Hopkins data loss prompts legislative effort

The loss of computer tapes containing personal information on more than 135,000 Johns Hopkins employees and patients - the data possibly tossed in a trash bin - is spurring consumer protection bills in Annapolis, including one to force prompt disclosure of such breaches.

"Every time you see a corporation or any organization lose data, it's going to strengthen the hand of those of us who say we need better protections for consumers," said Del. S. Saqib Ali, a Montgomery County Democrat and former software engineer who has sponsored several bills dealing with the issue.


The disclosure proposal, and another to allow Maryland consumers to block access to their credit reports, are part of a nationwide push to enhance consumer protections against identity theft. About 35 states have enacted notification laws, and a majority of states have so-called security freeze laws on the books.

Personal data is collected at almost every interface with consumers, including in stores, schools and the workplace, and privacy activists warn that much of it goes unprotected from would-be thieves. According to the Privacy Rights Clearinghouse, more than 100 million records of sensitive personal information have been involved in data breaches at companies, universities and government entities in the past two years.


"This is a bigger problem than most consumers or organizations even understand," said Troy Allen, chief fraud solutions officer at Kroll, a risk-consulting firm. "What you actually see out there is a very small subset of what's going on."

And if it can happen at Hopkins, Baltimore's top-rated university and hospital, legislators and consumer advocates worry, it could be happening anywhere.

"He left it in a Dumpster? What the hell is that?" said Sen. John C. Astle, an Anne Arundel County Democrat and vice chairman of the Finance Committee. "Obviously there's a problem there, and somebody was asleep at the wheel. Somebody was not treating this information with the care it deserved."

Hopkins won an award last year from Gov. Robert L. Ehrlich Jr. for initiatives aimed at identity theft, such as disseminating brochures on the subject. As for the handling of data, Dr. William R. Brody, the university president, said that procedures are being evaluated and that "appropriate" changes will be made.

Officials at Hopkins think that a courier mistakenly left a box of computer tapes containing personal records, which in some cases included Social Security numbers, at the wrong stop and that the tapes were likely trashed or incinerated.

About 135,000 university employees and hospital patients were affected, but officials say the chances of the information being used for nefarious purposes are slim.

Hopkins did an extensive investigation, including a background check and polygraph of the courier, as well as a review of security videotapes, spokesman Dennis O'Shea said. The courier recollected that he must have neglected to put the tapes back on his truck and instead left them in a shipping area that's usually full of boxes that are placed in a trash bin.

O'Shea said he and his college-age daughter, who worked as a resident adviser at the university last summer, were among those whose information was affected. But he said he is "not worried," nor is he checking his credit report or taking any other precaution.


He said about 100 people have called a hot line set up by the university to handle inquiries about the incident.

But some at Hopkins had a different take.

"I'm still going crazy. I'm still worried," said custodian Scott Williams, who said he was not convinced that the data has been destroyed. "They're not giving any evidence for that; we still don't know. ... Irresponsibility, that's the word for it."

Frustrations on campus were compounded when the university mistakenly e-mailed employees an incorrect phone number to one of the nation's three credit bureaus. The error was quickly corrected, O'Shea said.

"How incompetent can you get?" said Robert Rynasiewicz, a philosophy professor.

Some Maryland lawmakers say they want to give consumers more latitude to know who has access to their personal information and to control access to credit data.


Several bills would allow consumers to put in place a security freeze, which would put credit reports off-limits to lenders and others, thereby thwarting those who try to open credit card or other accounts in someone else's name.

The Senate Finance committee is developing the legislation, and lawmakers say it might have a better chance of passage this year. Still, some lobbyists for retail and financial industries want provisions that consumer advocates oppose, such as one that would allow only identity-theft victims to put a freeze in place.

Other pending bills would require consumers to be notified as soon as possible if their information has been exposed; not doing so could result in fines.

One bill would levy fines of $500 per violation or the actual damages sustained as a result of the breach.

The House Economic Matters Committee plans to take up such legislation this week.

