Massachusetts Gets Tough On Data Security (Part Two)

Yesterday's post discussed new legislation to protect Massachusetts residents. As you might expect, some businesses have protested the changes. Forbes Magazine reported:

"Massachusetts business owners and advocates protested new identity theft regulations at a hearing, saying the rules to protect customers' credit card numbers and personal information will be too costly and time-consuming in a down economy. The Office of Consumer Affairs and Business Regulation hearing was about again extending deadlines for the rules, which require businesses to encrypt laptops, wirelessly transmitted data and consumers' financial and personal information."

The complaints are ones you'd expect to hear:

"... the identity theft law will impede interstate commerce, hurt job creation, and cost too much for small businesses who have to hire outside technology support and upgrade their systems."

Some experts estimated the cost at $50,000 for a small business to comply with the new law. The Massachusetts Government estimated the cost at $10,000 for operation and maintenance in the first year. The companies asked the Massachusetts Government to reissue new regulations on May 1, 2009 and give them two years to comply.

Two years? I can see some foot-dragging due to the recessionary economy. However, business-as-usual just won't work. 2008 saw a record number of data breach incidents and records lost or stolen. And that's based on the fact that about 75 percent of companies release the number of records stolen or consumers affected. So, the real numbers are worse.

Plus, the cost of a data breach is rising significantly. These small businesses should compare the cost of compliance to the post-data-breach costs. $50,000 may seem like a lot, but at a $202 post-data breach cost per record, the break-even is only 248 records. Most small businesses probably have more than 248 customers. So, it is less costly for a small business to avoid data breaches by implementing strong data security now, rather than gamble with consumers' sensitive personal data and incur large post-data breach costs later.

Companies have to take responsibility for protecting consumers' sensitive personal data they use and archive: customers, employees, and former employees. While small businesses do not have the resources that large, multinational companies have to implement effective data security methods, business-as-usual won't work. Consumers have even less resources to protect their sensitive data, to pay for credit monitoring ($12 per month or more) and credit repair services (rates vary) after a data breach, and to pay fees to place and life Security Freezes ($5 - 10 per instance) on their credit reports. Plus, many consumers are unemployed.

Business has to pick up its rightful share of implementing data security methods, since they make money by using consumers' data. If this concerns you (and I hope that it does), I encourage you to write to your elected officials and tell them no more delays for small businesses to comply with the new data security laws.

Massachusetts Gets Tough On Data Security (Part One)

Changes are coming to Massachusetts businesses. Bank Systems & Technology reported:

"... come May 1, [companies and banks] will have to be mindful of strict new rules coming from the Commonwealth of Massachusetts around data security. The Massachusetts Data Security Regulations are perhaps like no other in terms of their depth and scope... They go beyond the rules of other states and the federal government that simply require companies to notify their customers of theft of their personal information."

There are several personal data items consumers must protect. Companies and banks keep a wide range of sensitive data about consumers (e.g., customers, employees, contractors, and former employees) which they don't always protect. What makes the Massachusetts law stricter:

"... companies, including banks, that handle the personal data of a Massachusetts resident must show they have in place a comprehensive, written information security program with heightened security procedures around how this information is handled. The rules also extend to entities' service providers and the degree to which they too much show they comply with the Massachusetts rules of handling data on residents. Companies have until May 1 to amend their vendor contracts to reflect this and until Jan. 1, 2010 to certify their vendors comply. Furthermore, companies must comply with these rules even if they do not have a single office in the Bay State or if they are in an already heavily regulated industry, like financial services. As long as customers in businesses' databases reside in Massachusetts, those companies are affected by the rules."

Now that's a law I like. Clear data security protections for consumers. There's more:

"Under the rules, companies have a duty to monitor their security programs on an ongoing basis... The safeguards in the program must be administrative, technical and physical in nature. Entities will be required to identify all records used to store personal information... Businesses must also identify and assess both internal and external risks to the organization. Once these steps are completed, they must then evaluate (and improve, if necessary) the safeguards in place around such areas as employee training and physical security... companies will be obligated to limit the collection and use of personal information. They must identify the purposes for which they collect this kind of information and identify how long the wish to keep it and who can access it."

