Posted on: Saturday, March 19, 2005

Identity-theft proposal gaining

Los Angeles Times

U.S. regulators voted yesterday for a policy that would require banks to notify customers in certain cases of identity theft — a proposal that consumer activists called inadequate.

Federal Deposit Insurance Corp. officials said the proposal, which its board of directors approved, had nothing to do with recent disclosures of security breaches at information brokers ChoicePoint Inc. and Reed Elsevier's LexisNexis unit, as well as at Bank of America Corp.

The proposal, which sets the rules for financial institutions to follow in designing their notification policies, still must be approved by the Federal Reserve before taking effect.

It requires banks to quickly notify federal regulators if there is a security breach that might have compromised personal files. It defines sensitive data to include names, addresses, Social Security numbers and credit card numbers.

Still, the policy would require banks infiltrated by identity thieves to notify affected customers only if the bank determined that it was "reasonably possible" his or her private information had been misused.

The standard for when banks must notify customers is weaker than in a first draft of the proposal released in 2003. Under that standard, banks would have had to notify customers unless they could prove "misuse of the information accessed is unlikely to occur," according to a report released by the FDIC and three other federal agencies.