id theft: variations of an international crime

Table of Contents

Advanced Risk Management Solutions

08

Identity Theft Today

“Variations of an International Crime”

Wilma Ariza, C.I.T.R.M.S.


2

Advanced Risk Management Solutions © 2008

Table of Contents

About the Author ................................................................................................... 3

Introduction ........................................................................................................ 4

President’ Task Force Report Abstract ............................................................. 5

Identity Theft: Federal Definition .......................................................................... 6

The Offenders ...................................................................................................... 7

Identity Theft Crime Variations ......................................................................... 8

a) Credit Fraud or Theft by deception……………………………….9 b) Social Security Theft ………………………………………………………10 c) Medical Identity Theft…………………………………………………….11 d) Driver’s License Identity Theft ……………………………………….12 e) Criminal Identity Theft …………………………………………………..13

Case Study Samples…… ........................................................................................ 14

Business Considerations and the Law………………………………………………………………18

Conclusion ........................................................................................................ 23

References ....................................................................................................... 19

Resources…………………………………………………………………………………………………….…20

Acknowledgement: Thank you for stealing my identity and selling it, to everyone else who is me, somewhere, anywhere in the US, without you guys I would never be where I am today. You know who you are! The Real Wilma “Colon” Ariza


3


About the Author

Wilma Ariza has successfully completed the Certified Identity Theft Risk Management Specialist curriculum and now joins the ranks of select professionals nationwide who have earned the CITRMS certification. Ms. Ariza became interested in Identity Theft Victims Rights and issues 3 years ago when she discovered her identity was stolen and was unable to find effective knowledgeable assistance and advocacy to resolve the ensuing financial and legal issues that resulted from a number of unknown individuals using her identity nationwide to obtain employment, medical insurance, passports, social services, credit, out of state drivers licenses in her maiden name, multiple real estate acquisitions, goods and services fraudulently, including the illegal use of her NJ Drivers License information during traffic violations stops. . The CITRMS certification program is the nation’s only training program specifically developed for professionals who are dedicated to educating and assisting clients, customers, businesses, and the general public in combating the epidemic of Identity Theft. CITRMS-qualified professionals are employed by financial institutions, financial services firms, law enforcement and other state and federal government agencies. Many others are private practitioners including attorneys, CPAs, financial advisors and business consultants like Ms Ariza who has focused her practice on legal rights and legislation affecting consumer identity protection, children’s identity fraud, criminal identity theft victims advocacy and medical identity theft awareness education in Northern New Jersey where she currently resides. . The course curriculum addresses such key areas as: the various types of Identity Theft vs. credit fraud; consumer protection laws and related requirements; the public dossier and sources of information; Identity Theft risks and issues for businesses, including information security laws, related requirements and liabilities; Identity Theft Risk Management and Anti-Fraud Resources; and more. To attain the certification, CITRMS candidates must successfully complete a rigorous final examination designed to thoroughly assess their comprehension and sound knowledge of the course materials and the legal, as well potential financial pitfalls of compliance. The Certified Identity Theft Risk Management Specialist program is provided through a cooperative effort between the award-winning Institute of Consumer Financial Education (www.ICFE.info), and The Institute of Fraud Risk Management (www.TIFRM.com). Indicative of the ever-increasing threat of this emerging crime and the critical nature of providing business owners and the public with the knowledge and tools to address and manage their risks, the CITRMS certification course is accepted for professional continuing education credit by such organizations as: the Certified Financial Planning Board of Standards for Certified Financial Planners (CFP®); PACE and The American College for Chartered Life Underwriters (CLU) and Chartered Financial Consultants (ChFC); the International Association of Registered Financial Consultants for Registered Financial Consultants (RFC); and The Association for Financial Counseling and Planning Education for Accredited Financial Consultants (AFC).

http://rs6.net/tn.jsp?t=c6upy9bab.0.tpxry9bab.eduxfzbab.841&ts=S0216&p=http%3A%2F%2Fwww.icfe.info

http://rs6.net/tn.jsp?t=c6upy9bab.0.lu9eo9bab.eduxfzbab.841&ts=S0216&p=http%3A%2F%2Fwww.TIFRM.com


4


INTRODUCTION

While no less than a decade ago ―identity theft‖ was apt to be met with curiosity and

some bewilderment, it has become one of the most recognizable crime terms of the 21st

century. Even so, questions remain regarding what it really represents, what type of person is

most likely to commit this crime, what criminal methods are most commonly (and successfully)

employed, and who is most at risk of being victimized. The United States Secret Service is

actively involved in the investigation and prosecution of identity theft and fraud crimes.

According to its website www.secretservice.gov/criminal.shtml

Identity crimes are defined as the misuse of personal or financial identifiers in order to

gain something of value and/or facilitate other criminal activity. The Secret Service is the

primary federal agency tasked with investigating identity theft/fraud and its related activities

under Title 18, United States Code, Section 1028.

