Md. legislators to offer bill on ID theft

Measure is response to ChoicePoint breach; Modeled after California law; It requires notification if personal data disclosed

By Eileen Ambrose | Sun Staff

March 2, 2005

Maryland legislators are expected to introduce legislation to protect personal information from identity fraud in response to the security breach at ChoicePoint Inc. in which thieves acquired data on thousands of consumers.

The legislation could be introduced as early as today or tomorrow by Del. Brian R. Moe and Sen. Leonard H. Teitelbaum, who serve on the Joint Technology Oversight Committee, said Steve Sakamoto-Wengel, assistant attorney general in the Consumer Protection Division.

Sakamoto-Wengel said yesterday that the legislation is modeled after a law in California, the only state that requires companies to notify consumers when personal data has been compromised.

Alpharetta, Ga.-based ChoicePoint discovered in October that it had sold personal consumer data to thieves posing as legitimate companies. The data-collection company, which culls information from public documents and sells it to other companies, began alerting more than 34,000 California residents in January.

Investigators told ChoicePoint that the problem reached beyond California. Last month, the company began notifying a total of 145,000 residents across the country, including 2,750 residents in Maryland.

Moe, a Democrat who represents portions of Anne Arundel and Prince George's counties, could not be reached for comment yesterday evening. Teitelbaum said privacy issues have been in the forefront during this session of the General Assembly as consumer concern has grown over the rising number of identity theft cases.

Teitelbaum, a Montgomery County Democrat, expects passage of the legislation.

"I can't imagine who would oppose it," he said.

Under the proposed legislation, any company doing business in Maryland that collects personal information about residents would be required to notify them as soon as possible once a security breach is discovered, Teitelbaum said. Personal information includes Social Security numbers, credit and debit card account information, driver's license and medical information.

24-hour limit

A breach would have to be reported to the attorney general's office within 24 hours of discovery, Teitelbaum said. Like the California law, notification to consumers could be delayed if authorities, such as the police, determine that it would jeopardize an investigation.

Additionally, once companies no longer need a customer's personal information, they would be required to destroy it.

The law "would include security rules for discarding personal information collected," said Sakamoto-Wengel, whose office has been working with legislators on the bill. "You can't just throw it in the trash can."

Sakamoto-Wengel said notification that personal data has been compromised will allow consumers to take measures to protect themselves, such as placing a fraud alert on their credit report. A fraud alert requests that creditors contact consumers before any new credit is issued in their name.

Report freeze

Other privacy legislation has been introduced in the General Assembly. One bill, for example, would allow consumers to place a "security freeze" on their credit reports. That would restrict credit bureaus from releasing a consumer's report without permission, said Cheryl L. Hystad, executive director of the Maryland Consumer Rights Coalition.