Identity Theft Guide to the 2008 Election

Democratic Candidates

Hillary Clinton

In 2005, Sen. Clinton and six other co-sponsors, including Republican presidential rival McCain, signed on to the Identity Theft Protection Act. The bill would have provided for the creation of a national standard for institutions to notify consumers of a breach of sensitive personal data—among its provisions was an authorization for consumers to “freeze” credit. But rather than mirror the most rigorous of laws similarly conceived at the state level, laws requiring that consumers be notified of any and all data breaches—the proposal favored by Clinton, McCain and the others offered businesses exceptional latitude, allowing businesses themselves to determine whether a data security breach posed a “reasonable risk” to consumers (and thus, needed to be disclosed). Consumer advocacy groups equated the dynamic enabled by such language to the proverbial fox guarding the henhouse, and opposed the measure. 

Though that bill never made it out of committee, the following year Sen. Clinton once again attached her name to legislation intended to address the issues of identity theft and privacy. In 2006, she introduced two separate bills, the first a sweeping, multi-tiered proposal known as the Privacy Rights and Oversight for Electronic and Commercial Transaction (PROTECT) Act. Clinton likened this to a “privacy bill of rights” and could hardly be accused of understating the importance of the problems it hoped to rectify. Quoted by The New York Times in June 2006, shortly after introducing the bill to Congress, she collectively referred to rampant identity theft and security breaches of federal records as “one of the most important issues facing us as individuals and as a nation.”

“Modern life makes many things easier and many things easier to know, and yet privacy is somehow caught in the cross hairs of all these changes,” Clinton was further quoted.

The PROTECT Act, which also failed to make it out of committee, included the following provisions:

• Creating a “Chief Privacy Officer” in the Office of Management and Budget.
• Making institutions potentially liable for $1,000 in damages to any individual whose data is compromised.
• Prohibiting a financial institution from sharing “usage” data (i.e. records of previous purchases) with third parties without a consumer’s express consent.
• Requiring businesses to notify consumers when their personal identifying information is sent to another country.
• Requiring businesses to notify consumers when sensitive personal information has been compromised.
• Allowing consumers, for a “reasonable” fee determined by credit reporting agencies, to place security freezes on their credit files.
• Creating additional penalties for violations of the Health Insurance Portability and Accountability Act, which created standards for the security and privacy of health care data.

Sen. Clinton’s next major identity theft foray, the Debit and Check Card Consumer Protection Act, would have limited liability for consumers whose debit or check card numbers have been stolen (thus codifying into law policies similar to those that banks already follow on their own). Like the PROTECT Act, that bill never made it to the floor of the Senate.

Like her rival, Sen. Barack Obama, Clinton voted in June 2007 against a proposal introduced by Sen. John Cornyn (R-Texas) that would have denied legal status to illegal immigrants who had ignored deportation orders or had been convicted of identity theft or fraudulent use of identification documents.

Barack Obama

During a May 2006 Senate hearing regarding the Department of Veterans Affairs data woes, Sen. Barack Obama spoke up about the circumstances that led to the agency’s loss of 26.5 million veterans’ personal identifying information. “The system is so poorly designed that one employee can compromise the whole thing,” Obama was quoted in the Washington Post.

The following year, in the heat of a hotly contested campaign for the Democratic presidential nod, Sen. Obama laid out his own “Technology and Innovation Plan,” a nine-page roadmap for what he says he hopes to accomplish if elected this fall. Published on his campaign Web site in Nov. 2007, the position paper identified database management as a key area of concern: “Dramatic increases in computing power, decreases in storage costs and huge flows of information that characterize the digital age bring enormous benefits, but also create risk of abuse,” his plan states. “We need sensible safeguards that protect privacy in this dynamic new world.”

