Watch Out: State Mishmash Can Be Worse Than Federal Law

More than 27 million Americans had their identities stolen in the last five years, 10 million last year alone, according to the Federal Trade Commission's recent Identity Theft Survey Report, the FTC's first in-depth look at this crime. -- Sidebar to: Rules Of The Road

George V. Hulme, Contributor

October 3, 2003


More than 27 million Americans had their identities stolen in the last five years, 10 million last year alone, according to the Federal Trade Commission's recent Identity Theft Survey Report, the FTC's first in-depth look at this crime. Identity theft cost businesses $47.6 billion in 2002 and individual victims $5.0 billion, the report says.

To combat the problem, Congress and state legislatures have passed laws with stiff penalties for thieves, and consumers are encouraged to closely monitor the information in their credit reports. The latest tack aims to get companies that hold sensitive information to secure it better and to warn customers when it is breached.

The first law of its kind went into effect in July in California. It requires companies to inform California customers if certain unencrypted data is accessed by an unauthorized person. The law is triggered when an unauthorized person accesses someone's first name or first initial and last name, along with his or her Social Security, driver's license, or California ID-card number; or an account, credit-, or debit-card number together with a required access code or password.

The California statute "focuses on public embarrassment," says Michael Overly, a partner at the Los Angeles office of law firm Foley & Lardner. "This law has caused more companies to step back and look at their security procedures." And since almost every large company is likely to have California residents as customers, the law has become a de facto national standard, Overly says. "It's just a matter of time before we see a class-action suit following a security breach."

It's also just a matter of time before similar state laws crop up. Federal legislation--the Identity Theft Consumer Notification Act (H.R. 818)--already is pending. If passed, it would require financial institutions to promptly notify and assist customers whose personal information is breached. U.S. Sen. Dianne Feinstein, D-Calif., has drafted legislation known as the Database Security Breach Notification Act that would create a nationwide law modeled after California's state law.

That may be welcome news to many companies, which say a mishmash of state laws would create a compliance nightmare. "If each state passes similar, but slightly different, laws, complying with each state could prove very difficult," says Gene Fredriksen, VP of information security at financial-services provider Raymond James & Associates. "A single federal law, depending on how it's crafted, would be easier for companies to make sure they're in compliance."

One of the challenges with the California law is defining what a security breach is, Fredriksen says. Breaches that would likely trigger notification include a hacker, an unauthorized employee, and a worm or virus infection that contains a tool to log user keystrokes and send that information back to the attacker. But it's not entirely clear that all attacks would. "You could get 50 people in a room and get 50 different opinions as to what qualifies as a breach," Fredriksen says. The law is "cloudy" on the definition of a breach, so it's critical that companies come up with clear definitions, Fredriksen says.
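The trigger described above, and Fredriksen's point that each company needs one clear, written definition rather than 50 opinions, as an added example that is not code from the article or from any company quoted in it: a small Python check that applies the notification trigger exactly as the sidebar summarizes it (a name plus a government ID number, or a name plus an account or card number together with its access code or password, all in the clear, for a California resident). It assumes that summary is the complete rule; the data-element names, the `Exposure` record and the sample incidents are constructed for the example.

```python
"""Added example: a single, checkable definition of when a data exposure
meets the notification trigger as the article describes it. Assumption:
the article's summary of the trigger is the complete rule."""
from dataclasses import dataclass, field

# Data elements named in the article's summary (constructed identifiers).
NAME_FIRST = {"first_name", "first_initial"}
GOVERNMENT_IDS = {"ssn", "drivers_license", "ca_id_card"}
FINANCIAL_IDS = {"account_number", "credit_card_number", "debit_card_number"}
ACCESS_SECRETS = {"access_code", "password"}


@dataclass
class Exposure:
    """What an unauthorized party accessed for one group of affected people."""
    incident_id: str
    elements: set                      # data elements that were accessed
    encrypted: set = field(default_factory=set)  # elements held encrypted
    california_residents: bool = True  # the law covers California customers
    unauthorized: bool = True          # access by someone not permitted


def notification_required(exp: Exposure) -> tuple:
    """Return (decision, reason) for one exposure.

    The trigger needs a name AND one of: a government ID number, or a
    financial account/card number plus its access code or password.
    Encrypted elements do not count, because the law covers unencrypted data.
    """
    if not exp.unauthorized:
        return False, "no unauthorized access"
    if not exp.california_residents:
        return False, "no California customers affected"

    plain = exp.elements - exp.encrypted      # only cleartext elements matter
    has_name = "last_name" in plain and bool(NAME_FIRST & plain)
    if not has_name:
        return False, "no first name/initial and last name in the clear"
    if GOVERNMENT_IDS & plain:
        return True, "name plus government ID number in the clear"
    if FINANCIAL_IDS & plain:
        if ACCESS_SECRETS & plain:
            return True, "name plus account/card number and its access secret"
        return False, "account/card number exposed without access code or password"
    return False, "name only; no triggering identifier in the clear"


def triage(exposures) -> list:
    """Return the incident IDs that require customer notification."""
    return [e.incident_id for e in exposures if notification_required(e)[0]]


# Constructed sample incidents covering the edge cases in the definition.
SAMPLE_INCIDENTS = [
    Exposure("INC-1", {"first_name", "last_name", "ssn"}),
    Exposure("INC-2", {"first_name", "last_name", "ssn"}, encrypted={"ssn"}),
    Exposure("INC-3", {"first_initial", "last_name", "credit_card_number"}),
    Exposure("INC-4", {"first_initial", "last_name", "credit_card_number",
                       "password"}),
    Exposure("INC-5", {"last_name", "drivers_license"}),        # no first name
    Exposure("INC-6", {"first_name", "last_name", "ssn"},
             california_residents=False),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        decision, reason = notification_required(inc)
        print(f"{inc.incident_id}: {'NOTIFY' if decision else 'no notice'} ({reason})")
    print("requires notification:", triage(SAMPLE_INCIDENTS))
```

The value of writing the rule this way is that the edge cases the article gestures at become explicit and reviewable: a card number without its PIN or password, an encrypted SSN, or a last name alone all evaluate to "no notice" for a stated reason, and changing the definition means changing one function rather than re-arguing it per incident.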

Spotting denial-of-service attacks and most worm and virus infestations is relatively easy because of the wake of destruction they leave, but that's not true of clandestine hacker attacks. Spotting a hacker requires constant study of server, application, firewall, and intrusion-detection logs. That's a familiar routine for James Pu, director of technology service in the systems division at the Los Angeles County Employees Retirement Association. "From E-mail to Internet connections, back to the firewall and database sources, everything is logged, and we constantly look for security violations and breaches," Pu says. It's this kind of oversight that will keep customer data away from unauthorized eyes and keep companies from having to implement the provisions of the California law.

It's not only about the law, Fredriksen says, "it's just the right thing to do when handling this type of information."

Illustration By Craig LaRotonda


About the Author

George V. Hulme

Contributor

An award-winning writer and journalist, George Hulme has written about business, technology, and IT security topics for more than 20 years. He currently freelances for a wide range of publications and is a security blogger at information.com.
