The good news is that the U.S. Congress is turning its attention to identity
theft. The bad news is that Congress is unlikely to produce truly effective
legislation. The Personal Data Privacy and Security Act of 2005 is one bill
that attempts to address ID theft and misuse of personal information. It
was introduced at the end of June by
Senators Arlen Specter and Patrick Leahy. Text of the bill is available
from thomas.loc.gov.
The bill's summary sounds good:
To prevent and mitigate identity theft; to ensure privacy; and to enhance
criminal penalties, law enforcement assistance, and other protections
against security breaches, fraudulent access, and misuse of personally
identifiable information.
The bill does have some sensible provisions. It would, for example, specifically
prohibit companies from selling social security numbers without the explicit
consent of the individual. The bill would also require that individuals be
notified when their personal information has been compromised, and would
require "data collectors" to disclose, on request, what information they are
collecting. The bill would also stiffen penalties for identity theft and for
concealing security breaches.
While there is a lot to like about the bill, it has more than its share of
flaws. Section 422 of the act requires "any business entity or agency
engaged in interstate commerce that involves collecting, accessing, using,
transmitting, storing, or disposing of personally identifiable
information" to provide written notification of an information
compromise or, if the address is
unknown, notification by phone. The problem with requiring a written notice
or phone call is that many sites that would be required to comply with the
law do not necessarily collect addresses or phone numbers. Forcing them to
start gathering that information would be burdensome, would intrude on the
privacy of the people who are allegedly being protected, and would add to the
amount of data that could be stolen in the event of a successful attack.
The act also provides for a posting on the affected site, if more than
1,000 residents of the U.S. have been affected, and notice to "major
media outlets serving that State or jurisdiction" if more than 5,000
residents of a state or jurisdiction are affected. However, these appear to
be cumulative rather than alternative requirements: a company suffering a
breach large enough to cross all of these thresholds would apparently have to
notify every affected individual by phone or mail, post a notice on its site,
and send notice to "major media outlets."
There are a few flaws of omission in the bill as well. For example, as Jon Oltsik points
out, there's no provision for monitoring compliance with the bill. While
the bill prescribes heavy penalties for failing to comply, in its present form
non-compliance will only come to light after a breach has occurred, when it is
already too late. This is of little comfort to those who have already had their
information stolen and misused. Penalties for misuse and theft of data are
fine, but prevention would be much better.
While the bill requires data collectors to disclose information upon
request, it does not require any notification of collection. It's unlikely
that the average person even knows what organizations are collecting data
in the first place. To really "ensure privacy" the bill should prevent
unauthorized data collection altogether.
Also, the bill protects social security numbers, which is a good thing in and
of itself, but it is too specific. To be truly effective, now and in the
future, the bill should cover any government-issued ID. For example, it
would be prudent to include IDs that fall under the Real ID Act.
It would be nice to see a national data security law that would provide
notifications to individuals in the event that their information has been
stolen, and give additional control to individuals over the aggregation and
dissemination of personal data such as social security numbers. The
proposed Personal Data Privacy and Security Act of 2005 takes some
tentative steps in the right direction; hopefully its weaker points will be
addressed as the bill moves forward.