The growing online menace of identity and data theft has resulted in the introduction of another bill to address the problem. Last month, Senator Gordon Smith (R-Ore.) introduced the Identity Theft Protection Act, the 10th identity theft bill put into play this session.
As in previous bills, the Identity Theft Protection Act requires companies, schools or other groups that collect personal information to disclose any data breach. Failure to do so could result in fines of up to $11 million. Breaches that involve more than 1,000 people require that the organization inform the Federal Trade Commission (FTC). But, unlike other bills, this one has a low bar when it comes to consumer notification. Even if only one consumer's information is disclosed by a breach, that consumer must be notified.
Some in the technology industry are wary of the new bill, however, because it doesn't exempt data that's encrypted. "The standard should be 'no harm, no foul,'" according to Greg Garcia, VP for information security with the trade group Information Technology Association of America (ITAA). "If data is encrypted, there's a very low likelihood of that information being accessed," he says.
Requiring notification of data breaches involving encrypted data would only raise unnecessary alarm, Garcia asserts. "We should try to bring a rational level of requirements to the table and not flood the marketplace with notifications," he says.
Meanwhile, though experts advise consumers to check their credit reports when data breaches occur, accessing reports online may present its own dangers, according to a privacy advocacy group. Consumers can order one free credit report per year from Web sites cosponsored by the three largest U.S. credit bureaus. But one site - AnnualCreditReport.com - has a legion of hangers-on that are trying to bamboozle users, reports the World Privacy Forum (www.worldprivacyforum.org).
In June, the group identified 112 imposter domains that use the words "annual," "credit" and "report" in various combinations, or rely on close misspellings of the official site. The most malicious of these sites, according to Pam Dixon, the World Privacy Forum's head and author of the report, try to trick users into entering their Social Security numbers.
"Imposter domains typically target any Web site that receives high traffic," said Dixon in a report. "What is unique about the AnnualCreditReport.com site is that tens of millions of consumers may potentially access the official site ... prepared and willing to enter their Social Security numbers." Rather than access the online site, Dixon suggests consumers call for their free credit report (toll-free: 877-322-8228).