California Law on ID Theft Seen as Model

When con artists recently illegally gained access to the Social Security numbers and other sensitive personal data of nearly 145,000 people, only the 35,000 Californians affected were initially notified by ChoicePoint, the data collection giant that mistakenly disclosed the information.

That’s because California, often a pioneer in consumer protection, is the only state that requires companies to notify consumers when their credit information is stolen.

Just days after Georgia-based Choice Point disclosed the security breech, legislation modeled on California’s two year-old notification policy was proposed in the Georgia legislature. The Georgia proposal, which passed the Senate and is awaiting House action, would regulate “data brokers” such as ChoicePoint that buy and sell consumers’ personal information.

Colorado, Maryland and Ohio were also among states where lawmakers moved to tighten laws in light of the ChoicePoint blunder, an incident in early March in which Lexis-Nexis data was illegally accessed and one in February where hotel heiress Paris Hilton’s data was stolen.

Twenty six states in all are considering security breech notification proposals this year, many of them at the urging of the state attorney general. It was only at the prodding of a coalition of attorneys general from 19 states that ChoicePoint agreed to notify everyone whose personal information had been compromised.

“It was because of (our) notification law that anyone knew about the ChoicePoint breech,” said Joanne McNabb, chief of California’s Office of Privacy Protection. “They wouldn’t necessarily have been telling anybody.”

Although states have been working to implement stronger identity theft protections for several years, the recent high-profile identity theft cases thrust the issue into consumer consciousness.

“California’s protection really foresaw this problem in a way other states didn’t, so I think other states were a bit jealous, if you will, in wanting to do at least as well as California,” said Chris Hoofnagle, associate director of the Electronic Privacy Information Center, a Washington-based advocacy group.

A 2002 California law that allows consumers to “freeze” their credit records also could help prevent identity theft, experts say. Under the law, credit bureaus can only allow certain authorized entities – like banks – to access records for monitoring purposes

“The freeze is much more important than notice because the freeze operates as an impenetrable shield against identity theft,” Hoofnagle said.

In California, the option to freeze credit records is free for identity theft victims and available to anyone for a small fee.

Louisiana, Texas and Vermont also allow people to freeze their credit records. Nineteen more are considering similar legislation this year.

Identity thieves generally victimize consumers by stealing their personal information and using it to obtain credit in the victim’s name. So limiting disclosure of credit information released by credit bureaus – there are only three major U.S. credit bureaus – makes it more difficult for would-be thieves to access credit information, Hoofnagle said.

In California, consumers can “thaw,” or temporarily lift, the freeze on their records in the event that a legitimate creditor needs to perform a credit check.

“People who would likely be very inconvenienced by a freeze of their credit history are young people who are entering the credit market, who are buying houses, buying cars and applying for new credit,” McNabb of the California privacy office, said. “They might find it inconvenient to keep thawing and re-freezing. People who wouldn’t find it inconvenient are people who are not actively in the market for new credit or somebody who is really concerned about identity theft.”

States also have enacted other measures aimed at curbing identity theft:

• Forty-eight states (the only exceptions are Colorado and Vermont) specifically criminalize identity theft.
• Five states (Alabama, California, Colorado, Idaho and Washington) have laws requiring credit bureaus to remove inaccurate information from consumers’ credit reports.
• A Rhode Island law strictly limits the circumstances under which a consumer can be required to furnish a Social Security number to make a purchase.

According to a Feb. 1 report from the Federal Trade Commission, identity theft accounted for 39 percent fraud complaints nationwide in 2004. Arizona led the nation with the highest per-capita incidence, followed by Nevada, California, Texas and Colorado, according to the report.

Some privacy advocates have called on Congress to implement California-style identity-theft protections nationwide. In 2003, Congress acted to allow individuals to get one free credit report from each of the three credit agencies a year.