id theft: variations of an international crime
DESCRIPTION
While no less than a decade ago ―identity theft was apt to be met with curiosity and some bewilderment, it has become one of the most recognizable crimes in the terms of the 21st century. Even so, questions remain regarding what it really represents, what type of person is most likely to commit this crime, what criminal methods are most commonly (and successfully) employed, and who is most at risk of being victimized ? A comprehensive report.TRANSCRIPT
Table of Contents
Advanced Risk Management Solutions
08
Identity Theft Today
“Variations of an International Crime”
Wilma Ariza, C.I.T.R.M.S.
Identity Theft Today
2
Advanced Risk Management Solutions © 2008
Table of Contents
About the Author ................................................................................................... 3
Introduction ........................................................................................................ 4
President’ Task Force Report Abstract ............................................................. 5
Identity Theft: Federal Definition .......................................................................... 6
The Offenders ...................................................................................................... 7
Identity Theft Crime Variations ......................................................................... 8
a) Credit Fraud or Theft by deception……………………………….9 b) Social Security Theft ………………………………………………………10 c) Medical Identity Theft…………………………………………………….11 d) Driver’s License Identity Theft ……………………………………….12 e) Criminal Identity Theft …………………………………………………..13
Case Study Samples…… ........................................................................................ 14
Business Considerations and the Law………………………………………………………………18
Conclusion ........................................................................................................ 23
References ....................................................................................................... 19
Resources…………………………………………………………………………………………………….…20
Acknowledgement: Thank you for stealing my identity and selling it, to everyone else who is me, somewhere, anywhere in the US, without you guys I would never be where I am today. You know who you are! The Real Wilma “Colon” Ariza
Identity Theft Today
3
Advanced Risk Management Solutions © 2008
About the Author
Wilma Ariza has successfully completed the Certified Identity Theft Risk Management Specialist curriculum and now joins the ranks of select professionals nationwide who have earned the CITRMS certification. Ms. Ariza became interested in Identity Theft Victims Rights and issues 3 years ago when she discovered her identity was stolen and was unable to find effective knowledgeable assistance and advocacy to resolve the ensuing financial and legal issues that resulted from a number of unknown individuals using her identity nationwide to obtain employment, medical insurance, passports, social services, credit, out of state drivers licenses in her maiden name, multiple real estate acquisitions, goods and services fraudulently, including the illegal use of her NJ Drivers License information during traffic violations stops. . The CITRMS certification program is the nation’s only training program specifically developed for professionals who are dedicated to educating and assisting clients, customers, businesses, and the general public in combating the epidemic of Identity Theft. CITRMS-qualified professionals are employed by financial institutions, financial services firms, law enforcement and other state and federal government agencies. Many others are private practitioners including attorneys, CPAs, financial advisors and business consultants like Ms Ariza who has focused her practice on legal rights and legislation affecting consumer identity protection, children’s identity fraud, criminal identity theft victims advocacy and medical identity theft awareness education in Northern New Jersey where she currently resides. . The course curriculum addresses such key areas as: the various types of Identity Theft vs. credit fraud; consumer protection laws and related requirements; the public dossier and sources of information; Identity Theft risks and issues for businesses, including information security laws, related requirements and liabilities; Identity Theft Risk Management and Anti-Fraud Resources; and more. To attain the certification, CITRMS candidates must successfully complete a rigorous final examination designed to thoroughly assess their comprehension and sound knowledge of the course materials and the legal, as well potential financial pitfalls of compliance. The Certified Identity Theft Risk Management Specialist program is provided through a cooperative effort between the award-winning Institute of Consumer Financial Education (www.ICFE.info), and The Institute of Fraud Risk Management (www.TIFRM.com). Indicative of the ever-increasing threat of this emerging crime and the critical nature of providing business owners and the public with the knowledge and tools to address and manage their risks, the CITRMS certification course is accepted for professional continuing education credit by such organizations as: the Certified Financial Planning Board of Standards for Certified Financial Planners (CFP®); PACE and The American College for Chartered Life Underwriters (CLU) and Chartered Financial Consultants (ChFC); the International Association of Registered Financial Consultants for Registered Financial Consultants (RFC); and The Association for Financial Counseling and Planning Education for Accredited Financial Consultants (AFC).
Identity Theft Today
4
Advanced Risk Management Solutions © 2008
INTRODUCTION
While no less than a decade ago ―identity theft‖ was apt to be met with curiosity and
some bewilderment, it has become one of the most recognizable crime terms of the 21st
century. Even so, questions remain regarding what it really represents, what type of person is
most likely to commit this crime, what criminal methods are most commonly (and successfully)
employed, and who is most at risk of being victimized. The United States Secret Service is
actively involved in the investigation and prosecution of identity theft and fraud crimes.
According to its website www.secretservice.gov/criminal.shtml
Identity crimes are defined as the misuse of personal or financial identifiers in order to
gain something of value and/or facilitate other criminal activity. The Secret Service is the
primary federal agency tasked with investigating identity theft/fraud and its related activities
under Title 18, United States Code, Section 1028.
