Written Testimony for U.S. Senate Judiciary Subcommittee
on Technology, Terrorism, and Government Information
Senator Jon Kyl, Chairman
Testimony Provided by:
Beth Givens, Director
Senator Kyl, Senator Feinstein:
Thank you for the opportunity to testify before your Subcommittee today.
The Privacy Rights Clearinghouse is a nonprofit consumer information and advocacy program based in San Diego, California. The PRC was established in 1992. We have been assisting victims of identity theft since 1993, when we first started learning about this crime. Our guides for identity theft victims can be found on our web site at . I estimate that I have assisted at least 4,000 victims of this crime, and that others on our staff have assisted many thousands more over the years.
I appreciate the ability to provide written and oral testimony on the skyrocketing crime of identity theft, its impact on victims, and possible solutions. And I commend you and the Subcommittee members for addressing this issue. My written testimony is in four parts.
Topic number one is the crime itself - what is identity theft, how much of it is going on, and why it is happening in epidemic proportions.
Second, I will discuss the many ways in which identity thieves obtain the bits and pieces of information they need to impersonate others -- mainly Social Security numbers (SSN) and credit card account numbers.
Third, I will explain some of the impacts on victims.
And fourth, I will recommend legislative and industry measures to prevent identity theft and to expedite the ability of victims to regain their financial health.
First, what is identity theft? There are numerous variations of this crime. Essentially, it occurs when someone uses bits and pieces of information about an individual -- usually the Social Security number -- to represent him or herself as that person for fraudulent purposes. Examples are obtaining credit cards and loans in someone else's name and then not paying the bills, opening utility accounts, renting an apartment, getting a cellular phone, purchasing a car or a home, and so on. Another type of identity theft - what I call the worst case scenario - is when the perpetrator commits crimes in the victim's name and gives that person a criminal record.
Victims are not liable for the bills accumulated up by the imposters, thanks to federal law. But they do have the anxiety and frustration of spending months, even years, regaining their financial health and restoring their good credit history.
How many victims of this crime are there? We don't have accurate statistics. But I estimate that there are 500,000 to 700,000 victims this year. [Sept. 2003 Update: Recent surveys show there are currently 7-10 million victims per year, greatly exceeding our earlier estimates.] A 1998 report by the U.S. General Accounting Office tracked identity theft statistics from 1992 to 1997, based on figures provided by the Trans Union credit reporting agency (CRA). A graph on page 40 shows a dramatic 16-fold increase in the volume of calls from individuals to Trans Union's Fraud Department during the six-year period from 1992 to 1997. Trans Union now receives well over 2,000 calls a day from victims of identity theft. [U.S. General Accounting Office, www.gao.gov "Identity Fraud," Report No. GGD-98-100BR, 1998, p. 40]
Why are these figures significant? When individuals learn they are a victim of this crime, the first step they should take is to contact the three bureaus and place a fraud alert on their file. The CRAs are Trans Union, Equifax, and Experian (formerly TRW). Therefore, the number of calls received by the CRAs' fraud departments is a good indicator of the volume of this crime.
Why is this crime so rampant today? It is very easy for the criminals to obtain the information needed - in particular, Social Security numbers. Non-Social Security Administration uses of the SSN have not been prohibited by law, at least not to date. As a result, SSNs are used as identification and account numbers by many entities -- insurance companies, universities, cable television companies, military identification, banks, securities brokerage companies, and the like. In about a dozen states, the SSN is used as the driver's license number.
Identity thieves can obtain SSNs by stealing mail where those numbers are included. They sift through the trash outside of businesses and residences in hopes of finding unshredded documents containing SSNs and other data. Dishonest employees can obtain SSNs in the workplace by obtaining access to personnel files or accessing credit reporting data bases (commonly available in auto dealerships, realtors' offices, banks and other businesses that approve loans).