Identity crimes are some of the fastest growing and most serious economic crimes in the

United States for both financial institutions and persons whose identifying information has been

illegally used. The Secret Service records criminal complaints, assists victims in contacting

other relevant investigative and consumer protection agencies and works with other federal,

state and local law enforcement and reporting agencies to identify perpetrators. These efforts

are time consuming and often very costly for victims.

Similar information can be found on the websites of the United States Postal Inspection

Service, the FBI (Federal Bureau of Investigation), the FTC (Federal Trade Commission), the

Social Security Administration, the Department of Justice, many state police departments,

several local police departments, and the numerous not-for-profit organizations devoted to

combating identity theft and helping citizens to recover from it.

Identity crimes are far reaching, as the attention given to it by government entities, the

businesses that have emerged in an effort to thwart it, and the many stories from the media

indicate. Statistics from Consumer Sentinel, the database of complaints maintained by the

Federal Trade Commission, indicate that the highest percentage of complaints received in 2006

(36%) were concerning identity theft. http://www.ftc.gov/opa/2007/02/topcomplaints.shtm Since

2001, the same has been true; the highest percentage of complaints received during each year

concerned identity theft.

http://www.secretservice.gov/criminal.shtml

http://www.ftc.gov/opa/2007/02/topcomplaints.shtm


5


THE TASK FORCE REPORT

President George Bush established the President’s Task Force on Identity Theft

in May 2006 by Executive Order 13402. Which states ―The problem of identity theft has

become more complex and challenging to the general public, the government, and the

private sector.‖ (April 2007, p. 1)

While the Internet, with its chat rooms, electronic banking and payments,

phishing and pharming, malware and Spyware, and pretexting, has certainly added a

dimension to the crime, the basics are also still employed by identity thieves: common

theft, mail theft and change of address, dumpster diving, database and network

hacking, including insider theft.

The purposes for which identity thieves can use the stolen personal identifier

information has been exacerbated by the Internet, as online credit applications, bank

account transfers, purchases and the like eliminate the need for face to face contact.

Law enforcement is, of course, faced with the challenges that the growing complexity

the crime presents including the growing numbers of undocumented immigrants using

fraudulently obtained personal identifying information to:

Conceal Actual Identity

Obtain Credit and Loans

Procure and Secure Employment

Obtain Drivers License and Passports

Purchase Motor Vehicles and Real Estate

Enroll In School and Obtain Student Loans

Apply for and obtain social services or medical care


6


IDENTITY THEFT: The Federal Definition

In the report of the President’s Task Force on Identity Theft, identity theft is

defined in this way, ―Although, identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud” (April 2007, p. 2).

As of the preparation date of this report there is an ongoing debate concerning the definition of identity theft. However, for the purposes of this report and discussion, I agree with the Task Force definition, but consider personal information to be personal identifying information such as name, address, Social Security number and date of birth, which may be included on documents such as driver’s licenses and birth certificates.

Access devices such as credit cards, debit cards, ATM cards, electronic monetary gift cards, calling cards and bank checks, are excluded from the identity theft crime definition. While the theft of a credit card, other financial access card and/or bank check may result in fraudulent charges, known as credit fraud or theft by deception, it does not result in the theft of an identity.

The Task Force report agrees: ―For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card alone, generally would not provide the thief with enough information to establish a false identity‖ (p. 3).

And so, there, lies the debatable concept of identity theft crimes versus credit fraud incidents and the ramifications for the consumer who fails to make the distinctive connection and effectively assess (1) the personal data management risks (2) the consumer credit risks, as defined by Federal and State Laws vs. the general misconception that inadequate credit monitoring services offered to credit card and banking consumers by their financial institution can be relied upon for comprehensive identity theft protection.

.

―Credit scores can be ruined and existing personal and business credit may be significantly reduced or closed while disputed fraudulent credit charges on delinquent past due accounts are cleared and resolved.” -- Newsweek --


7


THE OFFENDERS

The data analysis specified on the Identity Fraud Trends and Patterns: Building a

Data-Based Foundation for Proactive Enforcement Report published by the Center for

Identity Management and Information Protection of Utica College this past October

2007, showed more diversity among the age, race, gender, and criminal backgrounds of

offenders than the picture held by conventional wisdom.

Most of the offenders – 42.5% - were between 25 and 34 years of age at the time

that the case was opened.

The 35 – 49 age group made up 33% of the offenders.

18.5% were between 18 and 24 years old.

The remaining 6% were 50 years old or older.

One third of all reported offenders were female.

24.1% of the offenders were born outside of the United States.

71% of the offenders had no arrest history.

** those who had a prior criminal record or pending charges included

fraud and forgery, identity theft and theft by deception.

The most prevalent motive among all offenders was economic personal gain, followed

by avoidance of past criminal convictions disclosure and a variety of social benefits

fraud.


