Navigating the law of unintended consequences

Legislators in more than 20 states, including New York, Washington, Illinois and Texas, have already proposed laws in response to a series of security snafus involving Bank of America, payroll provider PayMaxx and Reed Elsevier Group's LexisNexis service.

While details vary, most of the state proposals follow the lead of a California law that took effect in 2003. It requires customers to be notified when "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

That's a reasonable principle for companies to follow. But many of the new state bills seem to have been written in haste and could create more problems than they solve.

One measure introduced last month in New Jersey, for instance, would require that customers be alerted if any personal information--even an e-mail addresses or home page address--is acquired by an "unauthorized person." Companies that fail to disclose this can be fined $10,000 for the first offense and $20,000 for the second.

Perhaps an e-mail address or home page address could be as sensitive as a bank account number and PIN, but for most people that seems unlikely. Is such a sweeping definition of "personal" information really in the best interests of business owners in New Jersey?

North Dakota's approach suffers from the opposite problem: It may not be broad enough.

Companies would have to reveal a security breach only if it involved driver's license numbers, mother's maiden name, birth dates and so on. The disclosure requirement wouldn't cover a leak or theft involving passwords used on Web sites--a glaring oversight, in a world where so many people reuse passwords online.

Then there's Missouri's freshly introduced security breach bill. Like many other state proposals, it would regulate only the "unauthorized acquisition of computerized data."

Why should "computerized data" be singled out for special treatment? Sure, it may be easier for an identity thief to download a database than haul away a file cabinet. But the potential for harm is the same. (An Illinois version, by contrast, encompasses "non-computerized" data as well.)

Unintended consequences?
Ohio is taking a different approach. Its legislation, introduced on March 1, would require reporting of security breaches involving any record of "actions done by" a person.

That could be problematic for the many Web sites, from My.yahoo.com to Slashdot, that let visitors log in and customize how information is displayed. Would those companies be required to contact each of their users if an access log on a Web server were accidentally made public? Nonprofit groups, such as charities and churches, would be subject to the same rules. Could they afford to comply?

The politicians drafting these laws are no doubt sincere in their efforts to improve information security. But some business groups are becoming concerned about the unintended consequences of hastily prepared state laws.

"We're worried about that," said Jerry Cerasale, vice president for government affairs at the Direct Marketing Association. Cerasale said that while database security must be improved, the laws must be carefully worded.

"I always worry that too much notice is no notice at all, from our point of view," Cerasale said. "For example, say someone misplaced a tape and they found it an hour later. Is that a potential breach? That's the kind of thing we have to worry about. If there's constant notice, does that help the consumer?"

These are common problems that politicians, who rarely understand technology, face when they try to regulate it. Economic knowledge among politicians also tends to be lacking: Only infrequently are the costs that regulations impose on businesses weighed against the benefits they are said to provide.

The recent snafus at ChoicePoint and other companies have demonstrated the importance of good information security. It's so important, in fact, that politicians should be doubly careful in their responses.