Identity theft: myths, methods, and new law.

• Author: Towle, Holly K.

1. INTRODUCTION

   For centuries, philosophers have considered the concept of human identity, (1) a notion that refers to an individual's sense of "self" and distinguishes one individual from another. In modern society, not only does one's identity--and the ability to prove it--serve to distinguish one person from another, but it also plays an obvious role in many of today's commercial and personal transactions. Doctors need to disclose medical records only to their patients; buyers of real estate need to know that the persons signing the deed really are the ones who own the property; vendors need to know that the person purporting to purchase product on behalf of a company really is the employee authorized to do so; governments need to know that the person claiming benefits is the person entitled to them; and police need to know who they are actually arresting.

   Identity theft has been described as one of the "fastest growing crimes in the nation," (2) and "the crime of the new millennium." (3) If so, certainly there is a need to understand what identity theft is and its legal underpinnings. Hence, this article is intended to explain what identity theft is, how it happens and legal responses to it. This article includes an extensive discussion of the latest federal response, the Fair and Accurate Credit Transactions Act of 2003 ("FACT"), as well as a discussion of state statutory and common laws. Finally, the article ends with suggestions for how to avoid identity theft.

   In one sense there is nothing new here given that determining with whom one is really dealing has always been important. However, making that determination becomes more complex when e-commerce is involved (4) because there is no face-to-face interaction and documents, such as a driver's license picture or handwritten signature, cannot be easily examined. Data can be collected that tends to identify a person, such as a social security number, telephone number, maiden name, birth date and the like. However, laws increasingly restrict that collection, and some identifiers may be public information or discoverable with an ease that may make the information of questionable use. This situation provides opportunity for illegal activity which can be exacerbated in electronic settings.

   The reality, however, is that the opportunity for identity theft has always existed and that "offline" methods for illegal activities cannot be ignored. For example, a 2003 Federal Trade Commission ("FTC") survey indicated that "a lost or stolen wallet or pocket book, or theft of the victim's mail including lost or stolen credit cards, checkbooks, and social security cards," were the most commonly mentioned ways that an identity thief obtained information. (5) This was 25% of those who knew how their information was obtained; a group which accounts for 51% of all victims (leaving almost half of victims not knowing how their personal information was obtained). (6) Identity thieves also include persons who give the name of another person in order to delay or avoid being charged with a crime. In fact, there is nothing more "face-to-face" or "non-electronic" than an arrest.

   The likely difference between now and yesterday is not a difference between online and offline activities, but changes in technology which generally allow thieves to do more, online or off:

   At one time, not that many years ago, a breeder document, such as a driver's license, meant something; it could be used to establish a person's identity with little or no question. Now, technology has enabled criminals to produce fraudulent documents, which can be used to procure additional fraudulent documents. Counterfeit documents, such as credit cards, used to be easily detectable; now it is relatively easy to produce a counterfeit hologram that usually passes for the real thing..... Technology and the ability of the criminal element to adapt and defeat existing identification methodologies, predicated on breeder documents that are susceptible to counterfeiting, have made it necessary to develop different, more advanced identity authentication systems. (7) Whether real or hyperbole, identity theft is being tied to the information age and the identity thief's "stock in trade is your everyday transaction." (8) As noted, identity theft has been described as one of the "fastest growing crimes in the nation," (9) and "the crime of the new millennium." (10) While certainly this potential exists, a 2003 study actually indicates that all forms of identity theft have impacted only 4.6% of the population. (11) Further, even when recommendations are made to increase efforts to reduce identity theft in some areas, this is not necessarily viewed as an appropriate allocation of resources. (12) While no one would want to be in any group of identity theft victims, media coverage tends to leave the impression that this is an urgent, major crime for a hugely significant portion of the American public, and legislators are scrambling to get on the bandwagon with ever increasing amounts of legislation. Therefore, there is the need to look at this topic in more detail, including from a legal perspective

2. WHAT IS IDENTITY THEFT?

   "Identity theft" is a term referring to a variety of crimes, all of which involve "stealing" someone's personal identifying information. (13) The identity thief may use a variety of methods to obtain this information, ranging from "basic street theft to sophisticated, organized crime schemes involving the use of computerized databases or the bribing of employees with access to personal information on customer or personnel records." (14) Once an identity thief obtains the necessary information, he can transact business as his victim. The thief profits by using his victim's personal information to take funds from her bank accounts, take over her very identity, run up vast debts, or commit crimes. (15) In a recent Internet twist, two identity thieves opened accounts to sell goods on an Internet auction site--but there were no goods and they had opened their accounts under the names of their victims. When buyers at the auction did not receive their goods, they thought the victim, not the thief, was the seller who had defrauded them. (16) The pattern is that the victim herself is seen as the wrongdoer and bears the burden of proving that she did not do what she is alleged to have done. What does identity theft typically involve? As explained by one group:

   The term, 'identity theft', is itself complicated because it is used to refer to several different types of crimes in which personal or financial data is compromised. However, as the number of cases have increased, patterns have emerged, making it possible to classify identity theft into the following categories:

   * Fraudulent Authentication/One-Time Identity Theft

   * Financial Institution Fraud

   * Credit Card Fraud

   * Fraudulent Loans

   * Communications and Utilities Fraud

   * Other (17)

   The Federal Trade Commission collects data regarding identify theft complaints through its Consumer Sentinel program. (18) While not comprehensive, it may indicate the most popular uses for stolen identifying information. An identity thief's fraudulent activities generally take one (or both) of two basic forms: so-called "criminal identity theft" (providing a victim's personal identifying information to law enforcement upon arrest) or financial fraud, further distinguished as "true name fraud" (using a victim's identifying information to open new accounts in the victim's name) and "account takeover" (gaining access to a victim's existing accounts and making fraudulent charges). (19) Although criminal identity theft does take place, traditionally the vast majority of identity thefts have been financial (20) and are usually a component of one or more other white-collar or financial crimes. (21) However, there is also "identity fraud," which encompasses identity theft but also includes creating or using a fictitious identity, as opposed to stealing and using a real one. (22) In modern society, it may be that we will actually see as much or more of that kind of criminal activity than the type which regulators tend to be responding to most:

   The use of a false identity created from fraudulent documents or a stolen identity (identity theft) in the commission of a crime has long been used by criminals and criminal organizations to facilitate criminal activities and avoid detection. As is evident from the previous section, quantifying the impact of identity fraud is difficult, but as the statistics in the next sections report, terrorism, money laundering and financial crimes, drug trafficking, alien smuggling, and weapons smuggling are growing concerns for the public and private sectors. Laws and regulations that have been instituted since 1998 are another indicator of the dramatic increase in the widespread use of these methods by criminals and terrorists. (23) In any event, the focus here is on aspects of identity theft involving financial or white collar crimes. Table 1 uses 2002 data to illustrate how identity thieves misuse victims' information. (24) Each victim included in the table data reported at least one type of identity theft, while 22% reported experiencing more than one type. (25)

   According to the above, more than twice as much identity theft concerns new accounts as opposed to existing accounts. However, the 2003 FTC Report presents a different picture, indicating that as those surveyed, the most identity theft in the last 5 years occurred with respect to existing accounts, not new accounts. (27)

   New accounts and other fraud 4.7% Other existing accounts 2.0% Existing credit card only 6.0% Total victimization 12.7% Of the "new account" category, the 2003 FTC Report indicates that the following kinds of accounts were opened by identity thieves, with the most common being a new credit card account:

   Credit cards 8% Loans 5% Telephone services 5% (includes wireless and...