At a recent hearing on identity theft, data brokers argued that only limited measures were needed to protect consumers from identity theft, while consumer advocates and identity theft victims disagreed and laid out steps Congress should take. Representatives from companies such as ChoicePoint, Acxiom Corporation, and LexisNexis shared their stories of data breaches and the theft of information from their computer systems. However, each organization claimed that it had taken steps to tighten security and that limited government intervention was needed. Jennifer Barrett, chief privacy officer for Acxiom, said that while “appropriately tailored” legislation could benefit companies in protecting consumer information, “even the best security systems imaginable and the strongest laws possible can nonetheless be circumvented by inventive criminals intent on committing fraud.” According to Barrett, Acxiom supports federal legislation requiring that companies notify consumers in the event of a security breach in cases where the consumer is at risk of identity theft or fraud. (More than 30 states have enacted such laws or are currently considering them.) This is the design of a bill (S. 751) introduced by Sen. Dianne Feinstein (D-CA). The bill would require this notification with exceptions for law enforcement investigations or matters of national security. However, Marc Rotenberg, president and executive director of the Electronic Privacy Information Center, a consumer advocacy group, told the committee that S. 751 doesn’t go far enough. He told lawmakers that another bill, (S. 798)introduced by Sen. Charles Schumer (D-NY), would better address the issue. Schumer’s bill would require the Federal Trade Commission (FTC) to establish rules for information brokers and for the protection of the information they gather. The rules would cover data accuracy, confidentiality, user authentication, and detection of unauthorized use. The bill would also give consumers the opportunity to review their information held by data brokers. It also requires that the FTC set up enforcement measures to punish companies that do not comply with the rules. Read the testimony.