Search this Site:
|
Identity Theft Information Parts 1 & 2
IDENTITY THEFT & RELATED CONSUMER RIGHTS:
Originally compiled by Jack H. (Nick) McCall Jr. (2003)
Introductory Note: This article provides a summary of various issues relating to identity theft. It is intended to be purely informational in nature and to provide an overview of the issues regarding identity theft; it does not constitute legal advice regarding any specific situations, nor does it necessarily cover all legal and practical aspects of identity theft. Please contact a lawyer for legal advice regarding any specific set of facts or circumstances. I. IDENTITY THEFT: THE BASICS What is identity theft, and what’s happening with it? A pervasive new crime, "identity theft," is occurring with greater frequency, in part because of certain aspects of the Information Age. Think about all of the things we take care of online: shopping, making travel plans, paying bills, banking, filling prescriptions, personal emailing, business emailing, making appointments, applying for insurance or loans, etc. We put so much information “out there” that it would be naïve for us to think that all of it is safe. The problem has become so pervasive that we now have National Consumer Protection week dedicated to informing the public about what identity theft is, how to prevent it from occurring, and how to deal with the consequences if it does occur. This article addresses those issues. Identity theft occurs when someone uses another person’s personal information (such as a name, Social Security number, credit card number or bank account number) to engage in theft, conceal crimes, or obtain credit fraudulently. It can even be used to obtain illegal entry to, or employment in, the United States. Identity theft is a crime, and it can be a costly and devastating crime for its victims as well as for the credit grantors who are defrauded. Identity theft can, among other harms, mar a person’s credit history and jeopardize a solid credit rating or result, if unchecked, in a denial of credit. Further, it can affect a person’s federal tax history and Social Security earnings, if others use the stolen information for false employment or tax data. Here are some of the most common ways that identity thieves can cause you serious trouble and inconvenience: • The identity thieves open a new credit card account, using your name, date of birth, and Social Security number. When they use the credit card and don’t pay the bills, the delinquent account appears on your credit report. • The identity thief can call your credit card issuer and, pretending to be you, change the mailing address on your credit card account. Then, the identity thief runs up charges on your account. Because the bills are going to the new address and not to your address, you may not immediately realize you have a problem until after the thief has charged large amounts on your credit card. • They may establish cellular phone service in your name and not pay for it. • They could open a bank account in your name and write bad checks on it. • In some cases, thieves have used Social Security numbers to help others fraudulently obtain jobs or new employment. They may also be used to forge immigration and travel documents. This can create confusion with your IRS tax records and Social Security Administration files, as your files might reflect earnings you have not received or jobs you have not held. Many people attribute the rise in identity theft to the advent of the Internet, but that’s something of a misconception. Studies have shown that only slightly more than 10 percent of the theft happens online; rather, the majority of identity theft occurs when someone steals your mail, checkbook, or wallet. Other ways thieves work include dumpster diving; facilitating inside jobs with temporaries, interns, and workers in your home or office (cleaning services, child-sitters, etc.); mailbox theft; and even false address changes at the Post Office. Of course, none of those mundane means of identity theft has the media sizzle of widespread data security incidents involving millions of individuals at institutions like ChoicePoint, Bank of America, Marriott, CitiFinancial, Card System Solutions, and DSW Shoe Warehouse. The idea that someone has hacked into a company’s computers and downloaded thousands of individuals’ personal data is more sinister and cinematic than the vision of a drifter finding your wallet or stealing your mail. But while those high-profile incidents are troubling, they ultimately will affect far fewer people than garden variety, everyday theft. For example, last year ChoicePoint paid $5 million to the Federal Trade Commission (“FTC”) and consumers for selling records of at least 163,000 individuals to a ring of identity thieves. But only 800 affected people actually suffered identity theft. Further, an incident involving Providence Health System in Portland, Oregon, in late 2005 shows that old-school theft is still critical: 365,000 unencrypted patient records were stolen from an employee’s car, and the health-care provider notified affected patients and employees on its own. Providence became the subject of a nine (9) month investigation by the Oregon State Attorney General into whether it violated consumer protection laws by failing to take reasonable measures to protect medical records, and