Congress fails to grasp security risk

'Net Insider By Scott Bradner, Network World, 08/14/2006

It's now almost a year and a half since the ChoicePoint debacle, in which Social Security numbers and other personal information about 145,000 people were "improperly accessed" (to use ChoicePoint's description), and data about tens of millions of others was put at risk. The resulting publicity was instrumental in identity theft-related laws being passed in almost three dozen states - but not, as of yet, by Congress. Given some of the bills under consideration, it might be better for you and me if Congress continues not to act.

The security breach at ChoicePoint was not the first such incident and certainly not the last. The Privacy Rights Clearinghouse maintains a list of the steady drumbeat of breaches reported since the ChoicePoint one. The list - 250-plus breaches of various types as of this writing - is not fun reading: far too many thefts of laptops with far too little encryption; far too many hacks of servers and missing, unencrypted backup tapes - and most troubling, far too many cases where people were keeping Social Security numbers because they could, not because they needed to.

The reason we know about most of these breaches is not because the organizations breached wanted to do the right thing but because of a 4-year-old California law mandating notification if people's financial information might have been compromised. Specifically, in the words of the law, someone holding data must provide notification "to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Note that the breach itself triggers the disclosure requirement, not an expectation that the breach might produce a risk to the individual whose data was compromised.

The ChoicePoint case came to light when the company got around to notifying California residents of the breach. There is no reason to believe ChoicePoint would have told anyone without the notification law, because the company did not do so after a breach that occurred before that law went into effect. Companies are often reluctant to disclose breaches, because it can cost a lot of money. For example, ChoicePoint has settled with the Federal Trade Commission for $15 million, on top of whatever the incident cost ChoicePoint in direct expenses.

The total number of people put at risk by the breaches in the Privacy Rights Clearinghouse list is a bit more than 90 million. To put this into context, according to published reports, as many as 9 million U.S. residents have suffered some form of identity theft.

Congress has held a number of hearings since ChoicePoint's revelations and has been considering a number of bills that ostensibly would help reduce that threat. All the bills have one thing in common: They would preempt state laws in favor of a consistent national policy. Most of the bills, however, look like they were written by lobbyists working for the likes of ChoicePoint.
