HOUSE BILL REPORT
SSB 6043
As Reported by House Committee On:
Financial Institutions & Insurance
Title: An act relating to breaches of security that compromise personal information.
Brief Description: Addressing breaches of security that compromise personal information.
Sponsors: Senate Committee on Financial Institutions, Housing & Consumer Protection (originally sponsored by Senators Brandland, Fairley, Benson, Keiser, Schmidt, Spanel, Benton, Franklin, Berkey, Kohl-Welles and Rasmussen).
Brief History:
Financial Institutions & Insurance: 3/24/05, 3/29/05 [DP].
Brief Summary of Substitute Bill |
|
|
|
HOUSE COMMITTEE ON FINANCIAL INSTITUTIONS & INSURANCE
Majority Report: Do pass. Signed by 10 members: Representatives Kirby, Chair; Ericks, Vice Chair; Roach, Ranking Minority Member; Newhouse, O'Brien, Santos, Serben, Simpson, Strow and Williams.
Staff: CeCe Clynch (786-7168).
Background:
"Identity theft" is defined, by the Federal Trade Commission (FTC), as "someone
appropriating your personal information without your knowledge to commit fraud or theft."
With 5,654 complaints reported in Washington in 2004, this state is eighth among the states
in the per capita reporting of identity theft.
Recently, ChoicePoint, a business which collects and compiles personal and financial
information about consumers, reported that it had inadvertently sold personal information
relating to almost 145,000 people to a criminal enterprise. As required by laws enacted in
California in 2002, the company first disclosed the breach to California residents whose
personal information had been included in the sale. California was the only state with laws
requiring disclosure of the breach to the affected persons but, at the request of authorities in
several other states, ChoicePoint later disclosed that residents in other states, the District of
Columbia, and three territories also may have been affected by the breach of security. More
than 3,000 of the affected persons were Washingtonians.
At this time, legislation relative to the privacy of personal information and prevention of
identity theft is being considered in at least 20 states.
Summary of Bill:
Upon discovery or notification of a breach in the security of a computerized data system, any
"agency," person, or business that "owns and licenses" computerized data that includes
"personal information" is required to notify Washington residents whose unencrypted
personal information may have been accessed in the breach. Any agency, person, or business
that maintains but does not own computerized data that includes personal information must
notify the owner or licensee of the information of the breach.
Definitions.
"Agency" includes "all state agencies and all local agencies. 'State agency' includes every
state office, department, division, bureau, board, commission, or other state agency. 'Local
agency' includes every county, city, town, municipal corporation, quasi-municipal
corporation, or special purpose district, or any office, department, division, bureau, board,
commission, or agency thereof, or other local public agency."
"Personal information" means an individual's first name or first initial and last name in
combination with any one of the following data elements, when either the name or the data
elements are not encrypted: (a) social security number; (b) driver's license number or
Washington identification card number; or (c) account number or credit or debit card
number, in combination with any required security code, access code, or password that would
permit access to an individual's financial account.
The phrase "owns or licenses" is not defined in the bill or in the particular California code
section which it parallels. In a related section of the California Code, it is stated that the
phrase "is intended to include, but is not limited to, personal information that a business
retains as part of the business' internal customer account or for the purpose of using that
information in transactions with the person to whom the information relates."
Notice Requirements.
Notice of the security breach is to be provided by (a) written notice; or, (b) electronic notice
if the electronic notice is consistent with federal rules governing consumer disclosures in
global and national commerce.
In certain circumstances, substitute notice will suffice, but only if the agency, person, or
business demonstrates that (a) the cost of providing written or electronic notice would exceed
$250,000; (b) the affected class of subject persons to be notified exceeds 500,000; or (c) it
has insufficient contact information. Substitute notice, when permitted, must include email
notice if the email address of the person is available, conspicuous posting on the website of
the agency, person, or business required to provide the notice, and notification to major
statewide media.
Unlike the California statute after which this bill is apparently modeled, there is an exception
to the disclosure and notification requirements if there has been a technical breach of the
security system that does not seem reasonably likely to subject customers to a risk of criminal
activity.
Any waiver of the notice requirements is considered contrary to public policy and void and
unenforceable. Any customer injured by a violation of the notice requirements may
commence a civil suit for damages, and any business that violates, proposes to violate, or has
violated the notice provisions may be enjoined.
Appropriation: None.
Fiscal Note: Requested on March 17, 2005.
Effective Date: The bill takes effect 90 days after adjournment of session in which bill is passed.
Testimony For: It was when the ChoicePoint story broke that it became generally known
that only the state of California requires disclosure of a security breach that involves a
consumer's personal information. This language is modeled after the California law. There
may be a similar effort underway at the federal level but it is appropriate for Washington to
move forward on this now.
It may be useful to compare the definition of personal information to the definition found in
the Governor's Executive Order concerning privacy. The exception for technical breaches
uses the term "seems" which is very loose and may not be the best term to use. With respect
to what agencies are required to do, these new requirements may be a better fit in Chapter
43.105 having to do with agency databases rather than in the public disclosure laws.
(With concerns) While this language mirrors the California law in most respects, it includes
an exception for technical breaches which is not found in the California law and which
should be removed. This exception renders the rest of the bill ineffective and leaves it to the
consumer reporting agencies to decide whether to notify consumers or not. These agencies
cannot be trusted to keep data safe and should not have the discretion to decide whether to
notify a consumer or not.
A federal solution would be preferable rather than a patchwork of different state laws and at
this time Senator Feinstein is moving legislation forward at the federal level to address this
problem In addition, federal agencies are working on procedures to address this problem. If
Washington moves forward with legislation in this area, the exception for technical breaches
is necessary. Even with this exception, ChoicePoint would have had to report the breach to
its consumers. ChoicePoint situations are rare, however. Breaches may occur that have
nothing to do with criminal activity. Every day, hackers try to access information and
sometimes they get through a single security layer but are stopped by additional layers of
security. If every attempt had to be reported to consumers, consumers would be inundated
and would start to ignore the notices.
Testimony Against: None.
Persons Testifying: Senator Brandland, prime sponsor; Greg Overstreet, Office of the Attorney General; Robert Pregulman, Washington State Public Interest Group; and Denny Eliason, Washington Bankers Association.