Data Security Hearing: ChoicePoint

The Senate Commerce Committee had this hearing on 5/10/05

Hearing on Identity Theft/Data Broker Services
Full Committee Hearing
Tuesday, May 10 2005 - 2:30 PM - SR-253


Webcast: Click here to view a live webcast of this hearing. http://commerce.senate.gov/archive.idtheft051005.ram
Description: Senate Commerce Committee Co-Chairmen Ted Stevens (R-Alaska) and Daniel Inouye (D-Hawaii) have scheduled a Full Committee hearing on Tuesday, May 10 at 2:30 p.m.on identity theft in room 253 of the Russell Building. The hearing will focus on data broker services, and the treatment of such services under existing state and federal privacy laws.

Witnesses (Among others)
Mr. Kurt Sanford
President & CEO, U.S. Corporate and Federal Government Markets, LexisNexis

Mr. Douglas C. Curling
President and Chief Operating Officer, ChoicePoint, Inc.

Check this hearing out: Sen. Kerry appears about 1:22 into the web video. He asks a really scary question around 1:38.

posts starting with #25. This explains what happened in the hearing, who ChoicePoint is and why Sen. Kerry's questions was really scary.

I wonder if he is on to something here.

What do you guys think?

Diebold and ChoicePoint. Two of the scariest name around. Glad to see Kerry on top of this.

However, after watching the hearing several things Kerry mentioned got my attention. Terms such as, medical records, biometrics and DNA and the "how far and wide this information goes was IMO the best question asked up to that point. He then topped that with his question on proprietary information and ChoicePoint's access to proprietary information on us that we don't even have access to. Scary stuff. Thanks for posting this hearing.

PS. What is the connection you refer to between Diebold and ChoicePoint?
Thanks again.

You say "go to this thread", but I don't see a link to a thread.

U.S. SENATE COMMITTEE ON COMMERCE, SCIENCE AND TRANSPORTATION HOLDS A HEARING ON IDENTITY THEFT AND DATA BROKER SERVICES

MAY 10, 2005

From the transcript:
U.S. SENATOR GORDON SMITH (R-OR)
U.S. SENATOR JOHN F. KERRY (D-MA)
U.S. SENATOR BILL NELSON (D-FL)

WITNESSES: KURT SANFORD PRESIDENT/CEO U.S. CORPORATE AND FEDERAL GOVERNMENT MARKETS LEXISNEXIS

DOUGLAS CURLING PRESIDENT/COO CHOICEPOINT, INC.


KERRY: Could I just have one quick follow-up?

SMITH: Absolutely.

KERRY: Would either of you sell to a political committee?

SANFORD: Senator, we have legal research business, news and business information services. There's nothing that would stop them from having access. I don't think they would qualify for permissive use under TLBA (ph) or the BPTA (ph), though. I mean, those are around fraud detection and prevention and law enforcement type of permissible use.

KERRY: But is there anything to stop a committee from -- have you sold anything to a political committee?

SANFORD: Not that I'm aware of, no, Senator.

KERRY: But could they buy?

SANFORD: I don't believe that's a customer segment we serve.

KERRY: But could they?

SANFORD: I don't believe they would get credentialed, but I can find out. It's not a question I've heard before. But I don't believe -- I've never heard -- I've been around with the company since its inception, and...

KERRY: Well, do you have a means of checking, so that...

SANFORD: We have a business purpose criteria upon which we'll enroll people as customers. I don't believe political committees meet the business purpose; therefore, I don't believe we would set up a customer account with them.

KERRY: What about a political consultant, who is doing sophisticated political analysis, polling analysis?

SANFORD: I don't believe they're customers of ours, nor do I believe we'd serve them.

KERRY: You "don't believe," but there's no set of guidelines with respect to...

SANFORD: I'm trying to be very specific. There are very specific guidelines about who we serve as customers. I've never heard of this customer segment being anybody we serve.

The preponderance of our customers are large insurance companies, large financial institutions, trying to process transactions so a consumer can get some kind of benefit -- an insurance policy, a job -- large retailers or large customers of ours. We don't have very many customers that aren't in the large commercial -- space (ph) or government enterprises.

