Thursday, May 03, 2007

Identity Theft Legislation Approved by Senate Committee

The proposed "Identity Theft Prevention Act” (S. 1178) was approved by the Senate Commerce Committee on April 25. The measure would require businesses, organizations, and federal agencies to "develop, implement, maintain, and enforce a written program for the security of sensitive personal information” that the entity collects, maintains, sells, transfers, or disposes of.

The entity would be required to comply with Federal Trade Commission rules, which would be promulgated by the Commission within one year of the enactment of the statute. The proposal would also mandate notification of consumers in the event of a security breach.

If that breach affects at least 1,000 individuals, the entity would have to inform the individuals, report the breach to the FTC, and notify all consumer reporting agencies. The FTC would be required to post a report of the security breach on its web site, without disclosing any sensitive personal information. If the breach affects fewer than 1,000 individuals and the breach does not create a reasonable risk of identity theft, the entity shall inform the individuals and report the breach to the FTC. The FTC would not publish such a report on its web site.

Violation of the identity theft statute would constitute an unfair or deceptive act or practice under the Federal Trade Commission Act, which could be enforced by the FTC and other enumerated agencies. State attorneys general would also be empowered to bring civil actions as parens patriae on behalf of their residents.

The bill would preempt state or local laws, regulations, or rules that require a covered entity to give notice of security breaches or that require the implementation, maintenance, or enforcement of information security programs.

Full text of the bill—and a report on its status—appears at the Thomas web site of the Library of Congress.

No comments: