Few thrilled by ID theft bill

November 18, 2005

Senate members will soon be voting on a controversial new identity theft bill, but some experts think it doesn't have enough teeth. The Personal Data Privacy and Security Act, sponsored by Sen. Arlen Specter, R-Pa., and Sen. Patrick Leahy, D.-Vt., passed the Senate Judiciary Committee Thursday by a 13-5 vote, and will be soon moving into the full Senate.

"This bill will ensure that our laws keep pace with technology," said Leahy. "In this information-saturated age, the use of personal data has significant consequences for every American. People have lost jobs, mortgages and control over their credit and identities because personal information has been mishandled or listed incorrectly."

But Avivah Litan, analyst at Gardner Group, said she wasn't sure the bill fully addresses the problem.

"They're chickening out on the biggest issues," Litan said.

The bill calls for companies to notify law enforcement and affected customers when personal information has been compromised, if there is a significant risk of harm.

At issue is exactly what constitutes a significant risk, and whose job it is to decide that. As currently worded, the bill tacitly says that it's up to the breached company to decide if the risk is significant.

"I'm very encouraged by (the bill) moving forward, but it doesn't really address the biggest issues," Litan said.

"Who's going to define what's risky?" she added. "It's such a major loophole. They are avoiding that whole issue."

The bill was inspired by recent security breaches which have made the issue a priority.

Data broker ChoicePoint Inc. announced last February that one of their databases had been compromised the previous September by thieves posing as small-business owners. ChoicePoint only notified its customers months after the breach, when it told law enforcement, and 17,000 customers weren't informed until September 2005, a full year after the breach.

Authorities said that up to 750 cases of identity theft were directly related to the ChoicePoint breach.

In March, Lexis-Nexis announced that a database owned by them had been compromised. It Lexis-Nexis first claimed that about 32,000 customers were affected by the breach; a month later that number was bumped up to 310,000 customers.

A similar bill called the Data Accountability and Trust Act is currently being marked up in the House Subcommittee on Commerce, Trade and Consumer Protection.

Neither bill directly addresses who is responsible to decide what constitutes a significant risk, nor whether a Congressional bill would supersede the current state laws on the matter.

"What I think will happen is this bill will get passed, avoiding these two issues," Litan said.

Litan said the focus of the Senate bill, which is on data brokers more so than financial services companies, is encouraging.

"They understand they should stay out of it with financial services companies," she said. "The data brokers have no regulation and no accountability."

Financial services companies are already regulated under the Gramm-Leah-Bliley act.

Litan said the matter of determining what risk is significant is a slippery one. On one hand, she said, "some disclosures are overboard. There are some very marginal risks, such as tapes falling off a UPS truck."

However, she also said, "Any data poses a risk of some sort in the wrong hands. No one knows what the crooks do with the information they get."

She said the best solution was to place tighter controls on sensitive information.

"Instead of focusing on disclosure, (Congress should) just focus on not breaching security," she said. "Try to prevent it from happening in the first place. There are no standards being created except for disclosure."

Federal Trade Commission research indicates that more than 27 million Americans have been victimized by identity theft in the last five years, and that damage and loss resulting from identity theft and cyber-crime costs nearly $50 billion annually.

Copyright 2005 by United Press International

Explore further: Is your doctor's office the most dangerous place for data? (Update)

Related Stories

Clean reviews preceded Target's data breach, and others

April 2, 2014

Trustwave Holdings gave Target Corp. the green light on payment card security last September, just weeks before malware installed on the retailer's networks began sucking up customer information in a mega data heist.

Recommended for you

Most EU nations seek to bar GM crops

October 4, 2015

Nineteen of the 28 EU member states have applied to keep genetically modified crops out of all or part of their territory, the bloc's executive arm said Sunday, the deadline for opting out of new European legislation on GM ...

The dark side of Nobel prizewinning research

October 4, 2015

Think of the Nobel prizes and you think of groundbreaking research bettering mankind, but the awards have also honoured some quite unhumanitarian inventions such as chemical weapons, DDT and lobotomies.

Internet giants race to faster mobile news apps

October 4, 2015

US tech giants are turning to the news in their competition for mobile users, developing new, faster ways to deliver content, but the benefits for struggling media outlets remain unclear.

Fusion reactors 'economically viable' say experts

October 2, 2015

Fusion reactors could become an economically viable means of generating electricity within a few decades, and policy makers should start planning to build them as a replacement for conventional nuclear power stations, according ...


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.