What You Need to Know About ID Theft Laws

Eric Greenberg, chief security portfolio engineer at Unisys, joined Lisa Vaas, senior security editor for Ziff Davis Enterprise, for a recent OnSecurity podcast. A transcript of that interview follows.

Lisa Vaas: So, Eric, could you start by telling us about what laws we're looking at here in Massachusetts when it comes to businesses having to inform everybody about data breaches? What's going on?

Eric Greenberg: Massachusetts has put into place a law that's similar to what has been put in place in a number if not the majority of states right now. They're either there or are being put into place. The majority of these laws are based on laws that were developed by an organization called the U.S. PIRG, which is the federation of state Public Interest Research Groups. And so, basically, if you look at their template, you'll see that Massachusetts and some other state, most of the other states, have actually worked from that template.

Vaas: How many states right now have legislation or are looking at legislation?

Greenberg: I don't have the exact number. I haven't counted them up. I know that as of a couple of years ago, more than 25 of them did. So I would say the majority of them. You have to check with your individual state to know if they are, and as we'll talk about, there are a few differences.

Vaas: I would guess that the businesses, online retailers and, well, anybody dealing with data right now who might be subjected to this law are going to have to deal with a hodgepodge of legislation. Is that correct?

Greenberg: Oh, yes, absolutely. In fact, California, who was a leader in some of this, kind of brought this to the awareness of retailers and folks that take credit cards quickly. Because if you run an online site - so many businesses do today, whether you're a department store or what have you - you don't know whether you're going to have customers from California. So if there's one state that requires it, you're aware that there's a notification requirement to at least that one state. So, yeah, they have notification laws, sort of, they have knowledge of it.

Vaas: So we're talking about notification laws. I'm assuming that what these laws require differ greatly. I mean, there are time elements involved. Could you delve a little bit into the differences in the laws right now?

Greenberg: Let's first talk about the Massachusetts law, which is based on the U.S. PIRG. Let's talk about the three components. One of them is the notification we talked about, which is breach notification. It requires the commercial entity and government to notify the consumer if enough of their personal information has been acquired by an unauthorized person or purpose. We're going to talk about that a little bit more because there're differences, and it's from state to state on how that's interpreted. There's credit report security freeze. What this means is that you have the ability to lock your credit report so that it cannot be accessed for the purposes of validating whether you should be given a credit card. So if your credit report is locked, someone can't issue credit in your name because they cannot get a credit report. That's the idea behind the credit report security freeze. That impacts the credit reporting agencies. And there are differences from state to state about how much money you have to pay if you put your lock on and then want to take it off and put it back on again and take it off. Naturally, sometimes you need to take the lock off.

Vaas: And we're talking about paying money to whom? The credit reporting agencies?

Greenberg: The credit reporting agency who would be responsible for locking your credit report.

Vaas: Okay. I just don't know why they aren't required to pay us for our credit histories, but I guess that's a topic for another day.

Greenberg: Yes. And, in fact, there are five different topics that weave in and out of this that we could talk about. And I may actually dare weave in a few of them before we're done.

Vaas: Well, you know how people get enraged over this kind of thing. I don't think we're the only ones feeling that way for sure. But these state laws, who are they protecting exactly?

Greenberg: Okay. And I want to add that the third [component of the Massachusetts law] is a police report. You have the ability to get a police report through that state legislation. You need that police report in order to actually clean up the mess. And in the past its been difficult for some folks to get that. So those are the three components.

