Where Credit Is Due

The California Legislature, so poorly regarded these days, deserves a round of thanks from the state’s consumers. Without a state law passed in 2002, credit card holders might still be in the dark about last week’s massive security breach at an Arizona credit card payment processor. The law, written by then-Sen. Steve Peace (D-El Cajon), required card companies to swiftly notify California customers of data thefts like the one that exposed 40 million MasterCard, Visa and other cards to potential fraud.

The rest of the nation owes thanks too, because once the news is out in California, it’s out everywhere. New York is offering the sincerest form of flattery, developing a consumer protection bill similar to California’s.

Which brings up a point about Congress: Why are the states having to pick up what should be a national responsibility? Unfortunately, even when Congress does act, the powerful financial services industry often succeeds in blocking or diluting consumer protection. Sen. Dianne Feinstein (D-Calif.) introduced legislation copying California’s disclosure law last year and again this April. She’s still fighting to get it out of committee to a floor vote.

On Monday, the U.S. 9th Circuit Court of Appeals ruled that a weaker federal law preempts part of another landmark California law, this one allowing consumers to opt out of having their personal information sold or shared. If that decision stands, California consumers will no longer be able to block banks’ sharing of their personal information with corporate affiliates, such as insurance companies.

State Sen. Jackie Speier (D-Hillsborough), who sponsored the state’s 2003 privacy act, sees the issue as uniquely resonant in California. For instance, the right to privacy was enshrined in the state Constitution in 1974, along with life, liberty and the pursuit of happiness. Violent movie-star stalkers who easily gathered addresses and other information from public sources also spurred privacy legislation.

Speier is now sponsoring legislation that would affect companies like ChoicePoint and LexisNexis, which vacuum up and repackage all kinds of personal and financial information for resale. Recently, both companies were hit by apparent identity thieves posing as legitimate companies. (Again, it was only California law that required them to disclose the thefts.) Speier’s new bill would require these so-called data brokers to tell consumers what personal, identifiable information is in their files and where it came from, and to “reinvestigate” disputed information.

The continuing spate of security breaches and thefts may force Congress to do more for consumers. In the end, though, no law will provide absolute safety from identity theft or fend off voracious marketers. Regular checks on one’s credit data and close reading of credit card statements are the first line of defense.