With identity theft a growing concern for many in the United
States, California Democratic Sen. Dianne Feinstein introduced a
bill that is aimed at making people equipped to protect their
personal information.
The bill was introduced Monday and will now move into the
lengthy process of approval.
If passed, it will require that anyone whose personal
information has been leaked due to a security breach be notified of
the situation, said Scott Gerber, a spokesman for Feinstein.
“It basically says you should be told what category of
information has been breached, including social security number,
driver’s license or financial data,” Gerber said.
The notification would also give people a means for following up
and getting more information, he added.
As a consumer, UCLA Director of Information Technology Policy
Kent Wada said he liked the idea of being notified of security
breaches.
“If something goes wrong with my personal information, I
think it is a good thing that I know about it,” he said.
With notification, people will have the opportunity to protect
themselves from identity theft whereas if they are not informed
they will not be able to do anything to prevent it.
Agencies responsible for the breach will face financial
penalties for failure to notify their customers of the breach and
may be charged $50,000 for each day that they do not send out
notifications under the proposed bill.
A similar law already exists in California, but the new bill
would make a nationwide standard for privacy practices.
The push for the bill was prompted by a series of security
breaches that have put many people at risk across the country as
well as at the University of California.
The breaches range from stolen laptops containing social
security numbers and medical records to hackers stealing bank
account numbers.
“This has drawn a lot of attention to the problem,”
said Andi Murray, a spokeswoman for Feinstein’s office.
“That helps in terms of moving things forward.”
The bill has received support due to the many prominent security
leaks in the past year, but some say it is impractical and does not
get to the heart of the problem.
“The real fix is to prevent the data from leaking out in
the first place,” said Paul Eggert, a professor of computer
science at UCLA.
He said the notification bill is like “closing the barn
door after the horse has already got out” and said a more
effective bill would prevent information from being lost in the
first place.
“I just don’t think it goes nearly far
enough,” he said.
One of the major concerns is that it is not cost-effective or
efficient for companies to keep information safe.
“If you’re designing a system and you’re
trying to do it efficiently and at a low cost … you don’t
make (security) a priority,” Eggert said.
There are also objections to the bill on practical grounds,
particularly when dealing with e-mail.
On the side of the company, it can be a hassle to contact the
thousands or even millions of people who may have been adversely
affected by a security breach.
“From the point of view of an institution that has other
people’s data, it is often a lot of work to do that,”
Wada said.
And even when all the notifications are sent, outdated or
incorrect information may mean that people do not actually receive
the information.
Or, with an overflow of spam in e-mail inboxes, messages may be
automatically sent to the junk folder or disregarded.
“Even if the company tries to contact people in reasonably
good faith, it just doesn’t get through,” Eggert
said.
The next step toward approval will be a hearing in the Senate
Judiciary Committee on Wednesday and then passed on to discussion,
but there is no definite time frame for the process, Murray
said.
“We don’t have any sense now of when that’s
going to happen,” she said.
The notification bill is only one of many things that can be
done to protect personal identity, including encryption and tighter
regulations on what information is kept on devices that can be
easily stolen, like laptops.