U.S. Senate Republican leaders finally tipped their hand Thursday on
long-awaited identity-theft legislation. After months of back-room
maneuvering, the proposed bill is likely to provoke howls of protest from both the technology and financial services industries.
The Identity Theft Protection Act (S.B. 1408), co-sponsored by Senate Commerce Committee Chairman Ted Stevens (R-Alaska) and Hawaiian Democrat Daniel Inouye, the ranking member of the Commerce Committee, requires companies, government
agencies and educational institutions to disclose to consumers breaches of
both encrypted and unencrypted data and imposes fines of up to $11 million
for violators.
“The fear out there is real and is something we must deal with as quickly as
possible,” said Stevens at a Washington press conference yesterday. He plans to have a full committee mark-up session on the legislation next Thursday morning.
Under the bill’s language, organizations that
hold sensitive personal information will be required to secure it with
physical and technological safeguards that will be specified by the Federal
Trade Commission (FTC).
The bill covers any business, school or other entity that collects information, including Social Security numbers, financial account
information, driver’s license information and other information that the FTC
determines can be used for identity theft. The bill also covers any third
party that purchases or otherwise acquires this information.
And if sensitive personal data — encrypted or unencrypted –- that could be used
for identity theft is lost or otherwise breached, the bill states the holder of that information is required to notify the consumers affected within 90 days of
the breach.
The legislation also requires that the FTC be notified of any breach
involving more than 1,000 individuals.
“With the problem of identity theft reaching epidemic proportions, a bill
designed to protect Americans is absolutely essential,” Stevens said. “I
look forward to continuing to work with my colleagues on legislation that
will mitigate to the greatest extent possible the occurrence of identity
theft in this country, but without inhibiting an information-sharing system
that yields extraordinary benefits to every American.”
In the wake of highly publicized data breaches this year,
Democratic Senators Dianne Feinstein of California and Charles Schumer of
New York introduced identity-theft bills but neither piece of legislation
has yet to even have a hearing.
Both Democratic bills encountered opposition from the technology industry,
which thinks encrypted data represents a good-faith standard that should
preempt disclosure to consumers.
“Using strong encryption to protect consumer records makes it extremely
unlikely that all but the most determined and technologically sophisticated
criminal will attempt to breach them,” Harris Miller, president of the
Information Technology Association of America (ITAA) said earlier this year.
Friday, Miller said in an e-mail statement to internetnews.com, “We
support a national breach notification law, but not one that fails to
recognize the power of technology. Data that are stolen that are encrypted
or otherwise protected from prying eyes should be exempt from any
notification requirements.”
Miller added that, “The focus needs to be on the bad guys and gals, and
they cannot read encrypted data. We also need to avoid a ‘chicken little’
problem by bothering consumers with notifications about breaches that have
no impact on them for fear they will fail to pay attention when a meaningful
breach occurs.”
A member of the Senate Commerce Committee staff told internetnews.com that the proposed bill incorporates much of
Feinstein’s and Schumer’s major points, including disclosing to consumers
all data breaches that represent a “reasonable” exposure of sensitive
personal data to identity thieves.
In addition to tech opposition over encrypted data, the staff member said
the committee also anticipates the financial services industry may fight
another key element of the bill that allows identity-theft victims to put a
credit freeze on their credit reports.
There are plans to introduce similar legislation in the U.S. House under the
direction of Rep. Joe Barton (R-Texas), chairman of the Energy and Commerce
Committee.
“The Internet and new business technologies have added a lot to daily life,
but they’ve also made us more vulnerable,” Sen. Gordon Smith (R-Ore.), the
bill’s sponsor, said in a statement. “We need this bill because having the
world at your fingertips shouldn’t get you into a financial world of hurt.”
