STATE OF MASSACHUSETTS TO PASS DATA BREACH BILL COMPARABLE TO CALIFORNIA’S SB 1386
According to an article in the Boston Globe by April Simpson, the state of Mass. will pass into law a bill giving consumers much more control over their sensitive data. They can stop any action to open new credit card accounts, and business and government must notify consumers of data breaches. Breached information would have to include things like a Social Security number, or anything likely to help ID thieves open accounts in a victim’s name.

The drawback, as I see it—and understand that I haven’t yet studied the full bill—is that the requirement to notify carries that vague and potentially catastrophic terminology for security breaches, identifying the contingency factor as those that “may place their (the consumer’s) personal information at risk.” (This differs from California SB 1386, which requires notification if data is not encrypted.) Who decides? If it’s business or government, we already know what to expect. Eric Bourassa, an advocate for Massachusetts Public Information Research Groups (PIRG), while agreeing with parts of the bill, even expresses concern over the term “deemed to be at risk.”

However, for the first time, a state has dictated a method of compliance that puts the consumer in at least some control over a portion of their sensitive data. Mass. consumers will create a password or PIN number to authorize the release of information by the big-three credit bureaus. In my concept, the individual should have full control over their name and personal data, and they should be compensated when it is sold. With a system similar to the PIN number approach, they would approve any transaction involving their name and private information instantly by e-mail or telephone.

So now when the Mass. bill passes, California won’t be the only leader in protecting consumers in the identity crisis.