Tuesday, February 10, 2009

Identity Theft: Breaches & Laws


By: Bill Carraway, Certified Identity Theft Risk Management Specialist


Examples of breaches that put people at risk for Identity Theft are so numerous that we will only be able to cite a few here. There are also a number of laws that affect businesses and consumers, and though I am not an attorney, I will mention a few things about these laws. For questions on the legal aspects of the laws, consulting an attorney is a good idea (Pre-Paid Legal Law Firms have attorneys well versed in these laws and the NC Attorney General’s office can help with NC Law).

Some of the common breaches and incidents involve lost or stolen laptops, hacked databases, inadvertent releases of information and just plain bad record keeping that puts information out. Identity Theft is also becoming the darling crime of criminals because so few ID Theft thieves are caught and prosecuted. Let’s start by taking a look at some examples.

A common type of example is: (March 10, 2008) -- Blue-Cross Blue-Shield of Western New York says it is notifying tens of thousands of its members about identity theft concerns after one of its company laptops went missing.

Or: MEMPHIS — Two laptop computers containing data on 320,000 donors to Lifeblood, the Memphis region's blood bank, have gone missing and are presumed stolen, officials said Wednesday.

Maybe even something like this: (Updated Monday, January 28, 2008 12:59 AM) Students' personal data stolen: A university laptop containing past students' archived information and Social Security numbers was stolen from a faculty member while traveling earlier this month, potentially exposing 677 alumni who graduated between 1999 and 2004 to identity theft.

Or more from TJ Maxx: The TJX data breach affected more than 94 million credit and debit card accounts, more than twice the number acknowledged by the big retailer, a group of banks allege in a new court filing.

I could go on and on with examples, but I think you get the idea.

There are also the incidents that are clear criminal activities and not just lost or possibly stolen information, such as:

1. A former church office manager who stole more than $50,000 from Windward Unity Church and racked up more than $12,000 in debt on credit card accounts she opened in her daughter's name pleaded guilty yesterday to four counts of theft and three of identity theft.

2. An El Paso man was indicted Wednesday on federal fraud and identity-theft charges for allegedly stealing money from the bank accounts of 15 Marines who were deployed to Iraq. Edgar Alejandro Hermosillo, 24, was indicted by a federal grand jury in Las Vegas, Nev., on one count of conspiracy, one count of wire fraud and two counts of identity theft, the indictment stated.

3. Database Administrator sells 8.4 Million Consumer Records for $580,000: A Database Administrator (DBA) at Fidelity National Information Services, a consumer reporting agency based in Florida, made $580,000 over 5 years (So, no one noticed for FIVE YEARS), by selling stolen consumer records, according to Dan Goodin of the Channel Register.

4. SAN FRANCISCO -- The head of a major website that trafficked in stolen credit card numbers has been arrested and indicted after a 16-month investigation. Max Ray Butler ran CardersMarket, an online forum for people who steal, share or use others' credit card information illegally, according to the indictment.

5. OMAHA, Neb. -- TD Ameritrade said someone hacked into a database and stole contact information for more than 6 million customers.

And finally a warning from authorities: HOUSTON -- Everyone will be a victim of the fastest-growing crime in the United States, Houston police predicted. Investigators said they see about 1,300 cases of identity theft a month -- about 40 reports per day.

And then there are the lawsuits -- ID Theft is the next class action target -- and other legal situations. Let’s look at a couple of these: How much compensation does a consumer deserve for the loss of a laptop computer loaded with personal information? Raelyn Campbell figures it’s $54 million -- if you throw in a little extra for lost time and frustration. Six months after bringing a damaged laptop computer into a Best Buy electronics store for repairs, and three months after the firm admitted losing it, Campbell filed the whopper of a lawsuit recently in Washington, D.C., Superior Court; (CBS4) MIAMI-DADE -- A South Florida woman started a class-action lawsuit against the giant clothing company chain, Gap Inc., after the company admitted computers containing the personal information of hundreds of thousands of job applicants were stolen; Over the past six months, more than 100 class-action lawsuits have been filed in federal courts against a wide range of retailers who have allegedly violated the Fair and Accurate Credit Transactions Act (FACTA) of 2003. And these are just the beginning, so if you have a business that has non-public information for customers or employees, you are subject to the laws and you are in danger if you are not careful. Identity Theft and the breaches that lead to it are serious business and we all need to be vigilant and aware.

