281 Vermonters’ Personal Data Affected By Breach At LexisNexis, Vermont AG Sorrell Testifies Before Senate Judiciary Committee on Information Security
WASHINGTON (Wednesday, April 13) – Senator Patrick Leahy (D-Vt.), the ranking
Democratic member of the Senate Judiciary Committee, invited Vermont
Attorney General William Sorrell to testify Wednesday before the panel
on the emerging issue of securing personal electronic data in the
digital age. Sorrell, who is also the president of the National
Association of Attorneys General, discussed several of the recent string
of security breaches at large firms, including LexisNexis, which
confirmed earlier this week that a privacy breach at its subsidiary
Seisint was broader than earlier reported to include more than 300,000
Americans. The personal data of 281 Vermonters may have been accessed
by intruders as part of that breach, according to the company. Leahy, a
longtime champion of the public’s privacy rights, requested Wednesday’s
hearing as a way to spotlight the need to balance privacy and security
in this digital age and to consider the role Congress should play in
ensuring the protection of personal data. Below is Sorrell’s testimony
and Leahy’s statement at the hearing.
CONTACT: Tracy Schmaler, 202-224-2154
David Carle, 202-224-3693
Testimony of Vermont Attorney General William Sorrell,
President of the National Association of Attorneys General,
Senate Judiciary Committee
April 13, 2005
I. INTRODUCTION
Mr. Chairman, Senator Leahy, and honorable members of the
Committee, I am William H. Sorrell, Attorney General of the State of
Vermont and President of the National Association of
Attorneys General. I very much appreciate the opportunity to appear
before you today to discuss security breaches relating to personal
information of consumers and our recommendations for addressing some of
the problems in this area.
The public has become aware of numerous incidences of
security breaches in the past two months as a result of
California’s innovative security breach notification laws. The effect
of these security breaches is to expose millions of consumers to
potential identity theft, a serious and rapidly growing crime that now
costs our nation $50 billion per year. We make the following
recommendations to address the problems of security breaches:
- Enact a federal security breach notification law that doesn’t preempt more protective state laws.
- Enact a unified federal program for regulation of data brokers that doesn’t preempt more protective state laws.
- Strengthen the Gramm-Leach-Bliley “Safeguards Rules” to require definitive minimum standards for information security, and ensure that these rules cover data brokers.
- Recognize the important role of state legislative and law enforcement efforts, particularly in developing security freeze laws.
II. THE GROWTH OF SECURITY BREACHES
Over the past several months, consumers, law enforcement
officials and policy makers have learned about a rising incidence of
breaches at private companies and public institutions that exposed
consumers’ personal information to unauthorized third parties.
Separately, these breaches involve the personal information of tens of
thousands, hundreds of thousands, and even millions of records about
consumers nationwide.
A. Numerous Serious Incidences of Security Breaches Have Occurred Since 2002.
Nine known incidences of serious security breaches have
occurred in the past few years. It is instructive to examine each one
in some detail.
- Ford Motor Credit: In 2002, three individuals were arrested for downloading credit reports on more than 30,000 consumers, and then selling the credit reports to street criminals who emptied the victims’ bank accounts and opened credit cards in their names. The scheme centered on an employee of Teledata, a company that provides credit reports to banks and other lenders; the employee stole the passwords and codes of Teledata clients such as Ford Motor Company in order to download credit reports from the three major credit reporting agencies. Over a 10-month period, the password and code for Ford Motor Credit alone was used to download 13,000 credit reports from just one credit reporting agency, Experian. Losses were originally calculated at $2.7 million, but were expected to rise significantly in the weeks after the arrest.
- Acxiom: In 2003, the records of an unknown number of consumers were stolen from commercial data broker Acxiom, based in Little Rock, Arkansas. Hackers were able to download the passwords of 300 business accounts on Acxiom’s system, costing the company $5.8 million in losses.
- ChoicePoint: In February 2005, ChoicePoint notified 144,000 consumers nationwide that their personal data may have been accessed by “unauthorized third parties” who were posing as small-business customers. ChoicePoint, an Atlanta-based data broker and specialty credit reporting agency with databases that contain 19 billion public records about consumers and businesses, reported that identity thieves created as many as 50 fake companies that posed as customers and gained access to consumer data.
