Document View

In 2005 alone, 9.3 million Americans were victims of identity theft, and more than 27 million Americans have been victims of this crime in the past three years.3 While statistics vary, the average estimated losses from identity fraud since 2003 have exceeded $50 billion each year and are estimated to have totaled more than $56 billion in 2006.4 On average, consumers spent approximately 40 hours cleaning up their credit reports and other financial records, and the average amount of fraud per victim was approximately...

Copyright Aspen Publishers, Inc. Mar 2007

How can it be that two of me exist? How could someone else get instant credit or a credit card in my name, purchase a car, steal my children's information, or even declare bankruptcy in my name? There are measures in place to protect against identity theft ... right? Credit card companies will ask for identification and confirm my application prior to sending a credit card. Retail stores will confirm that I am who I say I am before giving me an instant line of store credit. These measures will protect me. As long as I pay my bills on time and watch out how much money I spend, I will be able to maintain good credit and do not have to worry about a thing ... or do I?

The truth is that, unless a person is proactive and takes serious steps to reduce exposure to identity theft by physical means or cyber attack, identity theft remains a real possibility. Unless an individual actively monitors credit history, financial accounts, and Social security records, it is impossible to respond to such theft until after the damage has been done. It is vital to become informed and actively involved in this process of learning about and securing against identity theft.

About Identity Theft

According to the US Postal Service, identity theft is America's fastest growing crime.1 As defined by the 1998 Identity Theft and Assumption Deterrence Act, "Identity Theft" occurs when a person knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit or to aid or abet any unlawful activity that constitutes a violation of federal law or that constitutes a felony under any applicable state or local law.2

In 2005 alone, 9.3 million Americans were victims of identity theft, and more than 27 million Americans have been victims of this crime in the past three years.3 While statistics vary, the average estimated losses from identity fraud since 2003 have exceeded $50 billion each year and are estimated to have totaled more than $56 billion in 2006.4 On average, consumers spent approximately 40 hours cleaning up their credit reports and other financial records, and the average amount of fraud per victim was approximately $6,383.5 During 2005, the most reported causes of identity theft were credit card fraud (26 percent), phone or utilities fraud (18 percent), bank fraud (17 percent), and employment fraud (12 percent).6 Of particular importance, electronic funds transfer-related fraud was the most frequently reported type of identity theft bank fraud during 2005.7 Cybercrime and identity theft share a tight nexus. Therefore, it is not surprising that cybercrime jumped to the number one crime in the United States. In 2004, cybercrime grossed more than $105 billion, exceeding drug trafficking proceeds for the first time.8

Ten Steps to Reduce Identity Theft Risk

What can a person do to safeguard his or her information? By understanding the risk to a person's identity, individuals can greatly reduce the chances of identity theft. If a person were to spend just a few hours on one weekend reviewing and implementing the following changes, he or she could dramatically reduce the chances of being a victim.

I. Carrying Documents

An individual should carefully control all documents that he or she carries. For example, a person should never carry identification that lists his or her Social security number (SSN). That means, a person should not carry a Social security card, a passport, or other identification that may use the SSN, such as a driver's license, school identification card, or insurance card. Moreover, a person should never include his or her SSN on checks. If a SSN appears on checks, proof of automobile insurance, or similar documents, an individual should request a new card or checks that do not contain the SSN and use an alternative identification number instead. In some instances, insurance companies will not issue new cards that do not contain the SSN. In this case, an individual should cut out the number from the card and provide it to medical personnel only when services are rendered.

Please note that carrying personally identifiable information does not just mean in a purse or wallet. An individual should sanitize bags, briefcases, and the car's glove box for this information as well. A person should remove credit cards that are duplicative or other non-essential cards and memberships that might provide an identity thief with access to more information.

2. Distribution of Documents

An individual should not distribute his or her SSN to businesses or others who do not need it. Note that, even if companies such as financial institutions, medical professionals, or tax accountants must have this information, they will never contact a person via email for it. Before relinquishing a SSN, a person should be sure to ask how the entity intends to safeguard it.

3. Shred Unnecessary Documents

An individual should buy and use a shredder for most documents and mail; ripping up documents or credit card offers will not suffice. In fact, MSNBC recently tested this very situation by ripping up a credit card application and then taping it back together and filling it out. They even changed the address on the credit form and used a cell phone number different from that listed in the contact information for verification. One month later, a new credit card was issued to the new address.9 Dumpster diving for documents at offices and homes is becoming a more popular trend, but is easily rectified by shredding.

