The Charlotte Observer - 06/27/2007

Data breach law has a hole

by ANDREW SHAIN
Consumer Writer

Under N.C. law, a bank or hotel must tell you if crooks get ahold of your account information, but not the state motor vehicles division or city water department.

The law passed last year exempts state and local government agencies from notifying consumers after data-security breaches. And the law's creators and chief sponsor could offer no reason Monday why they gave governments a free pass.

That puts North Carolina at odds with similar laws passed in most other states. Nearly 20 of the 30 states that have enacted security-breach notification laws require governments as well as businesses to inform potential victims, an Observer analysis found.

Late last week, a parent discovered Social Security numbers belonging to 619 Catawba County students on the Internet.

The school district, which thought the Web page was password-protected, removed the information and sent letters to parents after learning of the breach from a Hickory newspaper.

Catawba County Schools officials said Monday that they would have notified parents no matter what state law required.

N.C. Sen. Austin Allran, a Republican who represents Catawba County, said the government exemption "doesn't make much sense."

"I guess we didn't think something like this was going to happen," Allran said.

Many recent publicized data-security breaches have involved various government agencies nationwide, notably stolen data belonging to 26 million active and retired military personnel.

"That could have just as easily been happening within state government," said Rob Thompson, a consumer advocate for the N.C. Public Interest Research Group. "Pretty much everyone who deals with personal information doesn't take good care of it. Without notification, how else will you know about a breach until your credit report shows you got a loan in Washington state?"

Information belonging to an estimated 88 million people nationwide has been lost, stolen or exposed since the beginning of 2005, according to a list of announced breaches compiled by the Privacy Rights Clearinghouse. Personal financial information can be used by identity thieves to get credit cards and loans.

North Carolina's breach notification law was crafted by state Attorney General Roy Cooper's office and already included the government exemption when it was submitted to legislators, said Sen. Dan Clodfelter, a Charlotte Democrat who sponsored the bill.

Clodfelter referred additional questions to Cooper's office.

Cooper's office would not say Monday why the exemption was included.

A spokeswoman said Cooper could not be reached for comment Monday, but she said the attorney general would support ending the exemption.

Clodfelter and Allran said they would consider amending the notification law to include government agencies next year.

"We never get everything right when we first go at it," Clodfelter said. "That's why we meet every year."
