GPSolo Magazine - December 2005
Identity Theft: Crime du Jour
According to a Federal Trade Commission survey conducted by Synovate and released in September 2003, almost 10 million Americans (about 4.6 percent of the adult population) were victimized by identity theft in 2002—compared with 17 million in the preceding four years combined. The FTC survey indicates that the incidence was up by almost 41 percent over the previous year, and the resulting loss to the U.S. economy—including losses borne by victims, businesses, and financial institutions—reached $52.6 billion, or about 0.5 percent of GNP. At an individual level, the out-of-pocket loss averaged about $4,800, not including the value of time lost in attempting to repair the damage.
Identity theft occurs without discrimination. It can affect you without regard to your age, gender, race, or economic status. It can damage your credit, your employment opportunities, and your personal reputation. It is the fastest-growing crime in America, its growth driven in part by the involvement of organized crime operating both in the United States and abroad. Because it is easy to do, offers quick rewards (an average take of $17,000 in two days or less), and poses little risk of arrest, identity theft has become the crime du jour. You may think you are powerless to do anything about it, but there is much that you and your clients can do to protect yourselves.
What Is Identity Theft?
Identity theft typically occurs in one of two ways. The first, account takeover , refers to the theft of existing bank or credit account information and the use of that account to purchase products and services or to obtain cash (e.g., by using a debit or ATM card). If you are a victim of account takeover, you typically will learn of the crime when you review your account balance or, if your financial institution or credit card company automatically monitors accounts for fraudulent activity, when you get a telephone call to verify a transaction.
The second method, true identity theft, sometimes referred to as application fraud or true name fraud, involves the theft of a Social Security Number (SSN) or other identifying information (e.g., health insurance identification number, taxpayer identification number, school identification number, or state or federal driver’s license number), which then is used to fraudulently open new accounts and obtain financial gain. The Federal Identity Theft and Assumption Deterrence Act of 1998 defines identity theft to include knowingly transferring or using, “without lawful authority, a means of identification of another person with the intent to commit, or to aid and abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.” According to Section 530.5 of the California Penal Code, even the acquisition, transfer, or retention of personal identifying information with the intent to defraud, but without actual use of the information, is a misdemeanor.
True identity theft is more difficult to detect than account takeover because victims may be unaware of it until the user of the stolen identity defaults and collection efforts are initiated—or, even worse, the victim is arrested for another crime committed by the person using the stolen identity.
According to the most recent reported data from the Identity Theft Data Clearinghouse, covering the period 2002 to 2004, most economic identity theft involves the use or creation of credit card accounts (28 percent of victims); utilities accounts, including wireless and land-line telephone service (19 percent of victims); and bank accounts (18 percent of victims).
How Is It Done?
Historically, picking pockets was the most common way of obtaining the personal identifying information contained in a wallet or purse. Today, anyplace that personal identifying information may be found is vulnerable. Contrary to conventional wisdom, however, most thefts of personal identifying information occur offline. Some of the favorite methods are:
- Dumpster diving—going through your trash for any documents containing personal identifying information. Even a strip shredder offers little protection against dumpster divers: Identity thieves often supply metham- phetamine addicts with free drugs in exchange for their painstaking labor to reconstruct documents from the strips.
- Stealing incoming postal mail from unlocked mailboxes—especially those mounted on a roadside or curbside post—to obtain pre-approved credit offers, newly issued credit cards, utility bills, bank and credit card statements, investment reports, insurance statements, benefits documents, and tax information.
- Fraudulently accessing credit files by posing as a loan officer, employer, or landlord.
- Distilling personal identifying information from personnel, customer, client, or patient files in the workplace, whether by outright theft, bribing an employee who has access to these records, conning information out of employees, or hacking into electronic records.
- Shoulder surfing (i.e., simply sneaking a look behind the victim’s back) at ATMs and public telephones to capture PINs.
- Capturing credit or debit card information using a pocket swiper or a device surreptitiously installed at a public ATM—a practice known as “skimming.”
- Harvesting personal identifying information from online sources, such as public records and fee-based information sites.
More recently, phishing and pharming have become popular ways to obtain personal identifying information directly from victims via e-mail and online (for more on these scams, see the article “Phishing, Pharming, and Other Scams” on page 26).
Creativity abounds among identity thieves. Here are just two examples, taken from Sacramento County District Attorney Jan Scully’s keynote address at the March 1, 2005, Governor’s Summit on Identity Theft Solutions: Locking Up the Evil Twin (available online at www.idtheftsummit.ca.gov/2005_report.pdf):
In mid-February 2005, ChoicePoint, a leading compiler of credit and financial data for use by businesses, disclosed that it had unknowingly sold 140,000 individual consumers’ background records to a group of con men running phony front companies. The front companies themselves had been set up with stolen IDs.
