WASHINGTON – Identity thieves who might have been worried that Congress would block their way into people's bank accounts will likely get a reprieve until at least early 2006, but that doesn't mean lawmakers are ignoring the problem.
"Congress is absolutely taking this seriously," said Consumers Union policy analyst Susanna Montezemolo. However, "there is no way this is going to get done at the end of this year."
Identity theft — the lifting of someone's personal information such as Social Security numbers, bank accounts and credit histories — allows criminals to steal bank account holdings, open credit lines under other people's names, complete electronic purchases as someone else and even earn utility and government benefits.
After this year's high-water mark for one problematic precursor to identity theft — massive private data security breaches at large data aggregators like ChoicePoint, MasterCard and LexisNexis — lawmakers introduced more than a dozen bills aimed at combating identity theft, and other legislation has included provisions to make personal information harder to access.
So far, none of the broader bills has become law, but two bills are ready for a vote on the Senate floor.
Earlier this month, the Senate Judiciary Committee approved Chairman Arlen Specter's bill on identity theft. The committee moved out a separate bill by Sen. Jeff Sessions in October. Passing the committee stage is a major step toward becoming law, but other big steps remain. Legislation in the House has not gotten as far.
Both Senate bills take aim at so-called data brokers like ChoicePoint, one of the companies that drew public scrutiny when it admitted that it had files stolen from it — in ChoicePoint's case, about 162,000 individuals have been notified of possible breaches.
Data brokers like ChoicePoint are responsible for collecting personal data on millions of Americans and then selling them for legal purposes like business marketing, employment background checks and law enforcement.
Industry watchdog groups estimate that this year alone, 50 million personal data files were accessed from ChoicePoint, LexisNexis and MasterCard accounts.
Unlike the banking industry, data aggregators are not subject to federal privacy laws. The Federal Trade Commission can bring civil action in ID fraud cases, but not criminal penalties. That is up to local, state and federal law enforcement agencies like the FBI and Secret Service. According to ChoicePoint's most recent quarterly filings with the Securities and Exchange Commission, the company is being investigated by both the FTC and the SEC.
Specter's and Sessions' bills appear to be in conflict with each other, but aim to accomplish similar goals: to force currently unregulated companies like ChoicePoint to notify people whose files were breached that they could be at risk of identity theft.
Proponents of such a measure say that the single step of telling people about the risk goes a long way to help them prevent actual fraud. The ID theft victims can then begin checking their credit histories to watch out for possible fraud.
But concerns still bubble over such a bill.
Sessions has said legislation shouldn't force companies to send out notification to millions of people every time the slightest risk emerges that someone’s identity may have been stolen. Industry spokesmen say that would be too burdensome, overloading the industry and inundating the public with news of harmless system blips.
Sessions' bill allows companies that own or license personal data to first conduct "a reasonable investigation" to determine that a "significant risk of identity theft exists as a result of a breach." Only then would they have to notify people whose data they keep.
Specter's bill sets more specific triggers for when a data aggregator must notify people and provides separate guidelines for when law enforcement officials must be notified.
Sessions has said that defining a "significant risk" avoids the "pitfalls" of over-notification that lead to apathy, but still allows notices to reach consumers.
FTC Chairman Deborah Majoras, in written testimony submitted to the Senate Commerce, Science and Transportation Committee in June, supported the "significant risk" standard.
She said consumers should "receive notices when they are at risk of identity theft, but not require notices to consumers when they are not at risk." She also said "the goal of any notification requirement is to enable consumers to take steps to avoid the risk of identity theft. To be effective, any such requirement must provide businesses with adequate guidance as to when notices are required."
The concerns aren't limited to the consumer and regulatory sectors. Banking and computer industries also have weighed in.
The American Banking Association hasn't taken a position on any of the bills, said spokesman John Hall, but some laws could pose more difficulty for financial institutions.
"We're concerned with redundant rules," Hall said. Banks don't want to face more regulation in data security, an area in which federal law already guides banks. But a federal law could help smooth things out where state laws differ.
"This patchwork of state laws really doesn’t benefit anyone in the long run," Hall said. State privacy laws could be strict enough to discourage a business from working in one state, hurting consumers by decreasing business competition.
But consumer advocate Montezemolo said Sessions' bill poses specific concerns about watering down existing state notification laws. She said nearly two dozen states have notification laws, some of which, including California's, are credited with being strong enough to force national notification by companies like ChoicePoint, which is based in Georgia.
She said the weak "significant risk" language in the bill could allow companies to cover up the types of breaches uncovered by those laws this year.
"Consumers need to know, period," she said.
Computer industry representatives have been taking positions on the matter, too. In early November, computer software giant Microsoft called for comprehensive federal legislation that would pre-empt state privacy laws as well as match worldwide privacy standards, yet require minimum security standards for data storage and transmission and provide consumers the ability to control the release of their information.
Proposals before Congress also contemplate other security features, including:
— So-called security freezes that would allow consumers to call credit reporting bureaus to prevent others, including identity fraud artists, from accessing information without permission of the consumer.
— Giving consumers the right to correct bad information collected by data brokers.
— Protecting what is arguably the most widely used piece of personal data, the Social Security number, a highly coveted piece of information for identity thieves.
Montezemolo said her chief concern is for those people whose data is being collected without their knowledge. She said lack of information is not the problem.
"We are not hearing ... that consumers are receiving too many notifications," Montezemolo said. "We're hearing, 'We want the problem to stop.'"