about NCL»     publications»     NCL news»     join NCL»     search»     contact us»
 

A Policy Framework for Effective ID Theft Legislation

 

November 9, 2005

 

Chairman Specter

Ranking Member Leahy

Committee on the Judiciary

224 Dirksen Senate Office Building

Washington, DC 20510

 

Re: A Policy Framework for Effective ID Theft Legislation

 

Dear Chairman Specter and Ranking Member Leahy,

 

We applaud your efforts to secure individuals' personal information in light of recent security breaches that have exposed data of over 50 million Americans this year alone. These data security problems were brought to the public's attention because of a California law that required disclosure of all security breaches, regardless if fraud has occurred. The disclosures have raised public awareness of important privacy and security issues, among them, a new and growing consumer awareness of commercial data brokers, an industry that trades in Americans' personal information with little oversight or accountability.

 

We are concerned, however, that recent proposals to address privacy, identity theft, and data security would preempt state law and establish a much weaker set of protections than are currently available to many consumers. In addition, these proposals largely address data security only, rather than whether the sale of detailed dossiers on individuals for vague "fraud management" purposes is legitimate and fair to consumers.

 

Legislation contemplated by the Committee should be guided by a strong policy framework for effective identity theft legislation. Such a framework would include:

 

  • Notice of Security Breaches. Standards that require a proof of harm are unworkable, and will result in bad practices being obscured that currently are subject to disclosure. It is not possible for breached entities to know if or when personal data will be used to commit fraud. Because risk is not assessable, the affected individuals must be notified in all instances in order to take the necessary precautions.

  • A Broad Definition of Identity Theft. Individuals are harmed by all forms of identity theft, whether impostors open new accounts or engage in simple credit card fraud. "Identity theft" should be defined to encompass all situations where personal data, including account numbers, are used for fraud or attempted fraud.

  • A Consumer-Friendly Security Freeze. All consumers need the right to secure their credit reports with a passcode to prevent the most harmful forms of identity theft. Because the security freeze only prevents fraud if consumers use it, it must be designed to be consumer friendly: it should be free, easy to initiate, easy to temporarily lift, and quick to take effect.

  • Limits on Collection, Use, and Disclosure of Social Security Numbers.  Congress should place substantial limits on the private sector's collection, use, and disclosure of the SSN. Protecting the SSN is critical to reducing identity theft. Congress should also prohibit the publication of Social Security Numbers in public records at the federal, state, and local level.

  • Preservation of State Law. We know of the spate of recent security breaches only because California enacted legislation that required disclosure of all security breaches. Federal legislation that adequately addresses privacy and security concerns need not be preemptive, because states will not pass stronger laws in the presence of a good national measure. Binding the hands of the states will restrict their role as laboratories of democracy, and ultimately hamper experiments in addressing privacy, identity theft, and data security risks.

  • Special Measures to Address Commercial Data Brokers. Legislation concerning these sellers of personal information should give individuals the right to view all their information in their file at no charge, to correct that information, and to see an audit log showing who gets personal information and why. Furthermore, Congress should carefully examine how commercial data brokers use information because these companies, through legal artifice, have skirted the reasonable limits on data use set by the Fair Credit Reporting Act. This is especially urgent for victims of identity theft who have acquired felony records, and false records that become apparent when they are denied employment. Their lives are ruined and they have no present right to correct the data broker files.

 

We look forward to working with you on these matters.

 

Sincerely,

 

Jeff Chester

Executive Director

Center for Digital Democracy

 

Ken McEldowney

Executive Director

Consumer Action

 

Chris Hoofnagle

Senior Counsel

Electronic Privacy Information Center

 

Mari J. Frank, Esq.

Attorney, Mediator, Privacy Consultant

 

Linda and Jay Foley

Co-Executive Directors

Identity Theft Resource Center

 

Michael D. Ostrolenk

Founder/National Director

Liberty Coalition

 

Susan Grant

VP Public Policy

National Consumers League

 

Linda Ackerman

PrivacyActivism

 

Robert Ellis Smith

Publisher

Privacy Journal

 

Beth Givens

Executive Director

Privacy Rights Clearinghouse

 

Evan Hendricks

Editor

Privacy Times

 

Edmund Mierzwinski

Consumer Program Director

US PIRG

 

Pam Dixon

Executive Director

World Privacy Forum