November 9, 2005
Chairman Specter
Ranking Member Leahy
Senate Committee on the Judiciary
224 Dirksen Senate Office Building
Washington, DC 20510
Re: A Policy Framework for Effective ID Theft Legislation
Dear Chairman Specter and Ranking Member Leahy,
We applaud your efforts to secure individuals' personal information in light of recent security breaches that have exposed data of over 50 million Americans this year alone. These data security problems were brought to the public's attention because of a California law that required disclosure of all security breaches, regardless of whether fraud has occurred. The disclosures have raised public awareness of important privacy and security issues, among them, a new and growing consumer awareness of commercial data brokers, an industry that trades in Americans' personal information with little oversight or accountability.
We are concerned, however, that recent proposals to address privacy, identity theft, and data security would preempt state law and establish a much weaker set of protections than are currently available to many consumers. In addition, these proposals largely address data security only, rather than whether the sale of detailed dossiers on individuals for vague "fraud management" purposes is legitimate and fair to consumers. Legislation contemplated by the Committee should be guided by a strong policy framework for effective identity theft legislation. Such a framework would include:
Notice of Security Breaches. Standards that require a proof of harm are unworkable, and will result in bad practices being obscured that currently are subject to disclosure. It is not possible for breached entities to know if or when personal data will be used to commit fraud. Because risk is not assessable, the affected individuals must be notified in all instances in order to take the necessary precautions.
A Broad Definition of Identity Theft. Individuals are harmed by all forms of identity theft, whether impostors open new accounts or engage in simple credit card fraud. "Identity theft" should be defined to encompass all situations where personal data, including account numbers, are used for fraud or attempted fraud.
A Consumer-Friendly Security Freeze. All consumers need the right to secure their credit reports with a passcode to prevent the most harmful forms of identity theft. Because the security freeze only prevents fraud if consumers use it, it must be designed to be consumer friendly: it should be free, easy to initiate, easy to temporarily lift, and quick to take effect.
Limits on Collection, Use, and Disclosure of Social Security Numbers. Congress should place substantial limits on the private sector's collection, use, and disclosure of the SSN. Protecting the SSN is critical to reducing identity theft. Congress should also prohibit the publication of Social Security Numbers in public records at the federal, state, and local level.
Preservation of State Law. We know of the spate of recent security breaches only because California enacted legislation that required disclosure of all security breaches. Federal legislation that adequately addresses privacy and security concerns need not be preemptive, because states will not pass stronger laws in the presence of a good national measure. Binding the hands of the states will restrict their role as laboratories of democracy, and ultimately hamper experiments in addressing privacy, identity theft, and data security risks.
Special Measures to Address Commercial Data Brokers. Legislation concerning these sellers of personal information should give individuals the right to view all their information in their file at no charge, to correct that information, and to see an audit log showing who gets personal information and why. Furthermore, Congress should carefully examine how commercial data brokers use information because these companies, through legal artifice, have skirted the reasonable limits on data use set by the Fair Credit Reporting Act. This is especially urgent for victims of identity theft who have acquired felony records, and false records that become apparent when they are denied employment. Their lives are ruined and they have no present right to correct the data broker files.
We look forward to working with you on these matters.
Sincerely,
Jeff Chester
Executive Director
Center for Digital Democracy

Chris Hoofnagle
Senior Counsel
Electronic Privacy Information Center

Linda and Jay Foley
Co-Executive Directors
Identity Theft Resource Center

Susan Grant
VP Public Policy
National Consumers League

Robert Ellis Smith
Publisher
Privacy Journal

Evan Hendricks
Editor
Privacy Times

Pam Dixon
Executive Director
World Privacy Forum

Ken McEldowney
Executive Director
Consumer Action

Mari J. Frank, Esq.
Attorney, Mediator, Privacy Consultant

Michael D. Ostrolenk
Founder/National Director
Liberty Coalition

Linda Ackerman
PrivacyActivism

Beth Givens
Executive Director
Privacy Rights Clearinghouse

Edmund Mierzwinski
Consumer Program Director
US PIRG
Last Updated: November 9, 2005
Page URL: http://www.epic.org/privacy/choicepoint/datamarker11.09.05.html