A Blow to Identity Thieves

Perhaps the only thing worse than learning that thieves have hijacked your Social Security and credit card numbers is to discover that you might have been able to stop them before they bought big screen TVs, leather jackets and a taste of the high life in Las Vegas.

The number of people who steal Social Security numbers to open credit card accounts, write bad checks and buy cars has surged in recent years. Usually, victimized consumers -- an estimated 700,000 last year -- don’t know they’ve been hit until the thieves have maxed out the credit cards and bill collectors start calling. Often it takes years to restore their good credit.

A welcome new law that took effect last week can help deter these identity crooks before they begin their shopping sprees. Assemblyman Joe Simitian’s (D-Palo Alto) AB 700 requires businesses and government agencies to quickly notify customers if their personal information might have been stolen from computer databases. In the past, some outfits have kept silent for weeks or months, either too embarrassed to acknowledge the break-in or indifferent to the consequences.

The law works like this: When an agency or company of any size, anywhere in the country, discovers that a hacker or other criminal may have obtained customers’ personal data, it must now inform Californians in that database of the security breach “without unreasonable delay.” This is a loose standard but better than the current lack of any standard, which gives consumers no way to measure liability.

If companies fail to notify, the fraud victims can sue for damages. Even better, consumers who know their personal information may have been stolen can cancel credit cards, close accounts or just monitor their bank statements more closely.

Acting on the principle that what’s good for Californians is good for all Americans, Sen. Dianne Feinstein (D-Calif.) introduced a bill last month to impose virtually the same notification requirements nationally.

Some consumer and business attorneys grumble that these measures should be more specific -- for example, spelling out how quickly individuals should be notified and under what circumstances.

The measures may indeed have to be tightened if businesses try to turn the vague language into loopholes. However, Simitian and Feinstein have struggled to help consumers without saddling business with costly burdens or impeding criminal fraud probes.

Legislation intended to prevent identity theft is much needed, and it treads new terrain. Simitian and Feinstein say their goal is as much to push businesses toward tighter information security as it is to prevent consumer rip-offs. These are worthy first efforts.