Lawmakers at the State House last week considered 35 bills that have been filed as a result of growing concerns over identity theft.

Everyone, it seems, has an idea these days on how to deal with identity theft problems – and they got their day in General Court last Tuesday when the Legislature’s Joint Committee on Consumer Protection and Professional Licensure considered 35 bills addressing everything from credit cards to credit scores.

An increase in attention to the identity theft issue since a computer hacker got into data at Framingham-based TJX Cos. – compromising hundreds of thousands of consumer credit and debit card accounts in the United States, Canada and Europe – may have prompted a larger number of bills filed than normal, a committee research analyst suggested. TJX is the parent company for Marshalls, T.J. Maxx, A.J. Wright, HomeGoods, and other regional and national retailers.

The breach was discovered in December but wasn’t announced until January, on the heels of a Wall Street Journal article about the compromised data. Some have suggested the company delayed immediate announcement as it feared it would affect the holiday shopping season.

Giving retailers responsibility and financial-liability “incentives” to follow the data-security provisions in their contracts with card issuers is a key feature in House Bill 213, filed by Rep. Michael A. Costello, D- Newburyport, and backed by the Massachusetts Bankers Association and Massachusetts Credit Union League.

“Currently, retailers and other data processors have little legal or financial incentive to ensure high data-security standards,” explained Kevin M. Tierney, president of Saugusbank, testifying for the bill on MBA’s behalf. “Imposing financial liability on those entities to cover the card replacement and fraud losses associated with a breach will provide a greater incentive on them to develop, implement and monitor those standards.”

H. 213 would require retailers to reimburse banks for the costs of “reasonable actions” they take in response to a data security breach. If enacted, it would be the first law of its kind in the country, according to the Spring 2007 Financial Services Report posted on the Web site of New York law firm Morrison & Foerster.

‘Perpetual Loss’
MBA President Daniel J. Forte said banks pay up to $25 to replace each card after a data breach.

Responding to Retailers Association of Massachusetts President Jon B. Hurst’s contention that card-issuing banks, in fact, recover many card replacement costs through insurance and card contract provisions, Forte said banks recover just “pennies on the dollar” from Visa or MasterCard when they have to replace a card.

Forte indicated he thinks Hurst’s argument is a red herring, saying H. 213 and other legislation is less about cost recovery than about protecting consumers.

“We are all trying to stop the perpetual loss of data by retailers. If they have a better way, we’re all ears,” he added.

However, the co-chairmen of the Consumer Protection Committee – Rep. Michael Rodrigues, D-Westport, and Sen. Michael Morrissey, D-Quincy – both seemed concerned that H. 213 would affect private contracts between banks and retailers.

Rodrigues said he’d “have a hard time with statutorily interfering with a contractual relationship,” and Morrissey wondered aloud whether any state law passed, relating to contracts with credit card companies, could be preempted by federal law.

Banks and credit unions generally have contracts with processing companies that give them access to major credit card networks such as Visa or MasterCard. Retailers, in turn, must be sponsored by card companies’ so-called “merchant banks,” which process card transactions, in order to accept Visa or MasterCard transactions.

Only about one-third of the major U.S. retailers doing business with Visa and MasterCard actually comply with the data security standards those companies set, according to the Massachusetts Credit Union League.

Massachusetts Office of Consumer Affairs and Business Regulation Director Daniel C. Crane said creating a climate that “rewards and encourages data collectors who actively protect consumer information” would have to be a feature in any identity-theft legislation his agency would support. Notifying consumers whose personal information is compromised within one to three days, and empowering them to freeze their credit, if that happens, without a fee, would be others, he said.

Currently, Massachusetts consumers cannot freeze their credit reports, even though this option is available to residents of at least 20 other states.

Two pieces of legislation – House Bill 328 and Senate Bill 184 – contain many provisions addressing what’s important to his agency, Crane said.

Speaking on behalf of both H. 213 and H. 328 – which he co-filed with Rep. William M. Straus, D- Mattapoisett, and 60 others – Costello said identity theft is like assault and battery. “But unlike assault and battery, you don’t know identity theft is occurring unless someone tells you,” he noted.

That’s why both bills address how notice should be given “quickly and effectively,” he added.

H. 328 suggests those affected should get individual letters or e-mails, unless the cost exceeds $250,000 or the number of accounts affected exceeds 500,000 – in which case notification through major media outlets and on the company’s Web site would be acceptable.

S. 184 was filed by Sen. Pat Jehlen, D-Somerville, and would extend existing federal law that prohibits collection agencies from calling consumers in a threatening manner, to prohibit creditors from doing the same.

Rep. Paul Casey, D-Winchester, and a recent victim of identity theft – which cost him hundreds of hours to clean up, according to colleagues – spoke on behalf of House Bill 211, a bill he filed that would impose stiff fines and prison sentences on people who pose as others, knowingly gather information with the intent to do so or sell identifying information about five or more other people to someone who intends to pose as another person.

It also would allow a police officer to arrest someone he or she has probable cause to believe is involved in one of the above activities, without a warrant.

Prosecution of such offenses would take place in the county where the offense was committed or where the person whose identity allegedly was stolen resides.

But Massachusetts Attorney General Martha Coakley, testifying in support of provisions she thinks should be present in any bill passed, said the Bay State needs to update its laws relating to jurisdiction for prosecution of identity-theft crimes and addressing the reality of how many occur today.

Coakley said it’s common for someone’s identity to be stolen by an out-of-state party or while the person is traveling out of state, but said current laws on how to prosecute such matters don’t reflect that reality.