[A closer look] Supporters address concerns about Feinstein’s proposed bill

Since the Security Breach Information Act became law in
California, what is perceived as the nature of identity theft has
changed.

A bill proposed Monday in the U.S. Senate by Sen. Dianne
Feinstein, D-Calif., that seeks to expand California law to the
national level is largely a reaction to a series of security
breaches at the University of California over the past two
years.

Should it be made law, the bill would require that consumers be
notified when their personal information is compromised.

“We desperately need a strong national standard that says
whenever a data system is breached, everyone who is at risk of
identity theft must be notified,” Feinstein said in a
statement.

The state Legislature passed the California bill in July 2003,
expecting it to combat computer hacking. But, said Chris Hoofnagle,
senior counsel for the West Coast branch of the Electronic Privacy
Information Center, “the scope of threats envisioned by the
bill are different than what has been discovered.”

Hoofnagle, who worked with Feinstein to develop the bill, said
that many of the security breaches this bill attempts to mitigate
are in fact the result of stolen or lost laptop computers rather
than hacking into data systems.

Because of this, some have criticized the bill, suggesting that
notifying the public about stolen data might alert a thief to the
fact that they have sensitive information.

“That stands to reason,” said Andi Murray, a
spokeswoman for Feinstein, acknowledging the possibility that
notification could backfire in this way.

But, as she said, the most important effect of the proposed
legislation would be to ensure that consumers are informed that
their privacy has been compromised.

“Then they can take steps to protect themselves,”
she said.

Hoofnagle also acknowledged that alerting the public of a
security breach might also alert the thief that the stolen material
was sensitive.

“That, theoretically, is a problem,” he said.

But, he said, the proposed legislation does take that
possibility into consideration.

“Under the law, police can stop a company from giving
notice for a certain amount of time, exactly to deal with that type
of threat,” he said.

He cited a security breach that occurred in February when
digital information was stolen from ChoicePoint, a major data
broker. In this instance, he said, notification was delayed to
prevent alerting whomever had the material that it was
sensitive.

Companies that deal with data are the bill’s most likely
opposition, Hoofnagle said. Since the California law went into
effect, many such companies have chosen to refrain from requesting
certain personal information, thus avoiding the possibility of a
security breach altogether.

The law has also had the effect of encouraging companies to
update their databases more often, he said.

“A lot of entities are keeping data a lot longer than they
have to,” he said. But because the law requires that
customers be notified of a security breach, it encourages companies
to take greater care in the management of their data systems, he
said.