Seizing the initiative from the federal government, state attorneys general are cracking down on information brokers. The latest example is in Connecticut, where Attorney General Richard Blumenthal has sued NRS Information Services Inc., a now defunct company that allegedly sold confidential consumer information, including bank account numbers and balances.
"As law enforcement officials and consumer protection activists, we have a natural role to play combating identity theft," Mr. Blumenthal said.
The suit, filed last month, charges that employees at NRS conned banks into releasing customer data by impersonating the consumers. As part of the fraud, the company allegedly obtained copies of consumer credit reports. These reports contained enough personal data for the company to deceive the bank, according to the suit.
Similar investigations are reportedly under way in Massachusetts and New York. The crackdown comes as consumer groups have grown increasingly worried about the ease with which criminals are able to steal confidential bank data.
Federal regulators this summer warned banks to guard against information brokers. In August, for instance, the Office of the Comptroller of the Currency urged banks to draft policies on what information may be disclosed by phone.
But Congress failed to enact a bill that would make it a federal crime to trick banks into revealing confidential customer data and none of the regulators have issued rules requiring banks to impose more safeguards.
Mary Griffin, a lawyer at Consumers Union in Washington, said the federal government has not done enough to protect the public. "Federal regulators need to put affirmative obligations on banks to prevent information from getting into the hands of information brokers," she said.
State attorneys general would welcome more help, Mr. Blumenthal said. "Ultimately the federal government must play a role because banks are multistate institutions and they are regulated at the federal level," he said.
Mr. Blumenthal urged banks to step up training about customer privacy, noting that Connecticut charged that bank employees accepted money in exchange for confidential data.
By reining in the disclosure of customer data now, the industry could spare itself years of litigation, he said. "States will give it much more attention if there are not voluntary measures by banks to have better training and more internal procedures to check who is calling for information," he said.
John J. Byrne, senior counsel and compliance manager at the American Bankers Association, agreed that the industry needs to do a better job guarding customer data. But he cautioned against going too far. Consumers would become angry if banks refused to share any information over the phone, which would be the ultimate way to protect privacy. "There is a balance between not giving up anything over the phone at any time versus when legitimate customers call seeking information," he said.