16 Mar Businesses can't hide personal information losses, theft
Wisconsin businesses now are legally obligated to notify customers when their personal information has been stolen, a move that could require businesses to rethink the way they both protect information and track its use.
Under Senate Bill 164, signed into law Thursday by Governor Jim Doyle, companies must inform customers of a data breach, which typically occurs when computer systems are hacked, when dishonest employees sell information, or when businesses simply lose information.
An estimated 10 million Americans each year discover they have been victims of identity theft. After its computer system was hacked in June of 2005, the credit card processor CardSystems exposed the personal information of more than 40 million credit cardholders. During that same month, back-up tapes with the personal information of nearly four million customers were lost by CitiFinancial.
Stolen personal information has been used to open fraudulent bank, utility, and credit card accounts, and to commit other crimes. “Getting consumers’ personal information is the first step in identity theft,” said Doyle, who signed the bills during a ceremony at Brookfield Public Library in suburban Milwaukee. “And if consumers don’t know whether their information has been compromised, they can’t take steps to protect themselves.”
The bill likely to have the greatest impact on businesses is SB 164, which gained unanimous support in both houses of the Legislature. If there has been a security breach that leads to the theft of personal information, companies must inform victims of the breach in the manner in which they usually communicate, whether that is by e-mail or traditional mail. “Their duty is to protect certain kinds of personal data – credit, personal identifiers, and DNA information,” said State Senator Ted Kanavas, R-Brookfield, who worked to pass the bill.
Attorney Daniel J. Vaccaro, a partner in the Milwaukee office of Michael Best & Friedrich, said chief information officers and others in data monitoring positions will be on the front lines of theft notification. “They are going to be the ones that are going to have to report it on up to the CEO and the other business folks involved,” Vaccaro said.
Vaccaro said the notification requirement might force businesses to evaluate their IT policies and procedures, specifically their policies related to the preservation of electronic data and the retrieval of individual identifying information. He said the statute requires IT people to think and rethink the maintenance of logs that show who is moving in and out of systems. “Without IT being in an appropriate back-up situation,” he stated, “those questions are going to be difficult to answer.”
The two other bills that became law Thursday provide additional consumer protections. Under Assembly Bill 536, a municipal register of deeds is prohibited from recording documents with more than the last four digits of a person’s Social Security number. And for a cost of not more than $10, Assembly Bill 912 enables consumers to place a “security freeze” on their credit reports, giving them the authority to decide when and to whom their credit information is released.
Kanavas referred to the bills as the starting points of personal security, and said the Legislature would address new identity theft schemes and techniques as they emerge.