California Enacts New ID Theft Law, Federal Bill Introduced
The law, expected to be a model for pending federal legislation, came in response to a hacking incident in which the personal records of 265,000 state employees were compromised last year. It took the state nearly six weeks to notify the affected individuals, time they could have spent minimizing the damage by putting fraud alerts on all their accounts. The incident spurred incensed state lawmakers to take action.
The Federal Trade Commission reports a two-fold increase in identity theft over the last year, with more than 160,000 reported cases. Credit card fraud led the pack, with 42 percent of all complaints.
The law requires all businesses, agencies and nonprofits that have customers in California to take the necessary steps to ensure they can notify potential victims immediately.
Companies that fear public reprisals for failing to adequately protect their customers’ names, Social Security numbers, driver's license numbers and other sensitive data were flocking to security firms and companies that sell encryption software. Data that is stored in encrypted format is exempt from the law.
"Organizations that are following near-best practices for data security should be OK," said Ray Wagner, research director for information security strategies at Gartner. "However, you could read (the law) very conservatively: If you don't encrypt data...and maintain good audit trails, you open yourself up to lawsuits."
The law has been a boon for security software makers. "It's dramatic," said Jim Schoonmaker, CEO of Liquid Machines, which sells software to keep data encrypted. "They are coming from all over the United States. Any large enterprise has customers in California, and more importantly, they are looking at this as a harbinger of what is to come."
California Senator Dianne Feinstein (D-CA) introduced a federal identity theft bill last week, which follows the lead set in California.
"I strongly believe individuals have a right to be notified when their most sensitive information is compromised--because it is truly their information," Feinstein said in a statement. "This is both a matter of principle and a practical measure to curb identity theft."