Identity crimes are some of the fastest growing and most serious economic crimes in the
United States for both financial institutions and persons whose identifying information has been
illegally used. The Secret Service records criminal complaints, assists victims in contacting
other relevant investigative and consumer protection agencies and works with other federal,
state and local law enforcement and reporting agencies to identify perpetrators. These efforts
are time consuming and often very costly for victims.
Similar information can be found on the websites of the United States Postal Inspection
Service, the FBI (Federal Bureau of Investigation), the FTC (Federal Trade Commission), the
Social Security Administration, the Department of Justice, many state police departments,
several local police departments, and the numerous not-for-profit organizations devoted to
combating identity theft and helping citizens to recover from it.
Identity crimes are far reaching, as the attention given to it by government entities, the
businesses that have emerged in an effort to thwart it, and the many stories from the media
indicate. Statistics from Consumer Sentinel, the database of complaints maintained by the
Federal Trade Commission, indicate that the highest percentage of complaints received in 2006
(36%) were concerning identity theft. http://www.ftc.gov/opa/2007/02/topcomplaints.shtm Since
2001, the same has been true; the highest percentage of complaints received during each year
concerned identity theft.
Identity Theft Today
5
Advanced Risk Management Solutions © 2008
THE TASK FORCE REPORT
President George Bush established the President’s Task Force on Identity Theft
in May 2006 by Executive Order 13402. Which states ―The problem of identity theft has
become more complex and challenging to the general public, the government, and the
private sector.‖ (April 2007, p. 1)
While the Internet, with its chat rooms, electronic banking and payments,
phishing and pharming, malware and Spyware, and pretexting, has certainly added a
dimension to the crime, the basics are also still employed by identity thieves: common
theft, mail theft and change of address, dumpster diving, database and network
hacking, including insider theft.
The purposes for which identity thieves can use the stolen personal identifier
information has been exacerbated by the Internet, as online credit applications, bank
account transfers, purchases and the like eliminate the need for face to face contact.
Law enforcement is, of course, faced with the challenges that the growing complexity
the crime presents including the growing numbers of undocumented immigrants using
fraudulently obtained personal identifying information to:
Conceal Actual Identity
Obtain Credit and Loans
Procure and Secure Employment
Obtain Drivers License and Passports
Purchase Motor Vehicles and Real Estate
Enroll In School and Obtain Student Loans
Apply for and obtain social services or medical care
Identity Theft Today
6
Advanced Risk Management Solutions © 2008
IDENTITY THEFT: The Federal Definition
In the report of the President’s Task Force on Identity Theft, identity theft is
defined in this way, ―Although, identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud” (April 2007, p. 2).
As of the preparation date of this report there is an ongoing debate concerning the definition of identity theft. However, for the purposes of this report and discussion, I agree with the Task Force definition, but consider personal information to be personal identifying information such as name, address, Social Security number and date of birth, which may be included on documents such as driver’s licenses and birth certificates.
Access devices such as credit cards, debit cards, ATM cards, electronic monetary gift cards, calling cards and bank checks, are excluded from the identity theft crime definition. While the theft of a credit card, other financial access card and/or bank check may result in fraudulent charges, known as credit fraud or theft by deception, it does not result in the theft of an identity.
The Task Force report agrees: ―For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card alone, generally would not provide the thief with enough information to establish a false identity‖ (p. 3).
And so, there, lies the debatable concept of identity theft crimes versus credit fraud incidents and the ramifications for the consumer who fails to make the distinctive connection and effectively assess (1) the personal data management risks (2) the consumer credit risks, as defined by Federal and State Laws vs. the general misconception that inadequate credit monitoring services offered to credit card and banking consumers by their financial institution can be relied upon for comprehensive identity theft protection.
.
―Credit scores can be ruined and existing personal and business credit may be significantly reduced or closed while disputed fraudulent credit charges on delinquent past due accounts are cleared and resolved.” -- Newsweek --
Identity Theft Today
7
Advanced Risk Management Solutions © 2008
THE OFFENDERS
The data analysis specified on the Identity Fraud Trends and Patterns: Building a
Data-Based Foundation for Proactive Enforcement Report published by the Center for
Identity Management and Information Protection of Utica College this past October
2007, showed more diversity among the age, race, gender, and criminal backgrounds of
offenders than the picture held by conventional wisdom.
Most of the offenders – 42.5% - were between 25 and 34 years of age at the time
that the case was opened.
The 35 – 49 age group made up 33% of the offenders.
18.5% were between 18 and 24 years old.
The remaining 6% were 50 years old or older.
One third of all reported offenders were female.
24.1% of the offenders were born outside of the United States.
71% of the offenders had no arrest history.
** those who had a prior criminal record or pending charges included
fraud and forgery, identity theft and theft by deception.
The most prevalent motive among all offenders was economic personal gain, followed
by avoidance of past criminal convictions disclosure and a variety of social benefits
fraud.
