Legislation

Tuesday, April 08, 2008

Washington State Passes RFID Anti-Skimming Law

There's some really good news about identity theft. The legislators in the State of Washington are keeping up with new technologies. During the last week of March 2008, ComputerWorld Magazine reported:

"Washington Gov. Chris Gregoire this week signed a bill making it a Class C felony to use radio frequency identification (RFID) technology to spy on someone. The bill was signed about a week after the Washington State Senate unanimously passed Bill 1031, which makes it a crime to intentionally scan people's IDs remotely without their knowledge and consent, for the purpose of fraud, identity theft or some other illegal purpose. The bill specifically cites RFID and facial recognition technology. Violators face a prison sentence of up to 10 years. In addition, if the illegally gathered data is used in a separate crime, up to 10 years could be added to whatever sentence violators receive for the second crime."

Why is HB 1031 important? First, according to the Seattle Times:

"The Senate took out an 'opt in' provision that would have made it illegal for any company or person to slip an RFID chip into objects such as loyalty cards or cellphones without consumer consent, said state Rep. Jeff Morris, D-Anacortes, the bill's sponsor. "This is a technology that the consumer is clearly unaware of unless it's pointed out to them," he said."

In other words, it is difficult, if not impossible, for the average consumer to look at a credit card and tell if it is a standard card or an RFID card. When I've discussed RFID cards with most people, 99 out of 100 are unaware of the RFID technology and its associated data security issues. Some type of legislation is sensible and appropriate. Plus, consumers need notification from card issuers.

Second, other federal legislation requires states to use RFID technology in identification cards. In Washington, HB 2729 governs the use of RFID in driver's licenses:

"As a state with many travelers who cross the border frequently, Washington has become a test bed for RFID. It's one of four states that have signed agreements with the U.S. Department of Homeland Security to use RFID technology in optional-enhanced driver's licenses that became available in January."

Third, most states do not have any laws about skimming for identity theft. So, criminals can steal identity data from RFID cards via skimming today with little risk. Fourth, there needs to be some type of coordination across countries because identity theft skimming poses risks for travelers.

If this situation is scary and unacceptable to you, I encourage you to write to your elected officials.

Friday, March 28, 2008

Thoughts on Privacy, The Constitution, 'Heavy-Handed' Government, And the Presidential Candidates

Like many people, I've done some research and soul-searching about whom to vote for in the 2008 presidential campaign. My preferred candidate, John Edwards, dropped out of the presidential race before the primary in my state. During the Massachusetts primary, I voted for Edwards anyway with the hope of giving him some clout to influence the party platform at the Democratic convention this summer.

Last year, I read Naomi Wolf's book ("The End of America: Letter of Warning To A Young Patriot"), which I believe should be required reading for all Americans, especially youth. Then, I read Wolf's recent article, "Why Barack Obama Got My Vote," which also resonated with me.

After doing some research, I can tell you that both NSPD-51 and HR 1955 scare the living daylights out of me. If you read about these two items, I think that they will scare you, too. These are not partisan issues, since politicians and citizens on both sides of the aisle find this legislation extremely troubling. I've written to my Congressional House representative, Stephen Lynch (D-MA), a couple of times, and so far he refuses to reply about why he voted for HR 1955.

I fully understand why the Bush administration would craft something like NSPD-51, and why this administration would love for the House and Senate to approve something like HR 1955. (The Senate version of HR 1955, S 1959, is under discussion.) It's no surprise given the Vice President's interest in Executive Privilege. (If you want to learn more about HR 1955 or S 1959, Ronni Bennett has written an excellent description in her Time Goes By blog.)

Regardless, I worry that our Congress is not functioning as a co-equal third branch of our federal government, while the Executive branch has co-opted the Judicial branch, which has lost its independence. To me, all of this combined spells bad times for a government that is supposed to be of, by, and for the people, not of, by, and for the rich or corporations.

If you haven't read the United States Bill of Rights, and the Declaration of Independence, please take a moment to read them. They are wonderful documents.

What does all of this have to do with identity theft? Plenty. As government agencies collect more and more personal data about citizens, that data must be stored someplace. And, government often contracts out many functions to private companies, which means our personal data ends up in lots of places. We citizens have a right to expect our government to be responsible and to explain what it's doing (and not hide behind "we can't discuss that due to national security"). Many call this "transparency." For me, part of transparency is an explanation of where our personal data is collected, used, shared, and archived; plus adequate data security protections, and timely notice after a data breach.

