Chicago Tribune

A law requiring businesses to promptly notify customers of security breaches involving their personal information takes effect Sunday in Illinois, one of a growing number of states trying to curb identity theft.

But data security observers see several shortcomings in such laws, including that they could be difficult to enforce or could backfire for some consumers.

The Illinois legislature passed the Personal Information Protection Act last May, making it the second state, after California, to require companies to promptly alert consumers of security breaches involving their personal information, Susan Hofer, spokeswoman for the Illinois Department of Financial and Professional Regulation, said Friday.

Gov. Rod Blagojevich signed the legislation in June, and the law takes effect Sunday.

Nearly 20 other states have passed so-called “breach notification” laws, according to the Public Interest Research Group.

Illinois’ measure was inspired by a 2004 incident in which Georgia-based ChoicePoint sold the personal information of more than 145,000 people, including 5,000 Illinois residents, to identity thieves posing as legitimate businesses. Even after ChoicePoint caught on to the breach, consumers were not notified until months later, in response to a California law requiring the disclosure of security breaches of personal information, according to Blagojevich’s office.

The Illinois law “can help individuals take steps to protect their assets and identities before thieves wreak havoc on their credit,” Blagojevich said in a statement after signing the bill.

The law does not specify exactly how quickly consumers must be notified if data is lost or stolen, but generally says data collectors must notify consumers “without unreasonable delay” after learning of a security breach.

“Prior to this law, there were no requirements for companies to notify individuals about possible security issues,” Hofer said.

But one privacy and data protection lawyer said a federal law also is needed because state laws vary so widely.

“A company that does business in a lot of states may have problems,” said Chris Wolf, chairman of the privacy and data security group of law firm Proskauer Rose. “It’s like trying to play a game of Whack-a-Mole to try to comply with different laws” absent federal legislation.

The Illinois Bankers Association, however, doesn’t seem to think the new notification law will be onerous.

“In the case of banks, they have pretty much followed that anyway,” said association spokeswoman Debbie Jemison. “It’s not going to be a huge difference.”

Also taking effect in Illinois Sunday is a law allowing victims of identity theft to place a freeze on their credit report, preventing its release to any party without their consent.

That law “looks decent–no fee for placing the freeze or lifting it, reasonable time limits on when the credit bureau has to respond,” said Beth McConnell, director of the public interest group in Pennsylvania. However, “it could have been stronger by allowing any consumer to freeze their report as a preventive measure, not just ID theft victims.”

But Proskauer’s Wolf said the notification law will likely lead to companies ringing alarm bells when consumers needn’t be worried. In response, consumers might put a security freeze on their credit accounts, protecting them from misuse but also making it tougher to legitimately use credit and open new accounts, he said.

One identity fraud detection service said such laws do little to prevent the growth in identity theft.

“There are so many ways of using identity information,” said Terrence DeFranco, chief executive officer of Edentify Inc., a publicly traded Bethlehem, Pa.-based identity management firm. “If you’re the perpetrator you can skate around the alert.”

States might be better off putting some of the burden on, say, banks to do a better job of screening who’s applying for a credit card, DeFranco said.

———-

byerak@tribune.com.