While businesses and universities can do more to prevent identity theft, federal lawmakers have opened loopholes in some state laws that previously didn't exist, making it easier for crimes to occur, representatives from state Public Interest Research Groups (search) told reporters last week.
The Fair and Accurate Credit Transaction Act (search), signed by President Bush in December, was designed to help states deal with identity theft. But in the process, experts say, it enabled federal law to trump some states' laws that were already tougher than the FACT Act.
"The FACT Act put some protections in place, but Congress is clearly way behind in terms of solving these problems long-term," said Maureen Kirk, executive director of Oregon PIRG. "Some states now have protections they didn't have before. It's a mixed bag. The progress was at a high cost because of state pre-emption."
"Prior to FACT, Congress passed one major piece of legislation. California, in contrast, passed more than 30. California is a hotbed of identity theft (search) crime. This new law makes it easier for businesses to collect, exchange, sell information," said Steve Blackledge, California PIRG legislative director.
FACT did introduce tougher laws in states like Colorado that had no previous identity theft laws, and the legislation has been widely hailed by business groups who say the federal legislation makes it easier for them to comply by relieving them from trying to understand and follow 50 separate state laws.
"This law will create a national system of fraud detection so that identity theft can be traced and dealt with earlier," Bush said during the signing ceremony. "This law will encourage lenders and credit agencies to take action before a victim even knows an identity crime has occurred ... These practical steps will help consumers protect their credit and their good name."
Under FACT, consumers will be able to acquire a free copy of their credit report and their credit score each year to help them understand why their credit was denied or approved. It also will require businesses to black out Social Security numbers (search), credit card numbers and debit card numbers on receipts, and require the coding of medical information on credit reports.
But Kirk said the act also increased the latitude in which businesses can share and trade customer information across affiliated companies without consumers' permission.
"The use of our information as a commodity leaves us open to abuse," said Kirk, citing online availability of data and careless disposal methods by banks and other firms of consumer information.
There is too much "willful sharing or selling by companies," she said.
According to the Federal Trade Commission (search), identity thieves stole 9.9 million people's identities in 2003, and doubled the number of crimes committed from the previous year.
Thieves use a number of different strategies to obtain personal information. They hack into databases, sift through dumpsters and steal from mailboxes, one of the most common methods.
Identity thieves then use stolen Social Security numbers, addresses and phone numbers to apply for credit cards and change billing addresses. In many cases, victims never even know they are being taken until they apply for a loan and find their credit has been destroyed.
"Not only do you lose your money, but then there's also an effect on your credit report. You can't rent an apartment. You can't buy a house. You can't buy a car," said Rex Wilmouth, Colorado state PIRG director.
Obtaining personal information is extremely easy for identity thieves, Wilmouth said, and often a Social Security number is enough to get a loan that can destroy the victim's credit. With a Social Security number, a thief can pay $15 to $20 online to find out a spouse's name, last three addresses and other information.
The FTC reports that it takes an average of 175 hours and costs more than $800 in out-of-pocket expenses to clear a victim's name.
Local police report that a significant cause of identity theft is the way businesses operate, Blackledge said.
"Sloppy handling of consumers' information by businesses" is the most frequent failing cited by police, he said.
Beth McConnell, Pennsylvania PIRG director, said health clubs, universities and other organizations should not use Social Security numbers so frequently and publicly, such as for the posting of grades. Instead, "they should come up with some other number. Let's only use the Social Security number when it's necessary and appropriate," McConnell said.
PIRG's representatives say consumers also can do more to protect their identity, for instance, occasionally checking their credit reports, putting locks on their mailboxes, and avoiding use of Social Security numbers when possible.
Although FACT removes some state protections that would have restricted companies' ability to share information without consumers' consent, states still have leeway to tighten up other areas to limit the ability of identity thieves to operate.
"Some states have restricted posting of Social Security numbers, but more can be done. States can pass legislation freezing credit reports and giving information on who has accessed them. States can require that certain entities destroy information or keep it protected," McConnell said.