In the wake of recent high-profile thefts of sensitive personal information from what were considered protected databases, legislators are preparing to turn up the heat on private enterprises that fail to safeguard customers' data.
Lawmakers' renewed urgency is being fueled largely by the recent security blunder at data warehouse vendor ChoicePoint Inc.
The incident, which illustrates the kind of damage many privacy-law advocates have long feared, is spurring legislators to take a new look at data privacy initiatives that died in the last session of Congress.
ChoicePoint, based in Atlanta, disclosed earlier this month that scammers accessed information on more than 145,000 consumers, including Social Security numbers and credit histories.
In a separate incident, thieves stole some of Science Applications International Corp.'s computers, which contained lists of SAIC shareholders, including their addresses, phone numbers, stock holdings and Social Security numbers.
Following requests from minority leadership last week, Sen. Arlen Specter, R-Pa., chairman of the Senate Judiciary Committee, said he would hold a hearing on the ChoicePoint incident.
Two of the Senate's leading champions of privacy rights, Patrick Leahy, D-Vt., and Dianne Feinstein, D-Calif., called for an investigation.
Committee members want to examine how the incident happened and “how it can be prevented in the future,” said Tracy Schmaler, a representative for Leahy.
The senator is considering proposals that were not introduced in the last Congress, and there is more momentum for legislation this session, Schmaler said.
Feinstein has reintroduced a bill that would require all federal agencies and any enterprise doing business in more than one state to disclose to customers any unauthorized acquisition of their personal information.
Feinstein's measure, known as the Notification of Risk to Personal Data Act, first introduced in 2003, is similar in spirit to a California law that requires such notifications.
The experts weigh in
Some security experts applauded the legislators' efforts.
“The disclosure laws are good things. It builds accountability on both sides,” said Dave Jevens, chairman of the Anti-Phishing Working Group and vice president at Teros Inc., a security vendor in Santa Clara, Calif.
“You can phish and send millions of e-mails and maybe get a thousand victims. But if you get a well-formed database with 250,000 names, you can make a quick couple of million dollars.”
Other experts, however, see flaws in Feinstein's bill and similar state measures proposed recently.
“The definition of personal information is too narrow. If I steal your bank account number, home address, phone number and the amount of money you have in your account, but not your PIN, the bank doesn't have to disclose that,” said Mark Rasch, chief security counsel at Solutionary Inc., in Omaha, Neb., and a former federal prosecutor.
Several lawmakers are drafting privacy legislation broader than the Feinstein approach.
Sen. Charles Schumer, D-N.Y., said last week that he intends to introduce a comprehensive identity theft bill soon.
Calling ID theft “America's leading consumer complaint,” Schumer said there must be national limitations on the disclosure of data by private companies.
Particularly incensed about the Westlaw online research service provided by a division of Thomson Corp., Schumer said subscribers can obtain the Social Security numbers of millions of Americans.
“This makes identity theft as easy as operating a computer,” he said.