Since so many company data breaches have involved laptop computers and flash drives, the rules also cover employee training and:

"Companies will be required to encrypt data that is not only stored but also when it is being transmitted over networks or physically moved as when an employees take a laptop home."

Amen. That's pretty good legislation which covers most of the problem areas that cause data breaches. However, I would have liked to have seen specific protections in the legislation about RFID, and jail time for executives at companies that don't comply or experience repeated data breaches.

I encourage Massachusetts residents to write to their elected officials and thank them for these new data security. I encourage residents in other states to ask their elected officials what they are doing about data security so their state does not fall behind Massachusetts.

Data Breach At Auto Dealership Affects Thousands in New Hampshire And Massachusetts

Last week, the New Hampshire Union Leader newspaper reported the data breach at the Bill Dube Ford/Toyota dealership when computer data tapes were stolen. The stolen data included the:

"Personal information from thousands of people in New Hampshire and Massachusetts...The pilfered data include names, addresses, Social Security numbers and driver's license information, but no financial data such as credit card information, from customers at Bill Dube's dealerships in Dover and Wilmington, Mass."

The number of people affected by this data breach was estimated at over 10,000. It's unacceptable that, four months later, the dealership doesn't know the contents of the stoen data tapes. A computer security expert should have been hired to help determin the tape contents.

Also, the dealership was extremely slow to notify affected consumers since the theft was were discovered on August 5 and customers were notified in a letter dated December 5. That delay is totally unacceptable.

This breach is also noteworthy due to the crisis in the auto industry. As the U.S. Federal Government debates whether or not to provide bailout monies to the U.S. auto manufacturers, the result has implications for hundreds of auto dealerships.

Should one or more auto companies go out of business, the same would likely happen with hundreds of auto dealerships. Yes, hundreds of thousands of people could lose their jobs. Beyond that, the closing of auto dealerships raises the question about the data security of the sensitive personal data archived at those dealerships. Will those dealerships adequately protect that data? Will dealerships that go out of business effectively destroy sensitive data? Who is looking out for the consumers' interests?

Here's an idea. The oil companies should bail out the auto companies. Why?

First, the oil companies have huge amounts of cash. Remember the oil companies made record profits over the past few years as gas rose near $4.00 per gallon. Second, the oil and auto industries have a symbiotic relationship. One industry sells what the other industry's products consume. The oil companies have a stake in the health of the auto industry.

Third, it gets the Federal government out of the corporate bailout game, a place where government doesn't have the necessary skills and expertise. Fourth, it's an opportunity for oil companies to do something patriotic: save several major American companies and save thousands of jobs. Just think of the goodwill oil companies would collect.

Massachusetts Regulators Adopt Tougher Identity Theft Rules

Last week, the Boston Globe newspaper reported:

"The regulations, issued by the Massachusetts Office of Consumer Affairs and Business Regulation, require companies that handle personal information such as credit card accounts and Social Security numbers to encrypt data stored on laptops, monitor employee access to data, and take other steps to protect customer information, beginning Jan. 1. Governor Deval Patrick also signed an executive order requiring state agencies to take similar measures."

After the TJX Companies / TJ Maxx data breach, in 2007 Governor Patrick signed new legislation for Massachusetts residents requiring companies to notify consumers of data breaches, new data protection and disposal rules for companies and state agencies, and new Security Freeze laws to help consumers. Back in August 2008, the I've Been Mugged blog reported the continual data breach problems nationwide. In June, we discussed the poor state of data security by companies. It's good to see the Boston Globe also summarize the continual problem of data breaches:

"Since then, companies have reported nearly 320 security breaches to the state, affecting more than 625,000 residents. Many involved stolen laptops and hard drives. In three of four cases, the data were not encrypted or protected by a password."

While the new, stronger rules are a step in the right direction, Massachusetts legislators need to do more. Consumers need Anti-Skimming laws for protection against RFID identity theft. The State of Massachusetts should also publish copies of the data breach notifications it receives, so consumers have convenient access to these documents. Online access to these documents has many benefits, including help consumers verify data breach notification letters as authentic and not spam.

