ChoicePoint says that most identity theft occurs as a result of offline tactics--someone stealing your mail or copying a credit card number from a receipt. However, the reports of security breaches in the online world have caused some people to rethink how identity thieves operate. "Most people don't know how they were struck," says RelyData's Steen. "But a lot of the stuff that you're never going to find out how it happened was electronic, was breaches, was the Internet."
As a result, lawmakers have hastened the call for more legislation dealing with these issues. A reference point for some of these bills is the landmark California law that requires companies to notify California residents in cases of unencrypted data theft or loss. This law is the reason so many companies have revealed breaches.
The bills wending their way through Congress and many state legislatures incorporate three ideas: restricting access to personal data, especially Social Security numbers; breach notification; and restricting access to credit reports.
Ten years ago the European Union enacted a far-reaching privacy directive. The directive declares that data can be collected only for a specific purpose and cannot be kept longer than necessary to fulfill that purpose. It also requires that data be accurate and up-to-date, and it restricts transfers of personal information to third parties without the permission of the data subject. Additionally, it regulates transfers of data to companies in any country that has insufficient privacy protection--including the United States.
The proposed Specter-Leahy Personal Data Privacy and Security Act of 2005, sponsored by Senators Arlen Specter (R-Pennsylvania) and Patrick Leahy (D-Vermont), incorporates a few of the concepts of the European directive. This bill would restrict companies' use of Social Security numbers. It would require that law enforcement, consumers, and credit reporting agencies be notified of security breaches. And it would require information brokers to create a mechanism for individuals to access and correct data.
Several states have passed laws to let consumers freeze their credit. "I'm a big fan of [the law] in California, where nobody can see your credit report unless you have previously authorized it by providing a very long password," says Wood. However, most of the laws allow credit bureaus to charge fees for implementing a freeze (in California, the fee is $10 for each bureau) and for temporarily lifting the freeze ($10 or $12 per request per bureau).
The Consumer Identity Protection and Security Act, introduced by Senator Mark Pryor (D-Arkansas), would address some of those limitations by establishing the right of consumers to freeze their credit reports at no cost and to authorize the release of credit files to specific parties or for a specific time by contacting a credit agency.
Meanwhile, Senator Dianne Feinstein (D-California) has introduced the Notification of Risk to Personal Data Act, which would require companies to alert consumers nationwide to any unauthorized acquisition of their information.
Privacy advocates have problems with nearly all of the bills under consideration. According to ITRC's Foley, "Congress wants to add a phrase such as 'if there is a 50 percent chance you will become a victim of ID theft.' What the businesses are going to say is, 'Well, we can't confirm that there's going to be a risk of harm until someone becomes a victim'."
Balancing the rights of individuals with those of people who have a legitimate need to know is a tricky issue. As Foley acknowledges, "Don't you want to know if the nanny you hire has a criminal record?" But consumers should be able to exercise far more control than they have now over who accesses their personal information and what they can do with it.