Security Legislation

By CIOinsight  |  Posted 04-05-2005

After a spate of high-profile security breaches, including those at ChoicePoint Inc., Bank of America Corp. and LexisNexis Group, U.S. lawmakers are waking up to the growing problem of identity theft. Jon Corzine's (D-N.J.) Identity Theft Recovery and Victim Assistance Act and Dianne Feinstein's (D-Calif.) Notification of Risk to Personal Data Act are bills that focus on forcing companies to inform customers in the event of a security breach that compromises their personal data.

But neither of these measures gets to the crux of the problem, says Jim Harper, director of information policy studies at the Washington, D.C.-based Cato Institute, a nonprofit public policy research foundation. "They don't actually address security issues," he says. "What good is it to simply inform a customer of a security breach a month after it's happened?"

Harper argues that any federal legislation must hold companies liable for the consequences of a security breach. "So if someone is a victim of identity theft, the company that allowed the data to get into the hands of the criminals will be responsible for the consequences—and the cost," he says.