Security Freeze: Peace Of Mind And Protection For Your Credit Reports

Since I started this blog in July 2007, I've learned a lot about identity theft. I had to after IBM exposed my sensitive personal data. First, I placed a 90-day Fraud Alert on my credit reports. Then, I signed up for the free credit monitoring service IBM provided from Kroll. 90 days later, I renewed my Fraud Alerts.

So far, so good. No problems with identity fraud.

Given the ongoing risk, I wanted more protection for my credit reports than what the credit bureaus provide with their Fraud Alert tool. The fact is, the credit bureaus just append the alert to your credit report whenever they sell it to a potential creditor. A shady creditor could still issue new credit in my name to an identity criminal. So, I placed a Security Freeze (also called a "Credit Freeze") on my credit reports at the three national credit bureaus.

While the Fraud Alert tool is free, that didn't seem to be a good value for me given the risk. The free credit monitoring service IBM arranged with Kroll was only for one year, and it did not provide an automatic Fraud Alert renewal service. While I could have continued to renew my Fraud Alerts every 90 days, stronger protection was more important to me than a freebie.

I didn't want to pay a credit monitoring service (e.g., LifeLock) to renew my Fraud Alerts because this is an easy task any consumer can do by their self -- for free. I've done it and I know. More importantly, I wanted stronger protection for my credit reports. The Security Freeze option fills that need.

To place the Security Freeze, first I visited each credit bureau's web site and printed their Security Freeze instructions page. All three credit bureaus have similar instructions. You have to provide them with documentation verifying, a) who you are, b) your current residential address, c) valid payment; and send a letter via snail mail (or overnight express) requesting the Security Freeze. You can't place a Security Freeze over the phone, via e-mail, nor via text messaging.

While all three national credit bureaus offer the Security Freeze option nationwide, the fees vary by state. According to Massachusetts law, each credit bureau can charge a Massachusetts resident a maximum of $5 to place, lift, and remove a security freeze. Each credit bureau's web site lists the fees for your state. If you are an identity theft victim (e.g, you can prove so by providing a copy of a filed police report), then the Security Freeze is usually free. In many states, the Security Freeze is free for residents 65 years of age or older.

Should IBM have paid for my Security Freeze fees? That's a discussion I'll save for another post. For me, the $15 total fees is a good investment for both protection and peace of mind. I'd like to thank my state's legislators and Governor Patrick for keeping the Security Freeze fee low for Massachusetts residents.

Next, I assembled my Security Freeze letters. Some credit bureaus require a photocopy of your Driver's License, and/or an insurance or bank statement. This was time consuming, but easy to do. The whole process took me about 4 hours.

At the post office, I mailed all letters via Certified Mail - Return Receipt. While this cost a little more, it is a smart investment because it minimized my worries. The Return Receipt notice informed me when each credit bureau received my Security Freeze letter. About 8 business days later, I received confirmation letters from the credit bureaus.

Each confirmation letter included an explanation of that credit bureau's Security Freeze process, additional instructions, and my personal PIN number. You'll need this PIN when communicating with the credit bureau to temporarily lift or remove your Security Freeze. I stored these confirmations in a secure location.

Will a Security Freeze prevent all types of identity theft and fraud? No. A Security Freeze is not a cure-all. I don't have any illusions about this. While a Security Freeze will prevent criminals from opening new credit and new financial accounts in your name, it won't stop criminals from committing a crime in your name, if your personal data has already been stolen or exposed -- like IBM exposed mine. Nor will a Security Freeze prevent criminals from breaking into my financial accounts. There are other things consumers must do like use rotating and stronger passwords, and set up e-mail or text messaging alerts for your financial accounts.

Blogging For Civil Liberties Workshop at the ACLU of Massachusetts Conference

On Saturday January 26, 2008, I attended the first ACLU Massachusetts conference on Reclaiming Our Civil Liberties. The conference was a real treat for me, since I'd only read about Daniel Ellsberg, the keynote speaker. It was great to hear him live and hear his experiences about the Pentagon Papers. (See also the National Security Archive at GWU.) Ellsberg also discussed his views on the Bush administration, U.S. foreign policy, the Iraq war, the "Blue Dog Coalition" (for perspectives, see C-Span, Common Dreams , and the New York Times), and the oath of government officials to the Constitution (and not a personal oath to the President). Much of today's policies of expansive Executive privilege by the Bush administration are rooted in VP Cheney's tenure in President Nixon's administration.

