MINNESOTA COMPUTERS STOLEN FROM SAN JOSE MEDICAL GROUP IN CALIFORNIA CREATE CONCERN OVER IDENTITY THEFT IN MINNESOTA DUE TO HOLE IN ID THEFT LAW
St. Paul Pioneer Press | 10/30/2005 | Big hole in ID-theft law
Posted on Sun, Oct. 30, 2005
Big hole in ID-theft law
Minnesota requires that companies notify consumers when their personal information is breached — but the new statute lists so many exemptions that critics say it has no teeth. And federal regulations don't fill the gaps.
BY LESLIE BROOKS SUZUKAMO
Pioneer Press
Earlier this year, two computers were stolen from the San Jose Medical Group that contained the confidential medical information and Social Security numbers of 185,000 current and former patients, putting them at risk for identity theft.
Because California had passed a law requiring businesses to notify customers whenever there's a breach of their personal information, the medical group had to send letters to those 185,000 people.
But if the same thing happened at a clinic in Minnesota, patients might never know.
That's because a new Minnesota law intended to combat the growing menace of identity theft has some gaping holes in it, including a big exemption for hospitals and medical providers.
Even more problematic, the federal law that's supposed to protect the medical privacy of patients has no notification requirement. To find out whether their information has been breached, patients have to ask.
It's a Catch-22 that catches many people off-guard, even the Minnesota law's chief author.
"That just really surprises me," said Rep. Jeff Johnson, R-Plymouth. "If that is the case, I would agree that is a pretty big hole."
"The Legislature might have to revise Minnesota's law next session," the legislator said.
More than 10 million Americans became victims of identity theft in 2004, according to the Federal Trade Commission, and as the numbers expand, so do efforts to attack it.
Minnesota was one of 35 states to introduce some form of financial privacy legislation this past year, according to the National Conference of State Legislatures Web site. By late May, seven states had enacted laws requiring that consumers be notified of the disclosure of their personal information. Minnesota's law, signed by Gov. Tim Pawlenty on June 2, became the eighth.
The disclosure laws address one of the big problems with identity theft for consumers: knowing when your identity has been stolen and where it slipped out.
But the state's top law-enforcement officer, Attorney General Mike Hatch, says the law, which goes into effect Jan. 1, has no teeth.
Besides health care, the law also exempts banks, savings and loans and other financial institutions covered under a set of federal banking regulations.
According to Hatch, the federal law is so broadly defined that the exemptions would include the banks of retailers who issue their own credit cards and even travel agencies.
The result would be few, if any, businesses actually falling under the state law, he said.
"The exemptions swallow the whole," Hatch complained. "I just get testy with these things. We've got a system where people pass laws that sound good and don't do anything."
Minnesota's law affects companies that electronically store unencrypted personal information, such as customer names, along with their credit card, bank account or Social Security numbers.
Businesses with that information must notify customers if they find evidence that someone has broken into their databases and there's a likelihood of identity theft.
Companies have collected this customer information for years, using it for everything from marketing campaigns to enabling quicker checkouts. But little thought was given to the consequences of having the data.
That changed after an Atlanta credit-checking service called ChoicePoint disclosed in February that identity thieves had gained access to the financial information of 145,000 consumers, including more than 2,300 in Minnesota. The company would not have had to make the disclosure if not for California's notification law, passed in July 2003. While California requires notice of security breaches only for its own citizens, the public outcry that ensued forced ChoicePoint to include people in all states.
Since the ChoicePoint disclosure, the Privacy Rights Clearinghouse, a nonprofit privacy advocacy group based in San Diego, says it has tracked other breaches involving nearly 51 million identifying numbers.
"From what I can tell, there have been security breaches for years," said George Meinz, an attorney in the commercial financial services group for the Minneapolis law firm Gray Plant Mooty Mooty & Bennett.
The difference then was that companies never had to admit when they were hacked, Meinz said. "A lot of the reason this is hitting the press right now is exactly because of that California law," he said.
In Minnesota, the Legislature exempted banking and health care because it felt those industries were adequately covered by federal regulations, Rep. Johnson said.
However, regulators who enforce privacy rules at the U.S. Department of Health and Human Services say their rules are not designed to ring a warning bell for consumers.
Health care companies do not have to send a notification to patients if their personal information leaks out, the regulators said. There's nothing stopping them from doing so, but there is no requirement under the federal rules, called the Health Insurance Portability and Accountability Act, or HIPAA.
Instead, patients must ask before they can find out if their information has been disclosed improperly.
"It wasn't intended to put you on notice for an impermissible use," said Sue McAndrew, the senior health information privacy policy specialist with the Office of Civil Rights in the Department of Health and Human Services, the office that enforces HIPAA rules.
The law was designed only to let consumers see everyone who had access to their information, including legitimate access from insurance companies, hospitals or health plans, McAndrew said.
On the banking side, federal regulations did not require banks to disclose when their information had been compromised until new guidelines were issued April 1 from the Federal Deposit Insurance Corp.
"If they are aware of a data breach and they do not disclose it, the FDIC will take appropriate action," FDIC spokesman David Barr said.
The FDIC could go as far as removing the bankers from their positions or ending the bank's deposit insurance if they don't comply, Barr said.
Hatch isn't impressed with the enforcement he's seen from the federal level. "They've never done it and they won't do it," the attorney general said.
Johnson says Hatch is too pessimistic and partisan. "It's very easy for politicians to criticize a new tool. … To argue that this is not a positive step is politics," the Republican said.
Both the bill's author and its chief critic have higher political ambitions. Johnson, a lawyer and human resources consultant, is a Republican candidate for attorney general. If elected, he would be in charge of enforcing the law. Hatch, the Democratic-Farmer-Labor attorney general, recently announced he would challenge Republican Tim Pawlenty for governor.
Not everyone thinks Minnesota's law is too weak. "I believe it will protect consumers and their information in a lot of instances where they wouldn't have been informed by federal law," said Alok Gupta, a professor of management information sciences in the Carlson School of Management at the University of Minnesota.
Online retailers are building growing databases on the buying habits of their repeat customers as a way to personalize their services. Those businesses would be covered, Gupta said.
Customers need to evaluate their shopping sites, he said. The more reputable the vendor, the more attention it will pay to securing the data it holds, he said.
But some Minnesotans are upset by the lack of notification built into the federal laws governing the health care industry.
"I think it's pathetic that our legislators let this slide and didn't put those stopgaps in those areas," said Alvin Huff.
Huff, 78, is a retired farmer and regional legislative representative for AARP Minnesota from Glencoe, Minn. He said the AARP made strengthening identity-theft protections one of its legislative priorities last year.
He's never been a victim of identity theft himself, but he has heard horror stories from his peers.
"It totally ruins people, particularly if you're on a fixed income," he said. "What happens if your health information is stolen? Health care papers have our Social Security numbers on them and if they share that with anyone or if anyone moves in on that, it's pretty wild."
Leslie Brooks Suzukamo covers telecommunications and technology. He can be reached at lsuzukamo@pioneerpress.com or 651-228-5475.
Sunday, October 30, 2005