Feinstein cracks down on banking-related ID theft

In the fight against identity theft, one major problem is that the institutions that suffer security breaches are often incentivized not to report the incident to authorities, worrying as banks and data companies often do about bad public relations and the stiff arm of regulatory authority. The result, of course, is that the public is not made aware of latent problems at the companies in whom they place their trust, and therefore little pressure is brought to insist on tougher (but expensive) changes. This may not continue for long. Senator Dianne Feinstein (D-California) has proposed a law requiring companies handling sensitive financial data to disclose security breaches.

Drafted by Chris Jay Hoofnagle of the Berkeley Center for Law and Technology at the University of California, the proposed law covers banks, credit card companies, and payment firms like PayPal. “Currently our understanding of identity theft is clouded by politically motivated polls and bad methods for collecting data,” said Hoofnagle. One particular problem, he noted, is what is called synthetic identity theft, in which identity thieves use a pastiche of real and fictional information to open accounts. Such breaches are often unknown to consumers, and so the only way to measure their virulence is to ask banks to report them. Needless to say, however, the banking industry opposes the measure and argues that it would waste banks’ valuable time by forcing them to “take our eye off the ball” — the ball in question being the self-reporting system used among banks to exchange information on breaches. “We should be watching what’s happening today, not what happened in the past,” said Doug Johnson of the American Bankers Association. Not very comforting, we think.