Ireland: Identity Theft Be Cautious or Be Caught!

Have you ever thrown out a document that contained either your name, address, date of birth, or your PPS number on it? Have you ever bought products on the internet that required you to provide your name, address and credit card details? Of course you have, almost everyone has at some stage. Generally the public are very careless about protecting their personal details. This will have to change however as identity theft is one of the fastest growing crimes in the world. The possible consequences of identity theft are very serious and can have devastating effects on victims and their families.

Englishman Derek Bond, 72, was arrested at gunpoint while on a wine tasting holiday in South Africa. He spent 20 days in a South African prison before his ordeal ended. He was detained by the FBI in Durban on February 6^th, mistaking him for a "Derek Sykes", a wanted man in the USA. Derek Bond was a victim of identity theft. John Lewis, prosecutor in the US Attorneys office in Houston Texas said "His details were used as long ago as the late 1980's". His distraught family was informed the he was on a top 10 most wanted list. Things looked so bad for Mr. Bond that he even agreed to be extradited to the USA to speed up the process of clearing his name. It was a full 14 days before the FBI discovered that Mr. Bond was claiming mistaken identity. A further 6 days passed slowly by before the FBI realised their mistake and Mr. Bond was released.

English woman Catherine Litherland almost lost her family home in Hale, Cheshire, twice, while living abroad in New York. Her tenant Angela Hargreaves found her birth and marriage certificate in a cupboard and proceeded to sell her house to one buyer for £430,000 and to another for £480,000. Hargreaves was only caught because suspect documents were found in her possession after been held for shoplifting.

Recently the media in the USA has been awash with stories of stolen personal and financial details, and the potential for identity theft. Choicepoint, a commercial data broker company in the USA, which collates information on almost every American consumer, sold the personal details of 145,000 people to criminals by mistake. Most of those affected would never have found out, as Choicepoint was only legally forced to inform California residents of this data breach. California was the only state in the USA that had this legal protection; consumers must be notified of security breaches. Public outrage finally forced Choicepoint to inform all those affected.

States right across the USA are currently in the process of introducing legislation to address some of these issues. Arkansas, Georgia, Montana, North Dakota and Washington have all recently signed into law measures that ensure that consumers are notified in the event of a data breach involving their personal details. Many American consumer groups are lobbying for a national law. This would make it easier to educate consumers about their rights. However, some states would find weaker federal legislation unacceptable.

Since California introduced its notification law in July 2003, there have been 61 serious breach notifications, affecting on average 165,000 people each time. Approximately 25% of breaches occurred in financial institutions, another 25% in universities, medical companies 15%, the government 8% and retailers at 7%.

At a Senate Judiciary Committee in early April, the 3 largest data brokers in the USA, Choicepoint, LexisNexis, and Acxiom, were asked if any of the companies had a security breach prior to 1993. All companies testified that they had. No consumers affected were ever informed as notification laws only offered consumers rights after 1993.

Recently, Card Systems Solutions, an American company that processes credit card payments, suffered a data breach that involved over 40 million credit card accounts. Visa, Mastercard, American Express and Discover were all affected. Currently the FBI is investigating.

It is estimated by the American General Accounting Office, that the number of people in the USA who become victims of identity theft every year, is anything between one quarter to three quarters of a million people. To make matters even worse, the Federal Bureau of Investigations (FBI), believe terrorists have mastered identity theft to obtain employment, finance operations and gain access to secure locations.

Society it must be said has made it easy for criminals to operate in this way. Our information driven world has made it possible for our personal data to be stored in any variety of global locations.

Some countries have strong privacy laws protecting your personal information, but many do not. Some companies have strong privacy standards, but many have none.

In Pune, India, banking giant Citigroup outsourced some of its call centre operations to a company called "Mphasis BPO". In December of last year, three employees of Mphasis BPO stole the account details and PIN numbers of four Citibank customers. The three employees then quit their jobs. Shortly afterwards these three people with the help of others withdrew over $300,000 from the Citibank customer’s accounts. The Citibank customers affected were all New York based.

