Identity theft

Definitions

 * Federal law defines identity theft as:


 * knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.


 * Identity theft is also defined in the Code of Federal Regulations (CFR) as “fraud committed or attempted using the identifying information of another person without permission.”


 * The Federal Trade Commission (FTC) defines identity theft as “a fraud committed or attempted using the identifying information of another person without authority.”


 * The OECD has stated that: "ID theft occurs when a party acquires, transfers, possesses, or uses personal information of a natural or legal person in an unauthorised manner, with the intent to commit, or in connection with, fraud or other crimes."


 * The U.N. Intergovernmental Expert Group has defined identity theft as:


 * occurrences in which information related to identity, which may include basic identification information and in some cases other personal information, is actually taken in some manner analogous to theft or fraud, including theft of tangible documents and intangible information, the taking of documents or information which are abandoned or freely available, and the deception of persons who have documents or information into surrendering them voluntarily.


 * The term identity theft is defined in the United Kingdom, as “the act whereby someone obtains sufficient information about an identity to facilitate identity fraud ('ID fraud'), irrespective of whether, in the case of an individual, the victim is alive or dead.”

Overview
Identity theft is a form of fraud in which the personally identifiable information of an individual, such as a Social Security number, name, or date of birth, is co-opted by another person to facilitate committing a criminal or fraudulent act by impersonating the victim. As Senator Jon Kyl, Chairman of the Senate Judiciary Subcommittee on Technology, Terrorism and Government Information put it, “there are few clearer violations of personal privacy than having your identity stolen and used in the commission of a crime.”

Identity theft is the fastest growing type of fraud in the United States; in 2008 about 9.9 million Americans were reportedly victims of identity theft, an increase of 22% from the number of cases in 2007. According to the FTC’s most recent (2005) survey on identity theft, approximately 8.3% of the U.S.’ adult population may have fallen victim to identity theft. With recent data indicating that the number of identity theft incidents is on the rise, the current proportion of the population falling victim to identity theft may be even higher than the level estimated by the FTC in 2005. In addition, the Federal Trade Commission (FTC) estimates that it costs consumers about $50 billion annually. Identity theft, also sometimes referred to as identity fraud, does not usually occur as a stand-alone crime. Instead, identity theft is often committed as part of some other fraud or white-collar crime, including fraud on existing accounts &mdash; such as unauthorized use of a stolen credit card number &mdash; or fraudulent creation of new accounts &mdash; such as using stolen data to open a credit card account in someone else’s name. An identity thief could also take other actions on behalf of the victim, such as establishing residency/citizenship, securing employment, obtaining government benefits, and committing other crimes in the victim’s name. In addition, identity theft can play a facilitating role in potentially more violent crimes such as drug trafficking, people smuggling, and international terrorism.

An increase in globalization and a lack of cyber borders provide an environment ripe for identity thieves to operate from within the nation’s borders &mdash; as well as from beyond. Federal law enforcement is thus challenged with investigating criminals who may or may not be operating within U.S. borders; may have numerous identities &mdash; actual, stolen, or cyber; and may be acting alone or as part of a sophisticated criminal enterprise.

How personal information is obtained
Identity theft can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, in a variety of ways, including:


 * 1) Dumpster diving. They rummage through trash looking for bills or other paper with personal information on it.
 * 2) Skimming. They steal credit/debit card numbers by using a special storage device when processing the card.
 * 3) Phishing. They pretend to be financial institutions or companies and send spam or pop-up messages to get the victim to reveal his or her personal information.
 * 4) Changing address. They divert a victim's billing statements to another location by completing a change of address form.
 * 5) Old-fashioned stealing. They steal wallets and purses; mail, including bank and credit card statements; pre-approved credit offers; and new checks or tax information. They steal personnel records, or bribe employees who have access.
 * 6) Pretexting. They use false pretenses to obtain personal information from financial institutions, telephone companies, and other sources.

Perpetrators
Increasing globalization and the expansion of the Internet have provided a challenging environment for law enforcement to both identify and apprehend identity thieves targeting persons residing in the United States. For one, these criminals may be operating from within U.S. borders as well as from beyond. There is no publically available information, however, delineating the proportion of identity theft (or other crimes known to be identity theft-related) committed by domestic and international criminals.

Secondly, while some identity thieves operate alone, others operate as part of larger criminal networks or organized crime syndicates. The FBI has indicated that it, for one, targets identity theft investigations on larger criminal networks. These networks may involve identity thieves located in various cities across the United States or in multiple cities around the world, and these criminals may be victimizing not only Americans, but persons living in countries across the globe. A third challenge includes identifying identity thieves operating under multiple identities, such as their actual identities, various stolen identities, and cyber identities and nicknames.

What data thieves do with the information
These data thieves then sell the information or use it themselves. While identity theft is not solely an Internet issue, a number of high profile data security breaches involving the personally identifiable information (PII) of citizens and consumers has drawn significant attention to the issue.

Once they have the victim's personal information, identity thieves use it in a variety of ways.

Credit card fraud:


 * They may open new credit card accounts in the victim's name. When they use the cards and do not pay the bills, the delinquent accounts will appear on the victim's credit report.
 * They may change the billing address on the victim's credit card so that the victim no longer receives bills, and then run up charges on the victim's account. Because the victim's bills are sent to a different address, it may be some time before the victim realizes there is a problem.

Phone or utilities fraud:


 * They may open a new phone or wireless account in the victim's name, or run up charges on the victim's existing account.
 * They may use the victim's name to get utility services like electricity, heating, or cable TV.

Bank/finance fraud:


 * They may create counterfeit checks using the victim's name or account number.
 * They may open a bank account in the victim's name and write bad checks.
 * They may clone the victim's ATM or debit card and make electronic withdrawals, draining the victim's accounts.
 * They may take out a loan in the victim's name.

