Making California a Safe Place for Consumers

Long before identity theft reached epidemic proportions, California state Sen. Debra Bowen was pushing laws to protect consumers’ private information.

The Democrat from Marina del Rey was proposing privacy bills as early as 1995 and in 2001 pushed through a state law restricting access to Social Security numbers, which are the keys to unlocking enough personal information for thieves to apply for credit in someone else’s name.

Bowen is part of a cadre of state and federal legislators who have made progress against identity theft but continue to seek ways to stem the flow of lost and stolen personal information that feeds it.

Identity theft has been the No. 1 consumer fraud complaint for five years running, according to the Federal Trade Commission, which estimates that 10 million people are hit each year.

Two different surveys, by Chubb Group and Deloitte & Touche, found that 1 in 5 consumers reported having been victimized.

But the once-exponential growth of identity theft is beginning to taper off, government officials say.

And California, long the identity theft capital of the country, is seeing slower growth than the national average, with an 11% increase in reported cases last year compared with a 14.6% hike nationwide.

Part of the reason that California has made some progress is that the Golden State has the strongest privacy protections in the country, said Kerry Smith, senior consumer attorney with the State Public Interest Research Group in Philadelphia.

Thanks to Bowen’s 2001 law, banks, insurers and credit card companies must truncate Social Security and credit card numbers sent to Californians in the mail, and healthcare cards can no longer list Social Security numbers as an identifier.

The state’s residents also have the right to freeze their credit reports, and they’re among a fortunate few in the nation who have the right to be notified if their personal information is compromised.

Bowen continues to try to build on those regulations. “We’ve got to make sure that private information is going out in fewer places,” Bowen said last week.

This year she proposed a bill that would strengthen the state’s notification law, and she is considering legislation that would establish data handling standards for industry to prevent some of the seemingly careless gaffes -- lost or stolen computers containing unencrypted consumer information, for instance -- that have exposed more than 58 million Americans to identity theft in the last two years alone.

“There are no laws affecting how people in the private sector handle data,” she said. “The number of times that there’s a laptop stolen, or there’s some mistaken transfer of data with no encryption, no tracking and no consequences, is phenomenal. We are at the early end of this, but we are starting to look at whether there should be standards for the handling of personally sensitive information -- or at the very least, some system to penalize companies that have been negligent.”

Bowen and other California legislators are also trying to expand privacy rights to residents of other states. Democratic U.S. Sen. Dianne Feinstein recently sponsored a bill to extend to all Americans the right to be notified of a security breach.

As of January, only Californians had the right to be notified when companies lost track of their personal identifying information, such as Social Security and credit card numbers or driver’s license information, said consumer attorney Smith.

That notification is important, experts say, because it can give the consumers the ability to put a fraud alert on their credit file, preventing criminals from obtaining credit in their names.

“Identity theft is a national problem that requires a federal solution,” Feinstein said in recent congressional testimony. “One strong notification standard is what we need, not a patchwork of state laws.”

This year, notification laws were proposed in 35 states -- 14 of which were successful and will go into effect in the next 12 months; 27 states proposed data freeze laws.

With privacy laws changing so rapidly, Jennie Bretschneider, a Bowen staffer, said one of the challenges was to inform consumers about the rights they already have. “We know that our data freeze law isn’t used very much because very few people are aware of it,” she said. “One of our big challenges is getting the word out.”

What rights do consumers have to battle identity thieves? And what rights are they likely to get through pending legislation?

Notification: Fifteen states, including California, have laws on the books requiring companies to notify consumers when they lose track of their personal information, exposing them to identity theft, Smith said. The other states, which passed their laws this year, are Arkansas, Connecticut, Florida, Georgia, Illinois, Indiana, Maine, Minnesota, Montana, Nevada, North Dakota, Tennessee, Texas and Washington.

Bowen notes that the California law requires disclosure of only electronic data breaches. It doesn’t cover the loss of paper records. Bowen proposed a law this year that would extend the notification to any security gaffe, whether electronic, telephonic or paper, but her bill failed in committee.

Security freezes: Residents of four states -- California, Louisiana, Texas and Vermont -- have the right to freeze access to their credit reports. To use this law, consumers generally must write -- and often send a fee -- to each of the three major credit bureaus, asking them to deny access to their credit reports. Without access to credit reports, lenders will not grant credit, and that stops identity thieves. (To unfreeze a credit report, consumers must use a personal identification number.)

Residents of six additional states -- Colorado, Connecticut, Illinois, Maine, Nevada and Washington -- will have the ability to freeze credit reports within months, thanks to laws passed this year. A similar law is pending in New Jersey.

Specific instructions on how to place a credit freeze on a California consumer’s file can be found at www.privacy.ca.gov.

Fraud alerts: All U.S. citizens have the right to place a 90-day fraud alert on their credit file, requiring banks to take extra steps to verify their identity before issuing credit.

Longer fraud alerts, lasting up to seven years, can be placed on files by identity theft victims who can provide the credit bureaus with a copy of a report from police or the state department of motor vehicles verifying the theft.

Credit reports: Federal law also provides the right to one free credit report each year. (Unfamiliar items on a consumer’s credit report are often the first telltale sign of identity theft.) However, access to reports is being phased in geographically, so East Coast residents will not be able to get their first free report until later this year.

Anyone wanting a report, or wanting to know when they can receive one, can call (877) 322-8228 or go to annualcreditreport.com.

Pre-approved offers: Federal law allows consumers to opt out of pre-approved credit card offers. To opt out, call (888) 567-8688.

*

Kathy M. Kristof, author of “Investing 101” and “Taming the Tuition Tiger,” welcomes your comments and suggestions but regrets that she cannot respond individually to letters or phone calls. Write to Personal Finance, Business Section, Los Angeles Times, 202 W. 1st St., Los Angeles, CA 90012, or e-mail kathy.kristof@latimes.com. For previous columns, visit latimes.com/kristof.