October, 2006

by Howard A. Lax

“The only real possession you'll ever have is your character.”
— Tom Wolfe


Identity theft is America's fastest-growing crime. Last year alone, more than 9.9 million Americans were victims of identity theft, a crime that cost them roughly $5 billion. Since the well publicized release of information by ChoicePoint on February 15, 2005, over 93 million individual records have been lost or stolen. Data was recovered in only seven of the hundreds of cases reported. Most of the laws discussing identity theft have been enacted in the past several years. On the federal side, the FACT Act (an amendment of the Fair Credit Reporting Act) provides protection against the deleterious financial effects of identity theft. Michigan laws punish individuals who steal identities, and provide limited safeguards against identity theft. However, none of these laws have effectively stopped identity thieves, principally because there is a market for stolen identities, and so few of the individuals who steal and sell identities are ever caught.


I. Fair Credit Reporting Act (FCRA)


A. Things an identity theft victim can do to avoid further damage:


1. File a police report.


2. Prepare an Identity Theft Affidavit for businesses that opened fraudulent accounts, and attach a copy of the police report to each Affidavit.


3. Call the three national credit bureaus to place a fraud alert on your credit report if you suspect that you may be victim of identity theft:



P.O. Box 740241

Atlanta, GA 30374



Experian (TRW)

P.O. Box 9532\

Allen, TX 75013



TransUnion Corp

P.O. Box 6790

Fullerton, CA 92834



A call to one of the three credit bureaus will result in a fraud alert on the record of all three bureaus (but this may take longer than asking each credit bureau for a fraud alert). The consumer is also entitled to receive a free credit report from each bureau to check for fraudulent accounts. The initial fraud alert is placed on a credit report for 90 days.


4. File a complaint with the FTC so that your incident report is available to multiple law enforcement agencies.


B. Under the FCRA Section 609(e), identity theft victims are entitled receive, upon request, a copy of the application or other business transaction records relating to their identity theft free of charge. Businesses must provide these records within 30 days of receipt of the victim’s request. Businesses must also provide these records to any law enforcement agency which the victim authorizes.


1. Businesses may select a specific address to which requests from victims must be mailed. If the business does not have a high degree of confidence that it knows the victim, before providing the records, the business may ask victims for:


a. proof of identity, which may be a government-issued ID card, the same type of information the identity thief used to open or access the account, or the type of information the business is currently requesting from applicants or customers; and


b. a police report and a completed affidavit, which may be either the FTC Identity Theft Affidavit (PDF, 56 KB) or the business’s own affidavit.


2. Section 609(e) does not require a business to change its current information or record retention procedures.


3. A business may decline to provide the records if, in good faith, it determines that this FCRA provision does not require disclosure, the business entity does not have a high degree of confidence in knowing the true identity of the requester after reviewing the proof of identity provided by the requester, the requester has made a misrepresentation of fact relevant to the request, or the information requested is Internet navigational data or similar information about a person’s visit to a website or online service. The business may also deny disclosure if it is otherwise prohibited under other provisions of state or federal law.


C. Things to do when your credit report is affected.


1. The fraud alert on a credit report can be extended if you find that you have been the victim of identity theft. You will be asked to send a police report to the credit bureau, and an identity theft report (the form should be obtained from the credit bureau).


a. The consumer must respond within 15 days when asked for an identity theft report.


b. The credit bureau has five days after receiving the identity theft report to review it and request additional information.


2. Contact both the national credit bureaus about items on your credit report that are fraudulent. Credit Bureaus are required to promptly investigate claims under §611 of FCRA.


a. The national credit bureau must notify the consumer of receipt of the dispute within five days. The credit bureau must investigate the claim of the fraudulent entry within 30 days of the receiving the claim. The period of investigation can be extended 15 days if the credit bureau receives additional information from the consumer.


b. The national credit bureau must provide any information it obtains to the consumer. The credit bureau must make a determination that the claim is incorrect or that it is correct. If the credit bureau finds that the consumer claim has merit, it has 5 days after making this determination to correct the item in its database.


c. The consumer can request that a notice be placed in the credit report that an item is disputed.


d. If the item is removed from the database, the national credit bureau must maintain procedures to make sure that it is not reinserted. The consumer can request that the credit bureau send a notice of the deletion to anyone receiving the report in the past 2 years for employment purposes, or within the past 6 months for other purposes.


e. Local credit bureaus that merge data from national credit bureaus (“resellers”) also have an obligation to investigate claims that information in a credit report is erroneous. However, the obligation only extends to correct mistakes the reseller made. The claim must be passed up the line to the national credit bureaus. The national credit bureau must then investigate the claim, make corrections in its data, and notify the reseller (which then notifies the consumer).