Identity Theft Today
8
Advanced Risk Management Solutions © 2008
IDENTITY THEFT CRIME VARIATIONS
Credit Fraud and Theft by Deception
The most productive and familiar form of the crime, the thief obtains key information about the victim such as the victim's name, Social Security or Registry number, date of birth, and any other available bits of personal identifying information. The victim may be an adult, a minor child or even *deceased ( known as*Ghosting).
The main common characteristic of the ID Theft crime is the ―theft" of information that enables the thief to abuse the victim's "identity" to commit credit fraud and other crimes. In credit fraud and theft by deception cases the criminals may obtain credit cards and loans, purchase goods and services, buy or lease homes and vehicles, take expensive vacations, etc., all under the victim's name. In a disturbing growing number of cases they effectively assume the victims full identity (*cloning) in another community.
This action, or abuse of the identity information, is known as "credit fraud". The result can often be the annihilation of the victim's finances and credit history, especially if fraudulent accounts are not identified and disputed within the time specified by law. Thousands of dollars of debt may be accumulated in a very short period of time, which
the ―identity theft victim‖ is left to clear up.
PrePaid Legal Services Inc., Life Events Membership Plans © Identity Theft Shield© Legal Shield©
“When bad things happen to good people”
www.prepaidlegal.com/hub/mquarles19
Wilma Ariza, C.I.T.R.M.S. Independent Associate Toll Free Televox (866) 292-7939 Email [email protected]
Identity Theft Today
9
Advanced Risk Management Solutions © 2008
Social Security Theft :
Because our Social Security or Social Registry number is the most widely utilized
personal identifier, most cases of Identity Theft and Identity Fraud involve some form of
theft and/or abuse of the victim's Social Security number. The Social Security number is
directly connected to a victim's work history, professional licenses, tax record and credit
file, therefore, is required by banking institutions to facilitate all manner of financial
transactions.
Real ―financial identity theft‖ cases will almost certainly involve the theft and
abuse of the victim's Social Security or Social Registry Number. However, this is not the
only way by which a Social Security or Social Registry number can be abused. A
criminal may use the victim's personal information to obtain employment, avoid paying
taxes, or disclose a criminal past. In many cases information is sold to undocumented
workers many times over creating an unreported income nightmare during an IRS audit.
It has been reported that thousands of social service, public assistance, food
stamps, and charity program fraud cases discovered in the past month involve
undocumented and otherwise disqualified program recipients establishing or re-
establishing benefits eligibility using stolen ―social security‖ or ―social registry‖ numbers.
This aspect of ―Identity Theft‖ can be extremely difficult to determine, because such
abuse is usually not uncovered through customary methods of credit review or
monitoring.
For example, in the case of illegal aliens (or anyone else) taking advantage of the
victim's Social Security or Social Registry Number for Months or years in order to gain
employment and make an income, the victim may discover the fraud only because the
thief failed to pay the resulting income taxes, and created significant tax liabilities or
penalties for the victim, including income withholding, bank account liens and in some
cases incarceration for tax evasion while the matter is resolved through the legal
system.
Another serious issue that is not widely discussed involves the use of an identity
theft victim's Social Security Number to apply for and receive Social Security, Medicare,
unemployment, or other government benefits, directly linked to an individual work
record, thus depleting the victim's own benefits and/or creating potential garnishments
or charges of benefits fraud until, and if, the victim can prove his/her innocence.
Identity Theft Today
10
Advanced Risk Management Solutions © 2008
Medical Identity Theft:
Your social security or social registry number is also frequently used for medical
records and insurance policy benefit identification, which can lead to another crime
which falls under the increasingly complicated umbrella of Identity Theft crimes; a very
dangerous rising trend, often referred to as "Medical Identity Theft".
Thieves and scam artists have discovered the ease in which they may use a
victim's information to obtain healthcare and other medical benefits and services. It is a
very serious problem and may soon be officially recognized through legislation as a
separate and distinct form of the crime. In a report by Elizabeth Roop of Radiology
Today, the World Privacy Forum has estimated that fraudulent medical billing resulting
from medical identity theft can range from $1,000 to as high as $1 million per incident.
Pam Dixon, Executive Director of the World Privacy Forum, said "We get a lot of
complaints that are in the $20,000 to $150,000 range; that's very common. If someone
called up and said, 'I had debt collectors knocking on my door wanting $90,000,' we
wouldn't even blink." In addition to the obvious troubles caused by fraudulent billing that
may result from the healthcare services obtained in the victim's name, there is an even
more distressing, and potentially life-threatening danger—incorrect medical file
information/records.
The thief's abuse of the victim's information to obtain healthcare services could
result in the victim's medical files and connected information entered into medical
databases becoming contaminated with wrong or incompatible information (the thief's
rather than the victim's) such as an incorrect medical history, missed or incorrect
documentation of allergies to certain medications, incorrect documented health
conditions or diagnosis, and a host of other dangerous mistakes that could put the
victim's health and life in danger.
