Identify Theft- Module 3 of 5

Identify Theft- Module 3 of 5


Module 3: Identify Theft

 

Terry Dean Rogan was pulled over, arrested, and placed in a Texas jail four times over the course of two years based on an outstanding California warrant for a robbery and murder that he didn’t commit. How could this happen? Well, Terry was a victim of identity theft. In 1981, Alabama state prison escapee Bernard McKandes obtained Terry Rogan’s birth certificate in Michigan.  After relocating to California, he used the birth certificate to obtain a driver’s license and other identification documents under Rogan’s name. Los Angeles police misidentified Rogan as McKandes and arrested him several times. Not until police apprehended the real McKandes did they finally remove the arrest warrant from the national notification system. Ultimately, Rogan sued the City of Los Angeles and two police officers for violation of his Fourth Amendment rights. [1]   

          It’s an extreme example, but it demonstrates the need to protect personal identification documents such as birth certificates, driver’s licenses and social security cards. Identity theft “generally refers to any fraud that is facilitated by the unauthorized use of a third party's identifying information.”[2] It directly affects the lives of the victims and defrauds third parties such as banks, the government and insurance providers. According to the Department of Justice, over 16 million people experience identity theft yearly, causing financial losses close to $25 billion.[3] Victims may end up spending years to reestablish their credit.

In this module, we will study identity theft. We’ll learn about the federal and state law approaches to prevent identity theft, as well as enforcement of such laws. Finally, we’ll learn about private causes of action for identity theft and remedies available for such offenses.


Identity Theft

Identity theft can assume many forms.[4] It can occur via credit card fraud, where a thief opens a credit card account in a consumer’s name. It can be bank fraud, when the thief opens a checking or savings account in the victim’s name and writes fraudulent checks. Or, it can happen when a perpetrator obtains a loan using another’s identity.

The Federal Trade Commission tracks identity theft complaints. Studies show that tens of millions of people are victimized each year by identity thieves and fraudsters. The most common types of reported identity theft are credit card fraud and government benefits fraud (applying for benefits or tax refunds under another’s name).[5]

According to the federal Office for Victims of Crime, areas that may see increased identity theft include medical and employment-related identity theft, benefits fraud –  such as collecting someone else’s unemployment or welfare benefits- and intergenerational identity theft.  The latter may include parents using their children’s personal information or an adult child victimizing a parent.  A Federal Trade Commission study indicated that 16 percent of victims knew the thieves who stole their identities, as the thieves victimized their family members, roommates, neighbors, coworkers, employers or other acquaintances.[6] 


The Fair Credit Reporting Act and the 2003 Amendment

Identity thieves have evolved in their practices and so has the federal government in its responses to such illegal conduct. The Fair Credit Reporting Act of 1970- Congress’s first attempt to regulate creditors and credit reporting agencies and to protect consumer privacy- didn’t provide a great deal of insight on what an agency should do in case of identity theft. For instance, this law required credit reporting agencies to maintain “‘reasonable procedures’ designed ‘to assure maximum possible accuracy of the information’ in credit reports and ‘to limit furnishing of [such reports] to’ certain . . . purposes,” but did not specifically address identity theft.[7] Simply put, Congress hadn’t anticipated dealing with identity theft issues and didn’t legislatively prepare for it.

More than 30 years later, Congress recognized the changing nature of U.S. credit markets and recognized the rising tide of identity theft by amending the 1970 law in 2003. The amendment was called the Fair and Accurate Credit Transactions Act of 2003, and it added provisions designed to prevent and mitigate identity theft, including a section that enables a consumer to place fraud alerts in his credit files.[8] Think of the 2003 amendment as an “Identity Theft Victim’s Bill of Rights.”

