ID Theft: Variations of An International Crime by Wilma ColonAriza

Advanced Risk Management Solutions

Identity Theft Today â&#x20AC;&#x153;Variations of an International Crimeâ&#x20AC;? Wilma Ariza, C.I.T.R.M.S.

08 Table of Contents

Identity Theft Today Table of Contents About the Author ...................................................................................................3 Introduction ........................................................................................................4 President’ Task Force Report Abstract .............................................................5 Identity Theft: Federal Definition ..........................................................................6 The Offenders ......................................................................................................7 Identity Theft Crime Variations .........................................................................8 a) b) c) d) e)

Credit Fraud or Theft by deception……………………………….9 Social Security Theft ………………………………………………………10 Medical Identity Theft…………………………………………………….11 Driver’s License Identity Theft ……………………………………….12 Criminal Identity Theft …………………………………………………..13

Case Study Samples…… ........................................................................................14 Business Considerations and the Law………………………………………………………………18 Conclusion ........................................................................................................23 References .......................................................................................................19 Resources…………………………………………………………………………………………………….…20

Acknowledgement: Thank you for stealing my identity and selling it, to everyone else who is me, somewhere, anywhere in the US, without you guys I would never be where I am today. You know who you are! The Real Wilma “Colon” Ariza

Identity Theft Today

About the Author Wilma Ariza has successfully completed the Certified Identity Theft Risk Management Specialist curriculum and now joins the ranks of select professionals nationwide who have earned the CITRMS certification. Ms. Ariza became interested in Identity Theft Victims Rights and issues 3 years ago when she discovered her identity was stolen and was unable to find effective knowledgeable assistance and advocacy to resolve the ensuing financial and legal issues that resulted from a number of unknown individuals using her identity nationwide to obtain employment, medical insurance, passports, social services, credit, out of state drivers licenses in her maiden name, multiple real estate acquisitions, goods and services fraudulently, including the illegal use of her NJ Drivers License information during traffic violations stops. . The CITRMS certification program is the nation’s only training program specifically developed for professionals who are dedicated to educating and assisting clients, customers, businesses, and the general public in combating the epidemic of Identity Theft. CITRMS-qualified professionals are employed by financial institutions, financial services firms, law enforcement and other state and federal government agencies. Many others are private practitioners including attorneys, CPAs, financial advisors and business consultants like Ms Ariza who has focused her practice on legal rights and legislation affecting consumer identity protection, children’s identity fraud, criminal identity theft victims advocacy and medical identity theft awareness education in Northern New Jersey where she currently resides. . The course curriculum addresses such key areas as: the various types of Identity Theft vs. credit fraud; consumer protection laws and related requirements; the public dossier and sources of information; Identity Theft risks and issues for businesses, including information security laws, related requirements and liabilities; Identity Theft Risk Management and Anti-Fraud Resources; and more. To attain the certification, CITRMS candidates must successfully complete a rigorous final examination designed to thoroughly assess their comprehension and sound knowledge of the course materials and the legal, as well potential financial pitfalls of compliance. The Certified Identity Theft Risk Management Specialist program is provided through a cooperative effort between the award-winning Institute of Consumer Financial Education (www.ICFE.info), and The Institute of Fraud Risk Management (www.TIFRM.com). Indicative of the ever-increasing threat of this emerging crime and the critical nature of providing business owners and the public with the knowledge and tools to address and manage their risks, the CITRMS certification course is accepted for professional continuing education credit by such organizations as: the Certified Financial Planning Board of Standards for Certified Financial Planners (CFP®); PACE and The American College for Chartered Life Underwriters (CLU) and Chartered Financial Consultants (ChFC); the International Association of Registered Financial Consultants for Registered Financial Consultants (RFC); and The Association for Financial Counseling and Planning Education for Accredited Financial Consultants (AFC). 3 Advanced Risk Management Solutions © 2008

Identity Theft Today

INTRODUCTION While no less than a decade ago â&#x20AC;&#x2022;identity theftâ&#x20AC;&#x2013; was apt to be met with curiosity and some bewilderment, it has become one of the most recognizable crime terms of the 21st century. Even so, questions remain regarding what it really represents, what type of person is most likely to commit this crime, what criminal methods are most commonly (and successfully) employed, and who is most at risk of being victimized. The United States Secret Service is actively involved in the investigation and prosecution of identity theft and fraud crimes. According to its website www.secretservice.gov/criminal.shtml Identity crimes are defined as the misuse of personal or financial identifiers in order to gain something of value and/or facilitate other criminal activity. The Secret Service is the primary federal agency tasked with investigating identity theft/fraud and its related activities under Title 18, United States Code, Section 1028. Identity crimes are some of the fastest growing and most serious economic crimes in the United States for both financial institutions and persons whose identifying information has been illegally used. The Secret Service records criminal complaints, assists victims in contacting other relevant investigative and consumer protection agencies and works with other federal, state and local law enforcement and reporting agencies to identify perpetrators. These efforts are time consuming and often very costly for victims. Similar information can be found on the websites of the United States Postal Inspection Service, the FBI (Federal Bureau of Investigation), the FTC (Federal Trade Commission), the Social Security Administration, the Department of Justice, many state police departments, several local police departments, and the numerous not-for-profit organizations devoted to combating identity theft and helping citizens to recover from it. Identity crimes are far reaching, as the attention given to it by government entities, the businesses that have emerged in an effort to thwart it, and the many stories from the media indicate. Statistics from Consumer Sentinel, the database of complaints maintained by the Federal Trade Commission, indicate that the highest percentage of complaints received in 2006 (36%) were concerning identity theft. http://www.ftc.gov/opa/2007/02/topcomplaints.shtm Since 2001, the same has been true; the highest percentage of complaints received during each year concerned identity theft.

