Long before identity theft reached epidemic proportions, California state Sen. Debra Bowen was pushing laws to protect consumers' private information.
The Democrat from Marina del Rey was proposing privacy bills as early as 1995 and in 2001 pushed through a state law restricting access to Social Security numbers, which are the keys to unlocking enough personal information for thieves to apply for credit in someone else's name.
Bowen is part of a cadre of state and federal legislators who have made progress against identity theft but continue to seek ways to stem the flow of lost and stolen personal information that feeds it.
Identity theft has been the No. 1 consumer fraud complaint for five years running, according to the Federal Trade Commission, which estimates that 10 million people are hit each year.
Two different surveys, by Chubb Group and Deloitte & Touche, found that 1 in 5 consumers reported having been victimized.
But the once-exponential growth of identity theft is beginning to taper off, government officials say.
And California, long the identity theft capital of the country, is seeing slower growth than the national average, with an 11% increase in reported cases last year compared with a 14.6% hike nationwide.
Part of the reason that California has made some progress is that the Golden State has the strongest privacy protections in the country, said Kerry Smith, senior consumer attorney with the State Public Interest Research Group in Philadelphia.
Thanks to Bowen's 2001 law, banks, insurers and credit card companies must truncate Social Security and credit card numbers sent to Californians in the mail, and healthcare cards can no longer list Social Security numbers as an identifier.
The state's residents also have the right to freeze their credit reports, and they're among a fortunate few in the nation who have the right to be notified if their personal information is compromised.
Bowen continues to try to build on those regulations. "We've got to make sure that private information is going out in fewer places," Bowen said last week.
This year she proposed a bill that would strengthen the state's notification law, and she is considering legislation that would establish data handling standards for industry to prevent some of the seemingly careless gaffes -- lost or stolen computers containing unencrypted consumer information, for instance -- that have exposed more than 58 million Americans to identity theft in the last two years alone.
"There are no laws affecting how people in the private sector handle data," she said. "The number of times that there's a laptop stolen, or there's some mistaken transfer of data with no encryption, no tracking and no consequences, is phenomenal. We are at the early end of this, but we are starting to look at whether there should be standards for the handling of personally sensitive information -- or at the very least, some system to penalize companies that have been negligent."
Bowen and other California legislators are also trying to expand privacy rights to residents of other states. Democratic U.S. Sen. Dianne Feinstein recently sponsored a bill to extend to all Americans the right to be notified of a security breach.
As of January, only Californians had the right to be notified when companies lost track of their personal identifying information, such as Social Security and credit card numbers or driver's license information, said consumer attorney Smith.
That notification is important, experts say, because it can give the consumers the ability to put a fraud alert on their credit file, preventing criminals from obtaining credit in their names.
"Identity theft is a national problem that requires a federal solution," Feinstein said in recent congressional testimony. "One strong notification standard is what we need, not a patchwork of state laws."
This year, notification laws were proposed in 35 states -- 14 of which were successful and will go into effect in the next 12 months; 27 states proposed data freeze laws.
With privacy laws changing so rapidly, Jennie Bretschneider, a Bowen staffer, said one of the challenges was to inform consumers about the rights they already have. "We know that our data freeze law isn't used very much because very few people are aware of it," she said. "One of our big challenges is getting the word out."
What rights do consumers have to battle identity thieves? And what rights are they likely to get through pending legislation?
Notification: Fifteen states, including California, have laws on the books requiring companies to notify consumers when they lose track of their personal information, exposing them to identity theft, Smith said. The other states, which passed their laws this year, are Arkansas, Connecticut, Florida, Georgia, Illinois, Indiana, Maine, Minnesota, Montana, Nevada, North Dakota, Tennessee, Texas and Washington.