Detective Mark Watkins decided not to return the phone call of an identity thief he had put away several years ago. Just another inmate finagling to reduce his prison term, he thought at the time.
Then the man called again and got the Baltimore County police officer on the phone.
"Does this number mean anything to you?" Watkins said he was asked.
It did. It was his Social Security number.
The episode brought home a problem Watkins had seen on the job. With the rise of identity theft, an individual's personal data have become a hot commodity among criminals.
At the same time, consumers and employees are routinely asked to supply credit card numbers, birth dates, home addresses and Social Security numbers as a part of everyday commerce and work.
And that makes everyone potentially vulnerable.
While recent months have seen a series of corporate and government databases breached and information on thousands of people lost or stolen, about 70 percent of the information used by identity thieves comes from paper and other documentation, not from computer schemes, according to Javelin Strategy & Research, a consulting firm to the financial industry.
Perpetrators not only steal wallets, but they also rifle through trashcans and make connections with corrupt employees who have access to the information. The thieves often work with organized networks that traffic in the data.
Among area businesses and organizations that have been plundered for identities are Blockbuster Inc., U-Haul International Inc., Nextel Communications Inc., Jackson Hewitt Tax Service, a YMCA community center and the General Services Administration.
Watkins' personal data and those of other police officers and firefighters ended up at the county's recycling center before a shredding policy was implemented, Watkins said, recounting the story told to him by the now ex-inmate.
Watkins usually refuses to give out his Social Security number, even to legitimate sources, having become more cautious after investigating dozens of criminals running up credit cards, obtaining student loans and even buying cars, all using someone else's name.
But in this instance, he didn't have a say.
"Your information is floating out there, and all it takes is one unscrupulous person to get a hold of it," he said.
"It's buying furniture and filling out a credit application. It's getting your blood drawn. It's one dishonest car salesman running your credit report."
The problem has spurred a movement on Capitol Hill to strengthen federal regulations and in corporate America to shore up business policies.
Congress is considering several identity-theft bills and might pass legislation later this year. One proposal would require businesses, schools and other entities to secure any sensitive personal information that's collected.
The provision would close a loophole in the 2003 Fair and Accurate Credit Transactions Act, which requires businesses to shred or destroy credit report information being thrown away.
The so-called disposal rule, which took effect in June, technically doesn't apply to information from sources other than credit reports.
"It is conceivable that you could have identical information, one came from a consumer credit report and one didn't, and only the information from the credit report is covered by the disposal rule," said Katherine Armstrong, a lawyer in the Federal Trade Commission's division of financial practices.
"That's not to say it's not good business practice to properly dispose of information," she said.
The disposal rule is part of a patchwork of laws that govern the safekeeping of information.
Financial institutions are responsible for protecting customer data under one federal law.
Doctors and pharmacists are responsible for the confidentiality of patient records under another.
A number of states also have laws requiring that information be secured.
Companies, for their part, are becoming increasingly aware of the issue, and many have established policies for the storage and disposal of customer information, said Colleen Langevin, director of product marketing at Iron Mountain Inc., a records management company.
Some companies are also conducting background checks on all employees, even those working part time.
Blockbuster, the Dallas-based video rental chain, now keeps member applications "under lock and key" and destroys them after 90 days, said Randy Hargrove, a spokesman.
The chain no longer asks for Social Security numbers because of fears of identity theft. Employees are also told that documents can't leave the stores, and each store is equipped with a shredder, Hargrove said.
Sprint Nextel Corp., formed by a merger of those telecom companies, established a training group that travels to stores nationwide to ensure that precautions are taken against fraud, spokesman Charles Fleckenstein said.
The challenge for businesses is getting every employee to follow the rules, said Robert Johnson, executive director of the National Association for Information Destruction.