4 Advanced Risk Management Solutions ÂŠ 2008

Identity Theft Today

THE TASK FORCE REPORT President George Bush established the President’s Task Force on Identity Theft in May 2006 by Executive Order 13402. Which states ―The problem of identity theft has become more complex and challenging to the general public, the government, and the private sector.‖ (April 2007, p. 1) While the Internet, with its chat rooms, electronic banking and payments, phishing and pharming, malware and Spyware, and pretexting, has certainly added a dimension to the crime, the basics are also still employed by identity thieves: common theft, mail theft and change of address, dumpster diving, database and network hacking, including insider theft. The purposes for which identity thieves can use the stolen personal identifier information has been exacerbated by the Internet, as online credit applications, bank account transfers, purchases and the like eliminate the need for face to face contact. Law enforcement is, of course, faced with the challenges that the growing complexity the crime presents including the growing numbers of undocumented immigrants using fraudulently obtained personal identifying information to: Conceal Actual Identity Obtain Credit and Loans Procure and Secure Employment Obtain Drivers License and Passports Purchase Motor Vehicles and Real Estate Enroll In School and Obtain Student Loans Apply for and obtain social services or medical care

Identity Theft Today

IDENTITY THEFT: The Federal Definition In the report of the President’s Task Force on Identity Theft, identity theft is defined in this way, ―Although, identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud” (April 2007, p. 2). As of the preparation date of this report there is an ongoing debate concerning the definition of identity theft. However, for the purposes of this report and discussion, I agree with the Task Force definition, but consider personal information to be personal identifying information such as name, address, Social Security number and date of birth, which may be included on documents such as driver’s licenses and birth certificates. Access devices such as credit cards, debit cards, ATM cards, electronic monetary gift cards, calling cards and bank checks, are excluded from the identity theft crime definition. While the theft of a credit card, other financial access card and/or bank check may result in fraudulent charges, known as credit fraud or theft by deception, it does not result in the theft of an identity. The Task Force report agrees: ―For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card alone, generally would not provide the thief with enough information to establish a false identity‖ (p. 3). And so, there, lies the debatable concept of identity theft crimes versus credit fraud incidents and the ramifications for the consumer who fails to make the distinctive connection and effectively assess (1) the personal data management risks (2) the consumer credit risks, as defined by Federal and State Laws vs. the general misconception that inadequate credit monitoring services offered to credit card and banking consumers by their financial institution can be relied upon for comprehensive identity theft protection. . ―Credit scores can be business credit may be while disputed fraudulent due accounts are cleared

ruined and existing personal and significantly reduced or closed credit charges on delinquent past and resolved.” -- Newsweek --

Identity Theft Today

THE OFFENDERS The data analysis specified on the Identity Fraud Trends and Patterns: Building a Data-Based Foundation for Proactive Enforcement Report published by the Center for Identity Management and Information Protection of Utica College this past October 2007, showed more diversity among the age, race, gender, and criminal backgrounds of offenders than the picture held by conventional wisdom. Most of the offenders – 42.5% - were between 25 and 34 years of age at the time that the case was opened. The 35 – 49 age group made up 33% of the offenders. 18.5% were between 18 and 24 years old. The remaining 6% were 50 years old or older. One third of all reported offenders were female. 24.1% of the offenders were born outside of the United States. 71% of the offenders had no arrest history. ** those who had a prior criminal record or pending charges included fraud and forgery, identity theft and theft by deception. The most prevalent motive among all offenders was economic personal gain, followed by avoidance of past criminal convictions disclosure and a variety of social benefits fraud.