Victims may also abruptly and without warning discover that their insurance
benefit coverage has been exhausted, that they no longer qualify for medical or life
insurance due to incorrectly reported "pre-existing" conditions, or even receive a notice
of cancellation or a considerable increase in their insurance premiums due to
fraudulent, incorrect documented medical conditions and claim billing activity. Errors in
medical files can be very hard to identify and correct, nearly impossible to detect.
Identity Theft Today
11
Advanced Risk Management Solutions © 2008
Victims of medical identity theft are not extended the same rights and protections
as victims of financial identity theft. If your record is tainted and/or ruined by inaccurate
information, there is often no way to correct it. For example, information in a hospital
database may be forwarded to a doctor for assessment and then added into his/her
database, depending on diagnosis potentially damaging information may be forwarded
to the Centers for Disease Control.
Information in the doctor's database may then be forwarded to an insurance
company for billing purposes, and entered into that company's database. Information
from the insurance company database may then be passed on to the Medical
Information Bureau database (M.I.B File), used by many health care providers and
insurance companies. At this point, all of these databases have become tainted with the
incorrect health information, and correcting them all is nearly impossible.
Driver's License Identity Theft:
Capitalizing on the systems flaws and diversity of procedures from State to State
and international law, thieves can make use of the victim's personal identifying
information and forge or easily obtain personal documents, such as a birth certificate, in
order to obtain a driver's license or government-issued identification card in the victim's
name. Victims of driver's license ID card theft may unexpectedly discover that a thief's
actions have resulted in charges of DUI or DWI or any number of other driving-related
offenses.
Suspended or revoked driving privileges for unpaid fines, or sudden arrest during
a routine traffic stop for outstanding warrants for "Failure to Appear in Court". In these
kinds of situations the victim may need the assistance of a qualified attorney to resolve
the matter, particularly in cases involving criminal charges, driver insurance surcharges
and unpaid fines. It can become very costly for a victim to clear their name particularly
when traffic violations are documented in multiple jurisdictions.
Driving-related offenses wrongly included in the victim's driving records may also
cause an unexpected cancellation of the victim's automobile insurance, an inability to
get insurance coverage, or a dramatic increase in insurance premiums on existing
policies. Identity Theft criminals recognize that the Social Security or Social registry
number, an individual's driver's license or state issued ID card number is the most
widely utilized personal identifier.
Identity Theft Today
12
Advanced Risk Management Solutions © 2008
This is extremely dangerous because in the United States (for instance) the
driver's license is effectively a form of National Identification used for check verification
databases and for passenger identification by the TSA. Making it possible for an identity
theft victim to be linked to organized crime and/or, in extreme cases terrorism, causing a
potentially critical security risk dilemma for the victim, their family, friends and
associates.
Criminal Identity Theft:
In cases of "criminal identity theft", or the abuse of the victim's information in
contact with law enforcement, the end results are often a wrong criminal record for the
victim, outstanding arrest warrants, and even temporary incarceration. In some cases,
the victim may be, without explanation fired from their place of employment due to an
"undisclosed conviction" discovered during a background check or security clearance
update.
This type of Identity Theft can have a devastating and long-lasting effect on the
victim. It can often be very hard to fully resolve, if ever, and the victim will most likely
require legal representation which can be very costly. Criminal convictions are also
usually entered into public records, which can further damage future employment
opportunities, security clearances, insurance premiums, and pose a range of other
significant potentially lifelong challenges for the victim.
Once incorrect criminal information is entered or connected to the victim's name
in a number of record databases, it can be extremely difficult or impossible to have it
completely corrected. It may still result in a permanent alias or a.k.a (Also Known As)
entry attached to the victim's records. In more severe cases, some victims have only
been able to detach themselves from the impostor by legally changing their names,
while others must carry court documentation with them at all times in order to prove to
law enforcement that they are not the person being sought for crimes or arrest warrants.
Identity Theft Today
13
Advanced Risk Management Solutions © 2008
CASE STUDY EXAMPLES
Actual Loss: the Extremes
In a case representative of a zero dollar loss, a Houston area task force was contacted
by a bank fraud investigator concerning an employee of the bank who was involved in a
fraudulent transaction. The bank employee, the single defendant in the case, applied for
and received a loan in another individual’s name. When the car dealership refused the
loan check because it was not made out in the defendant’s name, he attempted to
deposit it into his account at the bank where he was an assistant manager. He had
applied for the loan online, using the victim’s Social Security number, date of birth, and
home and work phones. The defendant changed the victim’s first name from Jane to
Jan, and used his own address and utility bill. The victim was unaware of the car loan,
but knew that someone had attempted to apply for a credit card using her personal
identifiers.
In another case where the actual loss was $13,000,000, a bank investigator contacted
the Dallas Secret Service field office concerning a case of identity theft related to bank
fraud. The defendant, acting alone, used false information about his identity and
financial status to receive millions of dollars of loans to purchase luxury vehicles. He
used the identity of a person serving life in prison for several of these, as well as to
open credit accounts and buy two houses. He also used the identities of incarcerated
individuals to establish several shell companies and attract investors, whom he
subsequently defrauded.
