Senate members will soon be voting on a controversial new identity theft bill, but some experts think it doesn't have enough teeth. The Personal Data Privacy and Security Act, sponsored by Sen. Arlen Specter, R-Pa., and Sen. Patrick Leahy, D.-Vt., passed the Senate Judiciary Committee Thursday by a 13-5 vote, and will be soon moving into the full Senate.
"This bill will ensure that our laws keep pace with technology," said Leahy. "In this information-saturated age, the use of personal data has significant consequences for every American. People have lost jobs, mortgages and control over their credit and identities because personal information has been mishandled or listed incorrectly."
But Avivah Litan, analyst at Gardner Group, said she wasn't sure the bill fully addresses the problem.
"They're chickening out on the biggest issues," Litan said.
The bill calls for companies to notify law enforcement and affected customers when personal information has been compromised, if there is a significant risk of harm.
At issue is exactly what constitutes a significant risk, and whose job it is to decide that. As currently worded, the bill tacitly says that it's up to the breached company to decide if the risk is significant.
"I'm very encouraged by (the bill) moving forward, but it doesn't really address the biggest issues," Litan said.
"Who's going to define what's risky?" she added. "It's such a major loophole. They are avoiding that whole issue."
The bill was inspired by recent security breaches which have made the issue a priority.
Data broker ChoicePoint Inc. announced last February that one of their databases had been compromised the previous September by thieves posing as small-business owners. ChoicePoint only notified its customers months after the breach, when it told law enforcement, and 17,000 customers weren't informed until September 2005, a full year after the breach.
Authorities said that up to 750 cases of identity theft were directly related to the ChoicePoint breach.
In March, Lexis-Nexis announced that a database owned by them had been compromised. It Lexis-Nexis first claimed that about 32,000 customers were affected by the breach; a month later that number was bumped up to 310,000 customers.
A similar bill called the Data Accountability and Trust Act is currently being marked up in the House Subcommittee on Commerce, Trade and Consumer Protection.
Neither bill directly addresses who is responsible to decide what constitutes a significant risk, nor whether a Congressional bill would supersede the current state laws on the matter.
"What I think will happen is this bill will get passed, avoiding these two issues," Litan said.
Litan said the focus of the Senate bill, which is on data brokers more so than financial services companies, is encouraging.
"They understand they should stay out of it with financial services companies," she said. "The data brokers have no regulation and no accountability."
Financial services companies are already regulated under the Gramm-Leah-Bliley act.
Litan said the matter of determining what risk is significant is a slippery one. On one hand, she said, "some disclosures are overboard. There are some very marginal risks, such as tapes falling off a UPS truck."
However, she also said, "Any data poses a risk of some sort in the wrong hands. No one knows what the crooks do with the information they get."
She said the best solution was to place tighter controls on sensitive information.
"Instead of focusing on disclosure, (Congress should) just focus on not breaching security," she said. "Try to prevent it from happening in the first place. There are no standards being created except for disclosure."
Federal Trade Commission research indicates that more than 27 million Americans have been victimized by identity theft in the last five years, and that damage and loss resulting from identity theft and cyber-crime costs nearly $50 billion annually.
Copyright 2005 by United Press International
Explore further: Is your doctor's office the most dangerous place for data? (Update)