| Shredding Identity Theft |
By KEVIN G. DeMARRAIS Sunday, November 27, 2005 Consumers will gain strong new protections when New Jersey's Identity Theft Prevention Act takes effect Jan. 1, but businesses and institutions are facing headaches and added expenses.Those maintaining computer databases will be required to act quickly and publicly in case of security breaches under the new law - among the strongest in the nation. Social Security numbers will be out as all-purpose identification numbers, forcing businesses, colleges, unions, insurance companies, police departments and other public agencies to purge files and shred documents. For a big insurance company, where managing paper has been a core of the business for generations, complying shouldn't be difficult, said Jim Appleton, president of the New Jersey Coalition of Automotive Retailers in Trenton. "But for a small business, like a car dealership, it's a major problem, and they're just coming to grips with it now," Appleton said. "It's just another cost of doing business," he said. "You can get on a soapbox and complain, but in the face of well-documented cases of identity fraud, dealers can recognize the problem." Even with the added costs and paperwork, the legislation had the backing of the New Jersey Chamber of Commerce, said Kim Ricketts, director of the state Division of Consumer Affairs, which will administer the new law. All concerned recognize the problem. Millions affected Identity theft - stealing someone's personal information to commit fraud or other crimes - is growing rapidly. Last year, the Consumer Sentinel, a database maintained by the Federal Trade Commission, logged 246,570 ID theft complaints, compared with 215,093 in 2003 and 161,896 in 2002. But official complaints represent only a small percentage of victims. In congressional testimony in June, FTC Chairwoman Deborah Platt Majoras estimated that 10 million consumers were victimized in 2003 at a cost of $5 billion. That pales compared with the estimated $48 billion the crimes cost businesses and banks. Nearly a third of that went to cover losses due to credit-card fraud, and more than 20 percent was lost to bogus telephone and utility accounts, the FTC said. If New Jersey's experience is anything like California's - whose laws were the model for this state's legislation - businesses will quickly see that it costs less to comply than to deal with thieves gaining access to their data, said Joan McNabb, chief of the California Office of Privacy Protection. The laws "have put a cost on insecurity, altered the cost-benefit ratio," she said. Even so, each of the sections of the new law, outlined below, force public and private entities to change how they do business. Law's highlights This provision makes it tough for thieves to create bogus credit-card accounts by prohibiting the changing of key information in a credit file. But there is a downside. Until Consumer Affairs develops a system to temporary lift the freeze within 15 minutes of a customer's request, credit bureaus will have up to three business days to comply, making "instant credit" virtually impossible.
New Year's means confetti time, and it won't be limited to holiday celebrations this year, as more piles of stored papers head for in-house, mobile or remote shredders. Shredding had already increased in recent years because of several federal laws, so companies are ready, said Ross Lobosco, manager of Confi-Shred a division of Zozzaro Brothers, a Clifton-based paper recycler. Rutgers University, for example, has developed "systematic manners and procedures" for destroying and removing any paper or electronic records that are no longer needed, spokeswoman Sandra Lanman said. So, too, does Public Service Electric and Gas Co., which obtains personal information when establishing new accounts. Access is strictly limited, and every year the utility downloads data from its computers to microfiche, as required by the Board of Public Utilities, spokeswoman Karen Johnson said. "It's off the mainframe and archived in a locked storage area," she said. Cost of shredding Now interest in shredding is coming from "a lot of smaller companies that never really thought about it before, or didn't care," said Bob Gallo, president of Shred-It New Jersey, a Fairfield-based franchise of Ontario-based Shred-It International. "The statistics on identity theft are just mind-boggling," Gallo said. And that has made companies realize the seriousness of not doing it properly. Shred-It provides customers with locked containers and its trucks go to businesses throughout the region to shred documents. The cost for a small business is $89 a month, Gallo said. Confi-Shred specializes in off-site shredding, with most customers bringing material to the company's Clifton site for shredding, at 10 cents a pound. Company also can buy their own shredders, which can save them money but also open themselves to liability if employees are not conscientious about using them, Gallo said. Companies must also decide what to shred or delete. The California law has forced them to examine their practices, and some have found they've been keeping records they didn't need, McNabb said. One university, for example, had kept the records of everyone who ever applied - including Social Security numbers - over the past 15-plus years, she said. "They said, 'Good grief, why do we keep this data?' That is a good result," she said.
Social Security cards used to say "not to be used for identification purposes," but they've become the all-purpose identifier. No more. "Protecting the Social Security number is obviously a best practice for the times we live in," said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego. Nothing in the new law prevents a company from requesting a SSN, and numbers will still be used for a variety of purposes, from credit checks to obtaining a fishing license. And the new law will not affect the use of SSNs on federal documents, such as Medicaid cards. But it does put strict controls on how that information is used, stored and disposed of. Replacing the SSN Even before the state law was enacted, Ramapo College and Rutgers, among others, began replacing the familiar nine-digit SSNs with random nine-digit ID numbers. "We switched over our employee IDs, and we're in the process of switching student records over," Ramapo spokeswoman Bonnie Franklin said. "By the spring, we'll no longer use the Social Security number for student IDs." Health insurance companies and a wide range of employers are taking similar steps. Doing so can be expensive and time-consuming, said John Niccollai, president of Little Falls-based Local 464A of the United Food and Commercial Workers. "It's going to run into tens of thousands of dollars by the time we set up a completely new number for everybody and get them into our system," Niccollai said. Like other businesses, the union must set up a dual system, because payroll and pension information must still be reported to the federal government using the SSN.
Businesses must act quickly, either through direct contact with customers or - when the cost of providing notice exceeds $250,000 or the number of potential victims tops 500,000 - through Internet posting and notification to major media outlets. One potential problem is determining if notification is required when a hacker breaks into a computer system, even if there is no evidence that the database on the server was touched, |McNabb said. The cost for notification can be up to $25 per person, depending on methods and whether credit monitoring is offered. Considering the size of files breached in the past year - including the names of 500,000 bank customers allegedly taken by a manager of DRL Associates of Hackensack - that can be expensive.
This makes it easier for victims to get the theft on the record, which is important in proving innocence. But this section of the law means police departments will have to get involved. |