I attended the conference both as a member and as a panelist. There were over 400 attendees, by my rough count. I spoke at a workshop titled, "Blogging for Civil Liberties." Christopher Ott, the Communications Manager of the ACLU of Massachusetts, chaired the panel. The other panelist was Charles Blandy, Co-Founder and Co-Editor of BlueMassGroup.com.

The workshop went smoothly. About 35 people attended this workshop. Charles spoke first and reviewed many of the well-known sites political blogs (such as Daily Kos and TPMmuckraker) consumers can use to learn about civil liberties and to participate in the blogosphere. My talk focused more narrowly on Ive Been Mugged as an example of citizen journalism, consumers' rights about identity protection, and notification laws after a corporate data breach. About 30 people attended this workshop and at least 400 attended the conference.

If you missed the conference, you can listen to the "Blogging For Civil Liberties" podcast (52 minutes, MP3 file, 23 MBytes). You can list to the podcast on any MP3 player, including the iPod. I'd like to thank Christopher Ott and the Massachusetts ACLU for making the podcast available. Thanks to Marilyn Humphries for the photograph.

[Note to readers: Sorry for the delay publishing this post. I would have published it sooner, but the podcast was only recently available.]

Data Breach At Harvard University

Several news sources have reported a data breach at Harvard University. From ABC News:

"... at least one hacker launched an attack on a computer server at Harvard University, potentially viewing the personal information of up to 10,000 graduate students and applicants to the Graduate School of Arts and Sciences and posting some of the information on the Web. Harvard officials began notifying thousands of students and applicants this week... According to Harvard chief information officer Dan Moriarty, an attack was launched Feb. 16 on a server that contained summary information from applications for prospective students as well as the housing information of current students. About 6,600 of those applications included Social Security numbers. Some of the information on the server was copied and ultimately posted on The Pirate Bay, a well-known bit torrent Web site where people can download movies and music.

The Chronicle Of Higher Education reported:

"Harvard has sent notices to all affected people and is offering, at the university’s expense, to help them obtain credit reports, set up credit-monitoring services and fraud alerts, and take other steps to guard against identity thieves."

If that's all Harvard is offering, then Harvard's identity theft victims are getting much. First, free credit reports are already available online for consumers. Second, the credit bureaus already provide free Fraud Alerts for consumers. There is some value in free credit monitoring services, provided the services include flexible and timely alerts, access to credit reports throughout the year, two or more years of free services, and credit restoration services.

Since news stories don't provide much detail about the credit monitoring services offered, I checked the Harvard news release:

"In situations where applicants’ Social Security numbers or Harvard University ID numbers may have been accessed, the notifications provide contact information for free use of the services provided by Kroll Inc. At Harvard’s expense, Kroll is helping potentially affected persons obtain copies of their credit reports, set up credit-monitoring services and fraud alerts, and take other steps to protect themselves."

That is good news. Harvard is offering its identity theft victims credit restoration services from Kroll. the restoration service helps identity theft victims clean up accounts that have been taken over or new accounts established by criminals. The monitoring services helps identity theft victims check their credit repors frequently to discover abuse as soon as possible. I hope that all of harvard's identity theft victims take advantage of both services.