Another reason identity theft is rampant is because of credit industry practices. Credit grantors make it all too easy to obtain credit. Many credit issuers do not adequately check the identities of applicants before granting credit. Instant credit opportunities are especially popular with identity thieves for this reason. Credit grantors are all too eager, in their competitive zeal, to obtain new customers. It is not uncommon for households to receive several pre-approved offers of credit per week. In fact, a Los Angeles Times news story reported that credit issuers mailed 3.4 billion pre-approved offers of credit to consumers in 1998. ("Charges are flying over credit card pitches," by Edmund Sanders, Los Angeles Times, June 15, 1999, p. D-1. www.latimes.com)
Another reason identity theft is skyrocketing is that it does not yet get the attention of law enforcement that more violent crimes receive - like breaking and entering, mugging, robbery by gunpoint, and bank thefts. Many violent criminals and organized crime rings are moving to identity theft because they know that law enforcement resources are not yet sufficient to investigate the majority of such crimes. Identity thieves are rarely apprehended and sentenced. If they are, penalties are minimal and rarely include jail time. Community service and parole are the usual sentences.
My second topic is the methods used by identity thieves to obtain identifying information about their victims. Typically, they obtain the Social Security number and name. That's often all that is needed to apply for credit (called "application fraud"). They also might obtain credit card numbers and hijack existing accounts (called "account takeover). Other pieces of information useful to identity thieves are dates of birth, mother's maiden name, and driver's license numbers.
One such method is the old fashioned way -- by stealing a wallet or purse. The thief either uses the information obtained or provides the contents to a crime ring. Even if the individual does not carry the Social Security card in the wallet (and we recommend that they do not), he or she might have an insurance card or student ID with that number on it.
Another strategy is to fish credit card slips and loan or credit applications from the trash. Unfortunately many businesses, banks, mortgage companies, and restaurants do not shred these documents.
We are seeing an increase in the "inside job" in the workplace -- dishonest employees with access to computer terminals connected to one of the credit reporting agencies. They might look for names similar to theirs, or just someone with good credit. Obviously what goes hand in hand with this type of access is the negligence of the company which is permitting such uses in an unmonitored environment.
"Insiders" have also used their access to personnel records to obtain Social Security numbers of identity theft victims. In a recent case in San Diego, a dishonest employee had unfettered access to a storage room where past payroll information was filed. She obtained SSNs of over 100 current and former employees and used them to obtain credit in their names.
We learned of a case where a member of a Nigerian crime ring was employed temporarily at a very large corporation. He downloaded the employee list containing SSNs and then one by one the employees' identities were used for fraudulent purchases. The employees didn't know about it until they started sharing stories and learned that many of them had been hit. It wasn't until much later that the human resources department confessed that they had known about the theft, but they didn't want to tell the employees and cause them to panic.
Sadly, some identity theft is perpetrated by relatives or friends, roommates, household workers like health care givers, and spouses going through a divorce who have a grudge. These individuals obtain Social Security numbers, driver's license numbers, and credit card numbers by having access to their personal effects.
Mail theft is another way of obtaining identifying information, as mentioned above. We urge people not to leave their paid bills out at the mailbox for the carrier to pick up. It's better to drop them off at the Post Office. There's also insider mail theft, where credit card mail is stolen from the mail processing areas by postal employees.
Then there's the change of address routine. The thief fills out a change of address card so the victim's mail is diverted to the thief's drop box. The thief obtains bank statements and credit card bills, monthly investments reports, and pre-approved offers of credit containing the information necessary to impersonate the victim. The Postal Service has recently initiated changes to make this more difficult.
Application fraud is another method. The imposter fills out a credit application -- perhaps a pre-approved offer of credit retrieved from the trash -- with the victim's name and identifying information and has the credit card mailed to another address. The major credit card issuers say they are now more wary of changes of address, but their efforts are not foolproof.
