RealTime IT News

Congress Closer to National ID Theft Law

U.S. Senate Republican leaders finally tipped their hand Thursday on long-awaited identity-theft legislation. After months of back-room maneuvering, the proposed bill is likely to provoke howls of protest from both the technology and financial services industries.

The Identity Theft Protection Act (S.B. 1408), co-sponsored by Senate Commerce Committee Chairman Ted Stevens (R-Alaska) and Hawaiian Democrat Daniel Inouye, the ranking member of the Commerce Committee, requires companies, government agencies and educational institutions to disclose to consumers breaches of both encrypted and unencrypted data and imposes fines of up to $11 million for violators.

"The fear out there is real and is something we must deal with as quickly as possible," said Stevens at a Washington press conference yesterday. He plans to have a full committee mark-up session on the legislation next Thursday morning.

Under the bill's language, organizations that hold sensitive personal information will be required to secure it with physical and technological safeguards that will be specified by the Federal Trade Commission (FTC).

The bill covers any business, school or other entity that collects information, including Social Security numbers, financial account information, driver's license information and other information that the FTC determines can be used for identity theft. The bill also covers any third party that purchases or otherwise acquires this information.

And if sensitive personal data -- encrypted or unencrypted -- that could be used for identity theft is lost or otherwise breached, the bill states the holder of that information is required to notify the consumers affected within 90 days of the breach.

The legislation also requires that the FTC be notified of any breach involving more than 1,000 individuals.

"With the problem of identity theft reaching epidemic proportions, a bill designed to protect Americans is absolutely essential," Stevens said. "I look forward to continuing to work with my colleagues on legislation that will mitigate to the greatest extent possible the occurrence of identity theft in this country, but without inhibiting an information-sharing system that yields extraordinary benefits to every American."

In the wake of highly publicized data breaches this year, Democratic Senators Dianne Feinstein of California and Charles Schumer of New York introduced identity-theft bills, but neither piece of legislation has yet had a hearing.

Both Democratic bills encountered opposition from the technology industry, which thinks encrypted data represents a good-faith standard that should preempt disclosure to consumers.

"Using strong encryption to protect consumer records makes it extremely unlikely that all but the most determined and technologically sophisticated criminal will attempt to breach them," Harris Miller, president of the Information Technology Association of America (ITAA), said earlier this year.

Friday, Miller said in an e-mail statement to internetnews.com, "We support a national breach notification law, but not one that fails to recognize the power of technology. Data that are stolen that are encrypted or otherwise protected from prying eyes should be exempt from any notification requirements."

Miller added that, "The focus needs to be on the bad guys and gals, and they cannot read encrypted data. We also need to avoid a 'chicken little' problem by bothering consumers with notifications about breaches that have no impact on them for fear they will fail to pay attention when a meaningful breach occurs."

A member of the Senate Commerce Committee staff told internetnews.com that the proposed bill incorporates many of Feinstein's and Schumer's major points, including disclosing to consumers all data breaches that represent a "reasonable" exposure of sensitive personal data to identity thieves.

In addition to tech opposition over encrypted data, the staff member said the committee also anticipates the financial services industry may fight another key element of the bill that allows identity-theft victims to put a credit freeze on their credit reports.

There are plans to introduce similar legislation in the U.S. House under the direction of Rep. Joe Barton (R-Texas), chairman of the Energy and Commerce Committee.

"The Internet and new business technologies have added a lot to daily life, but they've also made us more vulnerable," Sen. Gordon Smith (R-Ore.), the bill's sponsor, said in a statement. "We need this bill because having the world at your fingertips shouldn't get you into a financial world of hurt."