Correction to This Article
An earlier version of this story incorrectly stated that the new North Dakota law required businesses in that state to disclose a data breach if only basic types of personal information were lost, such as a victim's name and address. The law actually requires the disclosure of at least one other piece of personal information, such as a Social Security or bank account number. The version below has been corrected.

States Keep Watchful Eye on Personal-Data Firms

By Brian Krebs Staff Writer
Wednesday, June 1, 2005; 6:33 AM

A legislative push by states to punish companies that maintain sensitive customer data when they hide a security breach could trigger congressional intervention to set a national standard on when people must be notified that their personal information may have fallen into the wrong hands.

Seizing upon recent incidents in which companies admitted losing or failing to secure their customers' financial and personal information, nearly two dozen states are debating or have passed new legislation -- including a North Dakota law which takes effect today -- that forces companies to reveal unauthorized access to information.

A number of commercial data aggregators -- companies like ChoicePoint Inc. and Acxiom that assemble dossiers of information on people for sale to corporate clients -- have recently alerted hundreds of thousands of people whose records they kept that their data may have been compromised. The disclosures resulted -- at least in part -- from a recent California law that uses the threat of civil lawsuits to goad companies into disclosing when a digital break-in or data theft exposes customers in the state to identity fraud.

Encouraged by the law's apparent success in forcing disclosures, a number of states are rushing to establish penalties for companies that don't alert customers in a timely manner if they discover that personal and financial information has been lost, stolen or otherwise improperly disclosed. In the past four months alone, laws went on the books in Arkansas, Georgia, Montana, North Dakota and Washington.

Similar pieces of legislation in Florida and Illinois are awaiting governors' signatures. Last month New York City Mayor Michael Bloomberg signed a security breach notification bill, while New York state also appears to be on track to pass a theft-disclosure bill. Indiana lawmakers recently passed legislation that would require state agencies to notify residents if their Social Security numbers are divulged.

The fines envisioned in some of the state measures are substantial. The Florida statute would fine companies $1,000 for each day that they fail to disclose a data breach to customers. After the first 30 days, companies would be hit with monthly fines of $50,000. A spokesman for Florida Gov. Jeb Bush (R) said the governor had not yet received the measure, and so could not comment on whether Bush intended to sign it. If signed into law, the measure would take effect July 1.

Lawmakers in Georgia were spurred into action in February when Alpharetta-based ChoicePoint said fraud artists had posed as Los Angeles businessmen to access personal information about at least 145,000 people. A key sponsor of that bill, Georgia state Sen. Bill Hamrick (R), said he backed the law when it became clear that consumers may never have known about the breach had it not been for the California law.

The Georgia law applies mainly to companies like ChoicePoint, but Hamrick said data firms lobbied for the law to apply to all businesses. "That would have essentially killed the bill since we only had 40 days to debate it" before the end of the state's legislative session, Hamrick said. Still, he said he intends to examine expanding the scope of the law next year.

Robert Ellis Smith, a privacy expert and publisher of Providence, R.I.-based Privacy Journal, applauded the state actions, saying it is important for people to know about such incidents so that they can take the appropriate steps to ensure that their identity is not stolen. "It seems to me elementary that people are entitled to know if their information is compromised," Smith said.

Georgia's new law went into effect in April, the one in Washington activates July 24, and Arkansas's goes live Aug. 12. Montana residents will see protection starting in March 2006. In North Dakota, where most laws go into effect on Aug. 1 of a legislative year, state lawmakers made it effective June 1 by declaring the bill an "emergency measure," which required passage by at least a two-thirds vote in both houses.

But taken together, the state laws may backfire as businesses lobby Congress to enact new -- and most likely less stringent -- federal statutes to preempt what critics say is quickly amounting to a patchwork of disparate, confusing and costly new regulations.

"It's really hard to defend against these types of laws. No [state lawmaker] wants to be on record saying, 'Maybe this is a bad idea,' because they're going to get beaten up and cast as not caring about consumers," said Stewart Baker, a partner with Washington, D.C.-based law firm Steptoe & Johnson. "But to the extent that all of these state laws deviate from the California statute, they create a massively confusing situation in which businesses have to go state by state to figure out what their obligations are to consumers."

© 2005 The Washington Post Company