A “Typical” Case
The victim contacted the Newark, New Jersey field office in August 2002. He reported
that he had received numerous credit card account statements from retail stores, none
of which he had authorized. The case’s primary classification was Fraudulent Use of
Account Numbers. One of the secondary classifications was Identity Fraud. The
defendant had purchased a birth certificate and W-2 form in the name of the victim. He
used those to obtain a duplicate driver’s license, which he used to open store credit
card accounts in the local area. The actual loss was $13,175. The case fell under
federal jurisdiction. The defendant pled guilty to charges of 18 USC 1029(a)(2), Access
Device Fraud, and was sentenced to 18 months in prison, 3 years of probation, and
ordered to pay $13,175 in restitution. The case was closed in March 2004.
Identity Theft Today
14
Advanced Risk Management Solutions © 2008
Motivating Factor: Supporting a Drug Habit
In this case, which was opened in 2003, the three defendants worked together to steal
mail from mailboxes in suburban towns when they needed money to support their
methamphetamine habit. They looked for mail containing government, payroll, and
personal checks and personal identifiers. One defendant used his computer to produce
counterfeit state driver’s licenses, Social Security cards, and counterfeit checks. Each of
the defendants was sentenced to incarceration and probation.
Identity Theft through Employment
The defendant was employed by a cleaning service (service industry) and cleaned the
victim’s residence. While on the job, he stole the brokerage account number belonging
to the victim’s company and through telephone transfer, using the victim’s date of birth
and Social Security number, had $80,000 placed in a bank account. He later withdrew
it, placed it in another bank account, and used the money to purchase a vehicle. The
victim was on an airplane at the time of the call requesting the transfer. He became
aware of the fund transfer when the brokerage called him to confirm the transaction.
One Offender – Several Opportunities and Roles
The offender purchased a fake ID from www.counterfeitlibrary.com and used it to
procure a mailbox at Mailboxes Etc., as he needed an address to use in selling
counterfeit DVDs that he obtained from Taiwan on eBay (auction fraud). Using
www.counterfeitlibrary.com, the defendant purchased a fraudulent ID from an individual
in England and used it to obtain a pre-paid credit card from Rite-Aid in another’s name.
He also bought a counterfeit birth certificate and a Netbank account in another name,
and received information on setting up Netbank accounts. He traded Netbank account
information for credit card information. He also purchased 10 blank counterfeit birth
certificates. While working as a temporary employee at an insurance company, he stole
the names and personal identifiers of approximately 12 people and used them to obtain
pre-paid credit cards using counterfeit licenses which he manufactured on his home
computer. He purchased and used personal identifiers and credit card information to
add users to the account, to get additional cards, and to change the address
Identity Theft Today
15
Advanced Risk Management Solutions © 2008
A small level group crime case
Defendant two obtained personal identifying information from a source at a state
Secretary of State office, for the purpose of selling it to people who needed to change
their identities. Defendant one bought information, as well as birth and marriage
certificates, from him and used them to obtain a driver’s license and Social Security
number. She obtained several credit cards in the names and paid the bills for them. She
used the false name at her place of employment and later received disability checks in
that name. She also filed income taxes in that name. She stated that she had to change
her identity to protect herself from the family of a person whom her brother murdered in
self-defense approximately 30 years ago. Neither defendant had a prior arrest history.
Roles taken in an organized group case
In a case with 16 defendants, the group used unauthorized credit card numbers to
purchase airline tickets in their own names and to reserve hotel rooms through
websites. They also used the names of others and driver’s licenses in those names as
identification when flying. Several of the defendants accessed workplace computers to
obtain customers’ personal identifying information, which they distributed to the rest of
the group. Billing documents were also used as a source of personal identifying
information.
One defendant skimmed credit card numbers (other) at hotels where she was
employed. Two of the defendants were involved in distributing the information to others
in the group. Three of them directed others. For example, they instructed and paid
others to purchase tickets for them. They all used the stolen personal identifying
information for their own use – purchasing tickets and booking hotel rooms for travel to
various cities where a social organization to which they all belonged held meeting.
Offender Methods: Internet Alone
The defendant in this case employed pharming to create duplications of an opera house
website in at least 9 cities worldwide. When customers attempted to purchase opera
tickets, the defendant captured their personal identifying information – names,
addresses, phone numbers, and credit card numbers. The customers either received
tickets at a higher cost or to a performance other than the one they requested. Some
customers did not receive tickets.
Identity Theft Today
16
Advanced Risk Management Solutions © 2008
Using Computers to Produce Documents
The defendant procured personal identifying information by placing ads in newspapers
stating that he was hiring and would accept applications at a local hotel. He would
interview the individuals and collect their applications which included Social Security
numbers, dates of birth, and bank account information for direct deposit of a payroll
check. He would then create birth certificates and employment cards on a computer and
use them to get driver’s licenses with his photograph and others’ names. He used the
driver’s licenses to open bank accounts. He then manufactured counterfeit checks with
the victims’ names on the computer.
Point of Compromise: A Business
This case originated when a bank fraud investigator contacted the Secret Service. The
defendant was employed at a candy store and was terminated for stealing cash from
the register during transactions. He also skimmed credit cards while employed there.