Under the 2003 amendment, if a consumer believes that she is a victim of identity theft, she has the right to ask nationwide credit reporting agencies, such as Equifax or Experian, to place “a fraud alert” in her file to let potential lenders know that she has been, or is about to become, a victim of fraud or a related crime.[9] A fraud alert warns a prospective lender that a consumer may be a victim of identity theft and that it should take reasonable steps to verify a consumer’s identity before granting credit to a person claiming to be the consumer.[10] An initial fraud alert stays in the consumer’s file for at least 90 days and during this time, the consumer is entitled to a copy of all information in her file at each credit reporting agency.

Second, the 2003 amendment specified additional protections for a person who can show that she is an identity theft victim. A victim can ask for an “extended fraud alert” that will stay in her file for seven years if she can provide an identity theft report, which is a report filed with a federal, state, or local law enforcement agency regarding her stolen identity. An extended alert entitles the consumer to two free file disclosures from the credit reporting agency in a 12-month period following the placing of the alert.[11] The agency must provide the disclosure to the consumer within three business days of the request.[12]  

These additional disclosures can help the consumer detect signs of fraud and whether fraudulent accounts have been opened in her name or if someone has reported a change in her address.[13] During the seven years after the filing of the extended alert, a user of a credit report or a lender may not issue a new line of credit, new credit cards, or raise an existing limit without letting the consumer know or taking other reasonable verification precautions.[14] Additionally, as with the 90-day fraud alert, the credit reporting agency must refer the alert to the other nationwide agencies.

Furthermore, the 2003 amendment’s specifications on the extended fraud alert stipulated that an identity theft victim who has a seven-year extended fraud alert included in her file may have credit reporting agencies remove her name from marketing lists for “pre-approved” credit offers for five years starting on the date of the extended fraud alert.[15]


Other Federal Laws Targeting Identity Theft

Another applicable federal law is the Identity Theft Assumption Deterrence Act of 1998, which makes it illegal to knowingly produce an identification document of another person with intent to commit, aid or abet illegal activity and to knowingly traffic in or use false means of identification.[16] The Act also provides for forfeiture of property used in the fraud.[17] 

A third law is directed at the Internet, the Internet False Identification Prevention Act of 2000.[18] This law is intended to address the “proliferation of websites that distribute counterfeit identification documents and credentials over the Internet.”[19] The law expanded the scope of existing federal identify theft and fraud crimes to include the “transfer of a document by electronic means.”

Several federal agencies collaborate to enforce these federal laws. Those include the F.B.I., Secret Service, Postal Inspection Service, Social Security Inspector General, and Immigration and Customs Enforcement.[20] Federal law enforcement authorities also collaborate with international authorities as well as state and local law enforcement agencies. The Department of Justice has the job of prosecuting federal identity theft cases.[21]

Federal law imposes time limits on identity theft recovery, so a consumer should dispute a fraudulent transaction in a timely manner. 

In the case of unauthorized use of an ATM or debit card, if a victim reports an ATM or debit card lost or stolen within two business days of discovery, the consumer is not liable for more than $50.  If the victim waits to report the loss, but still reports it within 60 days after receiving the statement, the consumer could be liable for up to $500. If he doesn’t report within 60 days after receiving the statement, all the money in the account could be lost.[22]

For unauthorized use of a consumer’s credit card, the Fair Credit Billing Act limits liability for unauthorized credit card charges to a maximum of $50 per card.[23] To trigger the Fair Credit Billing Act’s protections, though, the victim must send a notice of the billing error to the card issuer within 60 days after the first bill containing the error was mailed.[24]  The 60-day notification deadline applies even if the identity thief changed the address on the victim’s account and so the victim did not receive the bill.

A creditor must also follow several deadlines. It must acknowledge a complaint in writing within 30 days after receiving it and resolve the dispute within two billing cycles, but not more than 90 days after receiving the victim’s letter.[25] While the consumer awaits resolution of the dispute, she need not pay the disputed amount and the creditor is prohibited from taking legal action or attempting collection of the disputed amount and may not report the consumer delinquent on the disputed portion of the bill. [26]


State Responses to Identity Theft

          While federal law targets and punishes identity theft and the financial harm that flows from it, state legislatures have also enacted laws to combat identity theft.[27] Most state laws contain restitution provisions, and some contain forfeiture provisions. Most states’ laws require private and government entities to notify consumers of security breaches involving personally identifiable information.