BILL NELSON: May I ask a follow-up on that. But if one of your large commercial customers asked for this information and you had some reason to know that they were going to use it for political purposes...

SANFORD: Our customers, by and large, have to send us -- they're asking questions an application at a time, so I'm not sure how they come in and ask that question anyway.

The most likely way they could present themselves is through the direct marketing business, where we don't sell sensitive personal identifiable information in any way.

But -- again -- I'll be happy to get back to the senator and the committee on that. I'm not aware this is a market we have any interest or any services to.

SMITH: Like I said earlier in the hearing, Senator, this is a question that didn't register Republican or Democrat, but maybe both sides are pretty interested now.

(LAUGHTER)

But I think you raised...

BILL NELSON: Well, I've seen some pretty sophisticated analysis based on those things.

SMITH: In all seriousness, I think your point is well-taken, and I think both sides do have an interest in making sure that people's rights and privacy are protected.

So we appreciate very much, gentlemen, your being here today and for the contribution you've made to our understanding of this issue and the kind of problem we're trying to wrestle with and get some results for the American people.

So we thank you.

WITNESSES: KURT SANFORD PRESIDENT/CEO U.S. CORPORATE AND FEDERAL GOVERNMENT MARKETS LEXISNEXIS

DOUGLAS CURLING PRESIDENT/COO CHOICEPOINT, INC.

KERRY: Thank you, Mr. Chairman. I apologize for being late, but we had competing meetings -- as is always the case here.

I apologize to the witnesses.

I've tried to get an update as fast as possible so I'm not overly repetitive or repetitive here, and I know a lot of questions -- good questions -- have been asked.

Obviously, from the participation here today, you can get a sense of the importance, but you already knew that before you came here because of the outcry publicly and the concerns that people are expressing. And the moving sort of (ph) model statewide, beginning with California, of regulation are obviously an indication of people's desire to do something.

I understand your business models, and I understand that the information you provide is obviously often used for very valid purposes; but as we move forward, the question of how to protect this is, needless to say, critical.

During the campaign last year -- and I think it came to fruition yesterday or today -- President Bush and I both talked about e-medical records and the need to try to reduce costs in the medical system, and obviously that's critical.

I wonder if you could share with us a little bit: First of all, what types of personal information currently do you maintain in your product lines? -- including information based on biometrics, DNA and medical records.

Mr. Curling?

CURLING: We don't maintain any data on biometrics, DNA or medical data. The data...

KERRY: Might you as this opens up now, with a certain amount of money? Is this not a lucrative business prospect?

CURLING: I don't know whether it's a lucrative business prospect or not, but it's not an area where we have a lot of expertise or traction.

We do have a DNA laboratory that supports our law enforcement initiatives, but that laboratory -- Bode Labs -- merely takes specimens on behalf of law enforcement agencies, processes the DNA, maintains chains of custody, and turns that back over to them for forensic purposes.

Our scientists have been to Thailand to work on the tsunami. We identified the victims of the World Trade Center tragedy through that laboratory. But it's a forensic science laboratory that's really an extension of the services we do to support law enforcement, not part of our business model that we necessarily embrace. I think it is possible that the identifiers that we all begin to see more used in our society are perhaps biometric identifiers you're seeing today, technological solutions beginning to be deployed, that use authentications exceeding user IDs and passwords and incorporating things like biometrics, but that's not something that, in the industry that I'm in, is heavily in use today.

KERRY: Mr. Sanford?

SANFORD: We don't collect medical information, Senator, or biometrics or DNA either.

KERRY: What about that information, Mr. Curling, that you do collect, in terms of the forensic chain of custody -- is there any intrusive link in there that should be of concern?

CURLING: No, sir. That data doesn't get -- the data repositories in ChoicePoint are generally housed at the product level. None of the information in Bode Laboratories -- which is in Springfield, Virginia -- goes out of the laboratory into other places in ChoicePoint.

KERRY: When you say you changed your business model and essentially tightened procedures, what loopholes did you tighten?