Even this scam pales in comparison to that devised by Abraham Abdallah, a master identity thief from New York. According to District Attorney Scully, Abdullah posed as an executive for Sprint when he contacted a private detective firm in Texas. He said he needed someone to do background checks on Sprint customers. He asked for the firm’s rates and their private investigation license. Hoping to do business for Sprint, they sent him the information. He used it to pose as a private investigator, and set up his own account with an online database firm that specialized in financial checks for PIs. For only $300 per month, he got unlimited access to names, addresses, and Social Security numbers. From there, he could pick and choose the victims whose identities—and money—he would steal. He thought big, targeting the Fortune magazine list of the 400 wealthiest Americans. When he was finally caught, he had stolen over $80 million, had bought a credit card manufacturing machine for $25,000 to make his own credit cards, and was in the process of creating his own off-shore bank, chartered in an African country, where he could launder money and cut off any audit trail.
The lesson we lawyers can learn from these examples is that we must verify the identity of our prospective clients (including the principals of entities), taking nothing at face value. Failure to do so could give rise to liability as an aider and abettor.
How Do You Protect Yourself?
Two-thirds of American Express cardmembers in a recent survey understood that their Social Security Number was the key to stealing their identity, but nearly half of those same people were carrying their Social Security cards in their wallets. Obviously, although you cannot prevent every theft of personal identifying information, you can significantly reduce your risk in a number of ways. First, observe the “Three-S Rule”: secure, study, and shred.
Secure. Do not disclose personal identifying information unnecessarily, especially your SSN. Practice safe Internet usage by avoiding attachments to e-mail from unknown writers, as well as “convenience software” that may surreptitiously download “malware” (viruses, spyware, worms, etc.) to your system to harvest information. Install and maintain appropriate security (firewall, anti-virus, and anti-spyware) software on your individual computers and enterprise-grade versions of that software on your servers.
Study. Monitor all account statements and credit bureau reports, and periodically check other files, such as DMV records, containing any of your personal identifying information. Each of the major consumer credit bureaus (TransUnion, at www.truecredit.com; Experian at www.experian.com; and Equifax at www.equifax.com) offers triple-bureau credit monitoring to alert you of any change in your credit files at each of the three bureaus, and a subscription typically includes a three-bureau credit report to provide a baseline against which to judge the results of your monitoring.
Under the FACTA amendments to the Fair Credit Reporting Act, you also can obtain a free copy of your credit report once a year from each of the three bureaus. A single website—www.annualcreditreport.com—has been established to facilitate the ordering and delivery of these statutorily mandated free reports.
Most commentators recommend that you obtain only one free report every four months, each from a different bureau, rather than all three at once. Fair Isaac Corporation (www.myfico.com) also offers monitoring of more than 400 other data sources for signs of identity theft, although bundled with other products and services. Review your Social Security Personal Earnings and Benefits Estimate Statement each year to check for fraud.
Shred. All discarded personal information should be shredded, preferably using a confetti shredder.
Now, get smarter. You should also change your personal habits, mindful of the following criteria:
1. Know your personal information—and your vulnerabilities. Protect the information that identity thieves want more than anything else:
- your SSN
- your driver’s license
- your credit card information
- your bank account information
- your mother’s maiden name
- your home address and phone numbers
- any other information that helps an imposter pretend to be you
In particular, keep your SSN and your driver’s license number off your checks and do not allow merchants to write either of them on your checks. Do not furnish your SSN on employment applications. If a prospective employer requires your SSN and satisfies you as to the pre-employment reason for having it, provide it on a Form W-9 for the prospective employer to keep securely, separate from the application.
2. Reduce your exposure. Here are a few suggestions, and I am sure you can think of more that are unique to your own circumstances:
- Carry with you only that personal identifying information you require at the time, and keep it on your person.
- Never release your personal identifying information over the telephone, over the Internet, or by mail unless you have a trusted business relationship with the company and you have initiated the contact.
- Pick up new checks at your bank branch or have them mailed to a secure location, such as your office or a P.O. box.
- Never leave your outgoing mail in your mailbox for the postal carrier to pick up—always deposit your outgoing mail in a secure post office mailbox, preferably one inside a post office.
- Have your incoming mail delivered to a secure location—either a reinforced locked mailbox if outside your residence or through a mail slot into the interior of your residence.
- If you are away from home on an extended trip, either have your mail held at the post office or have a trusted friend or neighbor pick it up and hold it for you.
- When creating passwords and PINs, never use the last four digits of your SSN, your mother’s maiden name, your birth date, your middle name, your pet’s name, consecutive numbers, or anything else that could easily be discovered or guessed by thieves. Whenever possible, use “strong” passwords and PINs—character strings consisting of different letters (in different cases), numbers, and other characters—and change them on a regular schedule. And never keep them somewhere they can be lost or stolen (such as a wallet or PDA), unless you store them electronically in an encrypted file on a password-protected or other access-protected device.
- Keep sensitive documents, as well as documents containing personal identifying information, under lock and key—whether in your home or in your office.
- Always conduct online financial transactions over a secure link in your browser.
- Install a firewall to prevent unauthorized access to, as well as unauthorized transmissions from, your computers at home, at work, and on the road.
- Make sure your credit and debit card receipts do not show the full account number. If they do, ink out all but the last four digits.
