CHICAGO, May 11 (UPI) -- California passed a law to protect consumers from identity theft two years ago, when the issue first was seen as an Internet social problem, and now security breaches at ChoicePoint and Time Warner are prompting attorneys general in other states to press for comparable legislation.
Legal and technology experts told UPI's The Web, however, it might be better public policy to wait for the federal government to pass further ID theft protection legislation -- which Congress is considering -- than to create a hodgepodge of possibly conflicting state and local laws.
Congress this week holds hearings over whether to make credit card companies and third-party data providers adhere to the same regulations that govern banks and other financial services companies.
"ID theft is a great way for state legislators to appear to be acting on behalf of constituents without doing anything controversial," said Harold J. Krent, dean and professor of law at the Chicago-Kent College of Law.
Norbert Kugele, a partner at the law firm of Warner Norcross & Judd in Michigan, said this seemingly uncontroversial tactic by legislators could cause significant problems for many corporations.
"Because states often enact laws that are not entirely consistent with laws of other states, companies that do business across state lines would prefer to have federal legislation that governs and pre-empts state laws," Kugele said.
The federal government already has begun to enforce the privacy of information accessed by the Internet, through measures like the Health Insurance Portability and Accountability Act of 1996, which protects healthcare data, and the Sarbanes-Oxley Act of 2002, which safeguards financial information.
New laws that include criminal provisions -- whether they are state or federal -- would enhance the ability of law enforcement to stop hackers.
"(The) problem is not so much one of insufficient penalties, but (of) inadequate means to prevent ID theft," Krent said.
Technology companies are working on that. Software developer Anonymizer, based in Silicon Valley in California, is preparing to announce it will provide ID protection through the Firefox browser. The security software will be sold as a Web download and marketed through retail channels, too.
Other technology developers are devising even more sophisticated tools to stop ID theft. BioPassword is offering biometric security. The company's software analyzes a computer user's unique typing patterns and then marries their biometric typing template with an assigned password to create a hardened password nearly impossible to break.
Technology companies still hope state legislators continue to press the issue, though, as that keeps the concern over ID theft in the public consciousness and might lead to regulations that require the purchase of their products.
"Within the next two or three years, I anticipate that most states will have promulgated ID theft protection legislation that not only puts in place stiff penalties for criminals, but places a strong regulatory pressure on financial institutions, data centers and other organizations to take clear and reasonable steps to curtail the problem," said Andrew Tull, executive vice president of BioPassword.
Action on the state level eventually would compel the federal government to come out with a more comprehensive legislative approach to stopping Internet-based ID theft.
"The passage of a state law often motivates companies and other organizations to hire lobbyists to help build momentum to get federal law passed, which we see happening here, too," Kugele said.
The genesis of cutting-edge legislation on the state level may be a social good, even if it winds up being replaced by federal law in the coming years.
"In terms of quality, federal laws aren't necessarily better than state laws," Kugele said. "States can be more innovative and come up with different approaches to the problem. Although this can result in a patchwork of different laws, it also gives people the opportunity to see which approach is the most effective."
Such lawmaking also will help keep consumers on alert and encourage them to take proactive steps to protect their identity.
"There is a silver lining," Krent said. "The more publicity focused on ID theft, the more that consumers will take commonsense steps to protect themselves, from checking credit reports to refusing to give out social security numbers unless absolutely necessary, to withstanding the allure of fraudulent e-mail requesting private information."
Some experts, however, see much of this legislative work as wasteful and reckon the only way to end ID theft immediately is to eliminate easy credit.
"Most of the laws being proposed have become platforms for politicians to get re-elected," said Robert Siciliano, a Boston-based IT security expert. "All of a sudden, dozens of politicians have become identity theft experts. Few laws have any teeth. The only legislation that makes sense is credit freezes across the board.
"However, banks, credit card companies and retailers are lobbying against freezes because they feel credit freezes will eliminate instant credit, which will mean 'Joey Beans' can't buy a $10,000 plasma TV at Best Buy during lunch," Siciliano added.
--
Gene Koprowski is a 2005 Winner of a Lilly Endowment Award for his columns for United Press International. He covers telecommunications for UPI Science News. Contact [email protected]