Identity Theft Today

IDENTITY THEFT CRIME VARIATIONS Credit Fraud and Theft by Deception The most productive and familiar form of the crime, the thief obtains key information about the victim such as the victim's name, Social Security or Registry number, date of birth, and any other available bits of personal identifying information. The victim may be an adult, a minor child or even *deceased ( known as*Ghosting). The main common characteristic of the ID Theft crime is the ―theft" of information that enables the thief to abuse the victim's "identity" to commit credit fraud and other crimes. In credit fraud and theft by deception cases the criminals may obtain credit cards and loans, purchase goods and services, buy or lease homes and vehicles, take expensive vacations, etc., all under the victim's name. In a disturbing growing number of cases they effectively assume the victims full identity (*cloning) in another community. This action, or abuse of the identity information, is known as "credit fraud". The result can often be the annihilation of the victim's finances and credit history, especially if fraudulent accounts are not identified and disputed within the time specified by law. Thousands of dollars of debt may be accumulated in a very short period of time, which the ―identity theft victim‖ is left to clear up.

PrePaid Legal Services Inc., Life Events Membership Plans © Identity Theft Shield© Legal Shield© “When bad things happen to good people” www.prepaidlegal.com/hub/mquarles19 Wilma Ariza, C.I.T.R.M.S. Independent Associate Toll Free Televox (866) 292-7939 Email warizac@gmail.com

Identity Theft Today Social Security Theft : Because our Social Security or Social Registry number is the most widely utilized personal identifier, most cases of Identity Theft and Identity Fraud involve some form of theft and/or abuse of the victim's Social Security number. The Social Security number is directly connected to a victim's work history, professional licenses, tax record and credit file, therefore, is required by banking institutions to facilitate all manner of financial transactions. Real ―financial identity theft‖ cases will almost certainly involve the theft and abuse of the victim's Social Security or Social Registry Number. However, this is not the only way by which a Social Security or Social Registry number can be abused. A criminal may use the victim's personal information to obtain employment, avoid paying taxes, or disclose a criminal past. In many cases information is sold to undocumented workers many times over creating an unreported income nightmare during an IRS audit. It has been reported that thousands of social service, public assistance, food stamps, and charity program fraud cases discovered in the past month involve undocumented and otherwise disqualified program recipients establishing or reestablishing benefits eligibility using stolen ―social security‖ or ―social registry‖ numbers. This aspect of ―Identity Theft‖ can be extremely difficult to determine, because such abuse is usually not uncovered through customary methods of credit review or monitoring. For example, in the case of illegal aliens (or anyone else) taking advantage of the victim's Social Security or Social Registry Number for Months or years in order to gain employment and make an income, the victim may discover the fraud only because the thief failed to pay the resulting income taxes, and created significant tax liabilities or penalties for the victim, including income withholding, bank account liens and in some cases incarceration for tax evasion while the matter is resolved through the legal system. Another serious issue that is not widely discussed involves the use of an identity theft victim's Social Security Number to apply for and receive Social Security, Medicare, unemployment, or other government benefits, directly linked to an individual work record, thus depleting the victim's own benefits and/or creating potential garnishments or charges of benefits fraud until, and if, the victim can prove his/her innocence. 9 Advanced Risk Management Solutions © 2008

Identity Theft Today Medical Identity Theft: Your social security or social registry number is also frequently used for medical records and insurance policy benefit identification, which can lead to another crime which falls under the increasingly complicated umbrella of Identity Theft crimes; a very dangerous rising trend, often referred to as "Medical Identity Theft". Thieves and scam artists have discovered the ease in which they may use a victim's information to obtain healthcare and other medical benefits and services. It is a very serious problem and may soon be officially recognized through legislation as a separate and distinct form of the crime. In a report by Elizabeth Roop of Radiology Today, the World Privacy Forum has estimated that fraudulent medical billing resulting from medical identity theft can range from $1,000 to as high as $1 million per incident. Pam Dixon, Executive Director of the World Privacy Forum, said "We get a lot of complaints that are in the $20,000 to $150,000 range; that's very common. If someone called up and said, 'I had debt collectors knocking on my door wanting $90,000,' we wouldn't even blink." In addition to the obvious troubles caused by fraudulent billing that may result from the healthcare services obtained in the victim's name, there is an even more distressing, and potentially life-threatening dangerâ&#x20AC;&#x201D;incorrect medical file information/records. The thief's abuse of the victim's information to obtain healthcare services could result in the victim's medical files and connected information entered into medical databases becoming contaminated with wrong or incompatible information (the thief's rather than the victim's) such as an incorrect medical history, missed or incorrect documentation of allergies to certain medications, incorrect documented health conditions or diagnosis, and a host of other dangerous mistakes that could put the victim's health and life in danger. Victims may also abruptly and without warning discover that their insurance benefit coverage has been exhausted, that they no longer qualify for medical or life insurance due to incorrectly reported "pre-existing" conditions, or even receive a notice of cancellation or a considerable increase in their insurance premiums due to fraudulent, incorrect documented medical conditions and claim billing activity. Errors in medical files can be very hard to identify and correct, nearly impossible to detect.