In the face of continuing data breaches, especially the 2017 breach of Equifax where hackers accessed people’s names, Social Security numbers, addresses, driver’s license numbers and stole credit card numbers for over 200,000 people,[28] states have enacted additional measures and amended existing security breach laws.

For example, in January 2018, Colorado state legislators introduced House Bill 1128, which was signed into law four months later.[29] The law requires Colorado businesses to inform customers within 30 days if their data has been compromised. Additionally, it requires companies and government agencies to develop policies ensuring that “unneeded records are destroyed and to implement and maintain security measures against data breaches.” It also requires businesses to notify the Colorado Attorney General of a data breach if it affects at least 500 people.[30]


Resources for Identity Theft Victims

The Federal Trade Commission devotes substantial resources to assisting victims or potential victims of identity theft. It has published a 131-page guide with checklists and form letters for attorneys and others focused on helping victims.[31] 

According to this guide, a victim of identity theft has three goals. First, she should immediately seek to stop or minimize further fraud from occurring.  Second, the victim should prove that identity theft occurred and that she’s not responsible for the debts incurred.  Finally, she should correct errors on her credit report to restore her financial reputation and credit score.

After confirmation of identity theft, the FTC recommends following these steps:

·       Step 1: Place an initial fraud alert on credit reports.  The alert lasts for 90 days and can be renewed every 90 days. The consumer only needs to contact one of the three consumer reporting agencies.   That agency must then contact the other two agencies on the victim’s behalf.

·       Step 2: Seek confirmation letters from all three reporting agencies of successful placement of the 90-day fraud alert.

·       Step 3: Review credit reports for evidence of additional identity theft.  If new account identity theft appears, the FTC recommends considering a credit freeze. This prevents new credit accounts unless the consumer lifts the freeze. The right to implement a credit freeze varies from state to state. But generally, the consumer reporting agencies will allow the freeze even if a consumers’ state does not specifically provide for it. 

·       Step 4: Contact each of the three consumer reporting agencies separately and possibly pay a nominal fee for the freeze. The Federal Trade Commission warns that fraud alerts and credit freezes can help, but they don’t protect consumers from transactions that do not involve pulling a credit report.

·       Step 5: Cancel or close any compromised bank, credit card or other account.

Proving that one is not responsible for a charge or series of charges can be difficult for a consumer, but there are tools to help avoid responsibility for fraudulent charges and to correct one’s credit report. These include the Identity Theft Affidavit and the Identity Theft Report. The Affidavit is a sworn statement that provides critical, detailed information disputing the charges or debts. The Identity Theft Report, for which the FTC provides a template, facilitates removal of inaccurate identity theft-related information from the credit report.  It requires the consumer to report the crime to law enforcement. The consumer is subject to criminal penalties if she files a false police report.[32] 

There are four benefits to filing an Identity Theft Report[33]:

o   It can block fraudulent information from appearing on a credit report;

o   It can prevent a furnisher of information (such as the bank) from refurnishing the contested information to a consumer reporting agency;

o   It can prevent collection of debts resulting from the identity theft; and

o   It makes the consumer eligible for an extended 7-year fraud alert.

Civil Remedies

          An identity theft victim can file a civil action for identity theft in many states. [34] In North Carolina, for example, a victim can sue the perpetrator for up to triple the actual damages, or $5,000, whichever is greater.[35] A state law claim may also be based on negligence, fraud, libel, or conspiracy to defraud.

In our next module, we will cover federal laws that protect consumers from unfair, deceptive and abusive acts and practices in advertising and marketing.

 



[1] Rogan v. City of Los Angeles, 668 F. Supp. 1384 (C.D. Cal. 1987). 

[5] Id; 9 Most Common Types of Identity Theft, Mountain Alarm, (June 14, 2016), https://www.mountainalarm.com/blog/9-most-common-types-of-identity-theft/.

