
LexisNexis flap draws outcry from Congress

It took mere hours for LexisNexis' latest embarrassing data leak revelation to spur cries of condemnation from Congress.

Declan McCullagh Former Senior Writer
It didn't take long for politicians to seize on the latest LexisNexis data leak as evidence that more federal laws are needed.

After LexisNexis revealed on Tuesday that an intrusion into its Seisint databases may have compromised personal information on about 310,000 Americans, a tenfold increase on its previous estimate, members of Congress quickly pledged an aggressive response.

Data breaks

High-profile breaches are finally waking lawmakers up to the need to make sure personal data is securely protected on computers.

LexisNexis
Date: March 2005
Incident: Hackers gained access to databases at LexisNexis' Seisint unit.
At risk: Personal information of about 310,000 U.S. citizens.

ChoicePoint
Date: February 2005
Incident: The data collection company confirmed that information from its consumer database was stolen.
At risk: Names, addresses and Social Security numbers of more than 150,000 Americans.

Bank of America
Date: February 2005
Incident: Bank lost backup tapes detailing the financial records of credit cards held by federal employees.
At risk: More than 1.2 million records in SmartPay charge card program, which has annual transactions totaling more than $21 billion.

PayMaxx
Date: February 2005
Incident: Flaws in the online W-2 service of PayMaxx exposed customers' payroll records.
At risk: Discoverer of the flaws claimed they affected more than 25,000 people. PayMaxx said only a small number of companies were involved.

SAIC
Date: February 2005
Incident: Desktop computers were stolen from the offices of Science Applications International Corp.
At risk: Personal information of current and past stockholders in the government contractor.

"Once again we're forced to ask, why should it continue to be legal to sell a person's Social Security number without permission?" said Rep. Joe Barton, a Texas Republican who heads the Energy and Commerce Committee. "If it takes a new law to protect people from identity thieves, so be it."

Added Sen. Dianne Feinstein, a California Democrat: "Not doing anything is not an option." Feinstein introduced a bill on Monday that would require that consumers be notified of certain types of security breaches.

The speedy bipartisan outcry after Tuesday's disclosure--the latest development in a series of high-profile security breaches--indicates that some form of legislation is likely to be enacted this year. The Senate Judiciary Committee plans to hold a hearing on Wednesday on the topic.

What's still unclear is what form it will take. During a hearing last month, Barton said he wanted to ban the sale of Social Security numbers. Other possibilities include mandating disclosures of security breaches or amending the Fair Credit Reporting Act to regulate the activities of data brokers like ChoicePoint and Acxiom.

LexisNexis, a unit of Reed Elsevier Group, said in a statement Tuesday that it has taken "a number of significant actions in recent weeks to further guard against these types of fraudulent intrusions at our customer sites and to enhance our security procedures and policies overall."

One bill, the Comprehensive Identity Theft Prevention Act introduced Tuesday by Democratic senators Chuck Schumer of New York and Bill Nelson of Florida, takes a hybrid approach. It would restrict the sale and display of Social Security numbers and require the Federal Trade Commission to focus more closely on identity fraud. The measure also would create an assistant secretary for "cybersecurity" in the Department of Homeland Security.

Liberal advocacy groups are egging Congress on. In testimony prepared for Wednesday's hearing, the Center for Democracy and Technology has endorsed "legislation that would tighten controls on the sale, purchase and display of Social Security numbers" and impose more regulations on corporations that collect personally identifiable information.