Waging war on identity theft

By Kate Riley (Seattle Times)
9/5/2005 – Using credit these days seems more and more like wearing a hospital gown.

You might try to cover your “privates” by religiously shredding credit-card offers and old bills, but some of the companies you trust with your private information seem to be carelessly baring it to the world.

How else to explain the stupefying rash of consumer information security breaches in the past year?

Washington is a leader in helping consumers protect their identities, with the Legislature passing another batch of new laws this year. But federal legislation is needed to knit together a minimum standard among all states, while not superseding state laws with higher standards.

And more needs to be done on the front end, ending the laziness and loose ends evident at some companies with massive databases. The credit-card companies and their partners that made the breaches possible should be on the hook — not the retailers, which is often the case.

The development of the American credit system helped the nation flourish, permitting people to buy homes they couldn’t otherwise, to manage an unexpected large car repair or pay for holiday excess into the new year.

But with the advent of huge electronic databases and Internet connections, the private information that used to be safe on paper tucked away in a file now is ripe for the picking by enterprising e-hooligans.

Until recently, most state and federal laws were designed to help identity theft victims after the fact — when their information had been stolen. But the far-too-common examples of widespread breaches have spurred more-aggressive approaches — at least in some states, like California and Washington.

A hacker infiltrated CardSystems Solutions, putting 40 million cardholders at risk. CitiFinancial confessed tapes with data on 3.9 million customers were “misplaced” by a delivery person. ChoicePoint sold information on about 145,000 customers after being duped by crooks pretending to be legitimate businesses. DSW Shoe Warehouse, LexisNexis, Polo of Ralph Lauren, Wachovia Corp. and even the U.S. Air Force also made news with security breaches of personal data.

Don’t buy the “We are victims, too” line offered by some companies. Several of these breaches could have been avoided or minimized. For instance, CardSystems Solutions processes data when credit cards are scanned at the store and the data is supposed to quickly be purged. But CardSystems held information, in violation of its agreements with credit-card companies, for “research.” CitiFinancial’s misplaced tapes? Not even encrypted, although the company now is encrypting such data. ChoicePoint being fooled by impostors setting up phony businesses? Not a ringing endorsement of its sideline verifying the authenticity of businesses.

Getting these companies to notify consumers at risk can be difficult because of what’s at stake for them. ChoicePoint initially was going to notify consumers only in California, which enacted a notification law in 2003, but not in the other states with victims. Only later did the company relent and notify victims, including those in Washington. A similar Washington notification law went into effect July 24.

Efforts to pass federal legislation matching these state laws so far have been blocked by the financial-services industry. Legislation is pending again in Congress, but it will be an uphill battle.

Washington State Attorney General Rob McKenna has joined with 44 other states to pressure CardSystems to notify the 40 million consumers its breach put at risk. So far, that has not happened.

But McKenna, named financial-practices chairman of the National Association of Attorneys General, intends to continue Washington’s leadership in fighting identity theft. He convened an advisory council and plans a summit in November.

One possible outcome is one-stop reporting for identity-theft and credit-fraud victims, who now must run from the bank to the police station to the copy store to fax various documents to companies that insist the victims owe them money.

That will help after the crime is committed. But more needs to be done on the corporate end, requiring companies to adopt physical and technological security measures to protect private information from thieves, disclose breaches — and pay the bills when they come due.

Kate Riley’s column appears regularly on editorial pages of The Times. Her e-mail address is kriley@seattletimes.com

Copyright © 2005 The Seattle Times Company
