Wednesday, April 30, 2014

Identity Theft and Data Breaches

Identity thieves have victimized 12.6 million Americans in 2012 to the tune of nearly $21 billion. Eighteen percent of all Federal Trade Commission complaints received that year involved identity theft. More complaints were lodged in 2012 when compared to 11.6 million in 2011 and 10.2 million in 2010. (Javelin Strategy and Research, 2013 Identity Fraud Report: Data Breaches Becoming a Treasure Trove for Fraudsters, February 2013)

Globalization and the world wide use of the Internet have allowed thieves with actual, stolen, or cyber identities to engage in highly sophisticated crimes involving credit card fraud, bank fraud, immigration fraud, medical use fraud, and employment fraud.

Identity theft was not a federal crime prior to 1998. Congress passed the Identity Theft Assumption Deterrence Act (P.L. 105-318) which made identity theft a crime, established penalties for those engaging in such fraud or planning to defraud, and confiscation of property used in the pursuit of identity theft. The FTC established a Theft Data Clearinghouse in 2000 which recorded all consumer complaints data. (Kristin Finklea, Identity Theft: Trends and Issues, CRS R40599, January 16, 2014, p. 4)

The Congressional Research Service makes a distinction between identity theft and identity fraud even though people use the terms interchangeably. Identity fraud is described as an umbrella term referring to crimes “involving the use of false identification – though not necessarily a means of identification belonging to another person.” Identity theft is the “specific form of identity fraud that involves using the personally identifiable information of someone else.”

Flores-Figueroa v. United States brought clarification to the issue of identity theft vs. aggravated identity theft in the Supreme Court decision. It was important that “in order to be found guilty of aggravated identity theft, a defendant must have knowledge that the means of identification he used belonged to another individual. It is not sufficient to only have knowledge that the means of identification used was not his own,” the crime had to be executed “knowingly.” (Congressional Research Service report, R40599, January 16, 2014, p. 3)

The Identity Theft Penalty Enhancement Act (P.L. 108-275) established penalties for aggravated identity theft with additional penalties of two to five years’ imprisonment when the fraud was connected to other federal crimes.

Additionally, Congress passed the Identity Theft Enforcement and Restitution Act of 2008 (Title II of P.L. 110-326) for restitution to theft victims for time and effort spent recovering their good name.

To coordinate 17 federal agencies fighting against identity theft, President Bush signed Executive Order 13402, “Strengthening Federal Efforts to Protect Against Identity Theft, establishing the President’s Identity Theft Task Force. (71 Federal Register 93, May 15, 2006)

Even though the use of Social Security numbers in government documents and the private sector has been curtailed, 50 million Medicare cards still use SSN as identification. Changing to a different Medicare identifier has been estimated to cost between $255 million and $317 million. (U.S. Government Accountability Office, Medicare Information Technology: Centers for Medicare and Medicaid Services Needs to Pursue a Solution for removing Social Security Numbers from Cards, GAO-13-761, September 2013, p. 2)

The Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-458) “prohibited states from displaying or electronically including SSNs on driver’s licenses, motor vehicle registration, or personal identification cards.” (CRS Report R40599, p. 24)

Several agencies are tasked with fighting identity theft:

-          FBI through its Financial Crimes Section with 20 theft task forces
 
      -          United States Secret Service which protects financial infrastructure and payment systems

      -      United States Postal Inspection Service which identifies thieves who use the postal service    for their criminal activities and educates consumer groups

-          Social Security Administration Office of the Inspector General (stolen or misused SSNs are put under fraud alert in credit files, earning records are checked and fraud, waste, and abuse identified)

-          Immigration and Customs Enforcement (searches for identity theft that involves documents and benefits fraud via the 2006 ICE created Document and Benefit Fraud Task Forces located in 19 cities in the U.S.)

-          Department of Justice (prosecutes identity theft cases found during investigations by various agencies)

Once a person’s identity is stolen, criminals use it to commit credit card fraud by changing the billing address of the victim, opening new accounts in the victim’s name, eventually destroying their credit rating and emptying their bank accounts. Skimming devices installed at cash registers steal customers’ account information when they make purchases. I became such a victim when I used my debit card to pay for food in Portland, Oregon and in Alexandria, Virginia.

Using a person’s information, thieves can create fake birth certificates, licenses, and Social Security cards in order to apply for and receive government benefits in a victim’s name. Fake identities and passports are created for illegal aliens traveling to and living in the United States.

Furthermore, using identity theft, criminals can obtain jobs or medical services for which they are not entitled. The victim’s credit rating is adversely affected, cannot file taxes, or cannot find future employment. One method used to empty bank accounts or find personal information is by email phishing.

Last but not least are the frequent data breaches by hackers around the world who steal large stores and companies customers’ credit card and personal information, often including medical records. Financial services industries are better at guarding their customer information database, however, information resellers are not bound by stringent restrictions. Limited research suggests that 12-27 percent of identity theft results from data breaches.

No comments:

Post a Comment