a patient filed a class action complaint alleging that Providence was negligent in failing to safeguard his health information. A settlement agreement was filed in September 2006. There are conflicting reports regarding whether the crime of identity theft is increasing or decreasing. The Better Business Bureau reported 8.9 million cases of identity theft in the United States last year, 3500 were reported in Tennessee. The mean fraud amount per victim was $6,383 in 2006, nearly double what was reported for 2003. In response to these rising numbers, the Tennessee legislature has filed dozens of bills on the subject of identity theft. One bipartisan measure entitled “The Credit Security Act of 2007” (House Bill 200) would allow consumers to put a freeze on their credit report and remove their Social Security number as a form of identification. The bill also provides additional protections for consumers and businesses when there has been a breach of data information. In contrast, the 2007 Identity Fraud Survey Report released by Javelin Strategy & Research reports a decline in identity theft of approximately 12% from the prior year. This translates to a fraud reduction of approximately $6.4 billion. The report cites various factors that have contributed to the decline including better consumer education and awareness, increased precautions taken by consumers, and increased usage of online banking enabling consumers to monitor their accounts. According to the survey, young adults are at the highest risk for identity theft because they are less likely to take routine safeguards such as shredding documents or regularly checking their bank accounts or credit reports. The Better Business Bureau agrees that, generally, the Internet helps in reducing identity theft. Monitoring your checkbook and credit card status online is a huge deterrent to identity theft because people find problems quickly and can report them right away. And some companies, like E-Trade, are now offering free fraud protection to ease concerns. Sophisticated companies understand and appreciate that their customers want to feel secure when they do business, whether it’s in person or online. More recently, MasterCard and Visa USA officials have begun development of an independent standards-setting organization to certify that member banks and merchants meet minimum data security requirements. Such an entity would both set and monitor standards for the entire payment card industry. This would not only improve security in that industry, but it would also have the indirect effect of contributing to the developing “standard of care” for data protection across industry sectors. And, MasterCard recently announced that it is launching an incentive program to bring merchants into its SecureCode program, which securely collects and processes cardholder authentication data from online merchants. Is identity theft a crime, and what laws apply to it? Yes. The Identity Theft and Assumption Deterrence Act, enacted by Congress in October 1998, is the federal law making it a federal crime when someone “knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law.” Under this law, a name or Social Security number is considered a “means of identification.” So is a credit card number, cellular telephone electronic serial number, or any other piece of information that may be used alone or in conjunction with other information to identify a specific individual. Violations of this law are investigated by various federal law enforcement agencies, and federal identity theft cases are prosecuted by the U.S. Department of Justice. In most instances, a conviction for identity theft carries a maximum penalty of fifteen (15) years imprisonment, a potential fine, and forfeiture of any personal property used or intended to be used to commit the crime. Schemes to commit identity theft or fraud also may involve violations of other federal laws, such as credit card fraud, computer fraud, mail fraud, wire fraud, immigration fraud, financial institution (i.e., bank) fraud, or Social Security fraud. Each of these federal offenses is a felony and carries substantial penalties – in some cases, as high as 30 years in prison as well as fines and criminal forfeiture. Congress is also considering new laws to fight "phishing" attacks, a form of online fraud in which Internet users are tricked into providing financial account data and passwords to phony websites run by fraudsters. If you have received an e-mail that appears to have come from your bank, complete with trademarks and generally appropriate sounding language that ultimately requests your personal information, someone has tried to "phish" in your pond. Lawmakers want to create new criminal sanctions and stricter penalties for those who send fake e-mails or use phony websites in these phishing scams. Sen. Patrick Leahy (D-VT) has introduced a bill (S. 472) on Capitol Hill, and the Virginia General Assembly already has passed legislation (HB 2631) making it a felony to use a computer to gather personally identifying information “through the use of material artifice, trickery or deception.” That legislation is awaiting the governor’s signature. Along those same lines, a couple of pieces of legislation have been introduced in the House of Representatives recently. The legislation is designed to protect internet users