Rep. Barton Proposes Outlawing Use of SSNs
for Non-Governmental Purposes
May 11, 2005. Rep. Joe Barton (R-TX), the Chairman of the House Commerce Committee, stated at a hearing on consumer data security that the Congress should outlaw the use of social security numbers for non-governmental purposes.
He spoke during the questioning of witnesses at a hearing of the Subcommittee on Commerce, Trade, and Consumer Protection titled "Securing Consumers' Data: Options Following Security Breaches".
Rep. Barton (at right) said that "I would like to outlaw the use of social security numbers for any purposes other than government purposes."
Rep. Cliff Stearns (R-FL), who presided at the hearing, stated that he hopes that the Subcommittee will mark up a bill within thirty days. He focused his comments and questions on a national data breach notification standard, and regulation of data aggregators.
Rep. Barton began his questions at about 12:00 NOON when most members of the Subcommittee were away for a vote on the House floor. He stopped when U.S. Capitol Police ordered an immediate evacuation an airplane breached restricted airspace around Washington DC. Outside the Rayburn House Office Building police gave orders to run to the south. About one hour later, the Subcommittee resumed its hearing, albeit with fewer members, staff, witnesses, reporters, and others in attendance.
Rep. Barton then launched into his attack on the ubiquitous use of social security numbers. Several of the witnesses may have been more discomposed by the Chairman's statements than by the emergency evacuation.
The Subcommittee heard testimony from Jennifer Barrett of Acxiom, Steven Buege of Thomson West, and Oliver Ireland and a colleague, who testified on behalf of Visa USA. Each of these rely upon social security numbers as unique identifiers. Rep. Barton said that many consumers are harmed by identity theft that is facilitated by the widespread use of social security numbers. Barrett protested that Barton's proposal would create huge problems for Acxiom's clients.
The Subcommittee also heard testimony from Daniel Burton of Entrust, which provides security services, and Daniel Solove, a professor at George Washington University Law School and author of The Digital Person: Technology And Privacy In The Information Age.
When industry witnesses advocated the importance of the social security number as a unique identifier of individuals, Rep. Barton responded that "we have had banks a lot longer than we have had the social security system".
"We have to do something", said Rep. Barton. He continued that consumer's "whole financial records, their medical records, all kinds of consumer data is just out there, without their permission. And the social security number ties that all together, and makes it easy for the criminal element. We have had testimony that organized crime is moving into identity theft. I know that there are legitimate business reasons why that is done. But, I think the time has come to tip the balance in favor of the individual privacy, and find another way to help businesses determine the identity of the people they want to give credit to."
Rep. Stearns stated at the beginning of the hearing that "we must ensure that existing federal law is not leaving open ways for certain entities to skirt the objectives of the primary laws governing this area, including the Fair Credit Reporting Act and Gramm Leach Bliley."
He also stated that "if we determine that existing law is inadequate, we need to get a clearer and more accurate assessment of the scope of the problem across all sectors, assess the current legal tools we have to attack it, and weigh the need for additional regulation and other approaches. Other non-regulatory approaches could include applying good old American technological ingenuity to buttress current consumer data security regulations."
Rep. Stearns also questioned the witnesses regarding possible elements of Congressional legislation, including a national notification of breach standard, federal preemption of state laws, government regulation of data providers, consumers' right to inspect and correct data, and remedies for negligent conduct. The witnesses all agreed that there should be federal preemption. (Professor Solove, a privacy advocate, did not return after the evacuation.) They agreed that there should be a national notification standard, without agreeing on what that standard should be. Witnesses generally dissented, dissembled or remained silent on other possible components of a data security bill.
Rep. Stearns said in closing that "we are hoping, I think, in due time here to get a bill". He added that "I am hoping that we can mark this up, perhaps, in the next thirty days."
Rep. Janice Schakowsky (D-IL), the ranking Democrat on the Subcommittee, stated at the outset that she wants the Congress to enact "comprehensive legislation". She listed components of possible legislation, including a requirement of consent from consumers for release of their information, consumers' right to access and correct their information, and data security requirements.
During the questioning of witnesses she focused on how to draft a national standard for notifying individuals of data security breaches. For example, she asked, if the rule were to be that notice must be given when there is a "significant risk of harm", how should the Congress define the term "significant risk of harm". She suggested that breaches that result in solicitations, but not identity theft or fraud, should be considered "harm".
She also questioned whether and when notice should be given when a breach by an employee or former employee has occurred. She did not reach a consensus with the witness panel on how to draft a national notification standard.
Daniel Burton of Entrust advocated the merits of encrypting data, and stated that any national notification standard should provide that breaches involving encrypted data should be exempt.
Acxiom is based in Little Rock, Arkansas. Rep. Mike Ross (D-AR) represents many Acxiom employees, and is a member of the Subcommittee. He praised Acxiom at the hearing.
Rep. Ed Markey (D-MA) used his opening statement to promote three bills sponsored by him: HR 1080, the "Information Protection and Security Act", HR 1078, the "Social Security Number Protection Act of 2005", and HR 1653, the "Safeguarding Americans From Exporting Identification Data Act".
Howard Waltzman is the Committee counsel who sat next to the Chairman throughout the hearing. He is Chief Counsel for the Subcommittee on Telecommunications and the Internet.
There have been numerous hearings before various Congressional committees in the past several months. Many of the same witnesses, from the same companies and groups, are making the rounds of several committees, providing often repetitive testimony.
The House Commerce Committee's Subcommittee on Commerce, Trade, and Consumer Protection held its first hearing on this subject on March 15. See, prepared testimony [22 pages in PDF] of Federal Trade Commission (FTC) Chairman Deborah Majoras, prepared testimony [13 pages in PDF] of Kurt Sanford (LexisNexis), prepared testimony [10 pages in PDF] of Derek Smith (ChoicePoint), prepared testimony [11 pages in PDF] of Joseph Ansanelli (Vontu, a data security company), and prepared testimony [14 pages in PDF] of Marc Rotenberg (Electronic Privacy Information Center).
On Tuesday, May 10, the Senate Commerce Committee held a hearing titled "Identity Theft/Data Broker Services". See, statements of Sen. Ted Stevens (R-AK), opening statement of Sen. Daniel Inouye (D-HI), prepared testimony of Kurt Sanford (LexisNexis), prepared testimony of Douglas Curling (ChoicePoint), prepared testimony of Jennifer Barrett (Acxiom), prepared testimony of Paul Kurtz (Cyber Security Industry Alliance), prepared testimony of Marc Rotenberg (EPIC), and prepared testimony of Mari Frank (author of Safeguard Your Identity: Protect Yourself with a Personal Privacy Audit and From Victim To Victor: A Step By Step Guide For Ending the Nightmare of Identity Theft).
On Wednesday, May 4, the House Financial Services Committee (HFSC) held a hearing titled "Assessing Data Security: Preventing Breaches and Protecting Sensitive Information". See, opening statement of Rep. Michael Oxley (R-OH), opening statement of Rep. Michael Castle (R-DE), opening statement of Rep. Paul Gillmor (R-OH), opening statement of Rep. Rubčn Hinojosa (D-TX), prepared testimony of Barbara Desoer (Bank of America), prepared testimony of Eugene Foley (P/CEO of Harvard University Employees Credit Union), prepared testimony of Don McGuffey (ChoicePoint), prepared testimony of Kurt Sanford (LexisNexis), prepared testimony of Bestor Ward (Safe Archives-Safe Shredding).
The HFSC's Subcommittee on Financial Institutions will hold a hearing titled
"Enhancing Data Security: The Regulators' Perspective" at 10:00 AM on May 18.