April 14, 2005
Evidence continues to mount that personal information on millions of Americans, stored in massive computer databases, is not only at risk, but much of it may have already been stolen. The latest revelation has rocked LexisNexis, which now concedes that cyber-criminals have been rifling its files for at least three years, with consumers blissfully in the dark.
A LexisNexis executive, testifying before a Congressional committee this week, said there has been at least one data break-in that was never reported to the public. Earlier, the data management firm revised its estimate of the number of compromised computer files from 32,000 to 310,000.
ChoicePoint Inc. conceded under questioning that it too suffered breaches before passage of a California law in 2003 that requires companies doing business in the state to notify consumers that their data might be at risk, officials said.
Since they were not legally obligated to do so, the companies chose not to alert the public in those cases.
The Electronic Privacy Information Center, a Washington-based privacy watchdog, has renewed its call for federal regulation of data brokers, saying there is too much secrecy surrounding their practices and too little accountability. EPIC said that in the LexisNexis case, databases had been fraudulently breached 59 times using stolen passwords, allowing access to addresses, Social Security numbers, and other sensitive information.
Sen. Dianne Feinstein (D-Calif.) has sponsored a bill that would establish a national notification law, similar to the state law already in effect in California. She has introduced similar bills several times in past sessions, with no success.
More than 20 states are studying California's statute and considering enacting similar legislation.
Kurt Sanford, LexisNexis President and CEO for U.S. Corporate and Federal Markets, told Congress that an earlier, unreported break-in occurred prior to 2003. He did not give details or estimate how many personal files might have been compromised.
The issue of consumer privacy and data brokers took center stage earlier this year when Georgia-based ChoicePoint revealed that data thieves had used phony accounts to access the most sensitive financial information on hundreds of thousands of consumers nationwide. Officials at EPIC say the issue is not security, but privacy.
In testimony to the California Senate Banking Committee, EPIC West director Chris Hoofnagle argued that even if commercial data brokers could securely sell personal information, that would not address the underlying issue of whether the information should be sold in the first place. EPIC urged California lawmakers to act quickly to limit commercial data brokers' collection and sale of personal information.