4. Opt Out of Pre-Approved Credit

A person can reduce the number of offers for "Approved Credit" by opting out of pre-approved offers of credit. How? By contacting the three major credit reporting bureaus: Equifax, Experian, and TransUnion. A consumer can call all three bureaus with a single telephone number (888) 5-OPTOUT to get off the marketing lists that credit bureaus give to credit card companies, or visit www.optoutprescreen.com and fill out the forms online. Please note that the consumer will be asked to supply his or her SSN to be removed from these lists. It is also possible to contact each credit reporting bureau separately at the addresses below.

* Equifax: (888) 567-8688 or Equifax Options, P.O. Box 740123, Atlanta, GA 30374-0123

* Experian: (800) 353-0809 or Experian, P.O. Box 919, Allen, TX 75013

* TransUnion: (800) 680-7293 or TransUnion, P.O. Box 97328, Jackson, MS 39238

A consumer may also opt out of additional offers by contacting the Direct Marketing Association (DMA) at www.dma.org, downloading the opt-out form, and mailing it to:

* Mail Preference Service: Direct Marketing Association, P.O. Box 9008, Farmingdale, NY 11735

* Telephone Preference Service: Direct Marketing Association, P.O. Box 9014, Farmingdale, NY 11735

5. Obtain a Free Credit Report

Under the Fair and Accurate Credit Transactions Act of 2003 (FACTA),10 an individual is entitled to receive one free credit report from each of the three credit reporting bureaus each year.11 To run the free credit report, a person should visit www.AnnualCreditReport. com; call toll-free (877) 322-8228; or mail a completed Annual Credit Report Request Form available at the Web site to: Annual Credit Report Request Service: P.O. Box 105281, Atlanta, GA 30348-5281.

Please note that the FACTA free credit report is available only at www.AnnualCreditReport.com. Other Web sites calling themselves free actually have strings attached and will provide a free report only if a consumer signs up for a paid credit watch service.

Running a credit report once a year is the absolute minimum that a consumer should do. In fact, it is recommended that an individual run a credit report through a credit bureau of choice at least every three months.

6. Use a Monitoring Service

A free credit report is a great starting place, but it is essential to spend the time and money to select a monitoring service from Equifax (www.equifax.com), Experian (www.experian.com), or TransUnion (www.transunion. com). Each one offers similar services, so the choice really depends on what specific services an individual needs, pricing options, and which Web site or delivery service the individual likes best. The purpose behind monitoring is to catch fluctuations in credit (such as account balances), the addition of new lines of credit, and any other changes indicative of a problem.

7. Secure the Mail

Each household should purchase a locking mailbox. Individuals should not put bills or other mail inside this receptacle for pick-up but instead should use a US Post Office collection box for all bills or other sensitive information.

8. Secure Important Documents

An individual should keep copies of all important documents, especially those of a financial nature or that contain the SSN, in a fire-resistant safe at home or preferably in a bank safety deposit box. In addition, a person should place a copy of all credit cards (front and back) or other items with important personal information that might normally be contained in a purse or wallet in the safe. If these items are stolen, the individual will have easy access to the phone number and other card information to facilitate cancellation of the cards before harm can be done.

9. Use a Bank with Increased Security

A consumer should also seek out financial institutions with increased security measures. A consumer has many options when choosing a bank or credit card. Some of these include having the individual's picture placed on the front of the card, which can greatly reduce impersonation attempts. In addition, various institutions offer different levels of online password protection and authentication to access an account on the Internet. Some financial institutions use what is called dual-factor authentication to confirm a person's identity, that is, something that the consumer has (keyfob or smartcard) and something the consumer knows (password). An individual can help protect information by choosing stronger passwords, such as those containing a seemingly random mix of numbers, letters, and wildcards (such as %, $, ^, &, @) and that cannot be found in the dictionary. A consumer should research these security offerings prior to making banking decisions, as some security measures are more easily overcome than others.

10. Be CyberSmart

A computer user should make sure that he or she is protected online. He or she should be sure to install a hardware and software firewall between the computer and the Internet. Many software firewalls are free (such as wivw.zonealarm.com). A computer user should also install anti-virus and anti-spyware software to protect the computer from attacks and should always keep the computer's operating system and programs up to date and patched. A user should never interact with email that is from someone that is not familiar. That is, a user should not open such email, click on attachments, or respond to the message. This is extremely important since phishers will often bait computer users by sending email requests in which they pose as a financial institution and request information under the guise that the user's account will be shut down or that the institution has lost the user's information. Even if a user is confident that the email is legitimate, he or she should call the financial institution to confirm the legitimacy of the email. For more information please go to either Stay Safe Online at www.stay sqfeonline.info for Eight Cyber Security Tips to keep a person safe online or GetNetWise at www.getnetwise.org.

