into their credit records. In those records investigated, no identity theft was evident, LexisNexis officials told Reuters.
The problem is that data brokers such as LexisNexis can sell to anyone, said EPIC’s Hoofnagle. “We’ve been saying this a long time: The data brokers, their business model is one where they make more money by selling more and more details of personal information to more and more people. There’s really no upper limit to data collection.”
As it now stands, Mierzwinski said, data brokers such as LexisNexis sell products that are virtually identical to credit reports and which are often used for the same purposes as credit reports, yet which are exempt from many credit laws.
To address this, USPIRG is supporting legislation proposed by Sen. Bill Nelson (D-Fla.) and Rep. Edward Markey (D-Mass.) to regulate data brokers.