New Report On Identity Theft

US AG, Michael B. Mukasey, and FTC Chairman William Kovacic recently announced the publication of a new report on identity theft. In April of '07, the President's Identity Theft Task Force published a strategic plan, listing 31 recommendations, for combating identity theft. This new report details the steps the government has taken to accomplish the recommendations set out in the original report.

Compliance With The Red Flag Rules

This article reports that less than-third of US banks will be compliant with the Red Flag rules by the November 1 deadline. All told, U.S. financial institutions are expected to spend more than $200 million on compliance with the rules. For more on the Red Flag rules, see these posts.

ID Theft Ring Uncovered

Prosecutors announced that they have uncovered the identities of the thieves behind the T.J. Max, Barnes & Noble, and The Sports Authority identity theft cases. The case, which involves 11 people, is being dubbed the largest identity theft case ever prosecuted. The thieves reportedly stole 40 million confidential records. Investigators say the suspects obtained their information largely through hacking into wireless networks. See here for a copy of the indictment.

Identity Theft Monitoring Services

Many companies offer these services as additional protection for identity theft. Are they worth purchasing? Are they effective? Privacy Rights Clearinghouse recently published this new guide: "Straight Talk about Identity Theft Monitoring Services."

Deadline For Red Flag Rules Approaching

With the so-called Red Flag rules set to become effective on Nov. 1, the FTC is beginning a campaign to help educate the public on the details of the new regs. The FTC recently published an Alert to help companies better understand the law. The Red Flag rules require certain types of companies to implement identity theft prevention programs. See this previous post for more info.

2008 Security Breach Report

The Identity Theft Resource Center recently published their 2008 security breach incidence report. For each incident the report provides the number the exposed records, the breach type (print or electronic), and a link to a news article about the incident. So far in '08, the report counts 346 security breach incidents totalling upwards of 16 million exposed records.

California Expands Identity Theft Law

California Governor Arnold Schwartzenegger recently signed into law SB 612 which makes it easier to prosecute identity theft crimes in California. Under the old system, prosecutions could only take place where the crime occurred, which is usually in the perpetrators' towns or cities. With the passage of this bill, prosecutors can now charge people with identity theft in the jurisdictions where the victims live. This is significant because prosecutors are generally more aggressive when they're fighting criminals in their home town.

Texas AG Settles With EZCORP Over Identity Theft

The Texas Attorney General's Office announced a settlement yesterday with EZCORP over the company's failure to adequately safeguard customer's personal information. Apparently, the company had simply dumped 483 customer records laden with social security numbers and other highly sensitive information in the trash. The AG's office filed suit under Texas Business & Comm. Code Section 48-102, claiming the company had failed to implement "reasonable procedures" to safeguard customers personal information. The AG's website includes a picture of a credit application that was found in the trash.

Suing For Identity Theft Using RICO

Check out this National Law Journal article, "RICO And Data Thieves" (subscription). Historically, data theft has been largely prosecuted using the Computer Fraud and Abuse Act (CFAA). The author, Nick Akerman, suggests that filing suit under the Racketeer Influenced and Currupt Organizations (RICO) statute might have some advantages. As the author points out, RICO, unlike the CFAA, provides for treble damages and attorney fees.

Do Data Breach Laws Reduce Identity Theft?

A new working paper entitled "Do Data Breach Laws Reduce Identity Theft?" (Carnegie Mellon University) analyzes the effect of data breach laws on the presence of identity theft. Although the authors acknowlege limitations to their study, they conclude that they found no statistically significant effect that data breach laws reduce identity theft. This is one more indication that an effective approach to tackling the problem of identity theft requires more than enacting legislation alone.

Maryland Identity Theft Statute Held Not To Apply To Fictitious Identities

Maryland's highest court recently published a surprising ruling: to be prosecuted under the Maryland identity theft statute (Criminal Law Article 8-301), one must have stolen the identity of an actual person. The statute does not apply, the court reasoned, in cases where an individual commits identity theft using a fictitious identity. The majority of the case centers on an analysis of the term "another" in the statute. After delving into the statute's legislative history, the court determined that "another" must refer to an actual person for the statute to apply.

Life Sentence For Identity Theft?

According to this Baltimore Sun article, a Maryland woman indicted on identity theft charges could face life in prison. Belinda Marie Glock, 33, was indicted on counts of aggravated identity theft (18 USC 1028A(a)(1)) and fraud in connection with access devices (18 USC 1029(a)(2)).

2007 Internet Crime Report

The 2007 Internet Crime Report, published by the Internet Crime Complaint Center (a partnership among the FBI, the National White Collar Crime Center, and Bureau of Justice Assistance), includes some interesting findings. The report demonstrates (not suprisingly) that internet fraud is on the rise. Reported losses were $240 million compared to $200 million in 2006. Other notable findings include that the most common crime occurred through the use of email and that those affected were more likely to be males rather than females. For IC3's previous reports see here.

Identity Theft Tops FTC Complaint List

According to the FTC's annual report on the subject, identity theft topped the list of FTC complaints for the 7th year in a row. Roughly 32% (or over 260,000) of the Agency's 2007 complaints were due to identity theft. The report also demonstates that the most frequent type of identity theft complaint in 2007 was credit card fraud (23%). The metropolitan areas reporting the highest per capita rates of identity theft were Napa, California; Madera, California; and Greeley, Colorado.

Red Flag Regulations

The most recent National Law Journal features an article entitled "Scrambing With ID Theft Programs" (subscription) discussing the so-called "Red Flag Regulations" which implement two sections of the Fair and Accurate Credit Transactions Act. The regulations, formally termed
"Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003," require financial institutions and companies offering consumer credit to institute identity theft prevention programs to detect "red flags" which might signal possible foul play. The regs go into effect Nov. 1 of this year.

FTC Settlement With Life Is Good, Inc.

The FTC recently announced a Proposed Settlement with clothing company Life Is Good, Inc. The FTC's Complaint against the company had alleged that the company, contrary to it's privacy policy, failed to adequately protect and secure the sensitive information it maintained about its customers. The proposed settlement requires, among other things, that the company designate at least one employee to coordinate the security program and that the company develop reasonable procedures for selecting and supervising service providers that handle customers’ personal information.

Preparing For A Data Breach

Philip Gordon of the Workplace Privacy Counsel blog provides 5 key points for employers to consider as they prepare for the possibility of a data breach: be prepared, train your HR professionals, determine your notice obligations, help your employees, and learn from your mistakes.

MD Identity Theft Task Force Issues Report

The Maryland Task Force to study Identity Theft recent published it's report. Over 230 pages, the report recommends, among other things, that the penalties for felony identity theft be increased, that the State ban credit card skimming devices, and that the State should enact legislation to enable a court to order the forfeiture of all property of a criminal convicted of identity theft obtained from the crime.

Sears Sued For Failing To Adequately Protect Website

This Washington Post article reports on a class action suit against Sears for failing to adequately secure the personal information on its website managemyhome.com. The site's security vulnerabilities came to light after Ben Edelman pointed out the ease with which anyone could access the purchase history of the site's users. See here for a copy of the Complaint filed in Cook County, Illinois.

Security Breach Laws

The National Conference of State Legislatures site contains a list of all state security breach notification laws. The Maryland Statute (Commercial Law 14-3501 et. seq.) was recently amended by SB 194 which went into effect Jan. 1 of '08.