3. Contact a business to report that the information supplied to a credit bureau is fraudulent. Furnishers of information to credit bureaus are required to fix any inaccuracies pursuant to §623 of FCRA.


a. Businesses are required to maintain procedures to make sure that the information provided to a credit bureau is accurate, and to correct any erroneous information.


b. Businesses must establish a procedure to respond promptly to inquiries of fraudulent reports received from credit bureaus. Responses to credit bureaus must be made within the time limit that the credit bureau has to respond to the consumer.


c. Consumers must be notified when negative information about them is submitted to a credit bureau.


D. FCRA Identity Theft proposal: Customer Identification Programs. Section 114 of the FACT Act amends Section 615 of the FCRA and requires each of the federal banking regulators and the FTC (the “Agencies”) to jointly issue guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. In developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. Proposed “Red Flag Rules” were published at 71 FR 40786 (7/18/06). The centerpiece of the proposed rules is a list of “red flag” items that each financial institution (including mortgage brokers and mortgage lenders), and anyone who uses a consumer credit report, must examine for each consumer to help deter identity theft. Under the proposed Red Flag Regulations, financial institutions and creditors must have a written Program that is based upon the risk assessment of the financial institution or creditor and that includes controls to address the identity theft risks identified. This Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities, and be flexible to address changing identity theft risks as they arise. A financial institution or creditor may wish to combine its program to prevent identity theft with its information security program, as these programs are complementary in many ways. The Program must include policies and procedures to prevent identity theft from occurring, including policies and procedures to:

  • Identify those Red Flags that are relevant to detecting a possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor;
  • Verify the identity of persons opening accounts; 
  • Detect the Red Flags that the financial institution or creditor identifies as relevant in connection with the opening of an account or any existing account; 
  • Assess whether the Red Flags detected evidence a risk of identity theft; 
  • Mitigate the risk of identity theft, commensurate with the degree of risk posed;
  • Train staff to implement the Program; and 
  • Oversee service provider arrangements. 

1. The program must address financial, operational, compliance, reputation, and litigation risks. The Program must also address changes in methods of identity theft, methods to detect, prevent, and mitigate identity theft, in the types of accounts the financial institution or creditor offers, and in its business arrangements, such as mergers and acquisitions, alliances and joint ventures, and service provider arrangements.

2. The proposed Red Flag Regulations also require the board of directors or an appropriate committee of the board to approve the Program. In addition, the board, an appropriate committee of the board, or senior management must exercise oversight over the Program’s implementation. Staff implementing the Program must report to its board, an appropriate committee or senior management, at least annually, on compliance by the financial institution or creditor with the Red Flag Regulations.

3. Several important points to realize about these regulations are:

  • The regulations apply to "accounts" of any person or entity - whether the account is for consumer or commercial purposes, and whether or not the account belongs to an individual or a legal entity, or even an unincorporated association.
  • You cannot simply buy a program to comply with the regulations. A financial institution or creditor that uses a third party’s computer-based programs to detect fraud and identity theft must independently assess whether such programs meet the requirements of the Red Flag Regulations and Red Flag Guidelines, and should not rely solely on the representations of the third party. Mortgage companies rely upon their credit bureau to check the applicant against the OFAC blocked persons list. We expect that credit bureaus will play a similar role in identifying applicants. Ultimately, however, the financial institution or creditor remains responsible for ensuring that the identification of its customers is being conducted by the credit bureau in compliance with a Program that meets the requirements of the Red Flag Regulations.
  • Mortgage companies have always issued a sigh of relief that they do not have to implement costly Consumer Identification Programs required of depository institutions. That party has come to an end. The proposed regulations require identification of customers, and the rule is nearly identical to the Customer Information Program rule that each depository institution must implement under Section 326 of the USA PATRIOT Act, 31 U.S.C. 5318(l). Furthermore, guidelines recently issued to depository institutions require two means of identification at each contact (e.g. password and verification of email address). This is not going to be implemented through a cheap off-the-shelf program. Heaven help us if the final rules require each mortgage broker to implement a Customer Identification Program with the breadth and complexity of the program implemented by the investor it is selling the loan to.
  • Signing an identity theft pledge is not going to suffice as staff training. Staff should be trained to detect Red Flags with regard to new and existing accounts, such as discrepancies in identification presented by a person applying for a loan or anomalous disbursement requests in connection with a customer’s loan. Staff should also be trained to mitigate identity theft, for example, by recognizing when an application should not be accepted. Note that Michigan law prohibits a lender from refusing to accept a mortgage application. This may be preempted, under the proposed regulations, when the applicant cannot provide satisfactory identification.

