LexisNexis Says Thieves May Have Taken Data on Consumers

By TOM ZELLER Jr.

Published: March 9, 2005

In yet another apparent theft of consumers' personal data, the LexisNexis Group, a major compiler of legal and consumer information, said today that about 30,000 of its records - including names, addresses and Social Security numbers of individuals - may have fallen into the hands of thieves.

The announcement follows the recent disclosure of several other cases of the loss or theft of consumer data. ChoicePoint, another leading data broker, said last month that it had inadvertently sold the records of more than 140,000 individuals to con artists. And Bank of America said more recently that backup computer tapes containing information on more than a million of its customers had been lost.

The Federal Bureau of Investigation and the Treasury Department are investigating the LexisNexis incident, people close to the inquiry said. The concern in such cases is that criminals can use the information to open credit card accounts in other people's names or engage in various other forms of so-called identity theft.

The LexisNexis breach is almost certain to accelerate calls from privacy advocates and state and federal officials for greater scrutiny of the companies that buy, store and sell consumer data. The issue will be taken up on Thursday in a hearing before the Senate Banking, Housing and Urban Affairs Committee, and next Tuesday at a similar hearing before the House Energy and Commerce Committee.

"I personally see no socially redeeming value in anyone having the right to give away and sell my personal information unless I approve it," the chairman of the House Energy and Commerce Committee, Representative Joe Barton, Republican of Texas, said today.

"Under current law these companies have a legal right to package it and do almost anything they want to do with it," Mr. Barton said. "I just think that's fundamentally wrong. And in the Internet age, it's dangerous."

Some other lawmakers expressed similar sentiments.

"We need to think proactively and treat these data troves with the same level of care and protection that we would any other valuables," Senator Patrick Leahy, Democrat of Vermont, wrote in an e-mail statement. On behalf of the Senate Judiciary Committee, Mr. Leahy is scheduled to testify before the Senate Banking Committee hearing this afternoon. "Our peace of mind, our economy and even our nation's security depend on it," he wrote. The Judiciary Committee also plans to conduct hearings on the issue soon.

As it is, the industry is governed by a hodgepodge of state and federal laws. Critics have argued that because those laws are often at odds and sufficiently ill-defined, the rules permit companies like ChoicePoint and LexisNexis to police themselves as they market consumer data to insurance agencies, background screeners, private detectives, law firms and even the federal government.

Some control is provided by the federal Gramm-Leach-Bliley Act of 1999, which governs the use of personal information maintained by financial institutions. And the Fair Credit Reporting Act of 1970, along with its 2003 amended version, the Fair and Accurate Credit Transactions Act, establishes rules for gaining access to and disseminating consumer reports.

But it has been a matter of debate how those rules apply to vast information warehouses like ChoicePoint and LexisNexis, which provide a blend of both public and private information, only some of which is of interest to identity thieves. The information services industry has lobbied hard in the past to stall legislation that would put curbs on the kinds of information that can be peddled and to whom. But the succession of large-scale breaches, and the sheer number of consumers being affected by each new incident, will make it harder for the industry to resist some sort of legislative yoke.

"This is going to be hotly fought by people who are gathering and packaging this information," Mr. Barton said. "But I don't see why you have to have Social Security numbers available that are really extraneous to the product at hand."

Several new bills have been introduced in Congress to address the growing problem of consumer privacy, including three submitted in January by Senator Dianne Feinstein, Democrat of California. Mr. Barton has said that he and colleagues from both sides of the aisle have been discussing possible legislative approaches. Senator Charles E. Schumer, Democrat of New York, who chastised another data compiler, WestLaw, in February for making sensitive information like Social Security numbers too easily available, said he plans to introduce legislation next week.


(Originating URL = http://www.nytimes.com/2005/03/09/technology/10cnd-data.html?ex=1111208400&en=761747483eabf8d4&ei=5070  )

