ID theft legislation slippery slope

Few things can be more infuriating than having someone steal your identity — Social Security number, bank account numbers, credit card numbers, even your medical records. Such “identity theft” — as well as the related simple loss or unauthorized release of personal information — is occurring more often in our digitized society.

On Monday, California Sen. Dianne Feinstein introduced a revised version of legislation she first introduced in January to tighten rules on data collection and security. “We desperately need a strong national standard that says whenever a data system is breached, everyone who is at risk of identity theft must be notified,” she said in a statement.

The problem has been highlighted by several recent, major losses of data. In February, ChoicePoint, a data-gathering service in Georgia, announced the personal information of 145,000 Americans might have been stolen, including Social Security numbers. In March, a laptop computer containing data on 98,000 graduate students and applicants at UC Berkeley was stolen.

And just Monday, LexisNexis, reported Reuters, said “identity thieves have stolen information on 310,000 U.S. citizens from its computer systems, 10 times more than its initial estimate last month.”

This is a serious matter that deserves at least robust discussion. But, although legislation may be necessary, new laws must be weighed against the competing values of normal contracts and data exchange, and against current private initiatives already at work in the marketplace.

The senator is proposing legislation involving three major reforms:

• Firms that lose data would have to notify victims by postal mail or e-mail. (ChoicePoint actually did notify people by postal mail.) Civil fines of $1,000 per person would be imposed on the company.

The best remedy would be to send a letter by postal mail to victims, said Deborah Pierce, executive director of Privacy Activism, a San Francisco-based privacy group. Many people ignore unexpected e-mails because they think they’re those “phishing” solicitations that want personal information.

Pierce also pointed out that due to an investigation, law enforcement delayed ChoicePoint’s notification of victims from October, when the security breach was first known, until February. The Feinstein legislation would continue authorizing that practice and would also authorize delays for national security. But what’s really needed, Pierce said, is legislation mandating that victims be notified immediately, so that they might begin action to protect themselves or limit the damage from the loss of their information.

We hope these factors are discussed at hearings before the Senate Judiciary Committee. The next two pieces of legislation will be discussed at hearings that have yet to be scheduled.

• Legislation that would, in the senator’s summary, “require companies to ask consumers whether they would allow their most sensitive personal information to be sold (opt-in). And for less critical data, consumers could tell companies that they don’t want their data sold (opt-out).”

One has to be careful here. As with some state banking laws, the “opt-in” requirement might make even more paperwork, slowing down financial and medical systems. (For example, a hospital might want to transfer one’s medical data to an outside facility to see if better treatment can be obtained. Requiring prior approval could slow the process.) Probably the best reform is to ensure only an opt-out provision.

• Finally, a third piece of legislation, in the senator’s summary, “would prohibit the sale or display of Social Security numbers to the general public without individuals’ knowledge and consent.” And government couldn’t display a person’s Social Security number on the Internet.

We recall that President Roosevelt promised, when Social Security was enacted in 1935, that the Social Security number never would become an ID number. So we certainly don’t object to government limiting its own use of this number.

But the use of the Social Security number as ID has become so common in commerce and law enforcement that restrictions here could, for example, require more paperwork and delay transactions such as mortgage or job applications.

Although the data theft issue has been in the news lately, we urge a “go slow” approach to new legislation.