4. Appendix J to the Regulation lists the proposed "Red Flags" that each financial institution must address in its program. These include:

1. A fraud or active duty alert is included with a consumer report.
2. A notice of address discrepancy is provided by a consumer reporting agency.
3. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

a. A recent and significant increase in the volume of inquiries.
b. An unusual number of recently established credit relationships.
c. A material change in the use of credit, especially with respect to recently established credit relationships.
d. An account was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

4. Documents provided for identification appear to have been altered.
5. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
6. Other information on the identification is not consistent with information provided by the person opening a new account or customer presenting the identification.
7. Other information on the identification is not consistent with information that is on file, such as a signature card.
8. Personal information provided is inconsistent when compared against external information sources. For example:

a. The address does not match any address in the consumer report; or
b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.

9. Personal information provided is internally inconsistent. For example, there is a lack of correlation between the SSN range and date of birth.
10. Personal information provided is associated with known fraudulent activity. For example:

a. The address on an application is the same as the address provided on a fraudulent application; or
b. The phone number on an application is the same as the number provided on a fraudulent application.

11. Personal information provided is of a type commonly associated with fraudulent activity. For example:

a. The address on an application is fictitious, a mail drop, or prison.
b. The phone number is invalid, or associated with a pager or answering service.

12. The address, SSN, or home or cell phone number provided is the same as that submitted by other persons opening an account or other customers.
13. The person opening the account or the customer fails to provide all required information on an application.
14. Personal information provided is not consistent with information that is on file.
15. The person opening the account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
16. Shortly following the notice of a change of address for an account, the institution or creditor receives a request for new, additional, or replacement checks, convenience checks, cards, or a cell phone, or for the addition of authorized users on the account.
17. Mail sent to the customer is returned as undeliverable although transactions continue to be conducted in connection with the customer’s account.
18. A new revolving credit account is used in a manner commonly associated with fraud. For example:

a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

19. An account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:

a. Nonpayment when there is no history of late or missed payments;

b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;

d. A material change in electronic fund transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.

20. An account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
21. The financial institution or creditor is notified of unauthorized charges in connection with a customer’s account.
22. The financial institution or creditor is notified that it has opened a fraudulent account for a person engaged in identity theft.
23. The financial institution or creditor is notified that the customer is not receiving account statements.
24. The financial institution or creditor is notified that its customer has provided information to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website.
25. Electronic messages are returned to mail servers of the financial institution or creditor that it did not originally send, indicating that its customers may have been asked to provide information to a fraudulent website that looks very similar, if not identical, to the website of the financial institution or creditor.
26. The name of an employee of the financial institution or creditor has been added as an authorized user on an account.
27. An employee has accessed or downloaded an unusually large number of customer account records.
28. The financial institution or creditor detects attempts to access a customer’s account by unauthorized persons.
29. The financial institution or creditor detects or is informed of unauthorized access to a customer’s personal information.
30. There are unusually frequent and large check orders in connection with a customer’s account.
31. The person opening an account or the customer is unable to lift a credit freeze placed on his or her consumer report.

5. Lenders and brokers who are notified of a discrepancy in an applicant address must resolve the discrepancy.


E. Other FCRA safeguards.


1. Consumers must be given the opportunity to opt out of sharing of non-experiential information between affiliated businesses.


