Lawmakers call for national legislation to regulate what data collection companies do with private information

WASHINGTON — Several U.S. senators faulted ChoicePoint and Bank of America Thursday for recent large-scale identity thefts from the two companies, and some lawmakers called for national legislation that would regulate what data collection companies can do with private information.

Two Democratic members of the Senate Banking Committee, Senator Jon Corzine of New Jersey and Senator Charles Schumer of New York, announced plans to introduce legislation to regulate data brokers, companies that sell private information such as Social Security numbers and credit histories to law enforcement agencies, insurance companies, lenders and other businesses.

Speaking at a committee hearing, Senator Patrick Leahy, a Vermont Democrat, criticized ChoicePoint for failing to recognize legitimate customers after ID thieves using stolen identities set up businesses that requested hundreds of thousands of background check records from the company during 2004. In mid-February, ChoicePoint disclosed that the identity thieves had gained access to the personal information of up to 145,000 U.S. residents. ChoicePoint maintains a 19-billion-item database including Social Security numbers, driver's license numbers and credit data.

“It was an irresponsible violation of the fiduciary relationship they have with their customers,” Leahy said of ChoicePoint.

Leahy also criticized Bank of America’s decision to transfer a digital tape containing private data on a commercial airline flight. In late February, Bank of America announced that, on a flight, it lost digital tapes containing the credit card account records of 1.2 million federal employees, including 60 U.S. senators. Leahy questioned the apparently common practice in the financial industry of transferring such data on commercial flights, saying he’s lost his luggage too many times to trust that airplane holds are secure.

“I don’t know what these people are thinking,” Leahy said. “You can imagine how disillusioned their customers must feel that Bank of America didn’t care any more about them.”

Senator Paul Sarbanes, a Maryland Democrat, called ChoicePoint the “world’s largest private intelligence operation.”

In addition to the ChoicePoint and Bank of America incidents, LexisNexis’ parent company, Reed Elsevier PLC, announced Wednesday that hackers compromised databases and stole the personal information of at least 32,000 people. In the first of several likely congressional hearings on ID theft after the recent disclosures, representatives of ChoicePoint and Bank of America were scheduled to testify, but their appearances were rescheduled until next week after a conflict with several votes on the Senate floor.

Both companies, in written testimony, apologized for the ID thefts and said they’ve taken steps to ensure that similar incidents will not happen. Representatives of both companies said they welcome a debate on national privacy protection laws. “As Congress continues its work in this area, we stand ready as a company to cooperate with your efforts,” ChoicePoint Vice President Don McGuffey said in written testimony.

In its statement, ChoicePoint detailed a series of steps it has taken since the breach, including its decision to stop selling sensitive consumer data to many of its customers, except when that data helps complete a consumer transaction or helps government or law enforcement.

Senator Dianne Feinstein, a California Democrat, in January introduced a bill that would require businesses and government agencies to notify the likely victim when there is a “reasonable basis to conclude” that a criminal has obtained unencrypted personal data. Her bill is similar to a California notification law passed in 2003, the only state law requiring companies to notify customers of data breaches.

But Barbara Desoer, executive for global technology, service and fulfillment with Bank of America, asked lawmakers in her written statement to be cautious about passing a law that would require immediate notification of a security breach.

“Our recent actions demonstrate our support of the conviction that customers have a right to know when their information may have been compromised, and that timely notification in the appropriate circumstances could help to minimize various risks,” she wrote. “At the same time, we advise some caution regarding legislative solutions. In some instances a thorough investigation of the security may conclude there is no risk that the information was used for illegal purposes. In these instances, it is probably best to leave it to the discretion of the institution to decide if customers should be notified.”

Deborah Platt Majoras, chairwoman of the U.S. Federal Trade Commission (FTC), agreed, saying that in some cases, computer hackers may attempt to crack databases for the sport of it, instead of attempting to steal personal data. “If we try to inform consumers of every single breach, for one thing, they’re going to become numb to it,” she said.

Platt Majoras acknowledged, however, that ID theft is a growing problem. The FTC estimated there were 10 million U.S. victims of ID theft between early 2002 and early 2003, at a total estimated cost of $53 billion to U.S. businesses and individuals.

“Isn’t this one of the biggest robberies going on today?” asked committee chairman Richard Shelby, an Alabama Republican. “Traditional bank robbers are petty thieves compared to the aggregate of this, are they not?” Platt Majoras agreed.

Of the two bills announced Thursday, Corzine’s bill would require companies that lose private information to ID thieves to notify potential victims promptly. His Identity Theft Prevention and Victim Recovery Act would also require companies holding private information to establish security systems to protect that data. A high-level company executive would be required to personally attest to the security measures.

Schumer’s bill would establish an ID theft office at the FTC that would have jurisdiction over data brokers, he said. It would also require companies that sell consumer data to third parties to conspicuously display that information on the front of their Web sites. Schumer said he was “utterly amazed” at the ease with which data collection companies give up private consumer data.

“Every year, (ID theft) gets much worse and much worse and much worse, and yet, we’re doing very little about it,” he said. “Our laws are a patchwork quilt of state and federal laws that, frankly, don’t do the job. It’s the crime of choice these days.”