Identity Theft: A Cost of Business?


THOMAS A. HEMPHILL

In early 1998, a man using baseball superstar Tony Gwynn’s bank account, Social Security, and driver’s license identification numbers cashed a $950 check on the San Diego Padres outfielder’s account at a bank in Anaheim, California. But that was not the end of Gwynn’s problems. A Gwynn impostor used his name to test drive a Ford Escort, which was not returned to the dealership.1 “Identity theft,” as the Gwynn incident is called, occurs when an individual appropriates another person’s name, address, Social Security number, or other identifying information to commit fraud.2 Among the most common forms of identity theft are opening new credit card accounts, taking out loans in the victim’s name, and stealing funds from existing checking, savings, or investment accounts.3 Yet the latest vehicle for perpetrating identity theft can be found on the “Information Highway.”

“The computer and, more recently, the Internet have brought identity theft to a much more insidious level,” says Norman A. Wilcox, chief executive officer of the Horsham, PA-based National Fraud Center (NFC), Inc., a private entity studying economic crime since 1986.4 “They have allowed the identity thief to obtain personal identifiers of multiple persons quicker; to access higher quality fake identification tools (driver’s licenses, birth certificates, Social Security cards, etc.) and, through e-commerce, to render the credit transaction completely impersonal. The potential harm caused by an identity thief using the Internet is exponential,” says Wilcox.5 The U.S. Secret Service and the Federal Trade Commission verified the increasing use of the Internet by criminals to acquire information they need to assume another person’s identity and commit fraudulent financial transactions.6

© 2001 Center for Business Ethics at Bentley College. Published by Blackwell Publishers, 350 Main Street, Malden, MA 02148, USA, and 108 Cowley Road, Oxford OX4 1JF, UK.

Business and Society Review 106:1 51–63

Thomas A. Hemphill is a Ph.D. candidate in the School of Business and Public Management, The George Washington University, majoring in business administration with a primary field in strategic management and public policy.

Just how pervasive is identity theft in America? The U.S. Postal Inspection Service estimates that 50,000 people a year have become victims of identity theft since the mid-1990s.7 Furthermore, the U.S. Secret Service investigated identity theft losses to individuals and institutions of $745 million in 1997, a 75 percent increase over the $442 million lost in 1995 and, during the same time periods, arrests for identity fraud increased from 8,806 to 9,445.8 According to Trans Union Corporation, one of the three major national credit bureaus, the total number of identity theft inquiries to the company’s Fraud Victim Assistance Department grew from 35,235 in 1992 to 522,922 in 1997.9 And the Social Security Administration’s Office of the Inspector General conducted 1,153 Social Security number misuse investigations in 1997, compared with 305 in 1996.10

These alarming (yet dispassionate) statistics reflect the demographic trends and economic losses attributable to this category of crime. Yet there are acute personal losses reflected in this privacy violation that thereafter affects an individual’s everyday life, as witnessed first-hand by journalist Stacy Sullivan. Sullivan wrote an op-ed piece for the New York Times that vividly describes the personal hell she has confronted since someone used her Social Security number in 1996 (when she was living overseas) to order telephone service in Los Angeles County, and then disappeared.11

After not being able to collect on the unpaid phone bills, Ms. Sullivan’s debt record was passed on to the three major national credit bureaus (Equifax, Experian, and the above-mentioned Trans Union) and she has been labeled a financial delinquent and poor credit risk. Even though she made extensive efforts—within what she refers to as a bureaucratic “Kafkaesque maze”—to remedy her situation and clear her name, four years later the unpaid bills are still reflected on her credit report and she is unable to rent an apartment.

According to Ms. Sullivan, her problem could have been prevented if the telephone company had properly checked the identity of the person who had established phone service in her name. She ends her essay by posing a simple question to the American business community: Is it too much to ask that companies that issue credit cards, sell merchandise, or provide services take simple precautions to identify their customers? This is a reasonable query from a person who has been victimized twice; first by a thief, and secondly by a private sector which ostensibly values the consumer as an important stakeholder. From the vantage point of retail credit issuers and credit reporting bureaus, these firms calculate that it is not cost efficient to engage in improving security practices. After all, a certain amount of fraud is simply a cost of business, regardless of what economists refer to as the negative externality borne by the victimized consumer. With this enlightened approach to corporate responsibility, is it any wonder that retail credit issuers and the consumer credit reporting industry are under increased scrutiny by the media, consumer groups, and the federal government?

CONSUMER PROTECT THYSELF

Granted, protecting personal identifying information from public consumption is initially the responsibility of the consumer. To that end, limiting access to a Social Security number (SSN) is the consumer’s first line of defense. The expanded use of the SSN as a common identifier for consumer financial transactions has led to a staggering increase in efforts by thieves to obtain SSN cards. In fact, the U.S. Social Security Administration maintains a “disallowed file” containing information on every person whose application for an SSN was denied because he or she submitted fraudulent documentation.12 This database currently holds over 94,000 entries and is increasing by an average of 10,000 entries annually.13

Another way to limit the public availability of personal identifying information is for the consumer to exercise the “opt-out” options which credit bureaus, marketers, and many on-line businesses make available to consumers. The three major credit reporting bureaus allow the consumer to opt-out of receiving pre-screened credit card offers by calling a single toll-free number (1-888-5-OPTOUT).14 However, of the three major credit reporting bureaus, only Experian offers consumers the option to remove their names from lists used for marketing and promotional purposes.15 Representing the direct marketing industry, the Direct Marketing Association allows consumers to opt-out of direct mail marketing, e-mail marketing, and/or telemarketing solicitations from many national companies.16 By removing his or her name from these lists, the consumer prevents companies from renting or selling this personal information to other firms.17

Properly disposing of mail and other personal documents containing sensitive information will contribute to keeping this information out of the possession of identity thieves. A disposal routine involving an inexpensive paper shredder will go a long way in ensuring that this avenue of opportunity will be sealed off to would-be perpetrators. Furthermore, securing important personal documents and information from prying eyes and ears should become a common part of a consumer’s routine. Whether limiting the number of credit cards carried in wallets, placing key documents in a secure place, or making sure that personal identifying numbers (PINs) for cash withdrawal or telephone calling cards are known only to the owners, due diligence is the responsibility of the consumer to minimize the risk of identity theft. Finally, annually obtaining a copy of your credit report from all three major national credit reporting bureaus (to review for fraud or inaccuracies) is highly recommended.

Yet given all these above-mentioned precautions, can a consumer completely prevent identity theft from occurring? Probably not, says the Federal Trade Commission (FTC), especially if the perpetrator is determined to commit the crime.18 In that case, the FTC recommends that an identity theft victim immediately undertake the following three basic steps to manage the damage to his or her credit record:19

• First, contact the fraud departments of each of the three major national credit bureaus (Equifax, Experian, and Trans Union) and inform them that you are an identity theft victim. Request that a “fraud alert” be placed in your file, as well as requesting that creditors call you before opening any new accounts or changing your existing accounts, thereby preventing any additional accounts from being fraudulently opened in your name. Also, request a copy of your credit report from all three bureaus and review them for any fraudulent account activities.

• Second, contact creditors, which may include credit card companies, banks, investment companies, and public utilities, for any accounts that may have been tampered with or opened fraudulently. This contact, while initially verbal in nature, should be followed up in a letter as this is the consumer protection procedure mandated under the Fair Credit Billing Act to resolve errors on credit card billing statements.

• Third, file a report with your local police or the police in the community where the identity theft took place. Make sure that a copy of the police report is filed with each creditor affected by the fraud as proof of the crime.

Given the magnitude of the growth and financial and personal impact that identity theft has on the economy and personal lives, emphasis has shifted from primary responsibility resting with the consumer to shared responsibility with institutions in society, both governmental and business.

IDENTITY THEFT LAW AND ENFORCEMENT

In October 1998, the U.S. Congress passed and President Clinton signed the “Identity Theft and Assumption Deterrence Act” (the Act) into law.20 The Act makes it a federal crime (carrying a maximum penalty of 15 years imprisonment, a fine, and forfeiture of any personal property used or intended to be used to commit the crime) for anyone who

knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law.21

Under this Act, a “means of identification” can include a name, a SSN, date of birth, driver’s license or other government issued identification number, alien registration number, government passport number, employer or taxpayer identification number, biometric data, e.g., fingerprint, voice print, retina, or iris image, unique electronic identification number, address, or routing code, and telecommunication identifying information or access device.22

The Act allows the U.S. Secret Service, the FBI, the U.S. Postal Inspection Service, and the U.S. Social Security Administration’s Office of the Inspector General to investigate and the U.S. Department of Justice to prosecute identity theft cases.23 The Act also identifies the FTC as the primary agency for complaint and consumer education for victims of identity theft.24 In addition to this federal legislation, 22 states have passed laws addressing penalties for identity theft.25

On March 30, 2000, Senator Dianne Feinstein (D-California) introduced S.2328, “The Identity Theft Prevention Act of 2000,” in the U.S. Senate. Bill S.2328, possibly the next legislative phase of preventing identity theft, is focused on consumer credit transactions and credit reports. It includes provisions requiring: 1) consumer credit card notification of a change of address or request for additional credit cards; 2) notice of potential fraud by consumer reporting agencies to credit report users; 3) an extension of civil monetary penalties to Social Security identity fraud activities; 4) the FTC to develop a model form for consumers to use to notify creditors and credit reporting agencies of identity fraud; and 5) that a free annual personal credit report be issued by credit reporting agencies to the consumer upon request. Enforcement of the bill’s provisions would be primarily the responsibility of the FTC, although depending on the institution issuing the credit card, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Director of the Office of Thrift Supervision, or the Administrator of the National Credit Union Administration may have jurisdiction.

Federal executive agencies have also been actively involved in instituting programs to reduce the threat of identity theft. For instance, the U.S. Social Security Administration (SSA) has instituted ongoing training on document authenticity for its employees who process SSN applications and must evaluate birth certificates and Immigration and Naturalization Service documents.26 The SSA, in cooperation with the U.S. Department of State, is also developing a program of “enumeration at entry” which will provide SSNs at the time that a non-citizen enters the country and is eligible for a number.27 In certain instances, the SSA will assign a new SSN to an identity theft victim to establish a new credit record and end the fraudulent activity.28 The U.S. Secret Service, in partnership with the nation’s financial industry, has developed and maintains “skimming” and counterfeit check databases to identify defendants of identity theft.29 In a cooperative effort, the U.S. Secret Service and Citicorp are developing a protocol for the identification of identity theft to commit bank fraud, credit fraud, and money laundering within electronic commerce in tandem with the immediate notification of the proper law enforcement authorities.30

In February 2000, the FTC launched a three-part initiative to help consumers combat identity theft.31 Following its 1998 congressional mandate to be the nation’s clearinghouse for identity theft information, the agency has installed a toll-free number where identity theft victims can report the crime and get advice from trained counselors, developed an on-line consumer complaint form where identity theft victims can enter their complaint information directly into the FTC’s secure database, and developed a 21-page consumer booklet (available on-line) that addresses all aspects of identity theft.32 Late in 1999, the Federal Deposit Insurance Corporation advised its member banks to report incidents of identity theft to the proper law enforcement authorities and help victims restore their financial integrity.33

While the efforts of federal and state governments to provide greater penalties, criminal enforcement, theft prevention, and victim remediation of identity theft are necessary and welcome, the primary institutional responsibility for identity theft prevention and victim remediation rests in the business sector. After all, business is the issuer of credit and provider of services and products that are the targets of the perpetrators of identity theft. It is to the improvement of industry identity theft prevention practices that we now turn.

IMPROVING INDUSTRY SECURITY PRACTICES

For credit issuers and credit reporting bureaus, the most important strategy to adopt is a corporate-wide consumer privacy policy and implementation of a secure information-handling regime. To assist these firms, there are long-established fair information practice principles (principles) that have evolved to meet the consumer privacy and security requirements of the Information Age.34 The five core principles of individual privacy protection for the consumer are categorized as follows: 1) notice/awareness; 2) choice/consent; 3) access/participation; 4) integrity/security; and 5) enforcement/redress.

The first core principle of notice/awareness is fundamental: the consumer must be given notice of a business’ information practices before any personal information is accepted. Consumer choice or consent, the second core principle, gives consumers options as to how information collected from them may be used beyond that which is necessary to complete the present business transaction. The third core principle, access, refers to an individual’s ability to access and view data about him-or-herself and contest that data’s accuracy and completeness. Accurate and secure data is the fourth principle. To assure data integrity, a business should use only reputable sources for information and cross-reference it against multiple sources, offer consumer access to data, and destroy or convert data to an anonymous form. The fifth and final principle, enforcement and redress, allows for all the preceding principles to be effective. Without an enforcement and redress mechanism, a consumer privacy policy is merely a suggested set of corporate guidelines rather than a prescriptive mechanism, and does not ensure compliance with the principles.

As Stacy Sullivan asked in her op-ed essay, why can’t credit users and issuers, i.e., retail vendors and credit lenders, institute simple precautions to protect their customers? The answer is, they can. For instance, take the example of credit card identity theft. Retail outlets can require a second form of identification along with a credit card, such as a driver’s license or another government issued document. This is usually a standard procedure when a customer pays by personal check. In addition, a retail associate could actually verify that a signature on a credit receipt matches the signature on the back of the credit card. Finally, credit card issuers can, as a standard practice, establish purchasing profiles on their clients based on purchasing histories. This could simply involve an upper limit on a dollar amount of purchases made within a certain time period. When the upper limit is exceeded, an alert will be electronically transmitted to the retail outlet initiating the transaction recommending additional personal identification from the card user.
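The purchasing-profile check described above can be sketched in a few lines. This is an added example, not part of the original article: the 24-hour window, the 150 percent headroom rule for deriving the limit from purchasing history, and all names and sample purchases are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumption: the "certain time period"
HEADROOM_PCT = 150             # assumption: limit = 150% of busiest past window


def max_window_spend(purchases, window=WINDOW):
    """Largest total (in cents) spent inside any rolling window.

    purchases: list of (timestamp, cents), sorted by timestamp.
    """
    best = total = start = 0
    for when, cents in purchases:
        total += cents
        # Slide the left edge until every purchase is younger than `window`.
        while when - purchases[start][0] >= window:
            total -= purchases[start][1]
            start += 1
        best = max(best, total)
    return best


class PurchaseProfile:
    """Per-card profile: an upper spend limit derived from purchasing history."""

    def __init__(self, history, window=WINDOW, headroom_pct=HEADROOM_PCT):
        self.window = window
        # A card with no history gets limit 0, so its first purchases
        # always ask the retailer for a second form of identification.
        self.limit = max_window_spend(history, window) * headroom_pct // 100
        self._recent = deque()   # purchases still inside the rolling window

    def check(self, when, cents):
        """Record one purchase and return the message sent to the retailer."""
        while self._recent and when - self._recent[0][0] >= self.window:
            self._recent.popleft()
        # The purchase is counted even when flagged, so the alert keeps
        # firing until earlier spending ages out of the window.
        self._recent.append((when, cents))
        total = sum(c for _, c in self._recent)
        return "REQUEST_ADDITIONAL_ID" if total > self.limit else "APPROVE"


# Constructed sample data: one cardholder's past purchases (amounts in cents).
HISTORY = [
    (datetime(2000, 1, 3, 10, 0), 4000),
    (datetime(2000, 1, 3, 15, 0), 6000),
    (datetime(2000, 1, 10, 12, 0), 2500),
    (datetime(2000, 1, 20, 9, 0), 12000),
    (datetime(2000, 1, 20, 18, 0), 3000),
]

# Constructed sample data: new transactions presented on the same card.
INCOMING = [
    (datetime(2000, 2, 1, 9, 0), 9000),
    (datetime(2000, 2, 1, 11, 0), 8000),
    (datetime(2000, 2, 1, 13, 0), 7000),    # pushes the 24h total past the limit
    (datetime(2000, 2, 2, 12, 30), 5000),   # earlier spending has aged out
]


def demo_decisions():
    """Run the constructed transactions through a profile built from HISTORY."""
    profile = PurchaseProfile(HISTORY)
    return [profile.check(when, cents) for when, cents in INCOMING]


if __name__ == "__main__":
    for (when, cents), decision in zip(INCOMING, demo_decisions()):
        print(f"{when:%Y-%m-%d %H:%M}  ${cents / 100:>7.2f}  {decision}")
```
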

As mentioned earlier, both credit reporting bureaus and direct marketers offer some opportunities for consumers to opt-out of receiving pre-screened credit card offers and direct marketing solicitations. Usually, the secondary use of consumer information by business firms involves two types of choice/consent regimes: either “opt-in” or “opt-out.” Both regimes require affirmative steps by the consumer (“yes/no”) or may allow the consumer to decide the nature of the information revealed and the uses to which it will be applied. Yet a different approach will yield increased consumer control of identifying personal information. Pertaining to the issue of disseminating their names and related personal information, all credit reporting bureaus, credit issuers, and direct marketers should require an explicit choice by consumers: either opt-in or opt-out. In addition, the nature of the secondary use of this information (including potential consumer benefits) should be explained to assist in consumer choice. This required consumer choice eliminates the passive decision-making associated with not making a choice to opt-out or opt-in and allowing a business to assume disinterest in the use of a name and related personal information.

But when identity theft takes place, clearing one’s credit record as quickly and efficiently as possible is crucial for the consumer’s return to a normal life. The establishment of an “identity theft” ombudsman offering a single source of contact for the identity theft victim to clear his or her credit record at all three reporting bureaus would go a long way in accelerating consumer remediation. Already, the credit reporting agencies are operating a single toll-free number to opt-out of pre-screened credit card offers; why not extend this cooperation to assist the consumer from trebling his time and efforts to regain control of his personal life? The present system replicating efforts among three entities adds only frustration, insult, and as Stacy Sullivan and others have experienced, potentially further injury to the aggrieved consumer.

But the credit reporting industry is not intransigent to consumer concerns and identity theft victims’ woes. The Associated Credit Bureaus (ACB), an international trade association representing 500 consumer information companies, in March 2000 announced a commitment on behalf of its membership to voluntarily implement a comprehensive six-point program to assist identity theft victims in a more timely and effective manner.35 The six-point program is as follows:36

• Advocate the use and improve the effectiveness of security alerts through the use of codes transmitted to creditors. These alerts and codes can help creditors avoid opening additional fraudulent accounts.

• Implement victim-assistance best practices to provide a more uniform experience for victims when working with personnel from multiple fraud units.

• Assist identity theft victims by sending a notice to creditors and other report users when the victim does not recognize a recent inquiry on the victim’s file.

• Execute a three-step uniform response for victims who call automated telephone systems: automatically adding security alerts to files, opting the victim out of pre-screened credit offers, and sending a copy of his or her file within three business days.

• Launch new software systems that will monitor the victim’s corrected file for three months, notify the consumer of any activity, and provide fraud unit contact information.

• Fund, through ACB, the development of a series of consumer education initiatives to help consumers understand how to prevent identity theft and also what steps to take if they are victims.

This six-point program, which was to be implemented by October 2000, was the result of collaboration between the ACB Board of Directors and former state Attorney General M. Jerome Diamond. The latter interviewed consumer identity theft victims and law enforcement officials, made on-site visits to credit reporting agency fraud units, and obtained input from privacy advocates.37

CONCLUSION

While many of the traditional approaches of prevention and detection of identity theft have relied on in-person verification of identity, the Internet operates in an environment of privacy and anonymity. As an example of the magnitude of financial damage that on-line identity theft can cause, the NFC’s Wilcox points to the recent case of Expedia, a Microsoft subsidiary and on-line travel site, which was bilked of between $4 million and $6 million by thieves who used stolen credit card numbers to purchase on-line travel.38 Wilcox recommends technological solutions, such as digital certificates/digital signatures, biometrics (for example, eye retina scanning), and authentication (independent verification), be employed to limit future Internet identity theft damage.39

The issue of identity theft has reached a level of maturity (and concern) which precipitated the U.S. Department of the Treasury convening the first ever “National Summit on Identity Theft” on March 15, 2000.40 Attracting more than 150 participants from federal, state, and local government agencies, financial institutions, credit card companies and reporting bureaus, identity theft victims, consumer advocacy groups, and the business sector, the summit focused in on the prevention of identity theft, remediation, and law enforcement efforts.41 The summit offered an opportunity for participants to initiate a cooperative and systematic approach to addressing the various aspects of this troubling problem. From the private sector, the announcement of the ACB’s new six-point program to assist identity theft victims is a significant step in the direction of the industry internalizing a negative externality. One thing is certain: after summit attendees heard identity theft victims personally recount their horror stories of the long-term effects of this crime on their lives, only the most jaded private sector representatives will continue to dismiss identity theft as a “cost of business.”

NOTES

1. Council of Better Business Bureaus, Inc., “Tony Gwynn: Victim of Identity Fraud,” Press Release at http://www.bbb.com/alerts/gwynn.asp, 12 March 1998.
2. David Medine, Associate Director for Credit Practices, Bureau of Consumer Protection, Federal Trade Commission, “Prepared Statement of the Federal Trade Commission on ‘Identity Theft’,” Subcommittee on Technology, Terrorism and Government Information, Committee on the Judiciary, U.S. Senate at http://www.ftc.gov/os/1998/9805/idethef.htm, 20 May 1998, Washington, D.C.
3. Beth Givens, The Privacy Rights Handbook, Privacy Rights Clearinghouse, 1997, 231–232.
4. “National Fraud Center White Paper Says Internet Driving Dramatic Increase in Identity Theft—Balanced Approach Required to Address Issue,” National Fraud Center, at http://www.nationalfraud.com/pressrelease/IDTheft.htm, 16 March 2000.
5. Ibid.
6. Brian Krebs, “Internet Increasingly Used to Commit Identity Fraud,” Newsbytes at http://library.northern.com/PB20000308030000624.html, 7 March 2000.
7. “Identity Theft Prevention Act of 2000,” S.2328, 106th Congress, 30 March 2000.
8. Ibid.; National Fraud Center.
9. “FTC Testifies: Identity Theft on the Rise,” Federal Trade Commission, Press Release, at http://www.ftc.gov/opa/2000/03/idtest.htm, 7 March 2000.
10. Ibid.
11. Stacy Sullivan, “How I Lost My Good Name,” New York Times, 17 April 2000, A19.
12. William A. Halter, Deputy Commissioner, U.S. Social Security Administration, Testimony before the House Committee on Ways and Means, Subcommittee on Social Security, Hearing on the Social Security Administration’s Program Integrity Activities, at http://www.ssa.gov/policy/congcomm/testimony_03300.html, 30 March 2000.
13. Ibid.
14. Federal Trade Commission, “ID Theft: When Bad Things Happen to Your Good Name,” at http://www.ftc.gov/bcp/online/pubs/credit/idtheft.htm, February 2000.
15. Ibid.
16. Ibid.
17. Ibid.
18. Ibid.
19. Ibid.
20. Public Law: 105-318, “Identity Theft and Assumption Deterrence Act,” 30 October 1998.
21. See Section 1028(a) of title 18, U.S. Code, Section 3. (a)(7).
22. See Section 1028(a) of title 18, U.S. Code, Section 3. (d)(3).
23. Federal Trade Commission.
24. Public Law.
25. Ibid.
26. Halter.
27. Ibid.
28. Ibid.
29. “Treasury Convenes Identity Theft Summit,” Press Release, at http://www.treas.gov/press/releases/ps465.htm, 15 March 2000.
30. Ibid.
31. “FTC Targets Identity Theft (Consumers Will Benefit from Clearinghouse, Toll-Free Number),” Federal Trade Commission, Press Release, at http://www.ftc.gov/opa/2000/02/idtheft.htm., February 2000.
32. Ibid.
33. “Banks Urged to Report Cases of Identity Theft,” The American Banker 164: 210 (1999), 38.
34. See Online Privacy Alliance, Resources, “Guidelines for Online Privacy Policies,” at http://www.privacyalliance.com/resources/ppguidelines:shtml; Center for Democracy & Technology, CDT’s Guide to Online Privacy, Privacy Basics: Generic Code of Fair Information Practices, at http://www.cdt.org/privacy/guide/basic/generic.html.
35. Associated Credit Bureaus, Inc., “Credit Reporting Industry Announces Identity Theft Initiatives,” News release, 14 March 2000. It was not sheer coincidence that this identity theft initiative was announced by ACB the day before the first “National Summit on Identity Theft” was to convene.
36. Ibid.
37. Ibid.
38. National Fraud Center.
39. Ibid.
40. “Treasury Convenes Identity Theft Summit.”
41. Ibid.