from the unknowing transmission of their personally identifiable information through spyware programs. And bills with slightly more specific language than the Virginia measure have been introduced in Arizona, New Mexico, and Washington. These bills would make it a felony to falsely represent a business or organization in an e-mail or website in order to obtain personally identifying information from an individual. Many states have also passed laws related to identity theft. Tennessee’s law making it a crime is found at Tennessee Code Annotated Section 39-14-150, which states that: (a) A person commits identity theft who knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or otherwise promote, carry on, or facilitate any unlawful activity. (b) As used in this section, “means of identification” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including: (1) Name, social security number, date of birth, official state or government issued driver license or identification number, alien registration number, passport number, employer or taxpayer identification number; (2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; (3) Unique electronic identification number, address, routing code or other personal identifying data which enables an individual to obtain merchandise or service or to otherwise financially encumber the legitimate possessor of the identifying data; or (4) Telecommunication identifying information or access device. (c) A violation of this section is a Class D felony. Tennessee also has a statute that prohibits “criminal impersonation.” This statute, found at Tennessee Code Annotated Section 39-16-301, states that: (a) A person commits criminal impersonation who, with intent to injure or defraud another person: (1) Assumes a false identity; (2) Pretends to be a representative of some person or organization; (3) Pretends to be an officer or employee of the government; or (4) Pretends to have a handicap or disability. (b) Criminal impersonation is a Class B misdemeanor; provided, that, upon conviction under subsection (a), the maximum fine of Five Hundred Dollars ($500) for such offense shall be imposed if the criminal impersonation was committed in order to falsely obtain a drivers license or other photo identification license. In addition, Tennessee has the Tennessee Identity Theft Deterrence Act of 1999, Tenn. Code Ann. §§ 47-18-2101 to 47-18-2107, a civil law enforceable by private lawsuits. Echoing the criminal law, it prohibits directly or indirectly “obtaining, possessing, transferring, using or attempting to obtain, possess, transfer or use, for unlawful economic benefit, one or more” identification documents, financial documents, or personal identification numbers of another person. If someone violates the criminal law, they probably violate this as well, and it would give a victim a chance to sue the perpetrator in court for damages. You could recover as one component of a damage award the greater of $10,000; $5,000 per day for each day that your identity has been assumed; or 10 times the amount obtained or attempted to be obtained by the thief. You could also recover restitution for your actual losses, interest, and penalties under the Tennessee Consumer Protection Act (“TCPA”), which provides for triple damages; and your attorneys. fees and costs. The TCPA was enacted to protect consumers from those who engage in unfair or deceptive acts or practices in the conduct of any trade or commerce within Tennessee. Tenn. Code Ann. § 47-18-102(2). In the context of identity theft, this statute becomes more relevant when it is a business that has stolen a consumer’s identity. Earlier this year, a Chancellor in Williamson County, Tennessee ordered two businesses, National Fulfillment, Inc. and Entertainment America, Inc. to place $300,000 in an escrow account pending the outcome of a trial. The lawsuit includes allegations that the businesses violated the Tennessee Identity Theft law and the TCPA when they billed consumers’ credit cards for a product that never existed. As discussed previously, identity theft occurs not only when someone improperly uses your name or Social Security number, but also when they improperly use your financial information such as a credit card or bank account. The Tennessee Legislature has passed some other laws to address related aspects of identity theft. One such law provides that your driver’s license can no longer display your social security number unless you specifically request in writing that the number be displayed. Tenn. Code Ann. § 55-50-331(b)(2). As discussed elsewhere herein, you should not allow your Social Security number to appear on your license, and if it is there you should get it removed immediately, or at least when you renew. In 2005, the legislature prohibited persons who accept credit cards or debit cards for business to print or cause to be printed more than five digits of the card number or the expiration date on either the receipt retained by the merchant or the receipt provided to the cardholder at the point of the sale or transaction. This law immediately applied to any cash register or other machine or device that electronically prints receipts for credit card or debit card transactions if the machine first went into use on or after January 1, 2005. Effective January 1, 2007, the bill applies to cash registers or