New Legislation Targets Data-Security Breaches in Order to Curb Identity Theft
January 2006
Forget thieves rifling through the trash for unshredded bank statements. Forget cyber-pests sending bogus emails phishing for your personal information. The most widespread precursor to identity theft is in fact private data-security breaches.
Last year, companies ranging from Designer Shoe Warehouse to Ford Motor Co. to Marriott Vacation Club International suffered hacked servers, stolen computers and laptops, missing backup tapes, et cetera – the personal data files of 50 million consumers are believed to have been compromised from ChoicePoint, LexisNexis and MasterCard accounts alone.
In the year 2005, some 135 companies disclosed massive private data-security breaches, resulting in the potential susceptibility of at least 57 million people to identity theft. It has accordingly been deemed the worst year for known security breaches. These unnerving statistics and the upshot of nationwide media attention have prompted both state and federal lawmakers to introduce dozens of fresh proposals aimed at halting the epidemic.
Credit-freeze legislation appears to be the newest medication – a provision under which a consumer may place a security freeze on his or her credit report by making a request to a consumer reporting agency, thus prohibiting the disclosure of any personal information without the consumer’s express authorization. Growing in popularity since North Carolina and, subsequently, New York implemented their own in December, states including Connecticut, Illinois, Louisiana, Georgia, New Jersey and Maine will have adopted such measures this year.
Equally noteworthy are the numerous states joining the 22 that already require companies by law to disclose to all potentially affected customers the event of a data-security breach.
Such policies essentially fit the mold set by California’s bellwether Security Breach Information Act (commonly referenced as SB-1386) – which was enacted in 2003 and calls for corporate accountability for data privacy – and carry considerable controversy with regard to the way they should be implemented, if at all, and their alleged effectiveness in general.
One of the main criticisms of the notification requirement, according to Gartner Research, is the expense shelled out by companies that are hit – at least $90 per customer. One need only consider the ChoicePoint fiasco in which the data of 145,000 people were sold to criminals posing as businessmen. Under the aforementioned SB-1386, customers were swiftly notified of the breach. Needless to say, the process was not cheap.
The dilemma is especially apparent in the newly approved, federal adaptation of SB-1386 – the comprehensive Personal Data Privacy and Security Act of 2005, a bipartisan bill proposed by Senator Arlen Specter (R-Pennsylvania) and Senator Patrick Leahy (D-Vermont).
The bill hinges on the idea that the single step of notifying people about a potential risk is critical in the prevention of fraud. In addition, the bill addresses what should be considered a “significant risk,” a definition that idealistically distinguishes between hazardous, costly over-notification and apathetic responses.
FTC Chairman Deborah Majoras supported the “significant risk” standard, saying that consumers ought to “receive notices when they are at risk of identity theft…” and furthermore, “the goal of any notification requirement is to enable consumers to take steps to avoid the risk of identity theft.” She said that “to be effective, any such requirement must provide businesses with adequate guidance as to when notices are required.”
Skeptics of the Specter-Leahy bill, on the other hand, worry that by requiring data brokers to give consumers a chance to access and correct their information, their efforts to undercut fraud could backfire by providing an entirely different channel for identity thieves.
A plethora of other more individualistic and perhaps specialized policies being introduced – most currently on the state level – will supplement the widespread breach-disclosure and security-freeze policies. Only time will dictate which prove effective. Unfortunately, the reality of any attempt to curtail a crime as swiftly and dynamically evolving as identity theft is that any supposed solution is likely to be extremely short-lived.