80 J. Kan. Bar Assn 6, 19 (2011). Protecting Personal Information from Identity Theft: An Integrated Approach.

• Author: ByJohnathan Rhodes

Kansas Bar Journal

Volume 80.

80 J. Kan. Bar Assn 6, 19 (2011).

Protecting Personal Information from Identity Theft: An Integrated Approach

Kansas Bar Journal Volume 80, June 2011 80 J. Kan. Bar Assn 6, 19 (2011) Protecting Personal Information from Identity Theft: An Integrated Approach ByJohnathan Rhodes Ultimately, you cannot prevent identity theft from happening to you, ... [y]ou can only reduce your chances.

-Beth Givens(fn1)

I. Introduction

The most stolen Social Security number in United States history is 078-05-1120. In 1938, two years after Social Security numbers were first issued, a wallet manufacturer promoted its product by demonstrating how a Social Security card could easily fit inside its wallets. One executive decided to use the actual card of his secretary, Hilda Schrader Whitcher, as the sample card. Wallets with Whitcher's reproduced card were sold across the country and many purchasers adopted her Social Security number as their own. In 1943, 5,755 people were using this number. Although the Social Security Administration later voided Whitcher's number, people continued to use it. More than 40,000 people have reported this as their number over the years. As late as 1977, 12 people were found to still be using this number.(fn2)

It is unlikely that the federal government fully comprehended the ramifications of identity theft when it first issued Social Security cards in 1936. A search for "identity theft stories" on the Internet will produce numerous stories in which identity thieves have ruined victims' credit. Identity theft has exploded in recent years and, because we all have identities, we are all potential victims. Although the state and federal governments have enacted various safeguards against identity theft, some believe that it is not a top priority. Inspector General Glenn Fine, of the U.S. Department of Justice, stated that the effort to combat this problem has lagged in recent years.(fn3) He further noted, "We found that to some degree identity theft initiatives have faded as priorities." At a minimum, all of us are consumers who should be concerned with what lawmakers, government agencies, and businesses are doing with our personal information. This article will analyze what state and federal lawmakers have done to curb this pervasive crime and what businesses are obligated to do to protect our identity.

II. The Magnitude of the Problem

Identity theft is one of the fastest growing crimes in the nation. In 2008 alone, more than 10 million Americans became victims of identity theft.(fn4) In 2006, victims spent an average of 40 hours resolving identity theft cases, which was a 17 percent increase over the previous two years. According to a Federal Trade Commission (FTC) survey, 10 percent of victims spent more than 100 hours resolving problems associated with identity theft, and 5 percent spent more than 1,200 hours.(fn5) In total, more than 40 million hours are lost each year resolving identity theft issues. The monetary loss is equally startling. In 2006, the average monetary loss of an identity theft case was $6,383 and the total cost of identity theft in the United States was $56.6 billion.(fn6)

Most identity theft does not occur on the Internet. Ninety percent occurs through lost or stolen wallets, checkbooks, or credit cards.(fn7) But, as discussed below, shrewd identity thieves have found other avenues to commit this crime.

A. Unsecured wireless networks

Some identity thieves drive through residential neighborhoods looking for unsecured wireless networks, or they stay home and simply log into their neighbors' unsecured wireless networks. These "hackers" can steal bank and credit card information located on the victim's computer.(fn8) They can also download illicit material and make fraudulent purchases, making it appear as if the victim had committed these acts. One San Diego detective reported that drug addicts will connect to unsecured wireless networks and steal identities, order credit cards, or open bank accounts.(fn9) This is particularly dangerous because it appears as if the owner of the network is the one committing these acts. The detective noted that drug users will typically barter stolen identifications for drugs.