8


IDENTITY THEFT CRIME VARIATIONS

Credit Fraud and Theft by Deception

The most productive and familiar form of the crime, the thief obtains key information about the victim such as the victim's name, Social Security or Registry number, date of birth, and any other available bits of personal identifying information. The victim may be an adult, a minor child or even *deceased ( known as*Ghosting).

The main common characteristic of the ID Theft crime is the ―theft" of information that enables the thief to abuse the victim's "identity" to commit credit fraud and other crimes. In credit fraud and theft by deception cases the criminals may obtain credit cards and loans, purchase goods and services, buy or lease homes and vehicles, take expensive vacations, etc., all under the victim's name. In a disturbing growing number of cases they effectively assume the victims full identity (*cloning) in another community.

This action, or abuse of the identity information, is known as "credit fraud". The result can often be the annihilation of the victim's finances and credit history, especially if fraudulent accounts are not identified and disputed within the time specified by law. Thousands of dollars of debt may be accumulated in a very short period of time, which

the ―identity theft victim‖ is left to clear up.

PrePaid Legal Services Inc., Life Events Membership Plans © Identity Theft Shield© Legal Shield©

“When bad things happen to good people”

www.prepaidlegal.com/hub/mquarles19

Wilma Ariza, C.I.T.R.M.S. Independent Associate Toll Free Televox (866) 292-7939 Email [email protected]

http://www.prepaidlegal.com/hub/mquarles19

mailto:[email protected]


9


Social Security Theft :

Because our Social Security or Social Registry number is the most widely utilized

personal identifier, most cases of Identity Theft and Identity Fraud involve some form of

theft and/or abuse of the victim's Social Security number. The Social Security number is

directly connected to a victim's work history, professional licenses, tax record and credit

file, therefore, is required by banking institutions to facilitate all manner of financial

transactions.

Real ―financial identity theft‖ cases will almost certainly involve the theft and

abuse of the victim's Social Security or Social Registry Number. However, this is not the

only way by which a Social Security or Social Registry number can be abused. A

criminal may use the victim's personal information to obtain employment, avoid paying

taxes, or disclose a criminal past. In many cases information is sold to undocumented

workers many times over creating an unreported income nightmare during an IRS audit.

It has been reported that thousands of social service, public assistance, food

stamps, and charity program fraud cases discovered in the past month involve

undocumented and otherwise disqualified program recipients establishing or re-

establishing benefits eligibility using stolen ―social security‖ or ―social registry‖ numbers.

This aspect of ―Identity Theft‖ can be extremely difficult to determine, because such

abuse is usually not uncovered through customary methods of credit review or

monitoring.

For example, in the case of illegal aliens (or anyone else) taking advantage of the

victim's Social Security or Social Registry Number for Months or years in order to gain

employment and make an income, the victim may discover the fraud only because the

thief failed to pay the resulting income taxes, and created significant tax liabilities or

penalties for the victim, including income withholding, bank account liens and in some

cases incarceration for tax evasion while the matter is resolved through the legal

system.

Another serious issue that is not widely discussed involves the use of an identity

theft victim's Social Security Number to apply for and receive Social Security, Medicare,

unemployment, or other government benefits, directly linked to an individual work

record, thus depleting the victim's own benefits and/or creating potential garnishments

or charges of benefits fraud until, and if, the victim can prove his/her innocence.


10


Medical Identity Theft:

Your social security or social registry number is also frequently used for medical

records and insurance policy benefit identification, which can lead to another crime

which falls under the increasingly complicated umbrella of Identity Theft crimes; a very

dangerous rising trend, often referred to as "Medical Identity Theft".

Thieves and scam artists have discovered the ease in which they may use a

victim's information to obtain healthcare and other medical benefits and services. It is a

very serious problem and may soon be officially recognized through legislation as a

separate and distinct form of the crime. In a report by Elizabeth Roop of Radiology

Today, the World Privacy Forum has estimated that fraudulent medical billing resulting

from medical identity theft can range from $1,000 to as high as $1 million per incident.

Pam Dixon, Executive Director of the World Privacy Forum, said "We get a lot of

complaints that are in the $20,000 to $150,000 range; that's very common. If someone

called up and said, 'I had debt collectors knocking on my door wanting $90,000,' we

wouldn't even blink." In addition to the obvious troubles caused by fraudulent billing that

may result from the healthcare services obtained in the victim's name, there is an even

more distressing, and potentially life-threatening danger—incorrect medical file

information/records.

The thief's abuse of the victim's information to obtain healthcare services could

result in the victim's medical files and connected information entered into medical

databases becoming contaminated with wrong or incompatible information (the thief's

rather than the victim's) such as an incorrect medical history, missed or incorrect

documentation of allergies to certain medications, incorrect documented health

conditions or diagnosis, and a host of other dangerous mistakes that could put the

victim's health and life in danger.

