U.S. lawmakers push for data privacy legislation

Both executives told the House Commerce, Trade and Consumer Protection Subcommittee that their companies have taken steps to ensure their recent breaches do not happen again and to help the people whose personal information may have been stolen. Both companies are offering victims free credit reports and free one-year access to a credit monitoring service.

One free year of credit monitoring isn't enough for victims of ID theft, who often struggle for years to clear up their credit, said Representative Edward Markey, a Massachusetts Democrat.

Markey suggested a lifetime credit monitoring service paid for by ChoicePoint would be more appropriate. "Will you give them 10 years?" he asked Smith. "Will you give them five years, will you give them two years?"

ChoicePoint will "take a hard look" at additional ways to help the victims, Smith said, but he didn't commit to giving away credit monitoring services for a longer period. The company will spend nearly US$2 million on the one year of credit monitoring services, he said. "We will continue to look at other remedies," he added.

On March 3, Markey introduced a bill, the Information Privacy and Security Act, that would require the U.S. Federal Trade Commission (FTC) to develop rules for data brokers, including methods of protecting personal data, ways for individuals to check if their personal data is held by a data broker, and a way for individuals to correct mistakes in data held by data brokers.

FTC Chairwoman Deborah Platt Majoras, like Smith and Sanford, questioned whether a new law should prohibit nearly all sales of Social Security numbers without permission, but Markey ripped into the two CEOs for suggesting such a law could be too broad. "To whom do you think my Social Security number could be sold?" he said. "Who would it be appropriate for you to sell it to?"

Both companies said they supported additional data privacy laws. Sanford and Smith endorsed Platt Majoras' call for a national law that requires companies to tell consumers when personal data has been compromised and there is "significant risk" to consumers. Only California now has a data notification law, and both executives said they preferred a national law to a number of conflicting state laws.

Both companies called for increased penalties for ID thieves, and Sanford also agreed with an FTC proposal that would extend data safeguard requirements in the Gramm-Leach-Bliley Act, governing financial institutions, to data brokers.

But Markey criticized both companies for not backing stronger regulation, such as a ban on the sale of Social Security numbers.

"What we're hearing today is basically an industry that is still in denial, that still doesn't recognize how highly all Americans value their privacy, and who hope to be able to ride out this scandal," Markey said.