March 14, 2005 4:00 AM PST

Perspective: Navigating the law of unintended consequences

While the U.S. Congress dickers over how to respond to a series of high-profile data mishaps by ChoicePoint and other companies, state legislators are wasting no time.

Legislators in more than 20 states, including New York, Washington, Illinois and Texas, have already proposed laws in response to a series of security snafus involving Bank of America, payroll provider PayMaxx and Reed Elsevier Group's LexisNexis service.

While details vary, most of the state proposals follow the lead of a California law that took effect in 2003. It requires customers to be notified when "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

That's a reasonable principle for companies to follow. But many of the new state bills seem to have been written in haste and could create more problems than they solve.

One measure introduced last month in New Jersey, for instance, would require that customers be alerted if any personal information--even an e-mail address or home page address--is acquired by an "unauthorized person." Companies that fail to disclose this can be fined $10,000 for the first offense and $20,000 for the second.

Perhaps an e-mail address or home page address could be as sensitive as a bank account number and PIN, but for most people that seems unlikely. Is such a sweeping definition of "personal" information really in the best interests of business owners in New Jersey?

North Dakota's approach suffers from the opposite problem: It may not be broad enough.

Companies would have to reveal a security breach only if it involved driver's license numbers, mother's maiden name, birth dates and so on. The disclosure requirement wouldn't cover a leak or theft involving passwords used on Web sites--a glaring oversight, in a world where so many people reuse passwords online.

Then there's Missouri's freshly introduced security breach bill. Like many other state proposals, it would regulate only the "unauthorized acquisition of computerized data."

Why should "computerized data" be singled out for special treatment? Sure, it may be easier for an identity thief to download a database than haul away a file cabinet. But the potential for harm is the same. (An Illinois version, by contrast, encompasses "non-computerized" data as well.)

Unintended consequences?
Ohio is taking a different approach. Its legislation, introduced on March 1, would require reporting of security breaches involving any record of "actions done by" a person.

That could be problematic for the many Web sites, from My.yahoo.com to Slashdot, that let visitors log in and customize how information is displayed. Would those companies be required to contact each of their users if an access log on a Web server were accidentally made public? Nonprofit groups, such as charities and churches, would be subject to the same rules. Could they afford to comply?

The politicians drafting these laws are no doubt sincere in their efforts to improve information security. But some business groups are becoming concerned about the unintended consequences of hastily prepared state laws.

"We're worried about that," said Jerry Cerasale, vice president for government affairs at the Direct Marketing Association. Cerasale said that while database security must be improved, the laws must be carefully worded.

"I always worry that too much notice is no notice at all, from our point of view," Cerasale said. "For example, say someone misplaced a tape and they found it an hour later. Is that a potential breach? That's the kind of thing we have to worry about. If there's constant notice, does that help the consumer?"

These are common problems that politicians, who rarely understand technology, face when they try to regulate it. Economic knowledge among politicians also tends to be lacking: Only infrequently are the costs that regulations impose on businesses weighed against the benefits they are said to provide.

The recent snafus at ChoicePoint and other companies have demonstrated the importance of good information security. It's so important, in fact, that politicians should be doubly careful in their responses.

Biography
Declan McCullagh is CNET News.com's chief political correspondent. He spent more than a decade in Washington, D.C., chronicling the busy intersection between technology and politics. Previously, he was the Washington bureau chief for Wired News, and a reporter for Time.com, Time magazine and HotWired. McCullagh has taught journalism at American University and been an adjunct professor at Case Western University.

8 Comments
Largest risk is US Post Office
by patsimon March 14, 2005 11:12 AM PST
Did you know that anyone can change your mailing address? No identification is required. A thief can simply fill out a card with your existing name & address, put the forwarding name & address, and sign your name. The new address is recorded in the U.S. Post Office database and is sent to credit card companies, who in turn send it to the 3 major credit reporting agencies in the U.S. Meanwhile, your first class mail gets forwarded to the address the thieves have chosen. In this manner the thieves have gotten all of my personal information, including SS#, medical information, and even a copy of my credit report from one of the big 3 (TransUnion, Equifax, Experian). They changed my address 4 times in as many months. No proof of identity is required to do this, and the Post Office folks responsible for the central forwarding database in Tennessee have no way to flag your account so that it does not get changed. Check it out for yourself if you don't believe me. Even if you speak with the folks at your local post office and tell them not to forward, the mail gets forwarded from the central forwarding service before it ever reaches your local post office. This seems to me a bigger security risk than any of the computerized databases.
Post Office as privacy risk
by declan00 March 14, 2005 2:26 PM PST
Patricia: That's a very good point! Thanks for bringing it up.
Postal Service protects privacy
by March 16, 2005 2:00 PM PST
In response to Patricia Simon, the U.S. Postal Service safeguards the privacy of individuals and by law employs Postal Inspectors to investigate crimes involving mail theft and fraud. In addition, it was one of the first government agencies to employ a Chief Privacy Officer. I understand that Ms. Simon may have had a very bad experience and it may have occurred some time ago, but here is what happens today. The USPS does not give Change Of Address (COA) to credit card companies or credit reporting agencies. The USPS does provide COA information to mailers, but only if they have a name and old address so the customer can continue to receive his or her mail. We presume that is why a COA was filed: so a customer can continue to get their mail at their new address. We have built in safeguards to prevent fraudulent COAs. A letter is sent to both the customers' new address and old address confirming receipt of a COA and providing contact points in case a COA was not intended.
same goes for hastily written columns
by March 14, 2005 12:30 PM PST
lol

I mean his comments could cause more damage than 'good' so why listen to them at all.

It's all about the 'straw man'; journalists think they hold some special place in straw man theory, only they can propose thoughtless or thoughtful proposals.

Welcome to the new world where lawmakers take on the art of the 'pose', as well.

You know it's the old one about "life imitating art, imitating life", or somesuch nonsense like that.
I Say Shoot First And Sort Out The Details Later
by March 14, 2005 1:54 PM PST
I would like to see every State and several Federal agencies come out with their own regulations governing the mess these companies have created.

These companies should have to prove why they need this information. They need to prove why they are collecting it. They need to guarantee the security of the data. They need to notify people when they fail at any of the above.

One can always find a reason for not doing something -- and this ain't one of them. I never thought I would see the day that I long for more government regulation....
Best interest?
by Michael Grogan March 14, 2005 7:00 PM PST
"Is such a sweeping definition of "personal" information really in the best interests of business owners in New Jersey?"
Do we really care what's in the best interests of the business owners who have been inventing all of these ways to screw with our privacy? Let 'em eat cake and leave my personal info alone...
"best interest"
by declan00 March 14, 2005 7:43 PM PST
You're taking an unfortunately narrow view of "best interest." Last I checked, without NJ businesses to pay taxes and employ their workers (directly) and government workers (indirectly), NJ would be bankrupt quickly. Imposing onerous requirements on small businesses will, at the margin, make them less likely to hire, less likely to expand, or less likely to remain in the state.

I'm not saying that this requirement by itself will make businesses flee, but it is one more regulation that small business owners will consider.

Ironically, it's the large corporations (who you apparently dislike so) that will have an easy time of complying with regulations. They've got the full-time legal department. A sole proprietor doesn't.