Victims may also abruptly and without warning discover that their insurance

benefit coverage has been exhausted, that they no longer qualify for medical or life

insurance due to incorrectly reported "pre-existing" conditions, or even receive a notice

of cancellation or a considerable increase in their insurance premiums due to

fraudulent, incorrect documented medical conditions and claim billing activity. Errors in

medical files can be very hard to identify and correct, nearly impossible to detect.


11


Victims of medical identity theft are not extended the same rights and protections

as victims of financial identity theft. If your record is tainted and/or ruined by inaccurate

information, there is often no way to correct it. For example, information in a hospital

database may be forwarded to a doctor for assessment and then added into his/her

database, depending on diagnosis potentially damaging information may be forwarded

to the Centers for Disease Control.

Information in the doctor's database may then be forwarded to an insurance

company for billing purposes, and entered into that company's database. Information

from the insurance company database may then be passed on to the Medical

Information Bureau database (M.I.B File), used by many health care providers and

insurance companies. At this point, all of these databases have become tainted with the

incorrect health information, and correcting them all is nearly impossible.

Driver's License Identity Theft:

Capitalizing on the systems flaws and diversity of procedures from State to State

and international law, thieves can make use of the victim's personal identifying

information and forge or easily obtain personal documents, such as a birth certificate, in

order to obtain a driver's license or government-issued identification card in the victim's

name. Victims of driver's license ID card theft may unexpectedly discover that a thief's

actions have resulted in charges of DUI or DWI or any number of other driving-related

offenses.

Suspended or revoked driving privileges for unpaid fines, or sudden arrest during

a routine traffic stop for outstanding warrants for "Failure to Appear in Court". In these

kinds of situations the victim may need the assistance of a qualified attorney to resolve

the matter, particularly in cases involving criminal charges, driver insurance surcharges

and unpaid fines. It can become very costly for a victim to clear their name particularly

when traffic violations are documented in multiple jurisdictions.

Driving-related offenses wrongly included in the victim's driving records may also

cause an unexpected cancellation of the victim's automobile insurance, an inability to

get insurance coverage, or a dramatic increase in insurance premiums on existing

policies. Identity Theft criminals recognize that the Social Security or Social registry

number, an individual's driver's license or state issued ID card number is the most

widely utilized personal identifier.


12


This is extremely dangerous because in the United States (for instance) the

driver's license is effectively a form of National Identification used for check verification

databases and for passenger identification by the TSA. Making it possible for an identity

theft victim to be linked to organized crime and/or, in extreme cases terrorism, causing a

potentially critical security risk dilemma for the victim, their family, friends and

associates.

Criminal Identity Theft:

In cases of "criminal identity theft", or the abuse of the victim's information in

contact with law enforcement, the end results are often a wrong criminal record for the

victim, outstanding arrest warrants, and even temporary incarceration. In some cases,

the victim may be, without explanation fired from their place of employment due to an

"undisclosed conviction" discovered during a background check or security clearance

update.

This type of Identity Theft can have a devastating and long-lasting effect on the

victim. It can often be very hard to fully resolve, if ever, and the victim will most likely

require legal representation which can be very costly. Criminal convictions are also

usually entered into public records, which can further damage future employment

opportunities, security clearances, insurance premiums, and pose a range of other

significant potentially lifelong challenges for the victim.

Once incorrect criminal information is entered or connected to the victim's name

in a number of record databases, it can be extremely difficult or impossible to have it

completely corrected. It may still result in a permanent alias or a.k.a (Also Known As)

entry attached to the victim's records. In more severe cases, some victims have only

been able to detach themselves from the impostor by legally changing their names,

while others must carry court documentation with them at all times in order to prove to

law enforcement that they are not the person being sought for crimes or arrest warrants.


13


CASE STUDY EXAMPLES

Actual Loss: the Extremes

In a case representative of a zero dollar loss, a Houston area task force was contacted

by a bank fraud investigator concerning an employee of the bank who was involved in a

fraudulent transaction. The bank employee, the single defendant in the case, applied for

and received a loan in another individual’s name. When the car dealership refused the

loan check because it was not made out in the defendant’s name, he attempted to

deposit it into his account at the bank where he was an assistant manager. He had

applied for the loan online, using the victim’s Social Security number, date of birth, and

home and work phones. The defendant changed the victim’s first name from Jane to

Jan, and used his own address and utility bill. The victim was unaware of the car loan,

but knew that someone had attempted to apply for a credit card using her personal

identifiers.

In another case where the actual loss was $13,000,000, a bank investigator contacted

the Dallas Secret Service field office concerning a case of identity theft related to bank

fraud. The defendant, acting alone, used false information about his identity and

financial status to receive millions of dollars of loans to purchase luxury vehicles. He

used the identity of a person serving life in prison for several of these, as well as to

open credit accounts and buy two houses. He also used the identities of incarcerated

individuals to establish several shell companies and attract investors, whom he

subsequently defrauded.

