"Governor Deval Patrick signed legislation that requires businesses and government agencies to promptly notify consumers when private information such as Social Security and driver's license numbers have been lost or stolen. The law also allows residents to place a "security freeze" on their consumer credit reports to prevent identity thieves from fraudulently creating new accounts in their names. It also establishes rules for the disposal of old records containing personal information. Under those rules, state officials would be required to delete the first few digits of Social Security numbers when handling documents involving personal information if federal authorities don't require the full number. The law also requires companies and state agencies to destroy documents that contain personal information."
This is great news!!! While the new law won't stop all forms of ID theft and fraud, the Credit Freeze provision is far better and stronger protection than the existing Fraud Alert tool from the credit bureaus. I also like the portions of the law that clarify which personal data elements entities (e.g., companies and government agencies) can and cannot retain, and when state government entities should destroy documents with our personal data.
More good news... the new law mandates data breach notification by companies. According to an August 10, 2007 e-mail message I received from Janet S. Domenitz, Executive Director of MASSPIRG:
"The new law, which will go into effect in November, will address the crime of identity theft on several fronts. It will set standards for how consumer information is protected and disposed of by both businesses and government agencies. It will require companies that store this type of data to notify affected individuals if it is lost or stolen. And it allows consumers to proactively prevent identity thieves from opening credit in their name by blocking access to their credit reports through a 'security freeze.' "
I am still reviewing the draft legislation and the text of the new law, to understand the provisions that made it to the final version of the new law... especially:
- Penalties for corporate violators,
- Protections for ID-theft victims of data breaches by former employers,
- Details about the fees and administration of the new "security freeze" option,
- Promotional guidelines to inform consumers, and
- Guidelines for outsourcing and/or off-shoring personal data.
If you want to read the draft state senate and house bills, plus the new law (St.2007, c.82: Security Freezes and Notification of Data Breaches), there are links in the right column under "Massachusetts Resources."
Next entry: Mistaken for a car thief, ID theft victim jailed