While 10,000 records is a sizable data breach, other colleges and universities have had far larger data breaches:

• George Mason University: January 2005: 32,000 records
• University of California at Berkeley: March 2005: 98,400
• Boston College: March 2005: 120,000
• Tufts University: April 2005: 106,000
• University of Hawaii: June 2005: 150,000
• University of Connecticut: June 2005: 72,000
• University of Utah: August 2005: 100,000
• University of Colorado: August 2005: 49,000
• Kent State University: September 2005: 100,000
• Metropolitan State College (Denver): March 2006: 93,000
• Georgetown University: March 2006: 41,000
• University of Texas McCombs School of Business: April 2006: 197,000
• Ohio State University: April 2006: 300,000
• Western Illinois University: June 2006: 180,000
• University of Tennessee: July 2006: 36,000
• University of California at Los Angeles: December 2006: 800,000
• University of Idaho: January 2007: 70,000
• East Carolina University: February 2007: 65,000
• Community College of Southern Nevada: May 2007: 197,000
• University of Colorado at Boulder: May 2007: 45,000
• Georgetown University: January 2008: 38,000

There are many more smaller data breaches at colleges and universities. Some schools don't announce the number of total records exposed. In my opinion, academia as a whole still does a poor job with data security. It'll be interesting to see if the number of records exposed in Harvard's data breach remains at 10,000 or goes up.

[Editor's note: in the interest of full disclosure, from 1992 to 1997 I worked in Baker Library at the Harvard Business School as a business analyst researching business and economics topics.]

A New Kind Of Identity Theft?

Last Friday, the CBS television affiliate (WBZ-TV) in Boston ran a news story about, "A New Form of Identity Theft." Apparently, an identity thief targeted and stole money from several women with the same name:

"The identity thief was posing as Lisa White. White never even owned a credit card until someone stole her identity and opened up 17 accounts using her Social Security and drivers license numbers. Now comes Lisa White, of Monson. She too is a victim of identity theft and is trying to cancel some $13,000 of debt someone spent on store accounts using her Social Security and license numbers... Then there's Lisa White from Somerset, who is also stuck with a pile of mystery credit cards. A thief stole her identity and wracked up about $35,000 of dept that she had nothing to do with."

The police haven't caught the identity thief yet, but they do have the thief on video tape. reportedly, about ten people in Massachusetts with the same name have reported problems.

My guess: this isn't a new type of identity theft. Rather, the police haven't yet discovered the connection, which may be very subtle. If all of the victims use the same bank, the police aren't saying. If not that, then it may be an inside job at the Social Security Administration or another equivalent state agency, like the Registry of Motor Vehicles or the Massachusetts Department of Revenue. That would explain why the thief did not steal the victims' existing credit card numbers, but instead opened new lines of credit with the victims' social security numbers.

Placing A Freeze (Or Lock) on Your Credit Files

In August 2007, the Massachusetts Governor signed a new law allowing Massachusetts residents to lock or place a "Security Freeze" on their credit reports with the three national credit bureaus. Residents can visit the Massachusetts Office of Consumer Affairs web site for instructions about how to add, lift, or remove a Security Freeze on their credit reports. Residents in other states can proceed directly to the three national credit bureaus for instructions:

• Equifax Security Freeze
• Experian Security Freeze
• TransUnion Security Freeze

The fees to add, lift, or remove a Security Freeze vary by state and by the consumer's status. For identity-theft victims, the fees are waived. For others, the fees apply and vary by state. For example: the add/remove/lift fees in Massachusetts for identity theft victims are waived, while the fees for others are a $5.00 each. In some states, the add/remove/lift fees are as high as $10.00 or $20.00 each.

In the Blogosphere: Xconomy Reviews Blogtoberfest

A couple weeks ago, I met Wade Roush, one of the authors at the Xconomy blog. I met Wade at the Blogtoberfest event in Boston. If you are a blogger in the Eastern Massachusetts area, I suggest you read Wade's post about the Oktoberfest event and the bloggers he met. Wade's post also has a link to some photos.

In The Blogosphere: Chronicles of Dissent

A tip of the hat to the folks at Chronicles of Dissent blog for their coverage of my posts about correspondence with Attorney General Coakley's office about online breach notification. If you are a Massachusetts resident and you feel as I do, I hope that you'll contact Mass. Attorney General Coakley's office and tell them you want corporate breach notifications posted online.