10 Advanced Risk Management Solutions ÂŠ 2008

Identity Theft Today Victims of medical identity theft are not extended the same rights and protections as victims of financial identity theft. If your record is tainted and/or ruined by inaccurate information, there is often no way to correct it. For example, information in a hospital database may be forwarded to a doctor for assessment and then added into his/her database, depending on diagnosis potentially damaging information may be forwarded to the Centers for Disease Control. Information in the doctor's database may then be forwarded to an insurance company for billing purposes, and entered into that company's database. Information from the insurance company database may then be passed on to the Medical Information Bureau database (M.I.B File), used by many health care providers and insurance companies. At this point, all of these databases have become tainted with the incorrect health information, and correcting them all is nearly impossible.

Driver's License Identity Theft: Capitalizing on the systems flaws and diversity of procedures from State to State and international law, thieves can make use of the victim's personal identifying information and forge or easily obtain personal documents, such as a birth certificate, in order to obtain a driver's license or government-issued identification card in the victim's name. Victims of driver's license ID card theft may unexpectedly discover that a thief's actions have resulted in charges of DUI or DWI or any number of other driving-related offenses. Suspended or revoked driving privileges for unpaid fines, or sudden arrest during a routine traffic stop for outstanding warrants for "Failure to Appear in Court". In these kinds of situations the victim may need the assistance of a qualified attorney to resolve the matter, particularly in cases involving criminal charges, driver insurance surcharges and unpaid fines. It can become very costly for a victim to clear their name particularly when traffic violations are documented in multiple jurisdictions. Driving-related offenses wrongly included in the victim's driving records may also cause an unexpected cancellation of the victim's automobile insurance, an inability to get insurance coverage, or a dramatic increase in insurance premiums on existing policies. Identity Theft criminals recognize that the Social Security or Social registry number, an individual's driver's license or state issued ID card number is the most widely utilized personal identifier. 11 Advanced Risk Management Solutions ÂŠ 2008

Identity Theft Today This is extremely dangerous because in the United States (for instance) the driver's license is effectively a form of National Identification used for check verification databases and for passenger identification by the TSA. Making it possible for an identity theft victim to be linked to organized crime and/or, in extreme cases terrorism, causing a potentially critical security risk dilemma for the victim, their family, friends and associates.

Criminal Identity Theft: In cases of "criminal identity theft", or the abuse of the victim's information in contact with law enforcement, the end results are often a wrong criminal record for the victim, outstanding arrest warrants, and even temporary incarceration. In some cases, the victim may be, without explanation fired from their place of employment due to an "undisclosed conviction" discovered during a background check or security clearance update. This type of Identity Theft can have a devastating and long-lasting effect on the victim. It can often be very hard to fully resolve, if ever, and the victim will most likely require legal representation which can be very costly. Criminal convictions are also usually entered into public records, which can further damage future employment opportunities, security clearances, insurance premiums, and pose a range of other significant potentially lifelong challenges for the victim. Once incorrect criminal information is entered or connected to the victim's name in a number of record databases, it can be extremely difficult or impossible to have it completely corrected. It may still result in a permanent alias or a.k.a (Also Known As) entry attached to the victim's records. In more severe cases, some victims have only been able to detach themselves from the impostor by legally changing their names, while others must carry court documentation with them at all times in order to prove to law enforcement that they are not the person being sought for crimes or arrest warrants.

12 Advanced Risk Management Solutions ÂŠ 2008

Identity Theft Today

CASE STUDY EXAMPLES Actual Loss: the Extremes In a case representative of a zero dollar loss, a Houston area task force was contacted by a bank fraud investigator concerning an employee of the bank who was involved in a fraudulent transaction. The bank employee, the single defendant in the case, applied for and received a loan in another individual’s name. When the car dealership refused the loan check because it was not made out in the defendant’s name, he attempted to deposit it into his account at the bank where he was an assistant manager. He had applied for the loan online, using the victim’s Social Security number, date of birth, and home and work phones. The defendant changed the victim’s first name from Jane to Jan, and used his own address and utility bill. The victim was unaware of the car loan, but knew that someone had attempted to apply for a credit card using her personal identifiers. In another case where the actual loss was $13,000,000, a bank investigator contacted the Dallas Secret Service field office concerning a case of identity theft related to bank fraud. The defendant, acting alone, used false information about his identity and financial status to receive millions of dollars of loans to purchase luxury vehicles. He used the identity of a person serving life in prison for several of these, as well as to open credit accounts and buy two houses. He also used the identities of incarcerated individuals to establish several shell companies and attract investors, whom he subsequently defrauded.

