Bill Would Require Notification of Records Breach

In an attempt to fight identity theft, the state legislature recently passed a bill that would require businesses to notify customers if their personal information has been accessed illegally.

"We have a big concern with identity theft," said Rep. Jeff Fitzgerald (R-Horicon), one of the bill’s authors.

The legislation is awaiting Gov. Jim Doyle’s signature, along with a companion bill passed by the legislature that empowers consumers to freeze their credit reports if their identity has been stolen.

Identity theft was at the top of the Federal Trade Commission’s list of consumer fraud complaints last year, accounting for 37 percent of the total number of complaints.

Hackers accessing databases with financial information on millions of Americans, phishing scams luring unsuspecting people into giving their sensitive information and carelessness on the part of businesses all contribute to the increasingly problematic trend of identity theft.

According to the FTC, incidents of identity theft in Wisconsin rose 8.5 percent in 2005 to 2,782. However, identity theft in the metro Milwaukee area fell 39 percent last year from 1,877 in 2004 to 1,141 in 2005.

One state agency is expressing opposition to the bill that would require businesses to notify customers if their personal information has been accessed illegally.

"We are opposed to this legislation because we don’t think it goes far enough," said Janet Jenkins, administrator of the Division of Trade and Consumer Protection. "There are some major problems with it."

The law creates the right for a consumer to sue the company that doesn’t comply with the law, but there are no other penalties. In order for consumers to prevail in a lawsuit, they would have to prove that they suffered damages because they didn’t receive notice from a company that their information was obtained by an unauthorized individual, Jenkins said.

"If you think about it, no one is likely to be able to prove that the failure to give notice has resulted in an identity theft that may occur six months to two years later," Jenkins said.

Fitzgerald said Jenkins’ concern about lacking penalties was something the legislature debated.

"We didn’t want to make a business that was hacked, the victim," Fitzgerald said. The provision allowing civil action for a company’s failure to issue notice to a consumer was put in to strike a balance between businesses and consumers, he said.

In cases where significant amounts of information have been obtained, the cost of notifying consumers will be substantial, Jenkins said.

"Because giving notice is expensive, and because there are no penalties for failure to do so, I’m fearful that (companies) won’t," she said. "It’s ‘feel good’ legislation, but not effective legislation. If they’re serious, companies have to give notice, there should be penalties imposed on a company for not giving notice."

Before the notice requirement is triggered, there must be the determination that the acquisition of sensitive information creates a "material risk of identity theft."

"What’s a material risk?" Jenkins asked. "Apparently, under the legislation, it’s the company that would otherwise have to give the notice that determines what material risk is."

The bill requires notice, but if a company doesn’t wish to issue notice, the consumer will be hard-pressed to know otherwise.

"It’s a good bill in the sense that it says thou shall do this, but there is no penalty in a practical matter if they don’t," Jenkins said.

"Really, it was a tough balance between the business and consumer," Fitzgerald said. "That’s why there is no penalty."

Communication between the business and the consumer is an important proactive measure, he said.

"The problem I think is all of a sudden you turn the business into the victim (by including penalty provisions)," Fitzgerald said.

When consumers are made aware that their data has been compromised, they are able to take appropriate protective actions, he said.

"I think it’s legislation you’re going to see throughout the country," Fitzgerald said. "It’s good consumer protection and we’ve got to take a step in the right direction."

At press time, the governor’s office had not returned a phone call seeking comment about the bills.

