Congress mulls new rules on protecting personal data
Government workers probably wish it happened earlier, but support is finally growing for federal regulation of personal information held by private companies. In February, Bank of America Corp. lost personal data, including Social Security numbers, for 1.2 million federal charge card holders.
What form any new regulations would take is unclear, and not everyone is convinced the government should get involved in the first place. But with each new revelation that citizens' privacy has been compromised, pressure mounts to close the data spigots. Ironically, such regulations could affect government consumers of commercial data, such as the FBI.
'I believe there will be some very firm federal regulations coming out of this issue,' Sen. Arlen Specter (R-Pa.) said during a recent hearing of the Senate Judiciary Committee on electronic personal data.
The hearing was called in the wake of a spate of incidents in which sensitive information about hundreds of thousands of individuals had been lost or stolen. Three senators at the hearing said they recently introduced or will reintroduce legislation to secure and control the handling of personal data.
When pressed by senators, representatives of three companies, all of which suffered security breaches, said they would support some level of regulation.
'Adoption of additional legislation may be appropriate,' said Jennifer T. Barrett, chief privacy officer of Acxiom Corp. of Little Rock, Ark. Acxiom provides background screening, credit reports, Social Security number traces and other services. In 2003, a man was arrested and pleaded guilty to hacking an Acxiom server and downloading millions of records. Authorities said he never used the information fraudulently.Data losses
The hearing came one day after LexisNexis Group of Dayton, Ohio, reported that information on as many as 310,000 individuals might have been stolen from its databases over the past two years.
'We sincerely regret these incidents,' said Kurt P. Sanford, CEO of the company's corporate and federal markets.
Also apologizing at the hearing was Douglas C. Curling, chief operating officer of ChoicePoint Inc. of Alpharetta, Ga., which recently announced it had sold data on as many as 145,000 individuals to phony clients. Data about hundreds of thousands of other people has recently been lost or stolen from banks, a retailer and a California university.
Much of the legislators' current attention is focused on data brokers, such as LexisNexis and ChoicePoint, which aggregate and sell data on individuals. This information supports much of the nation's credit market and is used for background checks and criminal investigations.
The government is a major consumer of these services. The FBI has contracts with many data brokers and paid $75 million last year to ChoicePoint. Chris Swecker, assistant director of the criminal investigative division, said the bureau made about one million queries to data brokers in fiscal 2003, and made 1.2 million queries to ChoicePoint alone in 2004.
Under a bill introduced by Senator Charles E. Schumer (D-N.Y.), data brokers would have to track how their clients access data and provide reports to consumers when their personal data is accessed. As currently written, the bill includes no exemptions for law enforcement agencies accessing personal data, although the FTC mould exempt any data merchant from the regulations, in whole or in part, if the commission determines that exemption is in the public interest.
In addition, a 2003 measure likely to be reintroduced by Sen. Russ Feingold (D-Wis.) would require agencies to report to Congress how they mine commercial data.
Swecker said the FBI does not perform data mining, and only makes queries on specific individuals. But there are no guarantees on the accuracy of the data returned.
'That's why we have contracts with all of these companies, to cross-check data,' he said.
Few of the breaches reported recently were the result of hacking. People using valid user names and passwords took data from both ChoicePoint and LexisNexis. Other data was on lost back-up tapes and a stolen notebook computer. These kinds of losses should be easy to prevent or mitigate, said Arthur Coviello, CEO of RSA Security Inc. of Bedford, Mass.
'Shame on those people,' for not employing basic tools such as strong access controls, data encryption and customer authentication, Coviello said at a recent panel discussion hosted by the Center for Strategic and International Studies in Washington.
'We need some level of federal regulation,' he said.
Although there is no law specifically regulating data brokers or the disclosure of consumer information, a number of federal laws do apply in this area, said Deborah Platt Majoras, chairwoman of the Federal Trade Commission, including:
- The Fair Credit Reporting Act, which is undergoing changes at the FTC to implement new provisions that target ID theft
- Title V of the Gramm-Leach-Bliley Act, which covers consumer information privacy
- Section 5 of the FTC Act, which protects consumers against deceptive practices.
'Other laws, such as the Driver's Privacy Protection Act and the Health Insurance Portability and Accountability Act, also restrict the disclosure of certain types of information, but are not enforced by the commission,' Majoras said.
The current patchwork of laws leaves gaps in their coverage, Specter said.
The closest thing to a national standard now is a 2003 California law requiring companies to notify individuals when unencrypted personal information might have been compromised. Because so many companies do business in California, the law has become a de facto standard nationwide.
That law is credited with leading to the exposure of the recent string of security breaches.
Sanford and Curling acknowledged that LexisNexis and ChoicePoint had suffered losses of data prior to 2003 that were not reported.
'We would not know of these breaches if it were not for the California law,' said Sen. Dianne Feinstein (D-Calif.).Federal action debated
Feinstein has introduced two bills patterned on the California law that would require notification when personal data is exposed.
But not everyone agrees that legislation is needed. 'I'm not a big fan of legislation,' Howard Schmidt, former special advisor to the president for cybersecurity, said at the CSIS discussion.
If federal legislation is inevitable, it should be crafted with input from industry to ensure it is not overly burdensome, he said.
'Currently, that dialog is not taking place,' he said of current proposed legislation. 'It's a knee-jerk reaction.'WEB EXTRA: Three potential data privacy laws Senators are considering. GCN.com/415, at www.gcn.com