The Internet is becoming a more popular resource for identity thieves. Yes, there are web sites that sell individuals' Social Security numbers. Social Security numbers can be purchased for as little as $20. They are found in records called "credit headers" that are sold by credit reporting agencies to information brokers. Credit headers include name and name variations, current and former addresses, telephone numbers (including unlisted numbers), year and month of birth, and SSN. At this time, there are no restrictions on the sale of credit headers to information brokers. Consumers have no way to "opt-out" of the sale of their credit header data. The information broker industry adopted a voluntary privacy policy in 1997, but it has been ineffective in restricting the sale of sensitive personal information to the general public. (See the Individual Reference Services Group guidelines at www.irsg.org.)
There are many more schemes. Most victims with whom we have spoken haven't a clue as to how their identifying information was obtained by the imposter.
My third topic is what happens to the victims of these crimes? Even though each identity fraud case is different, what happens to the victims is, sadly, all too similar.
They get little to no help from the authorities who issued the identifying information to them in the first place.
Law enforcement doesn't investigate many such crimes. There's just too much identity fraud occurring for them to handle all such cases, although the financial fraud departments of many police departments are being expanded.
Many police and sheriff's departments refuse to issue a police report to the victims. They claim that the banks and credit card companies are the real victims because they suffer the financial losses. Many victims find they need the police report to prove their innocence to the credit card companies and the check guarantee services.
Many victims report they do not get effective help from the credit grantors, banks, and the CRAs. They describe difficulty in reaching the credit reporting agencies, and tell how they are treated disbelievingly by some creditors. Victims also report that flagging their credit report for fraud doesn't always stop the imposter from obtaining more credit.
Victims must also deal with abusive collection agencies. They are threatened with law suits, garnished wages, and having their homes taken away from them.
Another common experience of victims is that they must spend a great deal of time cleaning up the mess. I've talked to many who are taking the day or the week off work so they can make the necessary phone calls, write the letters, and get affidavits notarized. This costs them money as well. Many victims are saddled with this situation for years.
In a recent survey we conducted with CALPIRG, we found the average amount of time spent by victims to regain their financial health was 175 hours. And those cases had dragged on for an average of two years, with many cases taking more than four years to be resolved. ("Nowhere to Turn: Victims Speak Out on Identity Theft." May 2000. www.privacyrights.org/ar/idtheft2000.htm)
Victims are often scarred emotionally. They feel violated and helpless -- and very angry. I've heard people use the word "rape" to describe how they feel. I've talked to many who are crying or close to it because they cannot stop what is happening to them, and no one else will either. I've talked with elderly people who are terrified of losing their life savings and their homes.
It's little wonder that victims feel violated, helpless and angry. They are unable to rent an apartment, get a job, qualify for a mortgage, buy a car, all because someone else's bad credit history is recorded on their credit report. Essentially the entire burden of this crime is placed on the shoulders of the victims.
The worst-case scenario is when the thief commits crimes in the victim's name. We learned of a case where the imposter was a major drug dealer, using the identity of a high-tech company president. This man travels out of the country often and has to carry a letter from law enforcement which explains he is not the drug dealer, because he gets pulled into secondary inspection every time he comes back to the U.S. Recently law enforcement from another state, who had not read the entry on the FBI's NCIC crime data base completely, entered his bedroom in the early morning hours and tried to arrest him at gunpoint. He was able to convince them they were seeking the wrong person.
Another case that came to our hotline was an Hispanic man, a U.S. citizen, who was visiting relatives in Tijuana, Mexico, across the border from San Diego. He was taken into secondary inspection by U.S. Customs on his return trip to San Diego. A search of his SSN showed he was wanted for a crime in the Bay Area. He was transported from San Diego to San Francisco and put in jail. It took him 10 days before one of the officers believed him, took his fingerprints as he had requested all along, and realized they had the wrong person.
Another worst-case scenario is when the imposter is working under the victim's name and SSN, and the earnings show on the victim's Social Security Administration record. We learned of one such a case that had been going on for 10 years. The imposter obtained the victim's birth certificate, a public record in California. And even when the victim acquired a new SSN, the impersonator was able to obtain it shortly thereafter. Victims of employment fraud often must deal with the Internal Revenue Service because IRS records show they are under-reporting their wages.
