The loss of computer tapes containing personal information on more than 135,000 Johns Hopkins employees and patients - the data possibly tossed in a trash bin - is spurring consumer protection bills in Annapolis, including one to force prompt disclosure of such breaches.
"Every time you see a corporation or any organization lose data, it's going to strengthen the hand of those of us who say we need better protections for consumers," said Del. S. Saqib Ali, a Montgomery County Democrat and former software engineer who has sponsored several bills dealing with the issue.
The disclosure proposal, and another to allow Maryland consumers to block access to their credit reports, are part of a nationwide push to enhance consumer protections against identity theft. About 35 states have enacted notification laws, and a majority of states have so-called security freeze laws on the books.
Personal data is collected at almost every interface with consumers, including in stores, schools and the workplace, and privacy activists warn that much of it goes unprotected from would-be thieves. According to the Privacy Rights Clearinghouse, more than 100 million records of sensitive personal information have been involved in data breaches at companies, universities and government entities in the past two years.
"This is a bigger problem than most consumers or organizations even understand," said Troy Allen, chief fraud solutions officer at Kroll, a risk-consulting firm. "What you actually see out there is a very small subset of what's going on."
And if it can happen at Hopkins, Baltimore's top-rated university and hospital, legislators and consumer advocates worry, it could be happening anywhere.
"He left it in a Dumpster? What the hell is that?" said Sen. John C. Astle, an Anne Arundel County Democrat and vice chairman of the Finance Committee. "Obviously there's a problem there, and somebody was asleep at the wheel. Somebody was not treating this information with the care it deserved."
Hopkins won an award last year from Gov. Robert L. Ehrlich Jr. for initiatives aimed at identity theft, such as disseminating brochures on the subject. As for the handling of data, Dr. William R. Brody, the university president, said that procedures are being evaluated and that "appropriate" changes will be made.
Officials at Hopkins think that a courier mistakenly left a box of computer tapes containing personal records, which in some cases included Social Security numbers, at the wrong stop and that the tapes were likely trashed or incinerated.
About 135,000 university employees and hospital patients were affected, but officials say the chances of the information being used for nefarious purposes are slim.
Hopkins did an extensive investigation, including a background check and polygraph of the courier, as well as a review of security videotapes, spokesman Dennis O'Shea said. The courier recollected that he must have neglected to put the tapes back on his truck and instead left them in a shipping area that's usually full of boxes that are placed in a trash bin.
O'Shea said he and his college-age daughter, who worked as a resident adviser at the university last summer, were among those whose information was affected. But he said he is "not worried," nor is he checking his credit report or taking any other precaution.
He said about 100 people have called a hot line set up by the university to handle inquiries about the incident.
But some at Hopkins had a different take.
"I'm still going crazy. I'm still worried," said custodian Scott Williams, who said he was not convinced that the data has been destroyed. "They're not giving any evidence for that; we still don't know. ... Irresponsibility, that's the word for it."
Frustrations on campus were compounded when the university mistakenly e-mailed employees an incorrect phone number to one of the nation's three credit bureaus. The error was quickly corrected, O'Shea said.
"How incompetent can you get?" said Robert Rynasiewicz, a philosophy professor.
Some Maryland lawmakers say they want to give consumers more latitude to know who has access to their personal information and to control access to credit data.
Several bills would allow consumers to put in place a security freeze, which would put credit reports off-limits to lenders and others, thereby thwarting those who try to open credit card or other accounts in someone else's name.
The Senate Finance committee is developing the legislation, and lawmakers say it might have a better chance of passage this year. Still, some lobbyists for retail and financial industries want provisions that consumer advocates oppose, such as one that would allow only identity-theft victims to put a freeze in place.
Other pending bills would require consumers to be notified as soon as possible if their information has been exposed; not doing so could result in fines.
One bill would levy fines of $500 per violation or the actual damages sustained as a result of the breach.