2. The purposes for obtaining a consumer credit report or a consumer investigative report are very limited. With respect to loan brokers and lenders, the consumer must request credit (i.e. make an oral request for credit) or provide written consent before a loan officer can obtain a credit report. A lender is not permitted to obtain a credit report from a consumer who is only shopping rates. A lender is permitted to obtain a list (name and address) from a credit bureau of consumers who meet certain criteria for the purpose of marketing credit; however, the lender must provide a firm offer of credit to each consumer who satisfies the lender’s search criteria.


a. The “firm offer of credit” requires the lender to provide the conditions for obtaining the credit in the solicitation. This requirement spawned dozens of class action lawsuits over how much detail must be provided in the solicitation.

b. The amount of credit offered must be reasonable. For example, a car dealer cannot offer $1500 to buy a car when the credit can only be used at the dealer, and no car is available with so little credit.


c. It is becoming very popular among mortgage brokers to ask a credit bureau for a list of consumers who have had credit reports issued to mortgage lenders in the past few days (known as a “trigger” program) since these consumers are shopping for mortgage credit. These requests require the mortgage broker to make a firm offer of credit, which they may not be able to do if they are licensed brokers, and not lenders.


3. Re-release of a consumer report is forbidden by contract (except for release to the consumer).


4. Medical information cannot be included in a credit report used to approve credit.


5. Each consumer is entitled to receive a free annual credit report from one or all the national consumer reporting companies. To obtain a free credit report, visit, call toll-free 877-322-8228, or complete the Annual Credit Report Request Form at, and mail it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. The free report does not include a credit score (you have to pay for that). Do not confuse this web site with, which is a commercial site selling credit report services to consumers. If you need more than one credit report in a year, you can buy a credit report from any of the national credit bureaus for $9.50.


6. A member of the military away from the usual duty station may place an “active duty alert” his or her credit report to help minimize the risk of identity theft. Active duty alerts are in effect for one year, and can be extended by the serviceperson.


7. Only the last five digits of a credit card number can be printed on a receipt. There is an exception for handwritten credit card slips.


F. Law enforcement under the FCRA is limited.


1. The FTC does not have any criminal investigation authority with respect to identity theft. The FTC does list all complaints of identity theft in the Identity Theft Data Clearinghouse, a national identity theft victim complaint database containing more than 815,000 complaints. Local law enforcement agencies are encouraged to locate and act upon these complaints. The Secret Service maintains regional electronic crimes task forces. The closest task force is located in Chicago:


Chicago Electronic Crimes Task Force (CECTF)
525 West Van Buren
Chicago, IL 60607
Phone: 312/353-5431
Fax: 312/353-1225


2. The FTC has authority under the FTC Act to fine companies for deceptive trade practices. The FTC considers the failure to safeguard consumer information to be a deceptive trade practice. In December, 2005, shoe discounter DSW Inc. agreed to settle Federal Trade Commission charges that its failure to take reasonable security measures to protect sensitive customer data was an unfair practice that violated federal law. The FTC charges that until at least March 2005, DSW engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive customer information. Specifically, the agency alleges that DSW:

  • created unnecessary risks to sensitive information by storing it in multiple files when it no longer had a business need to keep the information;
  • failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks;
  • stored the information in unencrypted files that could be easily accessed using a commonly known user ID and password;
  • failed to limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and
  • failed to employ sufficient measures to detect unauthorized access.

According to the FTC, approximately 1.4 million credit and debit cards and 96,000 checking accounts were compromised, and that there have been fraudulent charges on some of these accounts. Further, some customers whose checking account information was compromised have incurred out-of-pocket expenses in connection with closing their accounts and ordering new checks. Some checking account customers have contacted DSW to request reimbursement for their expenses, and DSW has provided some amount of reimbursement to these customers. According to DSW’s SEC filings, as of July 2005, the company’s exposure for losses related to the breach ranges from $6.5 million to $9.5 million. The settlement will require DSW to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 20 years.


3. Other federal laws make identity theft a crime.


a. 18 U.S.C. § 1028 to make it a federal crime when anyone
knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.”

b. The Identity Theft Penalty Enhancement Act adds 2 years to the sentence for many felonies when the criminal “knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person.” The additional 2 years must run consecutively to the sentence for the felony.


c. Gramm Leach Bliley Act, 15 USC §6801 et. seq.


