New rule requires businesses, state agencies to do more about data breaches

Santa Cruz Sentinel

As many as 9 million Americans have their identities stolen each year, according to the Federal Trade Commission, which is pressing businesses to step up their levels of data oversight under a new Red Flags Rule that is set to go into effect at the end of the year.

The rule requires financial institutions and creditors subject to enforcement by the agency to develop and implement written identity theft prevention programs. Companies have been asked to help identify, detect and respond to patterns, practices or specific activities — known as “red flags.”

Additional employee training, reporting and notification laws are in effect and fines and penalties are onerous, said Alan Smith, a Scotts Valley business consultant who works with businesses in the area of data security.

“There are a ton of laws right now forcing businesses to be the prevention arm,” Smith said.

California was the first state to enact in 2003 a data breach notification law that required companies and state government agencies to notify individuals when their personal information has been compromised. A new bill, introduced by Sen. Joe Simitian, D-Palo Alto, was passed by the California Senate in April. It updates the existing law by requiring that notification letters contain specifics about the data-loss incident, including the type of personal information exposed, a description of the incident and advice on steps to take to protect oneself from identity theft. Simitian calls it “the logical next step.”

“No one likes to get the news that personal information about them has been stolen,” said Simitian in a prepared statement. “But when it happens, people are entitled to get the information they need to decide what to do next.”

At least 347 million sensitive records have been compromised nationwide since 2005, according to Privacy Rights Clearinghouse, a nonprofit consumer education and advocacy group. Twenty-eight percent of the people getting data breach notification letters don’t understand the potential consequences of the incident even after reading the letter, according to a survey by the Samuelson Law, Technology & Public Policy Clinic at UC Berkeley.

For information about the red flag rule, visit

This article was first published here.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s