Federal Internet Law & Policy
An Educational Project

Fraud: ID Theft

Dont be a FOOL; The Law is Not DIY
Navigation Links:
:: Home :: Feedback ::
:: Disclaimer :: Sitemap ::

ID Theft
- The Theft
- The Victim
- The Paranoid
- The Internet Company
- Reference

- Agencies
- - White House
- - DHS
- - NIST
- - NTIA
- - FCC
- Reference
- Cryptography

Crimes Against Network
- Worms, Viruses, Attacks
- Hackers
- Wireless Malware
- WiFi Security
- Cyberwar
- Network Reliability
- Infrastructure Protection
- - Kill Switch

Crimes Over Network
- CyberStalking
- Fraud
- - Auctions
- - Phishing
- Gambling
- ID Theft
- Offensive Words

Info Gathering
- Wiretaps
- Forensics
- Carnivore
- Patriot Act
- Data Retention
- Safe Web Act

- Assessment
- Reliability
- Vulnerabilities

The Internet Company

Internet companies have become aware of the sensitivity of customers information. Posted privacy policies articulating care and handing of sensitive information have become common place. Options for handling information include restricting staff that has access to a business’s customer information to a few who have a need to know. Some companies conduct background checks on those who do have access to sensitive information. If an employee pockets a few thousand credit card numbers as a result of sloppy information practices, the company could be liable as well. Appropriate questions could be, how is that information secured and stored, and how do you dispose of it when it is no longer needed. Paper shredders now cost $40 down at the local office supply store (I bought one for Christmas and let my kids shred anything with personal information on it). Safes and locking file cabinets are also very affordable.

Ebusinesses regularly make security a part of the business plan. They consider consider the security of interactions with the public and of online transactions. Could any of the “sploits of the month” defeat security efforts and permit a skript kiddy to rifle through data? Organizations designate an individual on staff to be responsible for the security of the network and data. Security and firewall can be designed with the confidentiality of data in mind. If a project is big enough, one can conduct a security audit. There are also available voluntary trust programs, like the Better Business Bureau or Truste that show customers that a site is taking prudent precautions.

As subscribers go online with broadband connections and fixed IP addresses, they are increasingly vulnerable to intruders rifling through hard drives. ISPs are increasingly attempting to educate subscribers about the dangers of the barbarians online. Some have added a firewall to the service package provided to new customers and recommend to new subscribers that they keep their sensitive data on removable media, like key chain drives, that are not always attached to the computer.

There are a number of laws that deal with your customer’s information. The FCC’s Customer Proprietary Network Information rules prohibit telephone carriers from stealing this information from you when you order telephone service. The Electronic Communications Privacy Act (ECPA) governs when it is appropriate for you to turn information over to federal agents and what documents they have to present to you before you should supply that information Any children’s information collected online falls under the Children’s Online Privacy Protection Act.

Some ISPs make this a part of the training for customer support staff. After all, when customers have trouble with Netscape, who do they call? When customers worried about Y2K, who did they call? They called their ISP. Identity Theft has become so endemic that some ISPs provide an FAQ on your company website linking to the appropriate identity theft information.

Derived From Identity Theft: Prevalence and Cost Appear to Be Growing , GAO-02-363, p. 11 (Mar. 2002)

Since our May 1998 report, various actions-particularly passage of federal and state statutes-have been taken to address identity theft. The federal statute,14 enacted in October 1998, made identity theft a separate crime against the person whose identity was stolen, broadened the scope of the offense to include the misuse of information as well as documents, and provided punishment-generally, a fine or imprisonment for up to 15 years or both. Under U.S. Sentencing Commission guidelines-even if (1) there is no monetary loss and (2) the perpetrator has no prior criminal convictions-a sentence as high as 10 to 16 months incarceration can be imposed. Regarding state statutes, at the time of our 1998 report, very few states had specific laws to address identity theft. Now, less than 4 years later, a large majority of states have enacted identity theft statutes.

