Keeping Personal Information Private is a Challenge in an Online World
With identity theft victims numbering more than 10 million annually, the American Bar Association Business Law Section took an in-depth look at the crime from the perspective of prevention, victim’s assistance, company response and the Federal Trade Commission. The session took place April 22 during the section’s 2010 Spring Meeting in Denver.
- Joanna Crane, Federal Trade Commission, Washington, D.C.
- Paula Pierce, Victims Initiative for Counseling, Advocacy and Restoration of the Southwest, Austin, Texas
- Ron Plesco, National Cyber-Forensics Training Alliance, Pittsburgh
- Karen Trimmer, Chase Card Services, Wilmington, Del.
During the past 12 to 36 months, Ron Plesco says that his organization has seen a move from individual hackers getting into one person’s or one company’s account to a global approach to hacking that goes after big payment processors and other financial institutions.
Plesco, who is with the National Cyber-Forensics Training Alliance in Pittsburgh, spoke as part of the panel, “Identity Theft: What Thieves Don’t Want You to Know About the Crime and What Victims Want to Tell You About the Aftermath” during the ABA Business Law Section 2010 Spring Meeting in Denver April 22.
He explained that his organization discovered that all traffic from one of the three major payment processors was redirected to Russia and then came back without the original company knowing it. The result was that financial data for thousands of customers was exposed.
“ROI is just as important for these guys as it is for any other business. They are not going after individual users one-by-one,” Plesco said. Right now these organized efforts are targeting account clearing houses handling transactions by mid- to small-sized banks.
“Bigger banks have steps in place, but these small banks can have losses of $2 million a week for several weeks before people at the bank realize they have a problem. By the time the bank figures it out, the money is three steps ahead, generally out of the country and then back.”
He said that individual Twitter accounts are vulnerable as are text messaging and VOIP phone service.
In the current environment with so many people looking for jobs, Plesco said that many “work-at-home” schemes are actually advertisements for money mules who are told they can make up to $80,000 a year by just accepting some ATM cards and then taking out a specified amount of money with each.
He also explained a scam called pump-and-dump in which outside forces would take over one stock briefly drive up the price and then sell it. In one case, a stock price went up 20 percent in 30 minutes.
To counteract similar activities, representatives from the nation’s top online stock trading firms are meeting with the FBI, US Postal Service and the National Cyber-Forensics Training Alliance. “Right now we are finding information sharing on cyber crime across the industry is leading to industry-wide benefits,” Plesco said.
More information on the National Cyber-Forensics and Training Alliance is available here.
Paula Pierce introduced herself as a lawyer who helps identity theft victims, saying from her experience, “It’s normal for victims of identity theft to experience the same types of reactions as victims of rape, violence and shooting.”
Speaking on “ID Theft: The Victim’s Perspective,” Pierce said that victims have reactions ranging from embarrassment and sadness to anger and isolation to betrayal, rage and suicidal feelings.
One of the problems, she explained, was that businesses often are not sympathetic to victims. In some cases, businesses will ask if the person is really a victim or they imply that the ID theft is the victim’s fault. She acknowledged that another reason for the way companies treat victims is that they are often short-staffed with employees barely able to do their normal jobs let alone take time to hear about an unusual situation.
Plus, she said, criminals are getting smarter.
She told of one case where she represented a school teacher whose personal information was stolen when her district’s old records were discovered in a dumpster by members of a meth ring.
The teacher’s identity – and excellent credit rating – was used to buy tires at a Sears store, jewelry at a mall store and numerous mail-order items, including a $4,000 tanning bed, that were shipped to her home and signed for while she was teaching school.
The thefts were discovered when a quick-thinking security guard at the Sears store noticed someone filling the back of a pick-up truck with tires. Knowing that most people buy two tires or four tires at a time, the large number of tires made him suspicious. He detained the person and called police.
The police discovered a binder with multiple fake identities, copies of the school district’s old payroll records and maps to the victims’ homes.
What Lawyers Can Do to Help
Pierce said that lawyers should encourage their business clients to recognize the best defense is a good offense, noting that one credit card company calls its customers when an unusual purchase is made with their card. She said that businesses should partner with their customers who are victims, trust the Federal Fair Credit Reporting Act, and treat customers with compassion and common sense.
According to Pierce, victims of identity theft need customer service personnel who understand a victim’s rights under FCRA, while offering cooperation and understanding.
Lawyers also need to help their business clients understand the requirements of FCRA so they produce documents in a timely fashion, perform a meaningful investigation, and prevent removed items from appearing on a victim’s credit report along with blocked information relating to the fraudulent activity.
Identity theft is a growing problem, said Joanna Crane, Identity Theft Program manager with the Federal Trade Commission. “For years the problem was under-reported. In 1998 the GAO estimated that there were between 750,000 and one million victims a year.
“Using different data, the agency estimated that by 2003, there were 9.9 million victims annually with more than 11 million in 2009,” she said. She said in a new twist, thieves are taking medical identities as well.
A major problem for consumers is re-pollution of their credit reports with information pertaining to identity theft transactions that they thought was removed.
According to Crane, one of the most common identity theft crimes involves creating new accounts, in which a person uses the victim’s name and identity to apply for a new credit card or loan. Typically, it can take eight months to discover the crime.
She said that the hardest part of the experience for victims is the length of time – including hours spent – between discovery and resolution, loss of access to funds, not knowing what else might happen and the difficulty in proving innocence.
Businesses have obligations to their customers who are identity theft victims, she said. They need to provide closure letters absolving the victim of the fraudulent debt, make sure the fraudulent debt is not sold, ensure the fraudulent debt is not reported to any of the credit agencies and correct any fraudulent information that is mistakenly reported.
Consumers can take steps to prevent identity theft by posting fraud alerts with the major credit bureaus. When a consumer posts a fraud alert, creditors must take additional steps to verify identity before opening a new account.
Crane suggested that consumers take advantage of the free credit reports available once every 12 months. She also suggested that consumer take stock of their credit, scaling back where possible. Keeping credit card and other financial information secure and shredding or otherwise destroying old information are other suggestions.