Bill takes aim at identity theft
- By William Jackson
- Jun 27, 2003
Federal agencies would be required to notify citizens of unauthorized access to their computerized personal data under a bill introduced yesterday by Sen. Dianne Feinstein (D-Calif.).
The bill, which Feinstein called a 'practical measure to curb identity theft,' is modeled on a California state law that goes into effect July 1. Unlike the California law, S 1350 would apply to federal agencies, state governments and businesses engaged in interstate commerce.
According to a draft, the bill defines personal information as a person's full name or first initial and last name, together with that person's Social Security number, driver's license number, state identification number, or bank or credit card account number. Owners or controllers of databases with such information would have to notify individuals 'as expediently as possible and without unreasonable delay' following discovery of a breach.
Notification could be in writing or by e-mail or, if that were too expensive or impractical, by conspicuously publicizing the persons' names on a Web site or through media.
The bill does not apply to encrypted data. Unlike the California law, it exempts agencies and companies that already have reasonable notification policies in their security programs. Notification also could be delayed if a law enforcement agency determined it would interfere with an investigation.
The Federal Trade Commission would enforce the provisions in Feinstein's bill. State attorneys general could file suits under its provisions, and fines might range from $5,000 per violation up to $25,000 per day. The bill would allow the California law to remain in effect but would pre-empt other, conflicting state laws.
The Feinstein bill has been referred to the Senate Judiciary Committee.
William Jackson is a Maryland-based freelance writer.