The following text is copyright 2006 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Congress not hearing the drumbeat
By Scott Bradner
It's now almost a year and a half since the ChoicePoint debacle, in which personal information (including Social Security numbers) on about 145,000 people was "improperly accessed" (to use ChoicePoint's description) and information on tens of millions of others was put at risk. The resulting publicity was instrumental in getting identity-theft-related laws passed in almost 3 dozen states but not, as of yet, by the U.S. Congress. But, considering some of the bills under consideration, it might be better for you and me if Congress continues to not act.
The security breach at ChoicePoint (see "Dumber decisions - safer world?", http://www.networkworld.com/columnists/2005/022805bradner.html) was not the first such incident and was certainly not the last. The Privacy Rights Clearinghouse maintains a list of the steady drumbeat of breaches reported since the ChoicePoint one (http://www.privacyrights.org/ar/ChronDataBreaches.htm). The list, of over 250 breaches of various types as of this writing, is not fun reading. Far too many laptop thefts with far too little encryption, but also far too many hacks of servers and missing unencrypted backup tapes. Most troubling, far, far too many cases where people were keeping Social Security numbers (SSNs) because they could, not because they actually needed them.
The reason that we know about most of these breaches is not because breached organizations always want to do the right thing but because of a four-year-old California law (http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html) mandating that people be notified if their non-public financial information might have been compromised. Specifically, in the words of the law, someone holding data must provide notification "to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."
Note that it's the breach that triggers the disclosure requirement, not an expectation that the breach might produce a risk to the individual whose data was compromised. The ChoicePoint case came to light when ChoicePoint got around to notifying California residents of the breach; without the law there is no reason to believe that ChoicePoint would have told anyone, since they did not do so after a breach that occurred before the California law went into effect. Companies are often reluctant to disclose breaches because it can cost real money: for example, ChoicePoint has settled with the Federal Trade Commission for $15 million, on top of whatever the incident cost ChoicePoint in direct expenses (http://www.ftc.gov/opa/2006/01/choicepoint.htm).
The sum total of people put at risk by the breaches in the Privacy Rights Clearinghouse list is just over 90 million. To put this into context, according to published reports, up to 9 million people in the US have suffered some form of identity theft.
Congress has held a number of hearings since the ChoicePoint publicity and has been considering a number of bills that would ostensibly help reduce the threat of identity theft. All of the bills have one thing in common: they would preempt state laws in favor of a consistent national policy. But most of the bills look like they were written by lobbyists working for the likes of ChoicePoint. For example, a bill being considered by the US House (http://thomas.loc.gov/cgi-bin/query/D?c109:2:./temp/~c109phbwmI::) would let the breached company decide whether it should notify you of a breach: it would need to if it felt the data was going to be misused to cause you financial harm, but not under any other conditions. Under this proposal we will hear less about companies that are sloppy with your data.
With friends like these in Congress it might be better to let them continue to fail to deal with the issue and keep the state laws in effect.
disclaimer: Harvard tries not to teach people to fail, but in some cases it might be a good idea; if so, it's my idea, not Harvard's.