A “Typical” Case

The victim contacted the Newark, New Jersey field office in August 2002. He reported

that he had received numerous credit card account statements from retail stores, none

of which he had authorized. The case’s primary classification was Fraudulent Use of

Account Numbers. One of the secondary classifications was Identity Fraud. The

defendant had purchased a birth certificate and W-2 form in the name of the victim. He

used those to obtain a duplicate driver’s license, which he used to open store credit

card accounts in the local area. The actual loss was $13,175. The case fell under

federal jurisdiction. The defendant pled guilty to charges of 18 USC 1029(a)(2), Access

Device Fraud, and was sentenced to 18 months in prison, 3 years of probation, and

ordered to pay $13,175 in restitution. The case was closed in March 2004.


14


Motivating Factor: Supporting a Drug Habit

In this case, which was opened in 2003, the three defendants worked together to steal

mail from mailboxes in suburban towns when they needed money to support their

methamphetamine habit. They looked for mail containing government, payroll, and

personal checks and personal identifiers. One defendant used his computer to produce

counterfeit state driver’s licenses, Social Security cards, and counterfeit checks. Each of

the defendants was sentenced to incarceration and probation.

Identity Theft through Employment

The defendant was employed by a cleaning service (service industry) and cleaned the

victim’s residence. While on the job, he stole the brokerage account number belonging

to the victim’s company and through telephone transfer, using the victim’s date of birth

and Social Security number, had $80,000 placed in a bank account. He later withdrew

it, placed it in another bank account, and used the money to purchase a vehicle. The

victim was on an airplane at the time of the call requesting the transfer. He became

aware of the fund transfer when the brokerage called him to confirm the transaction.

One Offender – Several Opportunities and Roles

The offender purchased a fake ID from www.counterfeitlibrary.com and used it to

procure a mailbox at Mailboxes Etc., as he needed an address to use in selling

counterfeit DVDs that he obtained from Taiwan on eBay (auction fraud). Using

www.counterfeitlibrary.com, the defendant purchased a fraudulent ID from an individual

in England and used it to obtain a pre-paid credit card from Rite-Aid in another’s name.

He also bought a counterfeit birth certificate and a Netbank account in another name,

and received information on setting up Netbank accounts. He traded Netbank account

information for credit card information. He also purchased 10 blank counterfeit birth

certificates. While working as a temporary employee at an insurance company, he stole

the names and personal identifiers of approximately 12 people and used them to obtain

pre-paid credit cards using counterfeit licenses which he manufactured on his home

computer. He purchased and used personal identifiers and credit card information to

add users to the account, to get additional cards, and to change the address


15


A small level group crime case

Defendant two obtained personal identifying information from a source at a state

Secretary of State office, for the purpose of selling it to people who needed to change

their identities. Defendant one bought information, as well as birth and marriage

certificates, from him and used them to obtain a driver’s license and Social Security

number. She obtained several credit cards in the names and paid the bills for them. She

used the false name at her place of employment and later received disability checks in

that name. She also filed income taxes in that name. She stated that she had to change

her identity to protect herself from the family of a person whom her brother murdered in

self-defense approximately 30 years ago. Neither defendant had a prior arrest history.

Roles taken in an organized group case

In a case with 16 defendants, the group used unauthorized credit card numbers to

purchase airline tickets in their own names and to reserve hotel rooms through

websites. They also used the names of others and driver’s licenses in those names as

identification when flying. Several of the defendants accessed workplace computers to

obtain customers’ personal identifying information, which they distributed to the rest of

the group. Billing documents were also used as a source of personal identifying

information.

One defendant skimmed credit card numbers (other) at hotels where she was

employed. Two of the defendants were involved in distributing the information to others

in the group. Three of them directed others. For example, they instructed and paid

others to purchase tickets for them. They all used the stolen personal identifying

information for their own use – purchasing tickets and booking hotel rooms for travel to

various cities where a social organization to which they all belonged held meeting.

Offender Methods: Internet Alone

The defendant in this case employed pharming to create duplications of an opera house

website in at least 9 cities worldwide. When customers attempted to purchase opera

tickets, the defendant captured their personal identifying information – names,

addresses, phone numbers, and credit card numbers. The customers either received

tickets at a higher cost or to a performance other than the one they requested. Some

customers did not receive tickets.


16


Using Computers to Produce Documents

The defendant procured personal identifying information by placing ads in newspapers

stating that he was hiring and would accept applications at a local hotel. He would

interview the individuals and collect their applications which included Social Security

numbers, dates of birth, and bank account information for direct deposit of a payroll

check. He would then create birth certificates and employment cards on a computer and

use them to get driver’s licenses with his photograph and others’ names. He used the

driver’s licenses to open bank accounts. He then manufactured counterfeit checks with

the victims’ names on the computer.

Point of Compromise: A Business

This case originated when a bank fraud investigator contacted the Secret Service. The

defendant was employed at a candy store and was terminated for stealing cash from

the register during transactions. He also skimmed credit cards while employed there.

