Move Over Sarbanes-Oxley; New Identity Theft Laws on the Table

Sen. Charles Schumer of New York introduced in April a bill called the Comprehensive Identity Theft Prevention Act. It is one more legislative option in the wake of the series of leaks of sensitive information involving millions of people over the last few months.

Among other provisions, the bill directs the FTC to establish a new Office of Identity Theft and to issue regulations enabling that office to protect consumers' personal information that commercial organizations gather, keep, sell or transfer.

Here’s an excerpt:

SEC. 5. REASONABLE STEPS TO PROTECT SENSITIVE PERSONAL INFORMATION.

(a) Regulations- Not later than 9 months after the date of enactment of this Act, the Federal Trade Commission shall promulgate regulations governing the sale, maintenance, collection, or transfer of sensitive personal information by covered persons, including a requirement that covered persons take reasonable steps to prevent unauthorized access to sensitive personal information the covered person sells, maintains, collects, or transfers.

(b) Penalties- A covered person that violates subsection (a) shall be subject to a civil penalty of not more than $500 per person per violation.

(c) Actions- An action to enforce a violation of subsection (a) may be brought by the Federal Trade Commission in any appropriate United States district court or any other court of competent jurisdiction.

The term “covered persons” is defined to mean a “commercial entity.”

While a $500 penalty may seem low, it becomes significant if it is assessed separately for each individual whose information was not reasonably secured, rather than once for the incident as a whole. Reported data leaks over the past few months have involved anywhere from thousands of records to more than one million records in a single incident. The California Department of Consumer Affairs said last month that an average of 163,500 individuals had been involved in each breach reported since the state's disclosure law took effect in 2003; at $500 per person, a breach of that average size would carry a potential penalty of roughly $82 million.

Legislation that mandates keeping information secure, rather than merely requiring disclosure of leaks after the fact, would impose a far larger implementation burden on covered entities.

A recent Internet.com article quotes a Gartner analyst as predicting that identity theft or data security legislation "will be the next Sarbanes-Oxley." The likelihood of new federal law rose again this week with the disclosure that Citigroup had lost information on 3.9 million individuals. The bigger question is no longer whether new laws will be passed but how far they will reach: whether they will be limited to disclosure of leaks or, like Sen. Schumer's bill, impose broader obligations on how records are kept and secured.

A bill like Sen. Schumer's could also significantly expand liability exposure for violations of its requirements, particularly if it helps establish a right for a person whose information was leaked to sue, or if it influences the measure of damages for a mere leak of information, absent any showing that the information was later used to that person's detriment.