Two major credit card issuers identified the business as a common purchase point for
credit cards that were later used as counterfeit credit cards. The defendant admitted
that he was paid by another person to skim the credit card numbers. The other person
then used them to produce counterfeit credit cards which he sold with corresponding
counterfeit identification documents.
Point of Compromise: A Family Member
The victim in this case notified the Secret Service regarding the fraudulent use of her
identity. Her ex-husband used her information to open two American Express card
accounts and make charges to them. The defendant completed the credit card
applications via the Internet.
Identity Theft Today
17
Advanced Risk Management Solutions © 2008
Identity Theft through Employment: Hospital
The defendant, whose first and last name were the same as the victim’s, used her
position as a hospital employee to gain access to patients’ personal identifiers. The
victim had given birth in the hospital and the defendant accessed her identifiers, which
she used to obtain several credit card accounts. The victim became aware of the
unauthorized accounts when she was contacted by Discover concerning a credit card
for which she had not applied. She then obtained her credit history and found other
retail credit card accounts which she had not authorized.
Victimization of Financial Services Industry
In a case brought to the attention of the Secret Service by a bank fraud investigator in
2004, the defendant used his deceased’s father’s Social Security number and name to
obtain three loans and a credit card from the bank. He secured a vehicle loan from
another bank and paid it off with a loan from a third bank, which he obtained with the
same identifiers. He opened checking accounts using the fraudulent information at each
of the banks. He admitted using a false income tax form to show income high enough to
qualify for the loans. The defendant confessed that he used his father’s Social Security
number and name to open all of the accounts and credit cards, and to apply for the
loans. At the time of this criminal behavior, he was a resident of a halfway house on
supervised release for a prior federal criminal conviction for financial fraud. He pled guilty to Social Security Fraud (42 USC 408(a)(7)(b) and was sentenced to two years of incarceration, three years of probation, and $64,000 in restitution.
Offender-Victim Relationship: Caretaker-Employer
In this case, the defendant was employed by a blind man who owned a management company. The defendant, a white female in her forties, embezzled over one million dollars in approximately three and a half years. Her employer trusted her implicitly and signed whatever documents she directed him to. Thus, she was able to make purchases, bill them to her employer, and pay for them from his personal checking account. She issued checks from his account, which he signed, to pay her personal bills, including credit cards, tuition, vacations, medical expenses, clothing, jewelry, insurance policies, and home improvements. She used his date of birth and Social Security number to obtain unauthorized credit card accounts in his name and requested a second card for the accounts in her name. She also changed the address on the cards to her own. She used wire transfer and computer generated checks on his revocable trust and limited partnership checking accounts to pay the credit card bills.
Identity Theft Today
18
Advanced Risk Management Solutions © 2008
Business Considerations and the Law
By now, conducting financial and business transactions online on "secure" sites has become a commonplace convenience. But, as we are reminded from time to time, it is not entirely safe to entrust confidential personal information to others. Just such a reminder occurred in late May 2006, when the U.S. Department of Veterans Affairs disclosed that the confidential personal information of about 26.5 million people, including their Social Security numbers, had been stolen when a Virginia analyst took data home and his home was burglarized.
According to the Privacy Rights Clearinghouse, a non-profit organization, the theft brought the number of identities compromised since 2005 to over 80 million. Indeed, according to a Wall Street Journal article prompted by the VA incident, identity theft has become such a concern for employers, both in terms of potential liability and lost productivity, that some are providing a new employee benefit: "identity theft resolution services," i.e., someone to deal with the employees' legal and credit problems when a theft occurs.
What are the legal liabilities a company faces when someone breaches the company's security and accesses employee or customer confidential information? More than half the states have legislation addressing this problem. This article focuses on federal statutes that expose companies to potential civil and criminal liability for failing to take adequate steps to prevent the theft.
THE FEDERAL TRADE COMMISSION ACT
The Federal Trade Commission Act prohibits "unfair or deceptive acts or practices in or affecting commerce," and §5(a) of that Act empowers the FTC to commence civil actions against companies that violate the act. A number of cases in recent years have charged companies with violating the act by failing to adhere to their own privacy policies with respect to customers' personal information.
For example, the FTC recently brought a number of actions stemming from companies' failures to use reasonable measures to prevent consumer information from being accessed by viewers of company Web sites. Each company entered into a consent agreement requiring it to implement a comprehensive information security program, not misrepresent the extent of its information protections and conduct periodic independent audits of its security program.
Identity Theft Today
19
Advanced Risk Management Solutions © 2008
THE GRAMM-LEACH-BLILEY ACT
Title V of the Gramm-Leach-Bliley Act requires financial institutions to take steps to protect their customers' data, and imposes possible civil and criminal sanctions for non-compliance. Subsection I authorizes the applicable regulatory agency to promulgate appropriate standards for financial institutions to ensure that customer records and information are adequately safeguarded from unauthorized access. 15 U.S.C. §6801(b). Subsection I also imposes a duty on financial institutions to notify customers prior to any disclosure of their personal information to third parties and offers the customer an opportunity to direct that the information not be disclosed. 15 U.S.C. §§6802(a) & (b). Subsection II prohibits any person from disclosing or causing to be disclosed customer information under false pretenses. 15 U.S.C. §6821(a). Violations of the provisions of subsections I and II are punishable by civil and criminal penalties. 15 U.S.C. §6823.