Reply From Attorney General Coakley's Office

A few days ago, I sent an e-mail letter to Massachusetts Attorney General Martha Coakley's office. Yesterday, I received this e-mail reply:

From: Email Correspondence (AGO)

Thank you for contacting the office of Attorney General Martha Coakley. I have forwarded your e-mail along to the member of our staff who is handling this office’s compliance with the new breach notification laws which took effect on October 31, 2007. Although, there are currently no plans to post breach notifications online, due to your correspondence, this idea is currently being considered by our Consumer Protection Division. Thank you for taking the time to contact us. It is important that we hear from constituents about important issues such as this.

Sincerely,

Community Information and Education Division

It's nice to receive a quick reply. I'm glad that the state is considering the posting of breach notifications online. We'll see what they finally decide to do. If you are a Massachusetts resident, I hope that you'll write to them also, and tell them you want breach notifications published online.

Letter to Massachusetts Attorney General Coakley

As a consumer affected by a corporation's data breach and identity theft, I am quite excited about Massachusetts' new identity theft law which will be implemented during the next few months. On Sunday evening, I sent the following e-mail letter to Massachusetts Attorney General Martha Coakley:

To:   The Office of the Attorney General
        One Ashburton Place
        Boston, MA 02108

Dear Attorney General Coakley:

 

I am resident of Boston and I am writing to you about Massachusetts' new identity theft law (St 2007, c.82: Security Freezes and Notification of Data Breaches). I look forward to the implementation of this new law since I have been the victim of identity theft. Specifically, a prior employer lost my most sensitive personal data. So, as soon as the Security Freeze option is available in Massachusetts, i will sign up to better protect my identity and finances.

 

My letter to you today is about the notification part of the new state law, specifically the portions about "Breach Notification" and "Substitute Notification" by companies. When IBM Corporation lost my data in February 2007, the company finally notified me in May 2007. This delay was unacceptable to me since identity thieves could have done much damage during the interim. So, while IBM's written notification to me was helpful, speedy notification is also important to me since media coverage wasn't immediate.

Since then, I have researched identity theft. During my research, I have found that New Hampshire posts on its Department of Justice web site the breach notifications N.H. received from corporations.

My question to your office is this: when will Massachusetts post online the breach notification letters it receives? The online posting of breach notifications by your office would be a huge benefit to consumers for several reasons:

1. Consumers can access a reputable, reliable site for the full content of breach notifications
2. Online postings can solve the speed concern other consumers like me have
3. In the situations defined by St. 2007, c.82, the online posting of breach notifications would also solve the requirement of "Substitute Notification."
4. The online posting of breach notifications by Massachusetts would be comparable to another New England state.
5. The online posting of breach notifications would be a positive signal that Massachusetts is serious about being a leadership state when it comes to identity theft

I look forward to hearing from your office soon. Thank you in advance for your attention to this and reply to my letter.

I sent this letter to the Mass. AG since the comparable office in New Hampshire posts breach notifications online. It is critical for consumers (e.g., customers, employees, and former employees) to receive prompt notification from companies which suffer a data breach. And, since Massachusetts' new law provides for "Substitute Notification" instead of a personal letter to each consumer, I want to know exactly how my state plans to provide "Substitute Notification."

I also sent copies of this letter to my federal and state representatives via the Congress.org web site. If you are a Massachusetts resident who feels as I do about identity theft, I encourage you to contact your state representatives.

New ID Theft Law in Massachusetts (Part 2)

Since IBM notified me about their data breach, I've paid more attention to Identity Theft legislation in Massachusetts, where I live and work. If you live in Massachusetts, then this new law affects you. If you live in another state, this is an opportunity to evaluate your state's identity theft laws.

Before Massachusetts' new ID-theft law becomes effective in November 2007, I wanted to understand the details and what to expect. Of course, I want to judge how well my state implements this new law.

So, I read both the Massachusetts House and Senate draft versions of the proposed law, plus the final version of the new law. This helped me understand the features and benefits of the new law (and which features didn't made it into the final version of the new law). Negotiations between state lawmakers, companies, and credit bureaus weren't covered much in the local news media, but I firmly believe that it affected the features in the new law.

