Congress edges toward new privacy rules

Both Republicans and Democrats profess outrage over ChoicePoint and LexisNexis mishaps. New laws are being proposed.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
2 min read
An amorphous political debate over how to respond to recent data mishaps at ChoicePoint, Bank of America and Reed Elsevier Group's LexisNexis service is beginning to take shape.

In what could mark a turning point in the legislative process, both Democratic and Republican politicians on Thursday decried what they called poor security for Americans' personal information held by data brokers such as ChoicePoint and LexisNexis.

During a Senate Banking committee hearing, Sen. Jon Corzine, D-N.J., said he plans to introduce a bill next week that borrows concepts from securities regulation. The measure would require "the chairman or chief enforcement officer to attest to the effectiveness of the systems that provide for control of information" and provide notification to consumers of security breaches, Corzine said.

Sen. Charles Schumer, D-N.Y., said he is preparing his own proposal to require a "box to be posted on any Web site that seeks to obtain personal information about a customer" with disclosure about how the data will be used. Schumer promised that "we're going to force companies to demonstrate a need for customers' personal information before requiring it from them."

For the last few weeks, politicians have been responding to news of data breaches with the usual cries of outrage and vows of prompt action. But few details of possible legislative responses have emerged.

In the last 24 hours, however, Schumer and Patrick Leahy, a Vermont Democrat, have both talked about using the recent security incidents to enact legislation that would target far more companies than merely information brokers. Schumer, for instance, indicated he wished to regulate all commercial Web sites.

Such aggressive responses have raised eyebrows among some Washington watchers. "They're using this as an excuse to advance not-terribly-relevant privacy protections," said Jim Harper, director of information policy at the free-market Cato Institute. "These proposals are not focused on harm to consumers, which is what matters most."

Republicans also called for new laws. Rep. Joe Barton, R-Texas, chairman of the House Energy and Commerce committee, said Thursday that he plans to convene a hearing for March 15.

"Under current law these companies have a legal right to package information and do almost anything they want with it," Barton said. "I personally see no socially redeeming value in anyone having the right to give away and sell my personal information unless I approve it."

Deborah Majoras, appointed by President Bush as chairman of the Federal Trade Commission, echoed that sentiment. "There may be additional measures that will benefit consumers," she said.