SEATTLE -- While the words "identity theft" did not appear on the official agenda, the topic was a popular discussion theme at a meeting this week of states' attorneys general.
The meeting, which focused on developments in Internet law, drew an influential list of attendees, including attorneys general, politicians and federal agency leaders, many of whom used the forum to harp on the need for more effective protections against identity theft.
"This is not an issue where you can call 911 and somebody is going to respond," said Sen. Maria Cantwell (D-Wash.), a former executive at Real Networks in Seattle who has become a leader in Internet legislation since taking her seat two years ago. "They not only can't get access to the information to correct their records, they're stuck with bad credit, sometimes for years and years."
In 2001, Cantwell sponsored a law (PDF) aimed at assisting identity theft victims, which passed in the Senate before time ran out at the end of the full congressional session that year.
The proposed law, which she said she plans to reintroduce this year, would provide means for consumers and law enforcement "to get access to the business records that are the evidence the identity fraud has taken place." It would also require credit bureaus and reporting agencies to stop including negative reports that are the results of ID thefts.
Cantwell is one of several politicians, at both the state and federal levels, who have recently backed legislation to reduce identity theft or to make it easier for victims to repair damaged credit reports and other records.
Their efforts are timely as identity theft crimes, and their costs to businesses and individuals, continue to rise. A report from Sen. Diane Feinstein (D-Calif.) estimated that ID theft costs businesses as much as $3.5 billion a year.
Many of the crimes have been carried out on a disturbingly large scale, including one case last November in which three people were arrested for allegedly stealing personally identifiable information on 30,000 individuals from one of the big three credit reporting agencies.
While claims of ID theft made up just 1 percent of Internet fraud complaints, according to an FBI report issued last December, one in six of them reported losing money as a result. The average loss was $2,000.
A serious concern for consumers, says Howard Beale, director of the FTC's Bureau of Consumer Protection, is the theft of information from centralized databases, such as those of banks and credit bureaus. Beale says a number of those cases involved "very low-tech" methods, such as disgruntled employees or temps simply stealing printouts or passwords and using them to break into the computer files.
In effort to curb identity theft, the FTC has taken action against a handful of companies, including Microsoft, whose Passport servers were deemed too vulnerable to hackers, and the level of security they were providing was misrepresented. The agency also censured Eli Lily, the drug company that sent out lists of e-mail addresses of visitors to their Prozac.com website.
A major obstacle in preventing identity theft, however, is that most people whose IDs are lifted electronically don't even know it until charges show up on their credit cards or they find they have negative marks on their credit ratings.
Banks and other repositories of vast amounts of personal and financial information linked to people's names and Social Security numbers have little incentive to announce that their databases have been hacked, and lot of reasons not to do so.
"I think (the banks') feeling is they'll take the risk to get people spending the money and they'll take the loss or fight it out later," says Scott Longo, an assistant attorney general from Ohio attending the meeting. He says his office has not seen a lot of reports of identity theft, more of other Internet problems like child pornography.
"When it becomes a big enough problem for the banks to say, 'That's it,' then we're going to see either some effective legislation on the national level or states banding together until we get some national legislation to deal with identity theft."
Longo also says a disconnect between government and the private sector makes even the best regulation all but meaningless. He noted "while we're arguing in Ohio about not disclosing Social Security numbers on most state forms," hotels and other businesses often require a driver's license or other ID at the check-in desk.
One of the other problems facing the state's chief law enforcers in fighting the problem, Longo says, is staying on the right side of the Constitution's "commerce clause," which bars states from interfering with "interstate commerce" business activities that cross state lines.
"It works pretty well if it's a local person stealing a local person's identity, but when you have somebody out of state, it's confounded like spam would be because of state lines," he said. "So I think that a national identity theft legislation would probably benefit the entire country a lot better."
Anita Ramasastry, a law professor at the University of Washington, however, believes states can do much on their own to curtail identity theft.
As an example, she cited a new California law (PDF) requiring state agencies and businesses to inform state residents whose information "was or is reasonably believed to have been acquired by an unauthorized person."
