Friday, June 10, 2005

We welcome you to Crackerbox Palace

I guess all it will take is a senator or congressman to have their identity stolen (and have to go through the hassle that the average citizen faces) to get the legislation moving in a positive direction.

The Scramble to Protect Personal Information - New York Times: "A 2003 California law is widely credited with what Bruce Schneier, a highly recognized data security expert whose books include 'Secrets and Lies: Digital Security in a Networked World,' calls the 'public shaming' method of security enhancement. The law, which requires that the state's consumers be notified of security breaches involving data on them, has prompted a string of previously unheard-of corporate confessions - from big data brokers like ChoicePoint and LexisNexis, and from other financial and investment companies, like Wachovia and Ameritrade.
That is a start, Mr. Schneier said, but he said the fact that highly sensitive data was still being shipped by courier - on unencrypted tapes, as in the CitiFinancial case and in a loss of Time Warner employee data in transit earlier this year - is evidence that data aggregators of all stripes, acting rationally, have no particular incentive to speed the adoption of new and expensive methods of handling data.
'This is a capitalist society,' Mr. Schneier said, suggesting that no company can be expected to spend money to improve things simply 'for the public good.'
Rather, 'I believe we need actual liability or penalties associated with doing this,' Mr. Schneier said. 'It doesn't matter if it's made public or not. There must be a penalty. If you could say you have to pay the government $1,000 per name lost, the risk of the loss triggers the increased security.'
Just such a bill, along with dozens of others, is pending at the national level.
Senator Charles E. Schumer, Democrat of New York, has proposed the creation of an Office of Identity Theft under the auspices of the F.T.C., which would establish minimum security standards for any entity handling sensitive personal data, including Social Security and driver's license numbers, medical information and credit and bank account information. Failure to meet such 'reasonable standards,' according to Mr. Schumer's proposal, could result in fines of up to $1,000 per consumer affected.

Hard lobbying is almost certain to pull some of the teeth out of any such proposal - if shipping by U.P.S. were considered unreasonable, Citigroup might have faced a fine of about $4 billion - but the mission is clear.

'The world has changed and this kind of information is as valuable as cash and any institution dealing with it ought to treat it that way,' Mr. Schumer said. 'The old systems just aren't good enough.'

At least 22 bills dealing specifically with the problem of identity theft have been proposed since January - from both sides of the aisle. Taking a stand against identity theft is, after all, an easy position. Betting sorts have suggested that the legislation most likely to win approval is a national law emulating California's notification law. But as the number of consumers affected by each loss, each theft, each compromise creeps upward through the millions, the odds of getting more comprehensive legislation improve."