California state agencies will have to follow strict new standards when handling personal information, under the provisions of State Senate Bill 13, authored by State Senator Debra Bowen and signed Thursday, September 22nd by Governor Arnold Schwarzenegger.
“Identity theft is still the country’s fastest growing white collar crime,” Bowen said. “It is maddening to see that state agencies responsible for handling sensitive personal information still don’t understand that a person’s Social Security number is the one key criminals need to unlock someone’s entire financial history.”
Senate Bill 13 requires the state Committee for the Protection of Human Subjects — a division of the California Health and Human Services Agency — to review and approve all research projects which come with a request for personal data.
The bill also sets minimum security and privacy standards and requires the committee to remove personal identifiers such as Social Security numbers before allowing researchers access to information.
“The goal here isn’t to make it harder for researchers to do their work,” Bowen said. “The goal is to stop the state from using a person’s Social Security number as a default identifier.”
Bowen wrote the bill in response to an August 2004 computer hacking incident.
The state Department of Social Services downloaded and gave to a researcher the department’s entire In Home Support Services database, which contained the names, addresses, Social Security numbers, dates of birth, and phone numbers of 1.3 million people who provided or received In Home services between 2001 and 2004.
In a letter to the department, the researcher requested access to the database so that a random sample of workers who care for the elderly at home could be surveyed.
The database later found its way to a computer at the University of California at Berkeley, where the university’s computer system was subsequently hacked.
Instead of giving the entire database to the researcher, Bowen said the State Department of Social Services should have pulled a random sample, removed confidential data, sent the edited data to the researcher, and charged the researcher a fee for the department’s extra work.
Bowen also said the research project should have been approved by the state before the department handed over the database. The legislation takes effect January 1st.