Identity Theft –HOW TO DEFEND AGAINST IT AND FIGHT BACK

Scott A. Durfee
Harris County District Attorney’s Office

"Described as the neoteric crime of the information technology era, identity theft is the illicit use of another’s identifying facts (name, date of birth, Social Security number, address, telephone number, or other similar information) to perpetuate an economic fraud by opening a bank account, obtaining credit, applying for bank or department store cards, or leasing cars or apartments in the name of another." Kurt Saunders & Bruce Zucker, Counteracting Identity Fraud in the Information Age: the Identity Theft and Assumption Deterrence Act, 8 Cornell J. Law & Public Policy 661, 662 (1999).

A 2003 Federal Trade Commission survey showed that over a one-year period nearly 10 million people – or 4.6 percent of the adult population – had discovered that they were victims of some form of identity theft. Fed. Trade Comm’n, Identity Theft Survey Report at 4 (2003) (www.ftc.gov/os/2003/09/synovatereport.pdf). This survey also established the total cost of this crime approaches $50 billion per year, with an average loss from the misuse of a victim’s personal information of $4,800. Id. at 6.

In this information age, it is impossible to defend oneself against a persistent identity thief: they can attack more places than you can defend. See Sun Tzu, Art of War ("[I]n the case of those who are skilled in attack, their opponents do not know where to defend . . . . Preparedness everywhere means lack everywhere.") You can, however, avoid being the "low hanging fruit" that is easily harvested by the identity thieves by being aware of the ways that identifiers are stolen and taking simple defensive positions against them. Here are some ways identities are stolen and how you can keep it from happening to you:

They . . . pickpocket your wallet or purse and using the credit cards, identification, and PIN numbers stored therein.

You . . . travel light. Empty out your wallet or purse and keep only the identification information and cards absolutely necessary for your day-to-day activities. Do not carry your bank account numbers, personal identification numbers, passports, birth certificates, and, most importantly, your Social Security card. For the cards you do carry, make a photocopy of them or a list of the key numbers and keep them in a secure location so that, if lost or stolen, you can report the loss immediately. Do not carry any more blank checks with you than you need: checks may be cashed, and they may also contain sensitive information often pre-printed on the checks themselves (i.e. address, bank account number, telephone number). For that matter, review your checks to see what kind of unnecessary personal information is imprinted on them. Do not wait to react to the loss, even if you think it might turn up later.

You . . . opt out of preapproved credit card offers by calling 1-888-5-OPTOUT (567-8688). Do not use unsecured mailboxes (i.e. "raise the flag" curbside boxes) for important mail: drop it off in a post office collection box or at the local post office. Promptly remove your mail from your mailbox after delivery, and make arrangements for gathering your mail while on vacation.

  Similarly, you can opt out of information sharing by the credit bureaus (a form letter and addresses are available at www.ftc.gov/bcp/conline/pubs/alerts/optoutalrt.htm), direct mail marketing (www.the-dma.org/consumers/offmailinglist.html), telemarketing (www.donotcall.gov), and e-mail marketing (www.dmaconsumers.org/offemaillist.html).

You . . . have a clear understanding of which accounts you have open, when the statements are issued for those accounts, and phone numbers and addresses to report fraud for each account. If you have not received a statement at the usual time, assume the worst and notify your bank or credit provider.

Also, you should cancel dormant credit accounts, which are most vulnerable to changes of address because you will not notice anything unusual until you are billed. Likewise, you should place passwords on your accounts: avoid using easily available information like your mother’s maiden name, the date of birth of yourself or a family member, your zip code, or your social security number

You . . . regularly check your credit history for anomalies. You are entitled to one free credit history check per year with each of the three credit bureaus – Equifax, Experian, and Trans Union. Go to www.annualcreditreport.com to register for these histories. Because you do not have to get the checks from each agency at the same time, you should stagger your credit history checks so that you get a fresh credit check every four months.

You . . . never give your personal information to someone who has contacted you. Legitimate businesses or governmental agencies never contact people and ask for PIN numbers or other identifying information.

You . . . be conscious of others around you as you provide this information. There is nothing impolite about asking someone to step back out of earshot, or covering your keypad as you punch in the numbers.

You . . . destroy identifying information that you discard. Tear or shred charge receipts, credit applications, insurance forms, bank checks, expired charge cards, credit offers, and statements that you are discarding.

They . . . hack into your computer by replay attacks or eavesdropping on your password, or by guessing your password.

You . . . use appropriate firewalls to protect your computer against hackers. Good PC programs include Trend Micro PC-cillin Internet Security 2005 and ZoneAlarm Internet Security 5.5. For Apple computer users, MacWorld magazine says that the OS X operating system comes with a good firewall, but for enhanced protection and ease of use, they recommend NetBarrier X3.

You . . . place identifying information in a locked desk, safe, or other secure location. Know where your office’s personnel files are and, if you believe they are not secure, complain to your employer in writing. For governmental employees, sign an "opt out" statement declining to allow disclosure of your personal information under the Public Information Act. See Tex. Gov’t Code § 552.024 (opt out provision of the Act).

The FTC recommends that you call the bureaus and tell them that you are an identity theft victim. You should request that a "fraud alert" be placed in your file, as well as a victim’s statement asking that creditors call you before opening any new accounts or changing your existing accounts.