A “Typical” Case The victim contacted the Newark, New Jersey field office in August 2002. He reported that he had received numerous credit card account statements from retail stores, none of which he had authorized. The case’s primary classification was Fraudulent Use of Account Numbers. One of the secondary classifications was Identity Fraud. The defendant had purchased a birth certificate and W-2 form in the name of the victim. He used those to obtain a duplicate driver’s license, which he used to open store credit card accounts in the local area. The actual loss was $13,175. The case fell under federal jurisdiction. The defendant pled guilty to charges of 18 USC 1029(a)(2), Access Device Fraud, and was sentenced to 18 months in prison, 3 years of probation, and ordered to pay $13,175 in restitution. The case was closed in March 2004. 13 Advanced Risk Management Solutions © 2008

Identity Theft Today Motivating Factor: Supporting a Drug Habit In this case, which was opened in 2003, the three defendants worked together to steal mail from mailboxes in suburban towns when they needed money to support their methamphetamine habit. They looked for mail containing government, payroll, and personal checks and personal identifiers. One defendant used his computer to produce counterfeit state driver’s licenses, Social Security cards, and counterfeit checks. Each of the defendants was sentenced to incarceration and probation.

Identity Theft through Employment The defendant was employed by a cleaning service (service industry) and cleaned the victim’s residence. While on the job, he stole the brokerage account number belonging to the victim’s company and through telephone transfer, using the victim’s date of birth and Social Security number, had $80,000 placed in a bank account. He later withdrew it, placed it in another bank account, and used the money to purchase a vehicle. The victim was on an airplane at the time of the call requesting the transfer. He became aware of the fund transfer when the brokerage called him to confirm the transaction.

One Offender – Several Opportunities and Roles The offender purchased a fake ID from www.counterfeitlibrary.com and used it to procure a mailbox at Mailboxes Etc., as he needed an address to use in selling counterfeit DVDs that he obtained from Taiwan on eBay (auction fraud). Using www.counterfeitlibrary.com, the defendant purchased a fraudulent ID from an individual in England and used it to obtain a pre-paid credit card from Rite-Aid in another’s name. He also bought a counterfeit birth certificate and a Netbank account in another name, and received information on setting up Netbank accounts. He traded Netbank account information for credit card information. He also purchased 10 blank counterfeit birth certificates. While working as a temporary employee at an insurance company, he stole the names and personal identifiers of approximately 12 people and used them to obtain pre-paid credit cards using counterfeit licenses which he manufactured on his home computer. He purchased and used personal identifiers and credit card information to add users to the account, to get additional cards, and to change the address

Identity Theft Today A small level group crime case Defendant two obtained personal identifying information from a source at a state Secretary of State office, for the purpose of selling it to people who needed to change their identities. Defendant one bought information, as well as birth and marriage certificates, from him and used them to obtain a driver’s license and Social Security number. She obtained several credit cards in the names and paid the bills for them. She used the false name at her place of employment and later received disability checks in that name. She also filed income taxes in that name. She stated that she had to change her identity to protect herself from the family of a person whom her brother murdered in self-defense approximately 30 years ago. Neither defendant had a prior arrest history.

Roles taken in an organized group case In a case with 16 defendants, the group used unauthorized credit card numbers to purchase airline tickets in their own names and to reserve hotel rooms through websites. They also used the names of others and driver’s licenses in those names as identification when flying. Several of the defendants accessed workplace computers to obtain customers’ personal identifying information, which they distributed to the rest of the group. Billing documents were also used as a source of personal identifying information. One defendant skimmed credit card numbers (other) at hotels where she was employed. Two of the defendants were involved in distributing the information to others in the group. Three of them directed others. For example, they instructed and paid others to purchase tickets for them. They all used the stolen personal identifying information for their own use – purchasing tickets and booking hotel rooms for travel to various cities where a social organization to which they all belonged held meeting.

Offender Methods: Internet Alone The defendant in this case employed pharming to create duplications of an opera house website in at least 9 cities worldwide. When customers attempted to purchase opera tickets, the defendant captured their personal identifying information – names, addresses, phone numbers, and credit card numbers. The customers either received tickets at a higher cost or to a performance other than the one they requested. Some customers did not receive tickets. 15 Advanced Risk Management Solutions © 2008

Identity Theft Today Using Computers to Produce Documents The defendant procured personal identifying information by placing ads in newspapers stating that he was hiring and would accept applications at a local hotel. He would interview the individuals and collect their applications which included Social Security numbers, dates of birth, and bank account information for direct deposit of a payroll check. He would then create birth certificates and employment cards on a computer and use them to get driver’s licenses with his photograph and others’ names. He used the driver’s licenses to open bank accounts. He then manufactured counterfeit checks with the victims’ names on the computer.

Point of Compromise: A Business This case originated when a bank fraud investigator contacted the Secret Service. The defendant was employed at a candy store and was terminated for stealing cash from the register during transactions. He also skimmed credit cards while employed there. Two major credit card issuers identified the business as a common purchase point for credit cards that were later used as counterfeit credit cards. The defendant admitted that he was paid by another person to skim the credit card numbers. The other person then used them to produce counterfeit credit cards which he sold with corresponding counterfeit identification documents.