A government that isn't open, honest, and transparent with the explanations it provides, basically treats its citizens like children... or slaves. I do not want to be treated like a child, or a slave.

To me, Barack Obama seems most trustworthy with balancing the needs of government, consumers, and corporations. Barack Obama seems to provide a healthy balance of trust and competence without going overboard with hawkish, pro-war tendencies, while returning our government to a government of, by, and for the people. I feel that if we don't bring some order, sense, and accountability to our government now, we may lose the chance forever.

Friday, March 21, 2008

Is A Total Surveillance Society Inevitable?

Recently, ZDNet Australia reported on the Legal Futures Conference at Stanford University in California. Several technologists and legal experts attended the conference. Many legal experts have again raised concerns that Web 2.0 has come at the expense of individual privacy. The article quoted an IBM technologist at the conference who said:

"'A total surveillance is not only inevitable and irreversible, but also irresistible,' Jeff Jonas, distinguished engineer and chief scientist at IBM Entity Analytics, said during a panel on surveillance at the conference on Saturday. For example, imagine how convenient it would be to have RFID chips embedded in sunglasses so you could find them easily, Jonas said."

Is he serious? Inevitable? Irresistible? Just so I can find my sunglasses? Consider this:

"Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, acknowledged that she finds the location-based technology in her iPhone very convenient when she's trying to avoid traffic congestion but she doesn't want the government to be able to use that technology to track her down. The fact that all sorts of data about each of us is being gathered and is archived, searchable, and can be compiled to create profiles about each of us is what makes digital privacy intrusions so much scarier than pre-Internet life, she said."

Jeffrey Rosen, a law professor at George Washington University and legal affairs editor of The New Republic, warned of:

"... "privacy chernobyls," which he described as "new threats to privacy that have the potential to transform society in troubling ways". Examples include Facebook revealing more about its members than they care to have revealed and tracking their purchases without consent, as well as AOL inadvertently exposing search terms of 650,000 people in 2006."

Are attitudes in the USA unique?

"The perspective is different in other countries, Rosen said. Americans are, in general, concerned with preventing terrorism, while Europeans are concerned with protecting their individual privacy, he said. For example, the French will bare their breasts but not their salaries and mortgages, and the reverse is true in the US. "My fear is that the cultural differences will make thoughtful regulation difficult," Rosen said."

Probably the most important conclusion:

"Government regulation is necessary to ensure that consumers' privacy is adequately protected online, Granick and Rosen said. Orin Kerr, a professor at George Washington University Law School, said the Fourth Amendment can be applied to the online world in a way that balances individual rights with law enforcement needs."

I find a total surveillance society easily resistible. Nor is it inevitable. We have a choice. What do you think?

Wednesday, February 13, 2008

California Senate Approves Two Measures To Strengthen Identity Theft Laws

California has always led the way with strong identity-theft laws to help consumers. Recently, SC Magazine reported:

"The State Senate in California has passed by wide margins measures that require more extensive notification to consumers of data breaches, establish a central reporting center for breaches, and permit local prosecution of identity theft."

California legislators are trying to make it much clearer what a breach notification letter must contain. SB364 requires:

"... that consumers receive a clear, informative notification letter when their personal data kept by a business or public agency has been stolen. It also requires the state to establish a central reporting site to catalog security breaches... a security breach notification must contain the toll-free telephone numbers of the major credit reporting agencies – to allow consumers to put a hold on their credit – and the name and contact information of the business that has experienced a breach. The notice also must include the type of information, such as names and Social Security numbers, that might have been taken; the date of the breach and of its discovery; a general description of the breach; and the estimated number of persons affected."

This is great news! When IBM notified me of the IBM data breach, their notification didn't disclose the number of persons affected, nor did it disclose much describing the breach. After I called and spoke with IBM, they didn't disclose much more. The above law in my state would have been a big help.

California's legislators went even further with a second proposed law:

"... SB612, would allow identity theft to be prosecuted in the county in which the victim lives, which is not always the case now... The current California law permits prosecution in the county in which the theft occurred or the county in which the information was illegally used, both of which may be hundreds of miles away from the victim's home."

