[Dataloss] Proposed AZ data-theft bill has critics

security curmudgeon jericho at attrition.org
Wed Apr 26 03:31:09 EDT 2006


Courtesy of ISN:


http://www.azstarnet.com/dailystar/business/126149

By Scott Simonson
Arizona Daily Star
Tucson, Arizona
04.25.2006

If a hacker steals your bank card number in Arizona, there's no state 
requirement that your bank or a merchant involved notify you.

That could change if Gov. Janet Napolitano signs a bill passed by the 
Legislature last week.

Consumers Union, the non-profit group that publishes Consumer Reports 
magazine, has criticized the proposed law as ineffective.

Arizona's law would allow companies to decide whether a computer-security 
breach is serious enough to deserve a consumer warning, said Gail 
Hillebrand, who heads Consumers Union's financial privacy campaign.

"Who's going to decide?" she said. "It's going to be the company who 
failed to protect your data."

Currently, Arizona receives much of its information about thefts of 
computer data from California, said Andrea Esquer, spokeswoman for Arizona 
Attorney General Terry Goddard. California requires all companies to 
report stolen information.

In 2003, California passed the first U.S. law requiring customer 
notification of breaches in companies' computerized data.  At least 10 
other states have followed suit, said Hillebrand.  Arizona's bill differs 
from California's in two important ways, she said.

California requires companies to report any security breach, Hillebrand 
said.

Under the Arizona legislation, only breaches that "materially compromise" 
people's information must be reported.

Depending upon how that language is interpreted, companies may be allowed 
to choose whether to tell consumers, Hillebrand said.

Arizona's law also exempts banks, hospitals and some government agencies. 
California's law requires all companies to report problems.

As of Monday, Napolitano had not acted on Senate Bill 1338, said Shilo 
Mitchell, spokeswoman for the governor.

The sponsor of the Arizona bill, Sen. John Huppenthal, R-Chandler, could 
not be reached for comment on Monday.

Rep. Marian McClure, R-Tucson, helped sponsor the bill in the House but 
said that consumers should be told about all computer security breaches.

Senate Bill 1338 represents a step in the right direction, she said, 
although she introduced a stronger bill that failed earlier in the 
session.

"A consumer should have a right to know that the information has been 
stolen," she said, "to make sure who stole that information cannot steal 
my identity."

Consumer notification might help, but better enforcement and better 
information sharing are crucial, according to a Tucson couple who have 
been victims of identity theft.

Elisabeth and Stephen Klingler have discovered that three other people 
have been using his Social Security number.

The Klinglers traced some of the thefts to other states, but law 
enforcement has not investigated, Elisabeth Klingler said.

The identity thefts have caused incorrect information about their credit 
to be reported to data brokers - businesses that collect people's 
information and sell it to other companies.

The Klinglers said consumers need better laws to help clear false 
information from the files that companies keep.

The bad information has hindered them in buying a cell phone and taking 
out a store credit card, Elisabeth Klingler said, and it could one day 
affect their ability to buy another home.

"We're kind of giving up hope," she said. "It would take a lifetime to get 
the information corrected."

What the bill says

* Senate Bill 1338 would require businesses operating in Arizona to
   notify customers if a computer-security breach compromises their
   personal information.

* Companies that do not notify customers could face fines from the
   state attorney general.

* Government agencies would face the same requirements. The proposed
   law would not apply to banks, hospitals, health insurance companies,
   law enforcement agencies or courts.


Data thefts

* Some of the largest reported thefts of customer data since March
   2005, according to ChoicePoint Asset Co.:

Disclosed by                            Date            Customers affected
--------------------------------------  --------------  ------------------
Bank of America                         February 2005   1.2 million*
DSW shoes                               March 2005      1.4 million
Ameritrade                              April 2005      200,000
Bank of America, Wachovia, other banks  April 2005      680,000
CitiFinancial                           June 2005       3.9 million
MasterCard                              June 2005**     40 million
OfficeMax                               February 2006   200,000

* data of federal employees only

** related to security breach at CardSystems Solutions Inc. service
    center in Tucson


