Companies now must divulge security breach details

February 1, 2012 7:39:31 PM PST
Every year, millions of people have personal information stolen in a data breach. Often it's of no consequence, but you're left to wonder if someone's going to steal your whole identity. Well, California now has a new law and 7 On Your Side can explain it.

The figures are staggering, so you can see why this law was passed. During the past three years, more than a quarter billion people have found their personal information was stolen or lost in a computer breach. New protections just took effect in California. But the question is: are they enough?

"I want to know where my information is," said Todd Evans-Longo.

The last time we saw Evans-Longo, he'd just received a frightening notice. HealthNet Insurance was missing several hard drives, containing medical records of two million customers, including him.

"Like they got everything somebody would need to know to be me," said Evans-Longo.

Since then, millions more Americans have received similar scary notices, like those 200 million Sony PlayStation customers who found out hackers got into their accounts. Thousands of City College students just learned their banking information may have been stolen.

"Too many people were getting a notice that said, 'Hi, some information was compromised,'" said State Sen. Joe Simitian, D-Palo Alto.

Simitian authored the 2003 law that requires companies to notify you if they lose your data. Now, that law just got much stronger.

"Look, you want to know, 'Was it my bank account? Was it my credit card?' Not just that something was taken, but what," said Simitian.

Until now, companies that lost your information didn't have to tell you anything about the breach, just that it happened and that you were involved. Now they must give you more facts, like what information was stolen, when it happened, and how to contact credit bureaus in case someone's actually stealing your identity.

"...Providing more certainty that you'll get the information you need to protect yourself," said Simitian.

"I think notification is a good first step," said Steve Edelman, a Mill Valley resident.

Edelman is still worried. His wife's information was stolen in the big Sutter Health data breach in November. She was too ill to appear on camera, but Steve said he wishes the law were even stronger.

"The law should require some identity theft protection and any other services that are necessary to try to retrieve the information or limit the amount of damage it can do," said Edelman.

Evans-Longo agrees. One year after his information went missing he's still wondering if some crook is planning to pose as him.

"If there's a breach and it's not your doing, you're counting on somebody to protect your stuff, then they should have to protect you somehow," said Evans-Longo.

Simitian says these are common concerns.

"I've got the time, travel and expense of closing down the account, opening up another one. Shouldn't somebody be responsible for that? I think that's a long way off, for better or worse," said Simitian.

Simitian said it took four years to enact the new protections, so it's unlikely the law will change anytime soon. However, HealthNet notes it did provide Evans-Longo and other customers with a limited two years of identity theft protection services even though it wasn't required by law.

Sutter Health said it did not offer identity protection because the stolen data did not include any patient financial records or Social Security numbers.

"So many people are relying on identity theft monitoring services to protect them from identity theft and in fact that's not what they do," said Rainey Reitman from the Electronic Frontier Foundation.

Reitman says identity protection services aren't the cure-all anyway.

"They just notify you when certain information is on your credit report," said Reitman.

She says it's better to monitor your own credit reports, bank accounts and insurance statements, and hope no one poses as you when committing a crime.

"It's uncomfortable, a little spooky," said Edelman.

"You could be the safest person in the world and your information's out there. It's floating around," said Evans-Longo.

There are several steps you should take if your information is stolen, such as filing a police report and setting up a fraud alert with the three major credit bureaus.