A new bill was introduced in the US Senate that would establish a new FTC office. This notice is very timely for me since I have been talking about such legislation.
New York State Senator Charles Schumer has introduced a bill aimed at helping prevent and diagnose identity theft, reports the Evening Observer. The Personal Data Privacy and Security Act would increase penalties for those who commit the crime and would make it illegal for organizations to conceal a security breach involving personal data. The law would also require entities that hold personal data to establish data protection policies. "Identity theft is a scourge on hard-working Americans, and it is a problem that is getting worse," said Schumer. The act would also establish an Office of Federal Identity Protection within the Federal Trade Commission. Full Story
For about 6 years the Federal Trade Commission has offered guidelines for businesses and other enterprises that have files and records containing personal data either of employees past and present, or of customers, or client companies such as HR and payroll businesses.
These guidelines were offered as a way for industry to police its' own operations and to train personnel on protecting the non-public info they handle.
These recommendations have been largely ignored by all but the companies regulated by the banking authorities such as the FDIC. During that time identity theft has become epidemic and is currently costing American business and individuals in excess of $45 billion annually. This figure does not reflect the identity theft losses due to personal theft and fraud, only those incidents that are the result of database losses.
Now in 2009 we are faced with legislation that will require all businesses, schools, and municipalities to take specific measures to thwart these crimes. This will likely be more costly than the voluntary measures previously on the table.
Moreover, the reporting aspect of this bill requiring business to reveal breaches to potential victims will have a profound effect on the public confidence of the breached businesses. In economic times such as we are in that is something businesses can hardly afford. Investigations into breaches will also be hampered by this requirement, and I'm certain that we will see push back from business on that point.
It is sad to see that businesses would rather do nothing than to take basic measures to safeguard information. My mantra holds true that; "When you protect the information you hold on others you are protecting them. When someone else does it they are protecting you."
Our data is only as safe as the weakest link. And with literally thousands of databases containing our personal data there are thousands of weak links to contend with.