By Adam Karlin, Contributor to The Christian Science Monitor
BOSTON - Sandra Pochapin learned a few key lessons from her ordeal
with identity theft. Among them: Check the mail early.
Had she done so, she may have gotten the replacement credit card in
her mailbox. Instead, a thief lifted the card and took it on a $1,200
shopping spree at Lord & Taylor.
Ms. Pochapin eventually recouped her money, but the incident haunted
her for months afterward, as the criminal opened other new accounts in
her name.
She recalls a Macy's representative calling to ask about a $2,400 bill
on her new store card. "I asked them, 'How could you open an account
in my name if I already have an account there?' " said Pochapin,
testifying recently in front of the Massachusetts state legislature.
Experiences of people like Pochapin, and break-ins at large databases
that hold Americans' most sensitive personal information, have grown
severe enough in recent months to prompt a new wave of protective
legislation by lawmakers at the state and federal level.
The bills are designed to address various aspects of the threat, but,
as identity thieves find new ways to ply their trade, the efforts
represent a daunting race against crime.
Credit-freeze laws growing
One rising form of legislation, the one being considered here in
Massachusetts, allows consumers to freeze third-party access to their
credit reports.
"If a security freeze [on my credit reports] had been implemented,
this couldn't have happened," said Pochapin. While she admits the
thief could have still had a field day at Lord & Taylor, "They
wouldn't have been able to open other accounts," since companies don't
give out credit cards if they can't review a potential client's credit
rating.
Ten states now have credit-freeze laws, with a New Jersey bill
awaiting the promised signature of Gov. Richard Codey.
While lauded by many consumer advocates, such measures hint at the
challenges of combatting ID theft. Opponents say such laws are
intrusive measures that clunk up business practices. Others question
if any law can protect personal information from determined hackers.
At the least, if current laws aren't deterring high-tech burglars,
neither are security measures. On June 17, MasterCard announced a
break-in to the database of payment-processor CardSystems
Solutions. The heist, by far the biggest of its kind to date,
compromised the account records for millions of Visa USA, American
Express, Discover, and MasterCard holders. But MasterCard said a much
smaller number of people faced a real risk of identity theft from the
breach.
Cardholders honored in a breach
What infuriates ID theft activists is that up until this year,
California was the only state that forced credit-card companies to
notify their customers about such a raid. There, companies must tell
their clients about breaches to electronic, unencrypted
databases. Now, 15 states have some sort of breach law, and four more
bills await a governor's signature.
"We think the California law provides a good model for other states
and the federal government to follow," says Marc Rotenberg, president
of the Electronic Privacy Information Center.
In that vein, Sen. Dianne Feinstein (D) of California is pushing
Senate Bill 751, which goes beyond her state's law requiring companies
to notify consumers of unauthorized access to paper caches and
encrypted files.
"The senator has been working on ID theft for over five years. She
thought that not just California should have this right. The recent
database breaches really underscore the need for this kind of
legislation," says Scott Gerber, the senator's spokesman.
Representatives from credit-card companies disagree that such steps
are needed. J.P. Morgan Chase, for example, has stated that
cardholders will not be contacted unless the firm believes they are
victims of, or highly susceptible to, fraud.
Credit card companies say they are trying to stave off unneeded
panic. And costs are an issue as well; if a new card costs $3 to
create, 40 million cancelled cards would cost $12 billion to replace.
The next phase: prevention
For Mr. Rotenberg, bills like Feinstein's come too late to help many
ID theft victims. "We also want to focus on the question of how do you
reduce the breaches before they take place," he says.
So do some lawmakers. This year, Sens. Charles Schumer (D) of New York
and Bill Nelson (D) of Florida introduced the Comprehensive Identity
Theft Prevention Act. Among that bills' provisions: the establishment
of an Office of Identity Theft within the Federal Trade Commission,
and provisions that "data merchants" establish authentication,
tracking, and safeguarding processes for third parties that want to
access personal information.
The bill also has language on notifying consumers of database
break-ins. All put together, the legislation could create a nightmare
for credit-card companies: In a case like CardSystems, fines are
slapped down by the federal government and customers across the nation
ask for credit report freezes, which keeps consumers from opening new
credit accounts.
Critics warn that such laws could hold unintended consequences for
consumers.
"This should be about meeting consumer expectations," said Eric
Ellman, director of government relations for the Consumer Data
Industry Association, testifying against credit-report freezes in
Massachusetts. In emergency situations where credit is crucial, frozen
reports would slow access to funds, he says. In addition, obstacles to
credit would deter companies from pushing promotional deals, like 10
percent discount cards.
But state lawmakers were skeptical. "It seems there's a very
paternalistic theme to those comments, which is 'We know what's best
for consumers,'" said Massachusetts state Rep William M. Straus.
He said the issue should be turned over to the victims of ID theft:
"Would they trade a 10 percent discount from Sears for everything
they've been through?"
Copyright 2005 The Christian Science Monitor. All rights reserved.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily.
*** FAIR USE NOTICE. This message contains copyrighted material the
use of which has not been specifically authorized by the copyright
owner. This Internet discussion group is making it available without
profit to group members who have expressed a prior interest in
receiving the included information in their efforts to advance the
understanding of literary, educational, political, and economic
issues, for non-profit research and educational purposes only. I
believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish
to use this copyrighted material for purposes of your own that go
beyond 'fair use,' you must obtain permission from the copyright
owner, in this instance, The Christian Science Publishing Society.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
Adam Karlin (karlin@telecom-digest.org)