Attorney General Douglas F. Gansler supports both bills. He has assigned Steve Sakamoto-Wengel, an assistant attorney general in the consumer protection division, to work with legislators.


Gov. Martin O'Malley's office is also reviewing the measure but has not taken a public position.

Industry lobbyists have asked for certain caveats to the consumer notification bills. For instance, business representatives generally want to limit their obligation to tell consumers of data breaches to cases in which they determine that identity theft is likely.

"You could have a situation where there may have been mishandling of data but where the company investigating concluded that data never had any likelihood of getting out," said Ronald W. Wineholt, vice president of government affairs for the Maryland Chamber of Commerce. "This is so you're not forcing businesses to send out waves after waves of notices to customers."

Allen, the Kroll executive, said that businesses are often ill-equipped to investigate and that they often underestimate the risks involved.

"It's the fox watching the henhouse," he said.

Another sticking point is that some bills would exclude state agencies, which could include the city of Baltimore or the University of Maryland, from the notification requirement. Consumer advocates say many of the breaches are at public-sector entities.


Legislators balked at covering state agencies in a bill that passed the Senate last year when a financial analysis showed that the requirement could be a serious drain on state and university funds.

Some bills require entities to notify each individual consumer affected by a data breach unless the cost exceeds $250,000, in which case an alternative notice could be provided through an Internet posting and media alerts.

"The best scenario would have everybody do it, but in the real world, perhaps more of the financial information is in the business world," said Sen. Jennie M. Forehand, a Montgomery County Democrat.

Del. Susan C. Lee, also a Montgomery County Democrat, said that an identity-theft task force will explore how state agencies handle consumer information and that a bill addressing state agencies could be tackled later. "For now, I believe it is possible to pass a notification bill to allow consumers to do damage control," she said.

Ali has introduced other legislation that would prevent companies that issue so-called customer loyalty cards, which often give discounts to users while tracking their spending habits for direct-mail campaigns, from sharing or selling the personal information. It also would allow consumers to inquire what information a company has gathered about them.

Lillie Coney, associate director of the Electronic Privacy Information Center in Washington, said companies are collecting too much data about consumers, most of it unnecessary. She wants institutions to curtail their collections and make sure their processes are transparent.


"We're talking about fair information practices," Coney said. "You need to tell people why you're collecting information and the source of the information, and only collect as much information as is necessary to provide the benefit and service."

Jeffrey P. Marston, a Washington lawyer who represents financial institutions, said companies are "struggling to keep pace with all the crazy patchwork quilt of legislation."

He said his clients would like to see a "comprehensive regulatory scheme," perhaps at the federal level. Congress has been considering identity-theft bills. Meanwhile, states are acting first.

"The time is now; Maryland is behind the ball on this," said Joseph DeMattos, director of AARP Maryland, the retiree advocacy group that backs the legislation. "The recent security data breaches prove that through no fault of our own, we all face potential identity theft and potentially grave losses of our hard-earned money and savings."

Sun reporter Tricia Bishop contributed to this article.


Tips on identity theft

Consumers are urged to take the following steps if they think their identity has been stolen:

Contact the fraud departments of any one of the three consumer reporting companies to place a fraud alert on your credit report. A fraud alert tells creditors to follow certain procedures before opening any new accounts. The companies are Equifax: 800-525-6285,; Experian: 888-397-3742,; TransUnion: 800-680-7289,

Close the accounts that you know or believe have been tampered with or opened fraudulently. Use the ID Theft Affidavit, available through the FTC's Web site, when disputing unauthorized accounts.

File your complaint with the FTC. You should print a copy of your complaint to provide important standardized information for your police report.

File a report with your local police or police in the community where the identity theft took place. Give the police a copy of your FTC complaint.


Alert your bank to the situation, so it can watch for suspicious activity.

If you are concerned that you may be affected by the Hopkins security issue, go to, or call 800-981-7524.

[Sources: Federal Trade Commission, Johns Hopkins]