Byline: Dan Caterinicchia, THE WASHINGTON TIMES
Multiple states enacted laws Sunday designed to help prevent identity theft after major security breaches compromised personal data for millions of consumers in 2005, including last week's incident at Marriott Vacation Club International.
New and existing state laws require timely notification of information breaches to affected customers, and related legislation allows consumers to freeze their credit reports as a means of identity-theft prevention and protection.
But similar federal legislation remains tied up in Congress, which is where consumer groups said it should stay while industry pushes for a tightly focused national breach-notification standard.
Twelve states have credit-freeze legislation, which allows residents to block new creditors from accessing their credit reports and helps prevent identity thieves from opening spending accounts using a stolen name.
Credit-freeze laws in Connecticut, Illinois and New Jersey were enacted Sunday, while Maine's will become effective Feb. 1 and Colorado's July 1.
"Quite simply, the states are again the ones doing strong laws and showing Congress the way," said Ed Mierzwinski, consumer-program director at the U.S. Public Interest Research Group in Washington. The freeze laws are the first attempt to give people control over their Social Security numbers, the "financial DNA that is strewn all over the place."
Consumer groups endorse the states' credit-freeze laws, but want them to apply to all consumers, not just identity-theft victims as some currently do, he said.
"The freeze is not an absolute save-all," said Jay Foley, co-director of the Identity Theft Resource Center, a nonprofit in San Diego that tracks the more than 130 breaches disclosed last year, potentially affecting more than 57 million people. "It's a tool for victims and for families with senior members who are not competent to handle their credit."
More than 20 states have breach-notification laws. There already is near national compliance with California's law, which was the first in the nation when enacted in 2003 to require companies to notify state residents when their unencrypted personal information is reasonably thought to have been compromised.
"If Congress fiddles with it, it will most likely result in a weaker law that pre-empts the best of the state laws," Mr. …