California consumers will learn next month whether their favorite shopping sites are steeled against computer fraud -- or are haunted by hackers and identity thieves.
Starting July 1, companies must warn California customers of security holes in their corporate computer networks. When a retailer discovers that credit card numbers in its files have been stolen, it must e-mail customers, essentially saying, "We've been hacked, and the hacker may have your credit card number."
State politicians call the regulation the first of its kind in the nation. U.S. Sen. Dianne Feinstein plans to introduce similar federal legislation within a month.
"Corporate and government databases are increasingly becoming targets of identity thieves seeking Social Security numbers and other sensitive personal data," the California Democrat said in an e-mail. "Under current law, all too often people are unaware that an identity thief has gained this information and may be using it to run up credit card bills or use it to manufacture a new identity."
California's new regulation contrasts with the Bush administration's hands-off treatment of the technology industry, particularly when it comes to controversial e-commerce issues such as privacy and fraud.
Although the FBI and the Federal Trade Commission have hunted down Web site operators involved in fraudulent sales and auctions, laissez-faire proponents worry that regulations would hamper innovation.
"You cannot legislate good behavior," said EBay Inc. security chief Howard Schmidt, who quit this spring as a Bush advisor on cybersecurity.
The Postal Service reports that 50,000 people a year have become victims of identity theft, and the Treasury Department says thieves ring up $2 billion to $3 billion a year on stolen credit cards alone. As victims expend hours or days canceling debit and credit cards, obtaining new ones and reestablishing accounts and passwords, corporate America loses billions of dollars more in productivity.
Proponents say the California bill makes Web merchants more accountable for computer fraud. It doesn't impose monetary fines, but the regulation makes companies with questionable computer networks more vulnerable to lawsuits and public scorn.