Criminal Identity Theft in California: Seeking Solutions to the Worst Case Scenario

Criminal Identity Theft in California: Seeking Solutions to the Worst Case Scenario

Presentation by Beth Givens, Director
at Identity Theft Summit on March 1, 2005
Sacramento, CA, Convention Center


Conference sponsored by California District Attorneys Association, California Office of Privacy Protection (Calif. Dept. of Consumer Affairs), and California Governor Arnold Schwarzenegger


Thank you for the opportunity to talk about criminal identity theft today. We at the Privacy Rights Clearinghouse call criminal identity theft the “worst case scenario” of identity theft for reasons that will become clear to you in my presentation.


I will over these four topics:

First, what criminal identity theft is.

Second, some examples of individuals’ experiences.

Third, California’s Identity Theft Registry, an attempt to ameliorate some of the harmful impacts of criminal identity theft.

And fourth, I will close with recommendations involving legislation, education, research, and state government responses.


First, what is criminal identity theft?

Criminal identity theft occurs when an imposter gives another person’s name and personal information, such as a Social Security number, driver’s license number, and date of birth, to a law enforcement officer upon arrest or during an investigation. Or the imposter may give to law enforcement a counterfeit driver’s license or identification card containing another person’s information.


In a typical situation, an individual stopped for a traffic violation, for shoplifting, or another misdemeanor, claims to not be carrying identification. He or she then gives the identifying information of another person to the officer. Often this information is of a family member, roommate, or friend.


In misdemeanor situations, the cited or arrested individual is usually released and told to appear in court when notified. The imposter does not appear in court, however, and at that date a warrant for the arrest of the innocent person is issued. The next time the innocent person – the criminal identity theft victim – is stopped for a broken tail light, the officer runs a search of the criminal records files and discovers the outstanding warrant. The victim is often brought to the police department and booked, even jailed.


Another typical scenario in which the victim discovers that he or she has a wrongful criminal record is when applying for a job – when a background check is conducted and the individual is denied employment. The inability to find work can go on for years.


Let me give you three such stories, from our files at the Privacy Rights Clearinghouse, and from the media.

Mark is a 10-year Marine veteran with expertise in information technology. A decade ago when serving in Africa, his brother used his identifying information when arrested for traffic tickets and when convicted on felony charges in another state. Mark was recently laid off from a computer technology job and has applied for several positions for which he says he is eminently qualified. But none of the applications has resulted in an interview. One employer alerted him to two felonies and six misdemeanors uncovered in a background check. “Obviously,” Mark told the PRC in an e-mail message, “no IT firm or professional organization would hire a felon to manage sensitive and confidential information.” (From the PRC’s files)


The situation of Bay Area woman Stancy Nesby received considerable media attention in September 2004. Her purse was stolen in the late 1990s by someone who then used her identity when arrested for crimes. Nesby has since been detained six times, arrested four times, and jailed four times for five days on no-bail felony bench warrants naming her, even though a state judge determined that she was not the person arrested by law enforcement in 1999. In one arrest, her children were taken away and placed with Child Protective Services. She has had to hire an attorney to represent her and is suing the city of San Francisco for its failure to withdraw warrants. (Joyce Cutler, “Woman Sues City Over Arrests, Jailings Allegedly Spawned by ID Theft, Bad Warrants,” BNA Privacy and Security Law, Sept. 20, 2004)


The third case is that of Sacramento man Rodney Ware who received media attention in November 2004. His case involves both financial fraud and criminal identity theft. His wallet was stolen in 1989, and shortly after that he began to get notices in the mail that he owed the City for many light rail tickets. After that, he had to deal with fraudulently opened bank accounts, fake drivers licenses, fraudulent credit accounts, cell phone accounts, and fraudulent local phone service in several states. He has been arrested several times -- in the airport, in front of his home, and at a new employment orientation session. There have been several warrants for his arrest in several states including Colorado and Kansas. He has had to go to court in these other states to clear his name. The crimes include hit and run, illegal drugs, bad checks, traffic tickets, among others.


Mr. Ware considered changing his name and Social Security number before learning of the Identity Theft Registry. And in November 2004 he appeared in court here in Sacramento where a judge issued a court order declaring him innocent of the charges. With this order, he was able to add his name to the Registry. He said to reporters, “I don’t feel haunted by law enforcement anymore. I have something that identifies me as a victim instead of a criminal.” The news story concludes: “The next time Ware is stopped by law enforcement, one phone call to a special hotline staffed around the clock should clear up any confusion.” (Sacramento News 10, Nov. 24, 2004)


California Identity Theft Registry

In the late 1990s, Tom Papageorge of the Los Angeles District Attorney’s office hosted a series of meetings in which several of us attempted to search for legislative solutions to criminal identity theft. The voluntary ad hoc task force included local, state, and federal law enforcement, prosecutors, a criminal identity theft victim, myself as a consumer advocate, and Mari Frank who is an identity theft victim, an expert on ID theft, and attorney.