- Bank of America: Also in February 2005, Bank of America announced that it lost computer backup tapes containing personal information, including names and SSNs, relating to 1.2 million federal workers. The tapes had been lost two months earlier, in December 2004. Bank of America received permission from its federal regulators to notify consumers about the security problem in mid-February.
- DSW Shoe Warehouse: On March 8, 2005, DSW Shoe Warehouse announced the theft of credit card information, including account numbers and customer names, relating to customers at more than 100 of its 175 stores. The theft took place over a three-month period, beginning in early December 2004. DSW is a subsidiary of Retail Ventures, Inc., based in Columbus, Ohio.
- LexisNexis: On March 10, 2005, LexisNexis owner Reed Elsevier PLC announced that records of about 32,000 consumers were accessed and compromised when intruders used log-ins and passwords of a few legitimate customers to obtain access to a database of public records. The records included names, addresses, Social Security numbers (SSNs), and driver’s license numbers. The breach occurred at Boca Raton, Florida-based Seisint, a data broker recently purchased by Reed Elsevier and integrated into LexisNexis. Seisint stores millions of personal records about consumers nationwide.
  On April 12, 2005, LexisNexis announced that an additional 280,000 consumers nationwide had been affected by other security breaches of Seisint data over the past two years.
- Boston College: In late March 2005, Boston College notified 106,000 alumni that a hacker had gained access to a computer database containing personal information about them. Officials of the college stated that they had to tell the affected alumni living in California about the theft due to California’s notification law, and the officials therefore decided to tell alumni who live in other states, too, to help them limit their exposure to identity theft.
- University of California: On April 1, 2005, University of California-Berkeley officials announced that a laptop computer containing information about 98,000 students and alumni had been stolen a month earlier. The information, including names, SSNs, and in some instances birth dates and addresses, was unencrypted, although the laptop was password-protected. This breach follows another incident at UC-Berkeley in September 2004 in which a hacker obtained the names, SSNs and other identifying information belonging to 600,000 people.
- San Jose Medical Group: On April 8, 2005, the San Jose (California) Medical Group notified nearly 185,000 current and former patients that their financial and medical records might have been exposed following the theft of computers. The theft occurred after the group copied patient and financial information from its secure servers to two local PCs as part of a patient billing project and the group’s year-end audit.
Several conclusions can be drawn from a review of these events. Hackers
and identity thieves employ both high-tech means for stealing passwords
and other log-in information to access consumers’ personal information,
as evidenced by the LexisNexis and Acxiom breaches, as well as low-tech
techniques to breach information systems, as evidenced by the
ChoicePoint incidence. In addition, although the pace of disclosures
about these breaches has accelerated over the past few months, it is
safe to presume that breaches have been occurring regularly over the
past several years. What has changed is not the existence of the
problem, but rather the public’s awareness of it.
B. The Public Has Learned About These Breaches As a Result of California’s Security Breach Notification Laws.
On July 1, 2003, California’s security breach notification
laws went into effect. These laws require businesses and California
public institutions to notify the public about
any breach of the security of their computer information system where
unencrypted personal information was, or is reasonably believed to have
been, acquired by an unauthorized person.
California’s laws require that the notice be given without unreasonable
delay, consistent with the legitimate needs of law enforcement, which
can request a delay in notification if the notice would impede a
criminal investigation of the incidence.
“Personal Information” is defined as an individual's first name or first
initial and last name in combination with any one or more of the
following data elements, when either the name or the data element is not
encrypted:
- Social Security number.
- Driver's license number or California Identification Card number.
- Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
The California law allows a
business or public institution to satisfy the notice requirement in
several ways: written notice through the mail; electronic notice in
conformity with the Federal Electronic Signatures Act;
substitute notice through email, website publication, and major
statewide news media if more than 500,000 consumers are affected; or in
conformity with the business’ or institution’s own notification system,
if it meets the timeliness requirements of the California security
breach notification laws.
