State laws on data breaches need overhaul

The Olympian

BY BOB FERGUSON, JOHN BRAUN AND ZACK HUDGINS - SPECIAL TO THE OLYMPIAN

Chances are, in the last six months, your information has been stolen in at least one data breach. Last month, Premera Blue Cross announced that millions of its Washington customers were affected by a cyberattack. In February, Anthem, the nation’s second-largest health insurer, confirmed that nearly 80 million names and Social Security numbers were compromised in a data breach – including Washington Apple Health enrollees. In December, criminals stole the personal information of 40 million Target customers. At Home Depot, 56 million credit and debit card numbers were exposed.

Meanwhile, a 10-year-old Washington state law on data breaches is increasingly obsolete. That’s why we propose legislation to update our statutes and require meaningful, timely notification when breaches of sensitive personal information occur.

In many cases, the stolen information shows up for sale in black-market outlets within days. Sometimes it has everything a crook needs to steal your identity or perpetrate credit card fraud. Consumers end up paying billions of dollars each year to clean up the mess from this identity theft.

As consumers, we trust that the information we provide in the marketplace, whether online or at brick-and-mortar establishments, is kept safe. But when your personal information is stolen—you need to know so that you can take steps to monitor your accounts, change passwords, and protect your information.

Combatting fraud and identity theft should be a top priority this legislative session. We have proposed bills that would strengthen our data breach notification laws to ensure consumers are notified timely whenever their information is at risk. The Attorney General has also proposed a second bill that would ensure the continuation of two highly successful law enforcement task forces that are arresting and prosecuting identity thieves.

Our current state law requiring notification when a data breach occurs has not been updated since it was enacted 10 years ago—despite wholesale advances in technology and increasing sophistication by cyber criminals. It is time to refresh this law.

In the present statute, there are too many loopholes about when notification must be provided, leaving consumer’s vulnerable to financial fraud and identity theft. The current law is alarmingly vague on the timeline to notify consumers when data has been compromised. And unlike other states, our current statute does not require notification to the Attorney General when a data breach puts state residents at risk.

Our proposal ( SB 5047/HB 1078) would update our state’s data breach notification laws. It would close existing loopholes, require notification to affected individuals and the Attorney General within 45 days of a data breach, and ensure that notification is written in plain language.

When consumers are notified, they will be able to better protect themselves and secure their identities. When the Attorney General’s Office is notified, we can provide information and better service to individuals whose data may have been compromised. By collecting data on breaches happening statewide, the office can examine patterns of activity and identify trends to help law enforcement crack down on cyber criminals.

We must also go after the source of the problem: the perpetrators of identity theft. In 2009, the Legislature established two financial fraud and identity theft (FFIT) task forces, one for the greater Puget Sound, the other for Spokane County. Bringing together federal, state, county, and local law enforcement with private financial industry investigators, these task forces are a strong tool to combat the worst offenders in a complex, multi-jurisdictional category of crime.

In 2013, the task forces conducted 555 investigations, made arrests in 535 cases involving 1,392 counts, resulting in 495 convictions on cases prosecuted.

Without legislative action, the authority and funding for these task forces sunsets on June 30. The attorney general, Sen. Joe Fain (R-Auburn) and Rep. Steve Kirby (D-Tacoma) are proposing legislation ( SB 5058/HB 1090) to renew these highly effective task forces and to expand their reach.

Data breaches show no signs of abating in our increasingly digital, data-driven world. As consumers, we must ensure that our state laws and enforcement capabilities keep up with evolving threats and protect our personal information from those who seek to do harm.