|
This week's announcement that UPS lost computer tapes containing personal information on 3.9 million Citigroup customers revealed one of the largest security breaches to date. They follow regular reports of similar incidents throughout the year that have prompted nearly three dozen states to consider legislation requiring companies to notify customers if their data has been compromised. Congressional leaders continue to say they'll act on some type of federal legislation soon too.
Five states have recently enacted notification laws. Most are modeled after the California law that went into effect two years ago. Those would not have a significant impact on most Kids in the Know members because they only apply to an unauthorized person getting sensitive information -- a combination of name and Social Security, driver's license, bank, or credit card numbers. That's the case for new requirements governing data on residents in Georgia, Washington, Montana, and Arkansas.
But a new law in North Dakota, which went into effect June 1, applies to businesses that own "computerized data" and any unencrypted personal information that the company knows or believes was "acquired by an unauthorized person." Even data commonly found in a phone book would be covered. A company that loses this data would need to notify customers of the breach "in the most expedient time possible." If the cost of notification would exceed $250,000 or involve more than 500,000 people, a company could send an e-mail, post a notice on its web site, or inform the public through the North Dakota media.
The more narrowly defined laws go into effect over the next year, with Georgia's taking effect last month, Arkansas' in August, and Montana's next March. Similar bills have passed the legislatures in Florida and Illinois and are awaiting the governors' signature. New York City has passed a similar measure and New York State is expected to follow.
Federal Legislation Still Expected
The flurry of state activity has raised concerns about the prospect of 50 different notification rules. That development, as well as ongoing concerns about the large number of security breaches in general, should prod Congress to act as well. According to The Washington Post, "support for a federal approach is building within the business community," as long as, a representative of the US Chamber of Commerce says, it strikes "a reasonable balance between notifying consumers and needlessly scaring them or inuring them to such notices."
After a series of hearings this spring, staff of key congressional committees are now meeting to determine how to proceed on notification and other privacy-related matters. Besides figuring out how to strike the balance the Chamber official described, a major issue they're struggling with is whether to go further than simply addressing security concerns. While the timing of congressional action is unclear, some movement is expected within the next couple of months.
For more information about the issues outlined in this update – or for information
about other Kids in the Know’s activities – send an e-mail to info@kidsintheknow.org.
|
|
|
