Editorial: Stand strong against loopholes

Wednesday, Nov. 30, 2005 | 8 a.m.

To protect against the growing crime of identity theft, California passed a law in 2003 that requires its residents to be informed whenever privately held confidential information about them is compromised.

The law applies to all companies in the United States. If their computers are hacked, if their files are compromised in any way, those companies must notify all affected California residents.

This law led to the public disclosure earlier this year of major security breaches at national companies. In February ChoicePoint Inc., a Georgia company that sells information about American consumers to government agencies and private businesses, had to notify 35,000 people in California that it mistakenly sold personal information about them to criminals. The company later notified more than 100,000 people outside of California.

Because of California's law, similar disclosures were required in two other high-profile incidents. In May personal information on consumers was stolen from a company owned by Lexis-Nexis, a worldwide firm that also combs public records and sells information about people. The company acknowledged that files on as many as 310,000 people had been compromised.

In June hackers penetrated CardSystems Solutions Inc. of Arizona, which handles transactions for credit-card companies. As many as 40 million records were compromised.

Public pressure from these cases forced Congress to begin crafting legislation patterned after California's. It was obvious that all Americans should receive notification.

Affected businesses, however, are pushing for loopholes. One would allow them to decide for themselves whether a security breach was significant enough to warrant notification. Notification in all cases would be too costly, they argue.

The other loophole would have this weakened federal legislation supersede all state laws. Many states are passing laws as strict or more strict than California's.

Most congressional Democrats favor a consumer-friendly law that would mandate notification in all real or suspected security breaches. We can see the wisdom of a national law, as opposed to 50 laws with varying requirements. The national law, however, should be as strict as California's. And if states wish to pass laws even more strict, that should be allowed.