
 

Countermeasures

One of the first actions taken against identity theft within the United States was to criminalize it. In 1996, the State of Arizona became the first government to initiate legislative action against identity theft by passing a law which made identity theft a felony, punishable with a prison sentence of up to one and a half years in addition to restitution and a fine of up to $150,000. After California followed Arizona’s lead, the federal government introduced its first initiative. The 1998 Federal Identity Theft and Assumption Deterrence Act identified identity theft as a federal crime, provided a legal definition, and outlined penalties for any violation of the Act. To many, the Act represented an important first step in the fight against identity theft. Matejkovic & Lahey claim the Act accomplished a number of significant tasks. Among them are the classification of individuals, as opposed to financial institutions, as primary victims, and the federalization of the crime, which gives victims the opportunity to request aid from law enforcement officials.

In 2004, the US Congress increased the potential punishments for convicted identity thieves. The Identity Theft Penalty Enhancement Act adds a two-year prison sentence for any individual convicted of using a stolen credit card number or other personal information to commit a crime. Furthermore, the Act directs the US Sentencing Commission to consider enhancing the penalties for employees who illegally obtain personal data from their company’s database. When he signed the bill into law, President George W. Bush remarked how the Act would “dramatically strengthen the fight against identity theft and fraud. Prosecutors across the country report that sentences for these crimes do not reflect the damage done to the victim. Too often, those convicted have been sentenced to little or no time in prison. This changes today.” Whether enhancing penalties for identity theft violations is a step in the right direction is arguable. According to Betsey Broder, Assistant Director for the Federal Trade Commission’s Division of Planning and Information, the Act will make it more likely for an identity thief to be prosecuted because “A prosecutor is less likely to bring a case if they’re not going to get any serious jail time when the [sic] get a conviction.” The Act, therefore, is not a means to solve the problem but rather to increase the incentive for both prosecutors and law enforcement personnel to make a greater effort to catch and convict identity thieves. Additionally, one of the primary motives behind increasing the penalties is the fight against terrorism. As Dennis M. Lormel, Chief, Terrorist Financial Review Group, FBI, noted in his Congressional Testimony, “Terrorists and terrorist groups require funding to perpetrate their terrorist agendas (…) There is virtually no financing method that has not at some level been exploited by these groups. Identity theft is a key catalyst fuelling many of these methods.” Consequently, the ultimate motive behind the Act may be a good indication of how it will be implemented. Prosecutors may be more inclined to make a greater effort to prosecute identity thieves, but only if, or primarily if, they have some sort of terrorist connection. Therefore, if identity theft is committed as a stand-alone crime, penalties remain the same. An additional drawback is the fact that the Act applies “only to U.S. Postal Service and interstate acts of identity theft. For acts of intrastate identity theft, many states still do not classify this action as a felony and the criminal is given a lenient sentence.” The effectiveness of higher sentences, however, primarily relies on the conviction rate, which appears to be relatively low. As a result, policy makers should perhaps focus more on the prevention of identity theft through increased security than on deterrence through higher sentencing.

In the years following the Identity Theft and Assumption Deterrence Act, Congress shifted its focus and began to draft legislation of a more preventative nature by increasing organizational responsibility. The shift began in 1999 with the introduction of the Gramm-Leach-Bliley Act, which became an essential piece of legislation through its provisions on the mandatory protection of consumers’ personal financial information by financial institutions. More recently, California initiated legislation which requires private corporations to notify consumers in case of a data security breach. In 2003, California became the first state to pass two significant data security breach laws. First, the California Security Breach Information Act requires any company which stores customer data electronically to notify its California customers of a security breach to the company’s computer system when the company knows or has reason to believe that unencrypted information about customers has been disclosed. The second law, commonly known as the California Financial Information Privacy Act, establishes new limits on the ability of financial institutions to share nonpublic personal information about their customers with affiliates and third parties. The legislation hardly comes as a surprise after hackers gained access in 2002 to the state government’s payroll database, which contained sensitive personal information of over 250,000 state employees. The members of the California legislature were among the employees whose personal information was exposed through the data security breach. Benjamin Wright describes what prompted the current laws when he writes, “Many employees, including the legislators, felt the California government was too slow to notify them about the burglary.” Data security breach notification legislation is also an important debate at the federal level, especially after some particularly high-profile cases involving major data security breaches. In the most highly publicized case, Choicepoint, a company which obtains personal information, including names, Social Security Numbers (SSNs), birth dates, employment information, and credit histories, and sells it to more than 50,000 businesses, settled a case after the FTC pressed charges as a result of a significant data security breach in 2005. The data security breach caused at least 800 cases of identity theft, and the personal financial records of approximately 163,000 consumers became available for identity thieves to take advantage of. The FTC pressed charges against Choicepoint claiming it “did not have reasonable procedures to screen prospective subscribers, and turned over consumers’ sensitive personal information to subscribers whose applications raised obvious ‘red flags.’” Furthermore, the FTC also claimed Choicepoint was in violation of FTC provisions because the company made false and misleading statements about the privacy of consumer information. Choicepoint ultimately had to pay a total of $15 million, two thirds of which went to civil penalties and the other third to consumer redress. The settlement became the largest to date.

