February 01, 2008
Calif. Rep. wants tougher breach, ID theft laws
California State Senator Joe Simitian -- a Democrat representing the tech-heavy Palo Alto constituency -- is back on the warpath fighting for consumer rights relating to the use of information technology, in this case seeking stronger laws regarding data breach reporting guidelines and promoting new legal tools for use in punishing identity thieves.
Simitian -- who still has four individual bills under consideration by the state legislature aimed at curbing the use of RFID technology in government-issued IDs and documents, in the name of protecting individual privacy rights -- has pushed two new bills through the California State Senate that address breach reports and identity theft, respectively.
All six of the bills are now waiting for potential approval by the California State Assembly.
With Senate Bill (SB) 364 -- passed by the Senate in a vote of 30-7 -- Simitian is pushing for a law that would require companies that experience breaches to send individuals whose data is exposed a "clear, informative notification letter," versus the vague notifications they are allowed to distribute under California's landmark 1386 measure, which the legislator also helped author.
California 1386 is the data breach notification law passed in 2003 that arguably triggered the entire data security revolution and spawned markets including the DLP sector by forcing companies to inform consumers that are affected by exposures and report the incidents publicly.
More than 40 other states have adopted similar laws since 1386 was initially passed.
Simitian argues that while the existing notifications are helpful, there are no standard guidelines for what types of information must be included in the notices, allowing some firms to "sugarcoat" the details or twist them up in legal jargon that most consumers won't understand.
If passed, the measure would require companies to provide toll-free telephone numbers of the major credit reporting agencies, the name and contact information of the business that has experienced a breach, the type of information that might have been taken, the date of the breach and of its discovery, a general description of the breach and the estimated number of persons affected.
Bill 364 would also require the state to establish a central reporting site to catalog security breaches.
"No one likes to get the news that information about them has been stolen, but when it happens, people are entitled to get a notice they can understand, and that helps them decide what to do next," Simitian said in a statement. "The premise is simple; what you don't know can hurt you. Ignorance is not bliss. And you can't protect yourself if you don't know you're at risk."
By passing the bill into law, California would greatly improve the reach of 1386, he said.
Some data security experts are already backing the measure.
"Senator Simitian's amendments will reduce the incidence and severity of breaches, because security professionals learn from incidents at other organizations, and take action at their own companies to fix problems or recognize previously unforeseen risks," said Chris Hoofnagle, senior staff attorney at the Samuelson Clinic at the Technology & Public Policy Clinic at the University of California - Berkeley School of Law.
In his second piece of legislation, Bill (SB) 612, Simitian and co-authors Dave Cogdill and Bob Margett, both Republican state senators in California, are seeking passage of a law that would allow identity theft to be prosecuted in the county in which a victim lives.
Currently, California law permits prosecution in the county in which the theft occurred or the county in which the information was subsequently used, which makes it harder for those people affected and any involved prosecutors to seek justice against individuals caught stealing identities, the bill argues.
SB 612 received a unanimous 40-0 vote in favor from the California State Senate.
"Too often identity thieves can act with impunity simply because their victims live in a remote community. Expecting a local district attorney to prosecute a case when the victim or victims are all at the other end of the state is simply unrealistic," Simitian said in a statement.
SB 612 would permit, but not require, prosecution in the county where the victim resides, with a judge eventually deciding where to hold the trial.
Experts have also endorsed that piece of legislation.
"Senator Simitian's legislation puts some teeth into our existing laws regarding identity theft. Without prosecution, there's no deterrent," Lenny Goldberg, a lobbyist for the non-profit Privacy Rights Clearinghouse, said in a statement.
Posted by Matt Hines on February 1, 2008 03:28 PM