Skip the navigation

California leads way on ID theft legislation

December 13, 2002 12:00 PM ET

Computerworld - WASHINGTON -- Businesses often fail to disclose security breaches to police, let alone to the public, out of fear they will damage their reputation and open themselves to lawsuits. But Sen. Diane Feinstein (D-Calif.) is circulating a draft bill that would change that practice by requiring companies to reveal security breaches to their customers.
The Feinstein measure, called the Database Security Breach Notification Act, is modeled on a California law that will require companies to notify customers if the companies believe a systems breach has led to the release of personal information. The law takes effect next July.
No decision has been made yet about whether to introduce the Feinstein bill next year, according to Scott Gerber, a spokesman for the senator.
"What's clear is that identity theft is a major problem," Gerber said. "We're looking at ways to address it, and this is one of the ways."
The California law, as well as Feinstein's draft legislation, requires companies to tell customers when their name -- along with either their Social Security number, driver's license number or credit card or debit account number in combination with security or access codes -- has been accessed by an unauthorized person.
California's law is "a potential public relations nightmare to any company; they have to report not only actual compromises, but suspected compromises as well," said Mark Rasch, former head of the Computer Crime Unit at the U.S. Department of Justice and now senior vice president and chief security counsel at Omaha-based managed security services company Solutionary Inc.
The Investment Company Institute in Washington, which represents nearly 9,000 investment companies, opposed the California law because, once someone has hacked into a system, "you don't know if they have acquired information or if they have just looked at information," said Tamara Salmon, a counsel for the group.
"Potentially, you will have to send out notices to a lot of people just because you don't know" whether a system has been hacked, she said.
But Alan Paller, director of research at the Bethesda, Md.-based SANS Institute, said the California law is probably necessary because of the kinds of crime that are occurring. A group in Russia and Ukraine has been acquiring customer data, extorting money to prevent its release and then selling it anyway. Paller believes some companies are paying off the extortionists in an attempt to contain the damage.
"You have to make the price of paying off the extortionists higher than the price of not paying them off, and this bill is the first thing that does that," said Paller.
Opposition by high-tech trade groups to the California measure, SB 1386, which was authored by state Sen. Steve Peace, a San Diego Democrat, was strong at first. The Information Technology Association of America and AeA opposed it. But their objections were tempered by Peace's willingness to narrow the conditions under which customers would be notified of a breach.
The new California law was prompted by a breach earlier this year, when hackers gained access to the state's Stephen P. Teale Data Center in Rancho Cordova and accessed the names, Social Security numbers and payroll information of 265,000 state employees. The employees were angry (see story).
"The trick for dealing with and overcoming IT theft is early detection -- the earlier you know, the easier it is for you to stop the damage," said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego.
The ID theft law in California may be the first of its kind to require businesses to report security breaches. The Bush administration has been urging businesses to voluntarily share incidents as part of its homeland security strategy and has opposed legislation that would force companies to either upgrade security or report such breaches. As part of that effort, the homeland security legislation signed by the president includes Freedom of Information Act exemptions for businesses that share this information.
The number of bills dealing with ID theft is on the rise in California; the Peace bill was just one of 14 ID-theft-related measures approved in this session, according to the state's privacy office. A few years ago, there were only a few ID-theft-related bills.
Many of the new California laws, most of which take effect in January, increase penalties and offer assistance to victims. Some bills also seek systems improvements. For instance, one new law requires an electronic death-registration system by January 2005 to improve the timeliness and efficiency of the death-registration process and the ability to spot fraudulent use of birth and death records.
ID-theft legislation is also on the rise in other states. Earlier this year, the U.S. General Accounting Office surveyed three credit-reporting agencies and found that identity theft increased 36% from 1999 to 2000, based on the number of fraud alerts (89,000 in 2000) placed on customer records.




Read more about Privacy in Computerworld's Privacy Topic Center.



Our Commenting Policies