Despite Rash of Data Thefts, Laws Slow in Coming
MELISSA BLOCK, host:
This is ALL THINGS CONSIDERED from NPR News. I'm Melissa Block.
ROBERT SIEGEL, host:
And I'm Robert Siegel.
If you learned that your Social Security or credit card number was stolen this year, then you're in good company. 2005 saw an unparalleled number of big information thefts reported. Initially, there was a sense of urgency in Congress to plug these data leaks, but as NPR's Larry Abramson reports, there has been little new federal action on the problem.
LARRY ABRAMSON reporting:
A few weeks ago, Boeing workers learned that a thief had stolen a laptop computer with personal information belonging to 151,000 employees. Connie Kelliher of the International Association of Machinists and Aerospace Workers says her members now face years of uncertainty as they try to figure out whether their identities have fallen into the hands of crooks.
Ms. CONNIE KELLIHER (International Association of Machinists and Aerospace Workers): Well, I think people were very upset. It caused a lot of anxiety. And we're still pushing to try to find out why was there such sensitive information on a laptop computer that wasn't encrypted.
ABRAMSON: A lot of people are feeling upset. This year there have been over 130 disclosed incidents like this, affecting more than 57 million people. And Beth Givens of the Privacy Rights Clearinghouse says those are just the data breaches that we know about.
Ms. BETH GIVENS (Privacy Rights Clearinghouse): Some people call it the year of the breach, but actually, breach--there's nothing new about security breaches. What's new is that we're learning about them.
ABRAMSON: We learned about the problem thanks in large part to a California law that mandates disclosure of most data thefts. The resulting attention led to a national uproar, to congressional hearings and to proposed federal laws requiring notice of information spills. But Givens is worried that federal action could undermine the California law that helped get the ball rolling.
Ms. GIVENS: They would all pre-empt what's happening in the states, and they'd be wiping out laws that are much stronger than anything they're considering in Congress.
ABRAMSON: At the same time, companies that already fall under existing privacy laws, like financial institutions, are worried they will face yet another mandate. Andrew Barbour of the Financial Services Roundtable doesn't want to see a federal requirement for disclosure of every single data spill, even if no harm is done.
Mr. ANDREW BARBOUR (Financial Services Roundtable): There is some technically, I guess, personal information that you can pull out of a phone book. So is that really the kind of information that we're trying to protect and that we're notifying folks about when there's an instance of a breach?
ABRAMSON: Most proposals in Congress would not require reporting of every single breach. That's why some privacy advocates prefer to stick with the many state disclosure laws that have been passed recently. If a notification law does pass, it will only raise the profile of future incidents. It may not stop the thefts in the first place. Several pieces of proposed legislation try to tighten the screws on so-called data brokers, companies like ChoicePoint, which was duped by thieves into selling information about 162,000 Americans. ChoicePoint's Carol DiBattiste has worked as a federal prosecutor and with the Transportation Security Administration. She was brought in to revamp security at ChoicePoint. DiBattiste says her company is taking its own steps to stop information spills by paying a personal visit to companies that want to buy ChoicePoint's data.
Ms. CAROL DiBATTISTE (ChoicePoint): So any customer that receives that most sensitive, personally identifiable information, they get a site visit to ensure that they are who they say they are.
ABRAMSON: Some congressional proposals would make that voluntary step mandatory for data brokers like ChoicePoint, but Carol DiBattiste says there's no reason to single out her industry. Many of the biggest data thefts this year came from retailers, banks and other institutions, not from data brokers.
Ms. DiBATTISTE: ChoicePoint supports accountability and regulation of not just information service providers, but of the entire industry.
ABRAMSON: All of these competing interests may make this a tempting issue to dodge as Congress learns that identity theft is too complicated to be addressed with a single law. Even if Congress does pass aggressive legislation, identity theft isn't going away. Thieves face a growing supply of data online, and they can always return to Dumpster diving for information if they have to. Larry Abramson, NPR News.
NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.