This too is great news, since it facilitates prosecution of the identity thief, who usually doesn't live in the same town or jurisdiction as the identity-theft victim.

However, these two bills are not law yet. Both bills must be acted upon by the California State Assembly. If you are a California resident, I encourage you to call your California State representatives and ask them to pass these two new laws. If you live elsewhere, you should contact your state representatives and ask them why your state doesn't have strong laws like the ones California is considering.

Wednesday, February 06, 2008

California Senate Votes For Anti-Skimming Bill (RFID)

The InformationWeek blog reported:

"The California State Senate voted to make it a crime to skim information stored on RFID tags. The Senate voted 36 to 3 to pass the bill, introduced by State Sen. Joe Simitian (D-Palo Alto). The bill, SB 31, goes to the California State Assembly."

The sentiment of the proposed law is nice, but I wonder how it will actually prevent skimming. The law makes it clear what the penalties are for skimmers who are caught, but, as with most identity theft, the thieves seem never to get caught. Hence the popularity of this crime.

Want to learn more about RFID and identity theft? Start here.

Friday, January 25, 2008

New California 'Shine The Light' Law Hotly Debated

The State of California's 2005 "Shine The Light" law (Civil Code 1798.83) provides California residents with the right to ask a retailer with whom else that retailer has shared their personal information. I think that it is instructive to look at California, which was the first state to enact strong identity theft laws with mandatory data breach notification.

While it is against the law for retailers to share consumers' credit card information, retailers legally can share consumers' name, address, and telephone information with data brokers (companies that buy and sell lists of consumer data). Some argue that this makes consumers more vulnerable to data theft.

Consumer advocates argue for more transparency by retailers, including more opt-out choices so consumers have some control over where their personal data is shared. Not surprisingly, small business lobbying groups argue against additional legislation in California. Given the massive TJX/T.J. Maxx data breach, retailers definitely need to do more to protect consumers' personal data. I encourage you to view this San Francisco television news broadcast from January 18.

To learn more, read this Privacy Rights Clearinghouse article and this Lyris guide for retail businesses.

Wednesday, December 19, 2007

Whistleblower's Personal Data Published On the Internet

Imagine a doctor has published your most personal information online because that doctor didn't like your opinions of their medical services. Sounds far-fetched, like science fiction? Nope. This is exactly what happened to Glenn Hagele, a patients' advocate. According to Glenn's web site:

"Glenn Hagele created a nonprofit Lasik patient advocacy organization to help inform the public of the potential risks and benefits of Lasik surgery. The Council for Refractive Surgery Quality Assurance that Glenn Hagele founded evaluates Lasik doctors to determine if their outcomes are at or above the norm. The organization's sister website Complicated Eyes assists those who have poor Lasik outcomes."

Like many people, Glenn believes the individual should have control of their personal information. According to the news release at the VNUNet.com site:

"Within weeks of notifying authorities of what he believed to be bankruptcy fraud, Glenn Hagele, of Sacramento California, learned that archived government documents with his private identity information were being published on the internet."

Apparently, one doctor didn't like Glenn's advocacy effort and retaliated by posting Glenn's most sensitive personal data (e.g., name, birthdate, SS#) on the internet. Some call this type of retaliation "cyber assassination." Obviously, it's meant to intimidate and to cause harm. And it created risks for Glenn where identity thieves could abuse his personal data and wreck his finances.

Glenn took action, researched the situation, sued the doctor, and won. From the VNUNet.com news release:

"A US court had ordered that the personal details of a Californian man be removed from the web, ruling that the information was posted online in retaliation for him blowing the whistle on a bankruptcy fraud case. In a civil lawsuit, Hagele alleges Lauranell Burch, a staff scientist at the National Institute of Health (NIH), used secure government computer resources to manage and hide ownership of the websites controlled through a Thailand intermediary."

Glenn was kind enough to provide a link to the new North Carolina law, named the Burch Clause. I congratulate the North Carolina legislature for passing the Burch Clause.

This story is important for two reasons. First, consumers should have control over their personal data. Burch did not have Glenn's consent to publish his personal data on the internet, or anywhere else. Second, there have to be penalties when individuals (or companies) willfully publish an individual's personal information without their consent and with intent to harm or intimidate. The North Carolina legislature obviously agreed.

