One case under investigation by the FBI in conjunction with the U.S. Postal Inspection Service involved a man who’d obtained personal information—names and birth dates—of attorneys in the Boston area from the
Martindale-Hubbell directory
of attorneys.
Using this information, he and a co-conspirator visited the Massachusetts Bureau of Vital Records— which had an open records policy—and were able to obtain copies of birth certificates of their victims.
Using that information, they were able to contact the Social Security Administration and obtain SSNs for most of the attorneys. Once they had the SSNs, the thieves
ordered credit reports
and looked and determined the attorneys’ creditworthiness and existing accounts. Their first theft was to call one of the attorney’s banks and order a wire transfer of $96,000.
Half of the money went to a casino and the rest went into the crook’s personal accounts.
1 3 7
L A W S A N D A G E N C I E S T H A T P R O T E C T Y O U … O R D O N ’ T
This was a stupid first move. Once the bilked attorney realized the money was missing, he notified his bank—and the bank notified the Office of the Comptroller of the Currency and the FBI. The FBI got the necessary warrants and the wire transfers were easy for the bank to trace.
In the meantime, the crooks were still using the stolen IDs. They added themselves as authorized users to the credit card accounts of several attorneys and ordered emergency replacement cards from others. By the time the FBI and Massachusetts police arrested the two, they had at least 12 different license or identification cards from three states and at least four or five credit cards, all in the names of the attorneys whose identities they’d stolen.
With stories like this one circulating in post-9/11
America, politicians in Washington D.C. realized that
the 1998 Identity Theft Act wasn’t a strong enough
protection.
California Senator Dianne Feinstein led the drafting of the
Identity Theft Penalty Enhancement Act
of 2002, which allowed harsher charging and sentencing when identity theft occurs in connection with these other serious crimes.
The sentencing enhancements would increase penalties for the most serious forms of identity theft and strengthen prosecutors’ ability to bring these cases. In particular, the proposed legislation would define a new crime of “
aggravated identity theft
” that in-1 3 8
C H A P T E R 6
cludes the most damaging forms of identity theft, and which would carry greater penalties. Enhanced five-year consecutive penalties would result if a terrorist or terrorist-related offense is involved.
The proposed law also
streamlined proof requirements
by including the possession of identifying information with intent to commit identity theft as an element of the crime. These provisions, together with the enhanced sentences for aggravated identity theft, made ID theft cases easier to investigate and to prosecute successfully.
T H E P A T R I O T A C T
Feinstein’s Enhancement Act wasn’t the only new law designed to help federal prosecutors clamp down on ID thieves. An even more potent—though more controversial—tool was the
USA Patriot Act
of 2001.
This law, enacted in the weeks after the 9/11 attacks, made significant changes to how the Feds could investigate and prosecute a variety of suspects—including suspected ID thieves.
Most of the controversies surrounding the Patriot
Act had to do with its effects on constitutional privacy rights. The parts of the Act designed to combat ID theft were more technical…and less controversial.
New rules related to opening bank accounts were announced during the summer of 2002 and were designed to thwart terrorist funding—but could also
1 3 9
L A W S A N D A G E N C I E S T H A T P R O T E C T Y O U … O R D O N ’ T
help fight identity theft and other forms of fraud.
The rules required financial institutions (including banks and trust companies, savings associations, credit unions, securities brokers and dealers, mutual funds and futures merchants or brokers) to implement “reasonable procedures” for: 1)
verifying the identity
of any person seeking to open an account, to the extent reasonable and practicable; 2)
maintaining records of the information used to verify the person’s identity; and 3)
determining whether the person appears on any list of known or
suspected terrorists
or terrorist organizations.
The U.S. Treasury Department and the Social Security Administration agreed to develop and implement a system by which banks and other financial institutions could access a database to verify the authenticity of SSNs provided by people opening accounts.
The financial institutions subject to the proposed rules would also be required to establish programs speci-fying procedures for obtaining identifying information from customers seeking to open new accounts.
A joint agency statement issued by the Treasury Department and the SSA said: This identifying information would be essentially the same information currently obtained by most financial institutions and for individual customers generally, including the customer’s name, address, date of birth and an identification number (for U.S. persons, a
1 4 0
C H A P T E R 6
Social Security number and for non-U.S. persons, a similar number from a government-issued document). Customers with signature authority over business accounts would fur-nish substantially similar information.
The proposed rules raised concerns mostly from credit card issuers. They complained the new rules would create problems especially for
online applications
.
C A L I ’ S A N T I - I D T H E F T L A W
About the same time that the Feds were announcing new banking rules derived from the USA Patriot Act, California was putting a new law into effect that prohibited the public posting or display of an individual’s SSN—including printing the number on any card required to access products or services.
This state law got a lot of media attention as both a privacy protection and a blow to easy ID theft.
The California law also stated that no one could be required to transmit his or her Social Security number over the Internet, unless the connection were secure or the SSN encrypted. And institutions were
not allowed to print
an individual’s SSN on any mailed materials, unless required by state or federal law.
The law did not prohibit the collection, use or circulation of SSNs for internal verification or administrative purposes. But, if a California resident sent a written request to a bank or other institution requesting that his or her SSN not be used, the request had to be honored within 30 days of receipt—without any additional fee. And financial institutions could not deny services to any individual who opted out.
