U.S. SENATOR PATRICK LEAHY

Leahy Urges Tighter Scrutiny Of Info Brokers
On Data Breaches Affecting Thousands Of Americans

[(Thursday, March 10) -- In testimony before the Senate Banking, Housing and Urban Affairs Committee Thursday afternoon, Senator Patrick Leahy (D-Vt.) called for tighter congressional scrutiny of the security practices of data brokers which have allowed the theft or loss of personal or financial information on hundreds of thousands of Americans in recent months. The hearing marked the first of what is expected to be a series of congressional hearings involving the rash of data breaches that have come to light in the last month involving ChoicePoint Inc., Bank of America, and, this week, NexisLexis.  Leahy, long a leader on privacy and technology issues, also is organizing upcoming hearings on personal data banks and identity theft issues by the Senate Judiciary Committee, where he is the panel’s Democratic leader.  Leahy’s testimony follows.]

Statement Of Senator Patrick Leahy During Hearing On
“Identity Theft: Recent Developments Involving
The Security Of Sensitive Consumer Information”

Mr. Chairman, I applaud your decision to hold today’s hearing about recent security breaches at ChoicePoint and Bank of America, and their implications for protecting sensitive consumer data.  You and Senator Sarbanes have been leaders on these issues, and I thank you both for this opportunity to appear before you today to discuss our shared goals of ensuring data privacy and security.

We are in a challenging era.  Advanced technologies have opened up new possibilities and brought enormous benefits to consumers, to commerce, and to law enforcement.  There is no doubt these advances have improved our lives and made us safer.  But they have also created new vulnerabilities for privacy and security.  It is also becoming increasingly clear that these trends have challenged our current privacy laws.  And today’s security-saturated environment is fostering partnerships between governments and private data brokers, creating new challenges for maintaining privacy standards over sensitive information involving each and every American.

The troubling events at ChoicePoint, Bank of America and now LexisNexis are a window on some of these weaknesses.  ChoicePoint’s bread-and-butter business includes identity verification and screening to help corporate America “know its customers.”  Yet the company failed to know its own customers and sold personal information on at least 145,000 Americans to criminals posing as legitimate companies.

Bank of America recently announced that the personal information of more than a million government employees, including some senators and Senate staff members, was compromised when backup tapes disappeared during transport on a commercial airliner.  We now understand that this type of transport was routine, not only for Bank of America, but for the entire industry.  On of the eve of this hearing, we have also learned that personal information on 32,000 more Americans was potentially compromised at a subsidiary of LexisNexis.

The susceptibility of our most personal data to relatively unsophisticated scams and logistical mishaps is greatly disturbing.  And this is before we consider the dangers posed by insiders, hackers, organized crime and terrorists.  In an era where personal information is a key commodity, the personal information of Americans has become a treasure trove, valuable and vulnerable.

Today, companies around the world routinely traffic in billions of personal records about consumers.  The magnitude of these transactions has rendered the individuals behind the data faceless.  But at the end of the day, when things go south, it is the consumer that bears the brunt of the harm.  For consumers caught up in the endless cycle of watching their credit unravel, undoing the damage caused by such breaches becomes life-consuming and monumental.

Congress needs to act, but we need to do it right.  Many of us have been examining the information-brokering industry and considering various legislative options.  Consumers should know who has their data, what it is being used for and how they can correct mistakes.  They should also have notice, consistent with law enforcement considerations, so that they can protect themselves.  These all are matters of basic fairness.

Congress needs to look closely at ensuring a standard of care consistent with the high value of this data, including penalty options when companies fall short of meeting those standards.  Data brokers are increasingly partnering with the government in law enforcement and homeland security efforts.  It might prove useful for Congress to consider the extent to which a company’s privacy and security practices are qualifying factors in securing federal contracts, including appropriate penalties in the contract procurement process for any failures.  I welcome the opportunity to work with my colleagues on Judiciary, this Committee and others to craft an effective solution that allows us to harness the benefits of the information age, while protecting Americans from unauthorized and inappropriate uses of their personal information.

Privacy and liberty are important values to the American people, and our collective vigilance in protecting these cherished values has allowed us to enjoy unparalleled freedoms, security and economic vitality.  We must continue this vigilance.

Your hearing today will shed much-needed light on a rapidly growing industry and its practices in handling the financial and personal information of every American.  I am also pleased that Senator Specter understands the significance of these concerns and has agreed to my request for a hearing in the Judiciary Committee, where there also is a high level of concern and interest in this subject, and where we will to continue the process of shedding a little sunshine on these practices. 

I thank you for the opportunity to appear here today, and I look forward to continued discussions on these issues.