The security breach of at least two massive databases containing sensitive personal information, and concerns about access to Social Security numbers from another source, have prompted lawmakers to call for legislation, investigations, and hearings. The Chairman of the Senate Judiciary Committee, Arlen Specter (R-PA), said his panel will hold hearings on identity theft and how data about individuals is collected, safeguarded, and used.

The theft of consumer information has also prompted legislators in several states to introduce bills requiring companies to notify individuals if they think information from their databases has been stolen or released. All of these developments will cause increased scrutiny of lists and create greater calls for regulation of databases and the use of personal information.

The Georgia-based ChoicePoint recently reported that criminals had obtained access to information, including Social Security numbers and credit reports, on 145,000 individuals in its databases. It is notifying all of those individuals about the theft and risks it poses.

A major government contractor, Science Applications International Corporation (SAIC), reported that information on tens of thousands of its current and former employees and stockholders had been stolen when their offices were broken into.

At a news conference two weeks ago, Senator Chuck Schumer (D-NY) alleged that Social Security numbers and other personal information is too accessible through Westlaw's People-Find service. He called on the company to "immediately suspend" the service, which is primarily used by government and law-enforcement agencies and news media organizations. Senator Schumer has said he will introduce some type of comprehensive legislation.

Besides Schumer and Specter, other lawmakers jumping into the fray include:

• Senator Patrick Leahy (D-VT), the ranking Democrat on the Judiciary Committee, who requested the hearing and said, "It's time to turn some sunshine on these developments so the public can understand how and why their personal information is being used."

• Senator Diane Feinstein (D-CA), a member of the Judiciary Committee who has introduced a series of privacy bills, called for a federal law requiring notification about data breaches, saying "individuals have a right to be notified when their most sensitive information is compromised."

• Senator Bill Nelson (D-FL), a member of the Senate Commerce Committee, has called for increased regulation of database companies and oversight by the Federal Trade Commission. At a news conference last week when it was revealed that the CheckPoint theft may have affected more than 10,000 Floridians, he said, "We are getting very close to 'Big Brother is watching you. If this is not an eye-opening threat to our privacy, then nothing is."

• Congressman Joe Barton (R-TX), the Chairman of the House Energy and Commerce Committee, "has directed his staff to investigate the storage and security practices of database companies," according to The Washington Post.

It is unclear when a Senate hearing may be held and what the full scope of that session might be.

Meanwhile, a feature story in The New York Times last week called it "a grim week for privacy" and said "Americans are increasingly at risk from data leaks large and small.... "Companies in the industry say they are always trying to improve security and that any risks are outweighed by the benefits to consumers, businesses and law enforcement."

States Weigh In

California is currently the only state in the nation to require companies to notify its residents if information about them may have been revealed due to a security breach, and 33,000 Californians were notified about the ChoicePoint theft. (Senator Feinstein's legislation would enact a national notification requirement.) Legislation modeled on the California law has been introduced in New York, Georgia, and Texas.


New York Considers "Do-Not-Mail" Bill

The Federal Trade Commission's development of a "do-not-call" list received widespread notice and legislative backing from Congress. Legislation has now been introduced in the New York Assembly to establish a state do-not-mail registry.

The legislation, which would apply to e-mails as well, would authorize the state Consumer Protection Board to create and maintain the registry, and allows fines of up to $2,000 for sending unsolicited mail to New Yorkers who are on the registry. Charities, governments, and political mailings would be exempt from the banned mail.

The Direct Marketing Association (DMA) already maintains a "Mail Preference Service" through which individuals nationwide can indicate that they do not want to receive promotional mailings at their homes. DMA members are required to use the service.

Anti-Credit Card Marketing Bills Introduced

Focus on College Students in New York and Washington State

The marketing of credit cards to young people is a recurring hot-button issue. For example, in the past, Senator Chris Dodd (D-CT), the author of the student-privacy provisions governing information-gathering in elementary and secondary schools, has proposed making it harder for young adults to get credit cards.

And when Congresswoman Darlene Hooley (D-OR) introduced the House version of Senator Wyden's bill restricting the transfer of lists of children under the age of 16, she raised the issue of the "inappropriate practice of mailing unsolicited credit card applications to children," even though that does not intentionally happen now and her bill would not stop it even if it did.

Now, bills in three state legislatures seek to curtail the practice, two of them targeting activities on college campuses.

• A bill in the New York Assembly would simply prohibit mailing credit card applications to young adults under the age of 21.

• A measure in the New Jersey Assembly would prohibit the state's public higher education institutions from allowing the "direct merchandising" of credit cards to their students, regardless of age.

• Legislation in the Washington State House and Senate would require colleges and universities to develop policies on the marketing of credit cards on their campuses.

The North Dakota House recently voted to reject a bill that would have prohibited credit card marketing on its college campuses.