The customers were federal employees who used the U.S. General Services Administration SmartPay charge cards. The incident has sparked calls for hearings on identity theft.
"The wholesale loss of vast treasure troves of personal information is a new type of problem that requires us to fundamentally rethink how we approach data security and privacy," Sen. Patrick Leahy said in a press release issued Friday.
The Vermont Democrat is the Senate Judiciary Committee's ranking member and one of his staffers was among those whose information was compromised.
Sen. Leahy decried the incident on the Senate floor Monday. "This is one of the dumbest things I've ever seen," he said during debate on the bankruptcy bill. "I'd hate to be a customer of Bank of America and wake up in the morning and find they were so stupid and so negligent they lost your information. They ought to be ashamed of themselves."
He said the committee plans to hold hearings on the security concerns posed by the loss of large blocks of consumer information.
Bank of America said Friday that several computer data tapes containing personal information of 1.2 million customers were lost in December while being shipped to a data center. The Charlotte company said it had seen no evidence that the tapes had fallen into criminal hands or that the customer data had been misused.
A week earlier the data storage firm ChoicePoint Inc. of Alpharetta, Ga., said that in October criminals impersonating businesses had obtained information on 144,778 people.
California is the only state that requires companies to disclose when consumer information has been compromised. In early February, ChoicePoint at first told only the 34,000 California residents who were affected by the incident. On Feb. 15 it disclosed the much larger extent of the problem.
Thirty-eight state attorneys general signed a letter to the company saying, "We insist that ChoicePoint take immediate corrective action to notify all citizens of our states who have or may have been affected by this breach."
Avivah Litan, a vice president at Gartner Inc. and a research director with the Stamford, Conn., market researcher, said of B of A and ChoicePoint: "Who are they to play God with my information? They're making the decision that Avivah Litan doesn't need to know her Social Security number was stolen for a few months."
B of A spokeswoman Alexandra Trower said the company was unable to disclose the loss sooner because the Secret Service was looking into it. "An investigation was ongoing," she said.
But Ms. Litan said it seemed odd that Bank of America or ChoicePoint might have been barred from revealing that they had lost personal details about so many people, especially since the California law requires just such notification.
The statute permits a delay in notifying customers "if a law enforcement agency determines that the notification will impede a criminal investigation."
However, Ms. Litan said B of A and ChoicePoint waited too long. "I can understand a week or two. Did they really need two months?"
If companies disclose the theft or loss of consumer information immediately, the worst that will happen is that criminals would "just hang on to the information and not use it right away, and that's a good thing, I think," Ms. Litan said.