In short, federal and state legislation indicate that identity theft has been widely recognized as a serious crime across the nation. As such, a current focus for policy makers and criminal justice administrators is to ensure that relevant legislation is effectively enforced. Given the frequently cross-jurisdictional nature of identity theft crime, enforcement of the relevant federal and state laws presents various challenges, particularly regarding coordination of efforts. Although we have not evaluated them, initiatives designed to address these challenges include the following:

After enactment of the 1998 Identity Theft Act, the Attorney General's Council on White Collar Crime established a Subcommittee on Identity Theft. Purposes of the Subcommittee are to foster coordination of investigative and postdoctoral strategies and promote consumer education programs. Subcommittee leadership is vested in the Fraud Section of the Department of Justice's Criminal Division, and membership includes representatives from various Justice, Treasury, and State Department components; SSA/OIG; the FTC; federal regulatory agencies, such as the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation; and professional organizations, such as the International Association of Chiefs of Police (IACP), the National Association of Attorneys General, and the National District Attorneys Association.

. Various identity theft task forces, with multiagency participation (including state and local law enforcement), have been established to investigate and prosecute cases. Such task forces enable law enforcement to more effectively pursue cases that have multijurisdictional elements, such as fraudulent schemes that involve illegal activities in multiple counties or states. At the time of our review, the Secret Service was the lead agency in 37 task forces across the country that were primarily targeting financial and electronic crimes, many of which may include identity theft-related elements.

. Also, under the 1998 Identity Theft Act, the FTC established a toll-free number for victims to call and is compiling complaint information in a national Identity Theft Data Clearinghouse. FTC's Consumer Sentinel Network makes this information available to federal, state, and local law enforcement. According to FTC staff, use of the Consumer Sentinel Network enables law enforcement to coordinate efforts and to pinpoint high-impact or other significant episodes of identity theft.

Furthermore, there is general agreement that, in addition to investigating and prosecuting perpetrators, a multipronged approach to combating identity theft must include prevention efforts, such as limiting access to personal information. In this regard, federal law enacted in 1999, the Gramm-Leach-Bliley Act,15 directed financial institutions-banks, savings associations, credit unions, broker-dealers, investment companies, investment advisers, and insurance companies-to have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information and to deter fraudulent access to such information. Prevention efforts by financial institutions are particularly important, given FTC data showing that a large majority of consumer complaints regarding identity theft involve financial services-new credit card accounts opened, existing credit card accounts used, new deposit accounts opened, and newly obtained loans.

Finally, given indications that the prevalence and cost of identity theft have increased in recent years, most observers agree that such crime certainly warrants continued attention from law enforcement, industry, and consumers.16 Also, due partly to the growth of the Internet and other communications technologies, there is general consensus that the opportunities for identity theft are not likely to decline.

"Under the Identity Theft and Assumption Deterrence Act, the Federal Trade Commission is responsible for receiving and processing complaints from people who believe they may be victims of identity theft, providing informational materials to those people, and referring those complaints to appropriate entities, including the major credit reporting agencies and law enforcement agencies. For further information, please check the FTC's identity theft Web pages . You can also call your local office of the FBI or the U.S. Secret Service to report crimes relating to identity theft and fraud." - USDOJ Identity Theft and Fraud



  • Identity Theft and Assumption Deterrence Act of 1998 Public Law 105-318 (1998) [TEXT] [PDF]
  • Credit Cards
  • 15 U.S.C. § 1643
  • "a consumer's liability for the unauthorized use of her credit card may not exceed $50 if she does not report the loss before the credit card is used. If she notifies the card issuer before any use, she is not responsible for any charges she did not authorize." 
  • 15 U.S.C. § 1693 et seq the Electronic Funds Transfer Act
  • Debit Cards
  • 15 U.S.C. § 1601The Truth in Lending Act as amended by the Fair Credit Billing Act
  • "If a person fails to report to her bank that money has been taken from her debit card account more than 60 days after she receives the statement, there is no limit to her liability and she could lose all the money in her account. "
  • 18 U.S.C. § 1028 [TEXT]
  • Legislation
  • Federal Activity

