Sunday, January 29, 2006

Maine's narrow identity-theft law being targeted for major expansion
The Maine law designed to prevent identity theft would require every business to notify consumers of security breaches, under a proposal to greatly expand the law's scope.

The recommendation is part of a report that state regulators plan to submit to a legislative committee next week. It would extend the notification law to thousands of institutions, from banks, credit unions, insurance companies, investment advisers and loan brokers to retailers, restaurants, and even doctors and hospitals.

The goal is to broaden a much narrower law that goes into effect Tuesday. That statute will require only information brokers, such as ChoicePoint, to notify people whose personal information may have been accessed by computer hackers or others. Examples of sensitive data include Social Security, credit-card and bank-account numbers.

The notification requirement will be triggered when: a broker realizes security systems have been bypassed; if it's determined that information has been misused or could be misused.

Notification is intended to give consumers time to secure their financial information, notify banks and credit card issuers, and try to prevent their credit reports from being adversely affected.

William N. Lund, director of the state's Office of Consumer Credit Regulation, said his department's proposal recognizes that identity theft can occur on either a large or small scale.

"From a consumer's perspective, it doesn't really matter if it was an information broker who lost their information or any other business," Lund said. "Consumers have grown to expect this type of notification."

Lund's office also is suggesting that lawmakers let consumers file suit if a business fails to investigate a possible breach or doesn't notify consumers. The proposal would limit damages to the actual harm suffered, rather than allowing people to sue for punitive awards.

Business groups worry that expanding the law could be a burden for small companies.

"One of our concerns was smaller members who might not be very sophisticated might be swept into this," said Jim McGregor, executive vice president of the Maine Merchants Association.

McGregor said his group is not opposed to the idea of notifying consumers about problems, but he's worried about the costs of allowing people to sue over security breaches.

Other business groups have noted that many businesses, such as restaurants and retailers, may have credit card information but no addresses for notifying people about problems. Lund said the proposal allows businesses in those cases to post a notice on a publicly accessible Web site and to notify the media when security has been compromised.

But "there's a potential for negative publicity that could hurt somebody" as a result of that method, McGregor said.

Lund said other states have adopted similar laws, so the step doesn't necessarily put Maine businesses at a disadvantage.

Lund's office estimates that more than 52 million people have potentially had personal information at peril in dozens of security breaches reported nationwide in just the last year. The first big one involved ChoicePoint, an information broker that had its security measures circumvented by identity thieves who gained access to information on 140,000 people and used it to set up bogus accounts.

On Thursday, the Federal Trade Commission fined ChoicePoint $10 million and the company agreed to pay consumers $5 million to settle charges that the security and record-handling procedures in the incident violated privacy rights.

Other cases included a lost data tape that contained information on more than a million customers of Bank of America.

In a separate report, Richard Thompson, Maine's chief information officer, is recommending that his office be allowed to develop a policy for notifying people about security problems in state computers, rather than extending the law to cover government.

Thompson said there have been "a couple" of security breaches involving state computers in which information on employees may have been accessed. Those employees were warned of the problem, Thompson said, and he would like to develop a policy that requires notification in future cases.

"We've actually been following that practice," he said, and the policy would simply establish methods for continuing that approach.

In Rhode Island this week, hackers claimed to have broken into the state's Web site and said they stole as many as 53,000 credit card numbers. Officials confirmed the break-in but said the number of financial records accessed was far fewer.

The site is run by New England Interactive, a private company that also runs government sites in Maine, New Hampshire and Vermont. Maine officials said there are no reports of the state's Web site being hacked.

A spokesman for New England Interactive said the company does not notify people of break-ins but informs credit card companies, which are supposed to tell cardholders.
