Hawaii lawmakers are likely to take up proposed legislation that would punish state agencies responsible for data breaches that can result in identity theft.
"Right now the problem is that victims are the ones who bear all the brunt in recovering from identity theft," said state Sen. Mike Gabbard (D, Kalaeloa-Makakilo). "It’s like having someone break into your house and then holding you responsible for crimes committed while the thief was wearing your clothes. Most people would agree that if you mess up, you should own up. So this is what we’re trying to accomplish."
The legislation will be modeled after proposals offered today by the Liberty Coalition, a Washington, D.C.-based nonprofit civil liberties watchdog group. The coalition's report estimates that identity theft caused by breaches has cost Hawaii businesses and banks $571 million since 2005.
Among its proposals, the Liberty Coalition suggests that Hawaii law be changed to require organizations or agencies responsible for data breaches to provide specific information on the nature of the breach.
"Unfortunately, only the breaching entity knows all of the details of a breach," the report states. "And unfortunately, it is also the organization with the greatest incentives to hide, skew or leave out key details."
The coalition also suggests that the state set up a "Breach Victims Trust Account" that would be administered by a "Victims Advocacy Agency." It would be funded by the culpable organizations.
The money would be available to victims of identity fraud.
"We’re working with the Legislative Reference Bureau in taking a look at their proposals to see which ones best fit our state’s needs," said Gabbard, who requested the report. "I plan to introduce the proposals that make the most sense and will help to better protect people’s sensitive, personal information from breaches and identity theft."
The report comes after recent high-profile data breaches at the University of Hawaii system. More than half of the estimated 479,000 Hawaii records that have been breached since 2005 were those mishandled by UH.
The Liberty Coalition’s information privacy director, Aaron Titus, discovered the most recent UH breach, which compromised the information of more than 40,000 students and graduates. Titus has discussed the problem with university officials.
"The university is actively developing a comprehensive plan with all 10 accredited campuses to improve information security throughout the University of Hawaii system," said UH spokeswoman Tina Shelton.
The coalition also recommends that breaching organizations be required to conduct independent audits as a remedial action. The audit would promise action and adherence to industry best practices, and certify how compliant the organization is at that point.
State Sens. Jill Tokuda and Carol Fukunaga will hold an informational briefing with UH officials next month on the security breach issue.
Data breaches occur because organizations have not been held accountable for negligence, Gabbard said.
"It’s a matter of priorities, given that businesses and government organizations have limited resources and the information-technology security controls come at a cost," he said. "I fully appreciate the difficulties they’re facing because of our tough economy. At the same time, it’s our job to find a way to add protections that are reasonable and that serve the public’s interest."
Gabbard said a victims trust account should be funded by agencies and organizations that leak data. The fee amount will be determined as legislation moves forward and lawmakers receive input from experts and the community.