  • FTC Will Study Experiences of Identity Theft Victims, FTC 7/3/2008
  • Chairman Inouye Introduces Identity Theft Prevention Bill, Senate 4/24/2007
  • FDIC Identity Theft Symposiums: Fighting Back Against Phishing and Account Hijacking
  • FTC Testifies on Data Security and Identity Theft, FTC 6/15/2005
  • FTC Testifies on Security of Consumers’ Financial Data, FTC 4/15/2005
  • Information Security: Securities and Exchange Commission Needs to Address Weak Controls Over Financial and Sensitive Data. GAO-05-262, March 23., GAO 3/29/2005
  • Federal Bank and Thrift Regulatory Agencies Jointly Issue Interagency Guidance on Response Programs for Security Breaches, Fed Reserve 3/29/2005
  • FTC Testifies on Data Security and Identity Theft, FTC 3/11/2005
  • New ID Theft Consumer Assistance Initiative To Be Unveiled by FTC, FTC 2/4/02
  • Federal Trade Commission Announces ID Theft Affidavit, FTC 2/6/02
  • Cases and Scams
  • FTC Testifies on Identity Theft and the Impact on Seniors, FTC 7/19/02
  • FTC Calls for Stiffer Penalties for Identity Thieves, FTC 7/15/02
  • FTC Chairman Muris to Speak about ID Theft, FTC 5/3/02
  • FTC Testimony on Identity Theft, FTC 3/21/02
  • Oct 23-24 FTC Workshop on Identity Theft Victim Assistance.
  • Report from the FTC Identity Theft Data Clearinghouse, Figures and Trends on Identity Theft, Nov 1999 through Sep 2000 Report Text  Report Charts [Powerpoint]
  • Hearings

  • U.S. Congress, House Committee on Ways and Means, Role of Social Security Numbers in Identity Theft and Options to Guard Their Privacy, 112th Cong., 1st sess., April 13, 2011.
  • "Identity Theft: Restoring Your Good Name " Senate Judiciary Committee Subcommittee on Technology, Terrorism and Government Information   DATE: March 20, 2002
  • February 14, 2002 Subcommittee Hearing "Privacy, Identity Theft, and the Protection of Your Personal Information in the 21st Century?"
  • Prepared Statement Of The Federal Trade Commission On Identity Theft Before The Committee On Banking And Financial Services United States House Of Representatives Washington, D.C. September 13, 2000
  • Caselaw

  • REMIJAS v. NEIMAN MARCUS GROUP, LLC, Court of Appeals, 7th Circuit 2015 
  • Class plaintiffs have suffered harms as a result of hack of personal information. "the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an "objectively reasonable likelihood" that such an injury will occur."
  •  Resnick v. AvMed, Inc., 693 F.3d 1317, 1328 (11th Cir. 2012) 
  • Standing: reasoning that the plaintiff had financial injury from paying higher premiums in light of defendant's failure to implement security policies
  • In re Target Corp. Data Sec. Breach Litig., MDL No. 14-2522 (PAM/JJK), 2014 WL 7192478, at *2 (D. Minn. Dec. 18, 2014)
  • Standing: "Plaintiffs' allegations plausibly allege that they suffered injuries that are `fairly traceable' to Target's conduct. This is sufficient at this stage to plead standing. Should discovery fail to bear out Plaintiffs' allegations, Target may move for summary judgment on the issue."
  • In re Adobe Sys., Inc. Privacy Litig., No. 13-CV-05226-LHK, 2014 WL 4379916, at *8 (N.D. Cal. Sept. 4, 2014)
  • Addressing issue of harm: "Unlike in Clapper, where respondents' claim that they would suffer future harm rested on a chain of events that was both `highly attenuated' and `highly speculative,' the risk that Plaintiffs' personal data will be misused by the hackers who breached Adobe's network is immediate and very real."
  • Reports