other machines or devices that were in use before January 1, 2005. The law does not, however, apply to transactions in which the sole means of recording a credit card or debit card account number is by handwriting or by an imprint or copy of the card -- the “mom and pop” store exception. A violation constitutes an unfair and deceptive trade practice under the TCPA. Tenn. Code Ann. § 47-18-126. Congress and several states are also considering data security as well, in an effort to force holders of data to handle it more carefully, protect it more vigorously, and notify consumers promptly of any breaches. Tennessee passed a law in 2005 that added data security provisions to the Tennessee Identity Theft Deterrence Act of 1999. Congress is considering several new bills that would further enhance data security, require notice of security breaches and enhance criminal penalties, law enforcement assistance and other protections. In sum, if someone holds or licenses computerized data that includes personal information in Tennessee, they have an affirmative obligation to report any breaches of their data security “to any resident of Tennessee whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person” and to do so “in the most expedient time possible and without unreasonable delay.” If more than 1,000 people are affected, then notification must go to credit bureaus as well. Tenn. Code Ann. § 47-18-2107. Look for Congress to do something in this regard that may wind up trumping state laws, at least if the states’ laws are less stringent. What can you do to prevent identity theft? There are several safeguards you can take to protect your personal information and decrease the chances that you will become a victim of identity theft. The following are some helpful hints for keeping your personal information from being stolen: • In general, provide your personal information only when you receive an appropriate benefit in return for the disclosure. If you disclose personal data, consider using a post office box or business address and a business phone number. If you provide your residential address and phone number, ask how it will be used and how you can restrict any further use. You don’t have to give every piece of information that you are asked for – only provide what is needed for the transaction. • More specifically, on your checks do not use your home address and telephone number. Instead, use a post office box if you have one; if not, use your business address and phone number. Never have your Social Security Number printed on your checks. You can handwrite it on your checks when necessary, but if you have it printed on them, then anyone can get it. • Carefully check your bank statements, credit card statements and other financial statements regularly. If a statement does not arrive on time, notify the bank, credit card company or other financial provider that it has not arrived. A missing bill could indicate that someone has taken over your account and changed the address to his own. • Request your free annual credit report (discussed in more detail in subsequent sections) to see if there are any debts that you do not recognize. If there is a debt you do not recognize, notify the creditor immediately to dispute the charge. Remember that errors on your credit report are not uncommon and do not automatically indicate that your identity has been stolen. A study released by the U.S. Public Interest Research Group in June 2004 found that 79% of the consumer credit reports surveyed contained some kind of mistake. • Discard documents containing personal information by shredding them and until you discard them, keep such documents in a secure location. • Put your vehicle registration in your trunk instead of your glove compartment. Car thieves now use the registration information to steal identities, and even if all you do is slow them down, that has some value. • The next time you order checks, have only your initials (instead of first name) and last name put on them. That way, if your checkbook is stolen (or lost), others will not know if you sign your checks with just your initials or your first name, but you and your bank will know how you sign your checks. That will make fraudulent checks easier to spot. • When writing checks to pay your credit card accounts, do not put the complete account number on the “For” line of your checks. Instead, just put the last four (4) numbers. The credit card company knows the rest of your account (card) number, and anyone who might be handling your check as it passes through all of the check processing channels will not have access to it. • Be aware of those around you in checkout lines when paying by check or credit card. Cellular phones with built-in cameras make it easy for someone to photograph your checks or credit cards and obtain your account numbers. Consider abandoning your “debit cards,” or Visa and MasterCard clones that draw from your checking account. Typically, it is much more difficult to get a thief’s charges resolved on these accounts than it is with a real credit card. • Do not disclose your e-mail address to commercial sites unless you are familiar with the site’s privacy and use policies (which are required to be posted and available), how your e-mail address will be used and with whom the e-mail address with be shared. If a site requires an