Congress offers competing ideas on fighting ID theft

Proposals include licensing data brokers, notifying potential victims

WASHINGTON -- Several U.S. senators pushed for new identity theft regulations on U.S. businesses, but a number of conflicting ideas were presented at a hearing yesterday, including a proposal requiring licensing of companies that sell personal data.

U.S. companies reported that 9.6 million personal records have been lost since early February, prompting members of the Senate Commerce, Science and Transportation Committee to say they're ready to act, although they have competing ideas of what to do.

"If this isn't an eye-opening threat to Americans' privacy, then I don't know what is," said Sen. Bill Nelson (D-Fla.), a co-sponsor of a wide-ranging ID theft bill. "Consumers are losing trust in our system of electronic commerce."

A survey released Wednesday by the Cyber Security Industry Alliance advocacy group seemed to support Nelson's concern. Of 1,003 likely voters surveyed, 97% said identity theft is a serious problem. Forty-eight percent indicated that they avoid making purchases on the Internet because they are afraid their financial information may be stolen. Seventy-one percent of those surveyed said new laws are necessary to protect consumer privacy on the Internet.

Beyond the 20-plus bills in Congress that deal with ID theft in some way, committee members came up with more ideas at the hearing. Sen. Conrad Burns (R-Mont.) suggested that all so-called data brokers -- businesses that sell personal data -- be licensed by the government. Data broker ChoicePoint Inc.'s disclosure in February that it had given data on 145,000 U.S. residents to ID thieves was the first in a series of large-scale data breaches this year (see story).

"I'm coming down on the side of [saying that] anybody who collects information has to have a license to do so, or is outside the law and should be shut down," Burns said. "I think they need to have some reasonable license that gives them guidelines to do business in this arena."

Some senators pushed for a national law that would require businesses that have data breaches to inform potential victims, but witnesses disagreed on what form such a law should take. William Sorrell, the attorney general of Vermont, urged the committee to pass a national data-breach notification law that wouldn't preempt tougher state laws.

State law enforcement officials can help investigate and prosecute ID thieves, he said, and states can pass "innovative" laws to protect consumers, such as recent laws passed by seven states that allow consumers to freeze credit to prevent new accounts from being opened in their names. A national law shouldn't preempt those laws, he said.

But Deborah Majoras, chairman of the Federal Trade Commission, disagreed, saying it would be expensive for businesses to comply with up to 50 different state breach-notification laws.

"If you provide a federal standard that is a floor, as opposed to a ceiling, I'm not sure why you'd spend time imposing it at all," she said. "I think that businesses are going to have to spend time responding to the very highest [state] standard. I don't think they can chop up their customer lists into 50 different standards."

Majoras also questioned some proposals, backed by some privacy advocates, that would require companies to inform potential victims in nearly all data-breach cases. Consumers could become numb to notifications if they are notified of every breach, even those with little risk of ID theft, she said. Asked what constitutes a substantial risk of ID theft that should trigger a notification, Majoras said she wasn't sure.

Sen. Dianne Feinstein (D-Calif.), who has sponsored two data-breach notification bills, acknowledged that several disagreements over a breach-notification bill still need to be worked out, including whether it should preempt state law and what type of breach should trigger a notification.

Feinstein's most recent bill, the Notification of Risk to Personal Data Act, would require notification in almost all data breaches, with companies that delay notification fined $1,000 per victim, up to $50,000 per day.

Feinstein is trying to work with consumer groups and businesses to iron out the differences, she said. But Sen. Gordon Smith (R-Ore.) told witnesses he plans to introduce another ID theft bill with other committee members.

Smith's bill could incorporate pieces of Feinstein's bill and the legislation sponsored by Nelson and Sen. Charles Schumer (D-N.Y.). The Schumer-Nelson bill would require breach notification, would require companies to notify consumers when they plan to sell their personal information and would require companies to take reasonable steps to protect personal information.

Schumer and Nelson announced an addition to their Comprehensive Identity Theft Prevention Act that would require companies that ship personal data on tapes or disks to take security measures such as encryption. The addition to the bill is a response to recent announcements by the Bank of America Corp. and Citigroup Inc. that tapes containing millions of personal records were lost during transit using commercial delivery services, Schumer said (see story).

Schumer compared the value of personal information such as Social Security and drivers license numbers to gold. "All companies ... need to guard our identities as if they were gold, because in the hands of identity thieves, they are gold," he said. "We don't transport gold the way we transport a crate of oranges."

But FTC members also questioned a piece of the Schumer-Nelson bill that would create an ID theft clearinghouse at the FTC. With an estimated 10 million cases of ID theft a year in the U.S., the FTC doesn't have the resources to handle every case, even with a $60 million budget increase in the bill, said Orson Swindle, an FTC commissioner. "That would be too much for any one agency," he said.

To personally handle just 120,000 cases of ID theft a year, the FTC would have to add about 1,000 employees, nearly doubling its size, Swindle added.

The FTC already works to educate U.S. residents about ID theft, and it does impose fines on companies that are careless with personal data, Majoras added. The FTC has taken action against five companies that didn't comply with their own data-protection policies, and on Thursday, it announced a settlement with a sixth company, BJ's Wholesale Club Inc. (see story).

Copyright © 2005 IDG Communications, Inc.

  
Shop Tech Products at Amazon