Identity Theft—Senate Action
The Senate Judiciary Committee has approved a new identity theft bill that would compel mandatory notification when personal data has been compromised; increase the penalties for identity theft crimes; regulate data brokers; compel businesses that aggregate personal data to create frameworks to ensure the protection of that data; create “safe harbors” for companies that conduct assessments of their security systems; require government contractors to take personal data security into account when being awarded government contracts; allow the FTC, State attorneys general, and the Federal attorney general to bring civil suits against entities that fail to provide notice of data breaches; define personal data; forbid private causes of action for the victims of a security breach; define “security breach”; and define “data broker.”[1]
The bill would amend Title 18 of the U.S. Code in a number of ways.
First, it would amend 18 U.S.C. § 1030(a)(2) (Fraud and related activity in connection with computers) by adding subsection (D), which would include “information contained in the databases or systems of a data broker” in the list of locations for which criminal penalties can attach for exceeding authorized access.[2]
Second, it would add the new 18 U.S.C. § 1030(a)(2)(D) to 18 U.S.C. § 1961(1), thereby including it in the definition of “racketeering activity.”[3] In doing so, it also broadens the scope of “unlawful activity” in the money laundering statutes.[4]
Third, it would amend Chapter 47 of Title 18 (Fraud and False Statements), by adding a new section, 18 U.S.C. § 1039 (Concealment of security breaches involving sensitive personally identifiable information). Under this new section, it would be a crime for a person or entity having knowledge of a security breach, and having an obligation to provide notice of the breach, to intentionally and willfully conceal the fact that a breach and economic damage have occurred.[5] The penalty for such concealment would be a fine, imprisonment for up to five years or both.[6]
Fourth, it would further amend Chapter 47 of Title 18 by adding a new section, 18 U.S.C. § 1030A (Aggravated fraud in connection with computers). Under this new section, it would be a crime for a person, during a felony violation of 18 U.S.C. §§ 1030(a)(2)-(7), to knowingly obtain, access, or transmit a means of identification of another person.[7] Doing so could yield an additional sentence of up to 2 years in prison.[8]
Fifth and finally, the bill would give the United States Sentencing Commission the authority to review and amend the Federal sentencing guidelines that relate to identity theft.[9]
The bill has come out of the Senate Judiciary Committee without a written report, and it has been placed on the Senate Legislative Calendar. It is one of many identity protection bills that have been introduced in the Senate.[10]
[1] Senator Dianne Feinstein, Senate Judiciary Committee Approves Bill to Protect Americans from Identity Theft, US Senate, Nov. 17, 2005, available here. See also, S. 1789, 109th Cong. (2005).
[2] S. 1789, 109th Cong. § 101 (2005).
[3] Id. § 102.
[4] See, e.g., 18 U.S.C. § 1956(c)(7)(A).
[5] S. 1789, § 103(a).
[6] Id.
[7] Id. § 104(a).
[8] Id.
[9] Id. § 105.
[10] See, e.g., S. 768, 109th Cong. (2005); S. 884, 109th Cong. (2005); and S. 1326, 109th Cong. (2005).