The work of our task force resulted in the Torlakson bill, AB 1862, signed into law in September 2000. It established Penal Code 530.7, the California Identity Theft Registry. (


The Registry is a data base, developed and maintained by the California Department of Justice, in which information about individuals who are victims of criminal identity theft is recorded. Access to the data base is provided to “criminal justice agencies, victims of identity theft, and individuals and agencies authorized by the victim.” The bill also required the California DOJ to establish and maintain a toll-free number to enable these entities access to the Registry.


The Registry was developed in 2001 and has been in operation ever since. It is managed by Bud Wilford.


Here’s how it works.

Let’s say you have learned you are a victim or criminal identity theft – like the three individuals whose stories I told you a moment ago. You will need to obtain verification from the court in the California jurisdiction where the arrest and/or conviction occurred that you are indeed a victim of criminal identity theft. Then you have your fingerprints taken at one of the state’s many Livescan sites. You complete the application to enter the Identity Theft Registry and send it along with the all-important court verification – known as the CR-150 form – to the California Department of Justice.


Once you’ve accomplished all this – which could take several months at minimum – let’s say you are stopped for speeding, or for a broken tail light. When the law enforcement officer runs a check on your identity, you tell him or her that you are a victim of criminal identity theft and that an official record of your status is kept by the California DOJ. You give the officer the Registry’s toll free number (888-880-0240) which is staffed every day of the year 24 hours a day. You must also give a PIN number, which you receive once you are successfully accepted into the Registry. If all goes well, the officer verifies your status as a criminal identity theft victim, and your only concern is to deal with the broken tail light or the speeding ticket.


For employment, Bud Wilford tells me that his office will send a letter to the employer verifying your status as a criminal identity theft victim. He says that letters are far more common than phone calls in this situation.


Sounds simple enough, right? Unfortunately, the most difficult part of the whole process is obtaining court verification that you are a victim of criminal identity theft. The order that the individual is seeking from the court is known as a “Certificate of Identity Theft: Judicial Finding of Factual Innocence.” It’s also known by the form number, CR-150.


When the Registry was first developed, victims found it difficult to use the court system to obtain the necessary document that they are indeed innocent. In fact, in the early days, this process really required the assistance of an attorney. For the first couple of years, I’m told, there were only two registrants in the Registry. I’m told by Bud Wilford that there are now 30 registrants – four years after the Registry was developed.


What has made a difference for some victims is a guide developed by the California Office of Privacy Protection for victims of criminal identity theft, available on its web site, The OPP had the assistance of law students at Stanford Law School’s Center for Internet and Society. Now, individuals can represent themselves much more easily than in the early days of the Registry, and are not as likely to have to hire an attorney.

The guide offers step-by-step instructions, and has all the necessary documents and forms. Further, it’s written in plain English, at, I would guess, an 8th grade level at most. The packet is also available through the web site of the California Attorney General,



This is a conference seeking solutions, so let me now discuss my recommendations. In preparing this presentation, I have relied on what we have learned from actual victims contacting the PRC. And I’ve talked at length with an individual who has assisted several individuals in the court process of obtaining the CR-150. That person is Mr. Jay Foley of the Identity Theft Resource Center in San Diego. He and his wife Linda, the founders and executive directors of the Center, assist victims through the entire life cycle of identity theft. They have in-depth understanding of the plight of victims of both credit and financial identity theft, as well as the worst case scenario of criminal identity theft. Their web site is


My recommendations are in the following categories: Legislation, education, and research.


First, possible legislation:

  • There must be, if not already, enhanced penalties for those who use another person’s identifying information when arrested, cited, and convicted. And those penalties must be sufficient to act, as much as possible, as a deterrent.
  • Further, criminal identity thieves should be required to pay the court costs and other costs for their abuse of the system.
  • For criminal identity thieves, there needs to be less probation and more real time.
  • There must be more multi-jurisdiction cooperation in these cases.
  • And there must be a victim-hand-holding function established, so a victim has the same individual to deal with as a “constant” throughout the whole process. Perhaps this could be done through the victim-witness assistance programs in most district attorneys’ offices.
  • And another recommendation on the victim’s side of the equation, there should be the development of uniform court procedures across the state for the handling of the entire CR-150 process. More on this in a moment.

