Legislation Sponsored By Senator Saland To Protect Against Identity Theft Passes The Senate

Stephen M. Saland

June 21, 2005

Senator Steve Saland (R,C Poughkeepsie) today announced that legislation (S.3492-A) he has sponsored to help protect consumers from fraud and identity theft by requiring businesses and state agencies whose computer security is breached to notify individuals whose private information was stolen has passed the Senate. He has also sponsored legislation (S.2899) which passed the Senate today to expand and clarify the crimes of identity theft as well as strengthen the penalties.

As computers become more a part of our daily lives, people increasingly transact business over the Internet. This increases, or in many cases necessitates, businesses placing sensitive personal or private financial information on computers which are accessible through the Internet. As the amount of personal and financial information accessible via the Internet increases, these computers become increasingly attractive targets of computer hackers seeking to obtain information needed to commit fraud and identity theft.

It was reported last Friday that 40 million Visa, Mastercard and other credit card accounts were exposed to a risk of fraud after data thieves stole records from CardSystems Solutions, a firm that provides information services to the credit card companies. Identity thieves posing as legitimate businesses obtained access to consumer's personal information maintained on ChoicePoint's computer system and stole the personal information of 145,000 people.

Under the provisions of this bill (S.3492A), businesses must notify customers that their private information was stolen, as soon as possible, once the breach is discovered. The legislation requires businesses to provide notice in writing or by telephone. The bill also allows businesses to send an electronic notice. However, federal law requires consumers to consent to receiving required notices in electronic form for all manner of commerce within their jurisdiction. This bill would also require the customers express consent to electronic notice.

In the event that the breach exceeds 500,000 names or $250,000 in notification costs, the business may notify the news media, post notification on its web site and e-mail the customers. This bill imposes the same notification requirements on state agencies as it does on business.

This legislation also calls for appropriate penalties to ensure compliance from businesses. Court imposed civil fines would begin at five thousand dollars and could reach ten dollars per person who did not received the requisite notice, with a maximum of a $150,000 fine. In addition, under this bill, the Attorney General would be authorized to bring an action on behalf of victims for a violation of the provisions of this measure.

"Timely notification is essential in cases where personal information may have been stolen or improperly disseminated," said Senator Saland. "This legislation would put practices in place to ensure that notification is prompt and damage is minimized or avoided."

The second bill(S.2899) would expand and clarify the crimes of identity theft as well as strengthen the penalties. The legislation would:

- increase the penalty for identity theft in the first degree from a Class D to a C felony;

- expand the period between prior convictions of identity theft from 5 to 10 years;

- expand the list of unlawfully possessed personal identification information for identity theft in the second degree; and

-decrease the number of such items possessed from 250 pieces to a more reasonable 10 pieces.

"It is not uncommon for years to pass before victims of identity theft are able to clean up the mess left by those who commit these crimes," said Senator Saland. "This legislation would make it easier to hold those who engage in identity theft accountable for this very serious crime."