Recently in the UK, a reporter for the Sun newspaper, Oliver Harvey, was able to buy personal information on 1000 account holders of Barclays, the Woolwich, HSBC and Lloyds TSB from a call centre agent in India. He paid a total of 5,000 $US (£2,750) for account holder’s addresses, secret passwords, credit card details, passports and driving license information. He even received the expiry date of some cards as well as the 3 digit security codes. Harvey was also promised he could get the account details of up to 1000 people a month from various call centers in Delhi, India.

Outsourcing consumer’s personal details to foreign countries has become a thorny issue internationally. Senator Hillary Clinton introduced legislation in the USA on April 14^th that prohibits US businesses and health care organisations from sharing consumer’s personal details with foreign affiliates or subcontractors without the consent of the consumer. This legislation also makes companies financially responsible if their subcontractors are deemed to have improperly handled consumer’s personal details.

Luckily for us in Ireland, and indeed for most of the European Union, identity theft is not as much of a problem. A small blip on this radar is the United Kingdom, as approximately 0.17% of their population is a victim of account hijacking, new account fraud and various other types of identity fraud. In the USA this figure stands at approximately 3.4%.

Why is identity theft such a big problem in the USA compared with the European Union?

In the USA, Social Security Numbers (SSN’s) are used as a primary identifier. This is the key piece of information an identity thief needs. In Europe these national ID numbers appear a lot less than SSN’s do in the USA.

In Europe, our privacy laws are set out in the European Union directives on privacy. Personal information is available only to the people that need to access it to fulfill their job function. There are strict rules regarding transfer of data to third parties and to regions outside the EU. Information is kept private. Businesses cannot sell or share personal or financial information. This is not the case in the USA.

Credit reporting is much more controlled. In Europe, financial institutions share credit information with each other but not with outsiders. However in the USA almost any business can access credit information on any consumer instantly.

In Europe we are also vulnerable to credit card fraud when the possession of the credit card cannot be verified. This occurs when purchases are made over the phone or on the internet. We do also get direct mail offerings from credit card companies, but not nearly as much as in the USA, where much of it is stolen from mailboxes.

Fear of ID theft can hurt the economy. A recent poll carried out by Privacy & American Business and Deloitte & Touche LLP, found that up to 64% of people surveyed decided not to make a purchase with a particular company because they were not sure how their personal information would be used. They also found that 76% of people surveyed did not shop online at a particular website because they found the privacy statement too complicated or unclear. To put this in perspective, if the figures reflected the population of the USA, then because of privacy concerns, 140 million people decided not to make a purchase, and 109 million people didn’t shop online. Consumer trust does affect purchasing decisions, and this means that companies need to have strong privacy standards, and store all customer information in a secure manner.

So what can we do to protect ourselves from identity theft?

Be very careful about disposing your financial and personal information, e.g. bank statements, credit card statements, and documents containing your PPS or social security number. Consider shredding all personal documents.

When throwing out old computers, be extremely careful to delete personal information permanently. Discarded computers are often sold on the internet. There is a large range of software available that can retrieve information from even reformatted hard drives. Hackers can get to this information in minutes.

When using the internet, read the websites privacy statement very carefully. This is very important, as some companies do rent and sell their customers personal information. If a website does not have a privacy statement, do not disclose any personal information. In Ireland, it is illegal for a website not to have a privacy statement. Companies can be fined up to €100,000 and forced to delete databases containing consumer information gleaned from these websites.

When inputting personal information, and, or credit card information, ensure the website is secure. You can do this by viewing the website address, which should have https:// before it. The "s" at the end of the "http" means secure. This means that the information you supply is encrypted and the chance of it being compromised are slim. If the site is not secure do not disclose any personal information.

Ensure your computer has a good firewall, up to date anti-virus software and anti-spyware software.

If you use a post box, ensure it is secure. Stolen mail is often used to steal an identity. Opposition to the use of post boxes in rural Ireland is well founded as their use is an increased risk.

Only deal with reputable companies that have strong security and privacy policies. Be aware that many companies now outsource various administration functions to foreign countries. This means that your personal and financial information could be held on computers in various locations worldwide. Standards of privacy vary greatly around the world, with some countries having no data protection laws at all.