23 Mar Bill would require data keepers to notify consumers of info leaks
A new bill being worked on by state legislators would require organizations that store personal information on Wisconsin residents to notify those residents if their personal data has been obtained by an unauthorized party.
LRB-2214, recently introduced by state Senator Ted Kanavas and state Representative Jeff Fitzgerald, aims to protect Wisconsin residents from being harmed by the kind of data breach suffered last month by giant California data aggregator ChoicePoint Inc. The company recently acknowledged that a theft ring used stolen identities to create presumably legitimate businesses, which the thieves then used to open dozens of accounts with ChoicePoint, according to an Associated Press report.
Several hundred people were defrauded by the ring, AP noted.
Fitzgerald noted that the bill is meant to take a proactive stance on an issue for which Wisconsin currently has no provision in law.
“There are some other bills out there that really focus on the use of the stolen data, but we felt that was after the fact,” said Fitzgerald, a Republican from Horicon. “This would focus on … a breach. Then the consumer would be notified. And when we talk about notification, we allow some flexibility in the methods.”
“If you have information that has been compromised, I think the main thing is that you are notified by this company before something could occur,” he added. “That’s the gist of the whole bill. We don’t want you to be notified after … somebody runs up a $10,000 bill on you.”
The bill covers many organizations, including those that conduct business in Wisconsin and maintain personal information in the course of business, store information within the state, lends money to Wisconsin residents, and virtually all state governmental bodies. Currently it stipulates that a business has 15 business days to notify a resident when it discovers of an information security breach.
“We’re in the early stages of the bill,” Fitzgerald said. “We’re kind of toying with that number; we’re not sure if 15 days is too long or not. We’re going to put it out there and see what we come up with.”
The bill is still in its infancy and carries no penalties. But Fitzgerald hopes it will serve as an impetus for companies to keep consumers in the loop if there’s a chance that their personal information has fallen into the wrong hands.
“We’re not really creating an oversight agency,” he said. “Really the legislation is designed as an incentive for the entitities to develop some kind of notification plan and to be aggressive in the data security field. Failure to meet these requirements could be used in a civil case against them.
“We don’t want to create more bureaucracy and more oversight, but we think something should be put in there to help the consumers of Wisconsin.”