CURLING: Well, I don't know that I would say we tightened loopholes. We made business decisions that we thought were in the best interests of our company, given the experiences that we've had, and they were basically twofold.

One, there are businesses that are hard to credential -- those are small businesses -- and given that the preponderance of our revenue is in large either government contracts or of commercial enterprises, small businesses are simply something that's awful hard for us to adequately credential and ensure that we know exactly who on the other end is buying the information products.

We chose to exit the market of selling sensitive personal information to those businesses, even though they have legitimate business interests to get at -- and, you know, certainly small businesses face many of the challenges that big businesses do.

Secondly, there are products that we sell that, while legal, don't have direct consumer benefit, and so we chose to not sell certain segments of the marketplace sensitive personal data that they're legally entitled to get but they don't fit our business model.

KERRY: Was that small business changed specifically in response to the Nigerian...

CURLING: Yes, it was.

KERRY: It was, okay.

Is it your judgment now that those two problems were the only two problems, or are you taking further steps that we should be aware of? CURLING: Well, our investigations and those of law enforcement continue. We tend to think of security risks in five different categories: basic physical possession risk -- which you can think of as common burglary or just loss of data; secondarily, the hacking potential -- and we have, like most in our industry, monitoring software and extensive tools to try and monitor and track and prevent hacking attempts; you have properly-credentialed customers that have an employee that does a search they're not permitted to do -- you know, the typical scenario of doing a background check on somebody's girlfriend or neighbor; you have properly-credentialed customers that lose track of passwords and user IDs -- of which you've already heard testimony today; and then, lastly, you have customers that get past credentialing procedures, that simply should not have been credentialed as customers -- and that's the experience we most recently had, where the notices were driven by.

KERRY: With respect to the law enforcement agencies, I gather you sell information to about 7,000 agencies? Is that correct?

CURLING: We serve 7,000 agencies. A lot of those don't buy data -- they're buying software or tools from us.

KERRY: So is there any limitation on the sale of that information to law enforcement?

CURLING: Well, we're limited by the type of information we're able to legally obtain from the repositories. The states have laws -- as does the federal government -- about what data can be sold, under what conditions it can be used.

KERRY: So that's established by the states.

CURLING: And by federal government. But, Senator, and as I testified earlier today, largely the federal agencies are turning to us to buy otherwise readily available public record information; they're merely turning to us for convenience and cost...

(CROSSTALK)

KERRY: And to which law enforcement agencies do you currently sell this -- what I assume can be termed -- sensitive consumer information?

CURLING: We sell to a wide variety of federal -- we serve most of the federal law enforcement agencies and many state and local law enforcement agencies.

KERRY: Is there any standard of probable cause?

CURLING: We have circumstances under which they inform us they want to buy data for investigations; but we're not privy -- nor would you want us to be -- to the actual investigations those law enforcement agencies are conducting.

KERRY: So it's an automatic affirmative response for information. CURLING: In most cases, yes, sir.

KERRY: No matter what.

A few years ago you acquired VitalChek, which is a company responsible for handling vital records -- birth, death, marriage, divorce -- in all 50 states. How is that information shared with ChoicePoint?

CURLING: It's not. That's an ordering and payment platform where a consumer orders a vital record directly from a vital records office. We provide a technology infrastructure to those vital records offices. They receive the customer order, they pull the vital record, and they deliver it through secured carrier directly back to the consumer; the records never come through ChoicePoint.

KERRY: So there's no transfer of any of that information outside of VitalChek itself.

CURLING: No, sir.

KERRY: Do both of you accept the premise -- that I think has been bouncing around here today -- that reasonable security standards ought to apply universally to any custodian of sensitive personal information?

SANFORD: Yes, Senator.

KERRY: And Mr. Curling?

CURLING: (OFF-MIKE)

KERRY: I think most of the other questions were touched on.

Let me just ask you, for my own edification: How do you collect and maintain, store and protect the information? What's the process by which you do that? -- if you could go through that. Mr. Curling? How do you collect the information and maintain it and store it, how do you go about that?

