A Senate committee pondered national identity protection legislation in a hearing Thursday that took testimony and solicited answers from all five members of the Federal Trade Commission, the agency most likely to manage any new laws aimed to stop the recent wave of unwanted and illegal data disclosures.
Sen. Gordon Smith (R-Ore.) chaired the Commerce, Science, and Transportation committee hearing, which at various points involved all the senators who have plunged into the data theft and consumer notification problem.
Sen. Dianne Feinstein (D-Calif.), for instance, who has presented three different bills on the issue so far this session, said "Congress has a major issue before it here" and noted that some 18 million identities have been exposed in the last 12 months through theft or data breaches or loss during transportation.
Being from California, Feinstein couldn't help but tweak the committee by reminding it of her state's Security Breach Information Act, which requires businesses and government agencies to notify people via mail or e-mail when there's evidence that personal information has been exposed.
"At present, the states are out ahead of the Congress," she said, adding "that if it wasn't for California's law, we might not know about many of these data breaches."
But a national law may be hard to push through, she said, because "we're fighting big interests out there who don't want the public to know that they sell your data."
Sen. Charles Schumer (D-N.Y.), who has also proposed identity theft prevention legislation, waxed on the ridiculousness of transporting personal data "like a crate of oranges." Schumer was referring to one of the most recent data gaffes in which computer tapes from Citigroup were lost by UPS as they were transported to a credit agency.
Schumer also had one of the best quotes of the two-hour hearing: "What bank robbery was to the Depression, identity theft is to the information age," Schumer said.
Although the bills under consideration, as well as those which may be proposed -- Sen. Smith, for instance, hinted he would introduce his own bill this week -- are far from identical, they all would require companies to inform consumers when they lose or misplace personal data. That provision in the California law has been the reason why most of the past months' breaches or thefts were made public.
In their testimony, the five members of the FTC -- chairman Deborah Majoras, and all four commissioners -- recommended just that. Although she outlined the existing laws and regulations that governed data security, Majoras said "the Commission recommends that Congress consider whether companies that hold sensitive consumer data, for whatever purpose, should be required to take reasonable measures to ensure its safety."
The phrase "reasonable measures," however, didn't go down well with some of the lawmakers. Sen. Conrad Burns (R-Mont.) in particular questioned Majoras and the commissioners on what that would mean.
"It's definable," she answered, in effect refusing to be pinned down. Instead, she referred to the California law, and the list that the state has since created to define when notification must be sent to consumers.
Many of the senators also called for an "identity theft czar" position in the FTC. While Majoras said she would "never turn down additional resources," she gave only a conditional approval to the idea.
Also speaking at the hearing Thursday was William Sorrell, the Attorney General of Vermont as well as the president of the National Association of Attorneys General. While he said the states wanted a federal security breach law of some sort, he argued that "what the federal government does should be the floor, not the ceiling" of what is allowed.
"I'm not one who believes that we're going to throw a wrench into commerce by giving the states the right to go beyond the Congress on this," he added.
The only sure bet after Thursday's hearing -- which followed similar hearings by other committees as early as April -- is that a national identity theft law will have support from both sides of the aisle. Everyone, it seems, wants to hog pile on the issue.
"If this isn't a threat to Americans' privacy, I don't know what is," said Sen. Bill Nelson (D-Fla.), and a co-sponsor with Schumer of the ID Theft Prevention bill.