If you want to read the new law, see the St.2007, c.82: Security Freezes and Notification of Data Breaches. The link is also listed in the right column under "Massachusetts Resources." The major features in Massachusetts' new identity theft law:

• Personal data to be protected: regardless of the format it is stored in, the personal data companies and state agencies must protect includes first name and last name or first initial and last name of a resident with the resident's SS#, driver's license number, state identification number, financial account data (e.g., debit or credit card number in combination with or without a security code, access code, or password)
• Data breach notification for consumers: companies and government agencies must notify as soon as possible affected Massachusetts residents whose personal data (e.g., SS#, driver's license number, etc.) have been lost or stolen. Notice is triggered by unauthorized access to the personal data, regardless of whether there is a likelihood of harm. It doesn't matter if the data is encrypted or not.
• Data breach notification: Companies and state agencies must also notify the Massachusetts Director of Consumer Affairs and the Attorney General. The notice must describe the nature of the data breach, the number of Massachusetts residents affected, and any steps taken relating to the data breach. The notice to consumers does not have to include these details
• New "Security Freeze" option: allows consumers to "lock" their credit reports to prevent identity thieves from fraudulently creating new accounts in their names. This option is free for ID-theft victims; up to $5 for others. Credit bureaus must provide a PIN within 5 days of the consumer's Security Freeze request. The PIN is used by the consumer to control access to their credit report. Credit bureaus must implement a Security Freeze within 3 days of the consumer's request; and lift (or remove) the freeze within the same number of days
• Disposal of records with personal data: the new law sets rules about the proper destruction of records by companies and government agencies
• Consumer access to police report: local police must provide ID-theft victims with a copy of their police report within 24 hours, even if the identity theft occurred elsewhere. This provision of the law takes effect February 3, 2008 and not in November 2007 with the rest of the law

This is great news and a huge step forward. Previously, data breach notification was not required. Now, it is. The Security Freeze provision offers better and stronger protection than the existing Fraud Alert tool from the credit bureaus. However, there are some limitations in the law:

• The new law does not specify exactly how quickly (e.g., number of days, weeks, or months) data breach notification must be sent. Notice must be sent in writing to each Massachusetts resident affected by a data breach. In my opinion, speed is important since identity thieves act quickly
• Possible loophole: "substitute notice." The law reads, "Notice shall include: (iii) substitute notice, if the person or agency required to provide notice demonstrates that the cost of providing written notice will exceed $250,000, or that the affected class of Massachusetts residents to be notified exceeds 500,000 residents, or that the person or agency does not have sufficient contact information to provide notice." Additionally, the company or government agency can notify ID-theft victims via e-mail, a posting on a web site, publication in broad news media, or via the state department of consumer affairs
• The "substitute notice" feature could be a problem for former employees and retirees. While consumers who are stockholders or have a retirement account with their former employer likely monitor the merger/acquisition/name changes of their former employer, others may not. Consumers who don't monitor the merger/acquisition/name change of a former employer may not recognize the substitute notice from the new company
• The new law doesn't state what the penalties are for credit bureaus that violate the Security Freeze features. Section 9 of the new law reads, "You may be entitled to collect compensation, in certain circumstances, if you are damaged by a person's negligent or intentional failure to comply with the credit reporting act." May be? To me, penalties are important should a credit bureau fail to implement a Security Freeze within the days specified, or discloses a consumer's credit report despite an in-place Security Freeze
• The new law doesn't state whether or not the Security Freeze feature applies to C.L.U.E. reports. The new law does mention "consumer reporting agency" which probably applies to ChoicePoint, the dominant C.L.U.E. reports provider
• Disposal of records feature: the penalty for violators seems very weak, in my opinion. the law reads, "Any person or agency who violates the provisions of this chapter shall be subject to a covol fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal." $100? Geez! We need stronger laws here to encourage compliance, not weak laws to undermine compliance.
• The new law doesn't state whether the Massachusetts department of justice will post data breach notices online, like New Hampshire does

What do you think of the new law? How does it compare to your state's ID-theft law? Has your former employer provided substitute notice? I've Been Mugged readers want to know.

