Reproduction permitted for personal use only. For reprints and reprint permission, contact email@example.com.
- Every week, we read high-profile stories about personally identifiable information being misplaced or stolen, usually from a laptop computer or computer network. This sensitive information is being misplaced or stolen from both private industry and the government, with little accountability for such security breaches.
So it's not surprising that our knights in shining armor, the Wisconsin Legislature
and Gov. Jim Doyle
, have come to our rescue again to protect us from this threat and do what they do best. They claim to have provided us with a sword in our fight against identity theft in the form of new identity theft legislation. But have they?
As it turns out, Wisconsin's new identity theft law, Act 138
, is really just a cheap plastic sword. It's shiny, rattles, and looks like a sword, but in reality it provides no real protection. Like any good politicians, the Legislature and Governor rattled their new saber and touted how this law would help protect individuals from identity theft when the law was passed. But the law really does little, if anything, to protect individuals.
Act 138, enacted March 31, 2006 as Wisconsin Statute 895.507, requires that businesses and state and local governments notify us under limited circumstances of unauthorized access to our personally identifiable information, such as Social Security
numbers, credit card numbers, driver's license numbers, DNA profiles, and other biometric data in combination with our first initial or first name and last name. This sounds good on its face, but when you read the law further, it really doesn't provide us with much, if any, protection from identity theft.No penalty flag
First, this law imposes absolutely no penalties on companies and governmental entities that don't protect our personally identifiable information. The law does provide the potential basis for individuals to bring a negligence suit for an entity's failure to provide notice of a data security breach, but in the same breath it states that failure to comply with the law is not negligence or breach of a duty. The law merely reflects that the common law of negligence may apply to such compliance failure.
Second, the law only requires notice of unauthorized disclosure of personal information in limited cases. No disclosure is required if the ill-gotten data does not create a material risk
of identity theft or fraud. By default, such determinations are left to the same people entrusted with guarding the compromised data in the first place. This is kind of like letting the fox guard the hen house.
There's little incentive to make such a disclosure, given that the downside of making such a disclosure may outweigh the upside. Such a disclosure could trigger an expensive defense of a consumer class action lawsuit or governmental investigation, such as occurred earlier this year when Providence Health System
in Oregon, without any regulatory requirement to do so, notified patients that it had experienced a data breach.
Further, a recent survey of businesses by The Ponemon Institute
, an organization that promotes responsible information and privacy management practices, revealed that data breaches cost companies an average total of $4.7 million, or $182 per compromised record, in 2006. About 70 percent of the costs were considered indirect, a result of lost business, also known as churn. Few consumers will continue to patronize businesses that tell them their credit card numbers and other entrusted information have been accessed or stolen by an unauthorized party.
Not surprisingly, since Act 138 has been enacted, there have only been a handful of publicized data security breach notices issued by companies doing business in Wisconsin. Most of these notices have been issued by companies required to do so under foreign state data breach notice laws, not under Wisconsin law. Because there is little incentive to disclose a data breach, the majority of the 32+ states that have passed data breach notice laws (California being the first) require that entities provide consumers with notice of unauthorized disclosure of personal information regardless of the risk of identity theft. Many of these laws also contain express penalties, including criminal penalties, for failure to make the required disclosures.
If you're a business, Wisconsin's law isn't necessarily a bad thing. In fact, it's probably a good thing. There's been a national clamor by consumers for protections from identity theft. What better way to quiet the masses than with new legislation that appears to be a strong weapon to combat identity theft, but in reality is just a cheap plastic sword.Related stories
Safe Internet requires total network security, prof. says
Joseph Campana: Identity theft: The business time bomb
Managing the nightmare of identity theft
Gov. Jim Doyle: Cracking down on identity theft
Businesses can't hide personal information losses, theft
Mark Garsombke is an attorney with Whyte Hirschboeck Dudek, S.C., specializing in information technology, telecommunications, and HIPAA privacy and security law. He can be reached at (414) 978-5518 or firstname.lastname@example.org.
The opinions expressed herein or statements made in the above column are solely those of the author and do not necessarily reflect the views of Wisconsin Technology Network, LLC. WTN, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.