Order in the Court

April 2005

In an era where identity theft victims often suffer much more than the convicted perpetrators, members of Congress have been working hastily to intensify the punishments for committing the heinous crime of identity fraud.

Attention please!

Recent high-profile database compromises, along with earth-shattering statistics revealing an estimated 9 million identity theft victims in 2004, have forced government officials and consumers alike to acknowledge identity theft as a legitimate threat to society.

ChoicePoint, a massive data broker that has aggregated more than 17 billion public records including virtually every consumer in America, has lately found itself at the center of a widely publicized identity theft case. According to ChoicePoint's own estimates, more than 145,000 personal records have been breached through a fraud ring that established dozens of fraudulent business accounts with the database giant, with the sole intent of obtaining access to sensitive information.

LexisNexis, of Dayton, Ohio, recently sent letters to nearly 310,000 individuals who have been left vulnerable due to a massive compromise of sensitive personal information from both public and private sources, including drivers' license and Social Security numbers. Although the organization is offering free services to those affected, such as fraud insurance and credit bureau reports, the sensitive information could already be in the hands of the criminals.

In February of this year, Bank of America lost computer data tapes containing personal information on an estimated 1.2 million federal employees, including some members of the U.S. Senate. The missing information includes Social Security numbers and account data for government employees who used Bank of America charge cards for travel and expenses.

The Golden State

The state of California is no lightweight when it comes to identity theft, representing more than 10 percent of the total estimated U.S. victims in 2004. California's identity theft epidemic has gained much attention in recent years, and many officials have become adamant on seeking a solution.

The state's universities have been the most widely publicized target in 2005, with database breaches affecting both UC Berkeley and UC San Francisco. A laptop at UC Berkeley was stolen that contained Social Security numbers and other information for more than 98,000 students and faculty. In a similar situation, more than 7,000 Social Security numbers were pilfered from UC San Francisco. The health care industry has had its share of problems as well — for instance, a compromise at San Jose Medical Group put the information of more than 185,000 patients at risk.

Almost two years ago, California adopted a database compromise notification law, still the only such law in the United States. The law forces organizations that experience a database compromise to immediately notify any individuals placed at risk. This statute can be credited with the public disclosure of many large-scale database compromises, including the LexisNexis and ChoicePoint incidents — and, thus, for making the public more aware of the fastest-growing crime in the U.S. Currently, 30 other states are following California's lead by considering a mandatory disclosure law.

A slap on the wrist

California State Senator Chuck Poochigian believes strongly that punishments for committing identity-related crimes must be made more harsh, and has introduced the Identity Theft Traffickers Act (Senate Bill 839), which should enable the state of California to more effectively prosecute these types of criminals.

"Identity theft has become an extremely lucrative and low-risk crime that is relatively easy to get away with, contributing to the rapid surge in cases," states Poochigian. "Criminals can make just as much money 'dumpster diving' and selling or using information from an unsuspecting victim's discarded mail as they can holding up a minimart — why risk going to jail for life?"

Currently, many identity theft laws and punishments are not aligned, allowing for weaker penalties due to technicalities. For example, a thief caught with an illegal credit card number or Social Security number (not the actual card) would be charged with a misdemeanor, whereas a criminal caught with the card itself would be charged with a felony. Nowadays, illicit transactions are frequently done via the Internet or telephone, where a card need not be present, and thus the discrepancy between the two types of criminals doesn't make much sense.

U.S. Senator Dianne Feinstein of California is also pushing to crack down against identity-related crimes. Currently, the notification law described earlier covers only unencrypted electronic data breaches, whereas her new bill proposal includes both electronic and non-electronic data, as well as encrypted data. Feinstein is also proposing that individuals be able to place a seven-year fraud alert on their credit reports, and is lobbying to establish specific criteria that must be included in a fraud notice.

"Right now, consumers don't know the depth or breadth of the problem," said Feinstein. "The fact of the matter is that your buying habits, your bank accounts, your Social Security number, your drivers license — all of your personal data — today is being collected, collated, distributed, bought, sold — without your knowledge or consent."

First-hand experience

Although many California officials are pushing to reform and strengthen laws related to identity theft, they aren't alone in this task. Oftentimes a punch in the dark will bring light to a situation, and this has been the case with Texas State Representative Helen Giddings.

Helen Giddings had herself become a victim of identity theft last year. While anxiously awaiting newly ordered checks in the mail, she became weary of waiting and decided to call her bank, who informed Ms. Giddings — to her great surprise — that two of the checks had already cleared the account. As time passed, more checks were cashed from numerous retail stores, and immediately the helplessness of becoming an identity theft victim set in.

"It is very, very, very emotional when you feel so helpless, and there seems to be nothing that you can do to put an end to this or to get your reputation back," she said. "It is just a paralyzing experience."

After personally experiencing the dark emotions of becoming a victim of identity theft, and more than $40,000 later, Giddings decided she would do something about it. She proceeded to write 11 pieces of legislation, one of them calling for jail time for certain offenses, which has already been approved by the House. Giddings' main initiative is to require companies that produce and send checks through the mail to obtain customers' signatures on delivery.

Another piece of legislation authored by Giddings will require stores with check verification systems to clear any red flags that are due to identity theft, assuring that the victim can rightfully make purchases. This idea came from the humiliation Giddings herself felt when she attempted to pay for her Thanksgiving groceries, but was declined because of the fraudulent activity on her account.

Follow the leader

With identity theft being our country's fastest-growing crime, many new initiatives are being enacted with the aim of thwarting these criminals. It's only a matter of time before each state, and the federal government, follows in the lead of those individuals determined to put an end to the crime of identity theft.