Finally, in order for victims to extricate themselves from the identity theft mess they find themselves in, they have to be fairly savvy consumers. They must be assertive with the credit card, banking and credit reporting industries. They must be assertive with all kinds of other officials as well. I have talked with many consumers who are not equipped to deal with the challenges that this crime brings to them -- individuals whose first language is not English, or those whose English language skills are such that they cannot communicate at the level of complexity that this problem requires. Those who are semi-literate or illiterate cannot write the necessary letters. Unfortunately, there are not enough consumer assistance offices to help these people.
My fourth and final topic is legislative and industry solutions to the crime of identity theft.
The awareness of identity theft among consumers has skyrocketed in the past year -- primarily because of media coverage. I think consumers are becoming much more wary of disclosing personal information and having it given out without their consent, especially on the Internet. These outcries by members of the public have resulted in some legislative attention brought to the issue, both on the federal level and in the states.
In 1998 Congress passed and the President signed the Identity Theft and Assumption Deterrence Act (18 USC 1028). It makes identity theft a federal felony - when someone knowingly uses the identification of another person with the intention to commit any unlawful activity under federal and state law. Violations of this Act are investigated by federal agencies like the U.S. Secret Service, the Social Security Administration, the FBI, and the U.S. Postal Inspection Service. Such crimes are prosecuted by the U.S. Department of Justice.
This new law allows for restitution for victims. It established an identity theft clearinghouse within the Federal Trade Commission. The FTC now offers a toll-free number for consumers to call, 877-IDTHEFT, as well as a web site, www.consumer.gov/idtheft.
In recent years nearly 40 states have criminalized identity theft. Most of them have made it a felony. A list of those states can be found on the FTC's web site at www.consumer.gov/idtheft/statelaw.htm
On the one hand, I'm pleased that this crime has been criminalized by these new laws. But I believe that in order to make a dent in identity theft, the practices of the credit industry must change dramatically. Until laws create incentives for the credit industry to change how they do business, the crime of identity theft will continue to climb at epidemic proportions.
I am encouraged by the introduction of Senate Bill 2328 by Senators Feinstein, Kyl, and Grassley, titled the "Identity Theft Prevention Act of 2000." It places the emphasis on prevention where it rightfully belongs. The points that follow include discussion of the key provisions of S.2328 (http://thomas.loc.gov).
Here are some suggestions for making credit industry practices more fraud-proof:
A change of address is often an indicator of fraud. Simple steps by both credit grantors and reporting agencies in verifying address changes would greatly reduce fraud incidents. S.2328 requires that if the card issuer receives a change of address notification, it must send a confirmation notice to both the new and former addresses. Further, if a card issuer receives a request for an additional credit card within 30 days of receiving a change of address, it must also notify the cardholder at the old and new addresses. Credit reporting agencies must notify credit issuers when they become aware that a credit application bears an address for the consumer that is different from the address they have on file.
A penalty should be assessed whenever a credit grantor extends credit to an imposter after the victim has placed a fraud alert on the credit file (a provision of S.2328).
All consumers should be able to receive one free copy of their credit report annually (a provision of S.2328). With more consumers checking their credit reports frequently, identity theft will be detected earlier and the impact will be minimized. Six states have passed such laws: Colorado, Georgia, Massachusetts, Maryland, New Jersey, and Vermont.
Consumers should be able to notify the credit bureaus to put a "freeze" on their credit report -- to prevent their credit report from being furnished without specifically authorizing the release. A Vermont law requires that users of credit reports obtain permission from the consumer prior to obtaining the credit report (Title 9 sec. 2480e at www.state.vt.us. Click on "Statutes Online"). In California, state Senator Debra Bowen's SB 1767 would adopt the Vermont "opt-in" model.
