Data breaches on both sides of the job market this week highlight the importance of information security. Employment-search site Monster.com got hacked by spammers who used compromised servers to send email to its users that appeared to originate from the site. Monster estimates that information from 1.3 million users was exposed , but nothing more sensitive than names, phone numbers, and email and physical addresses. Having obtained enough personal information from Monster.com to appear legitimate, the spammers emailed users posing as Monster.com asking for financial information or prompting users to click links that would install malicious software on their computers. Meanwhile, retirees' personal information has been inadvertently exposed by state pension funds in New York and California. The New York pension fund lost a laptop containing information on thousands of people, while the California fund printed partial or full social security numbers on the physical mail it sent to almost 500,000 of its members. Here's the crazy part – in some states, the company doesn't have any legal obligation even to tell its users their information was leaked.
Federal law protects some types of personal information – health and financial information , especially, are subject to stringent confidentiality requirements. Mostly, though, data security issues are left to the states. California law requires that its citizens be notified whenever electronic databases containing their personal information are compromised by unauthorized access. 35 states have followed California's lead and enacted data security breach notification laws , but each state's law is different. Not only is complying with so many different inconsistent notification laws burdensome on nationwide companies, it's difficult to see why two people whose information was lost in the same security breach shouldn't be entitled to the same notification. It's past time for a federal data security breach notification law.
Thanks to Aaron for the graphics help.