1. Article V(A) requires financial institutions to provide financial privacy disclosures, requires an opportunity for consumers to opt out of sharing of non-public information for marketing purposes, and requires the safekeeping (and safe destruction) of consumer records. Each financial institution is required by the FTC Safeguards Rule (16 CFR part 314) to appoint an information security compliance officer, who will (a) analyze risks to the security of consumer information, (b) develop a program to address the risks so identified, (c) train employees on keeping information secure, and (d) evaluate the program and make changes to the program to address new risks or to improve performance of security measures. Superior Mortgage Corp., a lender with 40 branch offices in 10 states and multiple Web sites, agreed to settle FTC charges that it violated the Safeguards Rule by failing to provide reasonable security for sensitive customer data and falsely claiming that it encrypted data submitted online. The settlement bars future deceptive claims and requires the company to establish data security procedures that will be reviewed by independent third-party auditors for 10 years. Copies of the relevant documents are available at:


2. Article V(B) makes “pretext calling” a five year felony. “Pretext calling” is contacting a depository institution and claiming that you are another person to obtain information concerning that person’s account.


d. 18 USC §2721 (the Driver’s privacy Protection Act of 1994) prohibits states from selling driver license information and records.


e. 20 USC §1232g prohibits educational institutions that receive federal funds from releasing information about students.


f. HIPAA regulates the release and safekeeping of health care information.

4. Local law enforcement agencies may obtain a victim’s identity theft-related transaction records from creditors without first obtaining a subpoena, if authorized in writing by the victim. The request to the company must:


  • be in writing
  • show authorization from the victim
  • be sent to an address specified by the business, if any, and
  • allow the business 30 days to respond.


5. The Identity Theft Assistance Center (ITAC) is a cooperative private sector initiative that provides a free victim assistance service for customers of its member companies, and shares data with the FTC and other law enforcement agencies.


6. The brochure, “ Take Charge: Fighting Back Against Identity Theft,” published by the FTC at:

is a good source of information for consumers. The booklet is about 50 pages long.


II. State Laws and Litigation


A. In Bell v. Michigan Council 25 Of the American Federation of State, County, And Municipal Employees, Michigan Court of Appeals No. 246684 (Unpublished 2/15/05), the Court affirmed an award of $275,000 to 13 union members who were the victims of identity theft by the daughter of union treasurer. The daughter obtained the names, social security numbers and other information from the plaintiffs illegally. The Court stated:


“It follows that part and parcel of that relationship is a responsibility to safeguard its members’ private information. And society has a right to expect that personal information divulged in confidence, especially to an organization such as a union whose existence is for the benefit of the union members, will be guarded with the utmost care…..


“The crime of identity theft has been gaining momentum in recent years due to the accessibility of identifying personal information, mainly through computer use. In the past, the risk of harm stemming from a worker taking home sensitive information may not have been great. However, with the advancements in technology, holders of such information have had to become increasingly vigilant in protecting such information and the security measures enacted to ensure such protection have become increasingly more complex. As demonstrated by the problems plaintiffs’ faced after their identities had been appropriated, the severity of the risk of harm in allowing personal identifying information to be taken to an unsecured environment is high. The instant plaintiffs were very fortunate regarding the limited extent of the fraud perpetrated using their identities. But it is the potential severity of the risk, not the actual risk encountered, that must be considered in deciding to impose liability.


“Additionally, the burden on defendant in terms of securing its members’ information is not great. While no organization can 100% prevent illegal activities of third parties, it can certainly decrease the likelihood, as in this case, by not providing easy access to such sensitive information. The evidence showed that the union had absolutely no procedures or safeguards in place to ensure that confidential information was not accessed by unauthorized persons. The question of the “degree of certainty of injury” and the “closeness of connection between the conduct and injury” is a difficult one. But we believe that these factors must be considered in light of the technological age in which we now live. Even as recent as a decade ago, it could be said that the likelihood of identity theft occurring as the result of personal information being allowed to leave defendant’s premises was remote. However, today, the possibility of identity theft is all too commonplace. Under the circumstances of this case, we find that there is a strong basis for concluding that the criminal acts were foreseeable in this case…..


