Congress offers competing ideas on fighting ID theft

WASHINGTON - Several U.S. senators pushed for new identity theft regulations on U.S. businesses, but a range of conflicting ideas was presented at a Thursday hearing, including a proposal requiring licensing of companies that sell personal data.

U.S. companies reported that 9.6 million personal records have been lost since early February, prompting members of the Senate Commerce, Science and Transportation Committee to say they're ready to act, although they have competing ideas of what to do.

"If this isn't an eye-opening threat to Americans' privacy, then I don't know what is," said Senator Bill Nelson, a Florida Democrat and cosponsor of a wide-ranging ID theft bill. "Consumers are losing trust in our system of electronic commerce."

A survey released Wednesday by the advocacy group the Cyber Security Industry Alliance seemed to support Nelson's concern. Of 1,003 likely voters surveyed, 97 percent said identity theft is a serious problem. Forty-eight percent indicated they avoid making purchases on the Internet because they are afraid their financial information may be stolen. Seventy-one percent of those surveyed said new laws are necessary to protect consumer privacy on the Internet.

Beyond the 20-plus bills in Congress that deal with ID theft in some way, committee members came up with more ideas at the hearing. Senator Conrad Burns, a Montana Republican, suggested that all so-called data brokers -- businesses that sell personal data -- be licensed by the government. Data broker ChoicePoint's disclosure in February that it had given data on 145,000 U.S. residents to ID thieves was the first in a series of large-scale data breaches this year.

"I'm coming down on the side of, anybody who collects information has to have a license to do so, or is outside the law and should be shut down," Burns said. "I think they need to have some reasonable license that gives them guidelines to do business in this arena."

Some senators pushed for a national law that would require businesses that have data breaches to notify potential victims, but witnesses disagreed on what form such a law should take. William Sorrell, attorney general for Vermont, urged the committee to pass a national data breach notification law that wouldn't preempt tougher state laws.

State law enforcement officials can help investigate and prosecute ID thieves, he said, and states can pass "innovative" laws to protect consumers, such as recent laws passed by seven states that allow consumers to freeze credit to prevent new accounts opened in their names. A national law shouldn't preempt those laws, he said.

But Deborah Majoras, chairwoman of the U.S. Federal Trade Commission (FTC) disagreed, saying it would be expensive for businesses to comply with up to 50 different state breach notification laws. "If you provide a federal standard that is a floor, as opposed to a ceiling, I'm not sure why you'd spend time imposing it at all," she said. "I think that businesses are going to have to spend time respond to the very highest [state] standard. I don't think they can chop up their customer lists into 50 different standards."