PRC's Privacy Update No. 3, Iss. 5

In this issue . . .

[1] Action Alert: Identity Theft Legislation: Will Congress Preempt Strong State Laws?

[2] Email Hoax: The Truth About the Do-Not-Call List

[3] Privacy Tip: New FTC Resource for Keeping Your Guard Online

[4] Update: Medications become Marketing Tool: Is Your Pharmacy Contacting You with Refill Reminders?


[1] Action Alert: Identity Theft Legislation: Will Congress Preempt Strong State Laws?

The rash of security breaches, made public this year, has continued to alarm consumers. A list of the breaches is available at:

Over 35 states responded by considering legislation to require that individuals be notified if their data has been compromised. At least 21 states enacted such laws. When notified about breaches, individuals are able to take precautions against identity theft, such as placing fraud alerts on their credit reports. Notification goes a long way in preventing people from eventually becoming victims.

Over 20 states also considered laws to enable consumers to freeze access to their credit reports. Credit freezes are considered to be the ultimate identity theft prevention tool. To date, at least 12 states have security freeze laws on the books. Some of these laws will not go into effect until 2006.

For more information on the breach notification laws see

For more information on the security freeze laws see

Congress is currently considering several bills that incorporate provisions enacted at the state level. Federal law can act either as a ceiling (as it does with the Federal CAN-SPAM act) or as a floor, leaving states the option to enact stronger standards (as in HIPAA).

Unfortunately, rather than build on strong state laws, most bills now being debated in Congress would not only adopt weaker standards, but would also eliminate existing state laws and prevent states from enacting stronger laws in the future.

Consumer and privacy advocates are challenging Congressional laws, not only regarding preemption, but also provisions that include a trigger for security breach notification. If the law includes a trigger, companies will not have to notify consumers unless in their opinion a data breach creates a "significant risk" of identity theft.

Advocates maintain that such a trigger is a fiction because many thieves hold onto personal information for months or even longer. It's nearly impossible to know if or when a fraudster will use personal information to commit identity theft. Relying on such a vague and unclear trigger drastically hampers consumer ability to prevent identity theft.

You can do two things to tell Congress that you want identity theft and computer security-related legislation to retain the strong provisions passed by the states. First, visit the Consumers Union action page and send an e-letter to Congress. That web site is

Second, contact the key Representatives and Senators in Congress and give them the same message. The legislative leaders that need to hear from you RIGHT AWAY are:

Your own legislators
Richard Shelby, Chairman, Senate Banking Committee
Paul Sarbanes, Ranking Member, Senate Banking Committee
Arlen Specter, Chairman, Senate Judiciary Committee
Patrick Leahy, Ranking Member, Senate Judiciary Committee
Joe Barton, Chairman of the House Commerce Committee
John Dingell, Ranking Member, House Commerce Committee
Mike Oxley, Chair, House Financial Services Committee
Barney Frank, Ranking Member, House Financial Services Committee

To learn the contact information for your own legislators, visit Click on "Committees & Subcommittees" to find the contact information for those listed above. Do NOT send letters through the mail. It will take too long to reach the members. Rather, phone or fax them as soon as you can.


[2] Email Hoax: The Truth About the Do-Not-Call List

An email warning that telemarketers will soon be targeting cell phones has been re-circulating. This email is a hoax according to the Federal Communications Commission (FCC).

The bogus email warns that with the release of a cell phone 411 directory (expected in 2006) telemarketer calls will flood consumer cell phones, creating enormous bills for consumers. The FCC clarified that this is not going to happen because in most cases telemarketing calls to cell phones are already illegal. For more information, see the full release at

To prevent sales calls from getting through, consumers should register their cell phone number with the Do-Not-Call Registry at Or call 888-382-1222.The registry has always included cell phone numbers. For more information see the PRC's alert on this matter, available at:


[3] Privacy Tip: New FTC Resource for Keeping Your Guard Online

The Federal Trade Commission has recently launched a new web site,, with tips on ways to safeguard yourself when you are online . OnguardOnline is a partnership between the FTC, other federal agencies, and the technology industry. The site offers advice on identity theft, phishing, spyware, spam, online shopping, P2P file sharing, and VOIP. It's available in English and Spanish.

Learn how you can guard against Internet fraud, secure your computer, and protect your personal information. And if you need to file a complaint, the site gives instructions. It provides videos, tutorials, and interactive programs on viruses and worms, spam filters, security tools, and more.

If you're an educator or in a position to distribute educational materials to others, you can order free brochures in bulk titled "Stop - Think - Click."


[4] Update: Medications Become Marketing Tool: Is Your Pharmacy Contacting You with Prescription Refill Reminders?

Last year the Privacy Rights Clearinghouse filed a lawsuit in California Superior Court charging supermarket giant Albertsons and its pharmacy units, SavOn, Osco, and Jewel-Osco, with violating the privacy rights and medical confidentiality of thousands of its customers. The suit charges that Albertsons pharmacies illegally use the confidential prescription information of their customers to conduct targeted marketing campaigns on behalf of drug companies.  Albertsons pharmacies get paid for this marketing by large drug companies, but proceed without customer consent or the knowledge of a customer's doctor.

Have you been contacted by phone or direct mail by your Albertsons pharmacist with reminders to refill your prescription or with suggestions to switch to or consider another prescription product?  If so, we want to hear from you. 

Most such "reminders" are thinly veiled marketing pitches, paid for by the major drug companies to increase sales.  Our suit states that pharmacies must give their customers an opt-in opportunity allowing such communications, as required by California law.  In other words, unless the customer says "yes" to being contacted, the pharmacy cannot contact them to sell drugs.  The practice of the pharmacies has been to provide customers with a way to stop the marketing but this is available only after the harm has occurred.

If you've received such communications, whether from Albertsons or another pharmacy chain, please contact PRC director Beth Givens at

To read more, visit our site at


  To subscribe to our free email newsletter, go to