The Information Technology Association of America (ITAA) yesterday announced a six-point strategy to enhance the privacy and security of consumer data. ITAA also called for all involved in assuring the privacy of consumer records, including government agencies, the financial services industry, data aggregators and other technology firms, to work together in implementing the strategy.

ITAA's plan focuses on three areas: improving law enforcement powers and capabilities to focus on the lawbreakers; reducing the number of breaches; and notifying affected individuals in the event personal data are improperly disclosed or obtained.

"Consumers should not have to worry about their information getting into the hands of identity thieves and other criminals," said ITAA President Harris N. Miller. "People have a reasonable expectation that information they disclose on a credit application or for other purposes will be treated responsibly and that their right to privacy will be protected.

"Custodians of data, government and individuals all have a share of the responsibility in protecting personally identifiable information and other sensitive data and assuring its appropriate use," said Miller.

The six points of the strategy include the following:

A reasonable and effective national breach notification law applicable to credit reporting agencies as well as other data custodians;

• Such a national law must meet several objectives: establish a clear definition of what constitutes a breach; specify means and methods of notification; identify the level of detailed information to be provided; describe special exceptions and conditions where notification is not provided (as in national security matters); take into account technological approaches to protect data, such as data encryption; assure that the financial risks of non-compliance outweigh the costs of compliance; and preempt state laws and eliminate state-to-state disparities.

A national law enforcement strategy that reinforces prosecutors' tools and increases penalties for individuals who engage in illegally obtaining consumer records, whether electronically or by other deceptive acts;

• A single national law enforcement agency should serve as the primary focus for combating identity theft. This will facilitate closer, systematic co-operation between law enforcement and the financial services and consumer data industries. The rapid exchange of information in real time concerning suspicious activity will help apprehend identity thieves. Similarly, consumers need a single point of contact for reporting incidents and clearing their records. The current patchwork of law enforcement response gives identity criminals extra time to commit their frauds and confuses consumers.

Stronger industry-law enforcement cooperation;

• A series of regional meetings between industry executives and federal, state and local law enforcement would also enhance cooperation between industry and law enforcement to prevent and react to identity theft incidents. Those meetings should be designed to culminate in a body of specific policy recommendations and best practices.

Additional resources for federal, state and local law enforcement to focus on identity thieves;

• Additional resources at all levels of law enforcement are necessary to support investigation of identity theft incidents as well as apprehension of suspects. This additional funding should also support training in identity theft investigations and cooperation with corporations or other industry entities.

Accelerated development and adoption by data aggregators of information security process and methods as well as new technology tools to foil perpetrators and catch offenders;

• A robust and meaningful information security policy is the first line of defense for any organization seeking to assure the confidentiality of electronic records. Promising technologies can improve the identity management process and thereby mitigate the risks of identity theft. Improvements in areas like authentication, credentialing, vetting and issuance must be explored to deter individuals considering identity theft, to block attempts in progress and to prevent breaches in the future. Preventative steps must recognize that identity theft is both an external and an internal threat. To the extent that breaches do occur, mechanisms must also be put in place to re-establish data integrity.

A coordinated inter-industry effort to establish a consensus set of best practices, policy standards, solutions and education;

• A national conference attended by high-level representatives of all industry stakeholders should be held to produce an agreement to develop and pursue a joint strategy to fight identity theft and associated breaches of private data.