By TED BRIDIS, Associated Press Writer
Responding to outrage from consumers whose personal information has
been stolen from companies, Congress is primed to pass new laws to try
to prevent break-ins and to require businesses to confess to customers
when private data is taken.
The government's new interest in requiring such embarrassing
disclosures reverses years of efforts by the FBI and U.S. prosecutors
to shield corporations that have been victims of hackers from bad
publicity by keeping such crimes out of headlines.
But now, consumers want to know if their private information has been
stolen.
The Senate is considering at least two proposals to crack down on
companies suffering breaches of private customer information. The
Federal Trade Commission's chairwoman has endorsed the idea and the
Senate Judiciary Committee's chairman hinted this week that a new law
might be inevitable.
"We may well face a necessity for some really tough legislation," said
Sen. Arlen Specter, R-Pa.
The new push for government action responds to frustrated constituents
who are among more than 10 million victims of identity theft each
year, some of them twice or three times. It comes after years of
reluctance by most companies to voluntarily report break-ins that put
customers' financial information at risk.
"Congress is primed to take a very serious look at this and pass
comprehensive legislation," said Sen. Charles Schumer, D-N.Y.,
sponsor of one bill. "Nobody has given this problem the focus it
deserves. This is a high priority."
A California law already requires disclosures to victimized consumers
who live there, and roughly 30 states are looking at similar laws.
"The last thing a merchant wants to do is tell all his longtime
customers he's been hacked and lost all their information," said Keath
Nupuf, chief technology officer for CardCops Inc. of Malibu,
Calif. The company monitors Internet chat rooms and other hacker
communications for stolen credit card numbers, then notifies merchants
and consumers to block bad purchases.
CardCops contacted 80 consumers earlier this week to report their card
numbers and other personal details were circulating among Internet
thieves, Nupuf said. The card numbers were pilfered from merchants
that range from mom-and-pop shops to Fifth Avenue retailers.
"One guy was blowing a blood vessel," he said. "He was going to drive
across country and kill the merchant."
Peiter "Mudge" Zatko, a computer expert who consulted for the White
House during the Bush and Clinton administrations, often is hired by
companies to tighten security and clean up the digital mess after a
data breach. Zatko said victim companies "almost never" tell the FBI
or customers when sensitive data is stolen.
"Maybe they have a government contract and it would look bad," Zatko
said. "Maybe they're trying to keep it quiet so they don't scare the
financial markets."
Sometimes companies warn customers. Howard Schmidt, a former White
House adviser, said thieves took a computer this year from the store
where he buys eyeglasses. The computer contained his credit and
medical information, Schmidt said, but the owner contacted his
customers and encouraged them to watch for fraudulent purchases.
"That was a good thing," Schmidt said. "I want to do business with
these guys."
In a twist, the FBI and Justice Department have worked aggressively to
shield the identities of corporations that have been hacking
victims. To encourage businesses to contact them after such break-ins,
U.S. investigators and prosecutors have publicly promised to seal
court records, keep top executives off witness stands and use
protective orders to keep details of these crimes out of the
headlines.
"There is still some reluctance to call law enforcement, some
hesitancy because of the negative impact on reputation," said Amit
Yoran, the Bush administration's former top cyber-security
official. He said requiring companies to acknowledge a break-in "may
be of value, but it should not be done as a knee-jerk reaction to the
handful of high-profile and significant disclosures of the past few
weeks."
The FTC chairwoman, Deborah Majoras, estimated consumers lost $5
billion and businesses lost $48 billion because of identity theft in
2003. The FTC is studying how it can use existing banking statutes and
laws against consumer fraud to prosecute companies that fail to report
serious breaches.
Majoras said government should consider requiring companies to tell
customers about break-ins when thefts put them at financial risk. She
also endorsed minimum security requirements for businesses that
collect sensitive personal information.
"The challenge is to come up with a way of defining when notice should
be sent and when it doesn't make sense," said Joel Winston, associate
director at the FTC's division for financial practices.
Copyright 2005 The Associated Press.