I expect that Glenn will closely monitor his credit reports and financial accounts. And if Glenn becomes an identity theft victim, I expect that he will sue Burch for reimbursement of both credit restoration and credit monitoring costs to repair any damage, as the North Carolina law allows.

Thursday, December 13, 2007

For Credit Card Purchases, Are Retailers' Demands For More Personal Information Legal?

In the MSNBC Red Tape Chronicles blog, Bob Sullivan has raised some interesting points about which questions, if any, retail cashiers may appropriately ask during a purchase with a credit card. Bob wrote:

"'Can I see your driver's license?' 'Can I have your phone number?' 'Do you have another form of ID?' But how do you answer? It seems that to shop is to be interviewed. Everywhere you go, you are asked invasive questions. And every time you look at the news, you see another company is losing consumers' data. So you would probably rather not answer those kinds of questions, but can you say 'no'? Yes, say legal experts."

Bob has raised several important issues. First, it's a great idea for consumers to know their rights. Second, it makes good sense for consumers to not disclose more personal data than required. Third, consumers have a choice about whether or not to shop at a retailer that asks more questions than they feel comfortable answering.

Fourth, Bob Sullivan highlighted the Visa merchant agreement policy. This gives consumers an option to complain about retailers that violate Visa's policy:

"Complaining is simple. Call your credit card issuer (your bank) and tell them. They will in turn pass the complaint along to the acquiring bank (the store's bank). That might sound like a meaningless paper trail exercise, but it isn't. Violation of Visa terms can actually get a merchant knocked off the credit card network, which is nearly the death penalty in today's retail world."

For consumers who are interested, see page 2-21 of the MasterCard Merchant Rules document (PDF).

Also, I checked the Privacy Rights Clearinghouse Web site, and merchant laws vary by state. This is important both for consumers to know their rights, and for consumers considering a lawsuit against a retailer that requested too much personal data. For example, in Massachusetts consumers are encouraged to, "notify the office of consumer affairs and business regulation or the office of the attorney general."

Thursday, October 18, 2007

Bipartisan Bill Toughens Laws And Penalties For Identity Theft and Fraud

So far, I have not written about Federal identity theft and fraud legislation. That will change starting with this post.

On Tuesday, October 16, Senators Patrick Leahy (D-VT) and Arlen Specter (R-PA) introduced a new bill, the Identity Theft Enforcement and Restitution Act of 2007 (S 2168), to provide federal prosecutors with new and stronger tools to fight identity theft and online crime. This new bill builds upon prior proposed legislation. Features of the new bill:

  • "Give victims of identity theft the ability to seek restitution for the loss of time and money spent restoring credit and remedying the harms of identity theft;"
  • "Expand the jurisdiction of federal computer fraud statutes to cover small businesses and corporations;"
  • "Eliminate the prosecutorial requirement that sensitive identity information must have been stolen through an interstate or foreign communication and instead focuses on whether the victim's computer is used in interstate or foreign commerce, allowing for the prosecutions of cases in which both the identity thief's computer and the victim's computer are located in the same state;"
  • "Make it a felony to employ spyware or keyloggers to damage ten or more computers regardless of the aggregate amount of damage caused, ensuring that the most egregious identity thieves will not escape with a minimal, or no, sentence;"
  • "Eliminate the requirement that the loss resulting from damage to a victim's computer must exceed $5,000; under this bill violations resulting in less than $5,000 damage would be criminalized as misdemeanors;"
  • "Add the crime of threatening to obtain or release information from a protected computer to the definition of a cyber crime and expands the definition of a cyber crime to include demanding money in relation to a protected computer, where the damage to the victim computer was caused to facilitate the extortion. By expanding this definition, violators of this provision are subject to a criminal fine and up to five years in prison."

Access to restitution. Stronger penalties. Enhanced powers for federal prosecutors. All of this sounds good to me, especially since identity theft crimes do severe damage and are, obviously, premeditated. I also like the bipartisan support of this new bill.

Monday, October 15, 2007

Governator Terminates New California Identity-Theft Bill

From the Sunday, Oct. 14, Orange County Register:

"An ID theft protection bill that would have made businesses that take credit cards for purchases more accountable to consumers and card issuers was vetoed Saturday by Gov. Arnold Schwarzenegger. In a message explaining his veto of AB779, the governor claimed the marketplace already provides the necessary protections for consumers and that the state bill might conflict with private security standards."

