States failing to secure personal data

 A hacker in Nebraska last month broke into the state treasurer’s database of child-support data and gained access to the Social Security numbers, bank-account routing numbers and other personal data of 300,000 people.

Oregon taxpayers recently were notified they may have had personal data stolen from state computers when an ex-state employee downloaded a virus from a porn site while at work.

And personal information about thousands of Illinois state workers has been found in dumpsters twice in the past year, prompting the Legislature to pass a law last month making it a potential felony for state employees to knowingly throw away sensitive personal data.

These are just a few examples from more than 200 publicly disclosed cases of sensitive personal data being lost or stolen in the past year and half, the majority of which involved federal, state or local agencies, according to the California-based Privacy Rights Clearinghouse (PRC). Since the beginning of 2005, the personal data of 88 million people have been exposed because of security breaches, the group reported.

More than half of states have passed laws aimed at preventing identity thieves or other criminals from exploiting personal data held by corporations and businesses, and Congress is debating national legislation to combat identity theft. But a recent rash of stolen government laptops, hacked computer databases and misplaced government files has highlighted the difficulty public agencies are having protecting personal data.

For example, a laptop stolen from the home of a U.S. Veterans Affairs employee in May and later recovered contained personal data for 26.5 million veterans. And laptops stolen from public colleges in Vermont, Colorado and Ohio in recent months contained Social Security numbers and payroll information for more than 200,000 students and faculty members.

“Laptops appear to be a big weakness, but the whole issue of how public agencies should protect digital information for millions of taxpayers and state employees is really heating up,” said PRC director Beth Givens.

Illinois state Rep. Harry R. Ramey Jr. (R) said he sponsored a new state law making it a felony if state employees get caught more than once throwing sensitive documents in the trash after he witnessed such abuses while working in the secretary of state’s office.

 

“I wanted to put some teeth into the law and say, hey, we’re not going to accept this kind of behavior,” Ramey said.

States are cracking down on identity theft by requiring businesses and public agencies to notify people when their personal information has been compromised because of security breaches. California was the catalyst for requiring consumers to be notified of such data breaches when it passed first-of-its-kind legislation in 2003. Since then 31 other states also have adopted security-breach notification laws, according to the Consumers Union , a nonprofit group that publishes Consumer Reports Magazine .

However, only 22 of the 32 states with breach notification laws impose the requirement on government agencies. The 10 states with breach notification laws that don’t apply to government agencies are Colorado, Connecticut, Delaware, Georgia, Maine, Montana, North Carolina, North Dakota, Texas and Utah.

Givens said that in most cases states targeted business practices first, but exempted public agencies in an oversight. But she said it’s a mistake not to hold government agencies publicly accountable for security breaches. Lawmakers in at least one state that exempted public agencies from breach notification — North Carolina — gave preliminary approval to legislation last week (July 6) to close the loophole.

Consumer advocates said that notification laws are essential to allow victims to take action to prevent identity thieves from using personal data such as Social Security numbers to fraudulently obtain loans or credit cards.

About 43 percent of identity theft victims discover someone has stolen their identity within one month of the first instance of fraud, according to the Federal Trade Commission . However, a quarter of all victims don’t find out for two or more years, when identity thieves already may have racked up tens of thousands of dollars in debt in the victims’ names.

States also are passing laws to make it easier to block potential identity thieves by allowing consumers to freeze their credit reports, which are used by banks and business to grant loans or lines of credit. Credit-freeze laws kicked in July 1 in Colorado, Florida, Kentucky and South Dakota. Nine more states also adopted credit-freeze laws this year that go into effect by 2007: Delaware, Illinois, Kansas, Minnesota, New Hampshire, New York, Oklahoma, Utah and Wisconsin. Another 11 states already had adopted credit-freeze laws: California, Connecticut, Hawaii, Louisiana, Maine, Nevada, New Jersey, North Carolina, Texas, Vermont and Washington. 

Congress is considering legislation that would preempt all state identity-theft laws, including measures far stricter than the federal proposals, said Ed Mierzwinski , director of consumer programs for U.S. Public Interest Research Group (PIRG). 

Congress is considering several bills that would preempt laws in 17 states that allow anyone to freeze their own credit and instead would allow only ID theft victims that privilege. The federal proposals also would preempt security-breach notification laws adopted by 29 states. The federal legislation would set national criteria for data protection and breach disclosures and put banking and U.S. Treasury officials in charge of enforcing compliance.

Critics say the federal bills trample states’ rights and strip consumer protection authority from state attorneys general.

“This is another arrogant piece of federal legislation that proposes to strip states of their role as laboratories of democracy and hand corporations a huge giveaway,” Mierzwinski said. 

(Return to story.)