It's no secret: Identity theft is a growing problem in the US, with complaints rising 73 percent from 2001 to 2002. But there's a mistaken impression that identity theft is carried out merely by rogue hackers.

That's not the case. If your credit history is stolen from a database, the thief is less likely to be a hacker than an employee of the company that owns the database. Yet businesses are still lax when it comes to policing insiders who have access to confidential data.

I believe this crime will not stop until the government steps in to regulate corporate privacy policies, and companies that handle your personal data are held liable for any abuses carried out by their employees.

Identity theft has been making headlines for months. Last fall, the feds broke what may be the largest identity theft case in US history (total losses from the case are estimated at US$2.7 million). Federal investigators arrested in November 2002 a help-desk employee of a third-party credit agency, Teledata Communications, who was able to access confidential information about the company's corporate clients.

Authorities allege that over a period of three years, this employee, Phillip Cumming, and three other accomplices used password and subscriber codes for auto dealerships, banks, health care facilities, and even public utilities in order to obtain the credit histories of nearly 30,000 individuals, which they then sold for US$60 per individual.

Just last month, California barred Allstate Insurance from using its online Department of Motor Vehicles database. While the state did not accuse Allstate of identity theft, it did contend that a few Allstate employees were not following the DMV's privacy policy, which stipulates that each individual who accesses the database have a unique password and sign confidentiality papers. Allstate employees also breached company policy by looking up DMV records of family and friends.

You might wonder how damaging a single DMV record could be. Well, your DMV record contains your driver's license number--a valid form of identification. It could also include your home address, phone number, and social security number. Armed with this information, a thief could at the very least open new lines of credit using your credit history. The worry here is that someone could start borrowing money under your name. When he or she fails to make the required payments, it's your credit rating that would suffer.

Fortunately, some corrective measures are being taken to protect against this sort of activity. As of January 1, 2003, California residents may now "freeze" their credit report, which prohibits any company or individual from accessing their credit history without their knowledge.

The cost of freezing and thawing varies among the big three credit bureaus--Equifax, TransUnion, and Experian from US$12 to US$60 per year, or about US$12-US$15 for each freeze or thaw. The only way to avoid these charges is to file an identify theft complaint with the police. While I would prefer that the credit bureaus didn't charge for this service, I'm hopeful that other states will soon follow California's lead and allow you to control access to your credit history.

The bigger issue here is that we automatically trust the companies we patronise to keep our personal information safe and secure--not only from outsiders, but also from company insiders--whether they deserve that trust or not. But when you think of all the people who have access to, for instance, a loan application for a new car, you start to see how vulnerable you are. Given that doing any business these days--whether in person or online--often requires giving out some personal information, what can be done?

I say the Federal Trade Commission should step in and mandate strict new policies regarding the handling of credit bureau information. Such rules might resemble the Health Insurance Portability and Accountability Act, which sets forth guidelines for the handling of medical information by healthcare providers, and the Gramm-Leach-Bliley Act, which sets forth guidelines for the handling of medical information by healthcare providers, and the Gramm-Leach-Bliley Act, which outlines privacy rules for customer information at financial institutions.

In addition, companies that access credit bureau reports should be held liable for any abuses and thus be encouraged to audit their employees' activities.

If you want more information about protecting yourself from identity theft, the Federal Reserve Bank of Boston offers a comprehensive brochure on the topic. It's full of useful tips and resources, such as how to contact each of the three major credit bureaus to monitor your credit reports. The brochure recommends you do this twice a year.

My advice: Be cautious when giving out personal information, and always ask about a company's security policies and procedures. If at any point you feel uneasy about the answers (or lack thereof), take your business elsewhere. I'm sure you can find a competitor who makes you feel more at ease.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.