by Doug Pollack

The Santa Fe Group, an industry consortium, announced today an identity crime victims’ bill of rights that proposes the rights that should be provided to all individuals and recommending an approach to legislation for adopting this bill of rights.

“The five basic rights address the need for legislation that enables individual victims of identity theft to access and correct personally identifiable information (PII) records. The Bill of Rights white paper, titled Victims’ Rights: Fighting Identity Crime on the Front Lines, is now available at http://santa-fe-group.com/whitepapers/register.php.”

The Identity Crime Victims Bill of Rights advocates improved protection and support for victims and includes:

• Assessment of the nature and extent of the crime that removes the procedural ‘Catch-22s’ when validating identity
• Full restoration of victims’ identities to pre-theft status, including the ability to expunge records
• Freedom from harassment from collection agencies, law enforcement and others
• Prosecution of offenders and accountability for businesses that fail to reasonably secure personal information
• Restitution that includes repayment for financial losses and expenses

“The white paper effort was led by the Identity Management Working Group of The Santa Fe Group Vendor Council chaired by Rick Kam, President of ID Experts (www.idexpertscorp.com).

‘Despite new additions to the Fair and Accurate Credit Transaction Act of 2003 (FACT), such as free credit reports and the ability to place fraud alerts after identity theft, victims are still subject to inconsistent and unfair treatment from state and federal agencies, law enforcement and businesses,’ said Rick Kam, President of Portland-based ID Experts, a leader in data breach prevention and remediation. ‘We created the Bill of Rights to empower victims by granting them the same rights as victims of other crimes.’”

The Santa Fe Group, ID Experts and other members of the Vendor Council will be holding meetings in Washington, DC later this spring in order to drum up support for this concept and related legislation.

by Doug Pollack

The Securities and Exchange Commission (SEC) is proposing amendments to the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA) that would create more specific requirements for safeguarding information and responding to information security breaches.

“Under the proposed amendments, if a covered institution determined that an unauthorized person had obtained access to or used sensitive personal information, and that misuse of the information had occurred or was reasonably possible, the institution also would be required to provide notification, in a clear and conspicuous manner, to each individual identified with the information.”

The amendments are currently open for comment. If they go through in substantially their current form, the SEC will be requiring public companies to analyze each data breach for the risk of exposure of personal information, and then, if their determination is that the risk of unauthorized access is “reasonably possible”, notify all individuals affected by the data breach.

Currently, there are no federal regulations that require notification of individuals affected by a corporate data breach. There are however numerous states that have notification laws with varying provisions.

It would be a very positive step for all of us if there are federal laws and regulations that would ensure that those affected by data breaches are notified on a timely basis and provided with useful, instructive information. All too often, individuals (millions of them each year) are notified of a data breach in such as way that it causes them great concern, but provides them with little help.