New law takes aim at ID theft

Kathleen Pender

Businesses nationwide are scrambling to comply with a new California law that sharply limits the use of Social Security numbers to identify customers.

The law, which takes effect July 1 for most companies, is designed to thwart identity theft. Another provision of the law makes it easier for consumers to alert credit bureaus when they think their identity is at risk.

Beginning Jan. 1, a third provision will let consumers temporarily freeze all access to their credit reports.

Under SB168, companies cannot:

-- Post or display SSNs.

-- Print them on identification cards or badges.

-- Print an SSN on anything mailed to a customer unless it's required by law or the document is a form or application.

-- Require people to transmit an SSN over the Internet (through e-mail, for example) unless the connection is secure or the number is encrypted.

-- Require people to log on to a Web site using an SSN without a password.

Although the SSN restrictions apply only to accounts opened in California after June 30, many companies are adopting the new rules for all customers -- old and new, in every state.

Companies say it's simpler to have a single system. Also, companies that continue using SSNs for old accounts must give customers an annual opportunity to opt out. Finally, it's only a matter of time before other states -- and possibly the federal government -- follow suit. Four states have bills pending that would restrict the use of SSNs.

The California law has several exceptions:

-- Health care and insurance companies have until Jan. 1 to comply with the new rules (except the one prohibiting SSNs on ID cards) for individual policy holders. After Jan. 1, 2004, they must comply with all the SSN restrictions for new individual policy holders and new group polices. By July 1, 2005, they must comply with all restrictions for all existing policies.

-- The law does not apply if a state or federal law requires an SSN on a document. That means SSNs will still appear on federal and state tax forms and employee pay stubs.

-- Private schools and colleges have to comply, but public ones don't. However, the University of California and the California State University systems are already moving away from using SSNs as student ID numbers.

-- Companies may still use SSNs to identify customers internally.

The American Benefits Council, which represents large employers that sponsor health and pension plans, recently held a conference call to educate members about the new law.

"It had the biggest response to any call we've ever had," says John Scott, the council's director of retirement policy. "This is a big issue. The use of SSNs is pervasive in retirement plan administration. To modify your systems to comply with this law is a huge effort."

J.P. Morgan/American Century Retirement Plan Services began preparing for the law in November and hopes to finish testing its new system this week.

It will continue using SSNs to identify all customers internally, but not externally, using a product known as an invisible font.

"The printer prepares an index for us on CD-ROM that's sorted by Social Security number. No Social Security number will show up on the statement sent to individuals. But if someone calls in with a question, we can look up the account on the CD-ROM," says Robert Holcomb, a vice president with the firm.

Scott says other companies are using truncated or encrypted SSNs. He says at least one is embedding customer SSNs in the middle of a bar code that will appear on customer statements.

Many small companies "are only now trying to figure out how to comply," Scott says.

He says there could be some mistakes as companies switch to a new system, "especially at the rollout. There's also the possibility of people being overly cautious and not sending all the information that should be sent out."

Companies that fail to comply with SB168 are subject to general unfair- business-practice penalties.



SB168, sponsored by Sen. Debra Bowen, D-Marina del Rey, also establishes uniform requirements when consumers post a security alert to their credit file.

A security alert warns lenders that a person may be a victim of identity theft.

This provision, which also takes effect July 1, requires the three major credit bureaus to provide a provide a toll-free telephone number for people to place security alerts and to place the alert in a consumer's credit file within 72 hours of receiving it.

The alert must remain in place for at least 90 days, and credit bureaus must offer consumers a free credit report at the end of 90 days.

The toll-free numbers for the credit bureaus are Experian, (888) 397-3742; Equifax, (800) 685-1111; and Trans Union, (800) 888-4213.

A security alert is advisory only. It encourages but does not require lenders to take extra precautionary measures to verify a person's identity.

Sen. Bowen has sponsored a new bill, SB1730, that would force businesses that access a credit report to take certain steps to communicate with a person who placed a security alert to make sure he or she is not an identity thief. That bill passed the Assembly Banking Committee 8-3 Monday and now moves to the Assembly judiciary committee. It passed the Senate 24-11.



Beginning Jan. 1, SB168 will let consumers freeze access to their credit reports.

The freeze prevents thieves from getting credit in your name, even if they have your SSN, address, birth date and other identifying information. It also prevents unwanted companies from prying into your credit report.

But it also could prevent you from getting a loan because most lenders won't extend credit without a credit report.

If you're going to be shopping for a loan and you have a freeze on, you can allow your credit report to be released during a specific period of time, to specific lenders or to lenders who have a secret code you give them.

It could take up to three business days to have a freeze lifted, so if you get a weekend whim to buy a Mini Cooper, you could be out of luck.

To read SB168 or SB1730, go to and click on Legislation.