Published: 17 Jul 2008
| A national data protection law would help curtail identity theft and could boost international relations.
A by-product of almost every transaction people make today is personal data being stored electronically somewhere, usually in several places such as a retail outlet, bank or credit card company. At the same time, 8.3 million Americans were victims of identity theft in 2005, according to the Federal Trade Commission. But while identity theft is a federal crime, there are no federal laws to protect personal data. Regulations like HIPAA and GLBA only deal with specific industries. Individual states have enacted various laws to help protect citizens from identity theft and related incidents, typically in the form of breach notification.
What our country needs is a national data protection law--one that individual states and industries could opt to expand. This law would define baseline protections that must be afforded to personal information regardless of who is collecting, storing and using the data. Such a law would also mandate that the government define exactly what data elements are to be considered personal data. Anyone familiar with the existing regulations knows that what is considered personal in HIPAA is not the same for GLBA. And pending federal legislation--most of it focused on breach notification--doesn't definitively list the data types to be protected. Senate Bill 495, the Per-sonal Data Privacy and Security Act of 2007, is fairly comprehensive in the protection of sensitive personal information, but also fails to define protected data elements.
What's needed is a law that provides protections similar to those called for in S. 495, but with a broader scope. For example, the bill restricts covered entities to those that conduct interstate commerce involving 10,000 or more U.S. persons, but there are many businesses (local insurance agents, lottery organizations, regional retail stores, etc.) collecting personally identifiable information that may not conduct interstate commerce yet are targets for data thieves. Also, the threshold should be lowered to companies with 5,000 or more customers. This national data plan would apply to all entities--public, private and government.
The baseline for protected information should be name, address, telephone numbers, Social Security number/passport/driver's ID (truncated or otherwise), biometric identifiers, and any account number that can be linked to any of this information. Other data elements such as passwords, security codes, PIN numbers, etc., should also be protected if used in combination with any of the baseline elements.
Is this kind of law feasible? Well, we as a nation are heading in this direction now, albeit in a reactive manner. My plan is more proactive--let's not regulate industry-by-industry but on a national scale. Enforcement is another issue, but since many states now have a computer crime division, enforcement could potentially happen at the state and federal levels.
Enacting a national data protection law could help us on the international front. The European Union (EU) has a data protection directive, and several countries within the EU have adopted individual data protection laws. Australia, Japan, Canada and other countries have adopted similar legislation. Occasionally there are reports of certain negotiations between the U.S. and other countries, normally involving trade, being held up due to the lack of adequate protection of personal data from non-U.S. citizens. A national data protection plan may help these negotiations progress.
The various federal and state laws that have been enacted thus far are necessary for prosecuting criminals and assisting victims of identity theft. But a national data protection plan will go further in reducing the number of victims and the severity of consequences of identity theft and aid in negotiations with other countries to boot.