CHICAGO – Gov. Rod Blagojevich today proposed legislation that would require companies both inside and outside Illinois to quickly notify Illinois consumers if their personal information is compromised due to a breach in company security. The Governor’s action comes days after public disclosure of a massive security failure in October involving Georgia-based ChoicePoint, which resulted in the theft of personal information, including social security numbers, of approximately 145,000 people in all 50 United States – including roughly 5,000 in Illinois.
“Identity theft is the fastest growing crime in our country, at a cost of $550 million last year alone. We have to do a better job of preventing thieves from gaining access to personal information, and of helping consumers react quickly to protect their credit when identity thieves succeed,” said Blagojevich. “That means if a company knows that their records have been illegally accessed, they should let their customers know as soon as possible. Waiting until mid-February to notify customers whose information was stolen in October is not good enough.”
Current Illinois law does not require companies to notify consumers when their private information may have been hacked into or exposed to unauthorized sources.
The Blagojevich proposal would require companies to quickly notify anyone from Illinois whose information has been stolen. This would apply whether the company whose records were broken into is located in Illinois or any other state. Personal information would include social security numbers, dates of birth, medical records, and other personal and financial information. Companies that do not immediately notify their customers of potential identity theft will face civil penalties.
The stronger requirement will provide dual benefits: making sure that those whose personal information has been stolen are quickly notified; and motivating organizations to improve their security systems to better protect personal information.
The Governor’s proposal is similar to California’s 2003 “You’ve Been Hacked” law that requires disclosure of any security breach that puts Californians’ personal information at risk.
“California’s law provides a model for us to work from. I want to make sure Illinois’ law is as strong and effective as possible. I look forward to working with lawmakers, and have begun reaching out to consumer groups and the business community to get that done,” the Governor said.
The Governor’s proposal would also include other consumer protection enhancements, including an option allowing consumers to freeze their credit levels so that additional credit cannot be extended without permission and an identity check, and increased penalties for organized identity theft that involves multiple individuals obtaining personal information for illegal purposes.
A 2004 FBI Cybercrime study found that only 20% of companies report computer hackings to the police and half do not report them to anyone. Identity theft and consumer fraud are rapidly growing problems, costing Americans nearly $550 million last year, up from $430 million in 2003, according to the Federal Trade Commission. The FTC received 635,000 consumer complaints in 2004 about identity theft and consumer fraud.
The Governor reminded consumers of practical steps they can take to protect their personal information from thieves: (1) never provide any personal information in response to an unsolicited request; (2) review your account statements regularly to ensure that your transactions are in order; (3) check your credit report to make sure no new credit accounts have been opened in your name; (4) do not use information that can be used to steal your identity (birthdays, names, social security numbers, account numbers) as passwords or account numbers; (5) limit the amount of personal information you divulge over the phone or to web sites.