HIPAA
The Health Insurance Portability and Accountability Act imposes obligations on health care providers to safeguard personal information. A person who knowingly obtains or discloses confidential health information about a patient is subject to fines and imprisonment. Wrongful disclosure of individually identifiable health information carries up to a year in prison and up to a $50,000 penalty. If the wrongful disclosure is under false pretenses, the maximum term rises to 5 years, and the monetary penalty to $100,000. If the disclosure was with an intent to sell, transfer or use for commercial advantage, personal gain or to inflict malicious harm, the maximum sentence increases to 10 years, with a fine of up to $250,000. 42 U.S.C. §1177.
In a June 1, 2005 opinion, the Justice Department Office of Legal Counsel announced that because the regulations establishing privacy standards under HIPAA applied only to "covered entities," the HIPAA criminal provisions did not reach individual employees. The Department noted, however, that those employees could still be prosecuted for identity theft and fraudulent use of a computer (see below).
THE FAIR AND ACCURATE CREDIT TRANSACTIONS ACT
The Fair and Accurate Credit Transactions Act imposes liability on consumer reporting agencies that do not maintain "reasonable procedures designed to avoid" improper disclosure of information. 15 U.S.C. §1681e. Such agencies must require anyone seeking information contained in a consumer report to identify themselves, certify the purpose for which they are seeking the information and certify that they will not use the information for any other purpose. 15 U.S.C. §1681e.
Identity Theft Today
20
Advanced Risk Management Solutions © 2008
A violation of FACTA can result in civil liability, including punitive damages if the violation was willful. 15 U.S.C. §1681n. FACTA also imposes criminal liability on any officer or employee of a consumer reporting agency who knowingly and willfully discloses an individual's personal information to an unauthorized person. 15 U.S.C.
§1681r.; 18 U.S.C. §§1028 and 1028A; 18 U.S.C. §1028.
One of the primary vehicles for prosecuting identity theft is 18 U.S.C. §1028, which is a
general criminal statute prohibiting fraud in connection with identification documents. In
1998, Congress enacted the Identify Theft and Assumption Deterrence Act, which
amended 18 U.S.C. §1028 to criminalize the knowing transfer or use, without lawful
authority, of "a means of identification of another person" with the intent to commit, or to
aid or abet, any violation of federal law. 18 U.S.C. §1028(a)(7).
"Means of identification" is defined broadly to include any name or number that may be
used to identify a specific person, including any name, Social Security number, date of
birth, officially issued driver's license or identification number, alien registration number,
government passport number, or employer or taxpayer identification number. 18 U.S.C.
§1028(d)(4). If convicted under this statute, a defendant faces up to 15 years in prison if
he obtained anything in value aggregating $1000 or more during a 1-year period. 18
U.S.C. §1028(b)(1)(D).
Concerned with potential use of the Internet as a means of committing identity theft,
Congress passed the Internet False Identification Prevention Act in 2000. This act
further amended §1028 to prohibit the transfer of false identification information over the
Internet. It also charged the Attorney General and Secretary of the Treasury with
establishing a committee of agency heads to ensure that the creation and distribution of
false identification documents is vigorously investigated and prosecuted.
In 2004, Congress again addressed the growing problem by passing the Identity Theft
Penalty Enhancement Act, 18 U.S.C. §1028A, which significantly increased the
penalties by adding a 2-year sentence to anyone who knowingly possesses, transfers or
uses a means of identification of another person without lawful authority. The Act also
prohibits courts from imposing sentences of probation on persons convicted of identity
theft, mandates, with limited exceptions, that sentences for identity theft run
consecutively with any other term of imprisonment, and directs the U.S. Sentencing
Identity Theft Today
21
Advanced Risk Management Solutions © 2008
Commission to amend Guideline §3B1.3 (Abuse of Position of Trust), which adds two
points to the base offense level, to apply to offenses in which the defendant "exceeds or
abuses the authority of his or her position in order to obtain unlawfully or use without
authority any means of identification."
18 U.S.C. §1030
The Computer Fraud and Abuse Act, 18 U.S.C. §1030 (1986), makes it a federal
criminal offense to access and obtain information from protected computers without
authorization. This statute has been used to prosecute individuals who obtained
personal identification information from third-party computer systems. For example, in
U.S. v. Ivanov, 175 F.Supp.2d 367 (D. Conn. 2001), the defendant was convicted and
sentenced to 48 months for hacking into the computer system of an e-commerce
business that hosted Web sites and processed credit transactions and stealing
passwords that gave the hacker access to the entire network.
