Joe Protain learned that he might be an ID-theft victim in July 2007 when Bank of America contacted him about what it suspected were fraudulent charges to his account. He hadn’t made the charges, so he closed that account, notified the credit-reporting agencies, and began to do a little detective work of his own.

"I used a people search Web site to look up my name, found I was listed at an address I’d never heard of in Columbus, and then used Google Maps to find the exact location," Protain says. He notified the Columbus police that he was a fraud victim and gave them the address of the suspected thieves. But Columbus, Ohio, police didn’t pursue the investigation, and it was only by accident that another detective came upon the trail.

Franklin County wasn’t alone in providing an alluring tool for thieves looking for ID-theft victims. A GAO study in 2004 found that up to 28 percent of counties displayed records containing Social Security numbers on the Internet. Some have removed those keys to identity theft from online records, but they still can be found in many local court records, even in states known for strong rules, such as California.

We downloaded free records of a breach-of-contract lawsuit posted online at the Riverside County (Calif.) Superior Court’s Web site, for example. They reveal Social Security and checking-account numbers for the defendant, whose name and address are also clearly spelled out. Such records are also available online in San Mateo County. Some counties, such as Los Angeles County, impose a fee to view them, which can deter hackers.

"California was the first state to pass a data-breach-notification law, and it has set the standard for removing personally identifying information from state agency Web sites, but the courts are setting their own rules, which vary widely from county to county," says Steven Peisner, founder of Sellitsafe.com, a company in Calabasas, Calif., that helps merchants stem losses from fraudulent transactions.