Hot Air Swirls Around ID Theft Measure
While some of the hot air circulating on Capitol Hill today focused on former Vice President Al Gore's testimony on global warming, a debate down the hall managed to carve out its own environmental issues around another topic -- how to craft a data breach notification bill.
At a Senate Judiciary subcommittee hearing on a data breach bill introduced by panel Chairman Dianne Feinstein (D-Calif.), experts looked at making key components of California's influential data breach notification statute the law of the land.
Chris Hoofnagle, senior staff attorney for the University of California-Berkeley Samuelson Law, Technology & Public Policy Clinic, explained that the duty to give individuals notice of security breaches is similar to laws created in the 1980s requiring companies to make inventories of certain toxic chemicals, and to report to the public when such chemicals are released.
"Just as [the law] created strong incentives to secure toxic chemicals, security breach laws create incentives for information security investment," Hoofnagle said. "Prior to the enactment of these laws ... businesses were free to keep security incidences secret, and in effect, pass the costs to individuals who would be subject to identity theft and other misuse of their data."
Hoofnagle also recommended requiring lending institutions to report on the prevalence and severity of identity theft.
Joanne McNabb, chief of California's Office of Privacy Protection, extended the data breach-environmental catastrophe metaphor further, saying, "Personal information is like toxic waste: managing it requires a high level of skill and training."
Perhaps due to Gore's appearance today, the Judiciary Committee hearing room was largely devoid of lawmakers, save Feinstein and Sen. Jon Kyl.
The Arizona Republican quizzed the witnesses from the Justice Department and the Federal Trade Commission over why it is that some 30 percent of identity theft victims have new accounts opened in their name after successfully placing a 90-day fraud alert on their credit files, according to the Identity Theft Resource Center. Both witnesses took a pass on that question, saying that was the first they had heard of that statistic.
Ronald Tenpas, associate deputy attorney general at the Justice Department, told the committee that the ID Theft Task Force expected to forward its final recommendations to the White House by mid-April.
Feinstein, who chairs the subcommittee on terrorism, technology and homeland security, asked the five witnesses their opinions of the most controversial part of her identity theft bill. That portion would permit entities that experience a data loss, theft or breach to avoid notifying affected consumers if the entity decides the incident poses no risk of harm to consumers. The Feinstein bill currently contains a check that would require the entity suffering the breach to give a copy of the breach assessment to the U.S. Secret Service, which could overrule that decision and require that notice be sent.
Tenpas said he was in general agreement with that principle, but urged Feinstein not to forget about the FBI: "We'd note that the FBI is a very important investigative agency in parallel with the Secret Service, and we think it would be useful for there to be some recognition of that in terms of any kind of notification to law enforcement."
Feinstein, known for her candor, said: "We chose the Secret Service because they apparently have the know-how to do it and can do it."
Tenpas added that identity theft and ID theft crimes are an area where "a number of agencies all play important roles and some have closer ties to one industry sector than another and we just want to be sure that anything we do would capitalize on collective talent of all the agencies."
When asked whether entities should be able to decide for themselves whether a breach is serious enough to notify consumers, McNabb warned that this was treading into "dicey waters."
"How you conduct a risk analysis can be very tricky," she said. "You may find yourself in the position of trying to prove or establish a negative. For example, if the forensic evidence showed that the apparent purpose of the hack was to store pirated music, but there was no indication that data on that server was touched ... So then you have to go to the next level. Then that's part of risk analysis of what are our values and principles, and do we believe in an abundance of caution or not?"
Asked the same question, Jim Davis, chief information officer for the University of California at Los Angeles, said in many cases it is simply too difficult to tell whether a data breach or loss would result in harm for affected consumers. In December 2006, the school notified some 800,000 individuals that their personal information -- including Social Security numbers -- had been fraudulently accessed.
"The definition of what is 'significant risk' is very difficult, so when we do our own analysis, it actually is going to be very difficult for us to find a situation in which we wouldn't notify" consumers, he said.