Establishing Digital Trust: Don't Sacrifice Security for Convenience
Approved on a voice vote, the Identity Theft Protection Act requires data brokers, government agencies and educational institutions to disclose security breaches to consumers within 45 days if the breach involves a "reasonable risk" of identity theft.
Factors bearing on whether that risk exists include whether the sensitive data is usable by an unauthorized third party and whether the data is in the possession of an unauthorized third party that is likely to commit identity theft.
Under the bill's language, companies and other organizations are required to develop, maintain and enforce a written program for the security of sensitive information. Physical and technological safeguards will be mandated through rules and regulations developed by the Federal Trade Commission (FTC). Within a year of the bill's passage, the FTC is required to develop procedures for authenticating the credentials of any third party to which sensitive personal information is to be transferred or sold by a data broker or other organization.
For security breaches involving 1,000 or more consumers, the firms responsible for the breaches must not only notify consumers but also the FTC. The agency, in turn, will post a report of the breach on its Web site without disclosing any sensitive personal data.
For breaches of fewer than 1,000 records that do not create a reasonable risk of identity theft, the data broker must still notify the FTC.
Despite objections from some in the technology community, the bill's breach-notification requirements apply to both encrypted and unencrypted data.