Data Privacy Now Issue for States


Many state lawmakers, like their counterparts in Congress, are itching to enact tough data privacy measures this year.


Bills have been introduced in 23 states, including New York, Illinois, Montana, and Texas, that would require companies to notify customers whenever sensitive data has been lost or stolen, according to Pam Greenberg, a program principal at the National Conference of State Legislatures.

California passed the first such law in 2003 — a pending bill would enhance it — and though other states have tried to pass similar laws, to date none have succeeded.

But momentum for tougher privacy laws is building in response to headline-grabbing security breaches at major corporations this year. Several bills have also been introduced in Congress, including one authored by Sen. Dianne Feinstein, D-Calif., that would require notification.

Given the choice, banks would generally prefer a federal law to a patchwork of state ones, industry sources say. In fact, Montana bankers say banks should be exempt from any such state law, because they are already subject to reporting guidelines that federal regulators issued this month.

Yet whether banks support the bills or not, Ms. Greenberg said state lawmakers are keen to do something this year.

The issue of data privacy has been front-page news since last month, when ChoicePoint Inc. disclosed that it had sold information on 145,000 consumers to fraudsters posing as legitimate businessmen. The breach occurred in October, but ChoicePoint, of Alpharetta, Ga., delayed a public announcement at the request of law enforcement officials.

Soon after that, Bank of America Corp., Lexis-Nexis, and the shoe retailer DSW Inc. reported security lapses that led to either unauthorized access or huge losses of customer information.

“Those security breaches have prompted actions from quite a few states, and my guess will be that a lot of these bills will be passed,” Ms. Greenberg said.

New York Assemblyman Richard L. Brodsky, a Democrat, failed to persuade his colleagues to enact a notification bill in 2003 and 2004, but a measure he introduced this year is gaining steam, according to Jim Malatras, his legislative director. The bill, patterned after California’s law, has been referred to the Assembly Rules Committee. New York’s legislative session is scheduled to end June 20.

“After everything that has gone on, I think legislators here see a need to act, particularly since Congress has not moved very quickly on this,” Mr. Malatras said. “We wouldn’t mind also seeing a federal standard that would be enforced in every state.”

Bankers in New York say they would support legislation there if lawmakers give them leeway in deciding which breaches pose enough of a threat to warrant notifying customers.

Michael P. Smith, the president of the New York Bankers Association, said it is trying to negotiate amendments to Assemblyman Brodsky’s bill and similar ones. The trade group would like lawmakers to give companies enough time to assess whether a security breach would actually result in the loss or unauthorized use of customer information. The group also wants more flexibility in deciding how to contact customers.

“We’d like for the notification requirements to be reasonable, and ideally, we’d like for them to be consistent with federal guidelines,” Mr. Smith said.

Tempi Rith, the executive manager of the Montana Bankers Association, said it is lobbying to have banks exempted from a notification bill that has been introduced there, because banks already have to follow reporting guidelines required under the Gramm-Leach-Bliley Act and enhanced by federal regulators March 18.

Under these updated guidelines, banks and thrifts must tell their regulators about any breach of sensitive customer information but have more leeway in deciding whether to notify customers. If a bank determines that misuse of its customer information has occurred or is reasonably possible, customers should be notified in a “clear and conspicuous manner,” the guidelines said.

The notice should describe what went wrong, what type of information was involved, and what is being done to protect the information from future misuse. Banks and thrifts must include a telephone number for more information and remind customers they should closely monitor their accounts for signs of identity theft for the next two years.

Jay Foley, a co-executive director of the Identity Theft Resource Center, a San Diego nonprofit, said the federal guidelines may be a good thing, if regulators intend to closely monitor banks and thrifts that report breaches to determine if they really should notify customers.

California’s law requires companies to post notices on their Web sites or announce to the news media whenever systems that protect “sensitive” information — such as Social Security numbers or credit or debit account numbers — are invaded.

Mark A. Moore, a lawyer at Aldrich & Bonnefin PLC in Irvine, says the California law has helped banks prevent security breaches.

“Internally, banks have been more proactive in identifying weak spots and taking action to prevent damage or loss of control of data,” he said. “They’ve also been much more assertive in doing their due diligence in determining the security of their vendors’ systems, as well as negotiating indemnification and cost recovery clauses in contracts with their vendors.”

Still, Mr. Moore said that he would like Congress to enact a federal standard for customer notification, so that there will not be a “hodgepodge” of conflicting state laws that banks doing business in multiple states would have to follow.

