Congress Nears Final Identity Theft Legislation

By Lisa Vaas  |  Posted 07-21-2005

Congress Nears Final Identity Theft Legislation

Since the ChoicePoint headlines in February, the number of reported data breaches of personal information has exploded to the point that the tally now reaches a staggering 50,324,480 records exposed to potential theft and fraud.

The breaches have affected Congress as fertilizer to daylilies, with a new identity-theft law sprouting every few weeks, the most recent of which was introduced into the Senate last week.

The Identity Theft Protection Act, sponsored by Sen. Gordon Smith, R-Ore., and a slate of bipartisan supporters, is a bill that touches on data protection and safeguards, as well as data breach notification.

It joins a bumper crop: the SPY ACT (Securely Protect Yourself Against Cyber-Trespass), the SPYBLOCK (Software Principles Yielding Better Levels of Consumer Knowledge) bill, the Internet Spyware Prevention Act, and the ID Theft Notification Bill, to name a few.

Some have passed, while others have withered on the vine but might see their provisions resprout in the Smith/Nelson bill, as the Identity Theft Protection Act is also known.

The act is scheduled for markup on July 28. Markup is expected to be delayed, but after markup, it will likely be the container for provisions from other proposed bills. The question is, after the bill is masticated by industry, consumer groups and committees, what will Congress spit out? If privacy advocates have their say, what will the final federal law look like?

What some privacy advocates most fear is that the product of Congress' mulling will be a feeble version of stronger state laws—a feeble version that would then topple more vigorous laws.

"We're very interested to see that the state breach-notification laws—for example, the California state law—is not pre-empted by a weaker standard," said Pam Dixon, executive director of the World Privacy Forum, referring to California SB (Senate Bill) 1386, a law that went into effect in July 2003. The law requires that organizations experiencing security breaches notify those whose records have been exposed.

It's impossible to discern whether California's law is preventing identity theft, of course, but notification has measurably worked in two areas, according to Joanne McNabb, chief of the California Office of Privacy Protection. First, it gives potential victims of identity theft an early warning so they can take preventive actions such as applying a fraud alert.

The second benefit of a breach-notification law such as California's is that organizations that have felt its sting have since cleaned up their acts. McNabb cites two examples: The first had to do with blood-donation vans that were losing laptops.

She asked why the vans' operators felt the need to collect Social Security numbers, and it turned out that this was an antiquated system left over from the days when most donations were done at hospitals that used the SSN as a patient ID number. The practice was then dropped.

A storm is brewing over whether to let organizations that encrypt data off the hook when it comes to breach notification. Click here to read more.

The next example is that of a state agency that lost records when a laptop was stolen from a car trunk. The agency went through notification, but weeks later, another laptop was stolen from the locked trunk of a car.

By this time, however, the agency had gotten its act together and encrypted data on laptops. Thus, it didn't have to notify anybody. "That's an example of the other benefit of a good breach-notification law," McNabb said. "It's a very strong incentive to apply security measures to protect information."

That's a strong law, and a good law, at work, and it's this strength that privacy experts fear will be lost in whatever federal law comes out of Congress in the coming weeks. "If a federal law isn't at least as strong as a strong state law, we're all in trouble," Dixon said.

Insofar as "we" refers to consumers, we might all be in trouble. The Smith/Nelson bill has been booted over to the House Subcommittee on Commerce, Trade and Consumer Protection.

Next Page: Hostile to consumer protection?

Consumer Protection

?"> Observers agree that markup likely will be delayed because the Senate Banking Committee wants to get its hands on it, as does the House Financial Services Committee—both of which tend to be hostile to consumer protection, said Chris Hoofnagle, director of the West Coast office of the EPIC (Electronic Privacy Information Center).

At the heart of the battle between industry and consumer groups lies three key legislative components: First, the bill doesn't specifically exempt data that's encrypted.

It also has stringent notification requirements wherein the breach of a single consumer's data triggers notification requirements, as opposed to other bills' stipulations that larger totals, such as 10,000 records, will trip the notification requirement. Finally, and most importantly, it provides for a consumer's right to freeze their credit report.

Hoofnagle suspects that the committees will water down consumer protection in the bill by targeting the credit report freeze. "[Credit freezes] can at least theoretically slow down impulse buying decisions," he said. "With the freeze, you have to call an agency to say, 'Please thaw my record so I can buy a big-screen TV.' In that delay, you might speak with your spouse or think to yourself, 'Can I really swing this?'"

The credit industry's view is that people vote with their pocketbooks, and they want the convenience of instant credit. As McNabb pointed out, however, California's law has a provision whereby consumers can receive a PIN to thaw credit temporarily.

A credit bureau has three business days to act on the thaw request, and the thaw can last as long as it takes to refinance a house—for example, 10 days or 30 days. Three days isn't that far away from instant credit, McNabb said. Besides, pre-ChoicePoint, a mere 4,000 Californians had frozen their credit reports in the three years of the law's existence.

"Even when they know about it, not everybody will do it," McNabb said. But the idea of a freeze is particularly appealing for people who aren't in the market for credit, such as the elderly or disabled; in other words, people who are traditional targets of fraud.

Some security experts find the law—or any law that's been proposed—misses the point. Bruce Schneier, chief technology officer at Counterpane Internet Security Inc., said it's absurd that banks aren't responsible for the fraudulent withdrawal of money from accounts, for example.

"The situation is where the people who are responsible for the problem have no responsibility to fix it. They don't care," he said. "That's how not to run a railroad."

Schneier pointed to credit card companies, which are typically responsible for fraudulent purchases past an initial $50, as being a much better model. "Credit cards are safe, with all the security measures the credit companies have put in place." he said. "But there are no rules on how cards are kept in your wallet. Unlike banks, which say, 'If somebody else uses your password to withdraw money, you're screwed.'"

Pete Lindstrom, research director at Spire Security LLC, would prefer that we all stop pretending that any of this supposedly private information—Social Security numbers, mother's maiden name—is actually private.

"We want to continue with the façade that this information is somehow being kept from most folks or from a lot of people," he said. "Really, so many people have access to this information, it's silly to begin with. If we really cared about identity theft, we'd be looking for stronger authentication."

Rather than a credit report freeze, Lindstrom said he would like to see a requirement that stipulates that consumers be notified whenever their credit report has been accessed.

"I'd rather just know, if a Toyota dealership has just accessed my credit report," he said. "I'd know if I had just bought a car or not. You'd have much better evidence of wrongdoing."

Lindstrom also has a strong desire to see Social Security numbers publicly published, so we can finally give up on the idea that they're sacred, and so we can finally get away from banks and other financial institutions' tendency to use such insensitive information as barter for our financial welfare.

"We're creating this façade that we can protect this information, and in reality we can't. There are too many people who have legitimate access to this stuff that can go bad to begin with. … Credit card numbers or Social Security numbers, the only reason those identifying numbers are sensitive is these entities are treating them sensitively as if they're good authenticators, and they're not.

"As long as we create this façade that we can put Pandora back in her box, then we're going to try to do it."

Check out's for the latest database news, reviews and analysis.