
Identity Theft Legislation In The Works

Not surprisingly, the U.S. Congress is stepping into the identity theft arena with the potential for national legislation. Brian Krebs at the Washington Post reports that Sen. Feinstein is working on an identity theft bill. Some elements of the bill are controversial, but that is no surprise: we're nowhere close to consensus on how to deal with identity theft.

According to Krebs,

Feinstein, who chairs the subcommittee on terrorism, technology and homeland security, asked the five witnesses their opinions of the most controversial part of her identity theft bill. That portion would permit entities that experience a data loss, theft or breach to avoid notifying affected consumers if the entity decides the incident poses no risk of harm to consumers. The Feinstein bill currently contains a check that would require the entity suffering the breach to give a copy of the breach assessment to the U.S. Secret Service, which could overrule that decision and require that notice be sent.

One of the witnesses in a recent hearing, Jim Davis of UCLA, pointed out one of the biggest questions about notifying victims of identity theft: when does a breach present a sufficient risk to warrant notifying them:

"The definition of what is 'significant risk' is very difficult, so when we do our own analysis, it actually is going to be very difficult for us to find a situation in which we wouldn't notify" consumers, he said.

There is no simple answer. Sometimes we have obvious data breach debacles, e.g. TJX, and other times we have much less serious breaches. We are not going to have any clear-cut answers, and I'll bet the final bill will not satisfy anyone completely, but as the TJX breach shows, self-regulation is not up to the task.


Dan Sullivan's Bio:

Dan Sullivan is a systems architect with 20 years of IT experience that includes engagements in enterprise security, application design, and systems architecture. His experience includes a broad range of industries, including financial services, manufacturing, government, retail, gas and oil production, power generation, and education. Dan’s security-related project work has ranged from requirements analysis for enterprise information security to designing and implementing security for database applications and enterprise portals. Dan has written about information security and other enterprise information management topics for Business Security Advisor, DM Review, Intelligent Enterprise, and E-Business Advisor. You can contact Dan at: dan_sullivan@realtimepublishers.net