Point of Compromise: A Family Member The victim in this case notified the Secret Service regarding the fraudulent use of her identity. Her ex-husband used her information to open two American Express card accounts and make charges to them. The defendant completed the credit card applications via the Internet.

Identity Theft Today Identity Theft through Employment: Hospital The defendant, whose first and last name were the same as the victim’s, used her position as a hospital employee to gain access to patients’ personal identifiers. The victim had given birth in the hospital and the defendant accessed her identifiers, which she used to obtain several credit card accounts. The victim became aware of the unauthorized accounts when she was contacted by Discover concerning a credit card for which she had not applied. She then obtained her credit history and found other retail credit card accounts which she had not authorized.

Victimization of Financial Services Industry In a case brought to the attention of the Secret Service by a bank fraud investigator in 2004, the defendant used his deceased’s father’s Social Security number and name to obtain three loans and a credit card from the bank. He secured a vehicle loan from another bank and paid it off with a loan from a third bank, which he obtained with the same identifiers. He opened checking accounts using the fraudulent information at each of the banks. He admitted using a false income tax form to show income high enough to qualify for the loans. The defendant confessed that he used his father’s Social Security number and name to open all of the accounts and credit cards, and to apply for the loans. At the time of this criminal behavior, he was a resident of a halfway house on supervised release for a prior federal criminal conviction for financial fraud. He pled guilty to Social Security Fraud (42 USC 408(a)(7)(b) and was sentenced to two years of incarceration, three years of probation, and $64,000 in restitution.

Offender-Victim Relationship: Caretaker-Employer In this case, the defendant was employed by a blind man who owned a management company. The defendant, a white female in her forties, embezzled over one million dollars in approximately three and a half years. Her employer trusted her implicitly and signed whatever documents she directed him to. Thus, she was able to make purchases, bill them to her employer, and pay for them from his personal checking account. She issued checks from his account, which he signed, to pay her personal bills, including credit cards, tuition, vacations, medical expenses, clothing, jewelry, insurance policies, and home improvements. She used his date of birth and Social Security number to obtain unauthorized credit card accounts in his name and requested a second card for the accounts in her name. She also changed the address on the cards to her own. She used wire transfer and computer generated checks on his revocable trust and limited partnership checking accounts to pay the credit card bills. 17 Advanced Risk Management Solutions © 2008

Identity Theft Today

Business Considerations and the Law By now, conducting financial and business transactions online on "secure" sites has become a commonplace convenience. But, as we are reminded from time to time, it is not entirely safe to entrust confidential personal information to others. Just such a reminder occurred in late May 2006, when the U.S. Department of Veterans Affairs disclosed that the confidential personal information of about 26.5 million people, including their Social Security numbers, had been stolen when a Virginia analyst took data home and his home was burglarized. According to the Privacy Rights Clearinghouse, a non-profit organization, the theft brought the number of identities compromised since 2005 to over 80 million. Indeed, according to a Wall Street Journal article prompted by the VA incident, identity theft has become such a concern for employers, both in terms of potential liability and lost productivity, that some are providing a new employee benefit: "identity theft resolution services," i.e., someone to deal with the employees' legal and credit problems when a theft occurs. What are the legal liabilities a company faces when someone breaches the company's security and accesses employee or customer confidential information? More than half the states have legislation addressing this problem. This article focuses on federal statutes that expose companies to potential civil and criminal liability for failing to take adequate steps to prevent the theft.

THE FEDERAL TRADE COMMISSION ACT The Federal Trade Commission Act prohibits "unfair or deceptive acts or practices in or affecting commerce," and Â§5(a) of that Act empowers the FTC to commence civil actions against companies that violate the act. A number of cases in recent years have charged companies with violating the act by failing to adhere to their own privacy policies with respect to customers' personal information. For example, the FTC recently brought a number of actions stemming from companies' failures to use reasonable measures to prevent consumer information from being accessed by viewers of company Web sites. Each company entered into a consent agreement requiring it to implement a comprehensive information security program, not misrepresent the extent of its information protections and conduct periodic independent audits of its security program.

18 Advanced Risk Management Solutions ÂŠ 2008

Identity Theft Today THE GRAMM-LEACH-BLILEY ACT Title V of the Gramm-Leach-Bliley Act requires financial institutions to take steps to protect their customers' data, and imposes possible civil and criminal sanctions for noncompliance. Subsection I authorizes the applicable regulatory agency to promulgate appropriate standards for financial institutions to ensure that customer records and information are adequately safeguarded from unauthorized access. 15 U.S.C. §6801(b). Subsection I also imposes a duty on financial institutions to notify customers prior to any disclosure of their personal information to third parties and offers the customer an opportunity to direct that the information not be disclosed. 15 U.S.C. §§6802(a) & (b). Subsection II prohibits any person from disclosing or causing to be disclosed customer information under false pretenses. 15 U.S.C. §6821(a). Violations of the provisions of subsections I and II are punishable by civil and criminal penalties. 15 U.S.C. §6823.

