Can Congress Meet Identity Theft Head-On?
Special Edition - National Consumer Protection Week
February 2007
As data breach and identity theft cases reach a fever pitch, one might expect the American government to respond in kind in an effort to stanch the flow of personal information. Yet getting unified Congressional help in the battle against identity theft has thus far been a slow and disappointing process. The new wave of leadership seems to present an opportunity to pass legislation that has failed in the past, but insiders say that even modest proposals are likely to meet stiff resistance. Senator Dianne Feinstein (D – CA) has been among those legislators leading the effort to pass laws that help protect consumers against identity theft.
It shouldn’t be this hard. Ever since 2003, when California passed the first state law requiring companies to notify people of security breaches that could expose their personal data to identity thieves, many thought Congress would follow in California’s steps by enacting a federal law to provide all citizens with at least some minimal consumer protections.
Four years later, the vast majority of states have breach notification laws on the books. However, at the federal level, almost a dozen notification bills have been introduced in Congress. None have passed. The most successful attempt, a bipartisan effort between veteran Senators Arlen Specter (R – PA) and Patrick Leahy (D – VT), passed the Senate in 2005, only to languish and die in the House.
Two different types of security breach laws: The chief difference among the laws involved is the threshold for disclosure. Some proposals gave companies leeway to disclose a breach only if they deemed information was “reasonably likely to be misused,” a provision consumer advocates thought was ripe for abuse, similar to letting Exxon decide whether to report an oil spill to the authorities based on its own assessment of the situation. The Specter/Leahy proposal shifted the burden so that companies instead had to prove that there was “no significant risk” of harm as the only way to preclude disclosure.
“Getting these bills passed through Congress is an uphill battle all the way,” says Scott Gerber, spokesman for Senator Dianne Feinstein (D – CA), who introduced the first version of the Specter/Leahy bill in 2004.
Two bills introduced: Now that Feinstein’s party is back in the majority, she’s trying again. In the opening days of the new session, Feinstein introduced the Notification of Risk to Personal Data Act (S239). If passed, the law would require companies and federal agencies to notify an individual of a security breach involving personal data “without unreasonable delay.” The law also would authorize the U.S. Attorney General and state Attorneys General to bring civil actions against companies that don’t comply.
“It’s critical that victims of a security breach are informed promptly when their personal or financial information has been compromised,” Senator Feinstein said in a prepared statement. “Individuals cannot take the appropriate steps to protect themselves if they are not armed with detailed information about the breach. Without that knowledge, individuals are left completely defenseless to identity thieves.”
State vs. Federal law: Feinstein’s bill is almost an exact copy of California’s landmark law. Many privacy advocates are thrilled that Congress may make such protections enforceable nationwide.
Some are worried about Feinstein’s proposal, however, because it includes language specifically written to make the new federal law supersede any conflicting state statutes. Since 2003, a number of states have enacted laws that go even further than California’s to protect consumers.
For example, in California, a breach involving debit card numbers must be reported only if personal access codes are stolen along with the card number. In other states, these breaches must be reported regardless. Some states, most notably Florida, New Jersey and Delaware, define private information broadly, including food stamp account numbers and mothers’ maiden names among the items that fall under the purview of the notification law. Some states, including Hawaii, spell out exactly what information companies must provide in their notification, while Florida gives exact time limits between the date of the breach and when notification must be sent.
While any federal law requiring breach notification would be an improvement, says Ari Schwartz, associate director of the Center for Democracy and Technology, Feinstein’s bill could have the unintended consequence of wiping out valuable, stronger consumer protections in some states.
The difficulties of getting the bill through Congress: But just because Democrats now have narrow control over Congress doesn’t mean that passing even a medium-strength bill like Feinstein’s is a slam-dunk, caution some who work on the Hill. “It’s been difficult to get the notification bill passed, even though on its face it’s the right thing to do,” Gerber says.
So Feinstein is taking a slow-as-you-go approach. The other bill she’s introduced, the Social Security Number Misuse Prevention Act (S238), is specifically designed to attract bipartisan support. She hopes the proposal will draw together the liberal consumer advocates of her own party with more conservative Republicans who approach identity theft as a traditional law-and-order issue or see it as a catalyst for passing laws to limit the intrusiveness of government. Feinstein’s bill would prohibit federal, state and local government agencies from displaying Social Security numbers on public records posted on the Internet or issued to the general public. It would also prevent the employment of prison inmates for tasks that would give them access to the Social Security numbers of other individuals.
“If a person’s Social Security number is compromised, the path to identity theft is a short one,” Feinstein says in a press release. “Thieves can obtain Social Security numbers through public records – marriage licenses, professional licenses, and countless other public documents – many of which are available online.”
For a bill that likely needs pro-business support to pass, the more politically risky provisions include limitations on when businesses can ask customers for their Social Security numbers, and a prohibition on the sale or display of an individual’s Social Security number to the general public without the individual’s consent. The law would be narrowly tailored, however, applying to government agencies and many corporations but not to the entire sector of data aggregators that find, bundle and sell huge databases containing personal information on millions of people. (Ironically, ChoicePoint would likely have fallen into this category.)
Eventually the senator hopes to pass a comprehensive privacy protection act that would go further than any of the states in protecting consumers’ personal information. But after years of watching her best anti-identity-theft proposals die slow deaths in the legislative process, Feinstein has decided that the smart tactic is still to move slowly. “The idea is to get the Notification and Social Security number bills passed, which will be difficult in itself,” Gerber says. “Then we can use that as a foundation to pass more comprehensive reforms.”
How to help: Here’s the secret about contacting your senators and representatives: Sometimes, it actually works. Elected leaders pay a lot of attention to the opinions that arrive over the transom. As a general rule, a hand-written letter to your senator carries the most weight, because it takes the most time and attention. Next in importance are phone calls. E-mails receive the least amount of attention, but even they are important.
Senator Feinstein’s breach notification bill is Senate Bill 239. It’s been referred to the Senate Judiciary Committee, of which she is a member. Urge the other members of the committee to support this common-sense protection against identity theft:
Patrick J. Leahy
Edward M. Kennedy
RANKING MEMBER, R-PENNSYLVANIA
Joseph R. Biden, Jr.
Orrin G. Hatch
Charles E. Grassley
Russell D. Feingold
Charles E. Schumer
Richard J. Durbin
Benjamin L. Cardin