  • GAO-02-363 Identity Theft: Prevalence and Cost Appear to be Growing
  • Identity Fraud: Information on Prevalence, Cost, and Internet Impact is Limited , General Accounting Office (May 1998)
  • FTC Consumer Sentinel Network Reports

    Annual Identity Theft Reports

    - IDT CY-2006 FIGURES - (PDF)

    - CY-2006 IDT State Reports - (PDF)

    - IDT CY-2005 FIGURES - (PDF)

    - CY-2005 IDT State Reports - (PDF)

    - IDT CY-2004 FIGURES - (PDF)

    - CY-2004 IDT State Reports - (PDF)

    - IDT CY-2003 FIGURES - (PDF)

    - CY-2003 IDT State Reports - (PDF)

    - IDT CY-2002 FIGURES - (PDF)

    - CY-2002 IDT State Reports - (PDF)

    Consumer Sentinel Annual Fraud and Identity Theft Reports

    - Sentinel CY-2007 - (PDF)

    - Sentinel CY-2004 - (PDF)

    - Sentinel CY-2006 - (PDF)

    - Sentinel CY-2003 - (PDF)

    - Sentinel CY-2005 - (PDF)

    - Sentinel CY-2002 - (PDF)

  • Statistics

  • FTC Report, National and State Trends in Fraud and Identity Theft Jan. - Dec. 2004 (Feb. 1, 2005)
  • Links

  • USG
  • FBI:  Protecting Yourself Against Identity Fraud
  • Social Security Administration
  • Identity Theft
  • Fraud Hotline
  • When Someone Miss Uses Your Number
  • Identity Theft And Your Social Security Number
  • FDIC
  • Classic Cons. and How to Counter Them A laundry list of dirty tricks used by fraud artists
  • Pretext Calling and Identity Theft
  • Your Wallet: A Loser's Manual
  • A Crook Has Drained Your Account. Who Pays?
  • Identity Theft
  • Dept of Justice
  • Fraud Section
  • Identity Theft and Fraud
  • DOJ Identity Theft and Fraud Webpage
  • ID Theft A Quiz for Consumers
  • Dof Education
  • Don't let identity thieves steal your future!
  • Preventing and Responding to Identity Theft
  • Treasury: ID Theft Resource Page
  • Privacy Clearing House: Identity Theft Resources
  • ID Theft Survival Kit
  • Immigration and Customs: Cyber Crime Center: Cyber Crimes Section
  • CPSR Some Frequently Asked Questions on SSNs
  • Victims Assistance of America: Advocates for Victims of Identity Theft
  • National White Collar Crime Center Paper on Identity Theft pdf
  • Identity Theft: A Bibliography of Federal, State, Consumer and News Resources
  • Papers

  • USG
  • FTC
  • Financial Institutions and Customer Data: Complying with the Safeguards Rule [TXT] [PDF]
  • Information Compromise and the Risk of Identity Theft: Guidance for Your Business [TXT] [PDF]
  • OnGuard ID Theft
  • Sasha Romanosky, Carnegie Mellon University , Richard Sharp, Carnegie Mellon University , Alessandro Acquisti, Carnegie Mellon University Data Breaches and Identity Theft:Data Breaches and Identity Theft: When is Mandatory Disclosure Optimal? TPRC 2010
  • Press Release, Identity Theft - Victim's Perspective ITRC 6 th Annual Study Released , Identity Theft Resource Center (May 27, 2009).
  • Gartner Says Number of Identity Theft Victims has Increased More Than 50 Percent Since 2003 , Gartner Newsroom (Mar. 6, 2007)
  • Latanya Sweeney, AI Technologies to Defeat Identity Theft Vulnerabilities, CS 3/4/2005
  • Most ID Theft Begins At Home , Computer Crime Research Center (Jan. 30, 2005)
  • Daniel J. Solove, Identity Theft, Privacy, and the Architecture of Vulnerability, 54 HASTINGS L.J. 1227 (2003).
  • News