California’s unique and
innovative laws in this area have ensured that we are aware of the
growing problem of data leaks that are plaguing our nation’s businesses
and public institutions.
III. THE EFFECT OF SECURITY BREACHES
Identity theft, already a growing problem,
is likely to grow even more rapidly as a result of security breaches.
The effect of these data leaks is to expose consumers to the threat of
identity theft by the criminals who gain access to consumers’ personal
information. MSNBC has noted that in the six-week period from
mid-February through early April, the rash of data heists has exposed
more than two million U.S. consumers to possible identity
theft.
Current estimates of the incidence of
identity theft in the United States are disturbingly
high. According to a survey released in January 2005 by Javelin
Strategy & Research, about 9.3 million U.S. adults were victims of
identity theft between October 2003 and September 2004.
Even though the vast majority of victims
of identity theft do not report the crime to law enforcement authorities
or credit bureaus,
the reported incidence of identity theft has grown dramatically. The
Federal Trade Commission reported in February 2005 that the number of
identity theft complaints submitted to its Consumer Sentinel database
has grown from 161,896 in 2002 to 246,570 in 2004,
representing a growth rate of more than 50% in two years. Victims’
information is misused to perpetrate financial fraud in the vast
majority of cases: fraud involving credit cards, checking and savings
accounts, and electronic funds transfers represented 46% of the
complaints in 2004.
Members of this Committee represent states that contain areas suffering
the most from the growing incidence of identity theft. Out of the 50
Metropolitan Statistical Areas that have generated the greatest number
of complaints relative to population, six are in
California, four are in Texas, three are in each of New York, Ohio,
Pennsylvania, and Wisconsin, and two are in Illinois.
Arizona victims of identity theft have filed the largest number of
complaints relative to population, followed by Nevada, California,
Texas, Colorado, Florida, New York, Washington, Oregon, and Illinois.
Identity theft has a deeply negative
impact on our nation’s economy. According to a survey published by the
Federal Trade Commission in September 2003, the total cost of identity
theft approaches $50 billion per year, with victims bearing about $5
billion of the losses, and businesses bearing the remaining $45 billion.
The average loss
from the misuse of a victim’s personal information is $4,800, but for
victims who had new credit card and other accounts opened in their name,
the average loss is $10,200.
Overall, victims spent almost 300 million hours resolving problems
relating to identity theft in one year, with almost two-thirds of this
time – 194 million hours – spent by victims who had new credit card and
other accounts opened in their name.
IV. CONSUMERS’ AND STATE OFFICIALS’ CONCERNS ABOUT SECURITY BREACHES
The recent rash of information heists has had several
important effects on the state and local level. Consumers have
expressed concerns about their current level of knowledge of security
breaches and what they realistically can do in the event they become a
victim. State Attorneys General and other state and local officials
have taken action in a number of areas to resolve these concerns.
- Consumers Across the Nation Want to Receive Notice of Security Breaches.
The citizens of California
have received notice of security breaches as a result of that state’s
innovative law. Consumers in the remaining 49 states, the District of
Columbia and the territories want the same right to receive notice when
their personal information is accessed in an unauthorized manner.
Unfortunately, in the absence of other state laws or a federal minimum
standard, consumers in the other states have not consistently received
notices in the recent spate of incidences. LexisNexis sent notices on a
voluntary basis to affected consumers nationwide. ChoicePoint
originally sent notices only to California residents; only after
receiving letters from the Attorneys General of numerous states did
ChoicePoint expand its notification process to include potentially
affected consumers in all states.
In addition to haphazard notification, the
paucity of regulation in this area has led to another problem. The
notices that were actually received by consumers came in envelopes from
“ChoicePoint.” Consumers have no idea who ChoicePoint is because
consumers typically have no business relationship with ChoicePoint. We
learned of instances where consumers tossed out the notification letters
without opening them, on the assumption that the letters were another
unsolicited offer for a credit card or some other piece of junk mail.
To ensure that citizens across the nation
receive adequate notice about security breaches, twenty-eight states are
currently considering legislation modeled on California’s
law.
