
Action near in Congress on combating identity theft

Lawmakers also want businesses to tell victims

WASHINGTON - Responding to outrage from consumers whose personal information has been stolen from companies, Congress is primed to pass new laws to try to prevent break-ins and to require businesses to confess to customers when private information is taken.

The government's new interest in requiring such embarrassing disclosures reverses years of efforts by the FBI and U.S. prosecutors to shield corporations that have been victims of hackers from bad publicity.

Now, consumers want to know if their private information has been stolen.

The Senate is considering at least two proposals to crack down on companies whose private customer information is breached. The Federal Trade Commission's chairwoman has endorsed the idea, and the Senate Judiciary Committee's chairman hinted this week that a new law might be inevitable.

"We may well face a necessity for some really tough legislation," said Sen. Arlen Specter, a Pennsylvania Republican.

The new push for government action responds to frustrated constituents who are among more than 10 million victims of identity theft each year. It comes after years of reluctance by most companies to voluntarily report break-ins that put customers' financial information at risk.

"Congress is primed to take a very serious look at this and pass comprehensive legislation," said Sen. Charles E. Schumer, a New York Democrat and sponsor of one bill. "Nobody has given this problem the focus it deserves. This is a high priority."

A California law requires disclosures to victimized state residents, and about 30 states are looking at similar laws.

"The last thing a merchant wants to do is tell all his longtime customers he's been hacked and lost all their information," said Keath Nupuf, chief technology officer for CardCops Inc. of Malibu, Calif. The company monitors Internet chat rooms and other hacker communications for stolen credit card numbers, then notifies merchants and consumers to block bad purchases.

CardCops contacted 80 consumers this week to report that their card numbers and other personal details were circulating among Internet thieves, Nupuf said. The card numbers were pilfered from merchants that range from mom-and-pop shops to Fifth Avenue retailers.

Peiter "Mudge" Zatko, a computer expert who consulted for the White House during the Bush and Clinton administrations, often is hired by companies to tighten security and clean up the digital mess after a data breach. Zatko said victim companies "almost never" tell the FBI or customers when sensitive information is stolen.

"Maybe they have a government contract, and it would look bad," Zatko said. "Maybe they're trying to keep it quiet so they don't scare the financial markets."

Sometimes companies warn customers. Howard Schmidt, a former White House adviser, said thieves took a computer this year from the store where he buys eyeglasses. The computer contained his credit and medical information, Schmidt said, but the owner contacted his customers and encouraged them to watch for fraudulent purchases.

"That was a good thing," Schmidt said. "I want to do business with these guys."

The FBI and Justice Department have worked aggressively to shield the identities of corporations that have been hacking victims. To encourage businesses to contact them after such break-ins, investigators and prosecutors have publicly promised to seal court records, keep top executives off witness stands and use protective orders to keep details of these crimes out of the headlines.

"There is still some reluctance to call law enforcement, some hesitancy because of the negative impact on reputation," said Amit Yoran, the Bush administration's former top cyber-security official. He said requiring companies to acknowledge a break-in "may be of value, but it should not be done as a knee-jerk reaction to the handful of high-profile and significant disclosures of the past few weeks."

FTC Chairwoman Deborah Majoras estimated that consumers lost $5 billion and businesses lost $48 billion because of identity theft in 2003.

The FTC is studying how it can use existing banking statutes and laws against consumer fraud to prosecute companies that fail to report serious breaches.

Majoras said government should consider requiring companies to tell customers about break-ins when thefts put them at financial risk. She also endorsed minimum security requirements for businesses that collect sensitive personal information.
