Of the legislation introduced in Congress in 2005, the following three bills are likely to proceed:
H.R.1745: Restricts the sale or "purchase" of Social Security numbers and their use on ID cards.
S.1408: Requires notification of security breaches and permits new "security freezes" on credit reports.
The fate of several other measures is less predictable:
S.29: Restricts the sale or "purchase" of Social Security numbers and their use in public records.
H.R.1078: Permits the Federal Trade Commission to restrict the sale of Social Security numbers.
H.R.3325: Orders a study on whether there is a link between methamphetamine and crimes relating to identity fraud.
H.R.3804: Amends the U.S. tax code to permit deductions of expenses related to repairing identity fraud.
S.768: Creates new Office of Identity Theft bureaucracy and regulations aimed at "data merchants."
H.R.1263: Requires businesses to offer "opt-out" before disclosure of personally identifiable information through a "self-regulatory" mechanism approved by the government.
S.1326: Requires notification of security breaches involving "computerized data containing sensitive personal information."
S.500: Forces the FTC to regulate "information brokers."
H.R.1099: Targets phishing sites that use fake domain names or send fraudulent e-mail posing as a business.
S.1594: Tells financial institutions to notify their customers of security breaches.
H.R.3997: Amends the Fair Credit Reporting Act to require credit agencies to focus more on identity fraud complaints.
H.R.220: Restricts governmental use of the Social Security number and prohibits a governmentwide uniform "identifying number."
S.116: Imports a European-style regulatory regime by broadly restricting the disclosure or sale of personal information.
By Declan McCullaghIt didn't take long for members of Congress to realize that the recent string of well-publicized security breaches amounted to a political opportunity.
Early this year, after Bank of America, LexisNexis and ChoicePoint acknowledged serious security problems, politicians scrambled to capitalize on the news by introducing an array of proposed solutions. Spurred by surveys showing Americans' dissatisfaction, at least two dozen ID fraud-related bills now exist.
But internecine squabbles between congressional committees and spats over states' rights have stalled that process, yielding only a handful of proposals with sufficient momentum to be enacted into law anytime soon.
Details vary widely. But one general theme requires that serious breaches involving personal information be reported to the customer. That broadly mirrors a California notification law, which took effect in July 2003 and led to some of the recent security incidents becoming public.
A more contentious topic is what to do about the ready availability of Social Security numbers. "Once again we're forced to ask, 'Why should it continue to be legal to sell a person's Social Security number without permission?'" Rep. Joe Barton, a Texas Republican who heads the Energy and Commerce Committee, said in April. "If it takes a new law to protect people from identity thieves, so be it."
Since then, though, it's become less clear whether Congress will take such a dramatic step. A leading proposal championed by Sen. Arlen Specter, a Pennsylvania Republican who heads the Judiciary Committee, originally banned the sale or "purchase" of SSNs. A revised version does not.
Another factor is opposition from business groups, which say that identity fraud is already illegal--and point out that Mastercard was subject to stringent government regulations but still managed to expose 40 million customer accounts. Academics and former Federal Trade Commission member Orson Swindle have cautioned against rushing into new regulations that could generate unintended consequences.
So what's likely to happen? Especially if security breaches continue to be well-publicized, Congress will feel pressured and is most likely to group a number of proposals together in one mammoth package. If not, setting security breach standards could remain in the hands of state governments.