Members of Congress grilled ChoicePoint CEO Derek Smith on Tuesday, demanding the company do more to protect customers in the wake of the massive information leak at the database giant.
"The incident has caused us to go through some serious soul searching," Smith said, testifying at a hearing held by the House Subcommittee on Commerce, Trade, and Consumer Protection.
ChoicePoint revealed last month that thieves had accessed the personal information of 145,000 U.S. consumers from the firm.
Smith said ChoicePoint has now abandoned part of the data sales market would support some new legislation, including wider notification to victims.
Rep. Edward J. Markey, D-Mass., was one of several House members who expressed frustration with ChoicePoint and the commercial data industry, which has suffered several high-profile data leaks recently.
"This is an industry that's still in denial," Markey said. "And it hopes to be able to ride out this scandal without Congress passing serious privacy legislation."
Kurt Sanford, chief executive officer of Lexis Nexis, also testified at the Capitol Hill hearing. His firm recently revealed similar data leaks involving 32,000 consumers.
Ban on sale of SSNs?
Both CEOs were questioned about proposed legislation to regulate the sale of personal information, including bills that would make the sale of Social Security numbers illegal in certain circumstances, and give consumers the right to dispute inaccurate information stored by commercial data brokers.
"I just think that's wrong," to sell personal information without informing the consumer, said Rep. Joe Barton, R-Texas. "If I want somebody to have my Social Security number, I will give it to them. ... But it's routinely given without my permission, and I just think that's fundamentally unfair."
Markey compared the burgeoning commercial data broker industry to an open street market in Bombay, India.
"How would consumers feel if they discovered that while they take extra precautions to guard their personal information, their names, Social Security numbers, tax records, credit histories and employment documents were piled high into wheelbarrows and baskets and sold to the highest bidder?" Markey asked. "Right here, get your Social Security numbers. Medical records, employment history, cheaper by the dozen."
Smith and Sanford said they were opposed to legislation banning the sale of Social Security numbers, arguing that the sale of personal information was important to fight fraud and assist law enforcement in its investigations.
"The privacy debate should not be a debate between civil defense and civil liberty," Smith said. "We should strive to protect both."
Both Smith and Sanford said they would support some new regulation of their firms and the commercial data brokerage industry, including a national law requiring notification of consumers if their personal information has been stolen and they face "substantial risk."
A version of that law in California led to the initial disclosure of the ChoicePoint incident. They also said they would support extending the so-called ", passed as part of the Financial Modernization Act, to data brokerages. The rule gives the Federal Trade Commission oversight of data safety procedures at financial institutions.
"We share the subcommittee's concerns," Sanford said. "We support legislation that imposes stringent penalties for misuse of information."
In earlier testimony before the committee, FTC chairwoman Deborah Platt Majoras said her agency supported similar proposals.
But Marc Rotenberg, executive director of the Electronic Privacy Information Center, told the hearing that more extensive regulation was required.
"There has been discussions with the Federal Trade Commission ... but there has been no discussion with consumer organizations regarding what might be effective privacy protection."
'If it's my information I ought to have access'
The most spirited exchange occurred between Markey and Smith, when the Massachusetts congressman challenged ChoicePoint to offer additional protections to the 145,000 consumers whose information was leaked by the firm.
ChoicePoint is offering credit monitoring services to all affected consumers, at a cost of about $2 million, Smith said. But Markey noted that identity thieves armed with that data can simply wait one year and then use it to commit crimes.
"Will you give my constituents five years? Two years?" he asked Smith.
The ChoicePoint CEO said he would consider any proposals, but did not directly answer the question. Markey then added, "This is absolutely preposterous. ... We not going to get the answers we need in this panel."
Markey has sponsored a bill that would give the FTC greater oversight of the commercial data brokerage industry. His law would make commercial data brokers like ChoicePoint subject to the Fair Credit Reporting Act, which would give consumers the right to dispute information contained in their files.
Rep. Gene Green, D-Texas, referred several times to an MSNBC.com story about consumers who had received their ChoicePoint reports and found multiple errors in them. All consumers, Green said, should be able to see the information the firm has on them.
"If it's my information, I ought to have access to it," he said.
Smith said consumers are entitled to see most ChoicePoint reports for free once each year, because some of the company's data is regulated by the Fair Credit Reporting Act. He also said he supported the right of consumers to add comments to their files if they believe data is in error, similar to comment areas on consumer credit reports.
However, ChoicePoint itself cannot correct errors, he said. Consumers must go to the original source of information -- a public record, for example -- and get them to fix the original mistakes, Smith said.
'Dirty work for Big Brother'
Rep. Jan Schakowsky, D-Ill., questioned Smith about why the firm disclosed in a recent SEC filings that it was only looking for victims from the data leak incident whose information had been stolen after July 1, 2003, the effective date of the California notification law.
"I would assume the numbers are higher than 145,000," she said, suggesting the firm was using a technicality to avoid notifying additional consumers.
Smith said ChoicePoint was continuing to research the number of victims. Company representatives have previously said they did not expect a "significant increase" in the original estimate of victims after its investigation is complete.
Schakowsky also chastised Smith for being unaware of prior security incidents at the firm that have recently come to light, including a 2002 theft by criminals using similar methods. Two suspects were convicted in connection with the 2002 incident.
"I am surprised you would have been unaware ... of the criminal convictions," she said. "How could that happen?"
Smith said ChoicePoint was regularly involved in many incidents involving law enforcement research, and in the past, he had not been routinely notified.
Schakowsky said she was also concerned that federal law enforcement agencies had signed contracts with ChoicePoint, and that taxpayer funds were paying for the data.
"The Privacy Act made it illegal for government to amass the kind of information that data brokers do," she said.
"While it's not a breach of the law, it's a breach of the spirit of the law. We can't do that kind of data collection, but we can purchase it. ... We did not realize that big business would do the dirty work for Big Brother."
More congressional hearings on the ChoicePoint incident and proposed federal privacy reforms are expected. Sen. Arlen Specter, R-Penn., chairman of the Senate Judiciary Committee, has said he will hold hearings, but they have not yet been scheduled.
Wednesday, the California state Senate will hold a hearing in connection with the incident. Several ChoicePoint executives and consumer group officials are expected to testify.
Bob Sullivan is author of Your Evil Twin: Behind the Identity Theft Epidemic.