Last year, President Bush established an identity-theft task force. The report came out in April. The task force was composed only of federal agencies, with the Federal Trade Commission and the Department of Justice as co-chairs. The report is just what it represents to be – a product of the bureaucracy.
You can find the full text at www.idtheft.gov.
The report focuses on four main areas. First, it addresses keeping sensitive consumer data out of the hands of identity thieves through better data security and more education. Second, the report wants to make it more difficult for identity thieves who obtain consumer data to use it to steal identities.
A third area is assisting the victims of identity theft in recovering from the crime. Finally, another goal is deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.
I could point out that the report fails to address some innovative activities such as synthetic ID theft. That occurs when a crook creates a new identity out of existing and newly created data elements. Since there is no existing individual who is the victim, the crime is harder to detect. Some evidence suggests that synthetic ID theft now represents a significant part of the overall problem. The task force should have discussed it.
Some of the recommendations border on the ludicrous. For example, the task force wants the federal government to better educate the private sector on safeguarding data. Most federal agencies consistently receive failing grades on computer security and have for years. The report acknowledges that agency performance on information security has been “uneven.”
It’s not that the recommendations are terrible or anti-consumer. Most of the ideas have some merit. But the report as a whole takes a narrow-minded, uncreative, tactical approach to identity theft. There is no strategic vision.
The task force did not consider ideas that are inconsistent with current political views.
The report includes a discussion of security breach notification, an entirely appropriate subject. No one can be surprised that this administration wants preemptive federal legislation, and there is a legitimate but not overwhelming case for it.
What about a private right of action for victims of security breaches? The report dismisses it in one conclusory sentence. The idea is apparently so politically toxic that the merits and demerits of private remedies could not be discussed seriously.
One of the best ideas that the privacy community has discussed for years is credit-grantor liability. Credit grantors have never much cared about identity theft because their losses from ordinary credit operations far exceed the losses from identity theft.
If an ID theft victim could sue a credit grantor for negligently giving credit to a crook, the incentives might shift. A few jury verdicts with huge damages would change the dynamic more than any minor response recommended by the task force. The report says make the crooks pay, but the handful of criminals actually caught are mostly judgment proof.
You don’t have to support expanded credit grantor liability, but it has been on the table for a while. The report does not mention it, not even to say why it is not a good idea. The task force did not even try to be an honest broker.
Volume II of the report lists laws, agencies and resources about identity theft. That’s fine. Which of the laws, agencies and resources have worked the best? The report offers no evaluation. We don’t have a case of throwing spaghetti at a wall to see what sticks. The report just throws the spaghetti and turns away. It gets worse.
The report tells federal agencies to take steps to deal with their own security breaches. Unfortunately, the method selected would give agencies new authority to make vast and virtually unqualified disclosures of personal information to nearly anyone in the universe in the hope that the disclosures might help deal with the mess. The task force didn’t value privacy enough to find a better way of achieving a reasonable objective without adding unnecessary disclosures.
I’d like to say that I am disappointed with the task force report, but I can’t. It’s just as useless as I expected. Creativity in year seven of an administration is a rare commodity.