Shostack + Friends Blog Archive


Breach Laws

The Washington Post reports, in “States Keep Watchful Eye on Personal-Data Firms”:

Critics of the multi-state approach say that due to the potential monetary, logistical and public-relations headaches that could come from establishing different requirements and penalties in each state, companies will soon be forced to set their overall policies to satisfy the state with the most stringent law.

Currently that state is North Dakota, where in April Gov. John Hoeven (R) signed a law that goes far beyond the California statute in its classification of what constitutes “personal identifying information.” Beginning today, companies doing business in the state will be required to disclose a data theft if the company loses track of any customer information — including information not generally considered “private,” such as names, addresses or telephone numbers.

Isn’t that already the case? Doesn’t everyone comply with California’s law today? And is that a bad thing for our citizenry?

The California Department of Consumer Affairs reported May 27 that since the state’s notification law went into effect in July 2003, it has been aware of 61 significant breach notifications involving an average of 163,500 individuals each. About one-fourth of the breaches occurred at financial institutions and another one-fourth at universities, with 15 percent reported by medical institutions, 8 percent by government and 7 percent by retailers, according to the figures.

Sixty-one breaches averaging 163,500 individuals each works out to almost 10 million people, roughly twice as many as I or the Privacy Rights Clearinghouse list are aware of. I can’t find the underlying data on the Office of Privacy Protection site, whose press release page hasn’t been updated in years.