Stolen Status

Arizona is the No. 1 identity-theft state, but the Legislature has refused to take action

Arizona leads the nation in identity theft--and the Legislature has not done much to alter that.

Earlier this year, Southern Arizona Republican lawmaker Marian McClure introduced a bill similar to laws recently enacted in California and 14 other states. It would require companies from which "personal identifying information" was stolen to notify its customers within 48 hours of the theft.

The legislation was assigned to two committees, but didn't even get a hearing.

"Any little thing we can do to get off being No. 1 on the national list would help," McClure says. "It's important people are notified so they can take appropriate measures."

The Federal Trade Commission agrees. Its top recommendation for people who think their identity has been stolen: "Contact the fraud departments of any one of the three major credit bureaus to place a fraud alert on your credit file." Of course, if someone doesn't know their personal information--such as a Social Security number or birth date--has been taken, they're not likely to do that.

The number of Americans who should be worried about identity theft is growing at an alarming rate. A survey done for the FTC concluded that nationwide, an estimated 10 million people might have been victims of some type of identify theft last year.

Per capita, Arizona leads the country in the number of reported victims--13 percent higher than second-place Nevada. Tucson, with more than 1,100 identified annual victims, is right up there with Phoenix, the so-called identity theft capital of the world.

Not everyone who has their personal information stolen from a company that stores electronic or paper data is victimized by the thieves, but those who are pay dearly. They might be accused of crimes that the thief commits in their name. In credit card and bank-fraud cases, it is estimated that an average of $17,000 in fraudulent charges are made. Additionally, the victims must spend about 600 hours and $1,400 out of their own pockets trying to fix the problems.

But it isn't only individuals who suffer from identity theft. The recent case in Tucson where credit- and debit-card data was stolen from CardSystems Solutions, Inc., might result in the loss of 90 local jobs, because Visa and American Express may pull business from the company, forcing it to shut its doors.

Arizona's attorney general, Democrat Terry Goddard, thinks it is time for companies to promptly notify their customers if information is stolen. "That seems kind of basic," he says. "The people (in the Legislature) didn't understand how critical it is to protect identification."

Goddard mentions two other issues which he believes should be addressed: how security for the information is provided by a company, and how it is eventually destroyed. Citing a case where data was left in a garbage bin, the attorney general remarks, "That's ridiculous!"

McClure's notification bill would obviously have financial and legal implications for the state's businesses, but what the Arizona Chamber of Commerce thinks about the proposal is unknown. They did not return repeated phone calls seeking a comment.

California attorney/privacy consultant Mari Frank focuses on identity theft issues, and says of McClure's proposal: "Forty-eight hours may not be the best for law enforcement, but you negotiate to have a reasonable time. The California law explains what that is."

Both Goddard and Frank also believe Arizona should consider a security-freeze law which permits people to deny access to their credit reports. With that in place, lenders will stop providing credit reports until specifically allowed to by the consumer, thus thwarting thieves.

Four states currently have this law in place, and six others will soon follow. Goddard knows the process can be inconvenient for some people, but for senior citizens, he says, it would be very prudent.

Frank thinks that attempts in Arizona to address the identity theft problem may be futile. Congress is considering more than a dozen laws concerning the issue, and Frank says some of them seek to water down the impacts of the two-year old, groundbreaking California legislation while also pre-empting states rights in the matter.

Frank, a registered Republican, declares of this proposed federal legislation: "It's totally to protect big business. They're trying to make it so people won't know. It's absolutely disgusting."

Another view is expressed by local attorney David Karnas, who says McClure's proposed legislation "is a good start, but falls far short of what's necessary."

Karnas is currently involved with trying to have a class-action lawsuit certified in the TriWest Healthcare Alliance identity theft case. In that instance, the names and Social Security numbers of 500,000 military personnel and their dependents were stolen in 2002 from the Phoenix-based firm.

Karnas believes the company should be required to pay for monitoring the credit histories of the victims for seven years, along with compensating those people against whom fraud is committed. Karnas thinks a similar solution should also be legally possible in other Arizona identity theft cases.

Willy Bils, Tucson founder of the Center for the Study of Privacy Rights, goes further in his suggestions. He characterizes identity theft's impact on society as "like termites eating at a house" and believes companies have a fiduciary duty to protect the identifying information of individuals.

"The real problem," Bils says, "is the unrestrained collection of personal information by entities, either public or private, who deal in it to make profits. They are not using the most stringent measures possible to protect the data."

To comprehensively address the issue, Bils proposes a conference be assembled to confront the identity theft problem in Arizona, or even regionally. "We need an effective attack on several fronts, including legislative and judicial," he says.

From his perspective, Bils would also like to see consumers given the legal right to sue companies from which their personal information is stolen. "Why only punish the thief and not the business that allows the theft?" he wonders.

Bils feels that allowing victims to seek up to three times the damages they suffer, plus collecting attorney's fees, might provide the companies which collect and store the personal data with a financial incentive not to do so. "That is the kind of hammer which would put businesses in the position of asking: 'Do we want to collect this information?'" he says.

Believing criminals, especially organized-crime syndicates, will always be ahead of remedial legal actions, Bils thinks even his proposals wouldn't completely solve the identity theft explosion, but would at least slow it down.

"They put control in the hands of the consumer," he says of his ideas, "instead of the police. It's a true market regulation, and (if enacted), this stuff will fade."

Bills calls McClure's proposed legislation "a baby step in the right direction. Notice is important, but it must be fair to businesses, and be a reasonable time period."

For her part, McClure indicates she will reintroduce her 48-hour notification bill in the next session of the Legislature. "I kind of live in fear of identity theft," she says, "because of how hard it is to correct."