Two major credit card issuers identified the business as a common purchase point for

credit cards that were later used as counterfeit credit cards. The defendant admitted

that he was paid by another person to skim the credit card numbers. The other person

then used them to produce counterfeit credit cards which he sold with corresponding

counterfeit identification documents.

Point of Compromise: A Family Member

The victim in this case notified the Secret Service regarding the fraudulent use of her

identity. Her ex-husband used her information to open two American Express card

accounts and make charges to them. The defendant completed the credit card

applications via the Internet.


17


Identity Theft through Employment: Hospital

The defendant, whose first and last name were the same as the victim’s, used her

position as a hospital employee to gain access to patients’ personal identifiers. The

victim had given birth in the hospital and the defendant accessed her identifiers, which

she used to obtain several credit card accounts. The victim became aware of the

unauthorized accounts when she was contacted by Discover concerning a credit card

for which she had not applied. She then obtained her credit history and found other

retail credit card accounts which she had not authorized.

Victimization of Financial Services Industry

In a case brought to the attention of the Secret Service by a bank fraud investigator in

2004, the defendant used his deceased’s father’s Social Security number and name to

obtain three loans and a credit card from the bank. He secured a vehicle loan from

another bank and paid it off with a loan from a third bank, which he obtained with the

same identifiers. He opened checking accounts using the fraudulent information at each

of the banks. He admitted using a false income tax form to show income high enough to

qualify for the loans. The defendant confessed that he used his father’s Social Security

number and name to open all of the accounts and credit cards, and to apply for the

loans. At the time of this criminal behavior, he was a resident of a halfway house on

supervised release for a prior federal criminal conviction for financial fraud. He pled guilty to Social Security Fraud (42 USC 408(a)(7)(b) and was sentenced to two years of incarceration, three years of probation, and $64,000 in restitution.

Offender-Victim Relationship: Caretaker-Employer

In this case, the defendant was employed by a blind man who owned a management company. The defendant, a white female in her forties, embezzled over one million dollars in approximately three and a half years. Her employer trusted her implicitly and signed whatever documents she directed him to. Thus, she was able to make purchases, bill them to her employer, and pay for them from his personal checking account. She issued checks from his account, which he signed, to pay her personal bills, including credit cards, tuition, vacations, medical expenses, clothing, jewelry, insurance policies, and home improvements. She used his date of birth and Social Security number to obtain unauthorized credit card accounts in his name and requested a second card for the accounts in her name. She also changed the address on the cards to her own. She used wire transfer and computer generated checks on his revocable trust and limited partnership checking accounts to pay the credit card bills.


18


Business Considerations and the Law

By now, conducting financial and business transactions online on "secure" sites has become a commonplace convenience. But, as we are reminded from time to time, it is not entirely safe to entrust confidential personal information to others. Just such a reminder occurred in late May 2006, when the U.S. Department of Veterans Affairs disclosed that the confidential personal information of about 26.5 million people, including their Social Security numbers, had been stolen when a Virginia analyst took data home and his home was burglarized.

According to the Privacy Rights Clearinghouse, a non-profit organization, the theft brought the number of identities compromised since 2005 to over 80 million. Indeed, according to a Wall Street Journal article prompted by the VA incident, identity theft has become such a concern for employers, both in terms of potential liability and lost productivity, that some are providing a new employee benefit: "identity theft resolution services," i.e., someone to deal with the employees' legal and credit problems when a theft occurs.

What are the legal liabilities a company faces when someone breaches the company's security and accesses employee or customer confidential information? More than half the states have legislation addressing this problem. This article focuses on federal statutes that expose companies to potential civil and criminal liability for failing to take adequate steps to prevent the theft.

THE FEDERAL TRADE COMMISSION ACT

The Federal Trade Commission Act prohibits "unfair or deceptive acts or practices in or affecting commerce," and §5(a) of that Act empowers the FTC to commence civil actions against companies that violate the act. A number of cases in recent years have charged companies with violating the act by failing to adhere to their own privacy policies with respect to customers' personal information.

For example, the FTC recently brought a number of actions stemming from companies' failures to use reasonable measures to prevent consumer information from being accessed by viewers of company Web sites. Each company entered into a consent agreement requiring it to implement a comprehensive information security program, not misrepresent the extent of its information protections and conduct periodic independent audits of its security program.


19


THE GRAMM-LEACH-BLILEY ACT

Title V of the Gramm-Leach-Bliley Act requires financial institutions to take steps to protect their customers' data, and imposes possible civil and criminal sanctions for non-compliance. Subsection I authorizes the applicable regulatory agency to promulgate appropriate standards for financial institutions to ensure that customer records and information are adequately safeguarded from unauthorized access. 15 U.S.C. §6801(b). Subsection I also imposes a duty on financial institutions to notify customers prior to any disclosure of their personal information to third parties and offers the customer an opportunity to direct that the information not be disclosed. 15 U.S.C. §§6802(a) & (b). Subsection II prohibits any person from disclosing or causing to be disclosed customer information under false pretenses. 15 U.S.C. §6821(a). Violations of the provisions of subsections I and II are punishable by civil and criminal penalties. 15 U.S.C. §6823.

