National breach list? Pinch me!
H.R. 3997, the Financial Data Protection Act, is one of the many pieces of legislation proposed in the US to deal with identity theft or notification of security breaches. It was approved by the Financial Services Committee of the House of Representatives on 3/16.
I haven’t read the full text of the bill (and it has been roundly criticized by folks whose opinions I trust) but I was happy to see this in the press release from the commitee:
An amendment offered by Rep. Barbara Lee (CA) would require the Federal Trade Commission to coordinate with other government entities to create a publicly available list of data security breaches that have triggered a notice to consumers within a twelve month period.
Another piece of legislation, which has been received rather better by privacy advocates and consumer rights groups, is the Data Accountability and Trust Act. Guess what? It also requires central reporting of breaches:
Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data–
[…]
(2) notify the [Federal Trade] Commission;
[…]
The Commission shall place, in a clear and conspicuous location on its Internet website, a notice of any breach of security that is reported to the Commission under subsection (a)(2).
I am happy to see these elements make their way into national legislation.
April Fool’s Joke?
Nah, our april fools jokes are much more obvious
ChoicePoint keeps a complete list of data breaches online at http://www.privacyatchoicepoint.com. CreditBloggers.com has a must-read interview with a ChoicePoint insider about consumer privacy and identity theft online today – http://www.creditbloggers.com/2006/04/12_questions_fo.html
@Emily:
The ChoicePoint list is useful, but I would not call it complete. Part of the problem is that absent a central (even within each state with a law) reporting requirement, we probably only are hearing about a fraction of the breaches about which notices are sent. We are even less likely to hear about those about which notice isn’t required, or hasn’t occurred yet (due to ongoing police investigation, for example).