Under the Fair Credit Reporting Act, you are entitled to an investigation by the credit bureau if you believe that your file contains incorrect information. If you disagree with the results, you have the right to include in your credit file a brief statement giving your side of the story.

The FTC recommends that you speak to someone in the fraud department of each creditor within two days of discovering the loss or theft to minimize your exposure, and follow up with a written communication to ensure that there is no misunderstanding. Under federal law (15 U.S.C. § 1643), your losses are limited to $50 per card and you’re not responsible for charges made after you report the card lost or stolen. The FDIC also recommends that you instruct your card companies to close your accounts instead of asking for the fraudulent charges to be removed. Open new credit card accounts with new account numbers and PINs, and ask that the password be used before any inquiries or changes can be made on the account.

Contact the police where the information was stolen, if that location is known. Otherwise, contact your local law enforcement agency. In either case, sign an affidavit verifying that unauthorized transactions in your name are fraudulent. If it is apparent that the identity thief stole your mail or has filed a falsified change-of-address form, contact your local postal inspector. See www.usps.gov/websites/depart/inspect.

Because the thief may attempt to access your bank account using your information, you should likewise replace your old ATM card with a new one and change your existing PIN to one that cannot be easily guessed by a thief. Id. Under the Electronic Funds Transfer Act, your losses are limited to $50 if you report your ATM card lost or stolen within two days after discovering the loss. If you wait between two and sixty days, you may be liable for up to $500. After sixty days, the bank is not required to reimburse you for your losses.

A list of the major check verification services is available at the Texas Department of Public Safety’s website (www.txdps.state.tx.us/administration/
driver_licensing_control/idtheft/idtheft2.
htm.)

The SEC can be contacted by mail at SEC, 450 Fifth Street, NW, Washington, DC 20549-0213, by phone at 202-942-7040, or by e-mail at help@sec.gov.

Report the misuse to the SSA’s Fraud Hotline at 1-800-269-0271, and follow up in writing. You should also call the SSA at 1-800-772-1213 to verify the accuracy of the earnings reported on your SSN, and to request a copy of your Social Security Statement.

File a complaint with the FTC by telephone at 1-877-IDTHEFT (438-4338); by mail at: Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Ave., NW, Washington, DC 20580; or online at: www.consumer.gov/idtheft. The FTC has been mandated by federal law to act as a clearinghouse for victims of identity theft and to assist in providing relevant information.

The FTC has standardized the format for disputing fraudulent debts and accounts opened by an identity thief in its ID Theft Affidavit, which can be downloaded from the web at www.consumer.gov/idtheft/affidavit.htm.

Federal Law. In the fall of 1998, Congress passed the Identity Theft and Assumption Deterrence Act, which provides that

[whoever] knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law [commits identity theft].

18 U.S.C. § 1028(a)(7). This offense, in most instances, carries a maximum of 15 years imprisonment, a fine, and criminal forfeiture of any personal property used or intended to be used to commit the crime. Other federal criminal statutes implicated by identity theft include credit card fraud (18 U.S.C. § 1029), computer fraud (18 U.S.C. § 1030), mail fraud (18 U.S.C. § 1341), wire fraud (18 U.S.C. § 1343), or financial institution fraud (18 U.S.C. § 1344).

Expunction – A victim of misidentification may petition the district attorney for assistance in having his misappropriated identity redacted from court records if the identity was misused in a criminal proceeding. See Tex. Code Crim. Proc. art. 55.01(d).

Identity Theft Investigations and Prosecutions – Peace officers are now obliged, upon learning of an identity theft, to notify the victim and the DPS of the theft, and make a report. Tex. Code Crim. Proc. arts 2.28, 2.29; see also Art. 60.19 and (detailing DPS’s responsibilities upon receipt of the information, which include preparing a PIN for ). The system is also more victim-friendly, placing venue for identity theft crimes (Penal Code § 32.51) "in the county of residence for the person whose identifying information was fraudulently obtained, possessed, transferred or used." See Tex. Code Crim. Proc. art.13.29.

"Phishing" Fraud – A new statute makes "phishing" for identifiers a state jail felony. See Tex. Bus. & Comm. Code § 48.001, et seq.

PINs for Drivers’ Licenses – An identity theft victim may file a declaration with the DPS to create a PIN for his or her driver’s license to prevent misuse by an identity thief. See Tex. Gov’t Code art. 411.0421.

Security Freezes on Consumer Reporting Agency Files – An identity theft victim is entitled to a "security freeze" (i.e. a notice placed on a consumer file that prohibits a consumer reporting agency from releasing a consumer report relating to the extension of credit involving that consumer file without the express authorization of the consumer) upon written request by certified mail to a consumer reporting agency. See Tex. Bus. & Comm. Code § 20.034.

Scott Durfee is the general counsel for Harris County District Attorney Charles A. Rosenthal, Jr. A frequent writer and speaker on identity theft, ethics, and criminal law issues, Durfee also plays keyboards for a band called Death by Injection (www.deathbyinjection.com) and coaches his daughter’s volleyball team, the Lightning Bolts.

Texas Paralegal Journal © Copyright 2006 by the Paralegal Division, State Bar of Texas.

Top of Page