Majoras also questioned some proposals, backed by some privacy advocates, that would require companies to notify potential victims in nearly all data breach cases. Consumers could become numb to notifications if they are notified of every breach, even those with little risk of ID theft, she said. Asked what constitutes a substantial risk of ID theft that should trigger a notification, Majoras said she wasn't sure.
Senator Dianne Feinstein, a California Democrat who has sponsored two data breach notification bills, acknowledged that several disagreements over a breach notification bill still need to be worked out, including whether it should preempt state law and what type of breach should trigger a notification. Feinstein's most recent bill, the Notification of Risk to Personal Data Act, would require notification in almost all data breaches, with companies that delay notification fined $1,000 per victim, up to $50,000 per day.
Feinstein is trying to work with consumer groups and businesses to iron out the differences, she said. But Senator Gordon Smith, an Oregon Republican, told witnesses he plans to introduce another ID theft bill with other committee members.
Smith's bill, he said, could incorporate pieces of Feinstein's bill and the legislation sponsored by Nelson and Senator Charles Schumer, a New York Democrat. The Schumer-Nelson bill would require breach notification, would require companies to notify consumers when they plan to sell their personal information, and would require companies to take reasonable steps to protect personal information.
Schumer and Nelson announced Thursday an addition to their Comprehensive Identity Theft Prevention Act that would require companies that ship personal data on tapes or disks to take security measures such as encryption. The addition to the bill is a response to recent announcements by Bank of America and Citigroup that data tapes containing millions of personal records were lost in transit while being shipped through commercial delivery services, Schumer said.
Schumer compared the value of personal information such as Social Security and driver's license numbers to gold. "All companies who keep sensitive personal ... need to guard our identities as if they were gold -- because in the hands of identity thieves, they are gold," he said. "We don't transport gold the way we transport a crate of oranges."
But FTC members also questioned a piece of the Schumer-Nelson bill that would create an ID theft clearinghouse at the FTC. With an estimated 10 million cases of ID theft a year in the U.S., the FTC doesn't have the resources to handle every case, even with a $60 million budget increase in the bill, said Orson Swindle, an FTC commissioner. "That would be too much for any one agency," Swindle said.
To personally handle just 120,000 cases of ID theft a year, the FTC would have to add about 1,000 employees, nearly doubling its size, he added.
The FTC already works to educate U.S. residents about ID theft, and it does impose fines on companies that are careless with personal data, Majoras added. The FTC has taken action against five companies that didn't comply with their own data protection policies, and on Thursday, announced a settlement with a sixth company, BJ's Wholesale Club.
BJ's Wholesale Club, which operates 150 warehouse stores and 78 gas stations in 16 states, stored customer credit and debit card numbers on computers in its stores without a legitimate business reason for keeping those numbers, Majoras said. BJ's didn't encrypt the data, and a fraudulent scheme targeted those stored card numbers, allowing ID thieves to make counterfeit cards, the FTC said.
The FTC settlement requires BJ’s to implement a comprehensive information security program and obtain audits by an independent security professional every other year for 20 years.