This is sad news, since:

"The bill would have required businesses to follow new guidelines for the handling and storage of sensitive material; to notify consumers with a detailed protocol of how to address identity theft; and to incur out-of-pocket costs to provide restitution to consumers and share the burden of card issuers. Currently, when a security breach is suspected or detected, businesses only must notify card issuers, but have no liability themselves. AB779 would have made the business (or any other entity that utilized cards for payment) share responsibility."

According to the news report, the California Governor's reasons included that the bill was vague and conflicted with existing identity-theft laws. To learn more, see my prior post and the California Progress Report.

The Data Companies Often Keep, And Should Protect Vigorously

After my experience with IBM's data breach, I first questioned why IBM archived all former employee data forever. Then I began to wonder what types of data companies archive about their employees and former employees, not just about their customers.

The SearchSecurity.com site has a good summary article about the types of information companies archive:

  • Employee data: name; Social Security numbers; birth dates; home phone numbers; health records; home addresses; ethnicity and citizenship; veteran and disability status; email addresses; drivers' license numbers
  • Health data: medical record numbers; health plan numbers; account numbers; certificate or license numbers; device identification/serial numbers; facial photographs
  • Financial data: account balances; ACH numbers; bank account numbers; credit card number and expiration date; credit rating; income data; payment data; account numbers; expiration dates

This is a wealth of information. A virtual gold mine! What identity thief wouldn't want access to this? And, if you and I are aware of the wide range of information companies archive, you can be sure that identity thieves are aware, too.

What I like most about this article is that it clearly explains many of the key State and Federal US laws and standards that require companies to protect this personal data:

I was amazed while reading this article that some privately-held companies don't think that these laws and standards apply to them:

"There is a huge misconception among information security professionals today that data privacy laws are not applicable to private companies, but are only designed for publicly traded companies, government organizations or financial institutions. This is not the case. Whether your company is public or private, large or small, today's information privacy regulations may affect you and your organization on many different levels, not just financially and legally."

This definitely clarifies the problem among companies.

Thursday, October 11, 2007

Governator To Decide On California's New Identity Theft Bill

From the October 2, 2007 Los Angeles Times:

"The bill, recently approved by lawmakers on bipartisan votes, now goes to Gov. Arnold Schwarzenegger for his signature or veto. The bill would require banks, credit unions and credit card companies to tell people the name of the retailer where the hackers grabbed their confidential information, including Social Security numbers, account numbers and personal identification numbers, or PINs."

Assemblyman Dave Jones (D-Sacramento), author of the new bill, asserts that "about 40% of retailers and other organizations that accept credit card payments were complying with security guidelines developed by major credit card companies."

The new bill, Jones' AB 779, also allows:

"... banks and credit card companies to sue allegedly negligent retailers for the cost of closing accounts and issuing new cards. Schwarzenegger, who is being lobbied heavily on the identity theft issue, has not taken a position and has until Oct. 14 to make up his mind."

It's important to watch California, which was the first state with a bill requiring data breach notification and a credit report freeze option (often called a Security Freeze). This newest bill is good because it affirms the need for all companies to get serious about data security. It is good if it also ensures that accountability lies with the company with the lax data security, regardless of whether that company is the credit card issuer or the retailer. This is bad if it encourages credit card issuers to push all liability to retailers.

According to the newspaper article, credit unions support the bill and large business trade groups oppose it. I look forward to hearing what Governor Schwarzenegger says during the coming days.

Wednesday, September 12, 2007

New ID Theft Law in Massachusetts (Part 2)

Since IBM notified me about their data breach, I've paid more attention to identity theft legislation in Massachusetts, where I live and work. If you live in Massachusetts, then this new law affects you. If you live in another state, this is an opportunity to evaluate your state's identity theft laws.

Before Massachusetts' new ID-theft law becomes effective in November 2007, I wanted to understand the details and what to expect. Of course, I want to judge how well my state implements this new law.

So, I read both the Massachusetts House and Senate draft versions of the proposed law, plus the final version of the new law. This helped me understand the features and benefits of the new law (and which features didn't make it into the final version of the new law). Negotiations between state lawmakers, companies, and credit bureaus weren't covered much in the local news media, but I firmly believe that they affected the features in the new law.