- After Learning About a Breach of Their Personal Information, Consumers Want to Review Their Credit Reports to Determine if They Are Victims of Identity Theft.
The 2003 amendments to the federal Fair
Credit Reporting Act
gave consumers the right to receive a free copy of their credit report
once every 12 months, following the example previously set by seven
states that require credit reporting agencies to provide free reports to
their citizens.
However, because the FTC allowed the nationwide credit reporting
agencies to stagger the implementation of the national free credit
report, consumers in the Southern states – Alabama, Arkansas, Florida,
Georgia, Kentucky, Louisiana, Mississippi, Oklahoma, South Carolina,
Tennessee, and Texas – are not able to order their free reports under
federal law until June 1, 2005. And consumers in the Eastern states –
Connecticut, Delaware, Maine, Maryland, Massachusetts, New Hampshire,
New Jersey, New York, North Carolina, Pennsylvania, Rhode Island,
Vermont, Virginia, and West Virginia, as well as the District of
Columbia, Puerto Rico, and all U.S. territories – are not able to order
their free reports under federal law until September 1, 2005.
As a result, many citizens have been unable to see their credit report
for free during this time of heightened anxiety over possible
identity theft, causing great frustration
in the Eastern and Southern states.
In addition, in those Eastern and Southern
states – like Vermont – that already require credit reporting agencies
to provide free credit reports under
state law, consumers have
been confused and frustrated because the credit reporting agencies have
not adequately adjusted their systems to enable consumers in these
states to easily access their free report under
state law. Many consumers
in Vermont attempted to obtain their free report under
Vermont law after learning about the ChoicePoint and other security
breaches, only to be told – incorrectly – by the credit bureaus’
voice-mail systems that they were not eligible for a free credit report.
- Consumers Want to Control Access to Their Credit Reports so that Identity Theft Does Not Occur.
The 2003 amendments to the federal Fair Credit Reporting Act also gave
consumers the right to place a “fraud alert” on their credit reports for
at least 90 days, with extended alerts lasting for up to seven years in
cases where identity theft occurs.
Yet many states are considering enacting stronger measures to assist
consumers in combating the rapidly escalating outbreak of security
breaches.
Two states, California and Texas, allow consumers to place
a “security freeze” on their credit report. A security freeze allows
consumers to control who will receive a copy of their credit report,
thus making it nearly impossible for criminals to use stolen information
to open an account in the consumers’ name.
Security freeze provisions will become effective on July 1, 2005, in two
additional states, Louisiana and Vermont.
Although the credit bureaus argue that security freezes are overkill,
and cause consumers more harm than good, many members of the business
community in Vermont supported implementation of our security freeze
law, enacted last year. Overall, consumer advocates and many State
Attorneys General believe that security freeze laws are one of the most
effective tools available to stop the harm that can result from data
heists. Twenty states are currently considering security freeze bills.
V. RECOMMENDATIONS ON ADDRESSING THE PROBLEM OF SECURITY BREACHES
We recommend that this Committee take several actions to
address the security breach problem, with its concomitant potential
effect on the increased incidence of identity theft. The
recommendations center on enactment of better federal laws to address
the problem, while allowing the states to continue to perform their
vital functions in assisting consumers and creating additional
innovative solutions.
1. Enact a Federal Security Breach Notification Law: Enact a federal
law requiring notice of security breaches in appropriate circumstances.
Allow states to enact laws that are more protective of consumers, thus
ensuring that states can continue devising additional innovative
solutions to this issue.
2. Enact a Federal Program for Regulation of Data Brokers: Enact a
federal law to regulate data brokers in a manner similar to regulation
of credit reporting agencies. Currently, the regulation of data brokers
comes under a scattered mixture of federal laws, including the federal
Fair Credit Reporting Act, the Gramm-Leach-Bliley Act (GLBA),
and a few other laws, and arguably these laws do not cover all the
practices of data brokers. In developing a unified federal regulatory
scheme for data brokers, only preempt state laws to the extent that they
are less protective of consumers.
3. Strengthen the “Safeguards Rules”: Enact a federal law that will
strengthen the GLBA Safeguards Rules issued by the federal financial
regulators and the Federal Trade Commission.
