NEW YORK SENATE TO PASS FOUR IDENTITY THEFT BILLSFrom the Desk of Senator Kemp HannonFrom the Desk of Senator Kemp Hannon
Hannon: Senate to Act on Four Identity Theft Bills
Senator Kemp Hannon announced the New York State Senate is expected to give final legislative passage to legislation that would help protect consumers from fraud and identity theft by requiring businesses and state agencies whose computer security is breached to notify individuals whose private information was stolen. The bill is one of four bills the Senate will act on that address the escalating problem of identity theft.

"Just last week we learned that 40 million credit card holders are at risk of fraud and identity theft because their private information was stolen by data thieves," Senator Hannon said. "Right now there is nothing in state law that requires consumers to be notified if their private information has been stolen as a result of a security breach. This bill would ensure that New Yorkers receive quick notification so they can protect themselves from being further victimized."

It was reported recently that 40 million Visa, Mastercard and other credit card accounts were exposed to a risk of fraud after data thieves stole records from CardSystems Solutions, a firm that provides information services to the credit card companies.

As computers become more a part of people's daily lives, people increasingly transact business over the Internet. This increases, or in many cases necessitates, businesses placing sensitive personal or private financial information on computers, which are accessible through the Internet. As the amount of personal and financial information accessible via the Internet increases, these computers become increasingly attractive targets of computer hackers seeking to obtain information needed to commit fraud and identity theft.

The case of ChoicePoint, provider of identification and credential verification services in California, exemplifies both the existence of this problem and the usefulness of a state law such as the one proposed in this bill. Identity thieves posing as legitimate businesses obtained access to consumers' personal information maintained on ChoicePoint's computer system and stole the personal information of 145,000 people.

Under the provisions of this bill (S.3492A), businesses must notify customers that their private information was stolen, as soon as possible, once the breach is discovered. This bill strikes a balance between the interests of consumers and the needs and abilities of businesses by permitting businesses to use a variety of means to contact their customers of security breaches.

The legislation requires businesses to provide notice in writing or by telephone. However, because timeliness is of great importance in these cases, and because many people prefer to receive electronic communications over written notices, this bill also allows businesses to send an electronic notice. However, federal law requires consumers to consent to receiving required notices in electronic form for all manner of commerce within their jurisdiction. This bill would also require the customers' express consent to electronic notice.

In the event that the breach exceeds 500,000 names or $250,000 in notification costs, the business may notify the news media, post notification on its website and e-mail the customers.

Government agencies may also be the target of computer hackers seeking personal or financial information. This bill imposes the same notification requirements on state agencies as it does on business.

While the majority of companies can be expected to follow the law, this legislation also calls for appropriate penalties to ensure compliance from businesses that might otherwise fail to comply. Court imposed civil fines would begin at $5,000 and could reach $10 per person who did not receive the requisite notice, with a maximum of a $150,000 fine.

Compared to the cost of notification and potential negative publicity that may or may not follow the announcement of a security breach, these fines should be sufficient to secure compliance. In addition, under this bill, the attorney general would be authorized to bring an action on behalf of victims for a violation of the provisions of this measure.

The Senate will also act on a bill (S.5178) that would mandate the proper disposal or destruction of records containing private information in order to help address the growing problem of identity theft.

"The identity thefts that result from activities such as dumpster diving have a very real economic effect," Senator Hannon said. "The Federal Trade Commission reported that there were approximately 9.9 million victims of identity theft in 2002, costing consumers and businesses $53 billion."

The Senate will also act on bills that would expand and clarify the crimes of identity theft as well as strengthen penalties in the following ways: increase the penalty for identity theft in the first degree from a Class D to a C felony; expand the period between prior convictions of identity theft from five to 10 years; expand the list of unlawfully possessed personal identification information for identity theft in the second degree; and decrease the number of such items possessed from 250 pieces to a more reasonable 10 pieces.

The Senate will also act on legislation (S.5406) that would prohibit employers from putting Social Security numbers on checks, drafts or vouchers issued to employees.

"Under this new legislation, paychecks can display no more than the last four digits of an employee's Social Security number," Senator Hannon said. "This preventative measure has been used extensively in credit and debit card transactions with almost all receipts today displaying only the last four digits of a cardholder's number."

Senator Hannon pointed out that colleges across the United States are doing away with the outdated practice of using Social Security numbers for student identification. Currently 18-29-year-olds are the most subjected demographic to identity theft. "Colleges across the United States have seen the risk of their practices and have responded accordingly. Employers unfortunately have not taken the same initiative. Other states, such as California and Texas, have already passed similar legislation," he added.

The bill would require any medical business, tax preparation business or other business person to properly dispose of records containing personal information through one of the following means: shredding, destruction, modification or other reasonable action to ensure that no unauthorized person will have access to the personal information.