[Dataloss] State lets out private data

Fri Mar 24 11:55:58 EST 2006

State lets out private data
http://rds.yahoo.com/S=53720272/K=state+development+department+california+br
each/v=2/SID=w/l=NSR/R=1/;_ylt=A9iIgNQMJCREDVMBPiTQtDMD;_ylu=X3oDMTBjMHZkMjZ
yBHBvcwMxBHNlYwNzcg--/SIG=13oraod0s/EXP=1143305612/*-http%3A//www.broward.co
m/mld/mercurynews/business/14176227.htm?source=rss&channel=mercurynews_busin
ess

64,000 TAX FORMS SENT TO WRONG ADDRESSES
By Matthai Chakko KuruvilaMercury News
The state Employment Development Division confirmed Thursday that it sent
out about 64,000 tax forms containing Social Security numbers and income
information to the wrong addresses, potentially exposing those taxpayers to
identity theft.
The 1099 tax forms, which summarize annual benefit payouts, were sent to
people who had changed addresses over the past 18 months and had received
unemployment, paid family leave or disability payouts from the state.
The EDD said a ``software glitch'' resulted in 1099s being sent in January
to garbled addresses that combined old street addresses with recipients' new
cities and ZIP codes.
The incident represents only the latest example of consumers seeing
sensitive personal information mishandled by others. Just Wednesday,
Hewlett-Packard acknowledged the theft of a laptop containing the names,
Social Security numbers and other information for 196,000 current and former
employees. The laptop belonged to Fidelity Investments, which administers
HP's retirement plans.
Data breaches have become increasingly publicized, in large part because of
California's pioneering consumer protection laws, which require that
consumers be notified if their personal information is exposed -- whether or
not it was misused. But that safeguard, along with the power to lock out
potential fraudsters by freezing credit reports, is threatened by
Congressional legislation that would lessen those protections.
Unlike the EDD case, many data breaches have involved electronic data, which
can be easily stored and transferred in any number of ways. Missing or
stolen laptops, data tapes and even compact discs have all been the sources
of recent data breaches.
Still, the EDD's mistake had the same effect of exposing sensitive personal
information.
``I think I'm particularly outraged because it's a government agency,'' said
Ken McEldowney, executive director for San Francisco-based Consumer Action.
``I think people expect government agencies to protect their personal
financial information more than private industry. As this shows, that's not
the case: They're just as sloppy.''
McEldowney said it was ``one of the most serious'' data breaches he had
heard of.
The department sent out the 1099s in January, learned of the problem in
February and notified potential victims last week, said EDD spokeswoman
Velessata Kelley. Kelley said the department waited to inform people because
``we had to identify who had been impacted and how to correct the problem.''
The latest data breach comes as federal policy-makers are pushing a bill
that critics say will erode California's strict notification law.
Just a week ago, the House Financial Services Committee voted to approve a
bill that would leave many notification decisions to the discretion of
businesses.
In addition, the same bill would allow individuals to ``freeze'' their
credit only if they've already been victims of identity theft. Currently,
Californians can put a freeze on their credit as soon as they discover their
information was misplaced -- essentially preventing fraudsters from opening
an account under someone else's name.
``It's so important to give consumers the tools, like a security freeze,
that allow them to proactively protect themselves,'' said Michael McCauley,
a spokesman for Consumers Union.
Rosetta Jones, a vice president for Visa USA, said ``there are no specific
requirements'' for how issuers should verify an applicant's true identity
beyond a name and Social Security number.
But, she added, ``it's in the issuers' best interest to make sure to screen
their applications closely so as not to let a fraudster into the system.''
With more and more personal data living in the public sphere -- from medical
records to certain Google Groups where Social Security numbers are traded --
private industry has moved in.
The credit bureaus, which maintain credit reports, each sell credit
monitoring services -- as do a growing number of other companies.
But McEldowney, the consumer activist, noted that consumer protections,
meanwhile, could be at risk.
``The problem is that given the current political environment, the credit
and banking industry is so strong in Washington, there's no chance of
getting decent legislation or to prevent Congress from pre-empting stronger
state laws, such as in California.''