WASHINGTON (11/05/2003) - As identity theft becomes the fastest-growing crime in the U.S., some companies endorse legislation requiring them to disclose theft of personal data, while privacy advocates urge lawmakers to go even further to protect consumers.
At a Tuesday hearing called by the bill's author, Senator Dianne Feinstein, a California Democrat, witnesses applauded S. 1350 as a much-needed first step in guarding against increasing security breaches on databases.
"There are few consumer issues more worthy of the attention than this topic," said David McIntyre, president of TriWest Healthcare Alliance, at the hearing. His company's computer hard drives, containing data for half a million customers, were stolen last December.
Under the bill, companies must notify customers whenever their personal data -- such as Social Security, driver's license, credit, or debit card numbers -- are compromised through computer hacking or other unauthorized access.
Companies that fail to comply would be fined up to US$5,000 per violation or up to $25,000 each day.
The bill leaves enforcement to the Federal Trade Commission and the state attorneys general -- none of whom is equipped for the job, say privacy advocates.
"We are talking about mammoth databases containing records on anywhere between a few million to 210 million Americans," Evan Hendricks, editor of Privacy Times, told the Senate panel. "Given this scope, you will never be able to build a bureaucracy large enough to carry out adequate enforcement. The private right of action needs to include minimum statutory damages."
Furthermore, the FTC does not act on individual complaints, according to Chris Hoofnagle, of the Electronic Privacy Information Center, who was not at the hearing. "There has to be a pattern of abuse" before the FTC will step in, Hoofnagle said later.
Hendricks told the senators the bill should also require companies to give consumers access to the types of data kept, so people can assess potential threats to their privacy.
"A right of access will promote better security because organizations will need to authenticate individuals seeking access to their records," Hendricks said. He argued that since consumers now have right of access to credit reports, medical records, and other documents, they should also have access to other personal data.
Some companies like TriWest notify their customers immediately, while others are more reticent because they fear the public's response to an admission of failure in the security infrastructure. TriWest's McIntyre said none of the customers affected by the stolen database had reported fraud or other related identity-theft problems. TriWest deployed a communication plan that included press alerts and letters to its customers whose personal data had been compromised.
Companies like Visa USA support legislative attention on identity fraud, but say they are already implementing advanced technological solutions protecting consumer data.
Echoing the concerns related to the tangible and intangible costs of the bill, Mark MacCarthy of Visa USA stated that "notification of a security breach should only be undertaken when there is clear evidence that the information...is being used for fraudulent purposes."
If enacted, the bill would override conflicting state laws. It would not affect a similar California law enacted last July. Feinstein said the bill is necessary because the prompt notice alerting consumers of their compromised personal data would give them an opportunity to take preemptive measures, such as canceling credit cards and monitoring their credit reports.
The bill would exempt companies from notifying their customers under the following circumstances:
- The stolen data is encrypted.
- The notification costs are too expensive or impractical. The company may use alternative notice in such cases; for example, it may post announcements in major media outlets or on the company Web site.
- The company already has developed a "reasonable" notification policy. A Feinstein spokesperson says the FTC would determine what is reasonable.
According to the Identity Theft Resource Center, a typical identity theft victim takes six to 12 months to discover that a fraud has taken place.