When a thief recently swiped some computers from a Wells Fargo subcontractor, the bank jumped to alert affected...
customers, even offering them a year's worth of credit bureau reports.
It might look like a great example of the impact of California's Database Security Breach Notification Act (SB 1386), which mandates that California consumers be told if data identifying them may have been pilfered. However, Wells Fargo would have done that anyway.
"It's been a longstanding policy of ours to contact customers who may be affected" by security breaches, says Alejandro Hernandez, a spokesman for the financial institution's personal credit group. A number of Wells Fargo customers with unsecured loans were exposed by the theft, since some of the stolen PCs had unencrypted Social Security numbers.
That's not what was expected when SB 1386 became law July 1. Given the huge California economy and a general sense that hacking is on the rise, the law seemed certain to trigger a wave of reports to consumers. After all, the bill was passed by legislators who were outraged that no one told them when hackers broke into state payroll computers.
Many types of security breaches fall outside the scope of the law. For instance, JetBlue's selling of customer data wasn't covered, since it didn't involve hacking. Nor was the theft of e-mail addresses from online travel agency Orbitz, because the law only covers names combined with Social Security numbers, account numbers or credit card numbers.
Perhaps the best example of the law's impact came after hackers broke into a computer that registered visitors to the University of California at Berkeley's Bancroft Library. The break-in occurred in August, and because driver's license numbers were recorded on the system, university officials decided they should tell those on the registration list.
Though library officials believe the hacker used the compromised computer only to store files, and that no personal data was touched, because of SB 1386, "we decided to err on the side of letting people know," says Peter E. Hanff, the library's deputy director.
Critics have complained that the law is overly broad, since it tells organizations to alert consumers when data is "reasonably believed" to have been compromised. Joanne McNabb, chief of the California Department of Consumer Affairs' Office of Privacy Protection, says that if it had been written more explicitly, it would probably have drawn criticism for that.
The bigger question, then, is whether consumers aren't hearing about compromises because organizations conclude their data breaches aren't covered by the California law.
To prove the law applies, a California consumer would have to trace breaches back to possible violations and report it to the California Attorney General's office. McNabb recommends consumers check their credit reports twice a year, and look for things like unexpected credit checks by banks and others, as well as incorrect data in the personal section, such as an unfamiliar address.