News: CJ Exclusives

N.C. ID Theft Laws Strengthened

Major provision allows consumers to put freeze on credit report

Major provisions of North Carolina’s new identity-theft law make citizens’ personal information less accessible to thieves, and are designed to help victims of identification theft put their lives back together.

The Identity Theft Protection Act of 2005, which went into effect in December, allows consumers to order a credit-reporting company to put a “security freeze” on their personal information, preventing the company from disclosing information about the person unless the account has been temporarily unfrozen.

The new law also requires that businesses destroy discarded records containing personal information. Another part of the act limits the ability of state agencies and private companies to collect and store individuals’ Social Security numbers.

The legislature decided to delay the full implementation of the Social Security provisions for about a year in the case of private businesses, and for about two years in the case of state agencies. A section of the new act requires companies to notify customers of a “security breach,” defined as the unauthorized disclosure of a customer’s personal information in circumstances where there is a danger of ID theft.

Another provision in the law allows police in the victim’s home county to take reports of ID theft, regardless of where the thief carried out his crime. If an identity thief commits crimes in another person’s name, the act allows the victim to get his criminal record expunged. People whose personal information is contained in certain public documents can apply to have the information deleted.

William McKinney at the N.C. Attorney General’s Office says ID theft is a “significant and growing problem in the state.”

The Federal Trade Commission, which takes complaints about identity theft, reported that it received complaints about 5,623 North Carolina ID theft cases in 2004, or 65.8 for every 100,000 population in North Carolina.

Linda Foley, founder of the ID Theft Resource Center in California, said the FTC’s statistics undercount the incidence of identity theft. There are “no reliable statistics anywhere” on the incidence of the crime, she said.

Putting a security freeze on a credit report (as provided for in laws like North Carolina’s) helps guard the information in the report from would-be impersonators, Foley said. A freeze can be “inconvenient” when making a genuine credit application, because any temporary unfreezing of information takes additional time and energy. Foley, nevertheless, said she has placed a freeze on her own information.

Allowing the police in a victim’s hometown to take ID theft reports, as provided in North Carolina’s law, addresses an important problem, Foley said. If the police don’t make a report, an ID theft victim doesn’t have the official documentation he might need to avoid paying the impostor’s credit-card charges. Foley said some ID theft victims, when they try to report the crime and get a police report, are “bounced back and forth” between their hometown police departments and police in other jurisdictions.

Police don’t like to take ID theft cases because catching the perpetrators is difficult — “like catching a ghost,” Foley said. Unresolved complaints could end up in the department’s unsolved-crime statistics, making the police and the community look bad.

Under North Carolina’s new law, the victim’s hometown police department can make a report in an ID theft case without including the case in the unsolved-crime statistics.

Norm Magnuson, vice president for public affairs of the Consumer Data Industry Association, a credit industry-lobbying group in Washington, D.C., said that his organization initially opposed security-freeze laws, and that it still considers such laws ineffective.

However, having concluded that security-freeze legislation is “the will of the states,” Magnuson’s group is now pressing for a federal law on the subject, so that there can be “one set of uniform rules.”

Companies should be required only to tell customers about a security breach if there’s a real risk of harm, Magnuson said. Notifying customers of all security breaches, even the harmless ones, would be like “the boy who cried wolf,” Magnuson said.

Of the 130 security breaches in 2005, only one was from a credit bureau, and almost half were from state agencies, he said.

Maximilian Longley is a contributing editor of Carolina Journal.