HIPAA The Health Insurance Portability and Accountability Act imposes obligations on health care providers to safeguard personal information. A person who knowingly obtains or discloses confidential health information about a patient is subject to fines and imprisonment. Wrongful disclosure of individually identifiable health information carries up to a year in prison and up to a $50,000 penalty. If the wrongful disclosure is under false pretenses, the maximum term rises to 5 years, and the monetary penalty to $100,000. If the disclosure was with an intent to sell, transfer or use for commercial advantage, personal gain or to inflict malicious harm, the maximum sentence increases to 10 years, with a fine of up to $250,000. 42 U.S.C. §1177. In a June 1, 2005 opinion, the Justice Department Office of Legal Counsel announced that because the regulations establishing privacy standards under HIPAA applied only to "covered entities," the HIPAA criminal provisions did not reach individual employees. The Department noted, however, that those employees could still be prosecuted for identity theft and fraudulent use of a computer (see below).

THE FAIR AND ACCURATE CREDIT TRANSACTIONS ACT The Fair and Accurate Credit Transactions Act imposes liability on consumer reporting agencies that do not maintain "reasonable procedures designed to avoid" improper disclosure of information. 15 U.S.C. §1681e. Such agencies must require anyone seeking information contained in a consumer report to identify themselves, certify the purpose for which they are seeking the information and certify that they will not use the information for any other purpose. 15 U.S.C. §1681e.

Identity Theft Today

A violation of FACTA can result in civil liability, including punitive damages if the violation was willful. 15 U.S.C. §1681n. FACTA also imposes criminal liability on any officer or employee of a consumer reporting agency who knowingly and willfully discloses an individual's personal information to an unauthorized person. 15 U.S.C.

§1681r.; 18 U.S.C. §§1028 and 1028A; 18 U.S.C. §1028. One of the primary vehicles for prosecuting identity theft is 18 U.S.C. §1028, which is a general criminal statute prohibiting fraud in connection with identification documents. In 1998, Congress enacted the Identify Theft and Assumption Deterrence Act, which amended 18 U.S.C. §1028 to criminalize the knowing transfer or use, without lawful authority, of "a means of identification of another person" with the intent to commit, or to aid or abet, any violation of federal law. 18 U.S.C. §1028(a)(7). "Means of identification" is defined broadly to include any name or number that may be used to identify a specific person, including any name, Social Security number, date of birth, officially issued driver's license or identification number, alien registration number, government passport number, or employer or taxpayer identification number. 18 U.S.C. §1028(d)(4). If convicted under this statute, a defendant faces up to 15 years in prison if he obtained anything in value aggregating $1000 or more during a 1-year period. 18

U.S.C. §1028(b)(1)(D). Concerned with potential use of the Internet as a means of committing identity theft, Congress passed the Internet False Identification Prevention Act in 2000. This act further amended §1028 to prohibit the transfer of false identification information over the Internet. It also charged the Attorney General and Secretary of the Treasury with establishing a committee of agency heads to ensure that the creation and distribution of false identification documents is vigorously investigated and prosecuted. In 2004, Congress again addressed the growing problem by passing the Identity Theft Penalty Enhancement Act, 18 U.S.C. §1028A, which significantly increased the penalties by adding a 2-year sentence to anyone who knowingly possesses, transfers or uses a means of identification of another person without lawful authority. The Act also prohibits courts from imposing sentences of probation on persons convicted of identity theft, mandates, with limited exceptions, that sentences for identity theft run consecutively with any other term of imprisonment, and directs the U.S. Sentencing 20 Advanced Risk Management Solutions © 2008

Identity Theft Today

Commission to amend Guideline §3B1.3 (Abuse of Position of Trust), which adds two points to the base offense level, to apply to offenses in which the defendant "exceeds or abuses the authority of his or her position in order to obtain unlawfully or use without authority any means of identification."

18 U.S.C. §1030 The Computer Fraud and Abuse Act, 18 U.S.C. §1030 (1986), makes it a federal criminal offense to access and obtain information from protected computers without authorization. This statute has been used to prosecute individuals who obtained personal identification information from third-party computer systems. For example, in U.S. v. Ivanov, 175 F.Supp.2d 367 (D. Conn. 2001), the defendant was convicted and sentenced to 48 months for hacking into the computer system of an e-commerce business that hosted Web sites and processed credit transactions and stealing passwords that gave the hacker access to the entire network. But unauthorized access alone may not be enough to convict. The 1st Circuit reversed a conviction under 18 U.S.C. §§1343 and 1030 in U.S. v. Czubinski, 106 F.3d 1069 (1st Cir. 1997), where the defendant, a Contact Representative in the Boston office of the Taxpayer Services Division of the IRS, had access to the taxpayer information of everyone stored in the IRS's Integrated Data Retrieval System, and knowingly disregarded IRS policy by accessing this information outside of the scope of his employment. However, no evidence was introduced at trial showing that he used the information. The 1st Circuit held that the defendant had not violated the wire fraud statute because he had not "deprived" anyone of a protected right. Similarly, he had not committed computer fraud because §1030 requires that a defendant personally benefit or further some scheme of fraud in order to be criminally liable.