1 4 1
L A W S A N D A G E N C I E S T H A T P R O T E C T Y O U … O R D O N ’ T
Although the law only applied to California, people
in the banking industry admitted it would have a
national effect. An executive with an Ohio-based
financial services company that had branches in most
of the U.S. said it would be much easier to apply the
California rule nationally than to segment customer
data by state.
While some banks had already stopped using SSNs by 2002, others used encryption techniques to obscure the numbers. These encryption techniques fall into two basic categories: Some use
algorithms to
alter SSNs
; others hide the first five digits of SSNs on all documents.
No sooner did the California rule go into effect than politicians there considered expanding it. One new proposal would allow customers to tell financial institutions not to share or sell their personal financial information—either to corporate affiliates or to third parties. This option, as we’ve already seen in previous chapters, is known as the
opt-out
.
In limited circumstances, where the third party was not a financial institution, customers would have to give
explicit permission for data-sharing
ahead of time.
Other states were also sharpening their laws against ID theft:
•
In Georgia, businesses could be fined up to $10,000 for the improper disposal of materials that contain personal informa-1 4 2
C H A P T E R 6
tion about customers. The new law also applies to information that is spoken, visual or electronic.
•
In October 2002, a New York law made stealing a person’s identity and possess-ing personal information a felony for the first time. The law allowed prison sentences of up to seven years for those convicted of using ID theft to steal more than $500. One interesting point: the law included references to security technologies not yet in general use—such as voice prints or retina scans.
•
In November 2002, Virginia Attorney General Jerry Kilgore said he would recommend that the state’s General Assembly strengthen penalties against ID theft.
Kilgore also urged local police to pursue the crime more aggressively.
So, the strengthening of ID theft laws at the state level makes for a kind of balance…since local law enforcement is on the front lines of the problem.
L A W S T H A T H E L P I D T H I E V E S
Hovering in the background of the federal and local efforts to strengthen the laws against ID theft is an issue that seems ridiculous—some laws actually
enable ID theft
.
In the fall of 2002, ID theft became a hot-button issue in King George County, Virginia. About two dozen King George residents complained to county officials after learning their SSNs were online in computerized versions of some court records, including
1 4 3
L A W S A N D A G E N C I E S T H A T P R O T E C T Y O U … O R D O N ’ T
mortgage-related documents
. The personal information appeared on land records uploaded to the county Web site as part of the jurisdiction’s efforts to bring all of its files up to date electronically.
The local bosses cited a 1998 Virginia law that mandated that clerks charge a $3 technology fee for the
purposes of updating their databases when records
were filed—although, whether the information was
put online remained up to the clerk of the court.
The King George County executive pointed out that, if a resident filed a complaint, his or her sensitive data would be removed from the site. And documents that were scanned and uploaded online would, in the future, exclude any sensitive information.
The executive pointed out that
marriage license
records
also contained personal information, including dates of birth and maiden names of mothers.
This information was a matter of public record and could be viewed by anyone who visited the county courthouse.
Other Virginia counties took steps to protect identities. A clerk in one nearby county pointed out that her office only made information online available to companies or agencies that had
established their bona
fides
—and paid for the service.
In another nearby county, the records manager said that his office also controlled access by offering a
subscription service
to professional firms. He noted
1 4 4
C H A P T E R 6
that the subscription model actually made the system more secure, because he could monitor who was looking at which documents.
During the summer of 2002, Florida real estate appraisers protested a state law would make some 500,000 SSNs public—putting the owners at risk for identity theft. The appraisers claimed that, starting that fall, they would have to release the Social Security numbers of Floridians who had homesteaded property to any business that requested them.
Specifically, the law held that state and county agencies must give SSNs to “reasonable businesses” with
a “legitimate business purpose” for the numbers,
such as research or verifying information.
The law required the businesses to submit a
written
request
and to explain why they wanted the numbers; those requests would be kept on file with state officials.
In 2000, Florida property appraisers had started collecting SSNs for
homestead exemption
—a state program that allows real estate owners to keep their property, regardless of court judgments, tax liens or other encumbrances. The numbers were used for identification to prevent tax fraud, and they had been kept confidential under state law.
The new law was explained at various times as a security measure and as a consumer advocacy measure; in fact, its origins traced back to
lobbyists for direct
1 4 5
L A W S A N D A G E N C I E S T H A T P R O T E C T Y O U … O R D O N ’ T
marketing companies
. But various politicians in Florida’s capital—as well as the leader of the state’s property appraisers association—insisted that the law did not apply to property appraisers’ use of SSNs on homestead exemption forms.
In late 2002, a series of surveys of residents in Washington state reflected growing concern about that state’s laws granting broad
public access to government records
. The laws—which had traditionally been defended as signs of clean government and no corruption—also posed a threat to ID security.
The main survey showed that the more concerned
someone is about identity theft and invasion of privacy, the less that person will support access to
government records by the media. The results were
mixed: Nine out of 10 adult Washington residents
said they favored open government; but three-quarters were concerned about misuse of information by
the press and identity thieves.