Sunday, February 10, 2008

Recently, Georgetown University informed thousands of students, alumni, faculty and staff that a computer hard drive containing their personal information -- names, birth dates and Social Security numbers -- had been stolen from an administrator's office [Metro, Jan. 30]. This story is one that has been repeated dozens of times over the past few years with little variation: A laptop is taken from the Department of Veterans Affairs; tapes vanish at IBM; and hackers download records from a server at UCLA. Sometimes, the records are actually lost. Other times, the information turns up for sale on Web sites run by international criminal organizations. No one knows what will happen with the information stolen from Georgetown.

Our identities are not simply bits of information stored on hard drives or tapes in dusty warehouses. When sensitive information is compromised without our knowledge, we are still physically and psychologically complete (or at least no less so than before). At the same time, identity theft can do enormous harm to our finances and reputations. We put our trust in business, government and educational institutions to do their best to protect us from that harm. With great consistency, those institutions have failed us.

Georgetown, for its part, has done a poor job of protecting sensitive data with which it was entrusted. The real concern, however, should not be with the details of any particular incident, but instead with a system that allows and encourages the collection and retention of so much personal information in the first place.

Congress has failed to respond to what has become the most pervasive economic crime of the 21st century. Legislative proposals to eliminate or reduce the use of the Social Security number for identification purposes have stalled. But even if passed, these measures would not prevent the theft of data collected and retained by institutions. A more ambitious approach is needed.

Existing statutes restrict governmental and educational institutions' disclosure of student information. But these statutes do not effectively address the problem of information theft. In considering legislation, policymakers should try to revamp policies and introduce new ones to regulate not only disclosure but also the collection and storage of sensitive information. This would require significant effort and imagination. The new policies must, at a minimum, require institutions that collect or retain sensitive information to meet minimal security requirements. The policies could also expressly allow someone whose information is stolen to bring a lawsuit against an institution whose failure to meet the statutory standard harmed that person. Such a measure would serve as an effective deterrent against the sort of recklessness that allows our information to be lost or stolen.

The chances of decisive congressional action may be slim. But maybe, just maybe, one of the Georgetown alumni serving in Congress will receive the same e-mail I did and conclude, as I did, that something needs to be done.

-- Daniel R. Kahan

Washington

The writer is a second-year law student at the Georgetown University Law Center.