If you want to read the new law, see St. 2007, c. 82: Security Freezes and Notification of Data Breaches. The link is also listed in the right column under "Massachusetts Resources." The major features in Massachusetts' new identity theft law:

  • Personal data to be protected: regardless of the format it is stored in, the personal data companies and state agencies must protect includes a resident's first name and last name, or first initial and last name, in combination with the resident's SS#, driver's license number, state identification number, or financial account data (e.g., a debit or credit card number, with or without a security code, access code, or password).
  • Data breach notification for consumers: companies and government agencies must notify affected Massachusetts residents as soon as possible when their personal data (e.g., SS#, driver's license number, etc.) has been lost or stolen. Notice is triggered by unauthorized access to the personal data, regardless of whether there is a likelihood of harm. It doesn't matter if the data is encrypted or not.
  • Data breach notification: companies and state agencies must also notify the Massachusetts Director of Consumer Affairs and the Attorney General. The notice must describe the nature of the data breach, the number of Massachusetts residents affected, and any steps taken relating to the data breach. The notice to consumers does not have to include these details.
  • New "Security Freeze" option: allows consumers to "lock" their credit reports to prevent identity thieves from fraudulently creating new accounts in their names. This option is free for ID-theft victims; up to $5 for others. Credit bureaus must provide a PIN within 5 days of the consumer's Security Freeze request. The PIN is used by the consumer to control access to their credit report. Credit bureaus must implement a Security Freeze within 3 days of the consumer's request, and lift (or remove) the freeze within the same number of days.
  • Disposal of records with personal data: the new law sets rules about the proper destruction of records by companies and government agencies.
  • Consumer access to police report: local police must provide ID-theft victims with a copy of their police report within 24 hours, even if the identity theft occurred elsewhere. This provision of the law takes effect February 3, 2008, and not in November 2007 with the rest of the law.

This is great news and a huge step forward. Previously, data breach notification was not required. Now, it is. The Security Freeze provision offers better and stronger protection than the existing Fraud Alert tool from the credit bureaus. However, there are some limitations in the law:

  • The new law does not specify exactly how quickly (e.g., number of days, weeks, or months) data breach notification must be sent. Notice must be sent in writing to each Massachusetts resident affected by a data breach. In my opinion, speed is important since identity thieves act quickly
  • Possible loophole: "substitute notice." The law reads, "Notice shall include: (iii) substitute notice, if the person or agency required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, or that the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency does not have sufficient contact information to provide notice." Additionally, the company or government agency can notify ID-theft victims via e-mail, a posting on a web site, publication in broad news media, or via the state department of consumer affairs
  • The "substitute notice" feature could be a problem for former employees and retirees. While consumers who are stockholders or have a retirement account with their former employer likely monitor the merger/acquisition/name changes of their former employer, others may not. Consumers who don't monitor the merger/acquisition/name change of a former employer may not recognize the substitute notice from the new company
  • The new law doesn't state what the penalties are for credit bureaus that violate the Security Freeze features. Section 9 of the new law reads, "You may be entitled to collect compensation, in certain circumstances, if you are damaged by a person's negligent or intentional failure to comply with the credit reporting act." May be? To me, penalties are important should a credit bureau fail to implement a Security Freeze within the days specified, or discloses a consumer's credit report despite an in-place Security Freeze
  • The new law doesn't state whether or not the Security Freeze feature applies to C.L.U.E. reports. The new law does mention "consumer reporting agency" which probably applies to ChoicePoint, the dominant C.L.U.E. reports provider
  • Disposal of records feature: the penalty for violators seems very weak, in my opinion. The law reads, "Any person or agency who violates the provisions of this chapter shall be subject to a civil fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal." $100? Geez! We need stronger laws here to encourage compliance, not weak laws to undermine compliance.
  • The new law doesn't state whether the Massachusetts department of justice will post data breach notices online, like New Hampshire does

What do you think of the new law? How does it compare to your state's ID-theft law? Has your former employer provided substitute notice? I've Been Mugged readers want to know.


