Can Legislation Stop Identity Theft?

The recent US$15 million settlement between ChoicePoint and the Federal Trade Commission (FTC) signals regulators have cranked up the heat on companies that allow personal customer data in their possession fall victim to breach or exposure.

ChoicePoint, a broker of consumer data, acknowledged that information on 163,000 consumers was exposed when its database was infiltrated. It agreed to pay a $10 million fine imposed by the FTC and to set up a $5 million account to help those who fell victim to identity theft as a result.

Millions Exposed

ChoicePoint will also undergo regular audits for the next 20 years and implement additional privacy measures -- as will another company that settled with the agency, CardSystems, which was accused of exposing some 20 million customer credit card records.

As much as the FTC had hoped to send a message, it seems that get-tough approaches from regulators and even promises from lawmakers to address identity theft with tougher legislation are not likely to provide enough protection for consumers.

Almost three years after California made history by implementing the first law requiring that companies notify customers if databases containing personal records are breached, lawmakers regularly vow to beef up penalties for companies that let information in their control fall into the wrong hands.

According to the Privacy Rights Clearinghouse, more than half the states have passed database-breach notification laws since California's took effect in July of 2003, with Congress now mulling several proposals to extend the requirement nationwide.

The laws have led to scores of disclosures in the past year, according to the clearinghouse, which said that since the start of 2005, more than 53 million individual records had been exposed through hacking, insider theft or simple human error leading to misplaced or lost data storage tapes. The new year has gotten off to a busy start as well, with some 18 incidents reported by the clearinghouse by mid-February, or about three per week.

Falling Short

Many believe legislative efforts will fall short of the mark. While lawmakers recognize the urgency of addressing the ID theft trend, the laws they are likely to pass will often be softened on their way through the legislative process thanks to heavy lobbying from corporations, trade groups and others, Todd Davis, the chief executive officer of LifeLock, which offers a proactive anti-identity theft service, told the E-Commerce Times.

"Any legislation that makes it through is going to be watered down," Davis said. "The federal government is also going to rein in any state that tries to do too much in this area, especially if they're reaching beyond their borders."

The bigger issue, as he sees it, is that notification laws give corporations an incentive to avoid taking responsibility. Companies are often reluctant to admit fault, and some may feel that offering to help prevent identity theft based on a data breach may be the equivalent of admitting wrongdoing -- and opening the door to hefty legal claims.

"The first thing that happens is that lawyers get together and say we're not going to offer them services to protect their identity because that implies we've accepted liability," Davis added. "Most of the legislation is more grandstanding. The lawmakers can say they've done something -- they put legislation in place. But with all the corporate lobbyist groups, the odds of us getting true notification and prevention are pretty small."

LifeLock is one of several firms that have sprung up to address the issue. Davis said his company is the only one that offers a guarantee, with LifeLock saying it will pay up to $1 million in losses incurred if a paying client -- the service costs about $10 a month -- is victimized by ID theft.

Davis did not disclose how many people have signed up for his service, but said it is growing rapidly thanks to the intense attention the issue of data theft and identity pilfering is garnering in the media.

"It's gone from something that no one worried about to something that everyone is aware of in a very short time," he added. "Private enterprise is better equipped to solve this problem."

Mistakes Continue

That doesn't mean lawmakers won't keep trying to address it or that regulators won't continue to beef up their own efforts. Still, the drum beat of data exposures continues, with colleges, hospitals and private corporations continually stubbing their toes with high-profile mistakes. One recent example involved the Boston Globe, which said as many as a quarter-million subscribers may have had their credit card numbers exposed when they were inadvertently printed on sheets sent out with bundles of newspapers.

The New York Times subsidiary moved quickly to address the issue, disclosing the breach in its own pages, on its Web site and in letters to those impacted, and offering them a chance to enroll in a credit-monitoring service for a year. So far, no incidents of identity theft stemming from the exposure have been reported.

In many instances, companies are turning over control of data to third parties for processing or storage, often without first ensuring they can keep it safe, noted Privacy Rights Clearinghouse Director Beth Givens.

"The easier it gets to transfer billions of bits of confidential data by pushing a button, the more difficult it is to safeguard our private records," she noted.

The Privacy Rights Clearinghouse supports the strongest possible federal standards and believes that existing state laws regarding database breaches and notification must not be pre-empted, according to Givens.

Many privacy groups also support extending database breach laws to include paper files, as well as digital formats, and more protections for consumers who are victims of breaches, including credit freezes that raise the standards for issuing new credit cards.

That legislation may be difficult to come by, said Davis, but may be necessary, since existing regulations haven't had the desired impact.

"There was supposed to be an element of shame -- and the bad publicity driving companies to do better," he said, "but given all the breaches that are happening, I don't think too many companies have been shamed too badly yet."