
Tuesday, February 12, 2008


The state of Indiana is trying to pass legislation requiring any company suffering a data breach to notify the state’s Attorney General’s office. According to a C/Net article, the big guns are out, including Microsoft, AT&T, and Verizon, “frantically” attempting to kill the bill. It would be the first instance of a state requiring this action by companies that suffer a breach, providing a central location that consumers, the media, and researchers can search.

Lobbyists against the legislation claim that phishers could have a field day using a fraudulent AG site to which a victim would link and give up private information. That is a possibility, and the Indiana AG should place a prominent warning on their site, in close proximity to the breach information, that they do not request personal data, and that ID thieves might contact them attempting the phishing technique. New Hampshire is already doing this as a policy of the AG’s office, but it is not required by law. Chris Soghoian, author of the C/Net article, states that he was unable to confirm that phishing had occurred as a result of the NH reports. Paul Stephens of Privacy Rights Clearinghouse backs this up, dismissing the lobbyists’ claims, stating that “we have not heard of anything of that nature. All of the information on our site is otherwise available elsewhere, we are just creating a handy compilation of information.”

However, sites like the one in Indiana will have minimal results unless the breaching company is required to notify the AG’s office immediately, meaning 24, 48 hours maximum. Otherwise, the fraud of identity theft could already be in progress, considering that it has been proven that stolen private information hits the underground Internet in less than 24 hours. More grist for my concept that consumers should have control over their names and personal data. I did check a recent announcement on the NH site; the Young Women's Christian Assn. Retirement Fund had a breach on October 1, 2007. It wasn’t reported to the AG’s office until November 13. The damage, if any, was already done by then.

There are currently 40 states with data breach notification laws. You can check your state here for more specifics, or if you don’t find it listed, ask your state representative why he or she isn’t concerned over the identity crisis. While state laws have had to take up the slack of an ineffective U.S. Congress on federal privacy legislation, in the long run it probably won’t work. In all fairness to business and government agencies, interpreting and initiating fifty separate laws to stay in compliance is ridiculous when it is obvious that the identity theft problem is a national issue, even international. We need a federal law that grants consumers control over their names and personal data and, in the same legislation, compensates them when it is sold.