e-mail address merely to browse it, use yourname@privacy.net. If you want to access a website or other online forum that requires you to complete a registration form or give an e-mail address, consider using www.bugmenot.com to get a free password you can use instead. This website allows you to type in the address of the site you want to read (for example, the Knoxville News Sentinel site) and then it will give you a user ID and a password. Occasionally these do not work, but more often than not they do. It’s also wise to have multiple e-mail addresses and to select one or two of them – not ones you use at work or for important or personal communications – these purposes. A good idea is to get a free G-mail or Hotmail address and use that for completing online registrations; you can also use sites such as www.dodgeit.com, www.mailinator.com, and www.spamgourmet.com to obtain “dummy” or “disposable” e-mail addresses. • Have a “non-published” residential telephone number – that is, one which is neither available in the printed directory nor from directory assistance – or a “non-listed” number that is not printed in the directory but available from directory assistance. (CD-ROMs containing nationwide listings of telephone directories are now readily and cheaply available from computer and discount stores. Nationwide telephone directories are also available on the Internet, and there is no charge for Internet users to search these directories.) If your address and phone number are in a directory, they are widely available. If your address is included in a local directory, it will also be in the nationwide directories. • Do not complete street directory information forms (e.g., a request to complete street address information for a commercially published directory other than a telephone book). These directories include alumni directories, church directories, employer directories, etc. • Avoid ordering products or services by telephone from companies if you don’t know their data sharing practices. If you do, inform the merchant that you do not want your name, address and telephone number given to others. (Not only do the national catalog retailers “capture” and store your personal information, but many local retailers such as pizza delivery services capture your phone number and generally have your name and address displayed on their computer screen merely to be confirmed by you when you contact them to order their products.) You can also use “Caller ID” blocking services that are widely available from the phone companies to prevent your phone number from being displayed when you order products or services over the phone. • Avoid completing product warranty or registration cards, consumer surveys, contest entries, preferred buyer promotions and the like. Also avoid using preferred shopper, store discount or check cashing cards. These cards generally permit the retailer to compile lifestyle information – number, ages and sex of people in the household, income level, and similar information, which is then used to compile targeted mailing lists, which are sold for marketing purposes. (However, do complete registration cards for products such as infant car seats or other products where it is very important for safety or health reasons that the manufacturer be able to contact you in the event of a product recall. If you have concerns about the company’s privacy practices, please contact the company directly for more information.) • Keep your computer’s internal defenses up-to-date. Install all operating system patches as soon as you can, or better yet set up your computer to install them automatically when they are issued. Invest in a solid anti-virus program that updates itself automatically. Use a basic firewall. If your ISP (AOL, Earthlink, etc.) offers security software, accept it but consider supplementing it. Also, consider using a web browser other than Microsoft Internet Explorer, which is the most common avenue for hackers to exploit since it’s the most popular browser. There are simple and free ways to tweak various web browsers to help prevent hidden code on web pages from invading your computer, and you can find them at http://www.cert.org/tech_tips/securing_browser/. • Most importantly, understand the business practices of companies you patronize and only do business with companies that offer you appropriate choices with regard to your information. For example, limit your mail order shopping to companies who pledge not to resell your name and address to other companies. Complete credit applications and promotion entry forms only if the application has an “opt out” box for marketing information. If you’re not sure whether a company will respect your wishes, either don’t provide the information requested or provide non-personal data such as a business phone number instead of your home phone number – better yet, ask and shop elsewhere if you’re not comfortable with the answer. • Finally, place the contents of your wallet or purse/billfold on a photocopy machine and copy both sides of each license, credit card, etc. Give the copy to a family member or friend, or store it in a safe place. That way, if your wallet is ever lost or stolen, you will know what you had in your wallet or purse/billfold, and all of the account numbers and phone numbers so that you can call and cancel those accounts and