Approved on a voice vote, the Identity Theft Protection Act requires data brokers, government agencies and educational institutions to disclose security breaches to consumers within 45 days if there is a "reasonable risk" of identity theft involved in the breach.
The evidence of possible identity theft includes such factors as whether the data containing sensitive information is useable by an unauthorized third party and whether the data is in the possession of an unauthorized third party that is likely to commit identity theft.
Under the bill's language, companies and other organizations are required to develop, maintain and enforce a written program for the security of sensitive information. Physical and technological safeguards will be mandated through rules and regulations developed by the Federal Trade Commission (FTC).
Within a year of the passage of the bill, the FTC is required to develop procedures for authenticating the credentials of any third party to which sensitive personal information is to be transferred or sold by a data broker or other organization.
For security breaches involving 1,000 or more consumers, the firms responsible for the breaches must not only notify consumers but also the FTC. The agency, in turn, will post a report of the breach on its Web site without disclosing any sensitive personal data.
For breaches of fewer than 1,000 records that do not create a reasonable risk of identity, the data broker must still notify the FTC.
The real work begins for those institutions who thought they were exempt from regulations like the FTC SafeGuard Rule and the Gramm-Leach-Bliley Act (GLBA). Now they must do what the banks,thrifts and other OCC controlled organizations have been doing for years. Spending more money and resources on Information Security. Sure, human factors will have their toll even on those who have been complying with these laws for years. Bank of America and others have been burned. What is more interesting to see going forward is how the third-party processors and other information supply chain companies will behave, and for that matter, what the largest institutions will do to audit these business partners.
Stealing and selling sensitive information is the work of increasingly criminal organizations, located in countries across the globe. And even in our own back yard here in the United States. Let's just hope that organizations who are taking our sensitive personal identifiable information to verify our identity have the right people, right resources and take this legislation seriously this time.