Private Eyes Try Getting Tough on Congress

By Shawn Zeller, CQ Staff
CQ WEEKLY - VANTAGE POINT
Aug. 1, 2005 Page 2089

In the popular imagination, American private investigators are the toughest of tough customers, impervious to saps, slipped Mickeys and seductresses. But private eyes now fear they may be meeting their match in Congress. The detective industry says legislation aimed at redressing identity theft and data breaches among companies collecting consumer data could put it out of business. The proposal, by Senate Judiciary Chairman Arlen Specter , R-Pa., would erect barriers to ready acquisition of Social Security numbers - and that, in turn, would enormously complicate missing-persons and witness-location work, mainstays of the detective trade.

The bill (S 1332), which Judiciary panel Democrats Patrick J. Leahy of Vermont and Russell D. Feingold of Wisconsin are cosponsoring, would bar the sale or purchase of any Social Security number without its holder's consent. Similar language is in a bill (S 1408) by Gordon H. Smith , R-Ore., that the Senate Commerce Committee approved last week. (Story, p.2125)

In May, representatives of the National Council of Investigation and Security Services - the private detectives "trade group" met with data brokers and agreed to lobby against provisions limiting investigators' ability to purchase the numbers. D.C. lobbyist Lawrence Sabbath is leading the charge. Sabbath singles out Rep. Pete Sessions , R-Texas, as the investigators' top ally. Sessions also helped bounty hunters and bail bondsmen to get business-friendly provisions in a House immigration bill this February - even though that language later died in conference.

Large database companies, such as LexisNexis Group and ChoicePoint, sell partial Social Security numbers to private investigators, but not to the general public. But the law surrounding their sale is murky, and some companies will sell full numbers to anyone.

Investigators also hired Washington PR man Joseph Ricci to boost their image in Washington. Last month, the investigators hosted an "ID Fraud Summit" at a hotel in Washington with representatives from the Secret Service and the Justice Department. Among the participants was John Stoll, who was convicted of child molestation in California and served 20 years in prison before a private investigator discovered information that exonerated him.

But consumer groups are mounting their own PR campaign in support of the Specter bill. They say uneven state licensing rules - some don?t require licenses at all - are reason enough to prevent the investigators from buying the numbers. They also point to cases such as that of Amy Boyer, a New Hampshire woman killed in 1999 by a stalker who obtained personal information about her from an Internet-based firm run by a P.I. in Florida.

Without a law closing off much of the traffic in identity data, advocates say the status quo will deteriorate. P.I.s "are virtually unregulated in too many states," says Edmund Mierzwinski of the U.S. Public Interest Research Group. "There's no question that there will be massive data misappropriations."

Data Protection turf war pleases lobbyists

By Elana Schor
The Hill
August 17, 2005

The many data-security bills wending their way around the Hill are sparking a turf war in the Senate but relief on K Street, where lobbyists in several industries welcome the crush of options as a much-needed drag on momentum.

While acknowledging the need to regulate trade in consumers' personal information to prevent identity theft, lobbyists say the universe of companies potentially affected by new data-security standards presents challenges that lawmakers have yet to address fully. By next month, two more congressional committees are likely to join the four already working on the issue.

''It's difficult to even define an industry here because you have so many different kinds of companies who have suffered breaches - data providers, banks, credit-card providers. It's difficult to decide who would have jurisdiction,'' said Abby Stewart, a lobbyist at Jefferson Consulting Group, which represents one of the businesses that recently has endured the public-relations nightmare of a personal-data breach.

The Senate Commerce Committee cleared the first hurdle just before the August recess, unanimously approving an anti-ID-theft bill that prevents the trading of Social Security numbers without their owners' consent and allows easy freezing of consumer-credit reports. But banking lobbyists, and Senate Banking Committee Chairman Richard Shelby (R-Ala.), were displeased with Commerce's quick movement.

"The Fair Credit Reporting Act is a Banking Committee issue, and Senate Commerce just ripped it out and put it in their bill," said one banking lobbyist who asked not to be identified. "his is the problem with all the bills; it's a huge jurisdictional fight."

Bob Davis, top lobbyist for America's Community Bankers, sent a letter to Commerce Chairman Ted Stevens (R-Alaska) and ranking member Daniel Inouye (D-Hawaii) urging them to withhold support for the bill over two provisions: credit freezing, which banks fear could inadvertently discourage consumers from signing up for new credit cards, and permitting state attorneys general to sue nationally regulated banks for noncompliance. Stevens and Inouye nonetheless endorsed the bill, which was introduced by Sens. Bill Nelson (D-Fla.) and Gordon Smith (R-Ore.).

Stewart echoed the banking lobbyist's sentiment when discussing the Senate Judiciary Committee, which postponed consideration of three separate data-security bills until the end of recess. "It's an intriguing concept that they would have jurisdiction at all," she said.

The lead Senate Judiciary bill, sponsored by Chairman Arlen Specter (R-Pa.) and ranking member Patrick Leahy (D-Vt.), attracts criticism from lobbyists because it could let states wriggle free from some aspects of new national data-security rules. Another Judiciary bill, written by Sen. Dianne Feinstein (D-Calif.), has a crucial cheerleader in ChoicePoint, the data broker that disclosed the first of this year's high-profile security breaches.

"We'd like to see a vehicle like that get through," said David Davis, vice president of government affairs at ChoicePoint, referring to Feinstein's bill. The company supports Feinstein's language about the definition of "real harm" posed to consumers, sometimes call the "California standard," which would trigger automatic notification of an ID-theft risk.

Davis praised Stevens's promise to hold up floor consideration of the Senate Commerce bill until chairmen can resolve their jurisdictional clashes but noted the realities of a legislative clock ticking down into] fall. "If all the stars were aligned, and Banking and Judiciary stepped back, then you would still have the House," he said.

ChoicePoint is one of only a few stakeholders actively pushing for a bill to pass this year. Most other lobbyists were not discouraged by the likelihood that Congress's crammed calendar would make consensus on data security unreachable before 2006.

So far only the House Financial Services Committee has tackled the question of who pays for consumer notification after a security breach, one of the most pressing priorities for banks and credit-card issuers. That committee's bill, introduced by Reps. Deborah Pryce (R-Ohio) and Mike Castle (R-Del.), requires the company responsible for the information exposure to foot the bill for "reasonable and actual costs."

One financial-services lobbyist said an accountability vacuum in the aftermath of a large-scale data compromise could be hazardous. "If there is a fear of liability, about what happened and who's paying, the flow of information gets severely restricted."

Giving too many concessions to banks and credit cards could alienate data brokers such as ChoicePoint and Lexis-Nexis, which was hacked by ID thieves in March in a breach the company first projected as one-tenth of its actual size.

In addition to requiring responsible companies to pay for notification, some lobbyists would like to see banks get reimbursed for the new credit cards that often must be issued after a breach.

In the House, the Energy and Commerce and Judiciary committees remain in the process of drafting their data-security bills. The former version will likely give blanket enforcement power to the Federal Trade Commission, an annoyance to banks that want their financial regulators to take on data-security duties to avoid creating new bureaucracy.

Yet another player in the game is the private-investigation community, which has formed a lobbying coalition and embarked on a vigorous publicity push to remind lawmakers that access to Social Security numbers does not solely affect public law enforcement.

Lawrence Sabbath, who lobbies for the National Council of Investigation & Security Services (NCISS), said the substitute amendment in Stevens's committee ironically could keep private eyes from tracking down the same fraudsters who perpetrate ID thefts. "They recognize that there are potential problems," Sabbath said. "There is some indication that that [Social Security] provision may not remain in the bill."