State laws target identity theft

Multiple states enacted laws Sunday designed to help prevent identity theft after major security breaches compromised personal data for millions of consumers in 2005, including last week's incident at Marriott Vacation Club International.

New and existing state laws require timely notification of information breaches to affected customers, and related legislation allows consumers to freeze their credit reports as a means of identity-theft prevention and protection.

But similar federal legislation remains tied up in Congress, which is where consumer groups said it should stay while industry pushes for a tightly focused national breach-notification standard.

Twelve states have credit-freeze legislation, which allows residents to block new creditors from accessing their credit reports and helps prevent identity thieves from opening spending accounts using a stolen name.

Credit-freeze laws in Connecticut, Illinois and New Jersey were enacted Sunday, while Maine's will become effective Feb. 1 and Colorado's July 1.

"Quite simply, the states are again the ones doing strong laws and showing Congress the way," said Ed Mierzwinski, consumer-program director at the U.S. Public Interest Research Group in Washington. The freeze laws are the first attempt to give people control over their Social Security numbers, the "financial DNA that is strewn all over the place."

Consumer groups endorse the states' credit-freeze laws, but want them to apply to all consumers, not just identity-theft victims as some currently do, he said.

"The freeze is not an absolute save-all," said Jay Foley, co-director of the Identity Theft Resource Center, a nonprofit in San Diego that tracks the more than 130 breaches disclosed last year, potentially affecting more than 57 million people. "It's a tool for victims and for families with senior members who are not competent to handle their credit."

More than 20 states have breach-notification laws. There already is near national compliance with California's law, which was the first in the nation when enacted in 2003 to require companies to notify state residents when their unencrypted personal information is reasonably thought to have been compromised.

"If Congress fiddles with it, it will most likely result in a weaker law that pre-empts the best of the state laws," Mr. Mierzwinski said, adding that businesses have been lobbying for a weak federal law with notification "triggers" only when industry says the breach could be harmful.

Mike Zaneis, director of congressional and public affairs at the U.S. Chamber of Commerce, disagreed. "Industry is not looking for a weak federal law. We are proponents of a strong, national uniform standard on data security breach."

The chamber does not have an official position on credit freezes or other access and correction protocols, he said, but it encouraged the appropriate House and Senate committees to explore the best solutions after a strict breach-notification law is passed.

With commerce being so global now, it makes no sense to have multiple state notification laws, Mr. Zaneis said, because they are difficult for industry to comply with and confusing for consumers who could end up inundated with notices and then desensitized to the important ones.

Susanna Montezemolo, a policy analyst for the nonprofit Consumers Union in Washington, scoffed at that notion. By complying with the strongest state law, businesses would be meeting their own state's requirements, which benefits consumers.

Many companies are following the California standard, which is why Maryland, Virginia and D.C. residents receive notification if their information has been breached, even though their home states do not have laws requiring businesses to do so, she said.

Congress became involved last year after the high-profile breach at data broker ChoicePoint Inc. In February, the Alpharetta, Ga., company began notifying 145,000 consumers in numerous states that their personal information had been compromised.

High-profile breaches also were found at Bank of America Corp., shoe retailer DSW Inc. and other companies. The most recent occurred last week when Marriott's timeshare unit announced that it had to notify 206,000 employees, time-share owners and customers that their personal data may have been compromised after backup computer tapes went missing from an Orlando, Fla., office.

Consumer groups said they are not against a federal breach-notification law, but do not want Congress to pass legislation that outweighs tougher state standards.

"Let's either do it right or not to do it, federal government," Mr. Foley said. "This is far too important to mess around with."