Currently, these rules require the covered institutions to develop a
written information security plan that describes their programs to
protect customer information, and to maintain reasonable security for
customer information. The rules were intended to provide flexibility to
account for each covered institution’s size, complexity, scope of
activities, and sensitivity of information handled. However, in light
of the recent wave of security breaches, we believe that more definitive
minimum standards of information security should be required, and that
the Safeguards Rules should be expanded to more clearly cover data
brokers.
4. Recognize the Important Role of State Legislative and Investigative Efforts: States are
providing key additional protections for consumers.
California’s security breach notification law, and the security freeze
laws in California, Louisiana, Texas, and Vermont, are important
examples of the critical role played by states in developing innovative
solutions to the complex problems presented by data breaches. In
addition, State Attorneys General and local law enforcement are playing
critical roles in the investigations surrounding security breaches that
have been disclosed to date. State and local law enforcement officials
are cooperating with their federal counterparts to investigate and
prosecute the perpetrators, and to determine if there were defects in
security systems that may have allowed the breaches to occur. Congress
should recognize these vital functions provided by state and local
authorities, and ensure that these functions are not preempted.
Thank you for giving me the opportunity to testify on this important subject.
++++++++++
(Footnotes to Sorrell Testimony Appear Below)
Statement of Senator Patrick Leahy, Ranking Member, Committee On The Judiciary
Hearing On "Securing Electronic Personal Data: Striking A Balance Between Privacy And Commercial And Governmental Use"
April 13, 2005
I am pleased the Committee is turning its attention today to the challenges
we face in securing electronic personal data in a digital era. Earlier
this year I wrote to the Chairman and requested this hearing, and I
appreciate his receptiveness, interest and prompt agreement.
I welcome the witnesses here today and look forward to their testimony.
Our colleague, Senator Feinstein, has been a leader on these important
issues and I look forward to hearing of her efforts to date, and Senator
Schumer and other members of our Committee, as well as Senator Nelson on
Commerce, have also followed these issues closely and have insights to
offer. I am also pleased to see here today my old friend and fellow
Vermonter, Bill Sorrell, who is the Attorney General of Vermont and now
is president of the National Association of Attorneys General.
Personal Information, A Hot New Commodity
In the past few months, we have become aware of a string of major security
breaches involving large firms such as ChoicePoint, Bank of America and
Seisint, a LexisNexis subsidiary. These incidents demonstrate the
susceptibility of our most personal data to relatively unsophisticated
scams and logistical mishaps, and they raise broader concerns about the
misappropriation of personal information and identity theft. The
ChoicePoint breach was especially troubling for its highlight of a
dangerous vulnerability in the information economy – the inadequate
screening of the customers who are buying this personal information.
ChoicePoint’s bread-and-butter business includes identity verification
and screening to help corporate America “know its
customers.” Yet the company failed to know its own customers and sold
personal information on at least 145,000 Americans to criminals posing
as legitimate companies.
Advanced technologies, combined with the realities of the post-9/11
digital era, have created strong incentives, opportunities and a robust
market for collecting and selling personal information about each and
every American. Today, all types of corporate and governmental entities
routinely traffic in billions of digitized personal records about
Americans. The sudden rise of giant data brokers has brought much of
this information together for centralized access. We rely on this data
to facilitate financial transactions, provide services, prevent fraud,
screen employees, investigate crimes, and find loved ones. In today’s
security-saturated environment, our own government is using it to “know
its residents.”
These advances have improved our lives and made us safer. But in this era
where personal information has become a key commodity, the personal
information of Americans has become a treasure trove, valuable and
vulnerable, and our privacy and security laws have not kept pace.
Increasingly, those who trade in digital dossiers have no direct
relationship with the individuals and faces behind the numbers or
letters that identify them, so the normal market discipline of
disgruntled consumers does not necessarily save the companies from
themselves. Even where there is a direct relationship, individuals
often have no idea what companies are doing with their personal data or
even what kinds of information are being collected about them. What are
these companies doing with this information, who do they sell it to, and
why? How is it protected? What are the benefits for Americans whose
information has become a new commodity? These are all questions that
too often go unanswered, with unfortunate, and sometimes tragic,
results.
