http://www.azstarnet.com/dailystar/business/126149

By Scott Simonson
Arizona Daily Star
Tucson, Arizona
04.25.2006

If a hacker steals your bank card number in Arizona, there's no state requirement that your bank or a merchant involved notify you.

That could change if Gov. Janet Napolitano signs a bill passed by the Legislature last week.

Consumers Union, the non-profit group that publishes Consumer Reports magazine, has criticized the proposed law as ineffective.

Arizona's law would allow companies to decide whether a computer-security breach is serious enough to deserve a consumer warning, said Gail Hillebrand, who heads Consumers Union's financial privacy campaign.

"Who's going to decide?" she said. "It's going to be the company who failed to protect your data."

Currently, Arizona receives much of its information about thefts of computer data from California, said Andrea Esquer, spokeswoman for Arizona Attorney General Terry Goddard. California requires all companies to report stolen information.

In 2003, California passed the first U.S. law requiring customer notification of breaches in companies' computerized data. At least 10 other states have followed suit, said Hillebrand.

Arizona's bill differs from California's in two important ways, she said.

California requires companies to report any security breach, Hillebrand said. Under the Arizona legislation, only breaches that "materially compromise" people's information must be reported. Depending upon how that language is interpreted, companies may be allowed to choose whether to tell consumers, Hillebrand said.

Arizona's law also exempts banks, hospitals and some government agencies. California's law requires all companies to report problems.

As of Monday, Napolitano had not acted on Senate Bill 1338, said Shilo Mitchell, spokeswoman for the governor.

The sponsor of the Arizona bill, Sen. John Huppenthal, R-Chandler, could not be reached for comment on Monday.

Rep.
Marian McClure, R-Tucson, helped sponsor the bill in the House but said that consumers should be told about all computer security breaches. Senate Bill 1338 represents a step in the right direction, she said, although she introduced a stronger bill that failed earlier in the session.

"A consumer should have a right to know that the information has been stolen," she said, "to make sure who stole that information cannot steal my identity."

Consumer notification might help, but better enforcement and better information sharing are crucial, according to a Tucson couple who have been victims of identity theft.

Elisabeth and Stephen Klingler have discovered that three other people have been using his Social Security number. The Klinglers traced some of the thefts to other states, but law enforcement has not investigated, Elisabeth Klingler said.

The identity thefts have caused incorrect information about their credit to be reported to data brokers - businesses that collect people's information and sell it to other companies.

The Klinglers said consumers need better laws to help clear false information from the files that companies keep.

The bad information has hindered them in buying a cell phone and taking out a store credit card, Elisabeth Klingler said, and it could one day affect their ability to buy another home.

"We're kind of giving up hope," she said. "It would take a lifetime to get the information corrected."

What the bill says

* Senate Bill 1338 would require businesses operating in Arizona to notify customers if a computer-security breach compromises their personal information.
* Companies that do not notify customers could face fines from the state attorney general.
* Government agencies would face the same requirements. The proposed law would not apply to banks, hospitals, health insurance companies, law enforcement agencies or courts.

Data thefts

* Some of the largest reported thefts of customer data since March 2005, according to ChoicePoint Asset Co.:

Disclosed by                             Date            Customers affected
Bank of America                          February 2005   1.2 million*
DSW shoes                                March 2005      1.4 million
Ameritrade                               April 2005      200,000
Bank of America, Wachovia, other banks   April 2005      680,000
CitiFinancial                            June 2005       3.9 million
MasterCard                               June 2005**     40 million
OfficeMax                                February 2006   200,000

* data of federal employees only
** related to security breach at CardSystems Solutions Inc. service center in Tucson