Identity Theft: The Crime of the New Millennium - Tips for Prevention and Recovery
By: Lewis Brisbois' Data Privacy & Cybersecurity Team
Twenty years ago, as I was working with the FBI and the Secret Service in prosecuting large identity theft rings – often associated with data breaches (although the term “data breach” had not yet entered our daily vernacular) – we created protocols to help consumers prevent identity theft and assist victims recovering from it. These protocols involved working with a number entities, including the credit reporting agencies, the Federal Trade Commission, and the Internal Revenue Service, to ensure proper monitoring of consumer accounts and prompt reporting of suspected fraud.
I wrote an article at the time summarizing these protocols, among other things: Sean B. Hoar, Identity Theft: The Crime of the New Millennium, 80 Or. L. Rev. 1423 (2001). Although I hoped at the time that the crime of identity theft would taper off over the years, it has only continued to grow. It is clearly still the crime of the new millennium.
Protocols for prevention of and recovery from identity theft have not changed much over the years, although more resources are available to assist consumers in preventing, detecting, and recovering from the crime. It is also clear that, much like data breaches, it may not be possible to prevent identity theft, but it is important to put measures in place to promptly detect and respond to theft when it occurs.
Establish a fraud alert: The first thing every adult consumer should do is consider placing a fraud alert on their credit file. An initial fraud alert is free and will stay on the credit file for at least 90 days. An extended fraud alert can be obtained for up to seven years if the consumer is a victim of fraud or identity theft and they can present a copy of an identity theft report if necessary. Active duty military can also obtain an alert to for up to one year while deployed. The alert informs creditors of possible fraudulent activity within the file and requests that the creditor contact the consumer prior to establishing any accounts in their name. To place a fraud alert on a credit file, consumers can contact any of the three credit reporting agencies identified below. Additional information is available at AnnualCreditReport.com.
As referenced at Annualcreditreport.com, consumers can request fraud alerts online at the following locations:
Fraud alerts can also be requested by mail at the following addresses:
P.O. Box 105139
Atlanta, GA 30348-5139
P.O. Box 2002
Allen, TX 75013
P.O. Box 2000
Chester, PA 19016
Credit monitoring: All consumers should also consider obtaining a credit monitoring service. This is very similar to an extended fraud alert, but it is typically a paid subscription service. There are many in the marketplace, beginning with services offered by the credit bureaus referenced above. It is important to research the entity offering the credit monitoring to ensure the company has a history of consumer protection service and compliance with consumer protection laws.
Obtain a copy of credit report: All consumers should also consider obtaining a free copy of their credit report from one of the credit bureaus referenced above. They can then review it to make sure no one has attempted to open up credit in their name. They can get a report online at AnnualCreditReport.com, by calling 877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.
Establish a credit freeze: Perhaps the best means of preventing access to credit files is to establish a credit freeze – also known as a security freeze - with the three credit bureaus referenced above. This should only be done if the consumer does not need access to new credit because a security freeze locks down the consumer’s credit. Placing a security freeze should be provided at no cost. This will prevent new credit from being opened in the consumers name without the use of a PIN number that will be issued to her when she initiates the freeze. A security freeze is designed to prevent potential creditors from accessing credit reports without authorization. As a result, using a security freeze may interfere with or delay the ability to obtain credit. Security freezes must be separately placed on credit files with each credit reporting agency. In order to place a security freeze, consumers will be required to provide the consumer reporting agency with information that identifies the consumer including their full name, Social Security number (SSN), date of birth, current and previous addresses, a copy of their state-issued identification card, and a recent utility bill, bank statement, or insurance statement.
If a Social Security number has been stolen, contact the Internal Revenue Service: As with any type of identity theft, it is important to contact the governmental or financial entity responsible for processing the type of identity information to alert them of the theft in order to prevent potential fraud. As an example, if mail is stolen, the Postal Inspection Service should be contacted. If a driver’s license is stolen, the appropriate Department of Motor Vehicles should be contacted. If a credit card has been stolen, the issuing bank should be contacted. Similarly, if a SSN has been stolen, the Internal Revenue Service should immediately be alerted because the SSN is central to the tax return filing system. This can be done by filing an IRS Form 14039, Identity Theft Affidavit which can be obtained here. This will help to protect against someone filing a false tax return in the consumer’s name.
File a police report: Although police departments often do not have the resources to investigate individual cases of identity theft, a police report should still be filed. This will often be done through a telephone call with the local police department. This allows the agency to at least track reports of identity theft, which periodically results in the connection of individual thefts to a larger crime. It also provides the consumer proof of the incident should it be needed for an extended fraud alert or for insurance purposes. If the theft occurred online, a complaint should also be filed with the Internet Crime Complaint Center.
There are a number of other measures that can and should be taken, depending on the nature of the identity theft. See 80 Or. L. Rev. at 1443. Outlining all the possible measures would require another 25-page law review article with another 93 footnotes. It is important, however, to act quickly to prevent fraudulent activity. The Federal Trade Commission has a number of informational resources, as does the Internal Review Service.