In prepared testimony for a hearing by the House Committee on Financial Services, executives from Bank of America, ChoicePoint, and LexisNexis supported legislation patterned after California's law requiring companies to notify customers about security breaches.
ChoicePoint Inc., the information broker whose disclosure of a security breach set off a furor over privacy and identity theft, favors existing laws such as the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, as well as a "pre-emptive" national law for notifying consumers when a breach has occurred, said Don McGuffey, senior VP for data acquisition and strategy.
In March, ChoicePoint discontinued the sale of information products that contain sensitive consumer data, including Social Security and driver's license numbers, except where there's a specific consumer-driven transaction or benefit, or where the products support government and criminal-justice purposes.
Reed Elsevier plc's LexisNexis division, which last month said data on 310,000 individuals might have been compromised, supports a national reporting law, as well as increased penalties for ID theft and increased resources for law enforcement, said Kurt Sanford, president and CEO for U.S. corporate and federal government markets. The company has tightened its security procedures, such as truncating Social Security numbers displayed in nonpublic documents and limiting access to full Social Security and driver's license numbers to law-enforcement agencies, banks, and other legally-authorized entities, Sanford said.
Bank of America, which disclosed that backup tapes containing customer and account information for 1.2 million government charge-card holders were lost in transit, has implemented corporatewide package-delivery carrier services for backup tape transport, said Barbara Desoer, global technology, service, and fulfillment executive. The bank, she said, favors a "national approach to information security guidelines."