WORKING FOR BETTER IDENTITY THEFT REGULATION—PIRG Consumer Advocate Ed Mierzwinski appeared on ABC to call on Congress to pass meaningful identity theft reform laws.

—by Ed Mierzwinski, consumer advocate for WISPIRGs’ Washington, D.C. office.

Identity theft is now the nation’s fastest-growing crime. While some people accept identity theft as an unfortunate byproduct of today’s fast-paced, Information Age economy, I beg to differ.

There’s a very simple reason why identity theft is growing, and it’s not because identity thieves are getting smarter. Consider:

• Banks, credit card companies and other financial institutions gather more personal information today than ever before—almost always without the customer’s consent. Only California has enacted a strong law requiring consumer consent before sharing and selling these confidential dossiers, and that law is under threat of being rolled back thanks to a lawsuit by the banks.

• As technological advances have made it easier to transmit information, data-dealing has become big business. ChoicePoint and Acxiom are each billion-dollar database businesses selling virtually unregulated records on nearly every American to businesses and government agencies.

According to Washington Post reporter Robert O’Harrow’s new book “No Place To Hide”, “It’s not just names, ages, addresses, and telephone numbers. The computers in [Acxiom’s] rooms also hold billions of records about marital status and families and ages of children. They track individuals’ estimated incomes, the value of their homes, the make and price of their cars. They maintain unlisted phone numbers and details about people’s occupations, religions, and ethnicities.”

• Too often, a bank or credit card company handles this information with little regard for the security of the customer. In many cases, identity thieves have easily gained access to credit card accounts by buying the personal data that can unlock these accounts—for as little as $6 for each credit report illegally obtained.

Don’t get me wrong. Identity thieves deserve to be punished, but even with the best precautions in place, they’ll continue to prey on consumers. However, the banks and data dealers routinely leave the doors unlocked, the fence open, and the night watchman asleep. If you want to find out why, a good place to start is the U.S. Capitol.

A Data Dealer Protection Law
In 2003, the pressure on Congress to do something about identity theft had reached new heights, thanks in part to research and public education by WISPIRG and the other state PIRGs. (We released our first report on the problem way back in 1996.)

Yet while Congress purported to act on behalf of consumers, the law that emerged from the Capitol that year was, in fact, largely shaped by lobbyists for banks, credit card companies and retailers.

The credit card industry insisted upon—and won—a provision shielding the industry from lawsuits if individual companies ignored the law. Worst of all, the industry lobbyists convinced Congress to prevent the states from passing stronger laws that would stop identity theft.

My colleagues and I managed one small victory against the wealthy and powerful data dealers—convincing Congress to force credit bureaus to give consumers one free credit report per year. That way, consumers can check their credit status without paying the data dealers who left them open to attack.

Despite our hard work, the Fair and Accurate Credit Transactions (FACT) Act looks more like the Data Dealer Protection Law.

ChoicePoint Breach A Break
While the 2003 law prevented most state action on the issue, it did allow a narrow window for state-level reform to experiment in areas where Congress was silent.

In 2004, PIRG joined Consumers Union (publishers of Consumer Reports) in drafting model state legislation to prevent identity theft, based on several CALPIRG-backed laws that had been adopted earlier in California.

In the wake of a series of well-publicized security breaches at major companies, our proposal gained momentum. The wave began in February when ChoicePoint, a little-known but giant data broker, disclosed that it had sold detailed dossiers on 145,000 Americans to identity thieves.

I’m sure you heard about the ChoicePoint debacle. You might not have heard that it was a PIRG-backed California law that made this exposé possible in the first place. Forced by the law to disclose the breach to California consumers, ChoicePoint came under pressure from other states. State attornies general and advocates in those states successfully pressured ChoicePoint to come clean across the country.

Within months, a cascade of similar problems became public, including breaches of security at Bank of America, Citigroup, and even DSW Shoe Warehouse. At least 50 million Americans saw their financial security put at risk by sloppy practices at some of the nation’s top financial institutions and retailers.

The publicity, of course, only helped WISPIRG and our allies make the case for our model identity theft legislation. Not only did at least 27 states consider security freeze bills—at least eight more states enacted them. California and Texas filed bills to strengthen their existing laws—giving consumers more control of their credit reports.

We’ll only know about the ChoicePoint security breaches of the future if businesses, non-profits and other public institutions are required to notify consumers when their valuable personal information has been compromised.

As of Sept. 1, 2005, 19 states have passed security breach laws.

Data Dealer Bailout Two?
The good news is that Congress is now considering at least six major proposals to enact federal laws based on those in the states. The bad news is that most of these proposals are weaker than those already enacted by the states and all would permanently override the state rules.

Meanwhile, as the data dealers continue to let more of our personal information fall into the wrong hands, the industry is reaping an estimated $1 billion per year in “credit monitoring” services. Talk about adding insult to injury!

It’s time to hold the data dealers accountable for their sloppy practices, and return control of our personal information to where it rightfully belongs—in the hands of the consumer.

We need Congress to side with consumers instead of the data dealers. But if we really want to stop identity theft, we’ve got to tell Congress: Either lead, follow, or get out of the states’ way.