get replacements. It is also a great idea to carry a copy of your passport with you when you travel abroad, and to leave another copy with a family member or trusted friend while you are gone in case you have to get a replacement. II. RESPONDING TO IDENTITY THEFT What can you do to fight the effects of identity theft? If you believe that you have been the victim of identity theft, you should take several important steps: • First, immediately report the crime to the local law enforcement agency in the jurisdiction where the crime occurred and get a police report. You will need to send copies of the police report to the credit grantors and potentially to federal or state agencies. None of those entities will act without the police report. • Next, contact the three main credit reporting agencies to get copies of your credit report – fraud victims are entitled to free copies over and above any other free copies you may have already obtained or received – and ask about the agencies. fraud alert services. The three main agencies are Experian, Equifax and TransUnion; contact information is provided below. • Inform the credit grantors who have extended credit to the thief in writing about the situation and enclose copies of the police report. • Contact the Social Security Administration if someone is using your Social Security number. • Contact your bank and credit card companies if someone is using your bank account, checking account or credit card numbers. • DOCUMENT EVERYTHING IN WRITING, and keep copies of the documents for at least ten (10) years, if not forever. You may solve ninety percent of the problem, but that last ten percent could keep cropping up, and you may need to be able to demonstrate the efforts you’ve made to correct things. In addition, the Federal Trade Commission and the Tennessee Division of Consumer Affairs have some helpful resources regarding identity theft. You can find these resources by going to:
Here’s how to contact the three (3) nationwide credit bureaus to notify them of the identity theft and obtain a copy of your credit reports: Experian (formerly TRW): Dialing 1-888-397-3742 will connect you to a recording that has instructions for requesting copies of credit reports if you have been denied credit, employment or insurance. Requesting Consumer Assistance will connect you to a representative who can assist with more specific requests. You can also contact Experian via the Internet at www.experian.com, or you can write to P.O. Box 2002, Allen, TX 75013. However, the company seems to prefer handling identity theft issues by telephone. Equifax: Dialing 1-800-685-1111 connects you to a recording that addresses requests for copies of your credit report, fraud incidents and what to do if you disagree with information on the report. You can also contact Equifax via the Internet at www.equifax.com, or write to Equifax Information Services, LLC, Disclosure Department at P.O. Box 740241, Atlanta, GA 30374. (With Equifax, be sure you ask for the phrase “fraud alert” to be placed at the top of your credit report.) TransUnion: Calling Consumer Relations at 1-870-322-8228 connects you to a recording that addresses requests for copies of your credit report, and you may ask to speak to a representative. You can also contact Trans Union via the Internet at www.transunion.com. You can contact the TransUnion Fraud Victims Assistance Department at 1-800-680-7289, or at P.O. Box 6790, Fullerton, California 92834. What laws protect victims of identity theft?
• If negative information is removed as a result of a consumer's dispute, it may not be reinserted without notifying the consumer within five (5) days, in writing.
• They have a duty to investigate disputed information from consumers. • They must inform consumers about negative information which has been or is about to be placed on a consumer's credit report within 30 days.
Fraud Alerts • Adding fraud alerts to consumers’ files. FACTA adds a new section to the FCRA which provides for two (2) varieties of fraud alerts that consumers may add to their files with nationwide credit bureaus. New Section 605A provides for “one call” fraud alerts that allow consumers who believe that they are or might be victimized by fraud or identity theft, to add a fraud alert to their files with the credit bureaus. The credit bureau must refer the alert to the other credit bureaus, and all of the bureaus must not only include the alert in the consumer’s file, they must also provide the alert each time they generate that consumer’s credit score. The bureau must also notify the consumer of the right to a free credit report and must provide a requested report within three (3) business days of the consumer’s request. • Limited time period for alerts. But be warned: this type of fraud alert stays active only for ninety (90) days. To obtain an extended alert that lasts for seven (7) years, a consumer must provide the bureau with an identity theft report. The Federal Trade Commission must still define an “identity theft report” through the issuance of regulations, but under the Act, the report must at least include: (1) allegations of identity theft; and (2) a copy of an official, valid report filed by a consumer with a federal, state or local law enforcement agency. Further, the consumer will be subject to criminal penalties if the information is false.
