Right to know: most states have laws requiring notification when personal data are stolen. How effective the laws have been, though, is an open question.

Author: Greenberg, Pam

A Countrywide mortgage employee working Sunday nights copied customer records from an office computer, then sold the personal information of an estimated 2 million mortgage applicants.

A group of hackers "wardriving"--searching for unsecured wireless networks in parking lots and outside retail stores such as TJ Maxx, Marshalls, Boston Market and others--managed to capture credit card numbers, passwords and account information for more than 40 million customers.

A laptop stolen from a National Institutes of Health researcher contained the information of about 2,500 participants in a medical research study, including names, birth dates, health data and diagnoses.

Before 2004, consumers rarely heard about these kinds of thefts. But a landmark California law, which went largely unnoticed outside the state when it passed in 2002, set off a chain of events felt nationwide. California's Security Breach Notice Law requires businesses or state agencies that have a security breach to notify state residents if their personal information is lost or stolen.

Since the law took effect in mid-2003, hundreds of data breaches have been reported in the press, and more than 245 million records containing personal information have been exposed. Thousands of people have received letters warning them to monitor their records, and businesses and organizations have beefed up data security. One study put the cost of data breaches to the companies involved at $197 per record breached in 2007.

NATIONAL REACH

In February 2005, ChoicePoint, a company that collects and compiles information about millions of consumers, discovered that it had inadvertently sold the personal information of almost 145,000 people to a con artist who claimed to be an executive with a Los Angeles company. ChoicePoint initially notified only California residents, who were covered by the state's notification law, even though the stolen data included information about residents in other states. Only after widespread media coverage, and after 38 state attorneys general had called for notification to victims in other states and territories, did the company notify everyone whose personal information had been compromised.

After ChoicePoint's security failure became widely known, lawmakers in other states moved quickly to make sure their citizens had the same kind of notice as California residents.

Twenty-two states enacted security breach laws in 2005, and others quickly followed in subsequent years.

In the five years since the California law took effect, 43 states, the District of Columbia, Puerto Rico and the Virgin Islands have passed similar laws. But the laws have their critics, and researchers are beginning to take a careful look at their effectiveness.

LAWS CREATE CHANGE

"The law has worked surprisingly well," says Senator Joe Simitian, a sponsor of the California bill. "Millions of American consumers have known when their personal information had been disclosed and they were at risk."

With notice, a consumer can protect against theft by closing...
