[Dataloss] Proposed AZ data-theft bill has critics
security curmudgeon
jericho at attrition.org
Wed Apr 26 03:31:09 EDT 2006
Courtesy of ISN:
http://www.azstarnet.com/dailystar/business/126149
By Scott Simonson
Arizona Daily Star
Tucson, Arizona
04.25.2006
If a hacker steals your bank card number in Arizona, there's no state
requirement that your bank or a merchant involved notify you.
That could change if Gov. Janet Napolitano signs a bill passed by the
Legislature last week.
Consumers Union, the non-profit group that publishes Consumer Reports
magazine, has criticized the proposed law as ineffective.
Arizona's law would allow companies to decide whether a computer-security
breach is serious enough to deserve a consumer warning, said Gail
Hillebrand, who heads Consumers Union's financial privacy campaign.
"Who's going to decide?" she said. "It's going to be the company who
failed to protect your data."
Currently, Arizona receives much of its information about thefts of
computer data from California, said Andrea Esquer, spokeswoman for Arizona
Attorney General Terry Goddard. California requires all companies to
report stolen information.
In 2003, California passed the first U.S. law requiring customer
notification of breaches in companies' computerized data. At least 10
other states have followed suit, said Hillebrand. Arizona's bill differs
from California's in two important ways, she said.
California requires companies to report any security breach, Hillebrand
said.
Under the Arizona legislation, only breaches that "materially compromise"
people's information must be reported.
Depending upon how that language is interpreted, companies may be allowed
to choose whether to tell consumers, Hillebrand said.
Arizona's law also exempts banks, hospitals and some government agencies.
California's law requires all companies to report problems.
As of Monday, Napolitano had not acted on Senate Bill 1338, said Shilo
Mitchell, spokeswoman for the governor.
The sponsor of the Arizona bill, Sen. John Huppenthal, R-Chandler, could
not be reached for comment on Monday.
Rep. Marian McClure, R-Tucson, helped sponsor the bill in the House but
said that consumers should be told about all computer security breaches.
Senate Bill 1338 represents a step in the right direction, she said,
although she introduced a stronger bill that failed earlier in the
session.
"A consumer should have a right to know that the information has been
stolen," she said, "to make sure who stole that information cannot steal
my identity."
Consumer notification might help, but better enforcement and better
information sharing are crucial, according to a Tucson couple who have
been victims of identity theft.
Elisabeth and Stephen Klingler have discovered that three other people
have been using his Social Security number.
The Klinglers traced some of the thefts to other states, but law
enforcement has not investigated, Elisabeth Klingler said.
The identity thefts have caused incorrect information about their credit
to be reported to data brokers - businesses that collect people's
information and sell it to other companies.
The Klinglers said consumers need better laws to help clear false
information from the files that companies keep.
The bad information has hindered them in buying a cell phone and taking
out a store credit card, Elisabeth Klingler said, and it could one day
affect their ability to buy another home.
"We're kind of giving up hope," she said. "It would take a lifetime to get
the information corrected."
What the bill says
* Senate Bill 1338 would require businesses operating in Arizona to
notify customers if a computer-security breach compromises their
personal information.
* Companies that do not notify customers could face fines from the
state attorney general.
* Government agencies would face the same requirements. The proposed
law would not apply to banks, hospitals, health insurance companies,
law enforcement agencies or courts.
Data thefts
* Some of the largest reported thefts of customer data since March
2005, according to ChoicePoint Asset Co.:
Disclosed by                             Date             Customers affected
Bank of America                          February 2005    1.2 million*
DSW shoes                                March 2005       1.4 million
Ameritrade                               April 2005       200,000
Bank of America, Wachovia, other banks   April 2005       680,000
CitiFinancial                            June 2005        3.9 million
MasterCard                               June 2005**      40 million
OfficeMax                                February 2006    200,000
* data of federal employees only
** related to security breach at CardSystems Solutions Inc. service
center in Tucson