Establishing Digital Trust: Don't Sacrifice Security for Convenience
With data ID thieves increasingly putting the bite on consumers, U.S. Sen. Diane Feinstein (D-Calif.) moved Monday to add more teeth to her two-year-old identity-theft legislative proposal.
Based on a California state law, the bill requires a business or government agency to notify an individual in writing or by e-mail when it is believed that personal information has been compromised.
Under opposition from banks and financial institutions, the proposal died in the 108th Congress. Feinstein reintroduced the legislation in January but redrafted the bill in light of the high-profile data leaks at ChoicePoint, LexisNexis and Bank of America.
The Senate Judiciary Committee will examine Feinstein's bill Wednesday, and the notion of a national notification law will likely be a major source of questions to officials from the Federal Trade Commission, the FBI and the Secret Service.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
In addition, Douglas C. Curling, president and CEO of ChoicePoint, and Kurt P. Stanford, president and CEO of LexisNexis' corporate and federal markets, are expected to testify.
"We desperately need a strong national standard that says whenever a data system is breached, everyone who is at risk of identity theft must be notified," Feinstein said in a statement.
She added, "The fact of the matter is that your buying habits, your bank accounts, your Social Security number, your driver's license -- all of your personal data -- today is being collected, collated, distributed, bought, sold, without your knowledge or consent."
The legislation proposes a $1,000 per individual civil fine for failure to notify or not more than $50,000 per day while the failure to notify continues. The data covered by the bill includes both electronic and non-electronic information, as well as encrypted and non-encrypted data.
Feinstein's bill makes only two exceptions to notifying consumers of a data breach: by the written request of law enforcement for the purposes of a criminal investigation and for national security purposes.
The measure also allows companies or government agencies to bypass mail or e-mail notice with a Web site posting or media release. In order to qualify for the substitute notice, the company or agency must demonstrate that the cost of providing direct notice would exceed $500,000 or 500,000 individuals to be notified.
"Every day, we learn that we are more and more at risk from identity theft -- entire databases have been lost, stolen, or hacked into," Feinstein said. "First, we heard about ChoicePoint -- a case that resulted in the theft of the personal information of 145,000 Americans -- but this was just the beginning. Now we have watched as wave after wave of data system theft has come to light, exposing millions of Americans to identity theft."
Feinstein said that while she based her legislation on the California law, her proposal goes further than the nation's only ID theft measure. The California law, for instance, only covers unencrypted electronic data.
In addition, the Feinstein bill lays out specific requirements for what must be included in the data breach notices, including a description of the data that may have been compromised and a toll-free number to learn what information and which individuals have been put at risk.
By contrast, California law is silent on what must be included in data-breach notices to consumers.
The bill also allows individuals to put a seven-year fraud alert on their credit report, while the California law doesn't address fraud alerts.