Friday, January 9th, 2009

[A closer look] Supporters address concerns about Feinstein’s proposed bill

Law would require notification when personal information at risk

Since the Security Breach Information Act became law in California, the perceived nature of identity theft has changed.

A bill proposed Monday in the U.S. Senate by Sen. Dianne Feinstein, D-Calif., that seeks to expand California law to the national level is largely a reaction to a series of security breaches at the University of California over the past two years.

Should it be made law, the bill would require that consumers be notified when their personal information is compromised.

“We desperately need a strong national standard that says whenever a data system is breached, everyone who is at risk of identity theft must be notified,” Feinstein said in a statement.

The state Legislature passed the California bill in July 2003, expecting it to combat computer hacking. But, said Chris Hoofnagle, senior counsel for the West Coast branch of the Electronic Privacy Information Center, “the scope of threats envisioned by the bill is different than what has been discovered.”

Hoofnagle, who worked with Feinstein to develop the bill, said that many of the security breaches this bill attempts to mitigate are in fact the result of stolen or lost laptop computers rather than hacking into data systems.

Because of this, some have criticized the bill, suggesting that notifying the public about stolen data might alert a thief to the fact that the data in their possession is sensitive.

“That stands to reason,” said Andi Murray, a spokeswoman for Feinstein, acknowledging the possibility that notification could backfire in this way.

But, she said, the most important effect of the proposed legislation would be to ensure that consumers are informed that their privacy has been compromised.

“Then they can take steps to protect themselves,” she said.

Hoofnagle likewise acknowledged that alerting the public to a security breach might also alert the thief that the stolen material was sensitive.

“That, theoretically, is a problem,” he said.

But, he said, the proposed legislation does take that possibility into consideration.

“Under the law, police can stop a company from giving notice for a certain amount of time, exactly to deal with that type of threat,” he said.

He cited a security breach that occurred in February when digital information was stolen from ChoicePoint, a major data broker. In this instance, he said, notification was delayed to avoid alerting whoever had the material that it was sensitive.

Companies that deal with data are the bill’s most likely opposition, Hoofnagle said. Since the California law went into effect, many such companies have chosen to refrain from requesting certain personal information, thus avoiding the possibility of a security breach altogether.

The law has also had the effect of encouraging companies to update their databases more often, he said.

“A lot of entities are keeping data a lot longer than they have to,” he said. But because the law requires that customers be notified of a security breach, it encourages companies to take greater care in the management of their data systems, he said.
