Congress offers competing ideas on fighting ID theft

WASHINGTON - Several U.S. senators pushed for new identity theft regulations on U.S. businesses, but a range of conflicting ideas was presented at a Thursday hearing, including a proposal requiring licensing of companies that sell personal data.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

U.S. companies reported that 9.6 million personal records have been lost since early February, prompting members of the Senate Commerce, Science and Transportation Committee to say they're ready to act, although they have competing ideas of what to do.

"If this isn't an eye-opening threat to Americans' privacy, then I don't know what is," said Senator Bill Nelson, a Florida Democrat and cosponsor of a wide-ranging ID theft bill. "Consumers are losing trust in our system of electronic commerce."

A survey released Wednesday by the advocacy group the Cyber Security Industry Alliance seemed to support Nelson's concern. Of 1,003 likely voters surveyed, 97 percent said identity theft is a serious problem. Forty-eight percent indicated they avoid making purchases on the Internet because they are afraid their financial information may be stolen. Seventy-one percent of those surveyed said new laws are necessary to protect consumer privacy on the Internet.

Beyond the 20-plus bills in Congress that deal with ID theft in some way, committee members came up with more ideas at the hearing. Senator Conrad Burns, a Montana Republican, suggested that all so-called data brokers -- businesses that sell personal data -- be licensed by the government. Data broker ChoicePoint's disclosure in February that it had given data on 145,000 U.S. residents to ID thieves was the first in a series of large-scale data breaches this year.

"I'm coming down on the side of, anybody who collects information has to have a license to do so, or is outside the law and should be shut down," Burns said. "I think they need to have some reasonable license that gives them guidelines to do business in this arena."

Some senators pushed for a national law that would require businesses that have data breaches to notify potential victims, but witnesses disagreed on what form such a law should take. William Sorrell, attorney general for Vermont, urged the committee to pass a national data breach notification law that wouldn't preempt tougher state laws.

State law enforcement officials can help investigate and prosecute ID thieves, he said, and states can pass "innovative" laws to protect consumers, such as recent laws passed by seven states that allow consumers to freeze credit to prevent new accounts opened in their names. A national law shouldn't preempt those laws, he said.

But Deborah Majoras, chairwoman of the U.S. Federal Trade Commission (FTC) disagreed, saying it would be expensive for businesses to comply with up to 50 different state breach notification laws. "If you provide a federal standard that is a floor, as opposed to a ceiling, I'm not sure why you'd spend time imposing it at all," she said. "I think that businesses are going to have to spend time respond to the very highest [state] standard. I don't think they can chop up their customer lists into 50 different standards."

Majoras also questioned some proposals, backed by some privacy advocates, that would require companies to notify potential victims in nearly all data breach cases. Consumers could become numb to notifications if they are notified of every breach, even those with little risk of ID theft, she said. Asked what constitutes a substantial risk of ID theft that should trigger a notification, Majoras said she wasn't sure.

Senator Dianne Feinstein, a California Democrat who has sponsored two data breach notification bill, acknowledged that several disagreements over a breach notification bill still need to be worked out, including whether it should preempt state law and what type of breach should trigger a notification. Feinstein's most recent bill, the Notification of Risk to Personal Data Act, would require notification in almost all data breaches, with companies that delay notification fined $1,000 per victim, up to $50,000 per day.

Feinstein is trying to work with consumer groups and businesses to iron out the differences, she said. But Senator Gordon Smith, an Oregon Republican, told witnesses he plans to introduce another ID theft bill with other committee members.

Smith's bill, he said, could incorporate pieces of Feinstein's bill and the legislation sponsored by Nelson and Senator Charles Schumer, a New York Democrat. The Schumer-Nelson bill would require breach notification, would require companies to notify consumers when they plan to sell their personal information, and would require companies to take reasonable steps to protect personal information.

Schumer and Nelson announced Thursday an addition to their Comprehensive Identity Theft Prevention Act that would require companies that ship personal data on tapes or disks to take security measures such as encryption. The addition to the bill is a response to recent announcements by the Bank of America and Citigroup that data tapes containing millions of personal records were lost during transit using commercial delivery services, Schumer said.

Schumer compared the value of personal information such as Social Security and drivers license numbers to gold. "All companies who keep sensitive personal ... need to guard our identities as if they were gold -- because in the hands of identity thieves, they are gold," he said. "We don't transport told the way we transport a crate of oranges."

But FTC members also questioned a piece of the Schumer-Nelson bill that would create an ID theft clearinghouse at the FTC. With an estimated 10 million cases of ID theft a year in the U.S., the FTC doesn't have the resources to handle every case, even with a $60 million budget increase in the bill, said Orson Swindle, an FTC commissioner. "That would be too much for any one agency," Swindle said.

To personally handle just 120,000 cases of ID theft a year, the FTC would have to add about 1,000 employees, nearly doubling its size, he added.

The FTC already works to educate U.S. residents about ID theft, and it does impose fines on companies that are careless with personal data, Majoras added. The FTC has taken action against five companies that didn't comply with their own data protection policies, and on Thursday, announced a settlement with a sixth company, BJ's Wholesale Club.

BJ's Wholesale Club, which operates 150 warehouse stores and 78 gas stations in 16 states, stored customer credit and debit card numbers on computers in its stores, without a legitimate reason for keeping those numbers, Majoras said. BJ's didn't encrypt the data, and a fraudulent scheme targeted those credit card numbers and allowed ID thieves to make counterfeit cards, the FTC said.

The FTC settlement requires BJ’s to implement a comprehensive information security program and obtain audits by an independent security professional every other year for 20 years.