Legislative efforts to increase consumer information protection have begun in Annapolis following Hopkins' admission that it misplaced highly sensitive information for thousands of its employees.
Some of the ongoing bills are pushing to ensure that consumers are notified immediately in such situations; others are being passed so that the option to freeze credit reports would be made available to individuals.
The computer tapes that were reported lost last week included employee salaries, social security numbers and other personal information. After thorough investigations and background checks, Hopkins concluded that the information was likely misplaced, then incinerated and destroyed as garbage.
"Hopkins notified the employees ... but Maryland isn't required to do that yet," Steve Sakamoto-Wengel, assistant attorney general in the consumer protection division, who has been assigned by Attorney General Douglas Gansler to work with the legislators, said. Sakamoto-Wengel explained that notifying individuals to take action in case of security breaches represents an active form of consumer information protection.
At the same time, other bills are working to allow Maryland consumers to place a security freeze on their accounts to block lenders and other unauthorized personnel from access to their personal credit information. "It's an important tool for Maryland consumers to have," Sakamoto-Wengel said. The current protection only allows accounts in Maryland to be put on `alert' under which access to the account is limited while the credit report still remains accessible to a third party. Currently, the security freeze option is adopted in only 22 other states.
There are several points of contention with regard to the recent legislation process that is now taking place in Annapolis. According to the Baltimore Sun, some other bills suggest that state agencies should not be required to send out notifications in case of security breaches.
The present challenge is to find a compromise in the ongoing legislation considerations between consumers and the lobbyists who represent industries and business. It is uncertain how broadly the security breach notification requirement should be applied to the public.
"Not all companies are very readily inclined to all the ongoing legislations," Sakamoto-Wengel said.
Various advocates have different takes on future cases similar to the accident at Hopkins, where over 50,000 employees would need to be contacted. Business advocates, for instance, believe that notification is only necessary when the administrators feel the breach may be faced with the threat of identity theft.
"You could have a situation where there may have been mishandling of data but where the company investigating concluded that data never had any likelihood of getting out," Ronald W. Wineholt, vice president of Government Affairs for the Maryland Chamber of Commerce said to the Baltimore Sun, "This is so you're not forcing businesses to send out waves after waves of notices to customers."
Still other bills see the notification requirement only conditional to the amount of money involved in the breach.
"For now, I believe it is possible to pass a notification bill to allow consumers to do damage control," Delegate Susan C. Lee has shared with the Baltimore Sun.
