The committee's hearing Wednesday morning included testimony from Deborah Platt Majoras, the chairman of the Federal Trade Commission (FTC), officials from the FBI and Secret Service, representatives from privacy advocacy groups, and executives from ChoicePoint and LexisNexis, firms that sold identities to fraudsters and had a database hacked, respectively.
"In the past few months, we have become aware of a string of major security breaches involving large firms such as ChoicePoint, Bank of America, and Seisint, a LexisNexis subsidiary," said Sen. Patrick Leahy (D-Vt.) in opening the hearing. "These incidents demonstrate the susceptibility of our most personal data to relatively unsophisticated scams and logistical mishaps, and they raise broader concerns about the misappropriation of personal information and identity theft."
Judiciary is taking testimony as it begins to consider Feinstein's newest ID Theft Notification Bill, an overhaul of similar legislation she introduced in the last session of Congress, and trumpeted in February. "After additional discussions with privacy rights advocates, it became clear that much more needed to be done to protect Americans," Feinstein said in a statement as she explained why she strengthened the bill.
Based on California's Security Breach Information Act, which requires companies to notify users when identity data has been exposed, Feinstein's version closes several loopholes in the California statute.
Her bill covers both electronic and non-electronic data, as well as encrypted and non-encrypted data, lets consumers put a seven-year fraud alert on their credit report, lays out the specific requirements companies must meet when they notify users, and levies stiffer penalties for non-compliance.
California's law -- the only one of its kind in the country -- doesn't cover encrypted data, for instance, and leaves the details of notification to the companies whose information has been hijacked.
"We desperately need a strong national standard that says whenever a data system is breached, everyone who is at risk of identity theft must be notified," said Feinstein.
Among those supporting a national notification law was Douglas C. Curling, the chief operating officer and president of ChoicePoint, the firm which in February sent 145,000 notifications to people in 50 states whose personal information may have been sold to con artists last October.
Still chastised by the scandal, Curling said, "Let me again offer our sincere apology to those consumers whose information may have been accessed by the criminals who perpetrated this fraud," at the start of his prepared statement to the committee.
"One of the most fundamental liberties of being an American is the right to be let alone," added Sen. Leahy. "When you invade someone's privacy or treat it glibly, you trample on that liberty. That's why we need privacy, and that's why we should vigilantly protect it."