Identity theft
From The IT Law Wiki
Background
Identity theft is a form of fraud in which the personally identifiable information of an individual, such as a Social Security number, name, or date of birth, is co-opted by another person to facilitate committing a criminal or fraudulent act by impersonating the victim.[1] As Senator Jon Kyl, Chairman of the Senate Judiciary Subcommittee on Technology, Terrorism and Government Information, put it, “there are few clearer violations of personal privacy than having your identity stolen and used in the commission of a crime.”[2]
Identity theft, also sometimes referred to as identity fraud, does not usually occur as a stand-alone crime. Instead, identity theft is often committed as part of some other fraud or white-collar crime, including fraud on existing accounts — such as unauthorized use of a stolen credit card number — or fraudulent creation of new accounts — such as using stolen data to open a credit card account in someone else’s name. An identity thief could also take other actions on behalf of the victim, such as establishing residency/citizenship, securing employment, obtaining government benefits, and committing other crimes in the victim’s name. In addition, identity theft can play a facilitating role in potentially more violent crimes such as drug trafficking, people smuggling, and international terrorism.[3]
Identity theft can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information,[4] either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves. While identity theft is not solely an Internet issue, a number of high-profile data security breaches involving the personally identifiable information (PII) of citizens and consumers have drawn significant attention to the issue.
According to the FTC, identity theft is the most common complaint from consumers in all fifty states, and complaints regarding identity theft have grown for four consecutive years. According to the FTC, millions of Americans have their identities stolen each year. Roughly 85% of these cases involve the misuse of existing accounts and 35% involve new account creation or other fraud. (Twenty percent of the total involve both.)
Victims of identity theft may incur damaged credit records, unauthorized charges on credit cards, and unauthorized withdrawals from bank accounts. Sometimes, victims must change their telephone numbers or even their social security numbers. Victims may also need to change addresses that were falsified by the impostor. With media reports of information security breaches increasing, concerns about new cases of widespread identity theft have received significant attention in Congress.
In 2007, identity theft alone cost businesses over $40 billion.[5] The average data breach today will cost businesses $192 per incident.[6] According to a Ponemon Institute study, almost 33% of customers surveyed stated that they would cut ties with a company that had a data breach.[7]
Public disclosures of identity thefts have heightened interest in the security of sensitive personal information;[8] security of computer systems; applicability of federal laws to the protection of sensitive personal information; adequacy of enforcement tools available to law enforcement officials and federal regulators; business and regulation of data brokers;[9] liability of retailers, credit card issuers, payment processors, banks, and furnishers of credit reports for costs arising from data breaches; remedies available to individuals whose personal information was accessed without authorization;[10] prosecution of identity theft crimes related to data breaches; and criminal liability of persons responsible for unauthorized access to computer systems.[11]
Federal Legislation
Several laws restrict the disclosure of consumer information and require companies to ensure the security and integrity of the data in certain contexts:
- Section 5 of the FTC Act
- Fair Credit Reporting Act of 1970 (FCRA)
- Gramm-Leach-Bliley Act Privacy and Safeguards Rules
- Health Insurance Portability and Accountability Act Privacy and Security Rules (HIPAA)
Congress also has passed several laws specifically related to identity theft:
- Identity Theft and Assumption Deterrence Act of 1998
- Fair and Accurate Credit Transactions Act of 2003 (FACT)
- Identity Theft Penalty Enhancement Act of 2004
References
- The Federal Trade Commission (FTC) defines identity theft as “a fraud committed or attempted using the identifying information of another person without authority.” 69 Fed. Reg. 63933.
- Identity Fraud Protection, Hearings on Identity Theft Before the Subcomm. on Technology, Terrorism, and Gov't Info., 105th Cong. (May 20, 1998).
- General Accounting Office, Identity Fraud: Prevalence and Links to Alien Illegal Activities 10 (GAO-02-830T, June 25, 2002).
- Personal information can include name, SSN, account number, password, or other information linked to an individual.
- Javelin Strategy and Research survey (Feb. 2008).
- Ponemon Institute, 2007 Annual Study: Cost of Data Breach.
- Id.
- BNA Privacy & Security Law Report, "Data Security Legislation Expected to Face Big Challenges," 8 PVLR 51, Jan. 12, 2009.
- See U.S. Government Accountability Office, Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data 56, GAO-06-674, June 26, 2006.
- See Gina Marie Stevens, "Federal Laws Related to Identity Theft" (CRS Report RL31919).
- See Charles Doyle, "Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws" (CRS Report 97-1025).
