Prompted by an incident in which personal information was fraudulently obtained from data broker ChoicePoint Inc., Congress is likely to enact legislation to limit the sale of Social Security numbers, a key lawmaker said Tuesday. But the CEOs of ChoicePoint and information broker LexisNexis Group's U.S. Corporate and Federal Government Markets cautioned the lawmakers not to ban all sales of Social Security numbers.
"There's a very good chance we're going to put together a bill that will make it illegal to sell the Social Security number without the permission of the individual unless there is a legitimate law-enforcement purpose," Rep. Joe Barton, the Texas Republican who chairs the House Commerce and Energy Committee, said at a House hearing addressing identity theft. "There may be one or two other exceptions; I don't know what they would be. I have not heard anything that explains to me why we should allow that to go on."
At the four-hour hearing--held by the panel's Subcommittee on Commerce, Trade, and Consumer Protection--lawmakers also suggested that Congress would consider legislation to extend to businesses that sell consumer information the rules in the Gramm-Leach-Bliley Act, a 6-year-old regulation that requires financial institutions to have a security plan to protect the confidentiality and integrity of personal consumer information.
And though the chairwoman of the Federal Trade Commission and executives from ChoicePoint and LexisNexis called for a single federal act to regulate data brokers that would usurp state laws, others contended that eliminating state statutes could harm consumers.
Identity theft is a growing problem in the United States, with technology making it easier for crooks to heist Social Security, driver's license, and bank-account numbers, as well as other personal information. An FTC survey in 2003 found that in one year nearly 10 million people discovered some of their personal information was stolen, costing businesses $50 billion and individuals $5 billion. ChoicePoint last month said scam artists had tricked the Georgia company into handing over 145,000 records containing Social Security numbers and other personal information on people in every state. And last week, LexisNexis said thieves using passwords and identifications from legitimate customers broke into its databases and stole personal information on about 32,000 Americans.
Despite calls to restrict the sale of Social Security numbers, FTC chair Deborah Majoras, along with ChoicePoint CEO Derek Smith and LexisNexis unit CEO Kurt Sanford, testified that situations exist in which businesses should be given a consumer's Social Security number without notification to facilitate commerce, such as when a bank considers issuing a loan and wants to ensure that it's being granted to the right individual. "How do we associate records of information with a particular individual?" Sanford asked. "That Social Security number is that unique identifying piece of info to allow financial institutions, for example, to determine whether they're having a fraudulent transaction in their business."
Majoras and the two CEOs also said that any legislation Congress offers to regulate the transfer of personal information should usurp state laws so as not to overwhelm consumers with notification if personal information is stolen. "It is important that any such proposal contain federal preemption to ensure that companies can quickly and effectively notify consumers and not struggle with complying with multiple, potentially conflicting, and inconsistent state laws," Sanford said.
But Marc Rotenberg, president of the Electronic Privacy Information Center, a public-interest group, noted that the California law required ChoicePoint to notify consumers that their personal information was stolen. "Congress simply should not pass laws that tie the hands of state legislators and prevent the development of innovative solutions that respond to emerging privacy concerns," Rotenberg said.
The heads of the data brokerages had no objection to extending the safeguard provisions of the Gramm-Leach-Bliley Act to their businesses. But Rotenberg called for a new law to let the FTC develop fair information practices for data brokers, which also would subject violators to civil penalties. "Consumers would be able to pursue a private right of action, albeit a modest one," he said. "And states would be free to develop stronger measures if they chose."
Adding a more formal structure to the current scheme of information use could help society realize the full value of technology-based tools, ChoicePoint's Smith said. "Every advance in technology that makes our lives easier also makes it easier for our enemies to move swiftly against us," he said. "You and I can be approved for a bank account in a matter of minutes, but a person can use that same technology to get a fake or real driver's license or to create a fake business. The point being, technology and information are neither good nor bad. People determine if the power of information is used for the benefit of individuals or society or to create harm."