WASHINGTON—A growing outcry over security breaches at giant information brokers—coupled with the growing sophistication of scammers—is jolting consumers with a grim threat: They're more vulnerable than ever to identity theft.
Congress begins a series of hearings Thursday into how data-collection companies with huge databases collect, handle and sell personal information, and whether new federal regulations are needed to improve security and privacy.
Capitol Hill is responding to growing consumer anxiety fueled by two serious security breaches at large data brokers, much of whose business is unregulated.
ChoicePoint, the largest information broker, warned 145,000 people last month that criminals posing as small businesses had accessed their personal data. The firm, which is headquartered in suburban Atlanta, compiles data on millions of Americans and sells it to companies and government agencies.
At least 750 people were defrauded, but California officials who are investigating the breach estimate that more than 400,000 consumers may have had their data compromised.
And on Wednesday, Lexis Nexis announced that intruders using identification from legitimate businesses were able to get access to information on as many as 32,000 U.S. citizens in a database of Seisnet, its subsidiary.
Seisnet, based in Boca Raton, Fla., and recently acquired by Lexis Nexis' corporate parent, Reed Elsevier Group, supplies data to a crime and terrorism database, called Matrix, for the U.S. government.
As online shopping and banking boom, consumers are becoming more exposed to identity theft, security experts warn. The Federal Trade Commission reported that it was the No. 1 consumer complaint last year.
An FTC survey in 2003 found that 9.9 million Americans had their personal data stolen.
One of those victims, Ruth Wilburn of Cocoa, Fla., discovered that someone had opened 15 credit card accounts in her name and her mother's name. Hundreds of miles from her home, a "Ruth Wilburn" was charging high-priced clothes, jewelry and electronics.
"Fighting this is like a full-time job, and there's no one place to go to get help—it has been a nightmare," said Wilburn, 43, who still has bad credit two years after the fraudulent accounts were opened.
Like many victims, Wilburn isn't sure how her identity was stolen. Thieves are finding holes in computer systems, taking advantage of insecure databases and using such low-tech tricks as persuading data brokers that they're legitimate customers.
"Identity theft is mushrooming, from college students trying to make false IDs to sophisticated criminals," said Bill Callahan, a former federal prosecutor who heads a security company called Unitel.
Several members of Congress are proposing legislation to give the FTC more authority to regulate information brokers, improve the standards for selling data and require the data companies to notify people when their personal information has been compromised.
"If we don't do something in the law, no American will have any privacy left," said Sen. Bill Nelson, D-Fla., whose bill would increase FTC oversight much in the way fair credit laws cover the credit industry.
Sen. Dianne Feinstein, D-Calif., is pushing the notification bill. She said the ChoicePoint breach wouldn't have come to light without the strong California law requiring notification.
Several members of both parties also want restrictions on the use and distribution of Social Security numbers, which scammers use to set up false accounts. Rep. Joe Barton, R-Texas, chairman of the House Energy and Commerce Committee, has said he favors some restrictions.
Sen. Patrick Leahy, D-Vt., warned that if criminals are finding it easier to get personal data, terrorists could do the same.
Deborah Majoras, the chairwoman of the FTC, will testify Thursday before the Senate Banking Committee—the first of several hearings—and said she's open-minded about legislation.
"We may have some gaps in the law and there may be some need for legislation," Majoras said in a brief interview after meeting Monday with Nelson.
Consumer groups are pushing for more regulation. They also want more rights for consumers to protect data about themselves and for companies to be required to correct the information when it's wrong.
"With the fallout from ChoicePoint, I'm optimistic Congress will act because we have two important ingredients—a scandal that woke people up and the fact that states are showing the way," said Ed Mierzwinski, who heads consumer programs for the U.S. Public Interest Research Group.
Industry representatives are cautious and point out that data brokers, or aggregators as they're called, are often compiling and selling information that's already public.
"These companies are not the bad guys, and the industry wants to work to improve security," said Mike Zaneis, director of congressional affairs for the U.S. Chamber of Commerce.
"I don't think we need new regulations."
ChoicePoint has faced a wave of bad publicity. It's disclosed that it's under investigation by the FTC and the Securities and Exchange Commission. The company's two top executives earned $16.6 million from stock sales after the security breach was discovered but before it was made public.
ChoicePoint's CEO, Derek Smith, announced that he would support additional federal regulation and that the company would stop selling sensitive data to small businesses and instead concentrate on corporate clients and the government.
The company also hired a top security official from the government, Carol DiBattiste, to improve security and the screening of customers. DiBattiste, a former Air Force undersecretary, was deputy administrator of the Transportation Security Administration.
Seisnet and Reed Elsevier will move quickly to notify any customers affected by the security breach, a spokesman said Wednesday, and improve ID and password procedures.
(Davies reports for The Miami Herald.)
(c) 2005, Knight Ridder/Tribune Information Services.
PHOTOS (from KRT Photo Service, 202-383-6099): IDTHEFT
Need to map