New York Gov. David A. Paterson recently announced that the Legislature has reached an agreement on a bill that would improve New York’s identity theft laws in many ways, including the enhancement of privacy protection in the workplace and programs to aid those who have had their identities stolen.

Identity theft is the most common consumer fraud complaint and the fastest growing financial crime, affecting approximately 10 million Americans each year. In 2007, New York ranked sixth in the country in per capita identity theft complaints, according to Identity Theft Data Clearinghouse of the Federal Trade Commission (FTC).

“These kinds of protections are long overdue for the citizens of New York. Increasingly, commerce is done over the internet, making sensitive information more vulnerable to theft than ever before,” said Paterson. “The consequences of identity theft can be devastating and far-reaching. This bill recognizes the new risks facing consumers today and puts a number of critical safeguards in place to help the people of New York state protect their credit and their good names.”

The New York Times reports that Social Security officials, concerned about the risk of identity theft, are calling for immediate action to remove Social Security numbers from the Medicare cards used by millions of Americans.

But Medicare officials have pooh-poohed the proposal, saying it would be costly and impractical.

In a new report, the inspector general of Social Security, Patrick P. O’Carroll Jr., says “immediate action is needed.”

“Displaying such information on Medicare cards unnecessarily places millions of individuals at risk for identity theft,” Mr. O’Carroll said. “We do not believe a federal agency should place more value on convenience than the security of its beneficiaries’ personal information.”

In a memorandum to the heads of federal departments and agencies in May 2007, Clay Johnson III, deputy director of the White House Office of Management and Budget, said they should draw up plans to “eliminate the unnecessary collection and use of Social Security numbers within 18 months.”

According to CNET, Verizon Business just released a four-year study that reveals that 9 out of 10 corporate data breaches could have been prevented, had appropriate security measures been taken. The Verizon report includes the results of more than 500 forensic investigations, including three of the largest data breaches in history.

Verizon found that 73 percent of the data breaches were the result of outside sources, with only 18 percent from insider threats. Of the outside sources, 39 percent were attributed to business partners. Third parties, not victimized organizations, discovered 75 percent of the breaches.

Attack methods vary around the world, Verizon found. Attacks from Asia, China and Vietnam in particular, often involve application exploits. Attacks from the Middle East involve site defacements. And attacks from Eastern Europe and Russia involve point-of-sale compromises.

CBS4 reports that Sheldon Chrysler of Denver, a recent victim of identity theft, filed a federal lawsuit against DirectTV, AT&T, and the credit reporting companies when he couldn’t get his name cleared on his own.

Chrysler found out he was a victim of identity theft in December 2006 when he went to apply for a loan. The collections were for accounts with AT&T, another phone company and DirectTV — accounts that Chrysler never opened.

He filed criminal reports in Colorado and Michigan, put a credit fraud alert on his accounts, and contacted the companies as well as the credit reporting companies. But still he his credit still showed the bad accounts.

So he filed a lawsuit in federal court and won. The companies settled the case and cleared his credit.

Over the past five years, 43 US states have adopted data breach notification laws, but have these laws reduced identity theft? Not according to researchers at Carnegie Mellon University who just published an analysis of data supplied by the US Federal Trade Commission (FTC).

“There doesn’t seem to be any evidence that the laws actually reduce identity theft,” said Sasha Romanosky, one of the authors of the analysis. His team looked at FTC identity theft complaints filed between 2002 and 2006 to see whether there was a noticeable impact on complaints in states that had adopted data breach notification laws such as California’s SB 1386, which compels companies and institutions to notify state residents when their personal information has been lost or stolen.

It looks like there may be good reasons that explain why breach laws have not cut down on identity theft. Many consumers ignore breach notification letters. And Romanosky believes that security firms are still not doing enough to protect data themselves. “In so many of these cases, the breaches occur because of ridiculous security practices,” he said.