WASHINGTON - In February 2005, some 140,000 people around the country were notified that their personal information - including names, addresses, identification numbers and job histories - had been stolen from a database run by ChoicePoint.
Now, Sen. Bob Bennett is sponsoring legislation, written with input from ChoicePoint, a data-collection company, that privacy advocates say would override tougher state laws and could keep consumers from ever finding out about future security breaches.
"It's unacceptable to any privacy advocate, and it's unnecessary because we already have constructive compliance nationally with the strongest state laws," said Ed Mierzwinski, consumer program director at the Public Interest Research Group. "The only purpose in Congress going forward would be to please companies that don't like the strong state laws."
Bennett argues that his bill simply replaces an unworkable hodgepodge of state laws with a uniform standard that would enable businesses to deal with data security more efficiently.
"Obviously, I don't think it's a weak bill or I wouldn't be pushing it. You always get folks who want the perfect world, and I'm sympathetic with that," Bennett said. But it gets more complicated when "you get into the reality of how these records are kept, how they're managed, what the challenges are."
Bennett also has ties with lobbyist John Harmer, whom the Utah senator said he has known since high school and who had been hired by ChoicePoint and the credit reporting agency Equifax to work on data-security issues. Harmer is treasurer of the Hatch/Bennett Political Action Committee, a fundraising body created last year that raised $43,834 for Bennett and Utah Sen. Orrin Hatch.
Harmer, whose lobbyist contract with ChoicePoint ended last year, still represents Equifax. As Equifax's representative, Harmer said he offered input on Bennett's data-security bill, mostly answering specific questions about how it would affect the company.
Bennett said he doesn't recall ChoicePoint weighing in on the legislation, but it would make sense.
"A lot of people say, 'Gee, you should never talk to a lobbyist who has an interest in your bill.' That's a good way to write a bill that will do a lot of harm," he said. "You don't want to legislate in ignorance."
Data security has been a hot topic recently, particularly with growing public concern over identity theft and recent high-profile security breaches, including the loss and subsequent recovery of millions of Veterans Administration records.
Identity theft is the top consumer complaint to the Federal Trade Commission and costs an estimated $53 billion each year.
Since the ChoicePoint security breach in 2004, nearly 90 million personal records have been compromised in various breaches, according to the Privacy Rights Clearinghouse. Thirty-one states have responded with some sort of data-security legislation, some requiring notification, credit freezes or penalties against companies.
Utah's Legislature passed a bill this year requiring companies to protect sensitive personal information and notify individuals if that data is inappropriately accessed.
But the result of the legislation, said Marc Rotenberg, executive director of the Electronic Privacy Information Center, is that, "Industry groups are running to Washington trying to get through bills that would leave them without any accountability or responsibility."
There are at least 17 data-security and privacy bills pending in the House and Senate.
Many of the bills, including Bennett's, would replace existing state laws with a uniform national standard on how to deal with security breaches. Consumers in states with a weak law or no data-security law might get new protection, but those in states with strong laws would see their protections watered down.
In November, 48 state attorneys general, including Utah Attorney General Mark Shurtleff, sent a letter urging Congress to pass a strong data-protection and breach-notification law, without pre-empting existing state laws.
Bennett said his bill applies a sort of cost-benefit analysis, so companies don't have to spend the money notifying customers if there is no risk posed by the security breach.
Companies that suspect a breach would have to do an internal investigation and notify individuals if the information lost is "reasonably likely to result in substantial harm or inconvenience."
Bennett's bill would also prohibit consumers from taking a company to court for not adequately securing data or handling a breach, and would prevent state attorneys general from filing charges against a company that failed to comply with the law. Bennett's staff said outside legal action wouldn't be needed because federal regulators would enforce the law.
Rotenberg said the practical effect would be that consumers might never find out about future security breaches, although he hopes that Bennett, who he says has been strong on privacy in the past, would be open to strengthening the bill.
"Some members are looking for comprehensive laws that will safeguard consumers, and other members seem happy to consider legislation that will safeguard companies that are largely responsible for the problem," he said. "I'm afraid at the moment that Senator Bennett's bill falls into the latter category."