But unauthorized access alone may not be enough to convict. The 1st Circuit reversed
a conviction under 18 U.S.C. §§1343 and 1030 in U.S. v. Czubinski, 106 F.3d 1069 (1st
Cir. 1997), where the defendant, a Contact Representative in the Boston office of the
Taxpayer Services Division of the IRS, had access to the taxpayer information of
everyone stored in the IRS's Integrated Data Retrieval System, and knowingly
disregarded IRS policy by accessing this information outside of the scope of his
employment. However, no evidence was introduced at trial showing that he used the
information. The 1st Circuit held that the defendant had not violated the wire fraud
statute because he had not "deprived" anyone of a protected right. Similarly, he had not
committed computer fraud because §1030 requires that a defendant personally benefit
or further some scheme of fraud in order to be criminally liable.
Identity Theft Today
22
Advanced Risk Management Solutions © 2008
**Authors Noted Comment for Business Owners :
Controversial pending federal legislation that would preempt state data-breach
notification laws may change the statutory framework discussed above. In addition,
courts have begun to recognize common law remedies for people injured by identity
theft.
For example, recent cases in New York and Michigan have recognized private causes
of action for identity theft. Jones v. Commerce Bancorp, Inc., 2006 WL 1409492
(S.D.N.Y. 2006); Bell v. Michigan Council 25 AFSCME, 2005 Mich. App. Lexis 353
(Mich. Ct. App. 2005).
Clearly, the legal landscape is in flux. The need for corporate counsel to monitor the
situation is underscored by the Office of Legal Counsel's reminder in its June 1, 2005
opinion that "in general, the conduct of an entity's agents may be imputed to the entity
when the agents act within the scope of their employment, and the criminal intent of
agents may be imputed to the entity when the agents act on its behalf."
Wilma Ariza, Certified Risk Management Specialist Independent Associate PrePaid Legal Services Inc.
Business Consultant & Privacy Rights Educator Toll Free Televox 866-292-7938
Email [email protected]
www.prepaidlegal.com/hub/mquarles19
Identity Theft Today
23
Advanced Risk Management Solutions © 2008
Conclusion
There is no doubt that public and private sector literature, media coverage, special
reports and public service announcements concerning ―identity theft‖ prevention
methods have been instrumental in educating the public about the threat and
consequences of the most prevalent form of identity theft., credit fraud. Some
characterizations have emphasized identity theft as more of a stranger-to-stranger
crime. Others have underscored the importance of not falling into a level of
complacency that would open the doors for friends and relatives to take advantage of
the unwary victim. Still other descriptions have focused on the methods practiced,
ranging from relatively simplistic acts such as ―dumpster diving‖ and mail theft to more
sophisticated criminal activities that depend upon the victim’s and offender’s use of the
Internet.
While provocative, much of the widely distributed information is based upon surveys
and reports that often leave key questions unanswered from an empirical standpoint.
The open ended question that remains and is clearly underestimated by media
accounts, businesses, government and the general public; ―How do we, as private
citizens in a global economy, protect all of our identity subtypes from the implied threat
of abuse ? Our personal identifying data information and financial information is already
stored in hundreds, maybe even thousands of private and public databases in the
United States and around the world, outside of our control !
Clearly proactive prevention measures are not a strong enough line of protection and
we must defensively prepare ourselves financially and legally for the challenge of
identity restoration once victimized.
Wilma Ariza, Certified Risk Management Specialist
www.prepaidlegal.com/hub/mquarles19
Identity Theft Today
24
Advanced Risk Management Solutions © 2008
References
Dadisho, Ed (2005, February). Identity Theft and Police Response: Prevention. The Police Chief. Retrieved May 23, 2007 from http://www.policechiefmagazine.org/magazine/index.cfm?fuseaction=displ ay_arch&article_id=510&issue_id=22005 Federal Trade Commission. FTC Issues Annual List of Top Consumer Complaints. Retrieved June 17, 2007 from http://www.ftc.gov/opa/2007/02/topcomplaints.shtm The President’s Identity Theft Task Force (2007, April). Combating Identity Theft: A Strategic Plan. United States Secret Service. Identity Crimes. Retrieved May 15, 2007 from www.secretservice.gov/criminal.shtml Identity Fraud Trends and Patterns :Building a Data-Based Foundation for Proactive Enforcement October 2007 Center for Identity Management and Information Protection Utica College Identity Theft. Someone is Watching You! Momentum Media a division of Video Plus Inc (2003) Newman, John Q, Identity Theft: The Cyber Crime of the Millenium, Loompanics Unlimited (1999)
Identity Theft Today
25
Advanced Risk Management Solutions © 2008
Resources
Consumer Action www.consumeraction.org
Junkbusters www.junkbusters.com
Urban Legends www.snopes2.com
National Fraud Information Center www.fraud.org
National Consumer League www.nclnet.org
Federal Trade Commission www.FTC.gov
Identity Theft Resource Center www.idtheftcenter.org
Internet Fraud Watch www.fraud.org/internet/intset.htm
Identity Theft Resource Center www.idtheftcenter.org/index/shtml
Identity Theft Shield www.prepaidlegal.com/idt/mquarles19