Privacy and Security Law Blog

Posted By Joe Addiego

The Identity Theft Enforcement and Restitution Act of 2007 recently was introduced to the Senate Committee on the Judiciary by Senator Patrick Leahy, the Chair of that Committee. The purpose of the bill is “to enable increased federal prosecution of identity theft crimes and to allow for restitution to victims of identity theft.”

The bill is aimed at “malicious spyware, hacking and keyloggers,” as well as “cyber-extortion,” and it offers a number of remedies that may be pursued by both the government and individuals in response to occurrences of identity theft. For example, if passed into law, any use of spyware or keylogging that causes damages to 10 or more computers would be punishable as a felony.   The government also would be able to pursue more incidents of such cybercrime, as the bill would allow prosecution where the victim and alleged cyber-criminal are residents of the same state (the current version of the law would require the theft to occur over interstate or international borders). Further, victims of identity theft would have the right to seek “criminal restitution” from the perpetrator for the time and expense related to the victim’s efforts to restore their credit that was damaged as a result of identity theft. The bill has not yet been scheduled for debate or vote.

Posted by Bruce E. H. Johnson

The Real ID Act has been described by Crosscut columnist Skip Berger as creating "what is in essence America's first national identity card using driver's licenses that could be embedded with computer chips and biometric information, such as fingerprints. It has been proposed that such cards be required of every citizen who wants to drive, access government buildings, apply for federal benefits, or fly on commercial aircraft. Management of the vast databases would fall to each state's department of motor vehicles."

Posted by Anne Shelby

Could this be the year that Congress enacts comprehensive data security and breach notification legislation? As the seemingly endless stream of news stories announcing the latest breaches continue, Members of Congress consistently voice their support for uniform national laws. Washington insiders and observers have expressed divergent predictions: some are optimistic while acknowledging the challenges of such legislation, while others are less so, often pointing to the fact that similar circumstances surrounded the proposed CAN-SPAM Act, which took four years to become law.    

Posted by Charlene Brownlee

Congress approved S. 1608, the “Undertaking Spam, Spyware, And Fraud Enforcement with Enforcers beyond Borders Act of 2006,” (the US SAFE WEB Act of 2006) on December 9, 2006. The US Safe Web Act amends the Federal Trade Commission Act (FTCA) and improves the Federal Trade Commission (FTC)’s ability to protect consumers from international fraud by: (1) improving the FTC’s ability to gather information and coordinate investigation efforts with foreign counterparts; and (2) enhance the FTC’s ability to obtain monetary consumer redress in cases involving spam, spyware, and Internet fraud and deception.

Posted by Randy Gainer

Senator Arlen Specter attempted to attach an amendment to the Senate version of the Supplemental Appropriations bill that was passed by the Senate on May 4, 2006. The amendment would have prevented government agencies from using any funds "appropriated by this or any other Act" to carry out the NSA program acknowledge by President Bush on December 17, 2005, or to carry out any related programs unless the administration briefed the House and Senate Intelligence Committees about the programs. The proposed amendment, SA 3679, was rejected by the Senate.

Posted by Teena Lee

On March 23, 2006, the House Energy and Commerce Committee announced that it reached a bipartisan agreement on the Data Accountability and Trust Act (DATA), H.R. 4127. The amendments appear to address a couple of the concerns raised by various consumer advocacy groups to the original bill.

As reported here previously, objectors complained the Act left the target of a security breach too much discretion to determine whether notification should be made and failed to allow parties other than the FTC enforcement powers. The "manager's amendment" appears to try to address those concerns and changes the threshold for consumer notification from a "significant risk of identity theft" to a "reasonable risk of identity theft to the individual to whom the personal information relates, fraud or other unlawful conduct" and provides enforcement powers to state attorneys general, in addition to the FTC.

Posted by Randy Gainer

Many businesses favor a federal data breach law. Businesses need to respond to the perception among consumers that, if consumers provide sensitive private data to businesses, the data are at risk of being misused for fraud and identity theft. That perception has apparently contributed to a decrease in the number of consumers who are willing to provide their information, for example, to on-line businesses.

There are currently more than 20 state laws that require consumers to be notified when sensitive data are disclosed. They include several different standards for when such notices must be sent. This generally requires businesses with consumers from multiple states to apply the most restrictive standard, which is to notify consumers when there is any unauthorized disclosure. Many business officials would like to see a uniform national standard regarding the circumstances in which they must notify consumers. Because notifying consumers is expensive, may trigger class action lawsuits against a business, and causes harm to businesses' reputations and goodwill, many businesses a favor a notification standard that requires that consumers be notified only when consumers are likely to be exposed to fraud or identity theft as a result of a data breach.

Posted by Teena Lee

On October 25, 2005, Representative Cliff Stearns (R-Fla.), introduced Bill H.R. 4127 in the House of Representatives, the Data Accountability and Trust Act (DATA). Purportedly in response to the ChoicePoint and LexisNexis breaches and failures of security, the Act, in brief, charges the FTC to promulgate regulations requiring persons engaged in interstate commerce that own or possess data containing personal information in electronic form to establish and implement information security policies and procedures concerning the treatment and protection of personal information. Notably, the bill would preempt state information security laws. On November 3, 2005, the DATA Act was approved on a vote of 13-8 by the Energy and Commerce Committee's Subcomittee on Commerce, Trade and Consumer Protection, and has been forwarded to the full Energy and Commerce Committee, where it presently sits.

Posted by Brian Bennett

Several federal spyware proposals would pre-empt state spyware legislation. Proponents of the federal proposals argue that the public is clamoring for the federal government to address the problems of spyware. Critics of federal spyware proposals point to the federal Can-Spam Act, which, by pre-empting stricter state laws, arguably may have increased the volume of spam. Critics warn that the same thing could happen with federal spyware legislation.

Posted by Kraig Baker

The Personal Data Security and Privacy Act, the bill originally sponsored in the wake of the high profile data breaches this summer and shelved while the Judiciary Committee was considering the confirmation of Chief Justice Roberts, has again moved to the forefront. Senators on the Judiciary Committee have agreed on a revised bill that harmonizes a number of the provisions in the original proposals. Chairman Specter and Senator Leahy have suggested that a Committee Vote could take place as early as next week.

Last week, the Senate's Commerce, Science and Transportation Committee unanimously approved an identity theft bill, entitled the "Identity Theft Protection Act of 2005" (S. 1408), designed to "set[] national standards to safeguard individual personal information, to notify consumers of data breaches, to require businesses to improve their safeguards for sensitive consumer information, to give consumers the right to freeze their credit reports to thwart identity theft, and to limit the solicitation of social security numbers by commercial entities." If enacted, the bill would authorize the Federal Trade Commission to specify "physical and technological safeguards" that business and other entities that collect personal information would be required to put in place.

Last week the U.S. Congress concluded its summer session amid a flurry of activity in connection with privacy and security matters, including a Senate vote to extend the USA Patriot Act and committee action on several identity theft bills. The congressional response to the widely-reported security breaches over the past several months follows action in a number of state legislatures, most notably California.

More specifics on what Congress is doing in our next posts...