Some of the companies facing criticism for letting consumer data fall into the hands of identity thieves are among the biggest backers of proposed federal rules to safeguard personal information.

The reason: The companies fear even tougher state rules.

Bills introduced in Congress after some lapses at information broker ChoicePoint, LexisNexis and elsewhere would supersede the growing number of state laws, many of which have stricter standards on data brokers, banks and credit-reporting agencies.

Rigorous disclosure requirements in California’s law — the first in the nation, in effect since 2003 — brought many of the breaches to light. Following California’s lead, the number of states requiring companies to disclose the loss of sensitive personal information — credit-card and Social Security numbers, for example — has grown to 22. Twelve states, triple the number a year ago, allow some consumers to prevent credit applications from being made in their name or let consumers block access to their credit records.

“Many states are starting to deal with the problem,” said Susanna Montezemolo, a policy analyst for the nonprofit Consumers Union. “A national solution is great if done the right way, but it could actually set us back.”

Several of the federal bills have provisions that consumer advocates like, but the drafts keep changing and probably will be combined in the spring, said Chris Hoofnagle, West Coast director of the nonprofit Electronic Privacy Information Center.

Some of the bills would force disclosure of an information breach only when the company involved decided there was a “significant” risk of fraud — a loophole Consumers Union said would have stopped disclosure in dozens of the big 2005 cases.

The American Bankers Association said a high threshold for notification was necessary because otherwise consumers would get so used to being warned that they wouldn’t take the notices seriously.

Banks and information brokers also argue that without a uniform federal rule, most companies will end up complying with the toughest state law in order to have a uniform policy, in effect letting one state regulate national conduct.

Among the bills with the most powerful congressional supporters is one written by Sens. Arlen Specter of Pennsylvania and Patrick Leahy of Vermont, the Republican and Democratic leaders, respectively, of the Senate Judiciary Committee.

That bill calls for notification except when companies, after consulting with law enforcement, say there’s no significant risk of fraud.

It also would allow consumers to see what information data brokers, such as Alpharetta, Ga.-based ChoicePoint, have on them.

A bill sponsored by Rep. Cliff Stearns, R-Fla., of the House Energy and Commerce Committee also would require notification only in cases of significant risk.

And in going further toward the industry’s positions, it would apply only when information was “acquired” by a third party, not in all cases of lost information, and generally only if the information wasn’t encrypted.

Individuals would have no right to sue under the law.

Both bills would override state notification rules.

The spate of proposed laws follows continuing disclosures of big breaches. Identity theft is the most common fraud complaint to the Federal Trade Commission, which estimates that 10 million people a year discover accounts falsely opened in their name or are otherwise cheated. On a per-capita basis, Washington ranks eighth in incidence of identity theft.

Online transactions are less expensive for financial institutions to process, and security concerns have driven millions of people away.

To press their case, companies and industry groups have testified and written Congress. They’ve also underwritten studies that play down the threats of online identity theft.

Questionable statistics

In August, Indiana University law professor Fred Cate began circulating a paper arguing that some types of identity fraud were declining.

Cate, a frequent congressional witness and widely quoted authority on data security, declared: “Information security breaches are among the least common ways that personal information falls into the wrong hands. In 2005, the most common source of personal information that resulted in an identity-based fraud, by a factor of two to one over any other category, was ‘lost or stolen wallet, checkbook or credit card.’ ”

A footnote attributed that statistic to its original source, a January 2005 study by California-based Javelin Strategy & Research.

Javelin and several trade groups have trumpeted the finding for months, along with Javelin’s related conclusion that 72 percent of identity theft begins offline.

Cate failed to disclose that the relevant Javelin data came from the 54 percent of consumer-fraud victims surveyed who said they knew how their personal information was taken. The remaining 46 percent had no idea.

FTC officials said this year the latter group logically would include a much higher percentage of victims of major electronic security breaches, computer spyware and “phishing” — online come-ons that trick people into revealing their personal information.

“We have concerns with putting out, frankly, numbers like that,” said FTC Associate Director Lois Greisman. “I know if I’ve lost my purse. A big problem with phishing is that people have no idea they’ve been phished.”

The Federal Deposit Insurance Corp., which guarantees bank deposits, found the same fault with Javelin’s methods when the agency urged banks to do more to educate their customers on the risks of electronic transactions.

After a California privacy official complained to Cate that he hadn’t explained that his figures on where identity theft originates were only from victims who knew what had happened, he added that information in later drafts.

The Javelin study was funded by Visa USA, Wells Fargo and Norcross, Ga.-based online payment firm CheckFree, all of which profit from Internet banking. Cate is a paid adviser to the Center for Information Policy Leadership, based at the law firm of Richmond, Va.-based Hunton & Williams, which published the paper. The center describes itself as “member-driven.”

Those members include Experian, one of the three major credit bureaus selling detailed financial information on consumers to other businesses; LexisNexis Group; and Acxiom. LexisNexis and Acxiom are two of the largest brokers of financial data in the country.

LexisNexis said in June that thieves had used stolen passwords to obtain sensitive information on as many as 310,000 people.

In August, a Florida spammer named Scott Levine was convicted of evading Acxiom security to access 1.5 billion records, including credit-card information and e-mail and street addresses.

“Driven by hysteria”

Cate said his research wasn’t controlled by the center’s members and that his initial omission about the victim survey was an oversight. He stood by the rest of the paper.

“It’s an area of policy in which legislation is driven by hysteria,” Cate said. “There’s just very little theft of data going on that is actually being used to commit identity theft.”

Another study was announced this month by San Diego-based ID Analytics, which described its findings in House testimony, to senators on two relevant committees and to the media. That generated news stories with headlines including “ID Theft Fears Overblown, Study Says” and “Good News on ID Theft.”

The company earns money by helping banks figure out whether credit-card applications might be fraudulent. Banks are among the institutions most actively opposed to new notification requirements.

But ID Analytics looked only for what it called signs of “organized misuse” — for example, if a criminal gave himself away by using the same contact telephone number for two people whose information had been obtained in the same breach.

In an interview, ID Analytics Vice President Mike Cook said he didn’t know what proportion of fraud would leave that sort of fingerprint.