Second, education. This is key. Jay Foley of the Identity Theft Resource Center has walked several criminal identity theft victims through the court process in two different counties’ Superior Courts. He and the victims he has assisted have found that there is almost no knowledge of the CR-150 process and the Registry.

There must be a broad-based education campaign to reach the following:

  • judges
  • court clerks
  • court administrators
  • Livescan operators
  • Prosecutors and staff in District Attorneys’ and Attorneys’ General offices
  • law enforcement
  • attorneys, especially criminal defense attorneys
  • victim-witness assistance programs
  • legal services for low-income individuals
  • law school clinics
  • consumer advocates
  • community-based organizations, especially those serving low-income and non-English speaking individuals
  • in short, anyone who might come in contact with a victim of criminal identity theft.

Educational materials should be in more languages than just English.


The California Office of Privacy Protection has done a vital service by preparing its guide, available on the OPP web site, in a very readable form. This must be widely disseminated, and if it’s not already in other languages, it needs to be. Perhaps a short version can be written, brochure-size, that could be handed out by court clerks, law enforcement, victim-witness programs and so on – in multiple languages.


A brochure is one educational tool, but there are more. The CR-150 process and the Identity Theft Registry must be included on the agendas of the many conferences that all those people I just listed attend. Not just for one year’s conference, but on an ongoing basis.


The media can serve as a great educational vehicle. The people that I just listed as the targets of education all have their own professional and trade associations, with their own magazines and newsletters. Stories about the CR-150 process and the Registry should be submitted to them for publication. And they should not be limited to just California publications. Californians who are victims of criminal identity theft are having to travel all over the country to work with law enforcement and participate in court hearings in states where there is no CR-150 process and no Registry. I feel for individuals who have to work within the criminal justice systems of states that do not have these systems in place.


Bud Wilford of the California DOJ tells me that there is a proposal in the works to develop a new ID Theft File by the NCIC so law enforcement agencies can flag “stolen identities” and “identify imposters.” This can’t come too soon.


My third recommendation is research – in two areas: criminal identity theft in general, as well as the effectiveness of the CR-150 process and the Registry.


How many criminal ID theft victims are there? How does it happen? How does it impact the victims’ lives, both in the short-term and the long run? Is there disparate impact depending on race/ethnicity, income, education, and so on? The short answer is “yes.” By the way, both the Identity Theft Resource Center and the Privacy Rights Clearinghouse can help with such research because we are contacted by many victims.


In terms of the CR-150 process and the Registry, we need to know how effective they are. Why are there only 30 people in the Registry right now? How can the court verification process be made even simpler than it is now. How much time does it take to finally get into the Registry? Remember, for all those months that the victim is attempting to get the CR-150 form and listed in the Registry, they are vulnerable to being arrested and detained. In addition, they are virtually un-hirable. What sorts of uses are made of the Registry? For those unable to obtain the CR-150 form, what happened that makes it difficult or impossible for them to get court clearance?


Another aspect of research is to find out what is happening in other states. For example, Ohio and Virginia now have identity theft passport programs.


And finally, there must be an in-depth investigation conducted of the information broker industry. We know from talking with victims that getting a CR-150 document is not the end of the nightmare. Employers can still have access to the wrongful criminal records when they conduct employment background checks using the services of any one of the many commercial information brokers.

  • See Beth Givens’ 2000 speech on this topic, “Identity Theft: The Growing Problem of Wrongful Criminal Records".
  • See also Beth Givens’ 2002 speech, “Public Records on the Internet: The Privacy Dilemma."

As we’ve all learned these past two weeks as the Choicepoint data breach has unfolded, the information broker industry is not strongly regulated. A good research study could track the flow of records from law enforcement and the courts, to data compilers and beyond to the information brokers. The research would also examine what happens or does not happen when court records are sealed or expunged.


The largest information brokers are ChoicePoint, Lexis-Nexis, Acxiom, WestLaw, and Info USA. But there are many more who sell their wares for a fee – to virtually anyone -- on the Internet, no questions asked. and are just a couple.


Thank you for listening.


In closing I want to acknowledge and thank Bud Wilford of the Californioa DOJ’s Identity Theft Registry, Jay Foley of the San Diego-based Identity Theft Resource Center, and Paul Satkowski of the DMV. All have helped me understand the complex crime of criminal identity theft.


Thank you again for the opportunity to speak here today.