WASHINGTON - Congressional efforts to restrict what businesses can do with customer information gained steam on Wednesday.
"I believe there will be some very firm federal legislation," Senate Judiciary Committee Chairman Arlen Specter said at a hearing about recent high-profile security lapses at data brokers, banks, and other businesses in which customers were put at risk of identity theft.
The Pennsylvania Republican echoed lawmakers on both sides of the aisle and both sides of the Capitol. On Tuesday, House Energy and Commerce Chairman Joe Barton announced that he would consider legislation.
Though any bill is likely to focus on data merchants such as ChoicePoint Inc. and LexisNexis Group, legislation could wade into areas directly affecting the way financial services companies identify customers, store their data, and notify them of security breaches.
"It may well be that Congress will consider limited disclosures of Social Security numbers," Sen. Specter said at the hearing.
He suggested barring businesses from using the numbers for purposes other than the original one of reporting tax and other employee information to the government. Independent data security experts endorsed the idea.
"We need to wean businesses away from it," Robert Douglas, the chief executive of PrivacyToday.com, said at the hearing. He recommended giving corporations time to implement a new authentication system but said that "right away" they should "stop using the Social Security number as an authenticator, like a PIN number."
Sen. Dianne Feinstein raised the possibility of the government mandating encryption of consumer information and prohibiting it from being held on personal computers.
The California Democrat also raised concerns about banks giving a large number of employees access to customer passwords and IDs. "This is a weak link," she said.
Sen. Charles Schumer, D-N.Y., who introduced a comprehensive bill Wednesday to tighten regulation of data merchants, also suggested increasing background checks of employees with access to sensitive consumer information.
Sen. Feinstein on Monday introduced a bill that would require banks and other companies to notify customers about any security breach involving sensitive personal data. Currently banks need only notify their regulator, which then helps them decide if customers should be alerted.
Expanding the notification requirement was endorsed Wednesday by other lawmakers, Federal Trade Commission Chairwoman Deborah Platt Majoras, and executives from the major data brokerage companies.
Vermont Attorney General William Sorrell, the president of the National Association of Attorneys General, also recommended toughening a provision of the Gramm-Leach-Bliley Act that requires financial services companies to develop security plans but gives them flexibility to do so.
"We believe that more definitive minimum standards of information security should be required, and that the … rules should be expanded to more clearly cover data brokers," Mr. Sorrell told the committee.
Ms. Majoras endorsed applying the rules to data brokers.
Also at the hearing, officials from LexisNexis (a Reed Elsevier Group PLC unit) and ChoicePoint revealed previously unreported security failures and said they would generally support stricter regulation proposed in bills by Sens. Feinstein and Schumer.
