http://www.redherring.com/Article.aspx?a=11839
April 19, 2005
New York Attorney General Eliot Spitzer has urged his state's
legislators to do more to protect consumers from digital fraud and
taken a swipe at computer criminals.
"The theft of one's identity and personal information is not a matter
of "if," but a matter of "when," Mr. Spitzer said on Monday. "New
York State must enact reforms to strengthen consumers' ability to
control personal information and to facilitate the prosecution of
identity theft crimes."
The proposed legislation would make it easier for consumers to file
identity fraud complaints, put "security freezes" on credit files, and
provide "opt-out" lists for consumers who do not want their data
passed along to third parties.
Mr. Spitzer's legislation would make it tougher for businesses. It
would require companies to notify customers whenever they send out
reports containing their information. The notification would include
the address of the entity which had requested the private information.
Companies would also have to inform New Yorkers of any exposure of
their personal information that affected more than 500 people.
The proposal resembles California Senate Bill 1386, which became law
in July 2003. It requires companies to inform California of data
leaks. On Tuesday, the Senate Judiciary Committee was scheduled to
consider ways to augment the existing legislation. Senate Bill 852
would make companies as responsible for theft of records as they are
now for digital data theft.
More than 785,000 Americans learned that they may have been the
subject of identity theft in the last three months. HSBC, a U.K. bank,
recently informed 180,000 of its customers that information the
company kept on them had been exposed to potential criminals (see HSBC
Warns 180,000 of Fraud) [1].
Earlier the same week, data-collection firm LexisNexis announced it
would mail 280,000 letters to Americans who had their information
tapped into inappropriately (see LexisNexis Leaks 280,000 IDs [2]).
Before that, the San Jose Medical group lost 185,000 patient records
and social security numbers when someone walked out of the hospital
with a computer under each arm.
The recent rash of identity theft started with ChoicePoint's
announcement in February that it had lost detailed data on 145,000
people at the hands of a low-tech fraudster (see The Choicepoint
Incident [3]).
Cyber trespassers
On top of the legislation designed to protect consumers, Mr. Spitzer
has called for tougher penalties on computer criminals. He wants to
prosecute people who gain access to computers surreptitiously, but who
do not do any harm. The proposed legislation would also make
encrypting information a crime if it concealed some other crime.
The anti-hacker part of Mr. Spitzer's proposed legislation has drawn
criticism from computer experts.
"I've always admired Elliot Spitzer because of the types of bad guys
he went after," said noted cryptographer Phil Zimmermann. "But I think
it would be a mistake to make it a crime to use crypto. It's
pervasive, and built into our web browsers and applications. It would
be hard for most people to avoid using crypto because of its
ubiquity."
Making cryptography a crime when it is used to conceal illegal
activity would be a step in the wrong direction, said Mr. Zimmermann,
who created an encryption program called Pretty Good Privacy. "We need
an ever-increasing ubiquity of crypto deployment across all relevant
applications on the Internet, in databases, in access control, in
authentication, in backup utilities: everywhere," he said. "That will
help reduce identity theft, which is certainly a goal shared by Mr.
Spitzer."
[1]
http://www.redherring.com/Article.aspx?a=11798&hed=HSBC+Warns+180%2c000+of+Fraud
[2]
http://www.redherring.com/Article.aspx?a=11763&hed=LexisNexis+Leaks+280%2c000+IDs
[3] http://www.redherring.com/Article.aspx?a=11336&hed=The+Choicepoint+incident
_________________________________________
InfoSec News
http://www.infosecnews.org