Sunday, August 26, 2007

New ID Theft Law in Massachusetts

A prior blog entry discussed the pending identity theft legislation in Massachusetts. This month, our Massachusetts Governor signed a new identity theft law. According to the Boston Globe newspaper:

"Governor Deval Patrick signed legislation that requires businesses and government agencies to promptly notify consumers when private information such as Social Security and driver's license numbers have been lost or stolen. The law also allows residents to place a "security freeze" on their consumer credit reports to prevent identity thieves from fraudulently creating new accounts in their names. It also establishes rules for the disposal of old records containing personal information. Under those rules, state officials would be required to delete the first few digits of Social Security numbers when handling documents involving personal information if federal authorities don't require the full number. The law also requires companies and state agencies to destroy documents that contain personal information."

This is great news!!! While the new law won't stop all forms of ID theft and fraud, the Credit Freeze provision is far better and stronger protection than the existing Fraud Alert tool from the credit bureaus. I also like the portions of the law that clarify which personal data elements entities (e.g., companies and government agencies) can and cannot retain, and when state government entities should destroy documents with our personal data.

More good news... the new law mandates data breach notification by companies. According to an August 10, 2007 e-mail message I received from Janet S. Domenitz, Executive Director of MASSPIRG:

"The new law, which will go into effect in November, will address the crime of identity theft on several fronts. It will set standards for how consumer information is protected and disposed of by both businesses and government agencies. It will require companies that store this type of data to notify affected individuals if it is lost or stolen. And it allows consumers to proactively prevent identity thieves from opening credit in their name by blocking access to their credit reports through a 'security freeze.' "

I am still reviewing the draft legislation and the text of the new law, to understand the provisions that made it to the final version of the new law... especially:

  • Penalties for corporate violators,
  • Protections for ID-theft victims of data breaches by former employers,
  • Details about the fees and administration of the new "security freeze" option,
  • Promotional guidelines to inform consumers, and
  • Guidelines for outsourcing and/or off-shoring personal data.

If you want to read the draft state senate and house bills, plus the new law (St.2007, c.82: Security Freezes and Notification of Data Breaches), there are links in the right column under "Massachusetts Resources."


Thursday, July 26, 2007

Identity Theft Legislation in Massachusetts

Since I live in Massachusetts, any state legislation about Identity Theft is important. About 35 states have laws requiring companies to inform citizens of a data breach, but Massachusetts does not. About 25 states have laws providing their citizens with a Credit Freeze tool. Massachusetts is not on this list either. No matter where you live, you should check both lists to see how seriously your state government considers Identity theft.

Thankfully, change is underway in Massachusetts. And it is long overdue. An Identity Theft bill in Massachusetts has been passed by the state House and is under consideration by the state Senate. I haven't read the actual legislation yet. When I do, I will comment about the legislation and if it goes far enough with strong enough identity theft protections.

Some background: a Credit Freeze is a critical and powerful tool for consumers to protect against Identity theft. With a Credit Freeze, a company or a creditor cannot access a consumer's credit file unless the consumer provides consent. Today's U.S. financial system allows the national credit bureaus (and other companies) to freely share your credit information with creditors (good or bad)... even after you've placed a Fraud Alert on your credit file. As you might expect, the national credit bureaus oppose state legislation with the Credit Freeze tool.

If Massachusetts offered a Credit Freeze option, I would have used it immediately when IBM notified me of their data breach. As I mentioned in an earlier blog entry, the U.S. financial system is heavily tilted towards companies making money by freely sharing consumers' credit information, and tilted away from strong protections and notifications for consumers. In my case, IBM was a prior employer and not a retailer I'd purchased products from.

One reason why I started this blog is to raise consumers' awareness of the identity theft problem, particularly where employers lose personal data about prior employees. And everyone has one or more prior employers. I believe we can fix this tilted system. As you might expect, the national credit bureaus view the Credit Freeze tool as a burden and oppose legislation with it at the state level. Surprisingly, there is a discussion about whether or not consumers should be notified about data breaches.

To me, consumer notification should be required of all companies, especially when that company is a prior employer who has chosen to archive personal data for an extended period. Consumer notification should be required for all data breaches. And, the Credit Freeze tool should be available to all consumers nationwide. These are two critical tools for protection against identity theft.

  • George Jenkins, author of the I've Been Mugged Blog
  • © 2007 - 2008. George Jenkins. All Rights Reserved.