Cybercime bill inadequate, cries consumer advocate

New legislation in the U.S. Congress intended to help law enforcement agencies fight cybercrime falls short because it does not give consumers tools to guard against identity theft, a lawmaker and a consumer advocate said Thursday.

The Cyber-Security Enhancement and Consumer Data Protection Act, introduced Tuesday, would be inadequate as a stand-alone cybersecurity bill because it does not require companies with data breaches to notify affected consumers, and it does not allow consumers to freeze their credit when they've been victims of ID theft, said Susanna Montezemolo, policy analyst for Consumers Union.

"One question we ask when we consider federal legislation is, 'Will this make consumers better off?'" Montezemolo said during a hearing on the bill. "The legislation does address some of the broader consumer issues, such as notifying individuals ... so that they can take steps to avoid or detect, at a much earlier time, identity theft."

The bill, sponsored by House Judiciary Committee Chairman James Sensenbrenner, a Wisconsin Republican, would allow fines or five-year jail sentences for people who fail to report to federal law enforcement authorities large data breaches involving personal information. The bill would triple the maximum jail sentence to 30 years for first-time offenders convicted of computer fraud, and it would allow federal law enforcement officials to charge organized cybercrime groups with racketeering.

The bill would also increase funding for federal cybercrime programs, and it would spell out a prohibition against taking over computers remotely to create so-called botnets.

The legislation is needed because cybercriminals are becoming increasingly inventive, said Representative Howard Coble, a co-sponsor of the bill and chairman of the Judiciary Committee's Crime, Terrorism, and Homeland Security Subcommittee, where the bill was debated Thursday.

"One thing we know about Internet fraudsters is they are a sophisticated and intelligent group of criminals," said Coble, a North Carolina Republican.

But the bill doesn't go far enough, said Montezemolo and Representative Robert Scott, a Virginia Democrat. Scott called for additions that would allow consumers to check the accuracy of the data held by data brokers, credit agencies and other companies, as well as a data breach notification provision.

If the Sensenbrenner bill is married to another breach notification bill, Congress should continue to allow states to pass their own breach notification laws, Scott said. Close to 30 states have passed breach notification bills after a rash of breaches were made public in early 2005.

Other bills before Congress include data breach notification provisions, but a bill approved in March by the House Financial Services Committee would preempt stronger state laws, Scott and Montezemolo said. The Financial Data Protection Act would require companies to report data breaches only after they determine the breaches pose a significant risk to consumers, Montezemolo said.

"We call this the 'don't know, don't tell' policy," she said. "Because if the company doesn't know whether consumers can be harmed, they don't have to notify them."

Others testifying before the subcommittee praised the Sensenbrenner bill. The legislation is a "good first step toward punishing" cybercriminals, said Joseph LaRocca, vice president for loss prevention at the National Retail Federation.