WASHINGTON - Sen. Charles Schumer leaned forward in his chair at the Senate Banking Committee's March 10 hearing and interrupted Federal Trade Commission Chairman Deborah Platt Majoras - again.
"Was ChoicePoint under your jurisdiction under Gramm-Leach-Bliley?" the New York Democrat asked.
"It depends on whether it's a financial institution," she replied.
"If you can't answer 'yes' or 'no' succinctly, whether ChoicePoint, one of the most major data-collection companies in the country, is under your jurisdiction or not, don't you think we need to tighten this up?" Sen. Schumer followed.
The exchange served to illustrate the regulatory gap into which ChoicePoint Inc. and other data brokers have wedged themselves - a mostly unregulated, hugely profitable business of numbers and records for which banking companies, law enforcement, and, yes, identity thieves are eager customers.
"ChoicePoint's business model was designed to avoid regulation," said Edmund Mierzwinski, the consumer program director at U.S. Public Interest Research Group. "They are trying to slip through the cracks."
Changes being considered in Congress could drive up costs for banking companies, which use information brokers thousands of times a day to confirm customer identities. Business at companies like ChoicePoint has soared thanks to the USA Patriot Act's know-your-customer requirements.
"The industry is enormously profitable," said Brandt Sakakeeny, a managing director at Deutsche Bank Securities Inc. "There's a lot of demand from a variety of different sources for this type of data."
Marco Piovesan, ChoicePoint's vice president of business services, said it is too early to know how the regulatory structure may change or how any potential changes might affect his company's fees.
Asked to respond to critics like Mr. Mierzwinski who claim ChoicePoint was structured to skirt regulation, spokesman Chuck Jones said: "ChoicePoint doesn't write the laws. ChoicePoint operates within the laws."
ChoicePoint, which was spun off from Equifax Inc. in 1997, came under scrutiny last month when it revealed it had sold personal information on 145,000 people to identity thieves. Two weeks ago Reed Elsevier Group PLC's LexisNexis unit, another data storage company, announced that information on 32,000 people had been stolen.
Responding to outrage on Capitol Hill, Ms. Majoras testified twice in four business days, telling senators March 10 that laws governing data-storage companies were a "complicated maze." On the job just seven months, Ms. Majoras was a tentative witness.
She did endorse a federal standard that would require a data broker to notify consumers after security breaches that were likely to harm them.
The agency has jurisdiction under three laws: the Gramm-Leach-Bliley, Fair Credit Reporting, and Federal Trade Commission acts.
Experts are split on whether Gramm-Leach-Bliley gives the FTC any power over data brokers. The law requires financial institutions to safeguard nonpublic customer information, and the federal banking agencies used the law as the basis for guidelines issued Friday saying banking companies should notify customers in cases when identity thieves might use data exposed in a security failure.
The FTC implements Gramm-Leach-Bliley for mortgage companies, auto lenders, and other nonbanks that are still considered financial institutions.
But Ms. Majoras' testimony suggests the agency has not determined whether that classification includes information brokers. Agency officials said they may have to look at companies on a case-by-case basis.
"Gramm-Leach-Bliley covers a very broad swath of entities," said Jessica Rich, an assistant director in the FTC's bureau of consumer protection. "In determining whether a particular entity falls under the law, we would be looking at what their business is, what type of information they are collecting, and where it comes from."
For example, she said, "if they are resellers of credit reports, they would be covered."
But firms such as ChoicePoint typically do not sell credit reports. And because they do not accept deposits or offer investment advice, they do not fit the law's traditional definition of a "financial institution," said Gilbert Schwartz, a partner at Schwartz & Ballen LLP. Also, ChoicePoint's customers are businesses and government agencies, not the consumers Gramm-Leach-Bliley aims to protect.
Still, he said, the FTC could try to assert jurisdiction over some information brokers using one of the law's lesser-known provisions that defines a firm as a financial institution if it holds employment histories that other companies could use in credit decisions.
The Fair Credit Reporting Act may be even tougher to apply to information brokers. Among other things, the law protects consumers' privacy, but only if the consumer reporting agency is collecting and selling certain information.
"Data brokers are subject to the requirements of FCRA only to the extent that they are providing 'consumer reports,' " Ms. Majoras said March 15 at a House Commerce subcommittee hearing. For the data to be considered a consumer report, it must be used for "eligibility purposes," such as credit or employment decisions, according to a footnote in her testimony.
Three divisions of ChoicePoint are considered "consumer reporting agencies" and therefore subject to FCRA. One maintains histories on insurance claims, another holds employment records, and the third has tenant history information.
ChoicePoint, of Alpharetta, Ga., would not say how much of its business these three units represent. But it is clear the information recently exposed was not subject to FCRA. Nor does the law cover the divisions used most frequently by the financial services industry - those that search for outstanding liens or debts or are used for USA Patriot Act compliance.
Most experts agreed that the FTC's best chance at reining in information brokers is under the Federal Trade Commission Act, which gives the agency broad jurisdiction over nonbanking companies for "unfair and deceptive" practices.
"Prohibited practices include deceptive claims that companies make about privacy, including claims about the security they provide for consumer information," Ms. Majoras said in her March 10 testimony. The agency has already sued five companies for "deceptive security claims," and it could use this argument against information brokers.
For information security, however, enforcement will probably occur only after a breach, Mr. Schwartz said. This might not be good enough for lawmakers pushing for more proactive oversight.
Sen. Bill Nelson, D-Fla., and Rep. Edward Markey, D-Mass., introduced a bill this month that would put data brokers under the FTC's jurisdiction and require the companies to protect personal information as well as make sure that customers with access to this information are legitimate.
Mr. Piovesan said Tuesday that ChoicePoint supports the Nelson-Markey bill. The company's stock is down 17.5% since early February, when the security failure was made public.