CURLING: It varies widely by market. In the largest market we serve -- which is the insurance market -- we gateway directly to states to get motor vehicle records and driver's license records, in most cases, and we deliver those back directly to our insurance customers, an application at a time.

So when an application comes in, we break that application down against some decision rules the insurance companies have given us, and then we begin to buy information products. Sometimes they're products that we database and warehouse; sometimes we go gateway to them.

KERRY: Do you gateway to credit check companies, credit companies?

CURLING: We do. KERRY: Do you see any distinction between the information that you use and sell and the information that's on somebody's credit record?

CURLING: In many cases, from a regulatory standpoint, there's not a difference. We are a consumer reporting agency governed by the FCRA in many of the information products we have. The insurance products would be FCRA products. We would be treated similar to a credit reporting company. The same is true for our preemployment workplace solutions product and our tenant-screening products.

KERRY: Do you think, from a legal point of view, that any individual in America, as a citizen, has a proprietary interest in their own information?

CURLING: I think citizens are obviously very concerned about the data...

(CROSSTALK)

KERRY: Proprietary information, proprietary interest.

In other words, should you be trafficking in their information and they have no participation in the process? *** CURLING: Again, the majority of our transactions that contain sensitive consumer information are initiated directly by consumers, so the transaction would not happen if a consumer hadn't initiated it.

KERRY: Of course, that depends on knowledge standard, right, the knowledge standard? I mean, the opt-in, opt-out, whether they know or don't know...

CURLING: Well, they applied for an automobile insurance policy, and on the application...

KERRY: But they didn't apply to have their information go to you, to be winning you a profit for the transfer of whatever their life is, did they?

CURLING: I wouldn't know, Senator.

KERRY: Mr. Sanford?

SANFORD: I don't believe that a proprietary standard is workable. We use public record information to provide very vital services that actually help the consumer...

KERRY: Is the information of a credit company a public record or is it private, privately held...

SANFORD: We don't collect...

KERRY: ... on a specific kind of contract relationship, the contract between the individual and that particular entity?

SANFORD: We do not collect financial or credit information on individuals, so -- we're not in that business.

KERRY: Mr. Curling, what about that? Is it specifically...

CURLING: I'm not an expert in the Fair Credit Reporting Act, but I believe that a consumer -- a credit reporting agency has opt-in and opt-out -- both -- provisions on it with respect to certain uses of their products, and in many cases our products are regulated by the FTC under FCRA, just as they are.

KERRY: I think one of the things, Mr. Chairman, we're going to have to think through very carefully as we go forward is: What is the level of knowledge and option available to anybody, as to how far and how wide their information goes, and I think that's central to this.

I thank you.

SMITH: Thank you, Senator Kerry.

last night while talking about this (son's in town ;-)), but that was what I meant. Pretty sly:

"KERRY: Could I just have one quick follow-up?

SMITH: Absolutely.

KERRY: Would either of you sell to a political committee?"

Just an afterthought. Right. :D

That was what brought my antenna. That's not a casual throw-away question. That's it's own friggin hearing. Something is (mildly) up.

This is good stuff. Somebody has been doing their homework and making some great mental connections on what these data merchants are doing now and what could happen unless government fulfills their regulatory obligations to safeguard our personal financial information.

This is interesting and good work. I know that it's not as sexy as arguing with Kos, but this is actually what is going on. These are not only the issues of the future, but they might just tie into sexy issues like voter list frauds and such. You know, the Senate just passed the "Real ID' bill as part of the Iraq Supplemental funding bill. Who is going to collect this info on Real ID? What info is going to be used to deny driver's licenses to people. Only folks with driver's licenses or State IDs will be able to vote, you know. This stuff might just become explosive in the next few months. They who control the information flow control the future.

Do you care?

Somebody in GDP said he voted Yay.

But, it will not survive a challenge in federal court, so most of the Dems felt they could afford to vote based on the funding of the troops in Iraq side of the bill. (Well, they have a point.)

HOWEVER, this is not over. This stuff is important.

Thanks for the shout out! :bounce::applause: :hug: