Senator Says Data Service Has Lax Rules for Security

By TOM ZELLER Jr.

Published: February 25, 2005

As the fallout continued to spread from the news of a security breach at Choice-Point, a company that inadvertently sold sensitive consumer data to thieves last year, Senator Charles E. Schumer, Democrat of New York, took aim at another data search service, Westlaw. He promised to introduce broad new legislation aimed at curbing identity theft.

At a news conference in Washington yesterday, Mr. Schumer complained that any employee - from high-level managers to interns - of a company subscribing to Westlaw's databases could access sensitive records on millions of people, including Social Security numbers, previous addresses, dates of birth and other data that is valuable to identity thieves.

Mr. Schumer presented a parade of posters of well-known individuals whose information was available on Westlaw, including the former attorney general John Ashcroft, Vice President Dick Cheney, Gov. Arnold Schwarzenegger, the actor Brad Pitt and the heiress Paris Hilton. The posters obscured their personal data.

The senator called on Westlaw to "immediately close an egregious security gap that risks making millions of Americans the unwitting victims of identity theft."

"We saw what happened with ChoicePoint," he said, "but what Westlaw does makes what ChoicePoint did look like child's play."

Representatives of Westlaw, an online legal research service operated by Thomson West, a joint venture of West Group, based in Minnesota, and the Thomson Corporation of Canada, disagreed, saying in a prepared statement that "our terms of use restricting access go beyond federal law and current industry standards."

Westlaw's 20,000 databases, which are used primarily by corporate, legal and government subscribers, house archives of statutes and other case law materials, but its People-Find databases, like those of other data warehousers including LexisNexis and ChoicePoint, also store some public and personal data on millions of American consumers.

These databases are stocked with information that is publicly available via court filings and phonebook entries, as well as with more sensitive information, such as Social Security numbers, that are purchased from third-party vendors like credit agencies.

But Westlaw representatives say the company has only nine corporate subscribers - mostly large insurance companies - that may have access to the kind of data Mr. Schumer talked about. The only other subscribers with similar levels of access, the company said, are federal or regulatory agencies - including the United States Senate - and ideally only select personnel are given clearance.

Westlaw's other customers are hundreds of thousands of attorneys and law firms who use the service primarily for researching case law, and they do not have access to Social Security numbers, the company said.

John Shaughnessy, a spokesman for Thomson West, said that subscribers to the Westlaw public records databases shared some of the responsibility for monitoring who has access to what information, and that Westlaw provides ways to manage this.

Accounts granted to different people working for the same government agency, for instance, can be tailored to provide different levels of access, Mr. Shaughnessy said. But it is up to the subscriber to make those decisions.

Mr. Schumer dismissed that suggestion.

"That's a beggar-thy-neighbor argument," Mr. Schumer said in an interview. "They are collecting the Social Security numbers and giving them out, and they have an obligation to protect them."

Mr. Schumer said he contacted the company a few weeks ago after some of his constituents complained to him that they were able to access sensitive information via Westlaw. He said he was "brushed off" by company executives.

Thomson West said it was surprised by the senator's comments, and said it looked forward to continuing talks with him about the data brokerage industry, identity theft and any new legislation that may be in the offing.

"We share Senator Schumer's serious concerns about identity theft," the company's statement said.