States Keep Watchful Eye on Personal-Data Firms
By Brian Krebs washingtonpost.com Staff Write Wednesday, June 1, 2005; 6:33 AM
A legislative push by states to punish companies that maintain sensitive customer data when they hide a security breach could trigger congressional intervention to set a national standard on when people must be notified that their personal information may have fallen into the wrong hands.
Seizing upon recent incidents in which companies admitted losing or failing to secure their customers' financial and personal information, nearly two dozen states are debating or have passed new legislation, including a tough North Dakota law -- which takes effect today -- that forces companies to reveal unauthorized access to information that is commonly found in phone books.
A number of commercial data aggregators -- companies like ChoicePoint Inc. and Axciom that assemble dossiers of information on people for sale to corporate clients -- have recently alerted hundreds of thousands of people whose records they kept that their data may have been compromised. The disclosures resulted -- at least in part -- from a recent California law that uses the threat of civil lawsuits to goad companies into disclosing when a digital break-in or data theft exposes customers in the state to identity fraud.
Encouraged by the law's apparent success in forcing disclosures, a number of states are rushing to establish penalties for companies that don't alert customers in a timely manner if they discover that personal and financial information has been lost, stolen or otherwise improperly disclosed. In the past four months alone, laws went on the books in Arkansas, Georgia, Montana, North Dakota and Washington.
Similar pieces of legislation in Florida and Illinois are awaiting governors' signatures. Last month New York City Mayor Michael Bloomberg signed a security breach notification bill, while New York state also appears to be on track to pass a theft-disclosure bill. Indiana lawmakers recently passed legislation that would require state agencies to notify residents if their Social Security numbers are divulged.
The fines envisioned in some of the state measures are substantial. The Florida statute would fine companies $1,000 for each day that they fail to disclose a data breach to customers. After the first 30 days, companies would be hit with monthly fines of $50,000. A spokesman for Florida Gov. Jeb Bush (R) said the governor had not yet received the measure, and so could not comment on whether Bush intended to sign it. If signed into law, the measure would take effect July 1.
Lawmakers in Georgia were spurred into action in February when Alpharetta-based ChoicePoint said fraud artists had posed as Los Angeles businessmen to access personal information about at least 145,000 people. A key sponsor of that bill, Georgia state Sen. Bill Hamrick (R), said he backed the law when it became clear that consumers may never have known about the breach had it not been for the California law.
The Georgia law applies mainly to companies like ChoicePoint, but Hamrick said data firms lobbied for the law to apply to all businesses. "That would have essentially killed the bill since we only had 40 days to debate it" before the end of the state's legislative session, Hamrick said. Still, he said he intends to examine expanding the scope of the law next year.
Robert Ellis Smith, a privacy expert and publisher of Providence, R.I.-based Privacy Journal, applauded the state actions, saying it is important for people to know about such incidents so that they can take the appropriate steps to ensure that their identity is not stolen. "It seems to me elementary that people are entitled to know if their information is compromised," Smith said.
Georgia's new law went into effect in April, the one in Washington activates July 24, and Arkansas's goes live Aug. 12. Montana residents will see protection starting in March 2006. In North Dakota, where most laws go into effect on Aug. 1 of a legislative year, state lawmakers made it effective June 1 by declaring the bill an "emergency measure," which required passage by at least a two-thirds vote in both houses.
But taken together, the state laws may backfire as businesses lobby Congress to enact new -- and most likely less stringent -- federal statutes to preempt what critics say is quickly amounting to a patchwork of disparate, confusing and costly new regulations.
"It's really hard to defend against these types of laws. No [state lawmaker] wants to be on record saying, 'Maybe this is a bad idea,' because they're going to get beaten up and cast as not caring about consumers," said Stewart Baker, a partner with Washington, D.C.-based law firm Steptoe & Johnson. "But to the extent that all of these state laws deviate from the California statute, they create a massively confusing situation in which businesses have to go state by state to figure out what their obligations are to consumers."
Critics of the multi-state approach say that due to the potential monetary, logistical and public-relations headaches that could come from establishing different requirements and penalties in each state, companies will soon be forced to set their overall policies to satisfy the state with the most stringent law.
Currently that state is North Dakota, where in April Gov. John Hoeven (R) signed a law that goes far beyond the California statute in its classification of what constitutes "personal identifying information." Beginning today, companies doing business in the state will be required to disclose a data theft if the company loses track of any customer information -- including information not generally considered "private," such as names, addresses or telephone numbers.
"Business aren't going to laugh and say, 'Well, North Dakota's just being silly,'" Baker said. "They're going to be pushed in the direction of doing what North Dakota says across the board."
Faced with this prospect, business groups might consider supporting a federal law that would preempt state laws. U.S. Sen. Dianne Feinstein (D-Calif.) in January introduced a bill that would effectively make California's statute the law of the land. Mike Zaneis, director of congressional and public affairs for the U.S. Chamber of Commerce, said support for a federal approach is building within the business community, but that any federal legislation would need to strike a reasonable balance between notifying consumers and needlessly scaring them or inuring them to such notices.
"There has to be some trigger for notifications that distinguishes between a breach that is quickly contained and one that is likely to do harm," Zaneis said. "What we don't want is for consumers to become desensitized to these notices, because then no one is going to react when there's a real problem, to take the appropriate precautions."
Many consumer groups are quietly advocating a national law because it would make it easier to educate consumers about their rights and about what to look for in such disclosures, said Ari Schwartz, associate director at the Center for Democracy and Technology in Washington.
But Schwartz said his and other privacy groups would like to ensure that any national notification law also sets basic security standards for businesses. The California law and other state measures adopted in its wake would not require companies to disclose a security breach if, for example, the data compromised in the break-in was scrambled with encryption technology.
Montana Attorney General Mike McGrath said the states would fight vigorously any attempt to pass federal legislation that supercedes stronger state laws. Montana's new law would fine companies up to $10,000 per violation for failing to disclose a security breach that endangers customer data. Companies also could face criminal charges if they take steps to hide consumer data thefts.
"I don't think there should be any sort of laissez-faire attitude in Washington about protecting the privacy of consumers," McGrath said. "I think it's fair to say that on a bipartisan basis, the state attorneys general are very concerned about federal preemption in this area, which obviously the industry folks would just love."
ChoicePoint spokeswoman Kristen McCaughan declined to comment on the Georgia law or say whether the company would support any specific proposed bills currently before Congress. But McCaughan said ChoicePoint supports a mandatory notification law that is national in scope and preempts state laws. She said the company also would support a bill that defines "personally identifiable information" the same way it is spelled out in the California law: a person's name along with either their Social Security or driver's license number, or financial information.
Millions of consumers have been exposed to potential identity theft in 14 major breaches in the past year at various brokers, universities, banks and other institutions. After the ChoicePoint breach, media reports soon followed that Bank of America Corp. lost computer tapes containing financial data on 1.2 million federal workers, including U.S. senators, and that credit card numbers were stolen by hackers from 103 of shoe retailer DSW Inc.'s 175 stores.
In May, Wachovia Corp. and Bank of America Corp. notified more than 100,000 customer that their financial records may have been stolen by bank employees and sold to collection agencies; investigators are still looking into that case, which may involve the unauthorized sale of data on nearly 700,000 customers of various banks.
The California Department of Consumer Affairs reported May 27 that since the state's notification law went into effect in July 2003, it has been aware of 61 significant breach notifications involving an average of 163,500 individuals each. About one-fourth of the breaches occurred at financial institutions and another one-fourth at universities, with 15 percent reported by medical institutions, 8 percent by government and 7 percent by retailers, according to the figures.