• Mission & Governance
• Services Overview
• How to Get Involved
• Standing Committees
• NCSL Foundation

• Issue Areas: A-Z
• State-Federal Relations
• NCSL Standing Committees
• News from D.C. and the States

• About State Legislatures
• Elections, Campaigns & Redistricting
• NCSL's StateConnect Directory
• Web Sites

• Online Guide to NCSL Services
• Staff Sections and Networks
• Meetings & Professional Development
• Staff Directories

• Meetings Calendar
• Online Registration
• Meetings Home Page
• Legislative Summit

• Bookstore
• State Legislatures Magazine
• NCSL's StateConnect Directory

I'm pleased to be asked to speak at this forum about the serious problem of identity theft. In discussing this problem, I am going to wear two hats - first my public education hat, and then my consumer advocate hat.

The National Consumers League was founded in 1899 to identify, protect, represent, and advance the social and economic interests of consumers and workers. Identity theft is not a new problem - people have been impersonating other people for various purposes, some of them scurrilous, since the dawn of time. But it is a crime that is approaching epidemic proportions. Consumers need to know that it happens, how it happens, what they can do to protect themselves, and what to do if they are victimized. Businesses, government agencies, and organizations that handle people's personal information also need to know how to keep it safe.

So, wearing my public education hat, I am happy to say that in June of this year the National Consumers League launched a public education campaign about ID theft with a grant from Bank of America, for which we are very grateful. One element of this campaign is a new section of our main web site called "Invasion of the ID Snatchers." You can find it by going to www.nclnet.org/privacy. It describes some of the common ways that ID theft happens, how thieves use the information, tips for keeping personal information more secure, and steps that victims should take. It also provides links to important resources such as the Federal Trade Commission.

NCL uses its newsletters and Web sites, interviews with the media, and one-on-one interaction with consumers to get the word out about ID theft. When ID theft victims contact our National Fraud Information Center and Internet Fraud Watch program, a hotline that provides advice about telemarketing and Internet fraud, our counselors tell them the initial steps they need to take and refer them to the FTC's ID Theft Clearinghouse to report the problem and get more detailed instructions on how to repair the damage to their credit and their reputations.

Some of the tips we offer about how to reduce the potential for ID theft include:

• Don't give financial account numbers unless you are making purchases with them;
• Use public mailboxes to send out your bill payments;
• Collect incoming mail promptly and stop it at the post office while you're away;
• Don't give your social security number to anyone unless there is a valid reason why it's needed;
• Be suspicious of anyone who claims to be from a business or agency that already has your personal information and asks to verify it;
• Keep personal information locked up in your home and workplace;
• Keep customers' or employees' records secure and make them accessible only to those who have a valid need.

More enforcement and stiffer penalties for ID thieves, while welcome, won't solve the problem, either. Most jurisdictions don't have and never will have the resources to pursue every ID theft case, and the lure of easy money outweighs the threat of prosecution. The key is to prevent ID theft, not mop up afterward. To do that, we must:

• Make personal information less readily available to thieves;
• Make it harder for them to do anything with the information;
• And hold those accountable who facilitate ID theft by sloppy or inappropriate handling of personal information.

Social security numbers shouldn't be used as ID numbers, and where there is a legitimate reason to use them, they should be truncated or redacted so they are not exposed to public view. It should also be illegal to buy or sell social security numbers.

Payment card issuers, creditors, and credit bureaus should improve their security systems. Simple things such as having photographs on credit and debit cards and requiring PIN numbers or passwords would make it harder for thieves to take over those accounts and use them.

Recent news reports about someone who was able to use software to fraudulently obtain the credit reports of more than 30,000 people point to another vulnerability in the system. Artificial intelligence can be used to detect unusual patterns of accessing credit records. Consumers could be notified immediately whenever their credit reports have been accessed or, even better, their consent could be required before their credit records are accessed.

We don't even take advantage of the protections that are already in place. It's outrageous that when ID theft victims dutifully put fraud alerts on their credit files, creditors are not required to look at that information when people apply for accounts in their names. Some businesses are so anxious to extend credit to consumers that they take minimal steps to verify applicants' true identities, especially in the "instant credit" and pre-approved credit scenarios. If the information on an application doesn't match the information in the credit file, the creditor can go ahead with the transaction anyway, and often does.

A certain percentage of applications are fraudulent, but that is regarded as an acceptable cost of doing business. There is little regard for the terrible impact on ID theft victims. Instead, the solution is to offer consumers useless services such as ID theft insurance, for a fee.

If creditors and those who hold consumers' personal information were required to be more careful, and consumers had private rights of action for punitive damages if they're not, this cavalier attitude would soon change. State legislatures are in the forefront of the fight to protect consumers' privacy and prevent ID theft, and I would especially like to commend California for its pioneering work in this area. Here is my "wish list" for action that state and federal lawmakers could take:

• Require credit bureaus to provide or offer one free credit report annually to consumers;
• Stop the use of social security numbers as identifiers;
• Require opt-in for sharing consumers' financial information;
• Require truncating of credit card, debit card, and social security numbers;
• Require credit bureaus to notify consumers when their reports are accessed or get their consent before allowing access;
• Require prospective creditors to check applicants' files for fraud reports;
• Requires businesses to verify requests to change addresses on accounts by sending a notice to the last known address;
• If information on the credit application is different than in the credit report, require additional information such as the amount of the person's monthly mortgage payment;
• Require a minimum amount of ID verification for instant credit applications;
• Require photographs, PIN numbers, or passwords for credit and debit cards;
• Prohibit sending consumers "convenience" checks;
• Allow consumers to "freeze" their credit files so credit can't be granted without their knowledge and affirmative consent;
• Encourage better use of technology to detect patterns of fraud;
• Make creditors, credit bureaus, employers, and others liable for punitive damages for sloppy use or care of personal information or for not verifying identification adequately.

I urge you to work with consumer organizations and businesses to make it harder for ID theft to thrive. Thank you very much for your kind attention.

Susan Grant, Vice President for Public Policy
National Consumers League
1701 K Street NW, Suite 1200
Washington, DC 20006
(202) 835-3323