Identity theft: big enough to steal lawmakers' attention
In the wake of large-scale digital break-ins, legislatures consider a range of measures to protect consumers.
BOSTON — Sandra Pochapin learned a few key lessons from her ordeal with identity theft. Among them: Check the mail early.
Had she done so, she may have gotten the replacement credit card in her mailbox. Instead, a thief lifted the card and took it on on a $1,200 shopping spree at Lord & Taylor.
Ms. Pochapin eventually recouped her money, but the incident haunted her for months afterward, as the criminal opened other new accounts in her name.
She recalls a Macy's representative calling to ask about a $2,400 bill on her new store card. "I asked them, 'How could you open an account in my name if I already have an account there?' " said Pochapin, testifying recently in front of the Massachusetts state legislature.
Experiences of people like Pochapin, and break-ins at large databases that hold Americans' most sensitive personal information, have grown severe enough in recent months to prompt a new wave of protective legislation by lawmakers at the state and federal level.
The bills are designed to address various aspects of the threat, but, as identity thieves find new ways to ply their trade, the efforts represent a daunting race against crime.
One rising form of legislation, the one being considered here in Massachusetts, allows consumers to freeze third-party access to their credit reports.
"If a security freeze [on my credit reports] had been implemented, this couldn't have happened," said Pochapin. While she admits the thief could have still had a field day at Lord & Taylor, "They wouldn't have been able to open other accounts," since companies don't give out credit cards if they can't review a potential client's credit rating.
Ten states now have credit-freeze laws, with a New Jersey bill awaiting the promised signature of Gov. Richard Codey.
While lauded by many consumer advocates, such measures hint at the challenges of combatting ID theft. Opponents say such laws are intrusive measures that clunk up business practices. Others question if any law can protect personal information from determined hackers.
At the least, if current laws aren't deterring high-tech burglars, neither are security measures. On June 17, MasterCard announced a break-in to the database of payment-processor CardSystems Solutions. The heist, by far the biggest of its kind to date, compromised the account records for millions of Visa USA, American Express, Discover, and MasterCard holders. But MasterCard said a much smaller number of people faced a real risk of identity theft from the breach.
What infuriates ID theft activists is that up until this year, California was the only state that forced credit-card companies to notify their customers about such a raid. There, companies must tell their clients about breaches to electronic, unencrypted databases. Now, 15 states have some sort of breach law, and four more bills await a governor's signature.
"We think the California law provides a good model for other states and the federal government to follow," says Marc Rotenberg, president of the Electronic Privacy Information Center.
In that vein, Sen. Dianne Feinstein (D) of California is pushing Senate Bill 751, which goes beyond her state's law by requiring companies to notify consumers of unauthorized access to paper caches and encrypted files.
"The senator has been working on ID theft for over five years. She thought that not just California should have this right. The recent database breaches really underscore the need for this kind of legislation," says Scott Gerber, the senator's spokesman.
Representatives from credit-card companies disagree that such steps are needed. J.P. Morgan Chase, for example, has stated that cardholders will not be contacted unless the firm believes they are victims of, or highly susceptible to, fraud.
Credit card companies say they are trying to stave off unneeded panic. And costs are an issue as well; if a new card costs $30 to create, 40 million cancelled cards would cost $12 billion to replace.
For Mr. Rotenberg, bills like Feinstein's come too late to help many ID theft victims. "We also want to focus on the question of how do you reduce the breaches before they take place," he says.
So do some lawmakers. This year, Sens. Charles Schumer (D) of New York and Bill Nelson (D) of Florida introduced the Comprehensive Identity Theft Prevention Act. Among that bills' provisions: the establishment of an Office of Identity Theft within the Federal Trade Commission, and provisions that "data merchants" establish authentication, tracking, and safeguarding processes for third parties that want to access personal information.
The bill also has language on notifying consumers of database break-ins. All put together, the legislation could create a nightmare for credit-card companies: In a case like CardSystems, fines are slapped down by the federal government and customers across the nation ask for credit report freezes, which keeps consumers from opening new credit accounts.
Critics warn that such laws could hold unintended consequences for consumers.
"This should be about meeting consumer expectations," said Eric Ellman, director of government relations for the Consumer Data Industry Association, testifying against credit-report freezes in Massachusetts. In emergency situations where credit is crucial, frozen reports would slow access to funds, he says. In addition, obstacles to credit would deter companies from pushing promotional deals, like 10 percent discount cards.
But state lawmakers were skeptical. "It seems there's a very paternalistic theme to those comments, which is 'We know what's best for consumers,'" said Massachusetts state Rep William M. Straus.
He said the issue should be turned over to the victims of ID theft: "Would they trade a 10 percent discount from Sears for everything they've been through?"