Monday, June 13, 2011

CA Legislation To Provide Data Breach Transparency Needed

One of the privacy bills we were very active on the past few years that was vetoed twice by Governor Schwarzenegger is back, with a much better chance of being signed due to a more privacy conscious Jerry Brown as Governor and increasing amounts of evidence its needed. The reason why I'm going back to this legislation, and the larger issue of data breaches today is that the excellent consumer reporter from the Los Angeles Times - David Lazarus - penned a great article last Friday on why this bill is so needed.

For readers of this blog - this bill info may sound familiar, but let me review some of what I have written about it in the past, and then I'll provide some key passages to the article by Lazarus, because new data has come to light recently that greatly adds to the argument that data breaches are becoming increasingly common, and damaging.

SB 24 (Simitian) - Protecting Personal Information - was vetoed in the form of SB 1166 last year. This was a particularly stinging loss because, while the Governor vetoed a nearly identical bill the year before (that's right...third times a charm!), he said to bring it back again with just a minor modification - which was made. Apparently, the Governor changed his mind.

Here's why this bill is important: A recent study by the Privacy Rights Clearinghouse indicated upwards of 530 million data breaches since 2005, including personal medical records, credit card numbers and Social Security numbers - with consumer accounts have been compromised in 2,520 known data breaches. According to a 2009 Javelin Research&Strategy, individuals are four times more likely to be the victim of identity theft in the year after receiving a data breach notification letter.

It goes without saying then, that these findings epitomizes the need for SB 24 (Simitian). California’s current security breach notification law does not require public agencies, businesses, or persons subject to that law to provide any standard set of information about the breach to consumers. As a result, security breach notification letters often lack important information - such as the time of the breach or type of information that was breached - or are confusing to consumers.

The bill will rectify this problem by amending California's security breach notification law stating that any public agency, person or business required to issue a security breach notification to more than 500 residents must submit the notification electronically to the Attorney General. This measure also would have required that the notification be written in plain language and include contact information regarding the breach, the types of information breached, and the date, estimated date, or date range of the breach.

With that, here's some of what David Lazarus added to this case today:

Sam Greyson was surprised to receive a new credit card the other day from Bank of America. He was also surprised to learn that the bank had changed his account number because of a security breach involving another business. But the thing that surprised Greyson most was that when he called BofA to find out more about the breach, he was essentially told to pound sand.

"They wouldn't tell us anything," he said. "They said we could read about it in the newspaper." That would change if legislation now making its way through Sacramento becomes law. The bill from state Sen. Joe Simitian (D-Palo Alto) would tighten California's existing breach-notification rules to require more detailed disclosure of privacy violations.
The latest breach came to light Thursday when Citigroup said the names, account numbers and email addresses of as many as 200,000 bank customers were accessed by hackers who broke into Citi's online account site. The Citi breach was discovered by the company in early May. Citi has declined to say why it took weeks to notify customers of the incident.
Greyson, 56, said he was told the same by a BofA service rep. But when he managed to get a supervisor on the line, he said the bank acknowledged that "at least 100,000" accounts had been affected. Betty Riess, a BofA spokeswoman, declined to confirm this when I called seeking more info. She said only that "if we think a customer's account may be compromised, we will take steps to protect customers."

That's not good enough. As Greyson told me, he'd like to know which company was robbed or hacked so he can take his business elsewhere in the future.

Simitian's bill wouldn't give us that much sunlight. But it would require that customers be informed about the nature of the breach and what kind of information was compromised, as well as when the breach occurred and how many other people might have been affected.

As I've said before, the keepers of our personal data have a great responsibility. If they're unable to keep the data safe, we have a right to know — and these businesses should bear the full weight of public accountability. Then we should go the next step and ensure that hacked companies share consumers' pain. I'm thinking their identities should have to be publicly revealed and they should pay a fine of, say, $500 for every customer account involved.

Maybe that would result in better security practices.

You can read more here.

SB 24 recently passed the Senate by an overwhelming vote of 31 to 6. Of course, last year, nearly identical legislation also won by similar margins in both houses of the legislature only to receive a puzzling veto message from then Governor Schwarzenegger that, "This bill is unnecessary, however, because there is no evidence that there is a problem with the information provided to consumers. Moreover, there is no additional consumer benefit gained by requiring the Attorney General to become a repository of breach notices when this measure does not require the Attorney General to do anything with the notices.”

As I wrote at the time, it's strange that the Governor saw fit to speak FOR consumers. Here's an idea, ask yourself whether its more helpful to receive a letter that provides more than just a notice that your information has been breached, but also what you can do about it, when it happened (so you can check that date against your credit card statements, etc.), and other useful, SPECIFIC information.

The bottom line is that this law IS NEEDED. The past few years have demonstrated that there are some holes that still need to be plugged. According to a survey of data breach victims, 28% of those receiving a notification did not understand “the potential consequences of the breach after reading the letter.”

For updates on how this legislation is progressing in the California Legislature, you can check out the page I've created on the Consumer Federation of California website.

No comments: