Apr. 27, 2007 – As stolen identities undercut the assets and privacy of Americans, public-interest groups say the White House’s new strategy to combat identity theft ignores core challenges of securing data in the Digital Age.
To privacy-rights and consumer groups, identity fraud reflects structural vulnerabilities, as technology casts sensitive records into more unknown hands. In response, groups are calling for much-tighter controls than those the White House proposes on how corporations and government agencies harvest personal information.
In recent years, the Federal Trade Commission (FTC) has recorded approximately 250,000 complaints of identity-theft fraud annually. A survey study by the data-analysis group Javelin Strategy and Research estimated total adult victims in the United States at nearly nine million in 2006, with the value of the fraud totaling $56.6 billion. Common violations, perpetrated by individuals as well as organized groups, range from credit-card forgery to assuming a new identity to cover up other crimes.
This week, a multi-agency White House task force led by the FTC and the Department of Justice released a plan to combat identity theft. Proposed measures include establishing national "breach-notification" requirements – procedures for notifying consumers when databases are broken into or improperly used – as well as a centralized "National Identity Theft Law Enforcement Center" to coordinate criminal investigations.
But overall, the report is light on explicit recommendations for new regulations on companies and agencies that handle sensitive information. Rather, it emphasizes further monitoring of the problem, such as studying how companies use social-security numbers.
Groups that have long tracked identity-theft issues say the plan shies away from glaring systemic problems.
David Sohn, counsel with the Center for Democracy and Technology (CDT), said the nation needs a "baseline privacy law" to replace the lattice of state and federal regulations that currently guard consumer data.
CDT and other groups are calling for national reforms to replace what they see as an outmoded federal regulatory regime. Currently, the Privacy Act of 1974 places limits on the exposure and management of records in government databases. And some companies that handle personal data, such as credit-reporting firms, are subject to various consumer-protection statutes, including safeguards for data-quality and confidentiality.
But Sohn said existing laws miss new security and privacy threats posed by the "revolution in data technology, in terms of the ability to gather, store and manipulate large quantities of data."
Reform advocates say consumer protections should not only keep people informed when data-security is breached, but also afford greater control over personal records before and after violations occur.
Groups like CDT say federal laws should explicitly guarantee consumers’ right to know what data is gathered about them, and the power to "freeze" credit reports to preempt fraud and misuse. As a preventative measure, they say, companies should be required to implement policies for securely storing and using data, backed with potential civil penalties for non-compliant firms.
Some of the groups’ proposed reforms would nationalize consumer-protections already in place on the state level. They would also expand disclosure and transparency in the relatively unregulated "data-broker" industry – companies that cull and sell consumer information for marketing and other purposes.
Fundamentally, privacy and consumer groups say the most effective way to combat identity theft is to minimize the amount of data available for stealing. Groups such as the Electronic Privacy Information Center (EPIC), for example, support strict limits on the use of social-security numbers as an identifier.
EPIC Executive Director Marc Rotenberg said fraud could also be deterred through laws that "make [companies] liable when harm results from the misuse of the data they collect." Forcing information-hoarding institutions to foot the cost of potential mishaps, he said, would be a built-in security check, as they would "internalize the real cost of collecting and using personal information."
The federal task force, however, does not support a "private right of action" for victims against companies involved in data-breaches. The report states that "the national standard should expressly call for actions that are reasonable… and should not adopt a one-size-fits-all approach to the implementation of safeguards."
Jay Foley, executive director of the consumer and research group Identity Theft Resource Center, which is partially funded by ChoicePoint and other corporations, said imposing dramatic reforms on industry could backfire.
"If you were to take all these privacy rights and put them into one bill," he said, "you’re going to be fighting so much of the business community, from so many different directions, that the bill stands zero chance of getting anywhere."
But that potential resistance is precisely why others are trying to rein in companies.
Ed Mierzwinski, consumer-program director with the US Public Interest Research Group, criticized the task-force plan for not targeting loose credit-granting practices by retailers and other businesses. Companies recruit customers by extending credit as rapidly as possible, he said, which discourages data-security measures and invites identity theft.
On the lack of civil-liability provisions in the White House plan, Mierzwinski added, "There is no reason that the federal government should explicitly recommend against giving companies liability to consumers, unless it is in cahoots with industry."
Entanglement between the public and private sectors complicates regulatory issues, Sohn said. Though the Privacy Act guides the government’s handling of data and records, agencies today frequently investigate people using commercial databases. He said lawmakers must determine "to what extent those kind of protections should still apply when the government is relying on outsourcing to private-sector data brokers instead of doing it itself."
The data-screening firm ChoicePoint illustrates the high stakes of public-private cooperation. The company reported in 2005 that a massive data breach had affected the records of some 145,000 consumers. Yet soon afterward, ChoicePoint signed a five-year deal to help manage public records for the Internal Revenue Service. And its track record has not hindered it from becoming a service provider in assisting organizations with anti-terrorism background checks under the USA PATRIOT Act.
Ever-tightening links between information merchants and government bureaucracy helped prompt the recent introduction of the Personal Data Privacy and Security Act by Senators Bernie Sanders (I-Vermont) and Patrick Leahy (D-Vermont). The bill would authorize federal review of companies with government contracts with data brokers and impose penalties on them for failure to protect consumers.
The task-force plan has further alarmed critics by citing controversial security laws as deterrents to identity theft. For instance, the report touts extensive identity-verification rules under the REAL ID Act and related anti-terrorism statutes as consumer-protection measures, because they purportedly standardize how an individual’s data is documented and screened by authorities. Yet privacy groups oppose such laws, fearing they would lead to excessive surveillance under a single identification system and would create massive databases that were susceptible to inaccuracies or abuse.
In Rotenberg’s view, a federal plan for mandatory national identification could impinge on, rather than shield, privacy – especially when pursued under the rubric of national security.
"This administration has not aggressively enforced current privacy laws," he said, "and I think the consequence has been increasing risks to the privacy and security of the American public."
Sohn warned that entrusting too much data to any one system, private or government-run, is inherently dangerous. "Centralization and broad reliance on a single identifier," he said, "simply increases the risk of abuse by government, identity thieves, or others."