ID Task Force Ideas Receive Cool Reception

By Brian Krebs
washingtonpost.com Staff Writer
Monday, April 23, 2007; 5:31 PM

A federal task force Monday urged the Bush administration to back certain policy proposals to help combat identity theft, but critics say the recommendations will do little to curb the loss or needless collection of sensitive consumer data.

President Bush's Identity Theft Task Force, co-chaired by Attorney General Alberto Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras, called for a review at the state and federal level of the use of Social Security numbers in consumer records. The panel also broadly supported national standards for requiring organizations to notify consumers if they experience a data breach or loss that jeopardizes personal or financial data. Thirty-five states have data breach disclosure laws. Lawmakers on Capitol Hill are drafting and circulating similar measures.

"Identity thieves steal consumers' time, money and security, just as sure as they steal their identifying information, and they cost businesses enormous sums," Majoras said in a written statement. "The strategic plan submitted to the president provides a blueprint for increased federal prevention and protection."

Consumer groups were unimpressed with the group's suggestions, which also called for a broader sharing of victim data among state and local identity theft investigators, and amending existing criminal statutes to allow stricter punishment for identity thieves.

Marc Rotenberg of the Electronic Privacy Information Center said the task force's recommendations would create a framework for a weak national privacy law.

"It really seems like the focus of these recommendations is what to do about the crime of identity theft after it occurs, rather than creating a comprehensive approach that would minimize the risk of the crime itself," said Rotenberg, who is executive director of the Washington-based policy group. "We really have to go after those practicing bad data practices with the same energy we're willing to use against those who commit identity theft."

The task force said a federal data breach notification law should supersede state laws, and require notification only when there is a significant risk of identity theft due to the loss or compromise of sensitive data, for example, if a victim's Social Security number or driver's license was stolen in tandem with identifying information like the victim's name and address. The panel also said such a law should not create or provide a right for identity theft victims to sue organizations that lose control over consumer data.

Ari Schwartz, deputy director at the Center for Democracy and Technology, noted that federal agencies already are required under a 1974 privacy law to limit the storage and use of Social Security numbers, but added that the Bush administration has failed to consistently enforce it.

"If [the White House] had any leadership on the broader privacy issues here, the recommendations in this report to the federal agencies on Social Security numbers would all be second nature," Schwartz said.

A Government Accountability Office report in 2003 warned that more leadership was needed from the White House on compliance with privacy law given the swiftly changing nature of electronic records and new data mining programs.

Jay Foley, co-founder of the Identity Theft Resource Center, said he was pleased to see the task force call for the creation of a national identity theft law enforcement center. The task group suggested a center should be designed to "allow law enforcement agencies to coordinate their efforts and information more efficiently and prosecute identity thieves more effectively."

"We see so many cases where the identity thief is operating out of one state and his victims are scattered over 16 cities across the country," Foley said. "There desperately needs to be more clarity on who should take the lead in investigating these types of cases, and a cohesive program to tie all these victim records together into a single case file."


© 2007 The Washington Post Company