Choicepoint, among other cases, has prompted a significant number of breach notification acts at the state level. At present, 42 states have some form of breach notification law in place; these laws differ slightly in the applicable parties, the type of data ‘lost’ and the type of notification required. The differences, however subtle, cause or could cause confusion among the various organizations. Federal legislation may therefore be needed, but that need has yet to be attended to because of the controversial nature of the idea itself.

In her conclusion, Lilia Rode writes “Security breach notification statutes like California’s ensure that consumers are protected from identity thieves.” While security breach notification may perhaps provide sufficient protection in the long run, with regard to its short-term results she is incorrect. Security breach notification’s strongest asset is the way in which it forces corporations to provide the highest form of security for the customer’s personal data, so in and of themselves breach notification laws do not protect the consumer. Furthermore, notifying consumers that their information has been compromised helps them to become more aware and cautious of potential irregularities, but perpetrators can still commit identity theft with the information they obtained through the data security breach. Consequently, data security breach notification is valuable due to its ability to influence the incentives of corporations to provide better security, but as a countermeasure alone it fails to provide complete protection for consumers.

Additionally, in 2003, Congress passed, and the President signed into law, the Fair and Accurate Credit Transactions Act (FACTA). FACTA is another initiative which increases organizational responsibility. FACTA provides a number of provisions to fight identity theft; among these are “compulsory credit card number truncation on receipts, mandates to card issuers to investigate change of address and new card requests, fraud alert requirements by credit reporting agencies, mandatory blocking of identity theft-related information on credit reports, and free annual credit reports.” The Act, therefore, serves a number of purposes. First, the truncation of credit card numbers on receipts is an effort to prevent identity theft from occurring. Second, the mandate to investigate requests for new cards and address changes tries to aid in the detection of identity theft attempts. Third, placing a fraud alert on someone’s credit card is an instrument to stop repeat identity theft. Fourth, the mandatory blocking of identity theft-related information is a means for the victim to return to his or her original credit rating and therefore reduce the devastating damage of the crime. The annual credit reports are certainly a valid tool for individuals to discover any irregularity within their credit history as a result of identity theft. Especially given the relatively short statute of limitations, the annual credit reports can help citizens to actually have a legitimate claim in court in case they fall victim to an identity thief. As to the effectiveness of these measures, some appear skeptical. The ITRC indicates on its website that a fraud alert on a credit report does not necessarily guarantee that a company or financial institution will not extend credit to the perpetrator, because they can simply ignore the alert. A more effective means to prevent any further acts of identity theft is the credit freeze, which a number of states have introduced. The credit freeze allows residents to prevent anyone from viewing their credit reports and opening up a new line of credit. Even individuals who have never been victims of identity theft can request credit agencies to place a credit freeze on their account for a fee. In California, for example, residents pay $10 to each Credit Reporting Agency (CRA) (three in total) to freeze their credit. Because the credit freeze is an initiative taken at the state level by only a restricted number of states, not everyone in the US can take advantage of this option. The inability of some victims to take advantage of the credit freeze significantly limits their opportunity to prevent identity theft from occurring or reoccurring.

Another significant element of FACTA was the request made by Congress to the Department of Treasury to undertake a study on “the use of biometrics and other similar technologies to reduce the incidence and costs to society of identity theft by providing convincing evidence of who actually performed a given financial transaction.” The Department of Treasury concluded in its study that biometric technology is not a ‘silver bullet’ to reduce identity theft and that “Biometrics are not likely in the near term to be very useful to confirm the true identity of an individual at the initial point of opening an account or submitting an application to a financial institution if the person has no prior relationship with the institutions.” Additionally, the Department notes the major obstacles which make biometrics a sub-optimal solution at this point in time. These obstacles include consumer concerns, costs, lack of accuracy and reliability of the technology, and the absence of interoperability of biometric systems.

Legislative action continues to expand with regard to identity theft. Predominantly at the state level, various bills are introduced on a yearly basis. As noted by the National Conference of State Legislatures, “[i]n the 2007 legislative session, states continue to strengthen laws to protect consumers from identity theft. From increasing penalties to expanding the definition of identity theft and law enforcement role in investigating cases, states enacted several bills to help fight identity theft. States went further to assist identity theft victims after the victimization, by enacting laws that prohibit discrimination against an identity theft victim, allow expungement of the records related to the underlying theft and created Identity Theft Passport programs to help victims in clearing their name and financial records.”

 
