As a consumer affected by a corporation's data breach and identity theft, I am quite excited about Massachusetts' new identity theft law which will be implemented during the next few months. On Sunday evening, I sent the following e-mail letter to Massachusetts Attorney General Martha Coakley:
To: The Office of the Attorney General
One Ashburton Place
Boston, MA 02108
Dear Attorney General Coakley:I am resident of Boston and I am writing to you about Massachusetts' new identity theft law (St 2007, c.82: Security Freezes and Notification of Data Breaches). I look forward to the implementation of this new law since I have been the victim of identity theft. Specifically, a prior employer lost my most sensitive personal data. So, as soon as the Security Freeze option is available in Massachusetts, i will sign up to better protect my identity and finances.My letter to you today is about the notification part of the new state law, specifically the portions about "Breach Notification" and "Substitute Notification" by companies. When IBM Corporation lost my data in February 2007, the company finally notified me in May 2007. This delay was unacceptable to me since identity thieves could have done much damage during the interim. So, while IBM's written notification to me was helpful, speedy notification is also important to me since media coverage wasn't immediate.Since then, I have researched identity theft. During my research, I have found that New Hampshire posts on its Department of Justice web site the breach notifications N.H. received from corporations.My question to your office is this: when will Massachusetts post online the breach notification letters it receives? The online posting of breach notifications by your office would be a huge benefit to consumers for several reasons:
- Consumers can access a reputable, reliable site for the full content of breach notifications
- Online postings can solve the speed concern other consumers like me have
- In the situations defined by St. 2007, c.82, the online posting of breach notifications would also solve the requirement of "Substitute Notification."
- The online posting of breach notifications by Massachusetts would be comparable to another New England state.
- The online posting of breach notifications would be a positive signal that Massachusetts is serious about being a leadership state when it comes to identity theftI look forward to hearing from your office soon. Thank you in advance for your attention to this and reply to my letter.
I sent this letter to the Mass. AG since the comparable office in New Hampshire posts breach notifications online. It is critical for consumers (e.g., customers, employees, and former employees) to receive prompt notification from companies which suffer a data breach. And, since Massachusetts' new law provides for "Substitute Notification" instead of a personal letter to each consumer, I want to know exactly how my state plans to provide "Substitute Notification."
I also sent copies of this letter to my federal and state representatives via the Congress.org web site. If you are a Massachusetts resident who feels as I do about identity theft, I encourage you to contact your state representatives.