Correction to This Article
An earlier version of this story incorrectly stated that the new North Dakota law required businesses in that state to disclose a data breach if only basic types of personal information were lost, such as a victim's name and address. The law actually requires the disclosure of at least one other piece of personal information, such as a Social Security or bank account number. The version below has been corrected.

States Keep Watchful Eye on Personal-Data Firms

Critics of the multi-state approach say that due to the potential monetary, logistical and public-relations headaches that could come from establishing different requirements and penalties in each state, companies will soon be forced to set their overall policies to satisfy the state with the most stringent law.

Faced with this prospect, business groups might consider supporting a federal law that would preempt state laws. U.S. Sen. Dianne Feinstein (D-Calif.) in January introduced a bill that would effectively make California's statute the law of the land. Mike Zaneis, director of congressional and public affairs for the U.S. Chamber of Commerce, said support for a federal approach is building within the business community, but that any federal legislation would need to strike a reasonable balance between notifying consumers and needlessly scaring them or inuring them to such notices.

"There has to be some trigger for notifications that distinguishes between a breach that is quickly contained and one that is likely to do harm," Zaneis said. "What we don't want is for consumers to become desensitized to these notices, because then no one is going to react when there's a real problem, to take the appropriate precautions."

Many consumer groups are quietly advocating a national law because it would make it easier to educate consumers about their rights and about what to look for in such disclosures, said Ari Schwartz, associate director at the Center for Democracy and Technology in Washington.

But Schwartz said his and other privacy groups would like to ensure that any national notification law also sets basic security standards for businesses. The California law and other state measures adopted in its wake would not require companies to disclose a security breach if, for example, the data compromised in the break-in was scrambled with encryption technology.

Montana Attorney General Mike McGrath said the states would fight vigorously any attempt to pass federal legislation that supersedes stronger state laws. Montana's new law would fine companies up to $10,000 per violation for failing to disclose a security breach that endangers customer data. Companies also could face criminal charges if they take steps to hide consumer data thefts.

"I don't think there should be any sort of laissez-faire attitude in Washington about protecting the privacy of consumers," McGrath said. "I think it's fair to say that on a bipartisan basis, the state attorneys general are very concerned about federal preemption in this area, which obviously the industry folks would just love."

ChoicePoint spokeswoman Kristen McCaughan declined to comment on the Georgia law or say whether the company would support any specific proposed bills currently before Congress. But McCaughan said ChoicePoint supports a mandatory notification law that is national in scope and preempts state laws. She said the company also would support a bill that defines "personally identifiable information" the same way it is spelled out in the California law: a person's name along with either their Social Security or driver's license number, or financial information.

Millions of consumers have been exposed to potential identity theft in 14 major breaches in the past year at various brokers, universities, banks and other institutions. After the ChoicePoint breach, media reports soon followed that Bank of America Corp. lost computer tapes containing financial data on 1.2 million federal workers, including U.S. senators, and that credit card numbers were stolen by hackers from 103 of shoe retailer DSW Inc.'s 175 stores.

In May, Wachovia Corp. and Bank of America Corp. notified more than 100,000 customers that their financial records may have been stolen by bank employees and sold to collection agencies; investigators are still looking into that case, which may involve the unauthorized sale of data on nearly 700,000 customers of various banks.

The California Department of Consumer Affairs reported May 27 that since the state's notification law went into effect in July 2003, it has been aware of 61 significant breach notifications involving an average of 163,500 individuals each. About one-fourth of the breaches occurred at financial institutions and another one-fourth at universities, with 15 percent reported by medical institutions, 8 percent by government and 7 percent by retailers, according to the figures.




© 2005 Washingtonpost.Newsweek Interactive