Federal Internet Law & Policy
An Educational Project
Fraud: ID Theft Dont be a FOOL; The Law is Not DIY

The Internet Company

Internet companies have become aware of the sensitivity of customers information. Posted privacy policies articulating care and handing of sensitive information have become common place. Options for handling information include restricting staff that has access to a business’s customer information to a few who have a need to know. Some companies conduct background checks on those who do have access to sensitive information. If an employee pockets a few thousand credit card numbers as a result of sloppy information practices, the company could be liable as well. Appropriate questions could be, how is that information secured and stored, and how do you dispose of it when it is no longer needed. Paper shredders now cost $40 down at the local office supply store (I bought one for Christmas and let my kids shred anything with personal information on it). Safes and locking file cabinets are also very affordable.

Ebusinesses regularly make security a part of the business plan. They consider consider the security of interactions with the public and of online transactions. Could any of the “sploits of the month” defeat security efforts and permit a skript kiddy to rifle through data? Organizations designate an individual on staff to be responsible for the security of the network and data. Security and firewall can be designed with the confidentiality of data in mind. If a project is big enough, one can conduct a security audit. There are also available voluntary trust programs, like the Better Business Bureau or Truste that show customers that a site is taking prudent precautions.

As subscribers go online with broadband connections and fixed IP addresses, they are increasingly vulnerable to intruders rifling through hard drives. ISPs are increasingly attempting to educate subscribers about the dangers of the barbarians online. Some have added a firewall to the service package provided to new customers and recommend to new subscribers that they keep their sensitive data on removable media, like key chain drives, that are not always attached to the computer.

There are a number of laws that deal with your customer’s information. The FCC’s Customer Proprietary Network Information rules prohibit telephone carriers from stealing this information from you when you order telephone service. The Electronic Communications Privacy Act (ECPA) governs when it is appropriate for you to turn information over to federal agents and what documents they have to present to you before you should supply that information Any children’s information collected online falls under the Children’s Online Privacy Protection Act.

Some ISPs make this a part of the training for customer support staff. After all, when customers have trouble with Netscape, who do they call? When customers worried about Y2K, who did they call? They called their ISP. Identity Theft has become so endemic that some ISPs provide an FAQ on your company website linking to the appropriate identity theft information.

Derived From Identity Theft: Prevalence and Cost Appear to Be Growing , GAO-02-363, p. 11 (Mar. 2002)

"Since our May 1998 report, various actions-particularly passage of federal and state statutes-have been taken to address identity theft. The federal statute,14 enacted in October 1998, made identity theft a separate crime against the person whose identity was stolen, broadened the scope of the offense to include the misuse of information as well as documents, and provided punishment-generally, a fine or imprisonment for up to 15 years or both. Under U.S. Sentencing Commission guidelines-even if (1) there is no monetary loss and (2) the perpetrator has no prior criminal convictions-a sentence as high as 10 to 16 months incarceration can be imposed. Regarding state statutes, at the time of our 1998 report, very few states had specific laws to address identity theft. Now, less than 4 years later, a large majority of states have enacted identity theft statutes.

"In short, federal and state legislation indicate that identity theft has been widely recognized as a serious crime across the nation. As such, a current focus for policy makers and criminal justice administrators is to ensure that relevant legislation is effectively enforced. Given the frequently cross-jurisdictional nature of identity theft crime, enforcement of the relevant federal and state laws presents various challenges, particularly regarding coordination of efforts. Although we have not evaluated them, initiatives designed to address these challenges include the following:

"After enactment of the 1998 Identity Theft Act, the Attorney General's Council on White Collar Crime established a Subcommittee on Identity Theft. Purposes of the Subcommittee are to foster coordination of investigative and postdoctoral strategies and promote consumer education programs. Subcommittee leadership is vested in the Fraud Section of the Department of Justice's Criminal Division, and membership includes representatives from various Justice, Treasury, and State Department components; SSA/OIG; the FTC; federal regulatory agencies, such as the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation; and professional organizations, such as the International Association of Chiefs of Police (IACP), the National Association of Attorneys General, and the National District Attorneys Association.

. Various identity theft task forces, with multiagency participation (including state and local law enforcement), have been established to investigate and prosecute cases. Such task forces enable law enforcement to more effectively pursue cases that have multijurisdictional elements, such as fraudulent schemes that involve illegal activities in multiple counties or states. At the time of our review, the Secret Service was the lead agency in 37 task forces across the country that were primarily targeting financial and electronic crimes, many of which may include identity theft-related elements.

. Also, under the 1998 Identity Theft Act, the FTC established a toll-free number for victims to call and is compiling complaint information in a national Identity Theft Data Clearinghouse. FTC's Consumer Sentinel Network makes this information available to federal, state, and local law enforcement. According to FTC staff, use of the Consumer Sentinel Network enables law enforcement to coordinate efforts and to pinpoint high-impact or other significant episodes of identity theft.

Furthermore, there is general agreement that, in addition to investigating and prosecuting perpetrators, a multipronged approach to combating identity theft must include prevention efforts, such as limiting access to personal information. In this regard, federal law enacted in 1999, the Gramm-Leach-Bliley Act,15 directed financial institutions-banks, savings associations, credit unions, broker-dealers, investment companies, investment advisers, and insurance companies-to have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information and to deter fraudulent access to such information. Prevention efforts by financial institutions are particularly important, given FTC data showing that a large majority of consumer complaints regarding identity theft involve financial services-new credit card accounts opened, existing credit card accounts used, new deposit accounts opened, and newly obtained loans.

Finally, given indications that the prevalence and cost of identity theft have increased in recent years, most observers agree that such crime certainly warrants continued attention from law enforcement, industry, and consumers.16 Also, due partly to the growth of the Internet and other communications technologies, there is general consensus that the opportunities for identity theft are not likely to decline.

"Under the Identity Theft and Assumption Deterrence Act, the Federal Trade Commission is responsible for receiving and processing complaints from people who believe they may be victims of identity theft, providing informational materials to those people, and referring those complaints to appropriate entities, including the major credit reporting agencies and law enforcement agencies. For further information, please check the FTC's identity theft Web pages . You can also call your local office of the FBI or the U.S. Secret Service to report crimes relating to identity theft and fraud." - USDOJ Identity Theft and Fraud





Chairman Inouye Introduces Identity Theft Prevention Bill, Senate 4/24/2007


Federal Activity







Annual Identity Theft Reports


- CY-2006 IDT State Reports - (PDF)


- CY-2005 IDT State Reports - (PDF)


- CY-2004 IDT State Reports - (PDF)


- CY-2003 IDT State Reports - (PDF)


- CY-2002 IDT State Reports - (PDF)

Consumer Sentinel Annual Fraud and Identity Theft Reports

- Sentinel CY-2007 - (PDF)

- Sentinel CY-2004 - (PDF)

- Sentinel CY-2006 - (PDF)

- Sentinel CY-2003 - (PDF)

- Sentinel CY-2005 - (PDF)

- Sentinel CY-2002 - (PDF)