Lawmakers want businesses to be required to tell customers when private data is stolen.

WASHINGTON — Responding to outrage from consumers whose personal information has been stolen from companies, Congress is primed to pass new laws to try to prevent break-ins and to require businesses to tell customers when private data is taken.

The government’s new interest in requiring such embarrassing disclosures reverses the long pattern of FBI and U.S. prosecutors to shield corporations hit by hackers from bad publicity by keeping such crimes out of headlines.

But now, consumers want to know if their private information has been stolen.

The Senate is considering at least two proposals to crack down on companies suffering breaches of private customer information. The chairwoman of the Federal Trade Commission (FTC) has endorsed the idea, and Senate Judiciary Committee Chairman Arlen Specter, R-Pa., hinted this week a new law might be inevitable.

“We may well face a necessity for some really tough legislation,” Specter said.

The new push for government action responds to frustrated constituents who are among more than 10 million victims of identity theft each year. It comes after years of reluctance by most companies to voluntarily report break-ins that put customers’ financial information at risk.

“Congress is primed to take a very serious look at this and pass comprehensive legislation,” said Sen. Charles Schumer, D-N.Y., sponsor for one bill. “Nobody has given this problem the focus it deserves. This is a high priority.”

A California law already requires disclosures to victimized consumers who live there, and roughly 30 states are looking at similar laws.

“The last thing a merchant wants to do is tell all his longtime customers he’s been hacked and lost all their information,” said Keath Nupuf, chief technology officer for CardCops of Malibu, Calif. The company monitors Internet chat rooms and other hacker communications for stolen credit-card numbers, then notifies merchants and consumers.

CardCops contacted 80 consumers earlier this week to report their card numbers and other personal details were circulating among Internet thieves, Nupuf said. The card numbers were pilfered from merchants that range from mom-and-pop shops to upscale retailers on New York’s Fifth Avenue.

“One guy was blowing a blood vessel,” Nupuf said. “He was going to drive across country and kill the merchant.”

Peiter “Mudge” Zatko, a computer expert who consulted for the Bush and Clinton administrations, often is hired by companies to tighten security and clean up the digital mess after a data breach. Zatko said companies “almost never” tell the FBI or customers when sensitive data is stolen.

“Maybe they have a government contract, and it would look bad,” he said. “Maybe they’re trying to keep it quiet so they don’t scare the financial markets.”

Sometimes companies warn customers. Howard Schmidt, a former White House adviser, said thieves took a computer from the store where he buys eyeglasses. The computer contained his credit and medical information, Schmidt said, and the owner contacted him.

“That was a good thing,” Schmidt said. “I want to do business with these guys.”

Yet, the FBI and Justice Department have worked hard to shield identities of victimized corporations. To encourage businesses to contact them after such break-ins, investigators and prosecutors have publicly promised to seal court records, keep top executives off witness stands and use protective orders to keep details of these crimes out of the headlines.

“There is still some reluctance to call law enforcement, some hesitancy because of the negative impact on reputation,” said Amit Yoran, the Bush administration’s former top cyber-security official.

He said requiring companies to acknowledge a break-in “may be of value, but it should not be done as a knee-jerk reaction to the handful of high-profile and significant disclosures of the past few weeks.”

FTC Chairwoman Deborah Majoras estimated consumers lost $5 billion and businesses lost $48 billion because of identity theft in 2003. The FTC is studying how it can use existing banking statutes and laws against consumer fraud to prosecute companies that fail to report serious breaches.

Majoras said government should consider requiring companies to tell customers about break-ins when thefts put them at financial risk. She endorsed minimum-security requirements for businesses that collect sensitive personal information.

“The challenge is to come up with a way of defining when notice should be sent and when it doesn’t make sense,” said Joel Winston, associate director at the FTC’s division for financial practices.