Another important piece of legislation that needs to be enacted is a provision that takes the Social Security number out of circulation. A separate bill introduced by Senator Dianne Feinstein would prohibit the commercial sale of SSNs (Social Security Privacy Act of 2000). This measure would also limit uses of the SSN by private sector entities. Government agencies could not display the SSN on mailing labels and documents available to the public.
In California, a bill introduced by state Senator Debra Bowen during the 2000 session would prohibit the use of the SSN as an account or member number by such entities as insurance companies and universities. (SB 1767 can be found at www.leginfo.ca.gov. Click on "Bill Information.")
Credit grantors should be required to verify at least four pieces of information -- name, address, date of birth, SSN, driver's license number, and place of employment -- with information on the credit report. This is especially important in instant credit situations. If the consumer is applying in person, the credit grantor must inspect a photo ID.
As discussed earlier in this testimony, we consider the worst-case scenario of identity theft to be when the victim is burdened with a wrongful criminal record because of the activities of the imposter. This usually occurs when the imposter is arrested and released, perhaps for a traffic violation or shoplifting, and then does not appear in court. This results in a warrant for the arrest of the identity theft victim.
Victims of criminal record identity theft can find it impossible to obtain employment. Many have been jailed. It is common for such victims to be detained by U.S. Customs when entering the country after traveling abroad. They must carry a letter with them from law enforcement or the courts at all times in order to prevent wrongful detention. Such victims are faced with having their identity associated with a criminal record for the rest of their lives.
It is critical that legislation address the plight of such identity theft victims. There must be a way for them to learn that they have a wrongful criminal record. S.2328 includes an excellent provision enabling individuals to obtain the content of information about them that is compiled by an information broker, employment background check service, or individual reference service. If erroneous information is compiled in a background check for employment or other purposes, it is essential that the subjects of those investigations know the exact information that has been disclosed and the source from which the information was obtained.
Individuals who have wrongful criminal records must also be able to clear such records through an expedited process involving the law enforcement agency that made the arrest, the court system where the warrant was issued, and the official criminal records data bases at the state and federal levels. At present, there is no such process easily available to victims of criminal records identity theft. You might want to read about such a measure currently being considered in the California legislature, Assemblymember Susan Davis's AB 1897.
Victims of criminal record identity theft must also be able to locate all the information brokers that have obtained the erroneous information so they can have those records cleared as well. One solution would be to develop a national registry of individuals who are victims of criminal record identity theft and require all entities that conduct criminal records background checks to access that data base before reporting the criminal records information. In California, Assemblymember Tom Torlakson's AB 1862 would call for the development of such a data base within the California Department of Justice.
Legislation is not the entire answer to the vexing problem of identity theft. The credit granting and reporting industries must step up their efforts to assist consumers in preventing fraud altogether and in recovering from identity theft. The Associated Credit Bureaus announced an identity theft initiative in March 2000 that would streamline fraud-handling by the credit reporting industry (www.acb-credit.com). The ultimate goal of this endeavor should be "one-stop shopping" for fraud victims -- a single phone call to launch the fraud clean-up process.
Both creditors and the CRAs should increase the use of artificial intelligence computer programs to identify patterns of fraud and to quickly notify consumers of suspected fraud activity. The May 2000 identity theft victims survey conducted by the Privacy Rights Clearinghouse and CALPIRG found that the average amount of time that had transpired before individuals learned they were victims of identity theft was 14 months. (www.privacyrights.org/ar/idtheft2000.htm) Yet, evidence of fraudulent activity can often be easy to detect - numerous inquiries on the credit report in a short period of time, changes of address, monthly credit account bills that are much higher than usual, many late payments when the individual had none previously, and so on.
Before closing, I want to briefly discuss the role of law enforcement in investigating identity theft crimes and assisting victims. Three-fourths (76%) of the respondents to the PRC/CALPIRG identity theft survey reported that the police whom they contacted were unhelpful. Detectives were assigned to their cases less than half of the time. And one-fourth of the victims were not able to obtain a police report.
