Monday, May 15, 2006

Congress ready to tackle data breaches, SSN sales

A new bill sponsored by the infamous House Judiciary Committee Chairman James Sensenbrenner requires private companies to report significant data breaches to the federal government within two weeks. Under the terms of the new Cyber-Security Enhancement and Consumer Data Protection Act of 2006 (H.R. 5318), failure to disclose information about the infiltration of electronic databases containing information on at least 10,000 people or information on federal employees can lead to harsh punishments, including jail time:

Whoever owns or possesses data in electronic form containing a means of identification (as defined in section 1028), having knowledge of a major security breach of the system containing such data maintained by such person, and knowingly fails to provide notice of such breach to the United States Secret Service or Federal Bureau of Investigation, with the intent to prevent, obstruct, or impede a lawful investigation of such breach, and if such breach causes a significant risk of identity theft, shall be fined under this title, imprisoned not more than 5 years, or both.

Last year, the personal data of over a hundred thousand people was stolen from a company called ChoicePoint. The ChoicePoint debacle and similar situations have compelled the government to look for better ways to ensure that companies are doing everything in their power to protect consumer data and prevent identity theft. At this point, 28 individual states have enacted their own laws requiring the disclosure of data breaches, and similar laws are pending in many other states.

Despite the apparent need for better regulation concerning disclosure of data breaches, this new proposal abysmally fails to acknowledge the rights and needs of data theft victims. Although the proposal requires companies to report data breaches to federal law enforcement agencies, it does not require those companies to report data breaches to the affected consumers. In addition, the proposal would imbue the government with the authority to prevent a company from voluntarily disclosing data breach details to consumers in cases where doing so could conflict with a criminal investigation or national security, even when the company is obligated to inform consumers under applicable state laws:

if the United States Secret Service or Federal Bureau of Investigation determines that any notice required to be made to consumers under State or Federal law would impede or compromise a criminal investigation or national security, the United States Secret Service or Federal Bureau of Investigation shall direct in writing within 7 days that such notice shall be delayed for 30 days, or until the United States Secret Service or Federal Bureau of Investigation determines that such notice will not impede or compromise a criminal investigation or national security;

This law expands the power and authority of the federal government at the expense of victims, and it does very little to deter the perpetration of actual data theft. The exclusion of consumer notification requirements is not particularly surprising, given the position that the federal government has taken on the issue in the past. In 2003, Senator Feinstein proposed the Notification of Risk to Personal Data Act, which would have required companies to inform victims of data theft. Unfortunately, Feinstein's proposal was strongly opposed by government and law enforcement officials who believe in hiding details of data breaches from the public in order to protect the reputation of targeted companies. Many law enforcement officials are concerned that companies will decide not to report data breaches at all rather than risk the public embarrassment. In the past, prosecutors and law enforcement officials have vowed to keep secret the identity of companies that have been hacked or digitally infiltrated.

There may be some relief in the offing for consumers. Legislators from both sides of the aisle are working on bills that would curtail the sale of Social Security Numbers. One particularly promising version comes from Rep. Clay Shaw (R-FL), whose proposed legislation would make it harder for companies to decline to do business with those who refuse to divulge their Social Security Numbers. In addition, full Social Security Numbers could no longer be displayed on credit reports and certain other documents. Rep. Edward Markey (D-MA) wants the Federal Trade Commission to crack down on the sale of Social Security Numbers, with his bill providing exceptions for emergency situations, law enforcement usage, and the occasional research project.

At a Congressional hearing yesterday, FTC Commissioner Jon Leibowitz admitted that there is a problem with how companies are using and disclosing Americans' Social Security Numbers and that protections against abuse are few and far between.

Is there a better way?

Although the accumulation of personal data by private companies is often necessary and in some cases beneficial, instances of identity theft could be decreased if less identifying information is retained and if access to such information is better controlled. In addition to requiring disclosure of breaches to victims, effective identity theft prevention laws could potentially impose limitations on what kind of data can be retained, how it can be used, and how long it can be kept.

If the federal government is really serious about preventing identity theft and protecting the private information of American citizens, it should start by repealing the costly and destructive Real ID Act. Opposed by more than 600 independent organizations, including the National Governors Association, the Real ID Act creates a centralized national database of private citizen information and requires individual state ID cards to contain machine-readable RFID mechanisms. The Real ID Act has been broadly condemned by privacy advocates, who point out that a centralized database and machine-readable RFID system will give identity thieves unprecedented ease of access to our private information.

source:http://arstechnica.com/news.ars/post/20060512-6818.html
