On the same day that Seisint, the division of LexisNexis, disclosed that there had a been a breach of the database, involving the exposure of the personal information of 310,000 people, Chuck Schumer and Bill Nelson, both Democrats, proposed what they call a comprehensive ID Theft bill.
According their press release:
"Sen. Schumer is a member of almost all the committees that would have jurisdiction over this bill including the Finance, Judiciary, and Banking Committees, and Sen. Nelson is a member of the Commerce Committee, which also has jurisdiction."
Schumer said, “What bank robbery was to the Depression Age, identity theft is to the Information Age. Identity theft has become so pervasive and so out-of-hand, that we must make a real effort to prevent it before it happens. When a company like Lexis-Nexis so badly underestimates its own ID theft breaches, it is clear that things are totally out of hand.”
“This bill not only will help stop the erosion of privacy,” said Nelson, a longtime champion of consumer privacy. “But it also will cut through the red tape identity theft victims now face when they try to restore their credit.”
Schumer continued, “Everyone knows that once your identity has been stolen, you can’t get it back. That is why our comprehensive measure focuses on making sure that your personal information isn’t surfing the Internet without your permission and that companies handling your Social Security number and other sensitive information should come under the watchful eye of the Federal Trade Commission immediately.”
SUMMARY OF WHAT THE BILL WOULD REQUIRE
Create an FTC Office of Identity Theft to help the millions of victims of ID theft each year to get their identity back through an easily accessible website, toll free phone number and consumer-service teams, and authorizes $60 million a year, for five years for this office.
Regulate data merchants (akin to regulation of credit bureaus) by:
- Make them register with the FTC;
- Institute safeguards to prevent fraudulent access by unauthorized parties;
- Develop authentication process for their customers with individualized passwords;
- Users allowed these passwords are people who have passed a reasonably effective background check;
- Data Merchant should track who accessed what records and for what lawful purpose they were accessed;
- Allow consumers, like with their credit reports, to obtain reports showing which data-merchants have their information and mandates a correction process to fix errors;
- Demands accuracy standards for their information;
- Regulates Credit Bureaus only if, and as far as, they sell credit header information currently unregulated by the Fair Credit Reporting Act and its amendments.
Any company that is collecting your sensitive personal information and plans to sell or transfer your information to an unaffiliated third party, must put a “Disclosure Box” on it, which lets the consumer know in PLAIN ENGLISH that “this information may be sold or given to an unaffiliated third party without your additional consent.”
Notification provisions in the case of an information breach are very similar to current California law (the law that forced ChoicePoint to notify consumers). But there is a new provision, allowing any consumer who is notified of a breach of their information to request, in writing, that their information be completely expunged from the company’s database.
Every company required to take “Reasonable Steps” to protect sensitive personal information they are storing.
Social Security Number Specific Provisions:
- Prohibits any company from asking for a Social Security number unless they actually need it in the normal course of business;
- Prohibits SSN’s displayed on employee IDs and prohibits inmates in prison from having any access to them as part of their prison jobs;
- Bans SSN purchase and sale, except for law enforcement, national security and fraud purposes;
- Grants U.S. Attorney General the ability to further define the exemptions as situations arise and exempt more if needed.
Would also require the FTC to:
- Study national, state and local governments’ public postings of Social Security numbers, come up with recommendations and forward them on to the relevant national, state and local governments;
- Require a thorough annual report each year on ID theft;
- For each section there’s a maximum penalty, usually $1,000 per individual record per violation, which can be administered by the FTC or Attorneys General.
- Study international identity theft and determine ways to combat it;
- Create a blue-ribbon working group representing both industry and consumer groups to find the best ways for private entities to protect consumer data;
Stop public postings of private financial account numbers (i.e. mutual fund companies posting shareholder information on Internet).
Preempts state law to the extent that it is inconsistent with the provisions of this bill and then only to the extent of the inconsistency. If the statute offers greater consumer protections than this bill, it shall not be preempted by this bill.
Create an Assistant Secretary for Cyber Security in the Department of Homeland Security, which is what an earlier Schumer amendment to the 9-11 bill and a bi-partisan house bill in the 108th would have done.
SOURCE: Press Release by Senator Schumer, April 12, 2005.