Hot Air Swirls Around ID Theft Measure

While some of the hot air circulating on Capitol Hill today focused on former Vice President Al Gore's testimony on global warming, a debate down the hall managed to carve out its own environmental issues around another topic -- how to craft a data breach notification bill.

At a Senate Judiciary subcommittee hearing on a data breach bill introduced by panel Chairman Dianne Feinstein (D-Calif.), experts looked at making key components of California's influential data breach notification statute the law of the land.

Chris Hoofnagle, senior staff attorney for the University of California-Berkeley Samuelson Law, Technology & Public Policy Clinic, explained that the duty to give individuals notice of security breaches is similar to laws created in the 1980s requiring companies to make inventories of certain toxic chemicals, and to report to the public when such chemicals are released.

"Just as [the law] created strong incentives to secure toxic chemicals, security breach laws create incentives for information security investment," Hoofnagle said. "Prior to the enactment of these laws ... businesses were free to keep security incidences secret, and in effect, pass the costs to individuals who would be subject to identity theft and other misuse of their data."

Hoofnagle also recommended requiring lending institutions to report on the prevalence and severity of identity theft.

Joanne McNabb, chief of California's Office of Privacy Protection, extended the data breach-environmental catastrophe metaphor further, saying, "Personal information is like toxic waste: managing it requires a high level of skill and training."

Perhaps due to Gore's appearance today, the Judiciary Committee hearing room was largely devoid of lawmakers, save Feinstein and Sen. Jon Kyl.

The Arizona Republican quizzed the witnesses from the Justice Department and the Federal Trade Commission over why it is that some 30 percent of identity theft victims have new accounts opened in their name after successfully placing a 90-day fraud alert on their credit files, according to the Identity Theft Resource Center. Both witnesses took a pass on that question, saying that was the first they had heard of that statistic.

Ronald Tenpas, associate deputy attorney general at the Justice Department, told the committee that the ID Theft Task Force expected to forward its final recommendations to the White House by mid-April.

Feinstein, who chairs the subcommittee on terrorism, technology and homeland security, asked the five witnesses their opinions of the most controversial part of her identity theft bill. That portion would permit entities that experience a data loss, theft or breach to avoid notifying affected consumers if the entity decides the incident poses no risk of harm to consumers. The Feinstein bill currently contains a check that would require the entity suffering the breach to give a copy of the breach assessment to the U.S. Secret Service, which could overrule that decision and require that notice be sent.

Tenpas said he was in general agreement with that principle, but urged Feinstein not to forget about the FBI: "We'd note that the FBI is a very important investigative agency in parallel with the Secret Service, and we think it would be useful for there to be some recognition of that in terms of any kind of notification to law enforcement."

Feinstein, known for her candor, said: "We chose the Secret Service because they apparently have the know-how to do it and can do it."

Tenpas added that identity theft crimes are an area where "a number of agencies all play important roles and some have closer ties to one industry sector than another and we just want to be sure that anything we do would capitalize on collective talent of all the agencies."

When asked whether entities should be able to decide for themselves whether a breach is serious enough to notify consumers, McNabb warned that this was treading into "dicey waters."

"How you conduct a risk analysis can be very tricky," she said. "You may find yourself in position of trying to prove or establish a negative. For example, if the forensic evidence showed that the apparent purpose of the hack was to store pirated music, but there was no indication that data on that server was touched ... So then you have to go to the next level. Then that's part of risk analysis of what are our values and principles, and do we believe in an abundance of caution or not?"

Asked the same question, Jim Davis, chief information officer for the University of California at Los Angeles, said in many cases it is simply too difficult to tell whether a data breach or loss would result in harm for affected consumers. In December 2006, the school notified some 800,000 individuals that their personal information -- including Social Security numbers -- had been fraudulently accessed.

"The definition of what is 'significant risk' is very difficult, so when we do our own analysis, it actually is going to be very difficult for us to find a situation in which we wouldn't notify" consumers, he said.

By Brian Krebs  |  March 21, 2007; 6:19 PM ET
Categories:  From the Bunker  

Comments

So under this bill, the company experiencing the data breach might decide that they don't have to tell customers whose data was compromised about the incident, but the Secret Service could overrule that decision? Weird. Then again, it might work if it's the FBI who causes the data breach since giving up their unfettered use of National Security Letters.

Posted by: ~sg | March 21, 2007 9:00 PM | Report abuse

> some 30 percent of identity theft victims have new accounts opened in their name after successfully placing a 90-day fraud alert on their credit files

But, oh no - we can't allow people in all states to freeze their own credit. That solution would be too simple.

Posted by: Anonymous | March 22, 2007 8:39 AM | Report abuse

I'm baffled by the idea that Congress thinks it's reasonable to let the company responsible for a data breach do its own closed evaluation to determine if notification is necessary. That's like hiring Arthur Andersen to investigate their own accounting failures post-Enron.

Any agency or company that fails to protect data should submit to review by a trusted, non-involved third party. That just seems like common sense to me.

Martin Bosworth
http://www.mypublicinfo.com (MyPublicInfo)
http://www.consumeraffairs.com (ConsumerAffairs.Com)

Posted by: Martin Bosworth | March 22, 2007 11:43 AM | Report abuse

While I am not sure about the Secret Service section, it is huge progress to have a group accountable for enforcing. So many regulations go into effect without this and then never get the follow through. While this is still shaky, I look forward to seeing if this passes.

Posted by: Michaeld | March 22, 2007 12:43 PM | Report abuse

I suspect the Secret Service is too small, by a couple of orders of magnitude, to handle the volume of evaluation requests they would get as a result of this bill. Consequently, most of the evaluations will be skipped, and the check won't accomplish anything.

Posted by: antibozo | March 23, 2007 12:30 PM | Report abuse

I think this tackles the wrong end of the issue. Assume data breaches are going to occur. Some have taken place for years before being discovered. Make it harder to fraudulently use personal information.

If banks, lending institutions, and businesses were held liable for negligence in determining an applicant's identity, then data breaches and identity theft would be much less of a problem.

Posted by: Hoku | March 24, 2007 4:01 PM | Report abuse

I agree with Hoku. We are trying to put a bandaid on a blood-spouting gash. We need to require companies to ask for better identification. As a test, I had my son use my credit card and sign my name. My picture (I am his mother and decidedly female in appearance) was on that credit card. Not one person questioned the purchase.

Posted by: Apine | March 29, 2007 11:44 AM | Report abuse


© 2010 The Washington Post Company