Welcome to Consumer Reports Advocacy

For 85 years CR has worked for laws and policies that put consumers first. Learn more about CR’s work with policymakers, companies, and consumers to help build a fair and just marketplace at TrustCR.org

Millions of veterans at risk for identity theft following data breach

Congress urged to require stricter data security practices and give consumers new safeguards

Monday, May 22, 2006

Personal Data Stolen From Veterans Administration Puts Millions at Higher Risk of Identity Theft

Latest Data Security Breach Underscores Need for Stronger Consumer Protections Against Fraud

An estimated 26.5 million U.S. military veterans may be at higher risk for identity theft as a result of personal data stolen from a Veterans Administration employee who improperly took the material home. The data stolen included such sensitive information as names, Social Security numbers, and dates of birth, and underscores the need for Congress and the states to adopt stronger laws to protect consumers against identity theft.

“Through no fault of their own, millions of veterans now have to worry about having their identity stolen as a result of this data security breach at the Veterans Administration,” said Gail Hillebrand, Director of Consumers Union’s Financial Privacy Now campaign. “Congress needs to enact strong new identity theft protections to require companies and government agencies to follow tight security practices and to notify consumers when personal data is compromised. All consumers should get the right to freeze access to their credit files to stop crooks from opening fraudulent new accounts using stolen information.”

Congress has been debating a series of identity theft proposals over the past year ever since the ChoicePoint scandal highlighted how vulnerable consumers are to having their personal and financial information fall into the wrong hands. Since that time, over 55 million consumers have been put at higher risk of identity theft as a result of similar data security breaches at government agencies and companies throughout the country.

Later this week, two committees in the House will consider competing identity theft bills. HR 3997 would let companies that lose sensitive information decide whether to tell consumers about it. That would represent a big step backward since it would replace stronger laws in some states that have helped to ensure that consumers throughout the country are notified by companies whenever there has been a breach in data security involving sensitive personal information.

HR 3997 would make consumers wait until after they have become victims of identity theft before they could block access to credit files with a security freeze. Most states that have adopted security freeze laws let consumers exercise this right before the damage is done.

A better alternative is HR 4127, which requires companies to notify consumers if the security of their personal information has been compromised unless the company can show there is no reasonable risk of harm. The bill would let states continue to adopt laws giving all consumers the right to freeze credit files.

Consumers living in California, Connecticut, Louisiana, Maine, Nevada, New Jersey, and North Carolina currently have the right to put a security freeze on their credit files. A security freeze lets the consumer stop anyone from looking at his or her own credit reporting file for purposes of granting credit unless the consumer chooses to let that particular business look at the information. When the consumer is not seeking credit or new accounts, the security freeze effectively prevents anyone else from getting credit in the consumer’s name.

Security freeze laws covering all consumers also have been adopted in Colorado, Kentucky, Utah, and Wisconsin, but have not gone into effect. Kansas, South Dakota, Texas, and Washington have adopted security freeze laws covering identity theft victims. Lawmakers in Illinois and Vermont recently passed legislation strengthening the security freeze laws in their states so that all consumers are covered.

For more information on these state security freeze laws, see: http://www.consumersunion.org/campaigns//learn_more/002355indiv.html

Current federal law gives identity theft victims, and those with a good faith belief that they are about to become victims of such fraud, the right to place only a 90-day initial fraud alert on their credit file. All consumers who do so are entitled to a free credit report. Initial fraud alerts instruct creditors to exercise more care to verify the identity of the credit applicant. Identity theft victims may choose an extended fraud alert good for seven years. Unlike the security freeze, however, these fraud alerts do not stop distribution of credit reports or credit scores.

“For the 26.5 million veterans who have had their personal records stolen as a result of this data security breach, a 90-day fraud alert is simply not good enough,” said Hillebrand. “Veterans living in states with security freeze laws should consider taking this extra step to protect themselves. But the security freeze safeguard should be available to consumers throughout the country. Congress should make sure all consumers get the right to freeze crooks out of their credit files.”

Susanna Montezemolo: 202-462-6262
Gail Hillebrand: 415-431-6747