Identity Theft Today **Authors Noted Comment for Business Owners : Controversial pending federal legislation that would preempt state data-breach notification laws may change the statutory framework discussed above. In addition, courts have begun to recognize common law remedies for people injured by identity theft. For example, recent cases in New York and Michigan have recognized private causes of action for identity theft. Jones v. Commerce Bancorp, Inc., 2006 WL 1409492 (S.D.N.Y. 2006); Bell v. Michigan Council 25 AFSCME, 2005 Mich. App. Lexis 353 (Mich. Ct. App. 2005). Clearly, the legal landscape is in flux. The need for corporate counsel to monitor the situation is underscored by the Office of Legal Counsel's reminder in its June 1, 2005 opinion that "in general, the conduct of an entity's agents may be imputed to the entity when the agents act within the scope of their employment, and the criminal intent of agents may be imputed to the entity when the agents act on its behalf."

Wilma Ariza, Certified Risk Management Specialist Independent Associate PrePaid Legal Services Inc. Business Consultant & Privacy Rights Educator Toll Free Televox 866-292-7938 Email warizac@gmail.com

www.prepaidlegal.com/hub/mquarles19

22 Advanced Risk Management Solutions ÂŠ 2008

Identity Theft Today

Conclusion There is no doubt that public and private sector literature, media coverage, special reports and public service announcements concerning ―identity theft‖ prevention methods have been instrumental in educating the public about the threat and consequences of the most prevalent form of identity theft., credit fraud. Some characterizations have emphasized identity theft as more of a stranger-to-stranger crime. Others have underscored the importance of not falling into a level of complacency that would open the doors for friends and relatives to take advantage of the unwary victim. Still other descriptions have focused on the methods practiced, ranging from relatively simplistic acts such as ―dumpster diving‖ and mail theft to more sophisticated criminal activities that depend upon the victim’s and offender’s use of the Internet. While provocative, much of the widely distributed information is based upon surveys and reports that often leave key questions unanswered from an empirical standpoint. The open ended question that remains and is clearly underestimated by media accounts, businesses, government and the general public; ―How do we, as private citizens in a global economy, protect all of our identity subtypes from the implied threat of abuse ? Our personal identifying data information and financial information is already stored in hundreds, maybe even thousands of private and public databases in the United States and around the world, outside of our control ! Clearly proactive prevention measures are not a strong enough line of protection and we must defensively prepare ourselves financially and legally for the challenge of identity restoration once victimized. Wilma Ariza, Certified Risk Management Specialist

www.prepaidlegal.com/hub/mquarles19

Identity Theft Today

References Dadisho, Ed (2005, February). Identity Theft and Police Response: Prevention. The Police Chief. Retrieved May 23, 2007 from http://www.policechiefmagazine.org/magazine/index.cfm?fuseaction=displ ay_arch&article_id=510&issue_id=22005 Federal Trade Commission. FTC Issues Annual List of Top Consumer Complaints. Retrieved June 17, 2007 from http://www.ftc.gov/opa/2007/02/topcomplaints.shtm The Presidentâ&#x20AC;&#x2122;s Identity Theft Task Force (2007, April). Combating Identity Theft: A Strategic Plan. United States Secret Service. Identity Crimes. Retrieved May 15, 2007 from www.secretservice.gov/criminal.shtml Identity Fraud Trends and Patterns :Building a Data-Based Foundation for Proactive Enforcement October 2007 Center for Identity Management and Information Protection Utica College Identity Theft. Someone is Watching You! Momentum Media a division of Video Plus Inc (2003) Newman, John Q, Identity Theft: The Cyber Crime of the Millenium, Loompanics Unlimited (1999)

24 Advanced Risk Management Solutions ÂŠ 2008

Identity Theft Today

Resources

Consumer Action

www.consumeraction.org

Junkbusters

www.junkbusters.com

Urban Legends

www.snopes2.com

National Fraud Information Center

www.fraud.org

National Consumer League

www.nclnet.org

Federal Trade Commission

www.FTC.gov

Identity Theft Resource Center

www.idtheftcenter.org

Internet Fraud Watch

www.fraud.org/internet/intset.htm

Identity Theft Resource Center

www.idtheftcenter.org/index/shtml

Identity Theft Shield

www.prepaidlegal.com/idt/mquarles19

25 Advanced Risk Management Solutions ÂŠ 2008