An example of tragic consequences from the misuse of personal data is the
case of Amy Boyer. In 1999, a man who had been obsessed with her since
high school bought Amy’s Social Security number, work address and other
information from data broker Docusearch for $154. He used the
information to track her down and one day came up to her as she was
leaving work and fatally shot her, just before killing himself.
In this information-driven age, the use of personal data has significant
consequences for every American. People have been refused jobs because
a database search has wrongly reported that they have a criminal
history. For others caught up in the endless cycle of watching their
credit unravel, undoing the damage caused by security breaches and
identity theft becomes life-consuming. Last year, 9.3 million Americans
fell victim to identity theft, resulting in losses of more than $52
billion to individuals and corporations. And on average, it took 28
hours to sort out the subsequent problems, and much, much longer for
many victims.
Sophisticated Scams In The Digital Age
While dumpster-diving is still a popular method of data theft, increasingly
the focus is on a new low-hanging fruit: insecure databases, where one good “hit”
nets troves of information. Insecure databases are now low-hanging
fruit for hackers looking to steal identities or otherwise misuse data
for financial gain. This is especially true as more and more of
Americans’ personal information is being processed abroad. Just this
past weekend, it was reported that individuals working for an Indian
data processor stole personal information of Citibank customers and
transferred $350,000 to fake accounts. Last year was the report that a
Pakistani transcriber of medical files from a San
Francisco hospital threatened to post that information on the Internet
unless she received back pay.
In yet another strain of cyber crime and high-tech law-breaking, we are seeing
a rise in organized rings that target personal data to sell in online,
virtual bazaars. These are not your run-of-the-mill criminals. They
increasingly have sophisticated computing skills and steal data using a
full suite of malicious software, or “malware,” such as Trojan horses,
keystroke logging, spyware, and phishing, which I recently introduced a
bill (S.472) to combat.
A recent investigation by the U.S. Secret Service revealed that one
criminal group with some 4,000 members – Shadowcrew – traded more than
one million stolen credit-card numbers, resulting in financial losses of
more than $4 million. These are challenging scams to penetrate, and I
appreciate and applaud all the work that the Secret Service and other
federal agencies have been doing to crack these cases. Just recently,
the Senate Sergeant at Arms posted guidance on identity theft on the
Senate website.
State and local law enforcement have also worked tirelessly to combat cyber
challenges. I know in Vermont, the U.S. Small Business
Administration will be hosting a forum to protect small businesses from
the impact of scams and identity theft.
Identity theft is a major problem, but when the government is the
purchaser of personal data, citizen inconveniences have also arisen, and
the stakes can be far higher. We have all heard stories from everyday
individuals, as well as colleagues like Senator Kennedy, about the
airline passenger screening programs that use incomplete or bad data to
peg innocent individuals for delay or denied boarding.
Protecting National Security As Well As Financial Security
Weaknesses in the data industry can also jeopardize our law enforcement
and homeland security efforts. Government contractors providing
critical data and processing tools must get it right. Protecting our
borders requires that we prevent security breaches, especially as we
outsource data abroad, that would allow a potential terrorist to steal
Social Security and account numbers and masquerade as law-abiding
residents, or simply fund their criminal enterprises. We also need to
know that data brokers are safeguarding the secrecy of law enforcement
investigations and operations where necessary. For example, we need to
ensure that there are no technological weaknesses in the data brokers’
systems that are supposed to prevent their employees from viewing FBI
data searches and suspects the Bureau is investigating.
Our hearing today is not about shutting down these data brokers or
abandoning their services. It is about shedding a little sunshine on
current practices and weaknesses, and establishing a sound legal
framework to ensure that privacy, security and civil liberties will not
be pushed aside in this new and evolving age.
Today will be an opportunity to address these concerns as we hear from some of
the industry’s leaders, ChoicePoint, Acxiom and LexisNexis. These
companies play a legitimate and valuable role in the information
economy. Their data services facilitate important commercial
transactions, improve hiring decisions, deter fraud, assist law
enforcement and enhance homeland security. But as with any other
significant beneficial industry, the information industry is subject to
mistakes, abuse, and unintended consequences that can flourish absent
transparency, oversight and proper boundaries.
