Grilling on the Hill

Even before the first witness was called, members of the U.S. House of Representatives were lining up to take shots at the compiled data industry during a March hearing of the Commerce and Energy Committee.

Committee chairman Joe Barton (R-TX) started out by calling for consumer data safeguards.

“The constraints [on data vending] are laughable,” said Barton. “I personally see no socially redeeming value in anyone having the right to market or use Social Security numbers and other personal information without my approval. If a company wants to use my life for its profit, they ought to ask me first.”

Taking his seat before the committee, ChoicePoint CEO Derek V. Smith apologized for his company's sale of 145,000 consumer records to clients who turned out to be scam artists. The February revelation of this data breach was followed by similar announcements from Bank of America, LexisNexis and DSW Shoe Warehouse, all of which experienced compromises of sensitive consumer information.

Lawmakers called for expansion of the Federal Trade Commission's ability to regulate data and a clamping down on Social Security number dissemination and the use of government data contracts as either a carrot or a stick.

“Despite its power, profit and reach, the burgeoning data brokerage industry is largely unregulated,” said Rep. Jan Schakowsky (D-IL). The lack of regulation of data providers is especially disturbing, Schakowsky said, “because of the government's reliance on them. One report says the number of government agencies using data brokers is about 7,000, from local police stations to the Department of Justice, with $67 million in contracts to ChoicePoint Inc. in 2004 alone. If we are going to be using taxpayer dollars to pay for these services, we need to make sure data brokers are accountable when it comes to security and accuracy of the data they are compiling.”

Rep. Sherrod Brown (D-OH) likened data vendors to banks with inadequate security. “Crooks know the bank is an easy mark, so the depositors keep taking it on the chin,” Brown said. “Would we consider responding only with tougher bank-robber penalties and mandatory robbery disclosures? Of course not. We'd make sure the bank got a state-of-the-art lock, Lasik surgery for the guard, and an alarm system designed maybe for a nuclear missile site.”

Brown added: “We ought to use the government's purchasing power to promote best practices to take security beyond the bare minimum.”

During his testimony, Smith detailed some of the steps ChoicePoint had taken since announcing the breach. These include a halt to the sale of sensitive data on consumers (data not covered under the Fair Credit Reporting Act), strengthening its client verification systems and establishing an office of credentialing, compliance and privacy. In addition, the firm has named Robert McConnell, a veteran of the federal government's Nigerian Organized Task Force, to serve as the company's liaison to law enforcement officials. In both the current incident and an earlier ChoicePoint data breach in 2002, the fraudsters were Nigerian Americans.

A few Democratic representatives, including Schakowsky and Edolphus Towns of New York, criticized ChoicePoint for its reported errors in purging Florida voting rolls of eligible voters during the months leading up to the 2000 elections.

Smith responded that the actual work on the Florida voting rolls had been done by Database Technologies, a firm ChoicePoint bought after it finished its work scrubbing the lists. ChoicePoint acquired the company in May 2000.

The data industry didn't fare much better in an earlier hearing held by the Senate Banking, Housing and Urban Affairs Committee. Sen. Patrick Leahy (D-VT) needled data compilers for sloppy security practices.

“ChoicePoint's bread-and-butter business includes identity verification and screening to help corporate America, as they say, ‘know its customers.’ Well, this company failed to know its own customers.”

Leahy's credit card information was among that of 1.2 million Defense Department workers contained on five Bank of America data files that were lost in transit in late December. He had harsh words for Bank of America, which said it used commercial airliners to transport the data tapes that disappeared.

Addressing Committee Chairman Richard C. Shelby (R-AL), Leahy said: “We travel a lot. We've had our suitcases lost, and they think that a suitcase full of some of the most important data on their customers couldn't get lost, too? And can you imagine how disillusioned their customers must feel when they realize Bank of America didn't care any more about them than to let that happen?”