- Do not leave your copy of your credit and debit card receipts in the shopping bags. Put them in your wallet until you get home or back to the office, and then file them as appropriate. Do the same with your ATM receipts.
3. Make your sensitive data useless to identity thieves. For example:
- If at all possible, any data that you transmit or store in digital form should be encrypted using the strongest possible encryption available to you and the person with whom you are sharing it.
- Always shred anything containing personal identifying information.
- When disposing of a computer, make sure the hard disks and any other data storage media are unreadable. Either use a “wipe” program strong enough to meet Department of Defense specifications for the erasure of classified information or remove and physically destroy the hard disks. Shred floppy diskettes, CDs, and DVDs using a heavy-duty shredder. Break apart the 1.2 MB “floppy” diskettes, throw away the plastic sleeves, and shred the Mylar media they contain.
4. Act fast if trouble strikes. If you are the victim of identity theft (or reasonably believe that you are), time is of the essence. Assess the situation quickly, preferably with the guidance of someone who knows this complex terrain and is committed to seeing you through the whole process. Then determine what needs to be done and begin reclaiming your identity.
How Do You Reclaim Your Identity?
In reclaiming your identity, you have two options—either avail yourself of the services of a professional identity theft restoration service, or do it yourself. Many large insurance carriers—including MetLife Auto & Home, Fireman’s Fund, One Beacon, and Liberty Mutual, among others—now are offering identity theft restoration services as part of their property and casualty insurance coverage. Check your policy for further details. Similarly, some financial institutions—predominantly credit unions—are offering identity theft restoration services to some, if not all, of their customers. Similarly, larger employers— sensitive to the time, effort, and dislocation involved in resolving an identity theft—are beginning to offer these services as a benefit to their employees. Even if you do not have such a benefit already available to you, you can contract with an identity theft resolution service provider—typically for a reasonable flat fee—to work with you to get you back to the status quo ante.
If you decide to go it alone, or if your client decides to use your services instead of those of a professional identity theft resolution service provider, checklists and guidelines are available on the Internet. For example, Identity Theft 911 offers Understanding Identity Theft Part II—Reclaiming Your Identity and Understanding Identity Theft Part III—Emotional Considerations as part of its consumer education library (www.identitytheft911.org/articles/articles.htm). The Federal Trade Commission offers Take Charge: Fighting Back Against Identity Theft (www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm), a comprehensive checklist of actions to take, including forms to use for tracking actions and results. Additional information also is available at the FTC’s other consumer- oriented website, www.consumer.gov/idtheft/con_steps.htm.
What Else Should You Do?
As lawyers, we understand our traditional obligations to maintain inviolate, at all risk to ourselves, the secrets and confidences of our clients. Historically, however, we have not understood that obligation to extend to personal identifying information, even though we often collect and maintain a lot of that information in connection with our practices—particularly in the areas of divorce, estate planning, and probate. California took the lead in mandating the disclosure to affected persons, by any “person or business that conducts business in California and that owns or licenses computerized data that includes personal information [as defined in the statute]” of any resident of California, of any breach of the security of the system following discovery or notification of the breach that resulted in, or reasonably is believed to have resulted in, the acquisition of that data by an unauthorized person (Cal. Civ. Code 1798.82(a)). Numerous other states have joined California in requiring disclosure and enhanced data security, and Congress is contemplating the issue with bills introduced by Senators Dianne Feinstein and Arlen Specter.
As the issue is under an ever-brighter spotlight at the state and federal level, prudence dictates that we treat our clients’ and our employees’ unencrypted personal identifying information (including the unencrypted information contained in paper files and loose documents) with even greater care than we safeguard our clients’ “secrets and confidences.” To do so, any personal identifying information should be segregated and secured, and access to it should be limited to those who have an actual need to know it.
Identity theft is a scourge on our society. It can result from carelessness or indifference, but it also may occur despite our best precautions. If we store personal identifying information digitally and keep it encrypted at the office, we must ensure that it stays encrypted when it leaves the office. If we maintain personal identifying information in unencrypted form (such as on paper), we must avoid leaving it lying around, never just throw it out with the trash, and ensure that our personnel act with equal diligence.
None of us want to share the experience of Blockbuster, which abandoned clear plastic garbage bags containing hundreds of customer account applications in plain sight outside a closed store on the Upper East Side of Manhattan. As reported in the New York Daily News on October 9, 2005, the applications contained customer names, dates of birth, credit card numbers and expiration dates, addresses and phone numbers, and other sensitive personal information, and many also included the applicant’s Social Security Number. When the garbage bags broke, the sensitive documents, described by the New York Daily News as a “fraud gold mine,” lay scattered across the busy Manhattan sidewalk.
We all must exercise our best efforts to protect ourselves and our clients against the risk of victimization. We can educate ourselves and our clients to be proactive. By doing so, we all will reduce the risk of experiencing the dislocations of this crime.
J. Anthony Vittal is general counsel of Credit.Com, Inc., in San Francisco, California. He speaks and writes frequently on legal technology topics and can be reached at email@example.com.