Legislative and Regulatory Responses to Identity Theft
Since 1998, when identity theft first became a federal crime, a number of statutes and regulations have clarified impermissible use of personal information and offered greater tools to law enforcement. However, no law or regulation is focused solely on account hijacking. These changes in federal law have either established standards for protecting information, provided consumers with more information about their credit history so they can be more vigilant in protecting their own identity, or increased criminal penalties for identity theft and enforcement tools in an effort to deter it. Each of these approaches is discussed below.
Standards for Protecting Information
In 2001, the federal banking agencies (FBAs)48 implemented section 501(b) of the Gramm-Leach-Bliley Act (GLBA) by promulgating "Guidelines Establishing Standards for Safeguarding Customer Information."49 The objectives of the guidelines and of the written information-security program they require are to:
- Ensure the security and confidentiality of customer information
- Protect against any anticipated threats or hazards to the security or integrity of such information
- Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
In addition, the guidelines require financial institutions to require service providers with whom they contract to implement a security program designed to meet the guidelines' objectives.
The Fair and Accurate Credit Transactions Act of 2003 (FACTA), in Section 113, requires that account numbers on credit card receipts be shortened or "truncated" so that merchants, employees, or others who may have access to the receipts do not have access to consumers' names and full credit card numbers. This provision does not require an implementing regulation. Section 216 of FACTA requires the FTC and the FBAs to promulgate regulations defining appropriate standards for the disposal of sensitive credit report information. Section 114 of FACTA, commonly referred to as the "red-flag" provision, requires the FTC and the FBAs to promulgate guidelines identifying patterns, practices and specific forms of identity theft, and regulations to implement the guidelines as part of an identity theft prevention program.
Although the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) focuses primarily on money laundering and terrorism, it does ensure strong customer identification programs, which serve as a first-line deterrent against identity theft. Section 326, Verification of Identification, requires financial institutions to (1) implement a customer identification program for verifying the identity of any person seeking to open an account, and (2) maintain records of the information used to verify that person's identity.
Information to Consumers
FACTA contains several provisions specifically intended to reduce identity theft. Section 211 requires the three major credit-reporting agencies to provide consumers, at their request, with a free copy of their own credit report at least once every 12 months. Credit reports allow consumers to discover and correct errors in their credit records and to ensure that accounts have not been fraudulently opened in their names. The FTC has published an implementing regulation.
Section 112 of FACTA permits consumers who have, or may have, been victimized by identity theft to place an alert on their credit files in order to warn potential new creditors that the consumer may be an identity-theft victim and that some of the information contained in the credit report may be a result of the fraud. The FTC is currently drafting an implementing regulation.
Increased Penalties and Tools for Law Enforcement
The ID Theft Act makes identity theft a federal crime with penalties of up to 15 years' imprisonment and a maximum fine of $250,000. It establishes that the person whose identity was stolen is a victim (previously, only the credit grantors who suffered monetary losses were considered victims). This legislation enables the Secret Service, the Federal Bureau of Investigation (FBI), and other law enforcement agencies to combat the crime of identity theft; it allows for the identity-theft victim to seek restitution if there is a conviction; and it establishes the FTC as the central agency to act as a clearinghouse for complaints (against credit-reporting agencies and credit grantors), referrals, and resources for assistance to victims of identity theft.50
The Identity Theft Penalty Enhancement Act (Penalty Enhancement Act) was signed into law on July 15, 2004. It expands the existing prohibition against identity theft to (1) cover possession of a means of identification of another with intent to commit specified unlawful activity, (2) increase penalties for violations, and (3) include acts of domestic terrorism within the scope of a prohibition against facilitating an act of international terrorism. To achieve these objectives, the Penalty Enhancement Act amends the federal criminal code to establish penalties for aggravated identity theft, which the act defines as knowingly transferring, possessing, or using, without lawful authority, a means of identifying another person during and in relation to specified felony violations. The Penalty Enhancement Act prescribes a two-year prison sentence for aggravated identity theft and an additional five-year prison sentence for felony violations pertaining to terrorist acts.
The Internet False Identification Prevention Act of 2000, closing a loophole left by the ID Theft Act, enables law enforcement agencies to pursue those who formerly could sell counterfeit social security cards legally by maintaining the fiction that such cards were "novelties" rather than counterfeit documents.51
Each of these strategies (protecting information, customer disclosures, and increased penalties and tools for law enforcement) offers one or more mitigation techniques to deter identity theft, including account hijacking.
48 Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision.
49 FDIC (2001) and 12 CFR 364, Appendix B.
50 Frank (1998).
51 Social Security Administration (2004).