
Tuesday, July 05, 2005

CALIFORNIA IDENTITY THEFT LAW NEEDS TO BE EXPANDED

MercuryNews.com | 07/05/2005 | Notification needs to be expanded

Posted on Tue, Jul. 05, 2005

Notification needs to be expanded

CALIFORNIA LAW HAS EXPOSED ENORMITY OF PROBLEM

Mercury News Editorial


In the annals of identity theft, 2005 is likely to be remembered as the year of the security breach.

Since giant data broker ChoicePoint disclosed in February that thieves had made off with detailed personal records on 145,000 individuals, every passing week seems to bring news of other massive data breaches. The incidents have touched businesses small and large and government agencies. Tens of millions of individuals have been affected.

There's no reason to think that the rash of data thefts is a new phenomenon. What's new is that the break-ins are being exposed by a California law that forces businesses that are victims of a breach to notify the individuals whose information has been stolen. The notices empower individuals to take measures to protect themselves from the consequences of identity theft.

The success of this consumer protection law has ignited a debate across the country about broadening and strengthening notification requirements. Thirteen states have passed notification laws this year, and 22 more are debating them. And so is Congress.

But not all notification laws are created equal. The California law has been effective because it is simple: If your data is lost or stolen, you must be told. Notification can be delayed only in cases where law enforcement agencies are investigating an incident. The law should serve as a model for federal legislation.

Business groups are lobbying Congress for a weaker federal standard. It would require notification only if a business determines that a breach puts individuals at risk. They argue that mandatory notices would unnecessarily alarm customers, and that individuals would ignore notices if they became too frequent. They also insist that any federal law should trump stronger state laws.

The optional notification requirement would render the law meaningless. Businesses would have wide discretion on when to notify customers. They may decide to stay silent simply because they don't want the bad publicity that comes along with a data breach. Individuals -- not businesses -- should make the decision on whether protection is needed.

The battle on Capitol Hill is certain to be hard fought. Just look at California. Last week, business groups derailed a bill that would have expanded the state's notification law, which now only covers data stolen from computer records, to include paper records and backup tapes. The bill, SB 852, by Sen. Debra Bowen, D-Redondo Beach, makes sense and deserves to be taken up again.

The problem is the same whether your Social Security, credit card or bank account number has been stolen from a piece of paper or a computer. And, if it has been stolen, you should be able to inoculate yourself against the potentially devastating consequences of identity theft.