HIPAA

The Health Insurance Portability and Accountability Act imposes obligations on health care providers to safeguard personal information. A person who knowingly obtains or discloses confidential health information about a patient is subject to fines and imprisonment. Wrongful disclosure of individually identifiable health information carries up to a year in prison and up to a $50,000 penalty. If the wrongful disclosure is under false pretenses, the maximum term rises to 5 years, and the monetary penalty to $100,000. If the disclosure was with an intent to sell, transfer or use for commercial advantage, personal gain or to inflict malicious harm, the maximum sentence increases to 10 years, with a fine of up to $250,000. 42 U.S.C. §1177.

In a June 1, 2005 opinion, the Justice Department Office of Legal Counsel announced that because the regulations establishing privacy standards under HIPAA applied only to "covered entities," the HIPAA criminal provisions did not reach individual employees. The Department noted, however, that those employees could still be prosecuted for identity theft and fraudulent use of a computer (see below).

THE FAIR AND ACCURATE CREDIT TRANSACTIONS ACT

The Fair and Accurate Credit Transactions Act imposes liability on consumer reporting agencies that do not maintain "reasonable procedures designed to avoid" improper disclosure of information. 15 U.S.C. §1681e. Such agencies must require anyone seeking information contained in a consumer report to identify themselves, certify the purpose for which they are seeking the information and certify that they will not use the information for any other purpose. 15 U.S.C. §1681e.


20


A violation of FACTA can result in civil liability, including punitive damages if the violation was willful. 15 U.S.C. §1681n. FACTA also imposes criminal liability on any officer or employee of a consumer reporting agency who knowingly and willfully discloses an individual's personal information to an unauthorized person. 15 U.S.C.

§1681r.; 18 U.S.C. §§1028 and 1028A; 18 U.S.C. §1028.

One of the primary vehicles for prosecuting identity theft is 18 U.S.C. §1028, which is a

general criminal statute prohibiting fraud in connection with identification documents. In

1998, Congress enacted the Identify Theft and Assumption Deterrence Act, which

amended 18 U.S.C. §1028 to criminalize the knowing transfer or use, without lawful

authority, of "a means of identification of another person" with the intent to commit, or to

aid or abet, any violation of federal law. 18 U.S.C. §1028(a)(7).

"Means of identification" is defined broadly to include any name or number that may be

used to identify a specific person, including any name, Social Security number, date of

birth, officially issued driver's license or identification number, alien registration number,

government passport number, or employer or taxpayer identification number. 18 U.S.C.

§1028(d)(4). If convicted under this statute, a defendant faces up to 15 years in prison if

he obtained anything in value aggregating $1000 or more during a 1-year period. 18

U.S.C. §1028(b)(1)(D).

Concerned with potential use of the Internet as a means of committing identity theft,

Congress passed the Internet False Identification Prevention Act in 2000. This act

further amended §1028 to prohibit the transfer of false identification information over the

Internet. It also charged the Attorney General and Secretary of the Treasury with

establishing a committee of agency heads to ensure that the creation and distribution of

false identification documents is vigorously investigated and prosecuted.

In 2004, Congress again addressed the growing problem by passing the Identity Theft

Penalty Enhancement Act, 18 U.S.C. §1028A, which significantly increased the

penalties by adding a 2-year sentence to anyone who knowingly possesses, transfers or

uses a means of identification of another person without lawful authority. The Act also

prohibits courts from imposing sentences of probation on persons convicted of identity

theft, mandates, with limited exceptions, that sentences for identity theft run

consecutively with any other term of imprisonment, and directs the U.S. Sentencing


21


Commission to amend Guideline §3B1.3 (Abuse of Position of Trust), which adds two

points to the base offense level, to apply to offenses in which the defendant "exceeds or

abuses the authority of his or her position in order to obtain unlawfully or use without

authority any means of identification."

18 U.S.C. §1030

The Computer Fraud and Abuse Act, 18 U.S.C. §1030 (1986), makes it a federal

criminal offense to access and obtain information from protected computers without

authorization. This statute has been used to prosecute individuals who obtained

personal identification information from third-party computer systems. For example, in

U.S. v. Ivanov, 175 F.Supp.2d 367 (D. Conn. 2001), the defendant was convicted and

sentenced to 48 months for hacking into the computer system of an e-commerce

business that hosted Web sites and processed credit transactions and stealing

passwords that gave the hacker access to the entire network.

