Last year, when fraud artists purloined the personal records of at least 145,000 consumers from ChoicePoint, the massive data warehousing company, months went by before most of the victims found out. The only ones who got the news initially were the 35,000 who lived in California, then the only state to require customer notification when a company loses consumer data. Under a 2003 California law, any private firm, nonprofit organization or state government agency must alert consumers as soon as their personal data is stolen or lost.
As more and more personal information is warehoused by data brokers such as ChoicePoint--which alone has access to 19 billion records on Americans--consumers' exposure to identity theft will grow. Citizens are looking to states to respond to the threat with data-breach-notification laws or other rules giving citizens more control of their personal dossiers. Several legislatures have taken action in the past six months. But technology companies are fighting many of the proposals, and states are struggling to enact consumer protection laws with any real teeth. Meanwhile, national legislation being discussed in Congress could undo all the state-level work that's taken place so far.
In the past several months, headlines heralding identity thefts have become depressingly familiar. News of the ChoicePoint scandal--in which the company unwittingly sold private consumer data to con artists posing as legitimate businessmen--triggered a cascade of identity theft disclosures over the following months: Hackers stole data for 1.4 million consumers from Discount Shoe Warehouse Inc.; CitiFinancial lost information for 3.9 million of its customers; Bank of America misplaced identifying data for 1.2 million government workers; thieves absconded with personal information on more than 100,000 University of California graduate students and applicants. In June, MasterCard announced it had been victimized by a data heist that could affect 40 million credit card users.
In all, millions of Americans have been exposed to information fraud from at least 15 major data breaches over the past year. Some 39 percent of fraud complaints to the Federal Trade Commission in 2004 were for identity theft. That was an increase of 19 percent over 2003 and 61 percent over 2002. A 2003 survey by the FTC said identity theft was costing businesses, governments and consumers more than $53 billion a year.
It's not just that the thefts are becoming more common; it's also that the law in California and now in several other states is forcing companies to do more reporting of the problem. And additional requirements are taking effect all the time. According to the National Association of State Public Interest Research Groups, data-breach laws were introduced in at least 35 states in the first six months of this year. By the end of June, at least 15 states had passed some form of legislation, and bills in four other states were awaiting gubernatorial action. Some of these state laws include hefty fines for data brokers. Under new legislation in Florida, which went into effect July 1, companies will be fined $1,000 for every day they fail to disclose a data breach; a monthly fine of $50,000 kicks in after 30 days. Companies in Montana that fail to disclose the loss of consumer data face possible criminal charges and fines of $10,000 per violation.
Data and technology companies continue to insist that these laws are too broad to be really effective. Inundate consumers with alarms of every potential data loss, they say, and consumers will soon stop paying attention at all. "If you keep notifying consumers every time there may have been a data breach, it's like crying wolf," says Harris Miller, president of the Information Technology Association of America, a trade group representing the technology industry. "You're actually undermining the companies' ability to get customers to pay attention when there's a real data breach."
Miller's group recently opposed bills in Nevada and Minnesota because the measures failed to distinguish between important data breaches and inconsequential information losses. In the view of the ITAA, this would pave the way for "frivolous civil litigation." Additionally, the tech industry opposed the Nevada bill because it failed to differentiate between encrypted and non-encrypted data. Thieves who steal data that has been properly encrypted, they argue, abscond with mere gibberish, and no penalty against the company is appropriate.
In fact, though, groups such as ITAA have opposed virtually any state action regarding identity theft and customer notification, no matter how it may be written. Instead, they're pushing for a single nationwide law to standardize breach-disclosure requirements. Miller says the "hodgepodge of state laws" is confusing to both companies and consumers.
"Most of the companies impacted have customers in multiple states," Miller says, "and every state had its own slightly different legislation." He argues that a national breach-notification law--one that would preempt state measures and eliminate state-to-state disparities--would clarify and streamline the process of alerting customers when their private information is truly at risk. A few bills aimed at this result have been introduced in Congress. One, offered by California Senator Dianne Feinstein, is modeled on the existing California law. Another, sponsored by senators Arlen Specter of Pennsylvania and Patrick Leahy of Vermont, would limit the public display of consumers' Social Security numbers.
Consumer advocacy groups, however, fear that a national law would actually weaken disclosure standards. They worry that data storage companies and the finance industry would lobby for a national law less stringent than the ones some states are already putting in place. State-level breach-notification laws are critical. "We don't want to see federal law preempt state law here," says Linda Foley, of the Identity Theft Resource Center, a San Diego-based service center for victims of identity theft. If the federal government does enact a data-breach law, she says, "it should be the standard, not the ceiling."
At a minimum, consumer advocates say, any identity-theft law should provide for prompt notification whenever an individual's personal records have been stolen from a company that was storing them. And the notification must be a requirement, not an option for the company to undertake voluntarily. "We hope for the best," says Foley, "but we have to anticipate what to do in a worst-case scenario. Consumers need to be notified whenever there's unauthorized access, not when a decision is made by the company to disclose the breach."
Notification is not the only identity-theft issue currently being fought over at the state level. There is the question of document disposal, for example. Only a handful of states have laws mandating formal disposal of personal information when it is no longer needed, either by shredding paper documents or rendering electronic information unreadable. Such shredding regulations, some believe, might be a step toward ensuring that identity theft is not just reported but minimized.
Another option is to require police to file identity-theft crime reports in the jurisdiction where the victim lives. Currently, in most states, the report can be filed in the victim's jurisdiction, in the place where the crime occurred, or where the company that lost the data is headquartered. That inconsistency can make it more difficult for identity crimes to be solved. "We get this ping-ponging effect," Foley says. "It's too easy to say, 'Let this be an unsolved crime on someone else's desk.'"
Finally, states can enact data-freeze laws, allowing consumers to restrict access to their credit reports and block any new accounts being opened in their names. At the beginning of this year, four states had some sort of freeze law. Now 10 of them do. New Jersey is working on what would be the strongest credit-freeze law in the country. In June, its legislature passed a sweeping bill that would allow individuals to freeze their credit data by telephone or over the Internet, without having to contact the credit reporting agency in writing. Consumers could place a freeze at no cost in a matter of minutes and then lift it for a nominal $5 fee when they wanted to open a legitimate new account.
The information technology industry opposes all these state-level efforts, not just notification, arguing that the legislation as written has been too broad. "For every problem," says Harris Miller, of ITAA, "there's a solution that's simple, easy and wrong. We had this flurry of breach-notification stories that occurred late in state legislative sessions. Legislatures saw it as a good opportunity to show they're pro-consumer. We ended up with 'slam, bam, thank-you ma'am' legislation."
Consumer groups, on the other hand, say states have no choice but to act quickly and comprehensively if they want to prevent and control the additional identity crimes that all agree are coming. "We've heard a lot about identity theft this year," Foley says. "But this doesn't have to be 'the year of the breach.' It can be the year of starting to understand this problem, the year of protecting consumers, employees and companies."