I'll admit, I haven't read the bill, so this may be pretty alarmist... but if you work in IT at a company that puts monitoring software on it's employee's computers... Will you now be a fellon?

Folks,

Anyone who has had Identity Theft happen to them would agree that fines are not enough punishment for the perpetrators.

My identity is all I was born with and all I'll take to the grave.

The crime combines fraud, slander and libel, with grand larceny and the mental anguish caused by having your identity stolen can never be valued monetarily.

Here is what I consider "Redress for the Victims".

The punishment should be a minimum term of no less than 10 years in a Federal Penitentary (with Bubba) and confiscation of all of the perp's worldly property to be sold at auction to pay the debt created when the victim's identity was stolen. If there is anything left over, it should go to the victim or his heirs.

The statute should also cover Phishing attempts and Trojan attack. Those perpetrators just get the death sentence!

ALL financial institutions should be mandated by law to co-operate with the victim and shut down the fraudulent credit on the day that the victim contacts his creditors. No arguements, no delays. ANY victim has enough identifying data stored by the Big 3 Credit agencies that they should never have allowed the theft in the first place.

However, IF the data used to commit the crime, was stolen from a credit agency, banking, governmental, hospital, university or financial institution; that agency should be fined to the tune of at least a million dollars for having such lax data security.

Only then will the people that collect all our personal data be concerned about it's ABSOLUTE privacy.

We also need to come up with a completely different ID method, beyond a Social Insecurity number. Preferably one that does not involve having the "Number of the Beast" broadcasting radio frequency from a chip under the skin of your left arm (or elswhere).

Given the consequences of over identification, adding nothing more than a 6 digit pin number (That has to be keyed in, not spoken) to the existing SSN would be a great start. Requiring multiple forms of ID, presented in person; for obtaining credit would be even better.

I would also like to see that ALL credit companies be prevented by law from sending unrequested credit applications in the mail or offering them via email.

Even then, someone will try to game the system but they will be easier to stop and when caught, the punishment will be more fitting.

About the only thing missing as far as I can see is a negligence portion that makes banks and other financial institutions liable for compensation if ID Theft results from their stupidity, illegal behaviour or their employees binning stack loads of paperwork without shredding it.

And that means real compensation. The most likely scenario should someone steal your identity is for them to try to take out loans or get hold of credit in some other way.

Anyone responsible for this, including for instance a credit card processing company that irresponsibly kept live customer data for their own very questionable purposes on unsafe networks, should be forced to deal with the collections calls on behalf of the people they've fucked over. If that means they'll have to pay the bills then good, because this is the sort of punishment that makes people a tad more careful in the future.

The next problem is paying exorbitant interest rates once your credit has been destroyed. Credit card companies will automatically jack them up, insurance companies increase your premiums (something that should be made illegal in itself) and if you're about to buy a home, you're well and truly fucked.

This is where the real compensation should come into play. Either by forcing banks and other financial institutions to offer equivalent credit at reasonable interest rates - or by forcing businesses not able to offer credit into making the payments on behalf of their victims.

Again, these are the only sorts of punishments that will force the pricks that negligently store personal data on insecure systems into changing their practices and actually respecting the privacy of their customers. Often this data retention is done without the permission of the person affected, it is often done despite written promises not to do so, and despite the rules and regulations that govern their types of businesses.

Token enforcement no real effort as far as I can tell is under way in the US to enforce the current laws it's merely more political pandering.

re :'but if you work in IT at a company that puts monitoring software on it's employee's computers... Will you now be a fellon?'

err...surely if you work in the IT Dept then the computers will be company computers, not those of the employee? And as such, the IT Dept is/should be the guardian/owner of those machines.

And if employees do bring their own personal machines into work (which i see an enormous amount of) then they will be subject to the guidelines, rules and procedures that a company SHOULD have in place for just this scenario.

to put someone behind bars if they get caught and criminally convicted. As should have happened, in my view, but didn't to the directors of Sony UK over the music CD rootkit they were responsible for. That is current UK law (Computer Misuse Act, section 3) as I understand it. I really can't see how letting a crook get away with 9 spyware installations unauthorised by system owners is in any way OK.

A companies putting a program on a computer used by an employee is acting completely legally if the employee is informed that what takes place on such a computer is the company's business.

Very few people suffer from actual identity theft. They suffer from incompetent/negligent banks and credit card companies whose security procedures fail to prevent them giving money to people who shouldn't have it.

They record this as identity theft as it then becomes a crime involving the customer and the perpetrator as opposed to a fraud commited against the company. The bank/credit agency then commits a secondary fraud by claiming that the customer is liable for the incurred debt.

"if you work in IT at a company that puts monitoring software on it's employee's computers... Will you now be a fellon?'

Only if you steal the employee's ID for fraudulent purposes.

Sen. Leahy ways that his bill will, "Give victims of identity theft the ability to seek restitution for the loss of time and money spent restoring credit and remedying the harms of identity theft." I wonder from whom the "victims of identity theft" will be seeking restitution? And in what forum?

Shall we be suing some oik in a civil court and attempting to put a lien on the computer in his parents' basement (his/her only possession)? Will the "restitution" be a part of the criminal trial and will local law-enforcement be charged with securing said restitution? As has been said above, will we now be able to secure restitution from the enterprises that conspired - through their poor practices - with the identity theft? (Typing this last one made me laugh out loud at the thought of even a Democrat proposing a bill that might hold American financial institutions to account.)

I believe there's a good intent to the bill. Sadly, by the time it gets through committee, it will probably contain nothing of the original intent but here's a thumbs up for trying, Sen. Leahy.