SCHUMER INTRODUCES COMPREHENSIVE ID THEFT BILL TODAY; IDENTITY THEFT AT LEXIS NEXIS 10X’S LARGER THAN EXPECTED

Recent Examples of Egregious Loopholes That Are Compromising Personal Information Need Immediate and Thorough Action by Congress

Schumer-Nelson Bill Would Empower FTC, Inform Consumer to Prevent ID Theft in Future, Not Just Punish Wrongdoers after the Fact

On the heels of numerous and significant identity theft breaches, U.S. Senators Charles E. Schumer (D-NY) and Bill Nelson (D-FL) are introducing major and comprehensive legislation today to prevent ID theft, to give broader authority to the Federal Trade Commission, and require more disclosure. The Schumer-Nelson ID Theft Prevention bill is the first and most comprehensive effort to really prevent ID theft, not just punish those who commit ID theft. Sen. Schumer is a member of almost all the committees that would have jurisdiction over this bill including the Finance, Judiciary, and Banking Committees, and Sen. Nelson is a member of the Commerce Committee, which also has jurisdiction.

Schumer said, “What bank robbery was to the Depression Age, identity theft is to the Information Age. Identity theft has become so pervasive and so out-of-hand, that we must make a real effort to prevent it before it happens. When a company like Lexis-Nexis so badly underestimates its own ID theft breaches, it is clear that things are totally out of hand.”

According to Lexis-Nexis today, they found a 300,000 person sensitive personal information breach, not a 30,000 person breach, which was originally reported last month.

“This bill not only will help stop the erosion of privacy,” said Nelson, a longtime champion of consumer privacy. “But it also will cut through the red tape identity theft victims now face when they try to restore their credit.”

Schumer continued, “Everyone knows that once your identity has been stolen, you can’t get it back. That is why our comprehensive measure focuses on making sure that your personal information isn’t surfing the Internet without your permission and that companies handling your Social Security number and other sensitive information should come under the watchful eye of the Federal Trade Commission immediately.”

Schumer Nelson ID Theft Prevention Bill will:

Create FTC Office of Identity Theft to help the millions of victims of ID theft each year to get their identity back through an easily accessible website, toll free phone number and consumer-service teams, and authorizes $60 million a year, for five years for this office.

Regulate data merchants (akin to regulation of credit bureaus) by:
- Make them register with the FTC;
- Institute safeguards to prevent fraudulent access by unauthorized parties;
- Develop authentication process for their customers with individualized passwords;
- Users allowed these passwords are people who have passed a reasonably effective background check;
- Data Merchant should track who accessed what records and for what lawful purpose they were accessed;
- Allow consumers, like with their credit reports, to obtain reports showing which data-merchants have their information and mandates a correction process to fix errors;
- Demands accuracy standards for their information;
- Regulates Credit Bureaus only if, and as far as, they sell credit header information currently unregulated by the Fair Credit Reporting Act and its amendments.

Disclosure Box:
Any company that is collecting your sensitive personal information and plans to sell or transfer your information to an unaffiliated third party, must put a “Disclosure Box” on it, which lets the consumer know in PLAIN ENGLISH that “this information may be sold or given to an unaffiliated third party without your additional consent.”

Notification provisions in the case of an information breach are very similar to current California law (the law that forced ChoicePoint to notify consumers). But there is a new provision, allowing any consumer who is notified of a breach of their information to request, in writing, that their information be completely expunged from the company’s database.

Every company required to take “Reasonable Steps” to protect sensitive personal information they are storing.

Social Security Number Specific Provisions:
- Prohibits any company from asking for a Social Security number unless they actually need it in the normal course of business;
- Prohibits SSN’s displayed on employee IDs and prohibits inmates in prison from having any access to them as part of their prison jobs;
- Bans SSN purchase and sale, except for law enforcement, national security and fraud purposes;
- Grants U.S. Attorney General the ability to further define the exemptions as situations arise and exempt more if needed.

Would also require the FTC to:
- Study national, state and local governments’ public postings of Social Security numbers, come up with recommendations and forward them on to the relevant national, state and local governments;
- Require a thorough annual report each year on ID theft;
- For each section there’s a maximum penalty, usually $1,000 per individual record per violation, which can be administered by the FTC or Attorneys General.
- Study international identity theft and determine ways to combat it;
- Create a blue-ribbon working group representing both industry and consumer groups to find the best ways for private entities to protect consumer data;

Stop public postings of private financial account numbers (i.e. mutual fund companies posting shareholder information on Internet).

Preempts state law to the extent that it is inconsistent with the provisions of this bill and then only to the extent of the inconsistency. If the statute offers greater consumer protections than this bill, it shall not be preempted by this bill.

Create an Assistant Secretary for Cyber Security in the Department of Homeland Security, which is what an earlier Schumer amendment to the 9-11 bill and a bi-partisan house bill in the 108th would have done.

# # #