California leads way on ID theft legislation
Computerworld - WASHINGTON -- Businesses often fail to disclose security breaches to police, let alone to the public, out of fear they will damage their reputation and open themselves to lawsuits. But Sen. Dianne Feinstein (D-Calif.) is circulating a draft bill that would change that practice by requiring companies to reveal security breaches to their customers.
The Feinstein measure, called the Database Security Breach Notification Act, is modeled on a California law that will require companies to notify customers if the companies believe a systems breach has led to the release of personal information. The law takes effect next July.
No decision has been made yet about whether to introduce the Feinstein bill next year, according to Scott Gerber, a spokesman for the senator.
"What's clear is that identity theft is a major problem," Gerber said. "We're looking at ways to address it, and this is one of the ways."
The California law, as well as Feinstein's draft legislation, requires companies to tell customers when their name -- along with either their Social Security number, driver's license number or credit card or debit account number in combination with security or access codes -- has been accessed by an unauthorized person.
California's law is "a potential public relations nightmare to any company; they have to report not only actual compromises, but suspected compromises as well," said Mark Rasch, former head of the Computer Crime Unit at the U.S. Department of Justice and now senior vice president and chief security counsel at Omaha-based managed security services company Solutionary Inc.
The Investment Company Institute in Washington, which represents nearly 9,000 investment companies, opposed the California law because, once someone has hacked into a system, "you don't know if they have acquired information or if they have just looked at information," said Tamara Salmon, a counsel for the group.
"Potentially, you will have to send out notices to a lot of people just because you don't know" whether a system has been hacked, she said.
But Alan Paller, director of research at the Bethesda, Md.-based SANS Institute, said the California law is probably necessary because of the kinds of crime that are occurring. A group in Russia and Ukraine has been acquiring customer data, extorting money to prevent its release and then selling it anyway. Paller believes some companies are paying off the extortionists in an attempt to contain the damage.
"You have to make the price of paying off the extortionists higher than the price of not paying them off, and this bill is the first thing that does that," said Paller.
Opposition by high-tech trade groups to the California measure, SB 1386, which was authored by state Sen. Steve Peace, a San Diego Democrat, was strong at first. The Information Technology Association of America and AeA opposed it. But their objections were tempered by Peace's willingness to narrow the conditions under which customers would be notified of a breach.
The new California law was prompted by a breach earlier this year, when hackers gained access to the state's Stephen P. Teale Data Center in Rancho Cordova and accessed the names, Social Security numbers and payroll information of 265,000 state employees. The employees were angry.
"The trick for dealing with and overcoming IT theft is early detection -- the earlier you know, the easier it is for you to stop the damage," said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego.
The ID theft law in California may be the first of its kind to require businesses to report security breaches. The Bush administration has been urging businesses to voluntarily share incidents as part of its homeland security strategy and has opposed legislation that would force companies to either upgrade security or report such breaches. As part of that effort, the homeland security legislation signed by the president includes Freedom of Information Act exemptions for businesses that share this information.
The number of bills dealing with ID theft is on the rise in California; the Peace bill was just one of 14 ID-theft-related measures approved in this session, according to the state's privacy office. A few years ago, there were only a few ID-theft-related bills.
Many of the new California laws, most of which take effect in January, increase penalties and offer assistance to victims. Some bills also seek systems improvements. For instance, one new law requires an electronic death-registration system by January 2005 to improve the timeliness and efficiency of the death-registration process and the ability to spot fraudulent use of birth and death records.
ID-theft legislation is also on the rise in other states. Earlier this year, the U.S. General Accounting Office surveyed three credit-reporting agencies and found that identity theft increased 36% from 1999 to 2000, based on the number of fraud alerts (89,000 in 2000) placed on customer records.