Senator Dianne Feinstein, a California Democrat, in January introduced a bill that would require businesses and government agencies to notify the likely victim when there is a "reasonable basis to conclude" that a criminal has obtained unencrypted personal data. Her bill is similar to a California notification law passed in 2003, the only state law requiring companies to notify customers of data breaches.
But Barbara Desoer, executive for global technology, service and fulfillment with Bank of America, asked lawmakers in her written statement to be cautious about passing a law that would require immediate notification of a security breach.
"Our recent actions demonstrate our support of the conviction that customers have a right to know when their information may have been compromised, and that timely notification in the appropriate circumstances could help to minimize various risks," she wrote. "At the same time, we advise some caution regarding legislative solutions. In some instances a thorough investigation of the security may conclude there is no risk that the information was used for illegal purposes. In these instances, it is probably best to leave it to the discretion of the institution to decide if customers should be notified."
Deborah Platt Majoras, chairwoman of the U.S. Federal Trade Commission (FTC), agreed, saying that in some cases, computer hackers may attempt to crack databases for the sport of it, instead of attempting to steal personal data. "If we try to inform consumers of every single breach, for one thing, they're going to become numb to it," she said.
Platt Majoras acknowledged, however, that ID theft is a growing problem. The FTC estimated there were 10 million U.S. victims of ID theft between early 2002 and early 2003, at a total estimated cost of $53 billion to U.S. businesses and individuals.
"Isn't this one of the biggest robberies going on today?" asked committee chairman Richard Shelby, an Alabama Republican. "Traditional bank robbers are petty thieves compared to the aggregate of this, are they not?"
Platt Majoras agreed.
Of the two bills announced Thursday, Corzine's bill would require companies that lose private information to ID thieves to notify potential victims promptly. His Identity Theft Prevention and Victim Recovery Act would also require companies holding private information to establish security systems to protect that data. A high-level company executive would be required to personally attest to the security measures.
Schumer's bill would establish an ID theft office at the FTC that would have jurisdiction over data brokers, he said. It would also require companies that sell consumer data to third parties to conspicuously display that information on the front of their Web sites.
Schumer said he was "utterly amazed" at the ease with which data collection companies give up private consumer data. "Every year, (ID theft) gets much worse and much worse and much worse, and yet, we're doing very little about it," he said. "Our laws are a patchwork quilt of state and federal laws that, frankly, don't do the job. It's the crime of choice these days."