Companies that stand to lose from customer-data breaches want lawmakers to get tough. "Although Congress has provided for several laws pertaining to identity theft, identity thieves can operate with the belief that ... the criminal penalties are not so severe as to deter their actions," said Robert Ryan, senior director of government relations at financial-services company TransUnion LLC, to the House Judiciary Subcommittee on Crime, Terrorism, and Homeland Security in March. "We believe more can be done to find, investigate, and prosecute identity thieves and to punish them more severely."
New laws are in the works at the national level. The Identity Theft Penalty Enhancement Act, with similar versions under review in both the House and the Senate, increases the sentences for identity-theft convictions by about two years and aims to restrict the court's ability to allow those convicted to serve concurrent sentences for other crimes they've committed, such as mail theft and fraud, money laundering, immigration fraud, and drugs and weapons trafficking. The law requires an additional five years in prison if the crime was committed as part of an act of terrorism.
In California, lawmakers are looking to stiffen the state's database security breach law, known as SB 1386, that went into effect in July. SB 1386 requires companies and organizations to report publicly any unauthorized access to their electronic databases that contain unencrypted financial information about California residents. The law is designed to provide residents with quick notice if their personal information is exposed, so they can take measures such as adding fraud alerts to their credit reports.
California Senate Bill 1279 seeks to broaden the original law to include personal financial information held on paper. The original law was the result of an incident in April 2002, when hackers accessed the state of California's payroll database. Many state employees said they weren't notified about the security breach quickly enough.
Missouri is considering perhaps the stiffest identity-theft law yet. Officials in that state are mulling a law that would sentence identity thieves to 10 years to life imprisonment if convicted of stealing more than $100,000 in property or services.
Illustraton by Brian Stauffer