Identity theft

From The IT Law Wiki

Contents 1 Definition 2 Overview 3 Federal Legislation 4 References 5 See also

[edit] Definition

The Federal Trade Commission (FTC) defines identity theft as “a fraud committed or attempted using the identifying information of another person without authority.”^[1]

The OECD has stated that: "ID theft occurs when a party acquires, transfers, possesses, or uses personal information of a natural or legal person in an unauthorised manner, with the intent to commit, or in connection with, fraud or other crimes."^[2]

The U.N. Intergovernmental Expert Group has defined "identity theft" as:

occurrences in which information related to identity, which may include basic identification information and in some cases other personal information, is actually taken in some manner analogous to theft or fraud, including theft of tangible documents and intangible information, the taking of documents or information which are abandoned or freely available, and the deception of persons who have documents or information into surrendering them voluntarily.^[3]

The term "identity theft" was defined in the United Kingdom, as “the act whereby someone obtains sufficient information about an identity to facilitate identity fraud ('ID fraud'), irrespective of whether, in the case of an individual, the victim is alive or dead.”^[4]

[edit] Overview

Identity theft is a form of fraud in which the personally identifiable information of an individual, such as a Social Security number, name, or date of birth, is co-opted by another person to facilitate committing a criminal or fraudulent act by impersonating the victim. As Senator Jon Kyl, Chairman of the Senate Judiciary Subcommittee on Technology, Terrorism and Government Information put it, “there are few clearer violations of personal privacy than having your identity stolen and used in the commission of a crime.”^[5]

Identity theft, also sometimes referred to as identity fraud, does not usually occur as a stand-alone crime. Instead, identity theft is often committed as part of some other fraud or white-collar crime, including fraud on existing accounts — such as unauthorized use of a stolen credit card number — or fraudulent creation of new accounts — such as using stolen data to open a credit card account in someone else’s name. An identity thief could also take other actions on behalf of the victim, such as establishing residency/citizenship, securing employment, obtaining government benefits, and committing other crimes in the victim’s name. In addition, identity theft can play a facilitating role in potentially more violent crimes such as drug trafficking, people smuggling, and international terrorism.^[6]

Identity theft can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information,^[7] either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves. While identity theft is not solely an Internet issue, a number of high profile data security breaches involving the personally identifiable information (PII) of citizens and consumers has drawn significant attention to the issue.

According to the Federal Trade Commission, identity theft is the most common complaint from consumers in all 50 states, and accounts for over 35% of the total number of complaints the Identity Theft Data Clearinghouse received for calendar years 2004, 2005, and 2006. In calendar year 2006,^[8] of the 674,354 complaints received, 246,035 or 36% were identity theft complaints.^[9] With continued media reports of data security breaches,^[10] concerns about new cases of identity theft are widespread.

Victims of identity theft may incur damaged credit records, unauthorized charges on credit cards, and unauthorized withdrawals from bank accounts. Sometimes, victims must change their telephone numbers or even their social security numbers. Victims may also need to change addresses that were falsified by the impostor. With media reports of information security breaches increasing, concerns about new cases of widespread identity theft have received significant attention in Congress.

In 2007, identity theft alone cost businesses over $40 billion.^[11] The average data breach today will cost businesses $192 per-incident.^[12] According to a Ponemon Institute study, almost 33% of customers surveyed stated that they would cut ties with a company that had a data breach.^[13]

Public disclosures of identity thefts have heightened interest in the security of sensitive personal information;^[14] security of computer systems; applicability of federal laws to the protection of sensitive personal information; adequacy of enforcement tools available to law enforcement officials and federal regulators; business and regulation of data brokers;^[15] liability of retailers, credit card issuers, payment processors, banks, and furnishers of credit reports for costs arising from data breaches; remedies available to individuals whose personal information was accessed without authorization;^[16] prosecution of identity theft crimes related to data breaches; and criminal liability of persons responsible for unauthorized access to computer systems.^[17]

[edit] Federal Legislation

Several laws restrict the disclosure of consumer information and require companies to ensure the security and integrity of the data in certain contexts:

• Section 5 of the FTC Act
• Fair Credit Reporting Act of 1970 (FCRA), and
• Gramm-Leach-Bliley Act Privacy and Safeguards Rules
• Health Insurance Portability and Accountability Act Privacy and Security Rules (HIPPA)

Congress also has passed several laws specifically related to identity theft:

• Identity Theft and Assumption Deterrence Act of 1998
• Fair and Accurate Credit Transactions Act of 2003 (FACT); and
• Identity Theft Penalty Enhancement Act of 2004.

[edit] References

1. ↑ 69 Fed. Reg. 63933.
2. ↑ OECD, Online Identity Theft 16 (2009).
3. ↑ U.N. Intergovernmental Expert Group, "Fraud and the Criminal Misuse and Falsification of Identity."(2007).
4. ↑ Home Office Identity Fraud Steering Committee (2006).
5. ↑ Identity Fraud Protection, Hearings on Identity Theft Before the Subcomm. on Technology, Terrorism, and Gov't Info., 105th Cong. (May 20, 1998).
6. ↑ General Accounting Office, Identity Fraud: Prevalence and Links to Alien Illegal Activities 10 (GAO-02-830T, June 25, 2002).
7. ↑ Personal information can include name, SSN, account number, password, or other information linked to an individual.
8. ↑ The last year for which Identity Theft Victim Complaint Data is available.
9. ↑ Federal Trade Comm'n, "Identity Theft Victim Complaint Data" (Feb. 7, 2007).[1]
10. ↑ See Nancy Trejos, "Identity Theft Gets Personal: When a Debit Card Number Is Stolen, America’s New Crime Wave Hits Home," Wash. Post, Jan. 13, 2008, at F01.
11. ↑ Javelin Strategy and Research survey (Feb. 2008)[2]
12. ↑ Ponemon Institute, 2007 Annual Study: Cost of Data Breach.[3]
13. ↑ Id.
14. ↑ BNA Privacy & Security Law Report, "Data Security Legislation Expected to Face Big Challenges," 8 PVLR 51, Jan. 12, 2009.
15. ↑ See U.S. Government Accountability Office, Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data 56, GAO-06-674, June 26, 2006.[4]
16. ↑ See Gina Marie Stevens, "Federal Laws Related to Identity Theft" (CRS Report RL31919).
17. ↑ See Charles Doyle, "Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws" (CRS Report 97-1025).

[edit] See also

• Account takeover
• Data breach
• Data breach analysis
• Data breach notification laws
• Identity fraud
• Identity Theft Data Clearinghouse
• Identity theft insurance
• Identity Theft Resource Center
• New account creation