California

Thursday, March 20, 2008

Anti-Real ID Rebellion Spreads To California

On March 10, 2008, Wired magazine reported:

"Assemblyman Pedro Nava (D-35) introduced a non-binding resolution to that effect Monday afternoon in response to concerns about privacy, security and the high price of the federal mandate -- which the government's most recent estimate pegs at $4 billion nationally...Howard Posner, a policy consultant to the Transportation Committee, said that last year the committee contemplated moving legislation to accept Real ID, but reconsidered after 'looking at the cost, and the incredible inconvenience for driver's license holder and the privacy issues.' "

The Real ID Act and the proposed rules by DHS have important implications for how the federal government and states will manage, store, and update citizens' identification data -- and for consumer privacy. Here is how such an expensive, unfunded piece of federal legislation happened:

"Congressman James Sensenbrenner (R-WI) added the Real ID mandate to a must-pass defense spending bill in 2005, leaving the details to be determined by the Department of Homeland Security. After much delay, the final regulations were issued in February of 2008."

If the California legislature passes this resolution, then California would join a group of 17 states that have expressed opposition to the unfunded mandate:

"Three states have outright rejected Real ID, setting up a showdown on May 11, when the federal government says it will not allow residents of Montana, Maine, South Carolina and New Hampshire to use their state I.D. cards for federal purposes."

Consumers should notify their elected officials of any concerns they have with the Real ID Act. Learn more about the Real ID Act at this web site.

Wednesday, February 13, 2008

California Senate Approves Two Measures To Strengthen Identity Theft Laws

California has always led the way with strong identity-theft laws to help consumers. Recently, SC Magazine reported:

"The State Senate in California has passed by wide margins measures that require more extensive notification to consumers of data breaches, establish a central reporting center for breaches, and permit local prosecution of identity theft."

California legislators are trying to make it much clearer what a breach notification letter must contain. SB364 requires:

"... that consumers receive a clear, informative notification letter when their personal data kept by a business or public agency has been stolen. It also requires the state to establish a central reporting site to catalog security breaches... a security breach notification must contain the toll-free telephone numbers of the major credit reporting agencies – to allow consumers to put a hold on their credit – and the name and contact information of the business that has experienced a breach. The notice also must include the type of information, such as names and Social Security numbers, that might have been taken; the date of the breach and of its discovery; a general description of the breach; and the estimated number of persons affected."

This is great news! When IBM notified me of the IBM data breach, their notification didn't disclose the number of persons affected, nor did it disclose much describing the breach. After I called and spoke with IBM, they didn't disclose much more. The above law in my state would have been a big help.

California's legislators went even further with a second proposed law:

"... SB612, would allow identity theft to be prosecuted in the county in which the victim lives, which is not always the case now... The current California law permits prosecution in the county in which the theft occurred or the county in which the information was illegally used, both of which may be hundreds of miles away from the victim's home."

This too is great news, since it facilitates prosecution of the identity thief, who usually doesn't live in the same town or jurisdiction as the identity-theft victim.

However, these two bills are not law yet. Both bills must be acted upon by the California State Assembly. If you are a California resident, I encourage you to call your California State representatives and ask them to pass these two new laws. If you live elsewhere, you should contact your state representatives and ask them why your state doesn't have strong laws like the ones California is considering.

Wednesday, February 06, 2008

California Senate Votes For Anti-Skimming Bill (RFID)

The InformationWeek blog reported:

"The California State Senate voted to make it a crime to skim information stored on RFID tags. The Senate voted 36 to 3 to pass the bill, introduced by State Sen. Joe Simitian (D-Palo Alto). The bill, SB 31, goes to the California State Assembly."

The sentiment of the proposed law is nice, but I wonder how it will actually prevent skimming. The law makes it clear what the penalties are for skimmers who are caught, but, as with most identity theft, thieves seem to never get caught. Hence, the popularity of this crime.

Want to learn more about RFID and identity theft? Start here.

Friday, January 25, 2008

New California 'Shine The Light' Law Hotly Debated

The State of California's 2005 "Shine The Light" law (Civil Code 1798.83) provides California residents with the right to ask a retailer whom else that retailer has shared their personal information with. I think that it is instructive to look at California, which was the first state to enact strong identity theft laws with mandatory data breach notification.

While it is against the law for retailers to share consumers' credit card information, retailers legally can share consumers' name, address, and telephone information with data brokers (companies that buy and sell lists of consumer data). Some argue that this makes consumers more vulnerable to data theft.

Consumer advocates argue for more transparency by retailers, including more opt-out choices so consumers have some control over where their personal data is shared. Not surprisingly, small business lobbyist groups argue against additional legislation in California. Given the massive TJX/T.J. Maxx data breach, retailers definitely need to do more to protect consumers' personal data. I encourage you to view this San Francisco television news broadcast from January 18.

To learn more, read this Privacy Rights Clearinghouse article and this Lyris guide for retail businesses.

Monday, October 15, 2007

Governator Terminates New California Identity-Theft Bill

From the Sunday Oct. 14 Orange County Register:

"An ID theft protection bill that would have made businesses that take credit cards for purchases more accountable to consumers and card issuers was vetoed Saturday by Gov. Arnold Schwarzenegger. In a message explaining his veto of AB779, the governor claimed the marketplace already provides the necessary protections for consumers and that the state bill might conflict with private security standards."

This is sad news, since:

"The bill would have required businesses to follow new guidelines for the handling and storage of sensitive material; to notify consumers with a detailed protocol of how to address identity theft; and to incur out-of-pocket costs to provide restitution to consumers and share the burden of card issuers. Currently, when a security breach is suspected or detected, businesses only must notify card issuers, but have no liability themselves. AB779 would have made the business (or any other entity that utilized cards for payment) share responsibility."

According to the news report, the California Governor's reasons included that the bill was vague and conflicted with existing identity-theft laws. To learn more, see my prior post and the California Progress Report.

Thursday, October 11, 2007

Governator To Decide On California's New Identity Theft Bill

From the October 2, 2007 Los Angeles Times:

"The bill, recently approved by lawmakers on bipartisan votes, now goes to Gov. Arnold Schwarzenegger for his signature or veto. The bill would require banks, credit unions and credit card companies to tell people the name of the retailer where the hackers grabbed their confidential information, including Social Security numbers, account numbers and personal identification numbers, or PINs."

Assemblyman Dave Jones (D-Sacramento), author of the new bill, asserts that, "about 40% of retailers and other organizations that accept credit card payments were complying with security guidelines developed by major credit card companies."

The new bill, Jones' AB 779, also allows:

"... banks and credit card companies to sue allegedly negligent retailers for the cost of closing accounts and issuing new cards. Schwarzenegger, who is being lobbied heavily on the identity theft issue, has not taken a position and has until Oct. 14 to make up his mind."

It's important to watch California, which was the first state with a bill requiring data breach notification and a credit report freeze option (often called a Security Freeze). This newest bill is good because it affirms the need for all companies to get serious about data security. It is good if it also ensures that accountability lies with the company with the lax data security, regardless of whether that company is the credit card issuer or the retailer. This is bad if it encourages credit card issuers to push all liability to retailers.

According to the newspaper article, credit unions support the bill and large business trade groups oppose it. I look forward to hearing what Governor Schwarzenegger says during the coming days.


  • George Jenkins, author of the I've Been Mugged Blog


  • © 2007 - 2008. George Jenkins. All Rights Reserved.