[ISN] No Fed Security Laws, Hurrah!!

From: InfoSec News (isn@private)
Date: Fri Nov 11 2005 - 00:39:04 PST


http://www.wired.com/news/politics/0,1283,69525,00.html

By Ryan Singel
Nov. 10, 2005

Despite the seemingly unending torrent of citizens' data pouring into
the hands of identity thieves, Congress is unlikely to pass any
data-security bills by the end of the year, according to Hill
watchers.

And consumer advocates say that's a good thing.

After the nationwide uproar when ChoicePoint admitted it sold 145,000
dossiers to Nigerian identity thieves, 20 states followed California's
lead and passed laws requiring companies to notify citizens when their
data had been compromised.

Now, companies are already acting as if the country had a national
notification law, said Gail Hillebrand, a senior attorney at Consumers
Union [1]. In addition, Hillebrand said the strict state laws are more
consumer-friendly than any proposals in Congress.

"I would rather see Congress fail to act than pass a weak federal bill
that gives less notice than consumers are already getting due to
stronger state laws," Hillebrand said.

Chris Hoofnagle, director of the Electronic Privacy Information Center
West [2], echoed Hillebrand's assessment, adding that as new state
laws go into effect in the beginning of 2006, federal lawmakers will
face pressure from states that don't want their legislation overridden
by Congress.

"Consumers will get a better deal with no federal bill this year,"  
Hoofnagle said.

In particular, Hoofnagle and Hillebrand point to portions of several
congressional bills that would require notification only if the
company determines it is likely that identity theft will happen.

By contrast, California requires businesses or agencies to notify
anyone whose name and Social Security number, or credit card number,
was acquired by an unauthorized person.

Though banks and data brokers have long opposed federal privacy
legislation in favor of self-regulation, both industries are now
asking Congress to step in to create a single national standard and
cap the limits on their liability in case of a breach.

Congress' progress toward a final bill has been stalled by the sheer
number of proposed bills and the number of committees that claim
jurisdiction over consumer rights, financial institutions and data
brokers.

Just last week, a House consumer-protection subcommittee approved, by
a party-line vote, a bill [3] by Florida Republican Cliff Stearns,
while a House financial-services subcommittee will hear testimony on a
separate bill [4] Wednesday.

It is unlikely that Congress will be able to decide on a single bill
before it recesses in December, though the issue is expected to remain
a priority when Congress reconvenes.

Also at issue in the debate are state laws that allow consumers to
pre-emptively "freeze" their credit reports so identity thieves cannot
open new accounts without knowing a security code.

For instance, New Jersey's new law, which goes into effect Jan. 1,
allows residents to freeze their credit for free and then pay a $5
dollar fee to each credit bureau to open the report when they apply
for a line of credit.

Notification laws help, but credit freezes protect you from thefts you
don't even know about, according to Abigail Caplovitz, legislative
advocate for New Jersey Public Interest Research Group [5].

"We now live in the identity-theft world," Caplovitz said. "We need
credit bureaus to change how they do business."

[1] http://www.consumersunion.org/
[2] http://www.epic.org/west/
[3] http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=109_cong_bills&docid=h4127ih.txt
[4] http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=109_cong_bills&docid=h3997ih.txt
[5] http://www.njpirg.org/



_________________________________________
Earn your Master's degree in Information Security ONLINE
www.msia.norwich.edu/csi
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.



This archive was generated by hypermail 2.1.3 : Fri Nov 11 2005 - 01:21:43 PST