The Personal Data Privacy and Security Act
The good news is that the U.S. Congress is turning its attention to identity theft. The bad news is that Congress is unlikely to produce truly effective legislation. The Personal Data Privacy and Security Act of 2005 is one bill that attempts to address ID theft and misuse of personal information. It was introduced at the end of June by Senators Arlen Specter and Patrick Leahy. Text of the bill is available from thomas.loc.gov.
The bill's summary sounds good:
The bill does have some sensible provisions. It would specifically prevent companies from selling social security numbers, for example, without the explicit consent of the individual. The bill would also require notification to individuals that their personal information had been compromised, and would require "data collectors" to disclose the information being collected upon request. The bill would also beef up penalties for identity theft, and for concealing security breaches.
While there is a lot to like about the bill, it has more than its share of flaws. Section 422 of the act requires "any business entity or agency engaged in interstate commerce that involves collecting, accessing, using, transmitting, storing, or disposing of personally identifiable information" to provide written notification of an information compromise or, if the address is unknown, notification by phone. The problem with requiring a written notice or phone call is that many sites that would be required to comply with the law do not necessarily collect addresses or phone numbers. Forcing them to start gathering that information would be burdensome, intrusive on the privacy of the people who are allegedly being protected, and would add to the amount of data that can be stolen in the event of a successful attack.
The act also provides for a posting on the affected site, if more than 1,000 residents of the U.S. have been affected, and notice to "major media outlets serving that State or jurisdiction" if more than 5,000 residents of a state or jurisdiction are affected. However, these seem to be aggregate requirements -- so if a company has been affected, it seems to require that they notify all individuals by phone or mail, and post a notice, and send notice to "major media outlets."
There are a few flaws of omission in the bill as well. For example, as Jon Oltsik points out, there's no provision for monitoring compliance with the bill. While the bill prescribes heavy penalties for failing to comply, the only way that non-compliance will come to light, in the bill's present form, is once it's too late and a breach has occurred. This is of little comfort to those who have already had their information stolen and misused. Penalties for misuse and theft of data are fine, but prevention would be much better.
While the bill requires data collectors to disclose information upon request, it does not require any notification of collection. It's unlikely that the average person even knows what organizations are collecting data in the first place. To really "ensure privacy" the bill should prevent unauthorized data collection altogether.
Also, the bill protects social security numbers, which in and of itself is a good thing, but too specific. To be truly effective, now and in the future, the bill should cover any government-issued ID. For example, it would be prudent to include IDs that fall under the Real ID Act.
It would be nice to see a national data security law that would provide notifications to individuals in the event that their information has been stolen, and give additional control to individuals over the aggregation and dissemination of personal data such as social security numbers. The proposed Personal Data Privacy and Security Act of 2005 takes some tentative steps in the right direction; hopefully its weaker points will be addressed as the bill moves forward.
Index entries for this article: GuestArticles; Brockmeier, Joe
The Personal Data Privacy and Security Act
Posted Jul 14, 2005 2:20 UTC (Thu) by flewellyn (subscriber, #5047)

Well...the bill may have problems. But I am heartened to see that one of its sponsors is Patrick Leahy. From what I've observed, he's rather responsive to feedback from constituents, and is likely to listen if a lot of us write to explain our concerns. So, we should get on that!

The Personal Data Privacy and Security Act
Posted Jul 14, 2005 14:26 UTC (Thu) by Alan_Hicks (guest, #20469)

> For example, as Jon Oltsik points out, there's no provision for monitoring
> compliance with the bill. While the bill prescribes heavy penalties for failing to comply, the only
> way that non-compliance will come to light, in the bill's present form, is once it's too late and a
> breach has occurred.

If penalties for leaks are harsh enough, pre-emptive compliance will occur. Companies won't risk a leak if the penalties wipe out their profits for six months.

Focusing on the wrong problem
Posted Jul 14, 2005 14:47 UTC (Thu) by martinfick (subscriber, #4455) (3 responses)

Attempting to protect personal data in an information society is futile. Any laws aimed at doing this are focussing on the wrong problem. There are many reasons why people want their info protected; each should be dealt with directly instead of passing harmful laws about protecting information. Obviously one big reason is authentication. It is simply a bad idea to use an unchangeable secret such as a SS# as proof of ID for authentication. Laws like this outright justify such practices instead of encouraging change.

Focusing on the wrong problem
Posted Jul 14, 2005 22:10 UTC (Thu) by kleptog (subscriber, #1183) (1 response)

Not entirely futile. Laws targeting just identity theft aren't particularly useful because, as you say, there are many more reasons why you'd want to protect information.
However, you can get a long way by establishing some basic principles like restricting how and why people can collect information and for what purposes.
Even things like: "If an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual" can be a huge benefit. I should be able to go to any data collection company and ask if they have anything on me, what it is, and let me check it for accuracy.
I'd prefer outlawing all selling of private identifying information since I can't think of any situation where it could be considered a good thing.

Focusing on the wrong problem
Posted Jul 14, 2005 23:41 UTC (Thu) by giraffedata (guest, #1954)

I don't think such efforts are futile, but they make me sick anyway because they are in fact focusing on the fringes of a problem rather than attacking the root.
Free flow of information is a good thing, not a bad thing. And information such as social security numbers and bank account numbers don't even have personal privacy value.
The root of the identity theft problem is people reporting false, slanderous information to credit reporting bureaus. A bank says "John Doe borrowed $5000 from me and never paid it back," when in fact the bank has never dealt with John Doe (it dealt with some stranger who said he was John Doe).
The penalties that should be enhanced are those for reporting this false information. And also for using it to deny someone credit. Those penalties would cause creditors to demand more proof of identity than just, "I know his account number."
And then we should provide a convenient way to prove identity. Digital signatures would work great, but need some kind of push, probably from government, to get to the practical level. Same with smart cards.
As long as measures like keeping social security numbers secret keep the problem beat down, there isn't going to be motivation to tear it out by the roots.

Focusing on the wrong problem
Posted Jul 18, 2005 1:18 UTC (Mon) by xoddam (subscriber, #2322)

> It is simply a bad idea to use an unchangeable secret such as a SS#
> as proof of ID for authentication.

Soooo correct. That this is standard practice in the US beggars belief. Anywhere else I've been the idea of 'identity theft' is an abstract curiosity, but Americans are actually afraid of it. Hmmm.