Businesses are required under several federal laws to develop, implement, and document evidence for “information security programs,” or they risk being fined. But problems with the laws are innumerable: they are too broad and too flexible; they fail to cover “people” within businesses who are given access to personal information; and they do not concern the “work processes” the people perform, such as financial transactions using applications containing personal information. Moreover, the laws do not state how to develop the specified information security program and, except for expecting information technology (IT) to secure computers and networks, the laws do not provide uniform security standards.
This failure to require security standards is particularly problematic because, as discussed in Chapter 4, personal information is widely disseminated worldwide. Once databases of information are distributed around the world to second, third, and other parties, they are under no one's control. Surprisingly, of the many laws enacted to prevent identity theft, not one contains provisions that would actually secure identities.
Five federal laws require information security, including the Fair Credit Reporting Act (FCRA), the Privacy Rule of the Federal Trade Commission (FTC), the Banking Guidelines, the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Safeguards Rule (GLB ...