Government documents fraud:


 * They may get a driver's license or official ID card issued in the victim's name but with their picture.
 * They may use the victim's name and Social Security number to get government benefits.
 * They may file a fraudulent tax return using the victim's information.

Other fraud:


 * They may get a job using the victim's Social Security number.
 * They may rent a house or get medical services using the victim's name.
 * They may give the victim's personal information to police during an arrest. When they fail to show up for their court date, a warrant for arrest may be issued in the victim's name.

Investigations and prosecutions
Identity theft is defined broadly, and it is directly involved in a number of other crimes and frauds. As a result, there are practical investigative implications that influence analysts’ abilities to understand the true extent of identity theft in the United States. For instance, only a proportion (the exact number of which is unknown) of identity theft incidents are reported to law enforcement. While some instances may be reported to consumer protection agencies (e.g., the FTC), credit reporting agencies (e.g., Equifax, Experian, and Trans Union), and law enforcement agencies, some instances may be reported to only one. For example, the FTC indicates that of the 82% of identity theft complaints that included information on whether the theft was reported to law enforcement, 35% were reported to law enforcement.

Another issue that may affect analysts’ abilities to evaluate the true extent of identity theft is that law enforcement agencies may not uniformly report identity theft because crime incident reporting forms may not necessarily contain specific categories for identity theft. In addition, there may not be standard procedures for recording the identity theft component of the criminal violations of primary concern. Issues such as these may lead to discrepancies between data available on identity theft reported by consumers, identity theft reported by state and local law enforcement, and identity theft investigated and prosecuted by federal law enforcement.

Various federal agencies are involved in investigating identity theft, including the Federal Bureau of Investigation (FBI), the United States Secret Service (USSS), the United States Postal Inspection Service (USPIS), the Social Security Administration Office of the Inspector General (SSA OIG), and the U.S. Immigration and Customs Enforcement (ICE). In addition, federal law enforcement agencies may work on task forces with state and local law enforcement as well as with international authorities to bring identity thieves to justice. The Department of Justice (DOJ) is responsible for prosecuting federal identity theft cases.

Impact of identity theft
According to the Federal Trade Commission, identity theft is the most common complaint from consumers in all 50 states, and accounts for over 35% of the total number of complaints the Identity Theft Data Clearinghouse received for calendar years 2004, 2005, and 2006. In calendar year 2006, of the 674,354 complaints received, 246,035 or 36% were identity theft complaints. With continued media reports of data security breaches, concerns about new cases of identity theft are widespread.

The U.S. Department of Justice estimates that over 10 million Americans are victims of identity theft each year.

Victims of identity theft may incur damaged credit records, unauthorized charges on credit cards, and unauthorized withdrawals from bank accounts. Sometimes, victims must change their telephone numbers or even their social security numbers. Victims may also need to change addresses that were falsified by the impostor. With media reports of information security breaches increasing, concerns about new cases of widespread identity theft have received significant attention in Congress.

In 2007, identity theft alone cost businesses over $40 billion. The average data breach today will cost businesses $192 per-incident. According to a Ponemon Institute study, almost 33% of customers surveyed stated that they would cut ties with a company that had a data breach.

Public disclosures of identity thefts have heightened interest in the security of sensitive personal information; security of computer systems; applicability of federal laws to the protection of sensitive personal information; adequacy of enforcement tools available to law enforcement officials and federal regulators; business and regulation of data brokers; liability of retailers, credit card issuers, payment processors, banks, and furnishers of credit reports for costs arising from data breaches; remedies available to individuals whose personal information was accessed without authorization; prosecution of identity theft crimes related to data breaches; and criminal liability of persons responsible for unauthorized access to computer systems.

Federal legislative activities
Congress continues to debate the federal government’s role in (1) preventing identity theft and its related crimes, (2) mitigating the potential effects of identity theft after it occurs, and (3) providing the most effective tools to investigate and prosecute identity thieves.

With respect to preventing identity theft, one issue concerning policymakers is the prevalence of personally identifiable information &mdash; and in particular, the prevalence of social security numbers (SSNs) &mdash; in both the private and public sectors. One policy option to reduce their prevalence may involve restricting the use of SSNs on government-issued documents such as Medicare identification cards. Another option could entail providing federal agencies with increased regulatory authority to curb the prevalence of SSN use in the private sector. In debating policies to mitigate the effects of identity theft, one option Congress may consider is whether to strengthen data breach notification requirements. Such requirements could affect the notification of relevant law enforcement authorities as well as any individuals whose personally identifiable information may be at risk from the breach.

In April 2007, the President’s Identity Theft Task Force issued recommendations to combat identity theft, including specific legislative recommendations to close identity theft-related gaps in the federal criminal statutes. In a further attempt to curb identity theft, Congress directed the FTC to issue an Identity Theft Red Flags Rule (effective June 1, 2010), requiring that creditors and financial institutions with specified account types develop and institute written identity theft prevention programs.

Several laws restricting the disclosure of consumer information and require companies to ensure the security and integrity of the data in certain contexts have been enacted at the federal level, including:


 * Section 5 of the FTC Act
 * Fair Credit Reporting Act of 1970 (FCRA), and
 * Gramm-Leach-Bliley Act Privacy and Safeguards Rules
 * Health Insurance Portability and Accountability Act Privacy and Security Rules (HIPPA)

Congress also has passed several laws specifically related to identity theft:


 * Identity Theft and Assumption Deterrence Act of 1998
 * Fair and Accurate Credit Transactions Act of 2003 (FACT); and
 * Identity Theft Penalty Enhancement Act of 2004.