• Additional alert for active military personnel. Section 605A also allows consumers on active military duty to add an alert of their status to their files. Consumers on active duty include reservists who are on active duty, other than at their usual station. Once a military consumer requests the active duty alert, it will become part of his/her credit report for a twelve (12) month period. The intent of this type of alert is to deter identity theft from military personnel who are stationed away from old addresses. If you have a family member or friend about to go abroad in the military, urge them to use this to freeze their credit files before they depart. • Limits on credit transactions. Under these alerts, users of credit reporting information may not proceed with a credit transaction unless the user “utilizes reasonable policies and procedures to form a reasonable belief that the user knows the identity of the person making the request.” If the alert is an extended fraud alert, then the consumer may provide a telephone number in the alert that the user must use to verify the requester’s identity, or the consumer may designate another reasonable method of contact. Some consumer advocates have urged that customers ought to be able to direct companies to freeze their credit reports more easily than this. They point out that companies granting credit would benefit in the long run because of reduced write-offs. Credit-extenders respond that they fear an economic downturn from reduced sales because of needlessly frozen credit. Many states are legislating this now, although Tennessee has yet to act on it. In addition to its fraud alert provisions, FACTA also added other provisions designed to assist with identity theft prevention, credit history restoration and information accuracy. Some of those provisions are: Identity Theft Prevention • Creditors to implement red-flag guidelines and regulations. The FTC, the National Credit Union Administration, and specified banking agencies to issue regulations that will require financial institutions and creditors to “establish reasonable policies and procedures” for implementing to-be-issued “red flag” guidelines regarding identity theft. A more concrete provision calls for regulations to prevent “account-takeover” identity theft by imposing special verification procedures when a card issuer receives a notification of a change of address from a cardholder and subsequently receives a request for an additional or replacement card. • Businesses must provide identity theft victims with business transaction information. The revised FCRA gives requires businesses who have dealt with an identity thief to provide information about the transactions to the thief’s victim and to law enforcement agencies. However, the provision imposes prerequisites that a victim must meet and allows a business to decline to provide the information if the business determines “in the exercise of good faith” that any of the following exceptions exists: the business does not have a “high degree of confidence in knowing the true identity of the individual” requesting the information, the request is based on a misrepresentation of fact, or the information requested is “Internet navigational data or similar information”. The bottom line, though, is that you have a right to see copies of the paperwork that a thief used to open an account in your name. This gives you an advantage because you’ll have something to compare and show people to prove it’s not you. • Businesses must protect certain consumer information. FACTA adds two provisions that seek to protect key consumer information. Section 605 will require merchants to truncate credit and debit card numbers on electronically printed receipts (though with delayed and staggered effective dates). Section 609 will now allow consumers requesting a report to order the agency to withhold the last five (5) digits of the consumer’s social security number on the report. In addition, regulations now require users to dispose of the consumer information they acquire through consumer reports, including the erasing of electronic data. Credit History Restoration • Agencies must block identity-theft-related information. FACTA adds a new section, 605B, to the FCRA that requires agencies to block identity-theft related information within four (4) days of receiving specified information: proof of the consumer’s identity, a copy of an identity theft report, the consumer’s identification of the fraudulent information, and the consumer’s statement that the information does not relate to any transaction by the consumer. The agency must also notify the furnisher that a block is in place, and furnishers must implement procedures to prevent them from re-furnishing such information (to anyone, apparently, not just the notifying agency). Although the new provision allows an agency to rescind the block under certain circumstances, the agency must both notify the consumer of the rescission and the specific reason for the rescission within five (5) business days, just as an agency must notify a consumer that it is reinserting formerly deleted information. If the consumer notifies a reseller that a report contains identity-theft-caused information the reseller must block the report. • Furnishers must cease furnishing identity-theft-related information. In turn, the FCRA now requires furnishers who have received notice of a block to have reasonable procedures to prevent them from refurnishing the information. The consumer can also trigger that responsibility by notifying the furnisher directly that the furnisher has furnished fraudulent information. • Furnishers may not sell or place for collection identity theft debt. Once a furnisher has been notified that an agency has blocked a consumer’s information as having resulted from identity theft, the furnisher may not sell or transfer the debt or place it for collection. This is not limited to