State lets out private data

March 24, 2006

By Matthai Chakko Kuruivila, Mercury News

The state Employment Development Division confirmed Thursday that it sent out about 64,000 tax forms containing Social Security numbers and income information to the wrong addresses, potentially exposing those taxpayers to identity theft.

The 1099 tax forms, which summarize annual benefit payouts, were sent to people who had changed addresses over the past 18 months and had received unemployment, paid family leave or disability payouts from the state.

The EDD said a ``software glitch'' resulted in 1099s being sent in January to garbled addresses that combined old street addresses with recipients' new cities and ZIP codes.

The incident represents only the latest example of consumers seeing sensitive personal information mishandled by others. Just Wednesday, Hewlett-Packard acknowledged the theft of a laptop containing the names, Social Security numbers and other information for 196,000 current and former employees. The laptop belonged to Fidelity Investments, which administers HP's retirement plans.

Data breaches have become increasingly publicized, in large part because of California's pioneering consumer protection laws, which require that consumers be notified if their personal information is exposed -- whether or not it was misused. But that safeguard, along with the power to lock out potential fraudsters by freezing credit reports, is threatened by Congressional legislation that would lessen those protections.

Unlike the EDD case, many data breaches have involved electronic data, which can be easily stored and transferred in any number of ways. Missing or stolen laptops, data tapes and even compact discs have all been the sources of recent data breaches.

Still, the EDD's mistake had the same effect of exposing sensitive personal information.

``I think I'm particularly outraged because it's a government agency,'' said Ken McEldowney, executive director for San Francisco-based Consumer Action. ``I think people expect government agencies to protect their personal financial information more than private industry. As this shows, that's not the case: They're just as sloppy.''

McEldowney said it was ``one of the most serious'' data breaches he had heard of.

The department sent out the 1099s in January, learned of the problem in February and notified potential victims last week, said EDD spokeswoman Velessata Kelley. Kelley said the department waited to inform people because ``we had to identify who had been impacted and how to correct the problem.''

The latest data breach comes as federal policy-makers are pushing a bill that critics say will erode California's strict notification law.

Just a week ago, the House Financial Services Committee voted to approve a bill that would leave many notification decisions to the discretion of businesses.

In addition, the same bill would allow individuals to ``freeze'' their credit only if they've already been victims of identity theft. Currently, Californians can put a freeze on their credit as soon as they discover their information was misplaced -- essentially preventing fraudsters from opening an account under someone else's name.

``It's so important to give consumers the tools, like a security freeze, that allow them to proactively protect themselves,'' said Michael McCauley, a spokesman for Consumers Union.

Rosetta Jones, a vice president for Visa USA, said ``there are no specific requirements'' for how issuers should verify an applicant's true identity beyond a name and Social Security number.

But, she added, ``it's in the issuers' best interest to make sure to screen their applications closely so as not to let a fraudster into the system.''

With more and more personal data living in the public sphere -- from medical records to certain Google Groups where Social Security numbers are traded -- private industry has moved in.

The credit bureaus, which maintain credit reports, each sell credit monitoring services -- as do a growing number of other companies.

But McEldowney, the consumer activist, noted that consumer protections, meanwhile, could be at risk.

``The problem is that given the current political environment, the credit and banking industry is so strong in Washington, there's no chance of getting decent legislation or to prevent Congress from pre-empting stronger state laws, such as in California.''

[an error occurred while processing this directive]