BOSTON (4/1/08)--Credit unions backing state privacy and data breach bills might want to check the bills they're supporting for loopholes such as the one exposed in Massachusetts' new data privacy law when grocery chain Hannaford Bros. disclosed a sophisticated, first-of-its-kind data breach.

The Massachusetts statute, like many similar statutes, requires companies to notify state officials and residents when they lose control of records that could lead to the theft of personal information such as a person's name and credit card number. State officials say the law applied in the case of the Hannaford breach, according to the Boston Globe (March 30).

Even though it disclosed the breach, Hannaford says it was not required to make such a disclosure, even after it learned the information from the cards was sent overseas. Hannaford's General Counsel Emily D. Dickinson wrote in a letter to Massachusetts Attorney General Martha Coakley and the state Office of Consumer Affairs and Business Regulation that the loss of card numbers alone does not amount to loss of personal information, as defined by Massachusetts law. She added that Hannaford's notice to regulators was a form of voluntary cooperation. The company did not believe that notice of the breach was required.

Thirty-nine states have laws requiring some form of disclosure following a breach. Most say the companies involved must file reports when they lose card data with customers' names and other personal details. They don't address what happens when a company experiences the loss of just numbers, without the customers' names, as happened in the Hannaford breach.

Most laws include names and data because together they constitute potential identity theft, said Chris Hoofnagle, a specialist in privacy law at the University of California. Hoofnagle told the Globe that losing only numbers is considered less threatening because there's less chance of abuse and because card issuers often forgive many fraudulent charges.

Hannaford revealed on March 17 that 300 stores in its system were compromised by a first-of-its-kind data breach that illicitly placed software on the stores' servers and lifted credit and card numbers and expiration dates of 4.2 million customers. The breach was discovered on Feb. 27. The company disclosed the details in stages, through a press release, a statement on its website, and the letter to the Massachusetts regulators.