[ISN] Proposed AZ data-theft bill has critics

InfoSec News isn at c4i.org
Wed Apr 26 03:18:14 EDT 2006


http://www.azstarnet.com/dailystar/business/126149

By Scott Simonson 
arizona daily star 
Tucson, Arizona 
04.25.2006

If a hacker steals your bank card number in Arizona, there's no state
requirement that your bank or a merchant involved notify you.

That could change if Gov. Janet Napolitano signs a bill passed by the
Legislature last week.

Consumers Union, the non-profit group that publishes Consumer Reports
magazine, has criticized the proposed law as ineffective.

Arizona's law would allow companies to decide whether a
computer-security breach is serious enough to deserve a consumer
warning, said Gail Hillebrand, who heads Consumers Union's financial
privacy campaign.

"Who's going to decide?" she said. "It's going to be the company who
failed to protect your data."

Currently, Arizona receives much of its information about thefts of
computer data from California, said Andrea Esquer, spokeswoman for
Arizona Attorney General Terry Goddard. California requires all
companies to report stolen information.

In 2003, California passed the first U.S. law requiring customer
notification of breaches in companies' computerized data.  At least 10
other states have followed suit, said Hillebrand.  Arizona's bill
differs from California's in two important ways, she said.

California requires companies to report any security breach,
Hillebrand said.

Under the Arizona legislation, only breaches that "materially
compromise" people's information must be reported.

Depending upon how that language is interpreted, companies may be
allowed to choose whether to tell consumers, Hillebrand said.

Arizona's law also exempts banks, hospitals and some government
agencies. California's law requires all companies to report problems.

As of Monday, Napolitano had not acted on Senate Bill 1338, said Shilo
Mitchell, spokeswoman for the governor.

The sponsor of the Arizona bill, Sen. John Huppenthal, R-Chandler,
could not be reached for comment on Monday.

Rep. Marian McClure, R-Tucson, helped sponsor the bill in the House
but said that consumers should be told about all computer security
breaches.

Senate Bill 1338 represents a step in the right direction, she said,
although she introduced a stronger bill that failed earlier in the
session.

"A consumer should have a right to know that the information has been
stolen," she said, "to make sure who stole that information cannot
steal my identity."

Consumer notification might help, but better enforcement and better
information sharing are crucial, according to a Tucson couple who have
been victims of identity theft.

Elisabeth and Stephen Kling- ler have discovered that three other
people have been using his Social Security number.

The Klinglers traced some of the thefts to other states, but law
enforcement has not investigated, Elisabeth Klingler said.

The identity thefts have caused incorrect information about their
credit to be reported to data brokers - businesses that collect
people's information and sell it to other companies.

The Klinglers said consumers need better laws to help clear false
information from the files that companies keep.

The bad information has hindered them in buying a cell phone and
taking out a store credit card, Elisabeth Klingler said, and it could
one day affect their ability to buy another home.

"We're kind of giving up hope," she said. "It would take a lifetime to
get the information corrected."


What the bill says

* Senate Bill 1338 would require businesses operating in Arizona to
  notify customers if a computer-security breach compromises their
  personal information.

* Companies that do not notify customers could face fines from the
  state attorney general.

* Government agencies would face the same requirements. The proposed
  law would not apply to banks, hospitals, health insurance companies,
  law enforcement agencies or courts.


Data thefts

* Some of the largest reported thefts of customer data since March
  2005, according to ChoicePoint Asset Co.:

Disclosed by Date Customers affected
 
Bank of America February 2005 1.2 million*

DSW shoes March 2005 1.4 million

Ameritrade April 2005 200,000

Bank of America, Wachovia, other banks April 2005 680,000

CitiFinancial June 2005 3.9 million

MasterCard June 2005** 40 million

OfficeMax February 2006 200,000

* data of federal employees only

** related to security breach at CardSystems Solutions Inc. service
   center in Tucson





More information about the ISN mailing list