Cybereye | ID theft plan: It's a start
- By William Jackson
- Apr 30, 2007
A presidential task force on identity theft from 17 federal agencies and departments labored for 11 months to determine the obvious: Both the public and private sectors need to do a better job of protecting personal information and helping victims.
Although the conclusions are obvious, the task force has managed to produce some recommendations that could help provide this much-needed protection. They would put controls on the use of Social Security numbers as universal identifiers and establish some standards for responding to breaches of sensitive data.
The report, titled Combating Identity Theft: A Strategic Plan
, would not eliminate identity theft and fraud, but would make a start if the administration follows through on the recommendations.
The task force, co-chaired by U.S. Attorney-General Alberto Gonzales and Federal Trade Commissioner Deborah Platt Majoras, was established by executive order in May 2006. This was seven years after the Identity Theft and Assumption Deterrence Act made ID theft a federal crime and put the FTC in charge of combating it. But despite prosecutions by the Justice Department and the FTC's establishment of the Identity Theft Data Clearinghouse for victims and law enforcement, the theft, loss and leakage of personal information, particularly in digital form, has become such as high-profile problem that some new effort clearly was needed to address the problem.
The task force held hearings, solicited public comment and studied the problem, issuing a set of interim recommendations in September. The strategic plan with final recommendations was released this month.
The recommendations focus on regulatory requirements and guidelines rather than legislation. This has the advantage of meaning that the offices of Management and Budget and of Personnel Management could implement many of these recommendations without the approval of 535 senators and congressmen, as long as the White House has the will to do it.
Some of the key recommendations focus on making it more difficult for thieves to get access to Social Security numbers. These numbers, originally intended to keep track of workers' earnings for their Social Security accounts, have over the last 70 years grown to be accidental general-purpose identifiers; the gold standard for authentication and the golden egg for identity thieves.
The task force recommended that OPM this year 'take steps to eliminate, restrict or conceal the use of SSNs,' going as far as amending if necessary a 1943 executive order requiring the use of the numbers for permanent account numbers.
Unfortunately, the recommendations do not cover broad use of SSNs in the private sector and still would allow their broad use outside of the Social Security Administration. 'The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.'
Within the private sector, the recommendations call for national standards for safeguarding personal information and breach notification. The standards would cover 'any private entity that collects, maintains, sells, transfers, disposes of or otherwise handles' this data, whatever form it is in. Requirements for notification would exempt data that is rendered unusable, probably by encryption although the recommendations are explicitly technology neutral. Data that is at low risk of being exploited also would be exempted.
What I like best about these recommendations is that they call for standards rather than legislation. This not only streamlines their implementation, but also makes it likely that they would not pre-empt more stringent state laws on these subjects.
To date, more than 35 states have passed laws calling for notification of individuals whose data has been exposed. These laws have not only helped consumers protect themselves from or respond to fraud, but have helped raise the profile of this problem. Industry, of course, would like to see this patchwork overwritten by a national law that would pre-empt them. Especially if industry could have a say in drafting it. But a national standard on data protection and breach notification could establish a minimum set of national requirements without gutting more stringent provisions in some state laws.
Would this be inconvenient for industries handling my personal data? Possibly. But, as I have said before, if they handle that data properly, they won't have to worry about notifying me of a breach.
William Jackson is a Maryland-based freelance writer.