Obama’s identity theft-related goals, as delineated in the proposal, are as follows:

• Provide “robust protection against misuses of particularly sensitive kinds of information, such as e-health records and location data that do not fit comfortably within sector-specific privacy laws.”
• Implement restrictions on how information in “powerful databases containing information on Americans that are necessary tools in the fight against terrorism” can be used. He also would enact measures to verify how the information actually has been used. 
• Increase the Federal Trade Commission’s enforcement budget and step up international cooperation to track down cyber-criminals, thus enabling U.S. law enforcement to better prevent and punish “spam, spyware, telemarketing and phishing intrusions into the privacy of American homes and computers.”

In 2007, Obama voted against an amendment that would have denied legal status to illegal immigrants who had flouted deportation orders or had been convicted of identity theft or fraudulent use of identification documents.

Republican Candidates

John McCain

While McCain joked about identity theft in a speech during his 2004 presidential run (the pun being that Democrats had co-opted his “identity” for photo ops and other demonstrations of bipartisan spirit), the issue has not played prominently at any juncture of his current presidential campaign.

Along with Clinton, McCain co-sponsored the Identity Theft Protection Act in 2005, which would have enabled consumers to “freeze” credit reports but preempted strong state data security laws with a weaker federal standard. The following year, however, McCain voted against a legislative amendment that would have denied Social Security benefits to illegal immigrants who work under a Social Security number obtained through identity fraud—a move that bolstered the opposition that he continues to face from hard-line conservatives. In 2007, he voted (along with Clinton and Obama) against an amendment that would have denied legal status to illegal immigrants who had flouted deportation orders or had been convicted of identity theft or fraudulent use of identification documents.

While chairman of the Senate Commerce, Science and Transportation Committee, McCain was quoted in the Feb. 28, 2001, Washington Times about the growing pressure on the federal government to enact online privacy protections: “There’s a groundswell of pressure to pass legislation to protect Internet users’ privacy. This is all well-intentioned, and some legislation is needed, but we must be extremely cautious that any legislation passed correctly balances privacy rights against overzealous regulations that cripple the burgeoning Internet economy.” It remains to be seen whether he still embraces this ethos seven years later, insofar as anything he publicizes on the campaign trail.

Mike Huckabee

Being the only major party presidential nominee who hasn’t served in Congress, the former Arkansas Gov. Mike Huckabee hasn’t had a chance to assert himself legislatively at the federal level, though his campaign Web site offers some insight into his views on identity theft as it ties to illegal immigration. “I will take our country back for those who belong here.  No open borders, no amnesty, no sanctuary, no false Social Security numbers, no driver’s licenses for illegals,” it reads.

Nevertheless, during his time as Arkansas Gov., Huckabee found himself dealing with the issue of identity theft both in intentional and unexpected ways. In 2005, Huckabee signed into law the state’s “Personal Information Protection Act,” a measure requiring organizations that handle sensitive data to notify affected consumers when their private identifying information is compromised. Arkansas’ law stood among the less stringent of similar state measures, requiring businesses to disclose the details of a breach only if unencrypted information “was, or is reasonably believed to have been acquired by an unauthorized person.”

But before Huckabee ever rubberstamped his state’s consumer data protection measure, the governor found himself the subject of attacks from critics including columnist Meredith Oakley from the Arkansas Democrat-Gazette in October 2002. Oakley had taken umbrage to the way in which the governor’s administration handled criticisms of its multi-million dollar Arkansas Administrative Statewide Information System (AASIS). Among the computerized accounting system’s flaws was an oversight that allowed any of the hundreds of state employees who had an AASIS password to access the Social Security numbers of other state employees, including Huckabee himself. The problem had been going on for a year, at least since the Arkansas Times first broke news of the security flaw (and Huckabee’s administration subsequently ordered a police investigation to determine which state employee leaked the story).

Quoted by the Batesville Daily Guard in October 2002, Huckabee acknowledged that “identity theft is a serious issue” and pointed out that only those in a position of trust could access information on AASIS. But like McCain, the governor was also quick to play the issue for a joke, suggesting that if his identity was stolen, he could only hope the culprit could somebody who resembles him—someone like Brad Pitt or Tom Cruise.