http://reviews.cnet.com/4520-3513_7-6381707-1.html?tag=nl.e497
<snip from cnet email>
Dear CNET members,
Let me start by asking you this: If your personal data, for example, was breached because a company accidentally lost it, wouldn't you want to be notified of it regardless of whether your information was at risk of identity theft? Well, be very wary, folks, because you may not be notified at all in the future. According to a press release on a new U.S. House bill (HR 4127 DATA) currently in review, "The House DATA bill would require companies to contact customers only when there is a reasonable basis to conclude that there is a significant risk of identity theft." I don't know about you, but I'd like to be notified, period. Let me--and not the company!--determine what is deemed a significant risk for identity theft. If this new proposed bill has rattled some of your nerves, read the latest Security Watch article: "Congress loves identity thieves" by Senior Editor Rob Vamosi for the entire scoop on this new bill. And when you're done, tell us what you think of it. Should you be notified whenever your personal data is stolen from a data warehouse? Speak up and let everyone know what's on your mind. (While I know many of you readers live outside of the United States, and this proposed bill doesn't apply to you, share with us what your country's laws state about personal information being exposed--do you get notifications?)
Cheers!
Lee Koo
Manager, CNET community
Earlier this year, I wrote about several major data breaches at ChoicePoint, then LexisNexis. Headlines screamed how thousands--and in the case of CardSystems, millions--of individuals had their names, social security numbers, and other personal information exposed to god-knows-who. These revelations came only because of a California law, SB 1386, which requires companies to inform California residents if any data breaches occur. The Senate is currently considering a national version of the California law, but a weaker House of Representatives bill is rapidly gaining influence in Congress. If the House bill passes and becomes law first, future data breach revelations will be silenced, and data thieves will be free to run amok.
California SB 1386 is the gold standard
Passed in 2003, California law SB 1386 states that any organization conducting business with California residents must notify those individuals if files containing their names, addresses, and other personal information have been breached. Chances are very few of the customers contained within the breached data files have ever suffered actual identity thefts. The numbers, in the millions, are rough estimates of potential victims, not reported ID thefts. But they're an important insight into the unregulated data warehouse industry, where your purchases at Wal-Mart, combined with your driving history and online newsgroup postings, could someday determine whether you get a job or get that promotion you've long deserved.