(Samantha Stone/The Reasonable Reporter) – There’s an old saying. No man’s life, liberty, or property are safe while the legislature is in session. Let’s add to that list his personal identity.
In the 2009 session, the Reasonable Reporter counted 39 bills containing some element that would create a possibility of identity theft, or would potentially compromise data confidentiality and privacy. There may have been more than 39. Those were the ones that came to notice.
This could be another legislative session where ordinary Nevadans would toss and turn at night, if only they knew the extent to which their Personally Identifying Information serves as fodder for legislation.
The Reasonable Reporter is dismayed to announce the inaugural entry into her own 2011 Nevadans at Risk for Information Theft database. It’s AB 144, the Nevada Jobs First initiative, which has been highlighted as an important bi-partisan effort.
In the interest of putting unemployed Nevadans back to work, the bill stiffens the requirements for building contractors who bid on projects involving public money. The objective is laudable. The bill says Nevadans must comprise at least 50 percent of the workforce for such a project.
The method to carry out the objective is disconcerting. The workers must have a Nevada driver’s license or ID Card. The contractor is required to record driver’s license numbers, along with names, per diem compensation, and benefits paid. The contractor is further required to make this information available to the contracting city or other government agency in charge of the project. In turn, the city (or other agency) is required to make the information available for public inspection upon request.
Which means that the personally identifying information (PII is the term of art) belonging to Joe Sheet Metal Worker will be available to any member of the public upon request, along with the amount of money Joe is earning, and his employer’s name.
Questioned this morning about driver’s license numbers paired with names and other personal information, and packaged up as public information, the counsel to the Assembly Government Affairs Committee seemed unconcerned. The sponsors of the bill were not immediately available to comment.
But serving up this combination of data points about an individual conjures disturbing possibilities for abuse. There are, for instance, criminals who would manufacture a license featuring their own photo along with someone else’s name and driver’s license number for the purpose of boarding an airplane, or opening a bank account. This brand of identity theft is not only rampant by the actual perpetrators of such crimes, but there’s a multi-billion dollar worldwide black market for such PII.
The state of Nevada has addressed PII in statute, defining it as it relates to identity theft, and outlining certain requirements for entities who handle such data in the course of their business. Does the existing statute have application to the provisions of AB 144? Is Nevada placing building contractors in legal jeopardy under AB 144? Is Joe Sheet Metal Worker expected to trade the security of his personal identity in return for a chance to get back to work?
The Reasonable Reporter is no lawyer, but here is the definition of PII in NRS 205.4617
(a) The current or former name, driver’s license number, identification card number, social security number, checking account number, savings account number, credit card number, debit card number, financial services account number, date of birth, place of employment and maiden name of the mother of a person.
Business entities that keep PII are required by various laws to protect it. The businesses spend millions of dollars doing so, to avoid fines, lawsuits, dangers to their employees, and embarrassment to their companies. The building contractors referenced in AB 144 must certainly be required, at some legal level, to protect PII. And beyond the law, how about best practices for handling sensitive information?
It’s notable that protection of PII is not more central to the legislative process. The Reasonable Reporter had hoped that the increasing presence of Cybercrime in the headlines would heighten the awareness for state legislators this session. In fairness, lawmakers are generally very focused on policy objectives, and the money to accomplish their policy objectives. When the policy is developed, and the money has been won, they’ve done their jobs. Or so it used to be.
There is a constant legislative push, though, to digitize this and database that. To capture data about the citizen and to store the information. There is also drive for transparency, which is seemingly the objective AB 144. These goals raise PII concerns, and there should be a PII checklist for bill drafters.