Approved on a voice vote, the Identity Theft Protection Act requires data brokers, government agencies and educational institutions to disclose security breaches to consumers within 45 days if there is a "reasonable risk" of identity theft involved in the breach.
The evidence of possible identity theft includes such factors as whether the data containing sensitive information is useable by an unauthorized third party and whether the data is in the possession of an unauthorized third party that is likely to commit identity theft.
Under the bill's language, companies and other organizations are required to develop, maintain and enforce a written program for the security of sensitive information. Physical and technological safeguards will be mandated through rules and regulations developed by the Federal Trade Commission (FTC).
For security breaches involving 1,000 or more consumers, the firms responsible for the breaches must notify not only consumers but also the FTC. The agency, in turn, will post a report of the breach on its Web site without disclosing any sensitive personal data.
For breaches of fewer than 1,000 records that do not create a reasonable risk of identity theft, the data broker must still notify the FTC.
Despite the objections of some in the technology community, the bill covers both encrypted and unencrypted data.