It is clear that the crime of identity theft calls for some new approaches by law enforcement. One approach that is being explored in California is the development of a single unit within the police department that specialize in identity theft. The Los Angeles Sheriff's Department has established such a unit. Assemblymember Robert Hertzberg has introduced AB 1949 to fund three pilot projects in the state to establish such specialized units.
Additional suggestions for addressing the multi-faceted crime of identity theft can be found in the PRC/CALPIRG identity theft survey, a copy of which has been provided to the Subcommittee. ("Nowhere to Turn: Victims Speak Out on Identity Theft," http://www.privacyrights.org/ar/idtheft2000.htm)
Thank you for the opportunity to testify about the crime of identity theft. Please feel free to contact the Privacy Rights Clearinghouse if you seek additional information or assistance.
Identity Theft Resources Privacy Rights Clearinghouse, Aug. 1999
Privacy Rights Clearinghouse
Fact Sheet 17: "Coping with Identity Theft: What to Do When an Imposter Strikes."
Fact Sheet 17a "Identity Theft: What to Do When It Happens to You." Published w/ CALPIRG.
The Privacy Rights Handbook: How to Take Control of Your Personal Information, by Beth Givens, Avon Books, 1997, paperback $12.50. Contains a chapter on identity theft.
Privacy Piracy: A Guide to Protecting Yourself from Identity Theft, by Mari Frank, Esq., and Beth Givens (1999, Office Depot). Contact Office Depot at (561) 998-0283.
Fact sheets and book are available from the Privacy Rights Clearinghouse, 3100 - 5th Ave., Suite B, San Diego, CA 92103. (619) 298-3396, Fax (619) 298-5681. Online inquiry form: www.privacyrights.org/qwertyuiopasdfghjkl.php. Fact sheets, speeches, and case studies can be found on the PRC's web site, www.privacyrights.org.
CALPIRG
Theft of Identity: The Consumer X-Files. CALPIRG's overview of the growing problem of theft of identity, issued August 1996.
Identity Theft: Return to the Consumer X-Files. An update to the 1996 report, Sept. 1997.
These reports can be obtained for $20 each from:
CALPIRG, 926 J St., Suite 713, 926 J St., Suite 713, Sacramento, CA 95814. (916) 448-4516. Web: www.pirg.org/calpirg.
U.S.PIRG, 218 D St., S.E., Washington, D.C. 20003. (202) 546-9707. Web: www.pirg.org.
Reports and Magazine Articles
Identity Theft: Information on Law Enforcement Efforts, Prevalence and Cost, and Industry and Internet Issues. U.S. Government Accounting Office. Report No. GGD-98-100BR. Call the GAO to order a free copy: (202) 512-6000. Also available on the Web: www.gao.gov.
"Are you a Target for Identity Theft?" Consumer Reports Special Report, Sept. 1997, pp. 10-16.
"The Great Name Robbery," by Sharon Epel. Good Housekeeping, Aug. 1998, pp. 98+.
Five Steps to Prevent Stolen Identity Credit Fraud by Travis J. Perry. (1999) Available via the Web: www.futurecrime.com.
Identity Theft Prevention and Survival Tools
Written by Mari Frank, Esq., an attorney and victim of identity theft, who turned her experience into a guide to help other victims. Includes the book From Victim to Victor, attorney-written form letters on diskette, and six audiotaped interviews with victims and experts. Porpoise Press, 1998. $79.95 for entire kit, $39.95 for the book alone. Frank has alos written a book entitled Safeguard Your Identity.
Available from: Porpoise Press, 28202 Cabot Rd., Suite 215, Laguna Niguel, CA 92677. (800) 725-0807. Web: www.identitytheft.org.
Federal Trade Commission.
To file a complaint about your identity theft case that may help the FTC and other law enforcement agencies investigate and apprehend identity thieves, contact the FTC: (877) FTC-HELP. Web: www.ftc.gov/bcp/conline/edcams/identity/index.html. The web site lists federal and state identity theft legislation.
Web Sites