Although we are focusing today on several leading data brokers, many
other companies that traffic in personal data use much lower standards
than the companies that have agreed to come under the spotlight today.
For example, Docusearch, the company that sold Amy Boyer’s personal
information to her killer, has said it has no duty to check its
customers’ backgrounds. This past December, CNN interviewed the founder
of Abika, an Internet-based company that performs some three million
background searches annually and creates psychological profiles. He
said, “I don’t even believe in privacy too much . . . why do we need
privacy? That’s the question . . . why do people need privacy?”
That kind of sentiment is outrageous and is not one that should be tolerated
in the data industry. But I will answer the question. One of the most
fundamental liberties of being an American is the right to be let alone,
and when you invade someone’s privacy or treat it glibly, you trample on
that liberty. That’s why we need privacy, and that’s why we should
vigilantly protect it.
A Role For Congress
Congress has a role in protecting Americans’ privacy, but we need to do
it right. Senator Specter and I, as well as many others on the
Committee, have been examining these issues closely to ensure a
carefully balanced environment that can evaluate the adequacy of current
boundaries and behaviors in the realm of data brokering.
We need to consider rules that will guarantee Americans the right to see
what information has been collected about them and to make corrections
where necessary. We need to consider rules that will ensure Americans
are notified when there has been a security breach involving their
digitized personal information. We also need to create baseline
expectations for data security programs and practices, and penalize
government contractors that don’t comply. We also need to look at how
to protect increasingly public, yet vulnerable, sensitive data such as
Social Security numbers, which are the keys to unlocking so much of our
financial and personal lives. A computer glitch at another payroll
company, PayMaxx, allowed any of its customers to see thousands of W-2s
of other company clients, including social security numbers and
salaries. Just this past week, it was reported that “Automatic Data
Processing,” a company that provides payroll and benefits to
corporations, mailed out postcards to 1000 workers with their Social
Security numbers brazenly visible for anyone to see. Worse still, they
described in detail how those Social Security numbers could be used to
access employee benefits online. This should not happen. We must have
a national dialogue on when and how Social Security numbers can be
properly used.
Finally, we need to take a closer look at how the government is using
commercial data, and whether those uses properly balance privacy and
civil liberty concerns. Recently a ChoicePoint executive was quoted as
saying, “We do act as an intelligence agency, gathering data, applying
analytics.” These partnerships between governments and private data
brokers create new challenges for maintaining privacy standards over
sensitive information involving each and every American.
With such powerful information-age tools comes heightened responsibility. As
the 9/11 Commission noted, “…we must find ways of reconciling security
and liberty, since the success of one helps protect the other.” No
doubt, the information industry can enhance law enforcement and homeland
security efforts. But as the Commission also recognized, “while
protecting our homeland, Americans should be mindful of threats to vital
personal and civil liberties. This balancing act is no easy task, but
we must constantly strive to keep it right.” We can “keep it right” by
putting mechanisms in place to ensure appropriate checks and balances
and congressional oversight.
We have many issues to consider on this front. Today’s hearing will begin
that process by shedding much-needed light on a rapidly growing industry
and its practices of handling the most personal information of each and
every American.
# # # # #
(Footnotes to Sorrell Testimony Follow)
- LexisNexis Concludes Review of Data Search Activity, Identifying Additional Instances of Illegal Data Access, April 12, 2005, available at http://www.lexisnexis.com/about/releases/0789.asp.
- 15 U.S.C.A. § 7001.
- Pub. L. No. 108-159 (2003).
- See 15 U.S.C.A. § 1681t(b)(4), grandfathering in the state provisions allowing free reports in Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey and Vermont.
- See Cal. Civ. Code 1785.11.2 (California); V.T.C.A., Bus. & C. 20.034 (Texas).
- See LSA-R.S. 9:3571.1 (Louisiana); 9 V.S.A. 2480b (Vermont).