Kaine Seeks Passage Of Identity Theft Bills

By Bill Brubaker
Washington Post Staff Writer
Friday, January 4, 2008

Virginia Gov. Timothy M. Kaine proposed legislation yesterday that would require companies to notify consumers if their Social Security numbers or other personal information were accidentally made public.

There's an out for companies, however.

Under the proposed law, businesses could choose to take no action if they determined there was no "reasonable risk" that the consumer would be harmed by the disclosures.

Kaine's proposal, crafted by a 26-member group of government officials, business leaders and consumer advocates, comes amid growing concerns about identity theft across the United States. Virginia has lagged other states in addressing some aspects of identity theft, which has plagued millions of Americans, according to government studies.

A version of the "breach notification" proposal already has been adopted by 38 other states and the District, Kaine (D) said at a news conference at AARP's Virginia headquarters in Richmond. Since Nov. 1, state and local governments in Virginia have been required to make such notifications, he said.

Gordon Hickey, Kaine's press secretary, downplayed the exemption that allows companies to make the final call on whether to notify consumers that their personal information had been made public. The state attorney general's office, he said, would take action if it learned that a company was wrong in not making a disclosure. "Then it would become an enforcement issue," he said.

A second legislative proposal unveiled yesterday by Kaine -- to give consumers the option of freezing their credit reports if they believe their personal information has been compromised -- has been adopted by 39 states and the District.

That proposal, if passed by the General Assembly, would give Virginians an option they already have. As Kaine noted yesterday, the three major credit agencies -- Experian, Transunion and Equifax -- voluntarily agreed last year to allow credit report freezes, but a law would formalize this arrangement.

AARP Virginia State Director Bill Kallio praised Kaine's proposals, noting that a survey of the association's members found that 81 percent were "concerned about becoming a victim of identity theft."

"Breach of personal information and identity theft are two issues that are extremely difficult to manage for all consumers," he said. "However, when it happens to the frail and elderly consumer, it becomes a huge financial crisis . . . [because] their entire ability to function financially stops."

One Virginia identity theft activist called Kaine's proposals a "sham" because they do not address the easy access criminals have to Social Security numbers in court case files and on government Web sites.

"It appears no one is putting in any legislation mandating that the SSNs be removed from records that the [court] clerks are making available online," said Betty "B.J." Ostergren, who operates

"That's legislation for another day," Hickey said.

A recent spot-check by The Washington Post found Social Security numbers on hundreds of documents in courthouses and on state agency Web sites across the nation. Although Virginia is taking steps to remove Social Security numbers from some court documents, the state has not taken any action to redact the numbers from criminal-case filings such as summonses, arrest warrants and criminal complaints.

Yesterday, Kaine cited two new private studies that show that loss of personal data, such as credit card and Social Security numbers, "soared to unprecedented levels" last year.

"Identity theft is a malicious crime that costs both consumers and businesses," he said, "and as we get more and more sophisticated and better and better technology, the opportunities for theft increase and the costs of that theft increases as well."

Staff writer Tim Craig contributed to this report from Richmond.

© 2008 The Washington Post Company