A wide range of business groups are fighting proposed state rules intended to protect consumers from identity theft.
Representatives of banks, insurance companies and other businesses that collect personal customer information say the rules drafted by the Division of Consumer Affairs are too rigid, burdensome and probably unenforceable.
The rules seek to clarify parts of the Identity Theft Prevention Act, which took effect on Jan. 1, 2006.
Legislators passed the act after a series of incidents in which customer personal information was stolen or accidentally released, highlighting consumers' vulnerability to identity theft.
Observers say the law is one of the strongest in the nation. It seeks to protect consumers by requiring government and businesses to quickly report the loss or release of personal information, and it establishes security measures for handling sensitive information.
What it means
The Legislature in 2005 passed the Identity Theft Protection Act. It seeks to protect consumers' personal information by requiring companies to take certain security measures and use computer processes in handling private data. The current controversy is over rules drawn up by the Division of Consumer Affairs to interpret and clarify parts of the bill.
The law also requires businesses to destroy unneeded customer records and enables consumers to freeze their credit reports, restricting the ability of identity thieves to open a new credit account.
State departments typically write rules to clarify or add specifics to the structure of complicated legislation. But lobbyists say most opposition occurs before a bill is passed; it's rare for rules interpreting a bill to spark such opposition.
Business leaders say that in this case, Consumer Affairs officials have exceeded the law's intent.
The rules "are actually much worse than was anticipated," said Robert J. Tartaglia, a lobbyist for the New Jersey Bankers Association. "They are, from comments from at least two of our nationally chartered banks, unenforceable."
He said it was "absurd" for small businesses and major banks to be covered with the same set of rules for the technical requirements of computer security systems. That would make it almost impossible for the state to ensure all companies comply, he said.
Christine Stearns, a lobbyist for New Jersey Business and Industry Association (NJBIA), said the trade group has "many concerns about the bill." Some rules go well beyond the legislation, and even conflict with it, according to the association's analysis.
Stearns said the association has asked the division to extend the 60-day comment period so that more association members can voice their discontent.
The period currently expires on June 15. Division spokesman Jeff Lamm said the division has not decided whether to extend it. Once the period is over, division officials will evaluate the comments and decide whether to adjust the proposed rules.
Business groups offered these criticisms:
• A requirement that companies keep a record of the destruction of documents is burdensome.
• The computer security measures and equipment specifications are so specific they leave no room for companies to design their own protective measures. Businesses say the required equipment could soon be obsolete.
• The demand that companies report a security breach to the state police within six hours of its discovery is too restrictive. Companies say they often need to do extensive analysis to establish exactly what happened and what files were affected.
• The rules require companies to "mitigate" security breaches even though the law doesn't mention it. Business groups worry that the rule is vague and could open them to liability for security breaches.
Abigail Field, a lobbyist for the New Jersey branch of the Public Interest Research Group, said the agency has no problem with most of the rules. She said most of the measures are necessary to protect the public, and she rejected most of the business community's complaints.
"I don't have a lot of sympathy," she said. "Our data is insecure. Consumers are at the mercy of businesses who have our data. I think in general, businesses just have to learn to change the way they do business and take better care of our data."
Still, she said, some of the technological requirements are excessive and could stop companies upgrading their computer systems to improve security.
Trenton appears Wednesdays. E-mail: morley@northjersey.com
