Navigating the law of unintended consequences
While the U.S. Congress dickers over how to respond to a series of high-profile data mishaps by ChoicePoint and other companies, state legislators are wasting no time.
Legislators in more than 20 states, including New York, Washington, Illinois and Texas, have already proposed laws in response to a series of security snafus involving Bank of America, payroll provider PayMaxx and Reed Elsevier Group's LexisNexis service.
While details vary, most of the state proposals follow the lead of a California law that took effect in 2003. It requires customers to be notified when "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."
That's a reasonable principle for companies to follow. But many of the new state bills seem to have been written in haste and could create more problems than they solve. One measure introduced last month in New Jersey, for instance, would require that customers be alerted if any personal information--even an e-mail address or home page address--is acquired by an "unauthorized person." Companies that fail to disclose this can be fined $10,000 for the first offense and $20,000 for the second.
