By John Fuquay
RALEIGH — Consumers are to be notified by businesses, such as banks, when
personal information is lost; and a bill in the General Assembly would
add the same requirement to governments.
The bill passed in the House last year but did not clear a Senate committee
until last week. It could be heard by the full Senate this week.
Prompted in part by a recent theft of military records, the bill would require
disclosure by governments whenever someone’s Social Security number,
account number, password or other sensitive identifying information is
compromised.
The bill strengthens a 2005 law that requires businesses to notify
customers of potential identity theft. If passed, the law would apply
to local and state agencies, such as the N.C. Department of Revenue,
local motor vehicle offices, cities and schools.
State Attorney General Roy Cooper has pushed for mandatory disclosure laws.
While most governmental agencies say they don’t mind disclosing
potential identity theft, there was no requirement.
The U.S. Veterans Administration recently disclosed that information about
more than 26 million retired and active duty military personnel had
been stolen. But the theft was kept quiet for weeks.
“Government should have to play by the same rules as business when it comes to
protecting personal information,” state Attorney General Roy Cooper
said in a statement. “Consumers deserve to know when their information
has been lost or stolen and could fall into the hands of an identity
thief.”
The identity theft law of 2005 seeks to minimize the use of Social Security
numbers as identification numbers, allows consumers to prohibit release
of their credit history, and requires businesses to protect a consumer’s
personal information. The bill did not address government offices.
“I think it’s good that we’re closing this loophole,” said Rob Thompson,
director of the N.C. Public Interest Research Group, an independent
advocacy organization. “We shouldn’t assume that governments would make
that same disclosure businesses do.”
Cooper’s spokeswoman, Noelle Talley, said governments weren’t included a year
ago because breaches by private companies were considered more urgent.
She said a data-processing company had planned to limit notification of
a breach to its California customers because it was the only state
that required notification.
“We’ve since seen that government is not immune to this problem,” Talley said.
Social Security numbers have been used as identifying numbers for many years.
Some states used the numbers on drivers’ licenses, and, in some cases,
they remain available.
‘Security breach’
Thompson said he is concerned about an “ongoing security breach” with Social
Security numbers available from the N.C. Secretary of State’s Web site.
He said about 500,000 such numbers are available with business
registration information.
Liz Proctor, a spokeswoman for the Secretary of State, said the office is
seeking a one-year extension in the bill to allow time to redact the
numbers.
“We don’t ask for those numbers, but some of the forms sent in do have it,”
Proctor said. “What we’ve been trying to do as new forms come in, is go
in and redact that before they’re scanned onto the Web site. It’s a
public document, so we can’t really change it. The issue is, we still
have 2 million older filings.”
State Rep. Margaret Dickson, a Fayetteville Democrat who co-sponsored the
bill last year, said she was not aware of the Secretary of State’s use
of the numbers, and hopes it can be corrected.
“Sometimes our technology makes possible things we couldn’t have imagined before,”
she said. “It wasn’t too long ago that universities in North Carolina
used a Social Security number as a student’s ID number. Circumstances
change, and we have to adapt.”