Network News

X My Profile
View More Activity

New State Laws Target Data Encryption, RFID Tracking

The states have been busy of late enacting laws that address a broad spectrum of security protections, from outlawing radio frequency identification (RFID) tag tracking to requiring organizations to encrypt sensitive data whether it is stored on a computer or sent over the Internet.

California Gov. Arnold Schwarzenegger this week approved a bill that would make it illegal to secretly scan the data encoded on unsecured RFID chips for the purposes of tracking, identity theft or counterfeiting the devices. RFID tags are tiny chips that are now commonly embedded into many retail products, student IDs, drivers' licenses, passports and medical ID cards. Most RFID tags are "passive," in that they have no internal power supply and are designed to be read from a few inches away, but researchers have shown that even passive tags can be read from more than 30 feet with special equipment.

However, for the second year running, the governor killed a hugely popular bill that would have limited the amount of time retailers and collectors of personal information could hold onto the data. California Assembly bill 1656 also would have required businesses that experience a data breach to give more details to those affected about the information that had been lost or stolen.

Schwarzenegger vetoed last year's version of the measure, which would have forced retailers to foot more of the bill in cleaning up after customer data spills. He said it would have saddle businesses with burdensome costs and attempt "to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers."

Norma Garcia, a senior attorney with Consumers Union, said she was disappointed that the governor killed the bill again this year, as it had been stripped of the reimbursement requirements to win passage.

"The particular provisions upon which the veto was based were dealt with in this version, and from the consumer perspective, this was a bill that that was very reasonable and enjoyed wide support in both houses" of the California legislature, Garcia said.

Over in Nevada, a new law took effect Oct. 1 that requires businesses to encrypt all customer personal information sent "outside of the secure system of the business." The requirement excludes data sent by fax. The law defines personal information as first name or first initial plus last name in combination with either a Social Security number, driver's license, ID card, credit/debit card or account number, along with any security code or password that would permit access to a person's financial accounts.

In Massachusetts, state regulators issued rules that require entities that store personal information on residents to encrypt that data on laptops and other portable devices. The requirements take effect on Jan. 1, 2009.

State-level technological mandates don't carry the weight and breadth of federal laws, but they often force companies to implement the requirements businesswide, due largely to the costs that would be associated with maintaining separate business practices dictated by the customer's state of residence. Novel state laws that push the legal envelope also have a way of catching on in other states. Nowhere has this been more evident than with California's landmark 2003 data breach disclosure law, variations of which have since been adopted in more than 40 states.

By Brian Krebs  |  October 3, 2008; 12:36 PM ET
Categories:  Fraud , From the Bunker , U.S. Government  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Still Plagued by E-mail Deluge
Next: Report: Data Breaches Expose About 30M Records in '08


How about cloning ?
How to become Elvis:


Posted by: Chris | October 4, 2008 4:38 AM | Report abuse

Pitty about that bill not being passed it would have helped

Regards from

Posted by: Anonymous | October 5, 2008 3:03 AM | Report abuse

It is a pity about that bill not being passed it would have helped in the fight against scammers

Regards from

Posted by: | October 5, 2008 3:05 AM | Report abuse

Off topic: Brian what do you know about the site I was on and then was suddenly redirected to this site that asked me if I want to install Antivirus 2009. I killed Firfox thru the Task Manager instead of even clicking Cancel. If you can warn Bloomberg that would be great.

Also do you know if McAfee or Windows Defender will detect this malware.


Posted by: Tom | October 5, 2008 3:40 AM | Report abuse

"I killed Firfox thru the Task Manager instead of even clicking Cancel"

Good Move.. AntiVirus 2009 is a bad piece of malware.

I have seen AntiVirus 2009 coming in on peoples machines from a whole lot of sites, the last one I had to remove came in ffrom, looks like it is coming in off of a banner ad being displayed on many sites.

Posted by: Devin | October 5, 2008 4:52 PM | Report abuse

It's quite interesting that Schwarzenegger would veto a bill like this, considering similar bills have been passed in many other states, and also considering the current financial crisis the US is facing.
Certainly a move like this would only protect consumers, and though the United States entertains the idea of free commerce, it also exclusively protects the privacy of its citizens. Very provocative blog.

Posted by: | October 5, 2008 8:30 PM | Report abuse

Thanks for the tip on Antivirus 2009.

Does this say anything else also ???

Posted by: brucerealtor | October 5, 2008 10:58 PM | Report abuse

Stupid law, it won't stop criminals since they are planning on breaking the law anyway.

Passing a law making it illegal to put information which can identify or track individuals on unsecured RFID chips would actually be useful.

Posted by: Pete | October 6, 2008 3:22 AM | Report abuse

Merchants do not need to keep customer information for long periods of time. The only one who benefits is the hacker who gets access to lots of personal customer information for longer time periods and the consumer suffers if a data breach occurs which many times the merchant will just cover up and deny it occurred.Our web site has information to educate businesses and consumers on this Identity Theft problem.

Posted by: Tom Harkins, Chief Strategy Officer Secure Identity Systems | October 6, 2008 11:15 AM | Report abuse

Governor Arnold Schwarzenegger vetoed the Consumer Data Protection Act again on October the 2nd. Why didn't the post pick up on this story?

Posted by: Charles Corcoran | October 6, 2008 2:27 PM | Report abuse

Has anyone developed a commercially viable system to prevent scads of information being databased when a transaction takes place? Like a third party clearance system that only requires a transaction number that's encrypted to effect a transfer of funds?

Posted by: Buddy | October 7, 2008 1:32 PM | Report abuse

"Silly law" - absolutely not. Taking the attitude that a enacting legislation is pointless given that criminals are prepared to break the law anyway can only result in literally a lawless society. These laws do not have to act as a preventative measure (although in some cases they will) as they empower consumers, retailers, law enforcement and the juciciary in the process of punishing those who hurt others as a consequence of their greed.

Posted by: Simon Dehaute | October 8, 2008 7:23 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company