INDIANA BUSINESSES IN STATE MUST NOTIFY CUSTOMERS OF COMPUTER-SECURITY BREACHES http://www.courier-journal.com/apps/pbcs.dll/article?AID=/20060606/NEWS02/60606018

EVANSVILLE, Ind. (AP) — Businesses must notify customers of computer-security breaches that could put them at risk for identity theft under a new law that goes into effect in Indiana July 1.

“It doesn’t matter if it was one (customer) or 500,000 or a million, you have to disclose that to your customer,” said Staci Schneider, spokeswoman for the attorney general’s office. “That will give the customer an opportunity to take ... precautions they need to protect themselves against identity theft.

” Sgt. Todd Ringle, a state police spokesman, said identity thieves are becoming increasingly high tech.

“They are much more sophisticated; they are able to go online and break into certain (Web) sites and break security codes and get that vital information,” he said.

The new law stems, in part, from a well-publicized case involving the data firm ChoicePoint Inc., whose massive database of consumer information was accessed by thieves in 2004. The company discovered the breach more than four months before disclosing it to the public in February 2005. ChoicePoint has said authorities asked it to keep the information secret initially.

Indiana victims were alerted because of a California law that required notification, Schneider said.

The Indiana law says a business or database owner must notify affected Indiana residents of security breaches “without unreasonable delay.” If more than 1,000 people are affected, the company also must notify the three credit bureaus.

“That way, the credit bureaus will be able to flag their reports to protect them,” Schneider said.

If the company fails to notify customers, the law says the attorney general can sue and seek penalties of up to $150,000.

Critics have questioned whether the law goes far enough.

If more than 500,000 people are affected by the security breach, or if cost of notifying victims exceeds $250,000, then the database owner can make its official notification simply by a posting on its Web site or by a news release to the media, the law says. And the law does not precisely define how much time the business has to notify customers.

Schneider says the attorney general’s office will evaluate notifications on a case-by-case basis.

“Our main priority is to make sure customers’ information has been protected,” Schneider said. “A reasonable delay is up for interpretation; we will look at all the facts and put the customer up front.”

Schneider said victims can file identity-theft complaints at the attorney general’s Web site, www.indianaconsumer.com.