Below is an overview of federal laws in connection with identity theft crimes.
- The Identity Theft and Assumption Deterrence Act (the “ITADA”)
The ITADA, passed in 1998, makes identity theft a distinct crime from wire fraud, covers theft of data (as well as documents), and encompasses businesses and persons that seek access to personal records through banks, state and federal agencies, or insurance companies. The ITADA mandates significant fines and imprisonment even for first offenders. The federal criminal jurisdiction requires an underlying felony (such as fraud or conspiracy) and involvement of an “identification document” that: (a) is purportedly issued by the United States, (b) is used or intended to defraud the United States, (c) is sent through the mail, or (d) is used in a manner that affects interstate or foreign commerce.
- The Fair and Accurate Credit Transactions Act (the “FACTA”)
The FACTA was established as a national detection system to deter fraud resulting from identity theft in its early stages, with or without a subsequent law enforcement investigation. Among other rights, the FACTA allows victims to alert all three major credit rating agencies of suspected criminal use of their financial data or of accounts affecting a credit rating. The FACTA created the right to “free” annual credit reports, and the requirement that mortgage lenders provide actual FICO credit scores (not just credit account data) if that score is used to determine interest rates for a housing loan. The FACTA also mandates that merchants show only the last five digits of credit card numbers on receipts. The FACTA further requires the development of a system to “red flag” suspicious requests for consumer data, and allows military personnel to “freeze” their credit files when they are deployed overseas.
Under the FACTA, consumer “red flags” include fraud alerts from a reporting business that has identified a data breach, unusual patterns in credit usage, suspicious documentation, credit usage after long periods of inactivity, known mail drop addresses, and other anomalies.
The FACTA also requires employers to shred documents containing employee data; any business that supplies or facilitates consumer credit must secure or destroy consumer information. This “disposal rule” requires reasonable and appropriate destruction of all information derived from a consumer credit report prior to its disposal. Failure to comply with destruction requirements (i.e., shredding) carries penalties of up to $2,500 per violation. There is an implied obligation within the FACTA disposal rule to conduct due diligence when hiring or contracting data disposal personnel, which includes reference checking, physical inspection of licenses or certificates, and audits.
- The Fair Credit Reporting Act (the “FCRA”)
The FCRA requires consumer reporting agencies (CRAs) to adopt reasonable procedures to maintain and report consumer data with confidentiality, accuracy, relevancy, and reasonable security. CRAs must ensure “reasonable procedures to assure maximum possible accuracy of the information concerning the subject of the report.”
Victims may sue for willful or negligent failure to verify the accuracy of disputed information or correct inaccurate information resulting from a stolen identity. Consumers who report errors or fraudulent transactions are entitled to a “reasonable investigation” and an expectation that errors will be corrected and reported back promptly. The statute provides for attorney’s fees and punitive damages for willful violations. Under the FCRA, identity theft victims may authorize law enforcement agencies to obtain their credit reports and other records without obtaining a subpoena and at no personal cost. The FCRA imposes a two-year statute of limitations that begins when an inaccurate disclosure or report is filed, not when the consumer actually becomes aware of inaccuracies.
The FCRA also includes a “disposal rule” requiring any business that has access to or utilizes consumer reporting information to dispose of this sensitive information properly. The FCRA’s disposal rule is broader than FACTA’s in that it targets any company that compiles, sells or purchases reports containing private personal or medical information. This includes employment agencies, banks, private investigators, landlords, auto dealers, insurance agents and others. The FCRA disposal rule applies to any information, in any format, and mandates that the disposal method render the documents or information unreadable and incapable of being reconstructed.
- The Gramm-Leach-Bliley Act (the “GLBA”)
The GLBA directs eight federal regulatory agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule to ensure that financial institutions prevent unauthorized disclosure of consumer financial information, including fraudulent access, by implementing appropriate policies, procedures and controls. Also known as the Financial Services Modernization Act of 1999, the GLBA defines financial institutions as a “business significantly engaged in providing financial services or products for personal, family, or household use.” The GLBA is relevant to traditional banks and credit unions, and also includes check-cashing and payday loan services, non-bank lenders, real estate appraisers, tax preparers, debt collectors, financial advisors, and insurance agents and brokers.
- The Right to Financial Privacy Act (the “RFPA”)
The RFPA falls under the ambit of the FDIC and targets industrial loan companies, trust companies, savings associations, credit unions and consumer finance institutions. The RFPA creates statutory Fourth Amendment protection for personal bank records by providing that ‘no government authority [state or federal] may have access to or obtain copies of, or the information contained in, the financial records of any customer from a financial institution unless the financial records are reasonably described and the customer authorizes access; there is an appropriate administrative subpoena or summons; there is a qualified search warrant; there is an appropriate judicial subpoena; or there is a written request from an authorized government authority.’
The RFPA prohibits banks and other covered entities from requiring customers to release financial records as a condition of doing business, and mandates banks to provide customers with access to records of all disclosures made to third parties.
- The Health Insurance Portability and Accountability Act (the “HIPAA”)
The HIPAA, which is administered by the U.S. Department of Health and Human Services (HHS), establishes nationwide security standards for electronic health care information. This ‘security rule’ requires all covered entities to be compliant with specific administrative, technical, and physical security standards and procedures for electronic data. HIPAA rules apply not only to doctors, clinics, hospitals, pharmacies, and laboratories, but may also apply to certain collection agencies, health insurers, and lawyers, and also to any businesses that maintain self-insured employee health care plans.
In addition to federal laws, each state has its own law regarding identity theft or impersonation. Twenty-nine states, Guam, Puerto Rico and the District of Columbia have specific restitution provisions for identity theft. Five states—Iowa, Kansas, Kentucky, Michigan and Tennessee—have forfeiture provisions for identity theft crimes. Eleven states—Arkansas, Delaware, Iowa, Maryland, Mississippi, Montana, Nevada, New Mexico, Ohio, Oklahoma and Virginia—have created identity theft passport programs to help protect victims from continuing identity theft.
Thirty-four states introduced or had pending legislation regarding identity theft during the 2012 legislative session, including Louisiana, which enacted its Business Identity Theft Prevention Act. For more information on state laws, visit the website of the National Council of State Legislatures.