After considering all the factors, we find that a special relationship did exist between defendant and plaintiffs such that defendant did owe plaintiffs a duty to protect them from identity theft by providing some safeguards to ensure the security of their most essential confidential identifying information, information which could be easily used to appropriate a person’s identity. As we noted above, the question of duty in this case is, at its core, one of public policy and the facts of this case support the imposition of a duty on defendant. We do not intend our holding to be construed as imposing a duty in every case where a third party has obtained identifying information and subsequently uses that information to commit the crime of identity theft. Each case is unique and the duty determination must be made only after considering the relevant factors, which have been delineated in case law, and the circumstances of the particular case. Murdock, supra at 215. Therefore, our holding is limited to the facts of this case where defendant knew confidential information was leaving its premises and no procedures were in place to ensure the security of the information.”


Compare this decision to the Michigan Supreme Court decision in Zsigo v. Hurley Medical Center. In that case, the plaintiff was sexually assaulted by an aide who was cleaning up the room where the Plaintiff was restrained. Plaintiff was being treated for a manic depressive episode. She enticed the aide, believing that the aide was a very powerful person at the hospital who would release her. Plaintiff argued that the hospital should be liable for damages caused by its employee's unlawful acts, on the basis that the employee was an agent of the hospital. The Supreme Court disagreed, refusing to hold that the employer is responsible for the acts of employees who appear to be acting with the authority of their employer. The Court recognized that the agency exception to the principal of respondeat superior is accepted in some states, but not in Michigan:

“Under the doctrine of respondeat superior, the general rule is that an employer is not liable for the torts intentionally or recklessly committed by an employee when those torts are beyond the scope of the employer’s business.1 Restatement Agency, 2d, § 219(2) sets forth the general rule of respondeat superior and also lists certain exceptions to employer nonliability:

“(2) A master is not subject to liability for the torts of his servants acting outside the scope of their employment, unless: (a) the master intended the conduct or the consequences, or (b) the master was negligent or reckless, or (c) the conduct violated a non-delegable duty of the master, or (d) the servant purported to act or to speak on behalf of the principal and there was reliance upon apparent authority, or he was aided in accomplishing the tort by the existence of the agency relation.


“The question in this case is whether Michigan recognizes the fourth exception, § 219(2)(d), to the doctrine of respondeat superior nonliability. Plaintiff argues that Michigan has adopted, or should now adopt, the fourth exception to the respondeat superior nonliability rule. Section 219(2)(d) provides an exception to employer nonliability when a plaintiff can show that he or she relied on the apparent authority of the employee, or that the employee was aided in harming the plaintiff by the existence of the agency relationship between the employee and the employer. Section 219(2)(d) and the commentary on that section establish that this exception to employer nonliability applies primarily to cases involving misrepresentation and deceit, for example when a store manager is able to cheat store customers because of his or her position as store manager for the owner....

“Courts have criticized § 219(2)(d) primarily because the exception swallows the rule and amounts to an imposition of strict liability upon employers.24 Indeed, it is difficult to conceive of an instance when the exception would not apply because an employee, by virtue of his or her employment relationship with the employer is always “aided in accomplishing” the tort. Because the exception is not tied to the scope of employment but, rather, to the existence of the employment relation itself, the exception strays too far from the rule of respondeat superior employer nonliability.

“Because we recognize that were we to adopt the exception we would potentially be subjecting employers to strict liability, we decline to do so. We further note that, employers will continue to be subject to liability for their negligence in hiring, training, and supervising their employees.....”

This decision has broad implications in the mortgage industry, where individual loan officers act outside of the scope of their employment to defraud consumers. In the Bell decision, the employee was acting legally, in the course of employment, and failed to safeguard information. In Zsigo, the difference is that the employee was acting illegally, in a manner not authorized by the employer. In the former case, the employer is liable for damages. In the latter case, the employee is liable for damages.


B. A package of bills (2004 PA 452 , 453 , 454 , 455 , 456 , 457 , 458 , 459 , 460 , 461 and 462 ) signed by the Michigan Governor at the end of 2004 provide protections to victims of identity theft above and beyond the protections afforded by FCRA. A lender cannot discriminate against a person by reducing available credit because the person was a victim of identity theft. If the applicant produces a police report showing that they made a complaint that they were a victim of identity theft, the lender must restore any reduction in a credit line due to the fraudulent activity.

