On August 28, Missouri’s new data protection law went into effect. Fat lot of good it did for past clients of Nationwide Credit Counseling. When their financial records, replete with personal information, were found in bankers boxes in a dumpster , were they notified of the breach? No. And was any action taken against the company for just dumping their data? No.
OzarksFirst.com, which broke the original story, now reports:
Police are dropping the case against a suspect who threw away sensitive documents in a dumpster in Battlefield….. Dave Vallely, Battlefield police chief, says the company that owns the dumpster does not want to prosecute.
Investigators found a suspect, but now they will close the case. Vallely says he does not believe any crime other than illegal dumping was committed.
Missouri’s data protection law does not cover paper records or paper breaches. So Nationwide may have exposed numerous people to identity theft or fraud and get off scott free.
Nor does H.R. 2221, the Data Accountability and Trust Act, include required notification of breaches involving paper records.
If consumers are to have trust, we need to trust that our personal information will be protected, regardless of whether it is in paper format or electronic. As the ITRC’s press releases this year indicate, paper breaches now account for 27% of all breaches included in their annual statistics. Any proposed federal legislation that does not include both protection of paper records and disclosure of paper breaches is incomplete and should be amended.
Another great example of how casual our authorities treat this crime. Unfortunately, most of our media would have everyone believe Identity Theft is contained to only financial, and by having a monitoring service you are safe. A thief can get a whole lot further and instill tremendous damage with a social secuirty number and drivers license info than with a credit card and checking account. Our stolen information is a valuable resource to be sold for quick money by the criminals.
My social secuirty number being sold to 12 illiegal immigrants working at 12 additional jobs in the nation is not going to surface on my credit report nor is the warrants I have for my arrest for crimes someone committed using my personal information. That is why these AG’s need to force these companies to pay for a total restoration services company for those whose information has been breached by a negligent company. An individual cannot cover the five major areas of Identity Theft. We have an epedemic on our hands.
I agree with you, but as we both know, the AGs can’t enforce laws that don’t exist.
This site and its companion sites routinely report breaches that do not involve SSN, financial data, or credit card data. This site also reports paper breaches and breaches that do not affect huge numbers of people, precisely because I think legislators and the media still don’t “get” that while they focus on one aspect of ID theft or fraud, they are missing other significant problems.
One of the biggest examples I see of this is in reading Medicare or Medicaid fraud stories or press releases. Medicare and Medicaid fraud frequently involves medical ID theft, yet most of those press releases never report how the fraudsters obtained the patient Medicare and Medicaid numbers used for fraud, do not mention whether those patients whose numbers were misused were ever notified, and there is no indication as to how many might have had problems because their medical insurance records not contain false information. And when the fraudsters are sentenced, there is no indication that they are required to pay restitution to patients who may have to spend time and money to straighten out their records.
For some people, a breach may mean simply calling a bank, getting a fraudulent charge reversed, and getting a new account number and notifying people of same. For others, the consequences are much more serious, as you note. I was horrified to read the story of someone who had suffered for 35 years because of ID theft.
So I’ll keep beating my little drum over here in my little corner of the blogosphere and hope that others will join in and that many more people will let Congress know that what they’ve proposed to date is not nearly comprehensive enough. And I hope Congress finds its cajones to undo what HHS has done in watering down the breach notification requirements under the HITECH Act.