
Friday, February 09, 2007

Ind. Gov't. - "State Web site breached: 5,600 notified hacker saw their credit-card numbers"

The Fort Wayne Journal Gazette, among others, is reporting that:

Indiana's state government Web site has been broken into, and the hacker saw credit-card information for about 5,600 people and businesses, the state Office of Technology said today.

The state has mailed letters to those people and businesses explaining what happened and what may happen next.

"(T)he State has implemented the highest levels of security and submitted itself to regular independent audits to ensure that data is safeguarded," the letter said. "Despite these efforts, the State's Web site recently experienced a security breach during which some credit card numbers were obtained without authorization." Because of technical errors, the letter said, those numbers were not encrypted, or scrambled, were not removed from the state's computer systems, and the hacker viewed the unencrypted numbers. It says it has fixed the errors and has taken additional measures to ensure security is as strong as possible.

The state recommends that people receiving the letters review credit-card statements since Jan. 1 and immediately report any questionable or unusual activity to card companies.

They are asked to call the site's security hotline at 888-438-8397 if they need additional information, or e-mail securityconcerns@www.IN.gov.

Taking Down Words has posted the actual advisory sent out by the State; access it here.

Indiana passed a law last year on credit card fraud - HEA 1101 from 2006. SECTION 5 added a new IC 24-4-14, Persons Holding a Customer's Personal Information. Sec. 1 begins:

This chapter does not apply to the following:
(1) The executive, judicial, or legislative department of state government or any political subdivision.

SECTION 6 added a new Article 24-4.9, Disclosure of Security Breach. It begins with the same exemptions.

Despite the exemption from the law, the State has sent out notices to those impacted. One wonders why last year's General Assembly thought the state and local government should not be held to the same standard as others.

Especially since the Indiana law does not do much, other than require the notice the State has sent out. The ILB posted serious criticisms of this new law on March 11, 2006. Access them here. The commentary ended:

Finally, and most importantly, HEA 1101's new IC 24-4.9 offers no remedies to those consumers whose security has been breached, other than requiring that they be notified of the breach. What of the remedies that would pause or help repair the damage the breach has caused -- the remedies of security freezes, credit monitoring and credit repair set forth in Professor Ramasastry's article?

Short of that, the biggest question here is: Is the new IC 24-4.9 now to be the exclusive remedy available to Indiana residents for these security breaches resulting in disclosure of their information? Or can consumers whose records have been released bring suit for negligence and ask for damages, costs, security freezes, and credit monitoring or credit repair? Will the companies whose negligence resulted in the disclosure be able to claim compliance with the minimal notification requirements of the new law as a defense?

For more, see not only the article by Anita Ramasastry, Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology, titled "Data Insecurity: What Remedy Should Consumers Have When Companies Do Not Keep Their Data Safe?" referenced above, but also this article, "The Clean Credit and Identity Theft Protection Act: Model State Laws," which proposes a comprehensive model act addressing:
- Definitions;
- Security Freeze;
- Protection for Credit Header Information;
- Right to File a Police Report Regarding Identity Theft;
- Factual Declaration of Innocence After Identity Theft;
- Consumer-Driven Credit Monitoring;
- Prevention of and Protection From Security Breaches;
- Social Security Number Protection;
- Banning Credit Scoring and Insurance Scoring for Use in Insurance Decisions;
- Adequate Destruction of Personal Records; and
- Severability Clause.

Posted by Marcia Oddi on February 9, 2007 03:41 PM
Posted to Indiana Government