Federal Laws that spell out what a company must do are realistic enough to know that perfection is not going to be achieved. They do expect that reasonable measures are taken to comply and to protect information. More on that later, but in 2003 the FTC conducted a survey on Identity Theft, and that survey said that in the five years since the Identity Theft Assumption and Deterrence Act of 1998, 27.3 million American consumers were victims of Identity Theft. Almost 10 million of them were victims in 2002 alone. The costs and time in resolving these cases, as reported by consumers, were $5 billion and almost 33 million combined hours spent resolving the cases. Other statistics from the survey included these reports by victims: 67% reported that existing credit cards were affected; 52% discovered they were victims by reviewing their own accounts; 8% discovered the crime when they were denied credit; 26% reported they were alerted by account holders such as banks and credit card companies; 19% said that checking or savings accounts were breached; 15% said their information was used to obtain government documents, identification or on tax forms; and more. Of these victims, 52% said they knew how their personal information was obtained, and of them 25% said the info was stolen or lost. Only 4% of the victims said the theft of their information came from stolen mail, though it is important to note that ID Theft thieves will grab outgoing mail from mailboxes and get the information they need. A variation on this happens with college students who throw away pre-approved credit card offers without even opening them; thieves then search the dumpsters outside of dorms, get the offers, file a change of address, get the credit cards and run them to the max.

The main Federal Laws concerning identity theft are FACTA (The Fair and Accurate Credit Transactions Act), The Identity Theft Assumption and Deterrence Act, The Electronic Fund Transfer Act (EFTA), The Fair Credit Reporting Act (FCRA), The Fair Credit Billing Act (FCBA), The Fair Debt Collection Practices Act (FDCPA), Gramm-Leach-Bliley (GLB) and the Health Insurance Portability and Accountability Act (HIPAA). FACTA provides for free annual credit reports, rights to obtain free reports when denied credit and in other circumstances, rights for placing fraud alerts and security statements on credit files, allows for credit freezes and, for businesses, the all-important FACTA Information Disposal Rule. EFTA sets out consumer liability and reporting timelines for incorrect files and fraud and the responsibilities of the institutions. FCRA establishes consumer protections and processes for correcting incorrect or fraudulent information on credit files. FCBA spells out procedures for consumers to resolve credit billing errors and fraudulent transactions and generally limits consumer liability for fraudulent or unauthorized charges on credit cards. FDCPA prohibits debt collectors from using unfair or deceptive practices to collect debts and spells out rules they must follow when fraud or incorrect information is reported to them. GLB requires any company defined as a “financial institution” to implement policies and procedures to maintain the security and confidentiality of personal information; contrary to popular legend, this involves most companies, with “Financial Institutions” being defined as a business that is significantly engaged in providing financial services or products for personal, family or household use. And finally, HIPAA requires ALL businesses with small self-insured or fully insured health plans, again contrary to popular opinion not just health care companies, to maintain the confidentiality, integrity and security of employee health information.

And these are not the only laws, as new red flag laws and a myriad of state laws also spell out liabilities and responsibilities down the line.

With the fast-growing incidents of identity theft and the long list of laws, is it any wonder that a service to protect oneself, one's family and one's business has become a necessity, the same as providing for a home or business security system? It is also obvious that a plan to monitor and restore one’s identity that includes access to legal counsel has become imperative in this day and age. This entire area has now become the final segment of our lives that needs protection, just like we need auto, homeowners, health and business insurance. Protect your family and your business with a plan that addresses a complete solution; it is available for a very affordable cost.
