RealTime IT News

ID Theft Bill Wends Through Senate

WASHINGTON -- The U.S. Senate Commerce Committee passed legislation today requiring disclosure to consumers when sensitive personal data is breached or lost.

Approved on a voice vote, the Identity Theft Protection Act requires data brokers, government agencies and educational institutions to disclose security breaches to consumers within 45 days if there is a "reasonable risk" of identity theft involved in the breach.

The evidence of possible identity theft includes such factors as whether the data containing sensitive information is useable by an unauthorized third party and whether the data is in the possession of an unauthorized third party that is likely to commit identity theft.

Under the bill's language, companies and other organizations are required to develop, maintain and enforce a written program for the security of sensitive information. Physical and technological safeguards will be mandated through rules and regulations developed by the Federal Trade Commission (FTC).

Within a year of the passage of the bill, the FTC is required to develop procedures for authenticating the credentials of any third party to which sensitive personal information is to be transferred or sold by a data broker or other organization.

For security breaches involving 1,000 or more consumers, the firms responsible for the breaches must notify not only consumers but also the FTC. The agency, in turn, will post a report of the breach on its Web site without disclosing any sensitive personal data.

For breaches of fewer than 1,000 records that do not create a reasonable risk of identity theft, the data broker must still notify the FTC.

Despite the objections of some in the technology community, the bill covers both encrypted and unencrypted data.

In an amendment added Thursday, the bill also outlaws the selling, purchasing or displaying of Social Security numbers. The Senate Judiciary Committee is considering a similar measure, as are various House committees drafting a national data breach law.

"As a matter of law, Social Security numbers shouldn't be available to buy and sell," Sen. Byron Dorgan (D-N.D.) said when introducing the amendment.

The bill also proposes to pre-empt state laws and prohibits private rights of action by individuals. Identity theft victims, however, can put a freeze on their credit reports.

Thursday's vote comes after a series of high-profile data breaches put the issue on Congress' radar. It first launched a series of hearings in the spring after the ChoicePoint and LexisNexis breaches made headlines. In those cases, consumers were notified of the breaches of their personal information only because of the new California disclosure law.

The Identity Theft Protection Act now goes to the full Senate for a vote, and it is likely there will be other amendments added to the legislation.