New Study: 500 Million Sensitive Records Breached Since 2005

Last week I wrote about the good news (the bad news being the Governor vetoed the same bill last year...but has hinted this year is different) regarding the California Legislature approving a bill that would strengthen the notification required when databases of personal information are compromised. The legislation has long been supported by us (i.e. Consumer Federation of California), and a host of other privacy rights organizations.

Now we all breathlessly await the Governor's decision. And, depending on how you look at it, we got some good/bad news this week from the Privacy Rights Clearinghouse (PRC). The good news is their new study on data breaches could not come at a better time, as it could help convince the Governor that consumers deserve tougher and more effective notification requirements when their private data has been compromised. The bad news, as you may have guessed, is that there are way too many data breaches taking place in this country.

Now, before I get to a bit more about the bill, let's go directly to the op-ed written by Rainey Reitman of PRC on the California Progress Report (for full disclosure, I'm editor of the California Progress Report). She writes:

Employees losing laptop computers, hackers downloading credit card numbers and sensitive personal data accidentally exposed online -- the Chronology of Data Breaches shows hundreds of ways that the personal information of consumers is lost, stolen or exposed.
The Chronology of Data Breaches, a project of the Privacy Rights Clearinghouse since 2005, lists incidents involving breached consumer information, such as personal medical records, credit card numbers and Social Security numbers. The most recent total, published August 24, 2010, is a wake-up call to consumers who think identity theft can’t happen to them.

Of course, 500 million is a conservative number. We generally learn about breaches that garner media attention. Unfortunately, many do not. And, because many states do not require companies to report data breaches to a central clearinghouse, data breaches occur that we never hear about. Our Chronology is only a sampling.

Data breaches of sensitive information, especially Social Security and credit card numbers, leave consumers vulnerable to identity theft. According to a 2009 Javelin Research&Strategy, individuals are four times more likely to be the victim of identity theft in the year after receiving a data breach notification letter.

Unfortunately, consumers cannot completely protect themselves from a data breach. It is up to organizations that collect data on consumers to take the steps to ensure the privacy and security of the data they collect and maintain. And it’s up to the legislature to pass laws to safeguard consumer data and provide adequate standards for reporting breaches – so that consumers will know when a data breach has placed their personal information at risk.

It goes without saying then, that these findings epitomize the need for the Governor to sign SB 1166 (Simitian). California’s current security breach notification law does not require public agencies, businesses, or persons subject to that law to provide any standard set of information about the breach to consumers. As a result, security breach notification letters often lack important information - such as the time of the breach or type of information that was breached - or are confusing to consumers.

So last year, when the Governor's veto message claimed "there is no evidence that there is a problem with the information provided to consumers", I was honestly confused. The best way to reach the correct conclusion on whether this legislation is needed is to simply ask consumers whether its more helpful to receive a letter that provides more than just a notice that your information has been breached, but also what you can do about it, when it happened (so you can check that date against your credit card statements, etc.), and other useful, SPECIFIC information.

As I wrote last Thursday, "The bottom line is that this law IS NEEDED. The past few years have demonstrated that there are some holes that still need to be plugged. According to a survey of data breach victims, 28% of those receiving a notification did not understand “the potential consequences of the breach after reading the letter.”

But, there is reason for more hope than usual, as Senator Simitian said he reintroduced his vetoed measure this year after conversations with the Governor’s office persuaded him that “a signature by the Governor seems possible this year.”

Specifying what information must be included in the notification, so that individuals might take steps to protect themselves against identity theft really is “the next logical step” to take since the Senator's initial data notification legislation, as Simitian as argued.

Current notifications of data breaches vary widely in the information they provide and in their helpfulness to individuals who are affected. Plus, as Simitian also argued, "the bill will also give law enforcement the ability to see the big picture and a better understanding of the patterns and practices developing in connection with identity theft"."

As I also wrote, "now we wait."