April 26, 2006 – Arizona’s state legislature has passed a data breach notification law that is currently awaiting the signature of Governor Janet Napolitano. While the law may have been well intentioned, it has some critical flaws and we are urging the Governor to veto it.

Data breach notification laws started to become popular in early 2005. These laws require companies that store consumer data to notify consumers when their data is exposed without the consumer’s authorization.

California passed the first data breach law in the country in 2004. The law gained national attention when ChoicePoint, a company that stores and sells consumer data to virtually anyone who wants it, found that 145,000 consumers had been exposed to potential identity theft. 30,000 of those consumers were residents of California. The law forced ChoicePoint to notify them of the breach.

Although ChoicePoint originally said that only California consumer’s had been exposed, they were soon forced to change their story and admit that the breach involved consumers around the country. It was then that other states began to examine the need for their own data breach notification laws. There are currently 11 states that have such laws on the books.

Unfortunately, the Arizona law falls flat on its face when it comes to protecting the rights of consumers. This is because it has two very big loopholes.

First and foremost, the law allows companies to decide if a data breach is important enough to warrant consumer notification. The legislation reads that only breaches that "materially compromise" consumer information require notification. And the definition of "materially compromise" is left up to the company that exposed the data in the first place. It’s like the fox guarding the hen house!

Secondly, the law exempts banks, hospitals and government agencies from compliance. Since many of the data breaches over the past twelve months have involved the banking and healthcare industries, this loophole presents a real problem for consumers.

When compared to data breach laws in states like California or New Jersey, the Arizona law is virtually worthless. These other states make almost no exception for consumer notification; as it should be.

ACCESS urges Governor Napolitano to veto this legislation, SB 1338. We believe that if this bill is allowed to become law it will provide consumers with a false sense of security while doing nothing to protect them. The Governor should tell the legislature to come up with new legislation that offers consumers some real protection.

Only registered users can write comments.
Please login or register.