Yale CPSC 457 - Analysis of the Privacy Act of 2003


Analysis of the Privacy Act of 2003: A title-by-title investigation into the Privacy Act of 2003 and the effectiveness of legislation in reducing identity theft by limiting commercial and government access to and usage of personal identifiable information

Wesley C. [email protected] paper will look into the proposed laws and amendments contained in The Privacy Act of 2003 (TPA) and their ability to reduce and stymie future identity theft attempts that result from the compromise of sensitive information specifically defined in TPA. An investigation of TPA, at a limited level, will be able to determine the effectiveness of this Act, if it is enacted into law. The effectiveness of TPA, broken down by each applicable Title, will be measured first by current policy and its impact on identity thefts and second by the technological changes that would be required within both the private and public sectors.

Introduction

In March of 2003, Senator Dianne Feinstein (D-CA) introduced the Privacy Act of 2003 (S. 745). The legislation, introduced in the 108th Congress, would establish a two-tiered system of protection for all personal and sensitive information. The bill specifies an opt-in system that would require any company to obtain an individual’s permission prior to the sale or release of the individual’s sensitive information to third parties. Noteworthy items include: (1) a state department of motor vehicles can no longer disclose the most sensitive information on a driver's license, such as the driver's identification number or physical characteristics, without the driver's opt-in; (2) a business is prohibited from denying service to a customer who refuses to provide his or her Social Security number, except in cases where the Social Security number is needed.

Term Definitions

Throughout this paper there are several terms used which will be defined here in context with respect to TPA.
Footnote: The complete details of Feinstein’s policy presentation can be found at http://thomas.loc.gov/ for Senate Bill 745. All subsequent references to The Privacy Act of 2003 (TPA) can be found by searching at the above URL.

Commercial entity – The term “commercial entity” means any person offering products or services involving commerce among the several States or with 1 or more foreign nations, in any territory of the United States or in the District of Columbia, or between any such territories. The term does not include any nonprofit entity that would otherwise be exempt from coverage under section 5 of the Federal Trade Commission Act (15 U.S.C. 45); any financial institution that is subject to title V of the Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.); or any group health plan, health insurance issuer, or other entity that is subject to the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 201 note).

Individual – The term “individual” means a person whose personally identifying information has been, is, or will be collected by a commercial entity.

Medium – The term “medium” means any channel or system of communication including oral, written, and online communication.

Nonaffiliated third party – The term “nonaffiliated third party” means any entity that is not related by common ownership or affiliated by corporate control with the commercial entity, but does not include a joint employee of such institution.
Personally identifiable information – The term “personally identifiable information” means individually identifiable information about the individual that is collected including-- (A) a first, middle, or last name, whether given at birth or adoption, assumed, or legally changed; (B) a home or other physical address, including the street name, zip code, and name of a city or town; (C) an e-mail address; (D) a telephone number; (E) a photograph or other form of visual identification; (F) a birth date, birth certificate number, or place of birth for that person; or (G) information concerning the individual that is combined with any other identifier in this paragraph.

Collection and Distribution of Personally Identifiable Information and Individuals’ rights to Privacy Control

TPA Section 101 in general states: It is unlawful for a commercial entity to collect personally identifiable information and disclose such information to any nonaffiliated third party for marketing purposes or sell such information to any nonaffiliated third party, unless the commercial entity provides – (A) notice to the individual to whom the information relates; and (B) an opportunity for such an individual to restrict the disclosure or sale of such information.

In September 2002, JetBlue Airlines handed over 5 million passenger records to the defense contractor Torch Concepts. The apparent goal of the report, to be generated by Torch Concepts, was to determine whether it was possible to combine travel and personal information to create a profiling system that would make air travel safer. In doing so JetBlue violated its own privacy policy stating that “it would not disclose consumer information without first informing the consumer”.
Footnote: The complete details of JetBlue’s privacy policy violation can be found in MSNBC’s article found here: http://www.msnbc.com/news/969189.asp?cp1=1.

At this point there have been two class action lawsuits filed attempting to fine JetBlue for what the Federal Trade Commission (FTC) calls “deceptive trade practices”. However, what JetBlue did was legal, as there is no Federal or State law to hold against JetBlue’s corporate malfeasance. The FTC hopes to establish a precedent in this case and aid in bolstering future cases against entities that violate privacy policies, bound by contract, endangering individuals’ own personal information. If TPA were enacted into law, JetBlue’s actions would have been illegal and to some extent would result in fines up to 25,000 dollars per violation. Again, if TPA were law, JetBlue’s privacy policy would also have to be modified to accommodate the changes required by TPA. It should also be noted that these changes would also have to be somehow incorporated into JetBlue’s corporate IT system to ensure no future misdoings could be done at a software layer, i.e. email, etc. This is no easy task, but there are quite a few software vendors who do offer internal corporate-control and damage-control applications and suites that

