With all the millions of cases of identity theft you would think we would want everybody to know when their sensitive data is in the wrong hands. But your right to know is far from guaranteed.
Lee Block was checking his credit card statement online when a scary message popped up that said his account ay be at risk. There had been a data breach. It happened at some merchant he had used. But who? Where?
Lee had to know.
"I don't' know which company, which merchant with whom I've been dealing with was been breached. And I don't know what information they got," he said.
Lee wondered if some crook out there was now armed with his personal information and wondered which merchant had let it leak out.
"Did they get just my name and address, did they get my firstborn child, my dog's name, did they get my Social Security number or did they just get my credit card number?" he said.
Lee wanted to protect himself from becoming the next harried victim of identity theft, so he asked his bank more about the breach. Only Citibank wouldn't tell him more, just that he was getting a new credit card and not to worry.
"How do we find out this information and why is it they don't share it? You know what are they hiding," said Lee. "I see on your show all these nightmares that happen to people. Something happens, they get hacked, and then they spend the next five years of their life trying to untangle the mess that's been created."
So Lee contacted 7 On Your Side and we contacted Citibank. The bank said for security reasons, it does not reveal specifics about data breaches. It assured us that Visa and MasterCard work with merchants to shore up any weakness in their databases.
In a statement, they said: "We do not discuss details of the potential compromises, such as the number of customers potentially at risk, or our specific actions. We want our customers to know that they are not liable for any unauthorized use of their accounts."
That's nice, but what about potential identity theft?
"If they are not legally bound to provide me this information, why not?" asked Lee.
That's what State Sen. Joe Simitian, D-Palo Alto, wants to know.
"When somebody else who holds your information loses that information, they've got an obligation to tell you and they ought to tell you in a way that allows you to help yourself," said Simitian.
Simitian wrote the 2002 California law that requires companies to notify you if your data has been hacked. But companies don't have to tell you anything more about it.
So this year Simitian wrote a new law that does go further. It would require companies to tell you what information was stolen and when it was taken.
The bill sailed through the Legislature only to be vetoed this month by Governor Schwarzenegger. The governor said the current law is working fine and the bill would place "unnecessary mandates on businesses without any consumer benefit."
But not according to Simitian.
"Any and all of us are at risk 24 hours a day, seven days a week. This was a way to make sure that when our information is compromised, we can protect ourselves," said Simitian.
Ironically, California was the first state to require notification of data breaches, now other states offer more protections than we do.
If you live in New York, Oregon, Hawaii and six other states, companies would have to tell you all about your data breach, including what personal information may be in the wrong hands.
Lee's not moving to another state just yet, but he's keeping an eye on his credit report.
"I'm still OK. I think I haven't yet heard from Equifax or any of the other credit agencies saying my credit is in the toilet," he said.
Simitian says he plans to try again to get that law passed so companies would have to tell you all about the theft of your personal information. We'll be keeping tabs.