third-party collectors. • Debt collectors must notify creditors of fraudulent debt. FACTA imposes new notification responsibilities on debt collectors; once a consumer notifies a debt collector that a debt may be fraudulent or may have resulted from identity theft, the debt collector must notify the creditor of that allegation and must provide the consumer with all information about the debt to which the consumer would be entitled if the consumer were in fact the liable party. Information Accuracy • Agencies to issue new accuracy and integrity regulations for furnishers. The agencies that enforce the FCRA will establish guidelines for furnishers regarding the accuracy and integrity of furnished information and will issue regulations requiring furnishers to establish reasonable policies and procedures for implementing those guidelines. • Consumers may dispute furnished information directly with the furnisher. The prior version of the FCRA had no provision by which a consumer could dispute an inaccurate item of information directly with the furnisher; rather, the consumer had to dispute the item with the agency which the FCRA then required to notify the furnisher. The FCRA, prior to amendment by FACTA, required the furnisher to reinvestigate the item only upon receiving the agency’s notice, notice from the consumer was irrelevant and ineffective. Now a consumer may trigger a furnisher’s responsibility to reinvestigate by disputing the item directly with the furnisher where the circumstances of the dispute meet the conditions of set forth in the regulations. • Financial institution furnishers to notify customers of negative information. The FCRA now requires a financial institution to notify a customer that it is furnishing negative information about that customer; however, financial institutions may take advantage of a safe harbor provision. The Federal Reserve Board is to provide a model notice not to exceed thirty (30) words. • Agencies must notify furnishers of reinvestigation results. Now an agency that reinvestigates an item of information upon a consumer’s dispute must notify the furnisher that furnished the information if the agency deletes or modifies it from the consumer’s file because the agency found it to be inaccurate, incomplete or unverifiable. • Furnishers must block unverifiable information. Under the prior version of the FCRA, once an agency notified a furnisher that a consumer disputed information that the furnisher had reported to the agency, the furnisher had to reinvestigate that item and report the results of the investigation back to the agency. Now the furnisher must also take steps to modify, delete or block that information to prevent it from re-reporting the inaccurate information. Consumers may enforce this provision. Free Credit Reports • Agencies must provide consumers with a free annual credit report. Consumers now have a right to a free annual credit report from nationwide and nationwide specialty consumer reporting agencies. On an annual basis, consumers may obtain a free credit report from each of the nationwide agencies within fifteen (15) days, after making the request by telephone, Internet or mail. • Tennessee residents have been able to obtain their free credit reports since June 1, 2005. You can get yours through www.annualcreditreport.com, or you can call any of the credit bureaus’ numbers listed above. To whom should I report identity theft? The Federal Trade Commission
The Federal Trade Commission (the “FTC”) is the federal clearinghouse for complaints by victims of identity theft. Although the FTC does not have the authority to bring criminal cases, the Commission assists victims of identity theft by providing them with information to help them resolve the financial and other problems that can result from identity theft. The FTC also may refer victim complaints to other appropriate government agencies and private organizations for further action. As noted above, the FTC also runs the federal government’s identity theft websites at http://www.ftc.gov/bcp/edu/microsites/idtheft and www.onguardonline.gov. These sites have abundant useful information (including form letters), and you can also file a complaint online. (See the attached Exhibit A for a sample of the form of complaint you can file with the FTC.) If you’ve been a victim of identity theft, you can file a complaint with the FTC by contacting the FTC’s Identity Theft Hotline, as follows: By phone:
By mail:
More identity theft resources can be found at the Privacy Rights Clearinghouse’s website at www.privacyrights.org or the National Consumer Law Center’s web site at www.consumerlaw.org. Note that each of these Internet sites also provide a form of “Identity Theft Affidavit,” which can be downloaded and when completed, provides a very useful document to be provided to credit grantors, employers and federal and state agencies that make inquiries as to the identity theft. A copy of the Identity Theft Affidavit is attached as Exhibit B. The Tennessee Division of Consumer Affairs
The Tennessee Division of Consumer Affairs can also be contacted to file complaints regarding any consumer matter, including identity theft. The contact information for this organization is as follows: By phone:
By mail:
ONE VERY IMPORTANT TIP: The importance of reporting an identity theft case to the police cannot be overemphasized. Your banks or credit card companies, and various agencies you may deal with – including the FTC, if you choose to file a complaint, or the IRS if you have tax-related issues arising from the identity theft – will probably want you to provide a copy of the police report. The Identity Theft Affidavit also calls for you to attach a copy of the police report to it – see Item 22 of the form affidavit – if you have one available or can obtain a copy from the police or sheriff’s department that investigated it.
|
Printable Version | Email this Page | Bookmark | Normal font
