Data brokers didn’t notify consumers of past breaches

Two large data brokers that recently reported data breaches potentially affecting hundreds of thousands of U.S. residents have been compromised in the past and have not notified victims, executives from the two companies told a U.S. Senate committee Wednesday.

Executives from ChoicePoint and LexisNexis, under questioning from Senator Dianne Feinstein, told the Senate Judiciary Committee that they did not report some data breaches to potential victims before a California law requiring notification went into effect in 2003.

A LexisNexis executive also told the committee that law enforcement agencies have reported 10 incidents of potential identify fraud, in which new e-mail or credit card accounts were opened, related to a recent LexisNexis breach where about 310,000 U.S. residents’ records may have been compromised.

Feinstein, a California Democrat, and committee Chairman Arlen Specter, a Pennsylvania Republican, questioned the two companies’ efforts to notify victims during recently announced breaches of their multibillion-record databases. The companies’ databases contain personal information such as driver’s license numbers and Social Security numbers.

Specter demanded that LexisNexis provide a detailed explanation in writing of why the company took until Tuesday to announce that 280,000 more U.S. residents may be victims of a recent breach, up from the 32,000 people the company identified in early March. LexisNexis began investigating the breach at its Seisint division, caused when thieves gained access to legitimate database passwords, in February, said Kurt Sanford, president and chief executive officer of U.S. Corporate and Federal Markets for LexisNexis.

“Didn’t you know about the breach in February?” Specter asked.

“I didn’t know what I had until I did an investigation, senator,” Sanford answered.

Sanford didn’t give an exact number, but he did say the company had some breaches it didn’t report to potential victims before the California notification law went into effect. LexisNexis has uncovered 59 beaches, dating back to early 2003, due to the investigation started in February, Sanford said.

Victims of the LexisNexis breaches will get free credit report and credit monitoring services, free credit counseling services, and free identity theft insurance, Sanford said. “We will begin notifying those individuals immediately,” he said.

In at least one case in 2001, ChoicePoint did not report a breach to victims because it was not told of the focus of a law enforcement investigation that uncovered the compromise, said Douglas Curling, president and chief operating officer at ChoicePoint.

“If it weren’t for the California law, we would have no way of knowing the breaches that have occurred,” Feinstein responded.

ChoicePoint has found 45 to 50 data breaches, mostly related to a scam it announced this year, Curling said. In that incident, identity thieves used IDs stolen from legitimate business owners to open bogus businesses that paid ChoicePoint for information such as driver’s license and Social Security numbers. Up to 145,000 U.S. residents could be affected, ChoicePoint announced in February.

During the hearing, Robert Douglas, chief executive officer of PrivacyToday.com, a privacy consulting service and news site, told senators that after a reporter asked him, he was able to get the reporter’s Social Security number from two online data sellers within 36 hours.

Banks, businesses, or government agencies that use Social Security numbers to confirm people’s identities are courting trouble, he added. “Even if Social Security numbers were not for sale on the Internet, the reality is Social Security numbers have been compromised in many ways for such a long period that it’s laughable that either government or commercial enterprises … as identifiers for maintaining security of databases,” he said.

Leading up to the hearing, Feinstein on Monday introduced a bill that would require businesses and government agencies to notify an individual in writing or by e-mail when they believe personal information has been compromised. The bill would allow exceptions only when law enforcement requests that notification be delayed because of a criminal investigation or for national security purposes. Feinstein also introduced another breach notification bill this year.

Feinstein’s bill is a good first step, but it doesn’t go far enough in addressing ID theft prevention, said the Information Technology Association of America (ITAA), a trade group. Feinstein’s earlier bill exempted encrypted data from notification requirements, but her bill does not, and by not exempting encrypted data, the bill could discourage companies from encrypting personal data, Harris Miller, ITAA’s president, said in a statement.

The new Feinstein bill also allows companies or government agencies to avoid notifying individual victims if the costs of direct notice exceed $500,000 or involve more than 500,000 potential victims. Instead, with a large breach, a company could post a notice to its Web site or send out a press release.

“Ironically, this limit seems to say, ‘If you are going to have a data breach, make it a really big one,'” Miller in his statement.

Also introducing legislation were Senators Charles Schumer, a New York Democrat, and Bill Nelson, a Florida Democrat. They called their bill, introduced late Tuesday, the first “comprehensive” ID theft legislation. “When a company like LexisNexis so badly underestimates its own ID theft breaches, it is clear that things are totally out of hand,” Schumer said.

Among the Schumer/Nelson bill’s provisions:

— An additional $60 million for an ID theft office at the U.S. Federal Trade Commission (FTC). The office, an expansion of current FTC ID theft efforts, would help victims of ID theft recover their identities.

— A data notification provision that goes beyond Feinstein’s legislation by allowing people who have had their data stolen to request that the compromised company delete all their data.

— A requirement that businesses planning to sell their customers’ personal data notify those customers.

— Requirements that data brokers register with the FTC, track who accesses their records and determine what the records were used for.

Asked if they would support the Schumer/Nelson bill, Sanford said he would support most provisions, and Curling said he would support all the provisions that Schumer described in a hearing.