RETAILERS COULD SOON BE FINANCIALLY RESPONSIBLE FOR DATA BREACHES
California Assembly Bill 779, which passed unanimously
last week, would require third parties to inform financial
institutions of data breaches and reimburse them for costs
associated with notifying customers and restoring financial
information.
An article in the Sacramento
Business Journal states that the bill, authored by
committee chairman Assemblyman Dave Jones (D-Sacramento),
seeks to improve data security by requiring accountability
and reimbursement of affected parties if a data breach occurs.
This bill modifies the existing groundbreaking California
security breach notification law by clarifying “that
a retail seller that collects and maintains personal information
for any purpose is subject to the breach notification law
and prohibits a retail seller from retaining personal information
for longer than 90 days after the transaction date.”
It also requires a business or agency to provide a copy of
the breach notification to the Office of Privacy Protection
(OPP) and adds stipulations on what information must now be
included in the notification letter.
California isn't the only state to initiate this type of law.
Massachusetts was the first to move beyond consumer notification
requirements of data breaches to make all commercial entities
that keep consumer information bear the costs associated with
identity theft. Massachusetts House bill 213 was introduced
earlier this year, prior to the TJX and Stop & Shop incidents,
hoping it would help compel companies to invest in better
data security. The Massachusetts Bankers Association said
it is now filing a class action lawsuit against TJX Companies
Inc. to recover damages in the tens of millions of dollars.
The association said the lawsuit also seeks to prove that
TJX was responsible for “negligent misrepresentation,”
since it said it was safeguarding and disposing of cardholder
data.
Currently, expenses associated with fraudulent activity from
stolen data, such as canceling or reissuing credit and debit
cards, stopping payment of unauthorized transactions, and
reimbursing customers for charges to their cards, are
being absorbed by the banks that issue the cards to customers.
The bill is intended to help them recoup this cost.
The author of AB 779 argues that a number of entities are
simply not adequately protecting consumer personal information
in such a way as to minimize or mitigate security breaches. He
believes this bill addresses deficiencies learned within the
last three years and will force retailers to take greater
steps to secure financial data and limit the opportunities
for data breaches to occur.
ANOTHER IDENTITY PREVENTION BILL PASSES COMMERCE COMMITTEE
The Senate Committee on Commerce, Science and Transportation
passed S. 1178, the “Identity Theft Prevention Act,”
this week. The sponsor of the bill, committee Ranking Member
Ted Stevens, R-Alaska, asserts it would strengthen information
safeguards and ensure notification to consumers whose sensitive
personal information has been acquired without authorization.
The bill would also direct the Federal Trade Commission
(FTC) to enforce rules to protect such information.
According to the press release issued, the bill requires
businesses, organizations, and federal agencies to maintain
and protect sensitive personal information. The Federal
Trade Commission establishes standards for companies safeguarding
such information and is responsible for enforcing the Act
against businesses and organizations, other than those that
are regulated by other federal agencies. Violators may be
fined up to $11,000 per violation per day with no cap. The
bill also obligates these businesses, organizations, and
federal agencies to notify consumers in the event of a security
breach that creates a reasonable risk of identity theft.
S. 1178 allows for consumers to place a security freeze
on their credit reports with ease, which has created concern
for retailers. It also covers all types of security breaches
by going beyond electronic or computerized information to
include paper, which can contain the same type of sensitive
personal information as computer records.
Although this bill gives consumers the ability to freeze
their credit report so thieves can't open new accounts with
their credit, it falls short on notifying them that their
information has been breached. The obligation for companies to
give notice of a security breach is based on whether the breached
entity “determines that the breach of security creates a
reasonable risk of identity theft.” States such as
California, New York, Illinois and Texas that require notification
without any risk standard would now be subject to a lower
standard, which allows companies to excuse notice when not enough
information is available to determine the risk. This leaves
consumers open to identity theft for a longer period of
time or excuses the company from notifying them at all.
In 2006, it is estimated that the losses to businesses and
financial institutions due to identity theft totaled $52.6
billion, and the out-of-pocket losses to consumers totaled
$5 billion, plus 297 million hours annually spent resolving the
problems created by identity theft. Advocacy groups have
urged the Senate to provide one uniform federal notification
standard whereby companies conducting business in other
states wouldn't have to deal with the complexity of 36 different
state notification laws.
You can read the entire S. 1178 bill at Identity
Theft Prevention Act.
NCX Group, Inc.
5000 Birch Street, West Tower, Suite 3000
Newport Beach, CA 92660
888-448-5451
Copyright ©2007 NCX Group, Inc. All rights reserved.