[6] Growing Trends in Identity Theft, Office for Victims of Crimes, (Oct. 2010), https://www.ovc.gov/pubs/ID_theft/growingtrends.html.

[8] Fair and Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159, 117 Stat. 1952.

[10] Jeff Blyskal, Security Freeze v. Fraud Alert: Deciding the Best Option, Consumer Reports (Sept. 13, 2017), https://www.consumerreports.org/consumer-protection/security-freeze-vs-fraud-alert-deciding-the-best-option/

[11] Summary of Rights Under the FRCA of Victims of Identity Theft, TransUnion, https://www.transunion.com/docs/rev/personal/Fraud_Bill_of_Rights.pdf (last visited June 28, 2018).

[12] 15 U.S.C. 1681c-1.

[13] Summary of Rights Under the FRCA of Victims of Identity Theft, TransUnion, https://www.transunion.com/docs/rev/personal/Fraud_Bill_of_Rights.pdf (last visited June 28, 2018).

[15] §1681c-1(b)(1)(B)

[16] Identity Theft and Assumption Deterrence Act of 1998, Pub. L. 105-318, 112 Stat. 3007 (codified as 18 U.S.C. 1028 (a)(7)).

[17] Kristin Finklea, Identity Theft: Trends and Issues at 4, Congressional Research Service (January 16, 2014), https://fas.org/sgp/crs/misc/R40599.pdf.

[18] Internet False Identification Prevention Act of 2000, Pub. L. 106-578, 114 Stat, 3075 (Dec. 28, 2000).

[19] Identity Fraud: A Critical National and Global Threat, Joint Project of the Economic Crime Institute of Utica College and LexisNexis, a Division of Reed Elsevier Inc., 1, 26 Economic Crime Institute (Oct. 28, 2003), https://www.lexisnexis.com/presscenter/hottopics/ECIReportFINAL.pdf.

[21] Kristin Finklea, Identity Theft: Trends and Issues at 4, Congressional Research Service (January 16, 2014), https://fas.org/sgp/crs/misc/R40599.pdf.

[23] 15 U.S.C. § 1601; Disputing Credit Card Charges, Consumer Information, Federal Trade Commission, https://www.consumer.ftc.gov/articles/0219-disputing-credit-card-charges (last visited June 28, 2018).

[24] 12 C.F.R. §226.13(b)(1).

[25] 12 C.F.R. § 226.13(c)(1).

[26] 12 C.F.R. § 226.13(d)

[28] Dara Kerr, Equifax Hackers Possibly Pilfered 200,000 Credit Cards at Once, C|Net, (Sept. 14, 2017), https://www.cnet.com/news/equifax-hackers-said-to-have-pilfered-200000-credit-card-accounts/.

[29] Craig Johnson, After Equifax: What States Are Doing to Protect You (and How to Contact Your Representative!), Clark (Jan. 24, 2018), https://clark.com/protect-your-identity/after-equifax-what-states-are-doing-to-protect-you-and-how-to-contact-your-representative/.

[30] Ed Sealover, Colorado Governor Signs Law Requiring More Protection of Consumer Data, Denver Business Journal, (May 29, 2018), https://www.bizjournals.com/denver/news/2018/05/29/colorado-governor-signs-law-requiring-more.html.

[31] Guide for Assisting Identity Theft Victims, Federal Trade Commission, (Sept. 2013), https://www.consumer.ftc.gov/articles/pdf-0119-guide-assisting-id-theft-victims.pdf

[32] 15U.S.C. 1681a(q)(4)(C).

[33] Guide for Assisting Identity Theft Victims at 22, Federal Trade Commission, (Sept. 2013), https://www.consumer.ftc.gov/articles/pdf-0119-guide-assisting-id-theft-victims.pdf.

[34] Identity Theft, National Conference of State Legislatures, http://www.ncsl.org/research/financial-services-and-commerce/identity-theft-state-statutes.aspx (last visited June 28, 2018).