
Fall 2005

U.S. PIRG Citizen Agenda



While Congress Stalls On Identity Theft, States Are Taking Action


—by Ed Mierzwinski, U.S. PIRG Consumer Program Director

Identity theft is now the nation’s fastest growing crime.

Yet while some people accept identity theft as an unfortunate byproduct of today’s fast-paced, Information Age economy, I beg to differ.

There are some very simple reasons why identity theft is growing, and they have little to do with the growing sophistication of identity thieves. Consider:

• Banks, credit card companies and other financial institutions are gathering more personal information on their customers than ever before—almost always without the customers’ consent. Only California has enacted a law requiring strong consumer consent before sharing and selling these confidential dossiers, but the law is under threat of court repeal after a lawsuit by the banks, backed by their federal regulators.

• As technological advances have made it easier to transmit information in the blink of an eye, data-dealing has become big business—companies are also sharing or selling this information like never before. Two relatively young companies, ChoicePoint (founded in 1997) and Acxiom (founded in 1969), are each billion-dollar database businesses selling virtually unregulated records on nearly every adult American to businesses and government agencies.

According to Washington Post reporter Robert O’Harrow’s new book No Place To Hide: It’s not just names, ages, addresses, and telephone numbers. The computers in Acxiom’s rooms also hold billions of records about marital status and families and ages of children. They track individuals’ estimated incomes, the value of their homes, the make and price of their cars. They maintain unlisted phone numbers and details about people’s occupations, religions, and ethnicities. They sometimes know what some people read, what they order over the phone and online, and where they go on vacation.

• Too often, a bank or credit card company handles this information with little regard to the interests of the customer. In many cases, identity thieves have gained access to bank or credit card accounts by simply buying the personal data that can unlock these accounts—for as little as $6 for each credit report illegally obtained.

Don’t get me wrong. Identity thieves deserve to be punished. And even with the best of precautions in place, they’ll continue to prey on vulnerable consumers. But the best of precautions are not in place. If you want to find out why, a good place to start is the U.S. Capitol.

The Data Dealer Protection Law
In 2003, the pressure on Congress to do something about identity theft had reached new heights, thanks in part to research and public education by U.S. PIRG and the state PIRGs. (We released our first report on the problem back in 1996.) Yet while Congress purported to act on behalf of consumers, the law that emerged from the Capitol that year was, in fact, largely shaped by lobbyists for banks, credit card companies, credit reporting bureaus and retailers. For instance:

• The industry had already adopted many of the “reforms” included in the law as standard practices, including the right to put a “fraud alert” on your credit report.

• Even though these practices were standard, the credit card industry insisted upon—and won—a provision shielding the industry from lawsuits if individual companies ignored the law.

• Worst of all, the industry lobbyists convinced Congress to prevent states from passing many stronger laws to stop identity theft.

My consumer advocate colleagues and I managed one small victory, convincing Congress to force credit bureaus to give consumers one free credit report per year.

Yet even this innocuous requirement was adopted over the fierce objections of the credit bureaus—which derive a growing share of their revenue from selling identity theft protection services to consumers. (Ironically, of course, that revenue is growing in part because lax credit industry practices make it easy for identity thieves to gain access to bank account numbers and other personal data.) A more accurate name for the law, dubbed the Fair and Accurate Credit Transactions (FACT) Act by its congressional backers, would be the Data Dealer Protection Law.

ChoicePoint Opens A Window
While the law preempted most state action on the issue, it did allow a narrow window for state-level reform. For example, while the states cannot perfect the federal right to a fraud alert, the states can enact security freezes, because Congress did not include a freeze in the FACT Act. PIRG joined Consumers Union (publishers of Consumer Reports) to draft state legislation to prevent identity theft, modeled on several PIRG-backed laws that had been adopted earlier in California.

In 2005, our proposal gained momentum in the wake of a series of well-publicized security breaches at major firms and institutions. The wave began in February when ChoicePoint, a little-known but giant data broker, disclosed that it had sold detailed dossiers on 145,000 Americans to identity thieves who had posed as businesses.

While I’m sure you heard about the ChoicePoint debacle, the breach might never have become public had it not been for one of those PIRG-backed state laws. Forced by the law to disclose the breach to California consumers, ChoicePoint came under pressure from attorneys general in other states. They successfully pressured ChoicePoint to come clean across the country. Within months, a cascade of similar problems became public, including breaches of security at Bank of America, Citigroup, and even DSW Shoe Warehouse. All told, at least 50 million Americans have seen their financial security put at risk by sloppy practices at some of the nation’s top financial institutions and retailers so far in 2005.

The publicity, of course, only helped PIRG and other consumer advocates make the case for our model identity theft legislation. In the beginning of 2005, only four states had state security freeze laws on the books: California and Louisiana for all consumers and Texas and Vermont for identity theft victims. This year, 27 states have filed security freeze bills, including California and Texas, which have filed bills to strengthen their existing security freeze laws.

As of June 28, 2005, a total of 10 states now have laws allowing consumers to restrict access to their credit reports. In addition, the New Jersey General Assembly has passed what would be the strongest security freeze law in the country. It is expected to be signed in September.

We only know about the ChoicePoint security breach because of a California law requiring businesses, nonprofits and state public institutions to notify consumers when their personal information has been compromised. This year, security breach notification legislation was introduced in at least 35 states. As of September 1, 2005, at least 19 states have passed security breach notification laws, and similar bills await the governor’s signature in New Jersey and North Carolina.

Will Data Dealers Be Rescued?
The good news is that Congress is now considering at least six major proposals to enact similar federal laws. The bad news is that most of these proposals are weaker than those already enacted by the states and all would permanently override the state rules.

For example, in late August, the Senate Commerce Committee passed S 1408 on a voice vote. While it is commendable that the bill is bipartisan, its freeze protection is weaker than those in nearly every state that has passed a law so far, and its preemption provision is sweeping.

Meanwhile, as the data dealers continue to let more of our personal information fall into the wrong hands, the industry is reaping an estimated $1 billion per year in “identity theft protection” products and services.

Talk about adding insult to injury! It’s time to hold the data dealers accountable for their sloppy practices. It’s time to restore more control over our personal information to where it rightfully belongs, in the hands of the consumer. More and more states are taking up this challenge.

We need Congress to side with consumers instead of with the data dealers. If we really want to stop identity theft, we've got to tell Congress to either lead, follow or get out of the states' way.

 



U.S. PUBLIC INTEREST RESEARCH GROUP
218 D St., SE • Washington, DC 20003 • (202) 546-9707
