The new national strategy, which spans two volumes and 190 pages, calls for rewriting existing criminal laws to penalize use of malicious spyware and keyloggers, to expand mandatory minimum prison sentences for certain levels of electronic data theft, and to allow identity theft victims to receive monetary compensation not only for their direct financial losses, but also for the time they spent piecing their lives back together.
Scores of state and federal laws, such as one President Bush signed in October 1998, already outlaw identity fraud, and federal prosecutors have successfully to secure convictions against phishers, miscreants who typically use fraudulent Web pages and spam to trick people into giving up personal data. The National Conference of State Legislatures has compiled an exhaustive list of state statutes that also have resulted in felony convictions. In addition, fraud itself has been unlawful for hundreds of years.and another that President Clinton
Nevertheless, the task force members called for still more laws. "Much has been accomplished, and there are more protections in place now than ever before," Gonzales said at a press conference here during an FTC workshop about identification and authentication tactics. "But the president and the task force recognize we need to do more."
Bush created the task force within the White House last May, just before that devices housing personal data on more than 26 million veterans had been stolen. The task force consists of cabinet-level and high-ranking officials from a total of 17 federal agencies and departments.
The final report repeats many suggestions contained in an interim document released last September.
Many of the recommendations differ little from policies that Congress has already been exploring. The plan, for example, calls for limitingby federal agencies and for establishing a dictating how private companies should safeguard the personal data they hold and when they must notify the public about security breaches.
The group also suggests setting up a so-called National Identity Theft Law Enforcement Center, which would allow law enforcement, regulatory agencies and the private sector to consolidate and share such information around the clock.
"One thing is clear," Majoras said, "Only a coordinated approach will have the reach and impact necessary to effectively attack this crime."
The Business Software Alliance, whose members include Apple, Microsoft and Cisco Systems, applauded the task force findings, particularly the provisions aimed at closing perceived gaps in criminal computer crime laws.
The task force had called for changes to current computer-related identity theft laws because it said they aren't broad enough to allow for prosecution of all wrongdoers. One provision, for instance, requires that the data in question be stolen through "interstate communications" before a prosecution can occur, and another provision stipulates that the damage caused by cybercrooks to a person's computer must exceed $5,000 in most cases--a condition the task force says is often difficult or even impossible to prove.
Some privacy advocates said they believe the report fell far short of assuaging concerns about safeguarding personal data.
"We don't think the final strategic plan does enough to address the root causes of the identity theft problem," said Marc Rotenberg, executive director of the Electronic Privacy Information Center. EPIC had filed comments urging the government to focus on getting government agencies and private companies to employ better privacy and security practices, not just on expanding law enforcement powers.
Ari Schwartz, deputy director of the Center for Democracy and Technology, said the report made some important suggestions, but his organization was disappointed that it "only addresses the symptoms of an ailing national privacy framework that is badly in need of an overhaul."
CNET News.com's Declan McCullagh contributed to this report.