Next entry: data breaches and lawsuits

New ID Theft Law in Massachusetts

A prior blog entry discussed the pending identity theft legislation in Massachusetts. This month, our Massachusetts Governor signed a new identity theft law. According to the Boston Globe newspaper:

"Governor Deval Patrick signed legislation that requires businesses and government agencies to promptly notify consumers when private information such as Social Security and driver's license numbers have been lost or stolen. The law also allows residents to place a "security freeze" on their consumer credit reports to prevent identity thieves from fraudulently creating new accounts in their names. It also establishes rules for the disposal of old records containing personal information. Under those rules, state officials would be required to delete the first few digits of Social Security numbers when handling documents involving personal information if federal authorities don't require the full number. The law also requires companies and state agencies to destroy documents that contain personal information."

This is great news!!! While the new law won't stop all forms of ID theft and fraud, the Credit Freeze provision is far better and stronger protection than the existing Fraud Alert tool from the credit bureaus. I also like the portions of the law that clarify which personal data elements entities (e.g., companies and government agencies) can and cannot retain, and when state government entities should destroy documents with our personal data.

More good news... the new law mandates data breach notification by companies. According to an August 10, 2007 e-mail message I received from Janet S. Domenitz, Executive Director of MASSPIRG:

"The new law, which will go into effect in November, will address the crime of identity theft on several fronts. It will set standards for how consumer information is protected and disposed of by both businesses and government agencies. It will require companies that store this type of data to notify affected individuals if it is lost or stolen. And it allows consumers to proactively prevent identity thieves from opening credit in their name by blocking access to their credit reports through a 'security freeze.' "

I am still reviewing the draft legislation and the text of the new law, to understand the provisions that made it to the final version of the new law... especially:

• Penalties for corporate violators,
• Protections for ID-theft victims of data breaches by former employers,
• Details about the fees and administration of the new "security freeze" option,
• Promotional guidelines to inform consumers, and
• Guidelines for outsourcing and/or off-shoring personal data.

If you want to read the draft state senate and house bills, plus the new law (St.2007, c.82: Security Freezes and Notification of Data Breaches), there are links in the right column under "Massachusetts Resources."

Next entry: Mistaken for a car thief, ID theft victim jailed

Identity Theft Legislation in Massachusetts

Since I live in Massachusetts, any state legislation about Identity Theft is important. About 35 states have laws requiring companies to inform citizens of a data breach, but Massachusetts does not. About 25 states have laws providing their citizens with a Credit Freeze tool. Massachusetts is not on this list either. No matter where you live, you should check both lists to see how seriously your state government considers Identity theft.

Thankfully, change is underway in Massachusetts. And it is long overdue. An Identity Theft bill in Massachusetts has been passed by the state House and is under consideration by the state Senate. I haven't read the actual legislation yet. When I do, I will comment about the legislation and if it goes far enough with strong enough identity theft protections.

Some background: a Credit Freeze is a critical and powerful tool for consumers to protect against Identity theft. With a Credit Freeze, a company or a creditor cannot access a consumer's credit file unless the consumer provides consent. Today's U.S. financial system allows the national credit bureaus (and other companies) to freely share your credit information with creditors (good or bad)... even after you've placed a Fraud Alert on your credit file. As you might expect, the national credit bureaus oppose state legislation with the Credit Freeze tool.

If Massachusetts offered a Credit Freeze option, I would have used it immediately when IBM notified me of their data breach. As I mentioned in an earlier blog entry, the U.S. financial system is heavily tilted towards companies making money by freely sharing consumers' credit information, and tilted away from strong protections and notifications for consumers. In my case, IBM was a prior employer and not a retailer I'd purchased products from.

One reasons why I started this blog is to raise consumers' awareness of the identity theft problem, particularly where employers lose personal data about prior employees. And everyone has one or more prior employers. I believe we can fix this tilted system. As you might expect, the national credit bureaus view the Credit Freeze tool as a burden and oppose legislation with it at the state level. Surprisingly, there is a discussion about whether or not consumers should be notified about data breaches.

To me, consumer notification should be required of all companies, especially when that company is a prior employer who has chosen to archive personal data for an extended period. Consumer notification should be required for all data breaches. And, the Credit Freeze tool should be available to all consumers nationwide. These are two critical tools for protection against identity theft.

Next entry: a conversation with IBM (part 1)