1. Lenders are required to identify all loan applicants pursuant to Section 11 of 2004 PA 452:


“Sec. 11. (1) A person shall not do any of the following in the conduct of trade or commerce:

(d) Extend credit to a consumer without exercising reasonable procedures to verify the identity of that consumer. Compliance with regulations issued for depository institutions, and to be issued for other financial institutions, by the United States department of treasury under section 326 of the USA patriot act of 2001, 31 USC 5318, is considered compliance with this subdivision. This subdivision does not apply to a purchase of a credit obligation in an acquisition, merger, purchase of assets, or assumption of liabilities or any change to or review of an existing credit account.”


2. The law states that Customer Identification Programs (CIP) required under federal banking laws are sufficient to meet state laws. This does not mean that a full blown "know your customer" program is required by state law. Every lender and mortgage broker should be collecting identifying information before closing, such as a drivers license and social security card, and checking the identity of borrowers against the blocked persons list maintained by the Office of Foreign Assets Control (OFAC) (many law firms maintain articles about PATRIOT Act compliance on their web sites, such as Holland and Knight ). Stewart Title has automated this process with a blocked person lookup utility . Preferably, a fraud/blocked person check should be conducted at the time of application to reduce fraudulent loan applications.

3. The bills also prohibit a business displaying or requesting a customer's social security number, except when the customer is applying for a loan and in certain other circumstances. The bills prohibit merchants from including more than four digits of a customer's credit card number on a receipt. There was a grandfather period for replacing old equipment that prints the entire credit card number. Social security numbers cannot be utilized by a business as ID numbers or login numbers.

4. The bill also includes criminal penalties and civil fines for identity theft schemes, including pin readers, and other equipment designed to skim numbers from automated transaction equipment (such as gas pumps, ATM machines, etc.), and filing or possessing personal information or a false police report of identity theft for illegal purposes. There is a six year limitations period for criminal indictments. The criminal penalty is five years in prison and/or $25,000 in fines.


5. Victims of identity theft can access public records to determine if someone other than themselves requested a birth certificate or other documentation for the purpose of identity theft.


6. Violation of identity theft statutes is a violation of the Consumer Protection Act. Refusing to approve credit (discrimination) because of items that are the result of identity theft is a violation of the Consumer Protection Act.


7. Employers are obligated to keep employee social security numbers secure, and are liable for damages resulting from the loss of this information. 2004 PA 254 states:


“Sec. 4. (1) Beginning January 1, 2006, a person who obtains 1 or more social security numbers in the ordinary course of business shall create a privacy policy that does at least all of the following concerning the social security numbers the person possesses or obtains:

(a) Ensures to the extent practicable the confidentiality of the social security numbers.

(b) Prohibits unlawful disclosure of the social security numbers.

(c) Limits who has access to information or documents that contain the social security numbers.

(d) Describes how to properly dispose of documents that contain the social security numbers.

(e) Establishes penalties for violation of the privacy policy.

(2) A person that creates a privacy policy under subsection (1) shall publish the privacy policy in an employee handbook, in a procedures manual, or in 1 or more similar documents, which may be made available electronically.

(3) This section does not apply to a person who possesses social security numbers in the ordinary course of business and in compliance with the fair credit reporting act, 15 USC 1681 to 1681v, or subtitle A of title V of the Gramm-Leach-Bliley act, 15 USC 6801 to 6809.”


About the Author:

Howard A. Lax is a corporate law attorney and shareholder with Lipson, Neilson, Cole, Seltzer & Garin, P.C. Howard A. Lax specializes in financial institutions consumer compliance and regulatory affairs, and real property law. He earned his J.D. cum laude, from Wayne State University's School of Law and holds a bachelor's degree from the University of Michigan. Active in the community, he is a member of the State Bar of Michigan's Business Law Section, is a member of the governing council of Real Property Law Section, and a member of the MMLA. Mr. Lax also writes and publishes The Mortgage News, a bimonthly mortgage banking compliance newsletter. The Mortgage News can be found at: Mr. Lax may be contacted at:

Lipson, Neilson, Cole, Seltzer & Garin, P.C.
3901 Telegraph Rd., Suite 200
Bloomfield Hills , MI 48302
Tel.: (248) 593-5000
Fax: (248) 593-5040