Tuesday, May 17, 2005

Bills in U.S. Congress target ID theft

Bills in U.S. Congress target ID theft
Legislation creates new rules regulating the way companies handle customer data

By Grant Gross, IDG News Service
May 17, 2005

WASHINGTON -- Expect the U.S. Congress to pass new rules regulating the way companies handle customer data after recent leaks of personal information by data collectors ChoicePoint and LexisNexis, among other companies.

ChoicePoint announced in February that it had given personal information, including Social Security and driver's license numbers belonging to up to 145,000 U.S. residents, to ID thieves posing as legitimate business owners. In March, LexisNexis division Seisint lost personal data belonging to 310,000 U.S. residents, apparently when hackers compromised its database. Bank of America, Science Applications International and Boston College also lost customer data to thieves recently.

Both Republicans and Democrats complain about ID theft. "Anyone has a near-perfect right to package your personal information and do almost anything they want with it," says Rep. Joe Barton (R-Texas), chairman of the House Energy and Commerce Committee.

But it's mainly Democrats who are pushing restrictions on how personal data can be used and mandates that companies tell people when that data is compromised.

Among the proposals:

Notify consumers: A bill by Sen. Dianne Feinstein (D-Calif.) would require businesses to tell consumers when their data is stolen. The Notification of Risk to Personal Data Act went nowhere in 2004 and so far has no Senate cosponsors -- a barometer of support for the measure.

However, ChoicePoint and other businesses have said they prefer a national notification law to multiple state laws. Feinstein's bill is similar to a California data notification law that went into effect in July 2003 (see www.cio.com/051505). Meanwhile, the Federal Deposit Insurance Corp. (FDIC), along with other agencies, in March directed financial institutions to notify customers when their personal data is compromised.

Regulate information sharing: A bill by Sens. Charles Schumer (D-N.Y.) and Bill Nelson (D-Fla.) would, among other provisions, subject businesses that sell personal data to regulation by the Federal Trade Commission and provide $60 million to the agency to help ID theft victims.

Extend financial privacy laws: FTC Chairwoman Deborah Platt Majoras advocates extending the privacy and security obligations of financial institutions to data brokers. Under law, financial companies must have a security plan to protect personal consumer information.

Otherwise, Majoras thinks current law allows penalties for any company that deceptively promises data security.