Several prominent U.S. Senators, including the leaders of the Commerce Committee, have introduced another bill that takes on the growing online menace of identity and data theft.
Last week, Sen. Gordon Smith (R-Ore.) introduced the Identity Theft Protection Act, the tenth identity theft bill put into play this session. Like another piece of legislation rolled out in June by Sen. Arlen Specter (R-Pa.) and Sen. Patrick Leahy (D-Vt.), Smith's bill has bi-partisan support. Both Sen. Ted Stevens (R-Alaska) and Daniel Inouye (D-Hawaii), the chairman and ranking member, respectively, of the Commerce Committee, have put their names on the bill as co-sponsors.
"This bill strikes an appropriate balance," said Smith in a press conference announcing the bill, "and we think it will win broad bi-partisan support in the Senate."
Smith and others at the press conference acknowledged that little has been done on the House side. Rep. Joe Barton (R-Texas), who has led the charge there, has only released what's called a "discussion draft" of proposed legislation. Later this month, the House Subcommittee on Commerce, Trade and Consumer Protection will hold hearings on the proposal.
As in previous bills, including those introduced by Specter and Leahy, as well as earlier bills put before the Senate by Dianne Feinstein (D-Calif.) and Charles Schumer (D-N.Y.), the Identity Theft Protection Act demands that companies, schools, or other groups which collect personal information disclose any data breach. Failure to do so could mean up to $11 million in fines.
Breaches that involve more than 1,000 people require that the company or institution inform the Federal Trade Commission (FTC), but unlike other bills, this one has a low bar when it comes to consumer notification. Even if only one consumer's information is disclosed by a breach, that consumer must be notified. Other bills, such as the Specter/Leahy legislation, require disclosure only when the number affected cracks the 10,000 mark.
Some in the technology industry are wary of this bill, and others, because they don't specifically exempt data that's encrypted.
"The standard should be 'no harm, no foul,'" said Greg Garcia, the vice president for information security of the trade group Information Technology Association of America (ITAA). "If data is encrypted, there's a very low likelihood of that information being accessed," he said. Requiring notification of data breaches that involve encrypted data would only raise unnecessary alarm, he said, and further contribute to the unease people feel about e-commerce.
Or the practice would just become so much background noise. "We should try to bring a rational level of requirements to the table," said Garcia, "and not flood the marketplace with notifications. People get jaded. We receive privacy statements from virtually everyone these days -- banks and credit card companies, health care providers -- but do we read them closely? I don't."
One of the main provisions of the Identity Theft Protection Act would allow consumers to "freeze" their credit reports, preventing release to a third party without the consumer's authorization. The idea is to keep identity thieves from taking out credit using a hijacked name.
Meanwhile, keeping an eye on one's credit report is often given as stock advice in the case of data breaches, but according to a privacy advocacy group, accessing the report via a federal Web site may be dangerous.
Consumers have the right to one free credit report per year under a provision of the Fair and Accurate Credit Transactions Act, and can order those from a Web site co-sponsored by the three largest U.S. credit bureaus. (Fourteen states in the Northeast, however, aren't scheduled to receive access until Sept. 1.)
But this site -- AnnualCreditReport.com -- has a legion of hangers-on that are trying to bamboozle users, said a report just released by the World Privacy Forum.
In its second look this year at imposter sites -- ones which use the words "annual" and "credit" and "report" and even "free" in various combinations, or rely on close misspellings of the official site -- the group found that the number of bogus sites had more than doubled in just four months.
In June, there were 112 imposter domains active and online, a 124 percent increase over the 50 active domains scoped out in February, said the group's report.
Such sites, said Pam Dixon, the Forum's head and also the author of the report, vary in what they're after. The most malicious try to trick users into entering their Social Security numbers, others are "link farms" that send consumers to for-fee services that are subsidiaries of the major credit bureaus, and a few even forward users straight to a data broker.
"Imposter domains typically target any Web site that receives high traffic and then use that traffic to make money from referrals," said Dixon in the report. "What is unique about the AnnualCreditReport.com site is that tens of millions of consumers may potentially access the official site once per year, every year. These consumers are accessing the site prepared and willing to enter their Social Security numbers and other higher personal data in order to get a credit report."
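A defender-side heuristic that flags the two kinds of imposter domain the report describes (keyword combinations and close misspellings of the official site), added here as an example and not taken from the article or the World Privacy Forum. The sample domains are constructed and use reserved test TLDs; the edit-distance and keyword thresholds are assumptions.

```python
# Added example: triage candidate domain names against AnnualCreditReport.com.
# Two signals, matching the report's description of imposter sites:
#   1. "lookalike": the registrable label is within a small edit distance of the
#      official one (covers misspellings and the same name under another TLD)
#   2. "keyword-combo": the label combines two or more of the words the report
#      says imposters reuse ("annual", "credit", "report", "free")
# Thresholds are assumptions chosen for illustration, not published values.

OFFICIAL_DOMAIN = "annualcreditreport.com"
KEYWORDS = ("annual", "credit", "report", "free")
MAX_EDIT_DISTANCE = 2   # assumption: how close a label must be to count as a misspelling
MIN_KEYWORD_HITS = 2    # assumption: one keyword alone ("creditunion") is not suspicious

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """Second-level label, lower-cased; assumes a single-label TLD such as .com or .test."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(domain: str) -> str:
    """Return 'official', 'lookalike', 'keyword-combo' or 'unrelated' for one domain."""
    d = domain.lower().strip(".")
    if d == OFFICIAL_DOMAIN or d.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    label = registrable_label(d)
    if levenshtein(label, registrable_label(OFFICIAL_DOMAIN)) <= MAX_EDIT_DISTANCE:
        return "lookalike"
    compact = label.replace("-", "")   # "free-annual-credit-report" -> "freeannualcreditreport"
    if sum(1 for kw in KEYWORDS if kw in compact) >= MIN_KEYWORD_HITS:
        return "keyword-combo"
    return "unrelated"

def triage(domains):
    """Group a list of candidate domains by category (e.g. from a new-registration feed)."""
    groups = {}
    for dom in domains:
        groups.setdefault(classify(dom), []).append(dom)
    return groups

# Constructed sample input on reserved TLDs; none of these are real imposter sites.
SAMPLE = ["www.annualcreditreport.com", "anualcreditreport.test", "annualcreditreport.test",
          "free-annual-credit-report.test", "creditunion.example", "weather.example"]

if __name__ == "__main__":
    for category, doms in triage(SAMPLE).items():
        print(f"{category:14s} {doms}")
```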
Rather than access the online site, said Dixon, consumers may want to call for their free credit report (a toll-free number, 877-322-8228, is available), or request one through the mail.
"Both the phone and the mail options generally expose consumers to fewer potential hazards than the online option," said Dixon.