But unauthorized access alone may not be enough to convict. The 1st Circuit reversed

a conviction under 18 U.S.C. §§1343 and 1030 in U.S. v. Czubinski, 106 F.3d 1069 (1st

Cir. 1997), where the defendant, a Contact Representative in the Boston office of the

Taxpayer Services Division of the IRS, had access to the taxpayer information of

everyone stored in the IRS's Integrated Data Retrieval System, and knowingly

disregarded IRS policy by accessing this information outside of the scope of his

employment. However, no evidence was introduced at trial showing that he used the

information. The 1st Circuit held that the defendant had not violated the wire fraud

statute because he had not "deprived" anyone of a protected right. Similarly, he had not

committed computer fraud because §1030 requires that a defendant personally benefit

or further some scheme of fraud in order to be criminally liable.


22


**Authors Noted Comment for Business Owners :

Controversial pending federal legislation that would preempt state data-breach

notification laws may change the statutory framework discussed above. In addition,

courts have begun to recognize common law remedies for people injured by identity

theft.

For example, recent cases in New York and Michigan have recognized private causes

of action for identity theft. Jones v. Commerce Bancorp, Inc., 2006 WL 1409492

(S.D.N.Y. 2006); Bell v. Michigan Council 25 AFSCME, 2005 Mich. App. Lexis 353

(Mich. Ct. App. 2005).

Clearly, the legal landscape is in flux. The need for corporate counsel to monitor the

situation is underscored by the Office of Legal Counsel's reminder in its June 1, 2005

opinion that "in general, the conduct of an entity's agents may be imputed to the entity

when the agents act within the scope of their employment, and the criminal intent of

agents may be imputed to the entity when the agents act on its behalf."

Wilma Ariza, Certified Risk Management Specialist Independent Associate PrePaid Legal Services Inc.

Business Consultant & Privacy Rights Educator Toll Free Televox 866-292-7938

Email [email protected]


mailto:[email protected]



23


Conclusion

There is no doubt that public and private sector literature, media coverage, special

reports and public service announcements concerning ―identity theft‖ prevention

methods have been instrumental in educating the public about the threat and

consequences of the most prevalent form of identity theft., credit fraud. Some

characterizations have emphasized identity theft as more of a stranger-to-stranger

crime. Others have underscored the importance of not falling into a level of

complacency that would open the doors for friends and relatives to take advantage of

the unwary victim. Still other descriptions have focused on the methods practiced,

ranging from relatively simplistic acts such as ―dumpster diving‖ and mail theft to more

sophisticated criminal activities that depend upon the victim’s and offender’s use of the

Internet.

While provocative, much of the widely distributed information is based upon surveys

and reports that often leave key questions unanswered from an empirical standpoint.

The open ended question that remains and is clearly underestimated by media

accounts, businesses, government and the general public; ―How do we, as private

citizens in a global economy, protect all of our identity subtypes from the implied threat

of abuse ? Our personal identifying data information and financial information is already

stored in hundreds, maybe even thousands of private and public databases in the

United States and around the world, outside of our control !

Clearly proactive prevention measures are not a strong enough line of protection and

we must defensively prepare ourselves financially and legally for the challenge of

identity restoration once victimized.

Wilma Ariza, Certified Risk Management Specialist




24


References

Dadisho, Ed (2005, February). Identity Theft and Police Response: Prevention. The Police Chief. Retrieved May 23, 2007 from http://www.policechiefmagazine.org/magazine/index.cfm?fuseaction=displ ay_arch&article_id=510&issue_id=22005 Federal Trade Commission. FTC Issues Annual List of Top Consumer Complaints. Retrieved June 17, 2007 from http://www.ftc.gov/opa/2007/02/topcomplaints.shtm The President’s Identity Theft Task Force (2007, April). Combating Identity Theft: A Strategic Plan. United States Secret Service. Identity Crimes. Retrieved May 15, 2007 from www.secretservice.gov/criminal.shtml Identity Fraud Trends and Patterns :Building a Data-Based Foundation for Proactive Enforcement October 2007 Center for Identity Management and Information Protection Utica College Identity Theft. Someone is Watching You! Momentum Media a division of Video Plus Inc (2003) Newman, John Q, Identity Theft: The Cyber Crime of the Millenium, Loompanics Unlimited (1999)

http://www.ftc.gov/opa/2007/02/topcomplaints.shtm

http://www.secretservice.gov/criminal.shtml


25


Resources

Consumer Action www.consumeraction.org

Junkbusters www.junkbusters.com

Urban Legends www.snopes2.com

National Fraud Information Center www.fraud.org

National Consumer League www.nclnet.org

Federal Trade Commission www.FTC.gov

Identity Theft Resource Center www.idtheftcenter.org

Internet Fraud Watch www.fraud.org/internet/intset.htm

Identity Theft Resource Center www.idtheftcenter.org/index/shtml

Identity Theft Shield www.prepaidlegal.com/idt/mquarles19

http://www.consumeraction.org/

http://www.junkbusters.com/

http://www.snopes2.com/

http://www.fraud.org/

http://www.nclnet.org/

http://www.ftc.gov/

http://www.idtheftcenter.org/

http://www.fraud.org/internet/intset.htm

http://www.idtheftcenter.org/index/shtml

http://www.prepaidlegal.com/idt/mquarles19