Lawmaker: Consumers need details in data breach warnings

California State Sen. Joe Simitian says consumers should be given more information to understand the threat to their privacy when their data is affected by a security breach.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read

BERKELEY, Calif.--Six years after California enacted the country's first data breach notification law, many state residents have received letters warning them that their data was exposed by a breach but usually they don't know how or how long, experts said at a privacy conference on Friday.

That would change with the passage of a measure proposed by California State Sen. Joe Simitian, who authored the country's first bill requiring companies to notify customers when a breach has occurred that exposes their data.

Senate Bill 20 would require that notification letters to consumers have a standard set of information such as information about the timing and circumstances of the breach.

It would also require that a state entity be notified at the same time so that law enforcement, lawmakers, and researchers "can spot larger trends and don't have to rely on what they read in the newspaper," Simitian said in a luncheon address at the Security Breach Notification Symposium in Berkeley.

California State Sen. Joe Simitian discusses his proposed data protection legislation at a privacy symposium on Friday. Elinor Mills/CNET

Some privacy advocates have called for including breaches involving paper in notification laws. But because of the "sheer volume of information and the speed with which it can be moved" with electronic information, digital data remains the priority, Simitian said.

"Paper is a problem," he said. "The ability to move legislation on that subject through the California State Legislature today is questionable at best, but it is an issue I will continue" looking into, Simitian said.

Another area of concern to tackle is biometric and RFID-enabled data, particularly in connection with government-mandated use such as in identification documents like passports, according to Simitian. With government-required use of such technologies there is an obligation to raise the standards for protecting the data to a higher level by limiting the type of data used or requiring encryption, he said.

Simitian said he learned firsthand the dangers of RFID technology during a demonstration showing how easy it is to steal data from his RFID-enabled state Senate ID. A Berkeley student who looked like "central casting for hacker dude, twentysomething, long, scraggly blond hair...glasses, black T-shirt," walked into Simitian's office, he recounted. Simitian handed his Senate ID to the student and the student handed it right back and said he had "read" the data on the card and even cloned it, all in the split second it took to pass it back and forth.

"I can now come into the California State capitol anytime I want to, and even better, people will think I'm California State Sen. Joe Simitian," the student told him.

Joanne McNabb, chief of the California Office of Privacy Protection, said in an interview after she sat on a panel that her office was analyzing the proposed legislation and that she did not have a position on it yet.

Meanwhile, McNabb said something needs to be done to better protect consumers who are victimized by identity fraud involving criminal records, health care, and employment. With financial identity fraud, consumers can put a freeze on their credit, but there are no easy steps someone can take when a scammer gets a criminal record in their name or uses their Social Security number to get a job, she said.

"We don't know how to address this," McNabb said.

In another presentation at the symposium, researchers discussed effects of security breach notification laws around the country.

Surprisingly, identity theft due to data breaches dropped only 2 percent after adoption of the laws, said Alessandro Acquisti, an assistant professor at Carnegie Melon University. However, that rate is in the range of impacts with other types of disclosures, like stock price drops after a company discloses a toxic waste issue, he said.

Of consumers who have been notified that their data may have been exposed during a data breach, 20 percent claim they ended their relationship with the company breached but the actual churn rate is less than 7 percent, said Deirdre Mulligan, assistant professor at the School of Information at the University of California at Berkeley.

The scope of the data breach problem was illustrated when a speaker asked the 90 or so attendees if they had received a data breach notification letter. At least two-thirds of the crowd raised their hand.