Richard Holober: Landmark privacy law deserves an update

by Richard Holober, CFC Executive Director, Santa Cruz Sentinel

There’s an old joke that goes like this: What’s worse than finding a worm in your apple? Finding half a worm in your apple.

This is not unlike having your personal information lost or stolen. Let me explain.

If you are one of the many Californians who had your confidential information compromised in a security breach, you probably found out by receiving a letter in the mail. After reading it, you were probably quite upset. But trust me: like the worm in the apple, it’s better to know sooner rather than later.

As consumers, we depend on corporations and government agencies to protect the security of our most intimate financial data. Unfortunately, the number of people who suffer privacy breaches is staggering. According to the Privacy Rights Clearinghouse, at least 263 million sensitive records have been exposed nationwide since 2005.

These privacy lapses open the door to identity theft. Yet until 2002, no state in the nation required businesses and agencies that lost your personal information to let you know about it.

That’s when state Sen. Joe Simitian, then an assemblyman, authored AB 700, which requires any business or state agency that exposes your personal information to send you what’s known as a security breach notification letter. This law played a major role in highlighting the extent of the problem — information businesses had preferred to keep under wraps.

This year, Sen. Simitian is back with SB 20, a bill now on its way to the governor’s desk. If signed, it would provide an important upgrade to California’s landmark privacy protection law. SB 20 spells out which key details must be included in that notification letter, and would make sure the attorney general hears about the breach.

Notification letters empower consumers to better monitor their accounts for evidence of identity theft, and to take concrete steps that make identity theft less likely. Those steps range from freezing your credit report to simply alerting your bank that a breach occurred.

Requiring these details also creates a strong incentive for companies and state agencies to be careful with your information. No one wants their signature at the bottom of that notification letter.

It won’t come as a surprise to anyone that technology puts our private information, from social security numbers to medical files, at risk. The exponential growth of electronic records — while beneficial in many respects — makes breaches more likely and far more severe.

Losing a filing cabinet with 500 records is difficult. Losing a laptop with 5 million records is all too easy. For this reason, laws such as Sen. Simitian’s have become standard practice across the country. More than 40 states now require security breach notification.

Privacy notification laws won’t stop every security lapse from happening. But they will make businesses and agencies take more precautions to safeguard their data files. And if you ever do get that dreaded letter in the mail, you’ll be able to do something about it — before there’s only half a worm in your apple.

As the tally of victims grows, so must our commitment to strengthen privacy protections. That’s why the Consumer Federation of California and a host of other consumer advocates across the state are asking Gov. Schwarzenegger to sign Sen. Simitian’s SB 20. California’s landmark privacy law deserves his support.

Richard Holober is the executive director of the Consumer Federation of California.