We haven’t heard much from the Legislature on this issue other than a few murmurs here and there. But the House did weigh in last week on a related issue when it passed this bill regarding identity theft. Officially, it’s called the Security Breach Notification Act, or HB 2245.
In a nutshell, HB 2245 sets up penalties for failing to disclose a breach of “personal information” contained in a database maintained by government, nonprofit or private industry. But it stops far short of the “kitchen sink” approach as to what constitutes personal information according to the new Supreme Court rule.
The bill passed the House by a vote of 98-0 and is now headed to the Senate.
Here’s how HB 2245 defines “personal information” in Section 2, Part 6:
6. Personal information means the first name or first initial and the last name in combination with and linked to any one or more of the following data elements that relate to a resident of this state, when the data elements are neither encrypted or redacted:
a. social security number
b. driver license number or state identification card number issued in lieu of a driver license, or
c. financial account number, or credit card or debit card number, in combination with any required security code, access code, or password that would permit access to the financial accounts of a resident.
The term does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records made available to the general public.
Now, here’s how the Supreme Court defined “personal data identifiers” in its rule:
A. Social Security Numbers. If an individual’s social security number must be included in a pleading or other document, only the last four digits of that number shall be used.
B. Taxpayer Identification Numbers. If a taxpayer identification number must be included in a pleading or other document, only the last four digits of that number shall be used.
C. Names of Minor Children. If the involvement of a minor child must be mentioned in a pleading or other document, only the initials of that child shall be used. In the alternative, the filer may refer to the child in the manner that shields the identity of the minor in the context of the proceeding (i.e., by symbol [Child A, Child B]; as Doe1, Doe2; or by the child’s status in the litigation [Witness, Victim, Ward, Beneficiary]).
D. Dates of Birth. If an individual’s date of birth must be included in a pleading or document, only the year shall be used.
E. Financial Account Numbers. If financial account records are relevant or mentioned in a pleading or other document, only the last four digits of these numbers shall be used.
F. Home Addresses. If a home address must be included in a pleading or other document, only the city and state shall be used.
You could probably make a decent case for not having Social Security numbers, account numbers and names of minor children in some court filings. But it’s a stretch for the Supreme Court to redact addresses and dates of birth, especially in the age of Facebook, MySpace and online telephone directories.
In the offline world, I’ve had at least three thick telephone directories land on my porch in the last six months. Included in there? Literally hundreds of thousands of home and business addresses.
Meanwhile, on the identity theft and fraud front is the latest report from Javelin Strategy & Research, a technology consulting group in California.
Here’s the highlights:
- “Although many people believe that most identity theft only occurs over the Internet and that hackers are responsible for all identity theft and fraud, Javelin’s research has found that many thefts occur in the physical world.”
- “Among the 35 percent of victims who knew how their data was taken, lost or stolen wallets, checkbooks or credit cards accounted for more than twice as many instances of theft than all online channels put together.”
- “Over the past 12 months, 8.1 million Americans were victimized by identity fraud, a crime amounting to $45 billion. Although both the total number of victims and overall monetary losses have steadily decreased over the past four years, consumers and their financial institutions must continue to take protective measures against this serious crime.”
Javelin’s research was funded by in part by CheckFree Services Corp., Visa USA and Wells Fargo Bank. But it did note, “To preserve the project’s independence and objectivity, the sponsors of this project had no involvement in any portion of the tabulation, analysis or reporting of the final results.”
Written by Paul Monies