Information Security Consumer Alert

Technology (A Special Report): Information Security
Consumer Alert: In 2003, California passed its security breach notice law; Its effect has extended well beyond the state

The Wall Street Journal 07/18/05
author: Dionne Searcey
(Copyright (c) 2005, Dow Jones & Company, Inc.)

EARLY IN MAY, Keith Brown had to write a letter that any executive would dread: "I am sorry to inform you that my company has recently been defrauded by an individual who . . . may have acquired personal information about you."

Mr. Brown's data-collection company, Kalispell, Mont.-based Merlin Information Services Inc., had its computer systems hacked. The names and Social Security numbers of nearly 9,000 consumers were compromised.

A short time ago, nothing would have required Mr. Brown to notify the individuals that they were victims of this identity theft. But because of a two-year-old California law, Mr. Brown had to inform the residents of that state in his database that their personal information had fallen into the wrong hands. He chose to do more, telling everyone in the country who had fallen victim.

Since the California security breach notice law was enacted in July 2003, its effects have rippled far beyond the borders of the Golden State. Companies, health-care institutions and universities around the country have been forced to acknowledge security lapses that have resulted in the potential loss of personal information of California residents. Some institutions are beefing up their security systems to avoid future embarrassing disclosures, and laws similar to California's are sprouting up across the country.

At least 30 states already have passed such legislation, and many others are considering notification bills. Washington, meanwhile, is contemplating a national notification standard.