"Everyone is aware of the importance of protecting our personal information, and almost all of us know someone who has been the victim of identity theft or credit card fraud," Governor Kaine said. "That is why I established a working group last year and charged it with recommending steps we could take to protect our citizens. These proposed legislative actions reflect those recommendations."
The 26-member working group, established by executive directive in January 2007, was members of the General Assembly, business leaders and consumer advocates.
"While there is no single solution to the many challenges we face in this area, I believe these proposals strike a reasonable balance between the interests of the Commonwealth's citizens and the legitimate interests of the business community," Governor Kaine said.
Breach Notification
Virginians have the right to know when important personal information has been released to the public or otherwise compromised. Kaine's proposal would enact a breach notification standard, which would apply to state government.
Kaine recommends that breach be defined as the unauthorized acquisition and access of unencrypted or unredacted personally identifying information from a variety of data forms, including paper records. The law would require companies to notify consumers in the event that a data breach is experienced. State law already defines personal information that would constitute a breach as a resident's name in combination with one or more of the following: Social Security number; driver's license number; account number or credit card number in combination with any security code, access code or password that would permit access to a resident's financial account.
The governor's proposal provides an exemption from the requirement to notify when a company can determine that there is no reasonable risk of harm occurring from the unauthorized disclosure of personal identifying information. It also provides for written notification or notification by e-mail or telephone.
Credit Report Freeze
Included in Kaine's recommendation is the ability for Virginian's to put a freeze on their credit reports until any identity theft or fraud issues are resolved. This protection would be available to all consumers and allow the placement of the freeze by standard mail, electronically or by telephone.
"As identity theft becomes more and more common, we must give our citizens tools to protect themselves from the possibility of continued damage that an open credit line allows," Governor Kaine said. "This legislation will give Virginian's greater control over access to their credit."
Three credit agencies -- Experian, Transunion and Equifax -- last year volunteered to allow credit report freezes. Building upon their move, the proposed legislation would allow the credit reporting agencies to charge a reasonable fee of $5, to each agency, for placing and removing a freeze, with no charge to temporarily lift one. The service would be free to victims of identity theft. The freeze would stay in effect until lifted by the consumer.
Exemptions from the credit report freeze would be granted to entities such as those with active business relationships with the consumer, law enforcement, insurance brokers, debt collections agencies and other with legitimate needs to carry out their duties. Credit reporting agencies would be required to provide the fastest means possible to lift or remove a freeze by including a "quick thaw" provision by September 1, 2008.
