WASHINGTON - The debate over whether to strengthen data security laws continued to gather momentum Tuesday as Republicans held hearings on both sides of Capitol Hill.
House Commerce Committee Chairman Joe Barton said new laws are likely.
"Sometime this spring we're going to sit down after listening to testimony and make a decision about what legislative strategy" to pursue, the Texas Republican said. "My guess is that we are going to move forward with some federal legislation on this issue."
The safety of personal financial data - which once barely registered on the agendas of Capitol Hill leaders - has become a top priority following a string of incidents in which data brokers misused or lost personal records.
Congressional interest spiked last month after ChoicePoint Inc. said it had sold information on 145,000 consumers to fraudsters posing as legitimate businessmen. The breach occurred in October, but ChoicePoint delayed a public announcement at the request of law enforcement officials. Later in February, Bank of America Corp. said it lost several tapes containing credit card information on 1.2 million customers, including many in the federal government and quite a few in the Senate.
Similar headlines this month on Lexis-Nexis and DSW Shoe Warehouse have ratcheted up the pressure on lawmakers to toughen public policy.
Legislation that has been introduced or is in the drafting stage could clamp down on when companies can buy or sell records, as well as restrict what information they contain. Data-sharing exemptions provided to financial institutions under the Gramm-Leach-Bliley Act could be ripe for reform.
At the House Commerce hearing, Rep. Edward Markey, D-Mass., said protecting personal data to prevent identity theft was a bipartisan issue. "There's a point on privacy issues where the libertarian right and the liberal left agree wholeheartedly - that the privacy of individuals should be inviolate."
The very information that customers guard so carefully, like Social Security numbers, tax records, and credit reports, is being "sold to the highest bidder in a bustling marketplace that is as frenetic and unregulated as the streets of Bombay," Rep. Markey said.
He also suggested that the Federal Trade Commission had not been as aggressive as it should be in investigating data theft.
FTC Chairman Deborah Platt Majoras testified that her agency is investigating ChoicePoint, but she reminded lawmakers that it does not have the power to bring criminal actions against fraudsters.
Federal law does not comprehensively address data brokers, Ms. Majoras said; restrictions are enforced through a patchwork of laws, like Gramm-Leach-Bliley and the Fair Credit Reporting Act.
"There may be additional measures that would benefit consumers," she said. "Although a variety of proposals have been put forward and all should be considered, the most immediate need is to address the risk to the security of the information."
Ms. Majoras advocated tighter restrictions on the sale of Social Security numbers, though she was careful to point out that there are legitimate business purposes - making credit decisions, for instance - in which such sales would be necessary.
Lawmakers expressed interest in requiring companies to notify consumers whose records are affected by a security breach. Support was most uniform in instances where the breach might reasonably result in consumer harm, but lawmakers have yet to define what a reasonable standard might be - and to what extent brokers would have to go to make sure consumers received the notification.
Federal banking regulators are expected to finalize guidelines Friday to address this question. First proposed in August 2003, the guidelines were mandated by Gramm-Leach-Bliley in 1999.
Though regulators have not described the new guidelines in detail yet, Amy S. Friend, the Office of the Comptroller of the Currency's assistant chief counsel, testified last week that there would have to be a potential for "misuse" of the data before customers would have to be notified.
At a Senate Banking Committee hearing Tuesday, Chairman Richard C. Shelby did not say whether he favored a legislative solution, but he hammered Don McGuffey, a vice president at ChoicePoint, and accused it of weak data security policies, miscommunication among top executives, and a slow response to the snafu.
"How do you reconcile … [the fact that] senior management and others did not play a critical role in this situation … until November [when the breach was discovered in October], and yet in your written statement, you say that ChoicePoint is committed to 'the highest standards of information security,' " the Alabama Republican asked.
Mr. McGuffey apologized on behalf of ChoicePoint but said it was the victim of a crime.
Lawmakers did not seem to care, and Mr. McGuffey was unable to answer some of the lawmakers' questions, leading Sen. Charles Schumer, D-N.Y., to ask, "Why are you here, sir?"
Barbara Desoer, the chief technology, service, and fulfillment executive at B of A, got off much easier.
In fact, Sen. Schumer drew a distinction between information brokers and the banking industry.
"If banks operated like ChoicePoint, bank robbers wouldn't need guns," he said. "They would walk in, open an account, and then take all the money out of the safe."
