During yesterday’s House Economic Matters Committee hearing on HB 630, Consumer Protection – Personal Information Protection Act, the committee saw a first hand example of how most identity theft occurs.

When Maryland Chamber Vice President Ron Wineholt and the rest of his panel were called to testify, they noticed that a woman on the panel before them had left her purse at the table. They ensured she got her purse back, but the incident reinforced part of Ron Wineholt’s testimony.

A recent national survey indicates that nearly two-thirds of identity theft results from data sources under the individual’s control – like a purse. This fact doesn’t lessen the obligation that all entities, public and private, have to their customers to maintain the security of personal information. But, I think it does help to put the issue in perspective.

The Chamber is working with lawmakers to amend the legislation (SB 486/HB 630 and SB 134/HB 873) to address a number of issues, including:

Definition of “personal information” is too broad. The eight items listed as personal information appear to go far beyond the typical requirements of other states. For example, signatures should not be characterized as personal information that needs protection. To the contrary, signatures of all property owners are recorded in the public land records and are readily obtainable. Given the large volume of business documents that contain customer signatures, businesses would need to shred all of their trash, at great expense, to avoid violating this bill. Likewise, protection of medical information is already governed by HIPPA, and its inclusion in this list is unnecessary.

Delete Provisions for Individual Lawsuits. While it would be appropriate for the Attorney General to be vested with the authority to enforce this bill, there is no reason to subject businesses to individual lawsuits, fines and attorney’s fees from individuals under the Consumer Protection Act.

Include State and Local governments. All too often in recent sessions the business community has protested the enactment of legislation where the General Assembly sets one standard of conduct for private businesses, but exempts state and local governments. Since governmental entities have been a major source of personal information breaches, it is essential that they be included in this bill. For example, 40 percent of the security breaches listed in Table 1 of the Report on the Attorney General’s Identity Theft Forum were from government sources. Failure to include governmental entities in this bill will send a message to the public that the General Assembly is not serious about solving the problem of security breaches and is unwilling to abide by the standards that it sets for businesses in maintaining personal information security.

For more information on this issue, contact Ron Wineholt at rwineholt@mdchamber.org.