The Identity Thief Has Struck! Now What!

A person will greatly reduce the chances of experiencing identity theft by taking the 10 steps toward prevention listed earlier in this article. Nevertheless, identity theft can still happen. What should a person do in such circumstances?

1. FTC Web Site. Immediately upon discovering identity theft, an individual should go to the Federal Trade Commission's (FTC) Web site at www.consumer.gov/ idtheft and read the information on this Web site. The site contains examples of letters to credit bureaus, ID theft affidavits, and other forms that an individual can use to report this crime.

2. Notify a Credit Bureau. The individual should place an initial fraud alert with the three credit reporting bureaus by calling any credit bureau. The credit bureau will ask for the individual's SSN to prove identity. Calling any one credit reporting bureau will automatically place a fraud alert at all three bureaus. As soon as an individual places the fraud alert, he or she is entitled to order a free copy of credit reports. An individual should immediately review and save them in order to identify and/or document future changes in credit due to the theft. The telephone numbers to call are:

* Equifax: (800) 525-6285

* Experian: (888) EXPERIAN (397-3742)

* TransUnion: (800) 680-7289

3. File the Reports. An identity theft victim should file a police report, an identity theft report, and complete an ID theft affidavit. The filing of an identity theft report will entitle the individual to an extended alert that will remain on file with the credit reporting bureaus for seven years.

4. Cancel Accounts. A victim should next cancel all compromised accounts by calling the financial institutions directly. The person should attempt to review relevant accounts online immediately, without waiting for a paper statement to arrive in the mail. If there are any unauthorized charges, the person should dispute them immediately. The FTC Web site provides a sample dispute letter. While there are limits to the amount of money a financial institution can charge an innocent person for fraudulent purchases made by a criminal, the sooner an individual reports fraudulent activity, the greater the chances are that the individual will have zero liability.

5. File an FTC Complaint. An individual should file a complaint with the FTC by using the online complaint form at www.consumer.gov/idtheft, by calling the FTC's Identity Theft hotline, toll-free: (877) IDTHEFT (438-4338), or by writing Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.

6. Notify check guarantee companies. If an identity thief has fraudulently established bank accounts using the victim's name, the victim should call the following check guarantee companies to report fraud: Telecheck at (800) 366-2425 and the International Check Services Company at (800) 526-5380.

7. Contact the Social security Administration. If an individual's SSN is being misused, he or she should contact the Social security Administration (SSA) Office of the Inspector General. An individual may file a complaint online at www.soaalsecurity.gov/oig, caU toll-free: (800) 269-0271, fax: (410) 597-0118, or write: SSA Fraud hotline, P.O. Box 17768, Baltimore, MD 21235. In addition, an individual may want to verify the accuracy of the earnings reported on his or her Social security number or request a copy of his or her Social security statement by calling SSA toll-free at (800) 772-1213.

8. Report Passport Loss. Finally, an individual should report the loss or theft of a passport by contacting the US Department of State through www.tmvel.state.gov/ passport/passport_1738.html.

Summary

The time and money to respond after an identity theft has occurred is extensive. By taking the 10 steps outlined in this article, reviewing information provided by the FTC, and becoming more aware of the nature of this threat, an individual can greatly reduce the risk of such theft. Other information on identity theft is available from the following sources.

* Federal Trade Commission at www. consumer.gov/idtheft

* Better Business Bureau's ID Theft Program at www.bbbonline.org/IDtheft/

* CALPIRG at http://calpirg.org/

* Federal Bureau of Investigation, Internet Crime Complaint Center (IC3) at www.ic3.gov.

* Identity Theft Resource Center at www, idtheftcenter. org

* Privacy Rights Clearing House at www. privacy rights, org/identity.htm

* Social security Online at www.ssa.gov/pubs/idtheft.htm

* US Department of Justice at www.usdoj.gov/criminal/ fraud/idtheft.html

* US Postal Inspectors at www.usps.com/postalinspectors/ idthft_ncpw.htm

[Author Affiliation]

Christopher T. Pierson, JD, PhD, is an attorney in the Phoenix office of Lewis and Roca LLP. He established the firm's Cybersecurity and Cyberliability practice group and counsels corporate clients on ways to control their information technology issues, including hacking attacks, data extortion, data theft, and other types of data breaches. In addition, he counsels clients on compliance with state and federal laws, regulatory compliance issues, and privacy laws affecting electronic information. This article is adapted from an article published in the October 2006 issue of Nevada Lawyer, used with permission.