Identity theft is a growing and pervasive type of crime that is particularly insidious because the victim must spend months or years recovering from and repairing the damage. As Holtfreter and Holtfreter (2006) explain, “identity theft, also known as identity fraud, refers to all types of crime in which someone wrongfully obtains and uses another individual’s personal data in a way that involves fraud or deception, typically for economic gain (United States Department of Justice, 2005)” (p. 57). The problem of identity theft has an impact on businesses as well as individuals. As Deybach (2007) states,
As identity theft continues to grow as a crime and a social, financial and security concern, questions of liability become more crucial. In light of the criminal and social considerations, the litigious environment of the United States, and existing and emerging laws concerning corporate responsibility for the protection of personal data, commercial entities have begun to take actions of their own to protect the data of their customers and, increasingly, their employees. (p. 14)
The federal government has enacted several laws aimed at improving protections related to identity theft. Many states have also taken legislative action regarding identity theft protections. Businesses are faced with the challenges of understanding and following federal and state laws in order to ensure customer and employee information is protected.
At the federal level, three laws are principally involved: the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act (FACTA), and the Identity Theft Penalty Enhancement Act (ITPEA). Both FACTA and ITPEA build upon and extend the FCRA, specifically in the area of identity theft protection. ITPEA increases the penalties for felonious identity theft. FACTA introduces several regulatory requirements aimed at reducing identity theft. Specifically,
The purpose of the FACTA is to ‘amend the Fair Credit Reporting Act (FCRA), to prevent identity theft, improve resolutions of customer disputes, improve the accuracy of consumer records (and), make improvements in the use of, and consumer access to, credit information.’ (One Hundred Eighth Congress of the United States of America, 2003) (Holtfreter and Holtfreter, 2006, p. 57)
Holtfreter and Holtfreter describe the major enhancements provided by FACTA as follows:
- national fraud alert systems;
- truncation of credit and debit card receipts;
- “Red flag” indicators of identity theft;
- information sharing by debt collectors and creditors with identity theft victims;
- identity theft account blocking;
- keeping fraudulent debt from being transferred or reported. (pp. 57-58)
For businesses operating in the financial and banking industries and subject to FACTA, the implication is that regulators will begin to require measures that ensure compliance with these new requirements. In practice, FACTA may require, for example, information systems that identify and truncate credit and debit card numbers before they are printed on receipts. FACTA pre-empts some state laws, so businesses in Texas, California, and Massachusetts may find a lessened legal burden (p. 63).
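One way to implement the receipt truncation requirement described above, as an added Python example that is not from either cited paper. It assumes a plain line-based receipt text (constructed here) and keeps only the last four digits of each card number; the four-digit retention is a choice made for this example, not a statement of the statute's exact limit. A Luhn check is used so that other long numbers on the receipt, such as order ids, are left intact.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers.

    Filtering on Luhn validity avoids masking ordinary numeric fields
    (order numbers, phone numbers) that merely look like a card number.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(text: str, keep_last: int = 4) -> str:
    """Mask every Luhn-valid card number in text, keeping only the last digits."""
    def _mask(match: "re.Match[str]") -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # not a card number; leave the field untouched
        return "*" * (len(digits) - keep_last) + digits[-keep_last:]
    return CARD_PATTERN.sub(_mask, text)


def mask_receipt(lines: list[str]) -> list[str]:
    """Apply truncation to each line of a receipt before it is sent to the printer."""
    return [truncate_pan(line) for line in lines]


# Constructed sample receipt; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
SAMPLE_RECEIPT = [
    "ACME STORE          ORDER 1234567890123",
    "VISA 4111 1111 1111 1111   AUTH 0421",
    "TOTAL 45.99",
]

if __name__ == "__main__":
    for line in mask_receipt(SAMPLE_RECEIPT):
        print(line)
```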
At the state level, there is significant variation in the extent of legal requirements. For example, California has several laws that provide a variety of consumer protections, including breach notification and data protection laws for both financial and medical records. By contrast, Arizona has no legal requirements or protections (except those provided by applicable federal laws). California and Massachusetts are considered to have the most stringent breach notification and data protection laws. Businesses operating within these states can expect to implement significant internal controls, including data encryption, access controls that provide traceability and non-repudiation for confidential information, and notification to consumers and state authorities in the event of security breaches and unauthorized data access.
Identity theft is a growing problem. Businesses must take proactive measures to ensure that the risks and liabilities associated with identity theft and related security incidents are minimized. As Deybach states,
Many of the corporate risks associated with identity theft can be mitigated by the development and implementation of sound policies, systems and procedures. Others will ultimately become matters for the courts. (p. 17)
Understanding statutory and regulatory requirements and complying with applicable federal and state laws is an important aspect of mitigating these risks for any business.
Deybach, G. (2007). Identity theft and employer liability. Risk Management, 54(1), 14. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1195022681&Fmt=7&clientId=62763&RQT=309&VName=PQD
Holtfreter, R. E., & Holtfreter, K. (2006). Gauging the effectiveness of US identity theft legislation. Journal of Financial Crime, 13(1), 56. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=994688151&Fmt=7&clientId=62763&RQT=309&VName=PQD