B. Copy machines

Digital copy machines are ripe for identity theft because they can contain enormous amounts of confidential information. Almost 60 percent of the American public is unaware that, just like computers, many copy machines contain hard drives that store every document that has been scanned, printed, faxed, or emailed.(fn10) If you have made a copy in the last ten years, there is a good chance that an image of that copy is sitting on a hard drive somewhere. Nearly every digital copy machine built since 2002 contains a hard drive storing this information.(fn11) Copy machines can contain 15,000 to 20,000 documents, which will stay on the hard drive until someone removes them or new documents replace the old ones.(fn12) After digital copiers are disposed of, many of them go to wholesale warehouses and are placed on the used copier market.(fn13) There they sit, containing thousands of confidential documents, waiting to be sold. One expert noted, "It basically becomes an identity thief's dream."(fn14) Anyone can purchase a used copy machine and connect a computer to the machine, allowing the purchaser to download and print any document on the hard drive.(fn15) One company in California purchased a used copy machine and found numerous confidential documents, including a document containing Caroline Kennedy's private information.(fn16) This copy machine also contained emails, account summaries, budgets, nondisclosure agreements, and other highly confidential documents.(fn17) Regarding the potential security exposure of these copy machines, one person noted, "[It's an] issue that's going to have major ramifications. It's going to hit like a ton of bricks when it does hit."(fn18) Think about the copy machines at law firms that contain vast amounts of privileged material or those at other businesses that contain trade secrets. This information is being spread across the globe. Approximately 70 percent of used copy machines ultimately land overseas, mostly in China and Europe.(fn19)

[20]

Health care providers should be particularly wary of the information stored on their copy machines. Two components of the Health Insurance Portability and Accountability Act (HIPAA) are the Privacy Rule and the Security Rule. Unless otherwise permitted, HIPAA's Privacy Rule prohibits entities covered by HIPAA, including health care providers, from using or disclosing protected health information without an individual's authorization.(fn20) HIPAA's Security Rule requires entities that electronically transmit protected health information or maintain that information in electronic media to maintain reasonable and appropriate administrative, physical, and technical safeguards to keep the information secure.(fn21) Specifically, covered entities must protect against reasonably anticipated threats or hazards to the security of this information.(fn22) Providers and entities subject to HIPAA must think about the information that is being stored on their copy machines and secure it accordingly.

In Kansas, not only is it a good idea to take appropriate steps before disposing of digital copiers, but it is also the law. Before disposing of customer records within their custody or control, individuals and business entities are required by K.S.A. 50-7a03 to take reasonable steps to destroy, shred, or erase those customer records.(fn23) This requires reasonable measures, such as erasing or encrypting personal information before disposing of digital copiers. The FTC chairman stated, "[B]usinesses and government agencies should ensure that the information on the hard drives in digital copiers are wiped clean of personal information after the conclusion of use." On April 29, 2010, Rep. Edward J. Markey, of Massachusetts, asked the FTC to investigate the retention of documents on hard drives of digital copy machines.(fn24) Rep. Markey noted, "I am very concerned that these copy machines can be a treasure trove for identity thieves, allowing criminals to easily access highly sensitive personal information."(fn25) In response, the FTC began contacting copy machine manufacturers, resellers, and office supply stores about these privacy concerns.(fn26) In a letter to Rep. Markey, FTC Chairman Jon Leibowitz wrote that the FTC was trying to "determine whether [copy machine manufacturers and resellers] are warning their customers about these risks ... and whether [they] are providing options for secure copying."(fn27)

In November 2010, the FTC published Copier Data Security: A Guide for Business, which provides steps businesses can and should take before acquiring a digital copier, while using it, and before disposing of it.(fn28) While using the copier, the FTC recommends taking such measures as securely overwriting the hard drive at least once per month and integrating the copier with your secure network. Before disposing of the copier, businesses should check with the manufacturer, dealer, or servicing company for options to secure the hard drive.

C. Medical identity theft

Imagine getting a $12,000 bill for a liposuction that you never had, or reviewing your credit report to discover that you owe more than $100,000 in unpaid medical bills for treatment you never received. Rhonda...