Law Gives Hacking Victims Right to Know

California consumers will learn next month whether their favorite shopping sites are steeled against computer fraud -- or are haunted by hackers and identity thieves.

Starting July 1, companies must warn California customers of security holes in their corporate computer networks. When a retailer discovers that credit card numbers in its files have been stolen, it must e-mail customers, essentially saying, “We’ve been hacked, and the hacker may have your credit card number.”

State politicians call the regulation the first of its kind in the nation. U.S. Sen. Dianne Feinstein plans to introduce a similar federal legislation within a month.

“Corporate and government databases are increasingly becoming targets of identity thieves seeking Social Security numbers and other sensitive personal data,” the California Democrat said in an e-mail. “Under current law, all too often people are unaware that an identity thief has gained this information and may be using it to run up credit card bills or use it to manufacture a new identity.”

California’s new regulation contrasts with the Bush administration’s hands-off treatment of the technology industry, particularly when it comes to controversial e-commerce issues such as privacy and fraud.

Although the FBI and the Federal Trade Commission have hunted down Web site operators involved in fraudulent sales and auctions, laissez-faire proponents worry that regulations would hamper innovation.

“You cannot legislate good behavior,” said EBay Inc. security chief Howard Schmidt, who quit this spring as a Bush advisor on cybersecurity.

The Postal Service reports that 50,000 people a year have become victims of identity theft, and the Treasury Department says thieves ring up $2 billion to $3 billion a year on stolen credit cards alone. As victims expend hours or days canceling debit and credit cards, obtaining new ones and reestablishing accounts and passwords, corporate America loses billions of dollars more in productivity.

Proponents say the California bill makes Web merchants more accountable for computer fraud. It doesn’t impose monetary fines, but the regulation makes companies with questionable computer networks more vulnerable to lawsuits and public scorn.

“It’s a wake-up call for companies to make major, across-the-board changes in every part of the company,” said Nick Akerman, an attorney specializing in computer fraud in the New York office of Dorsey & Whitney. “Companies are afraid to report breaches because they think it reflects badly on them, and they don’t want the bad publicity of becoming known as a company that’s been hacked into. This bill says, ‘You can’t continue business as usual.’ ”

The regulation applies to any company that stores data electronically and does business in California. Companies must alert customers whenever “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

The bill defines “personal information” as an individual’s first name or initial and last name, with one of the following: Social Security number; driver’s license number; state identification number; or credit or debit card account number and security code.

Except when disclosure would impede a criminal investigation, companies must notify consumers “in the most expedient time possible” by e-mail or physical letter.

If a hacker gains access to data for 500,000 or more customers, the company might also have to notify people through a “conspicuous” posting on a Web site and disclosure to the media.

Amazon.com Inc., Land’s End, Recreational Equipment Inc. and numerous other companies with extensive databases would not comment on the bill. Dell Computer Corp., which sells 50% of its goods online, said it applauds the regulation.

“This legislation codifies what we’ve had in place for a long time,” spokeswoman Cathie Hargett said.

Sending e-mails to customers is daunting, but sending alerts to newspapers and wire services truly panics e-commerce executives, said Peggy Weigle, chief executive of Santa Clara, Calif.-based security company Sanctum Inc. The regulation would treat computer vulnerabilities like automobile recalls -- critical safety data that must not be kept from the public.

“The public has been under the impression that the transactions they’re doing online are really secure,” Weigle said.

Nearly half of the 530 companies and government agencies polled in January by the FBI and San Francisco-based Computer Security Institute acknowledged their networks had been the victim of an unauthorized, internal hacker in the last year.

It’s unclear whether the alarming level of computer fraud will result in so many warnings that consumers ignore them.

Andy Carvin, an e-commerce enthusiast in Washington, D.C., would like a national version of the California bill. Carvin discovered his credit card information was stolen two years ago and suspects a hacker stole data during an online transaction.

“It would have been great if [the online merchant] had sent a letter with some useful advice,” Carvin said. “I’d feel they wanted to help me.”