|
|||||||||||
Identity Theft
Identity theft, or the practice of stealing someone’s personal information with the intent to fraudulently obtain goods, property, credit, utility services, employment, or government documents, is a widespread crime. According to the Federal Trade Commission (FTC), identity theft was the number one complaint received nationwide in 2008. Further, New York State has the sixth highest per capita identity theft rate in the United States, with more than 116 complaints per 100,000 residents.1
For victims of identity theft, the crime can cause feelings of helplessness,
rage, loss, and violation. In New York, identity theft carries a punishment of
up to seven (7) years 2
Click on the link below to find more information about this topic.
- Types of Identity Theft
- Preventing Identity Theft
- Warning Signs of Identity Theft
- Mitigating Identity Theft
- Security Breach
- Deceased Relatives and Identity Theft
- Child Identity Theft
- Debt Collection and Identity Theft
There are many types of identity theft. New Account identity theft occurs when a thief uses a victim’s identifying information to open a new account. Account Takeover identity theft occurs when a thief uses a victim’s existing account to make or obtain unauthorized purchases, services, or withdrawals, for example. This category of identity theft encompasses check fraud. Criminal identity theft occurs when a thief uses a victim’s identification when encountering law enforcement. For instance, an imposter might show a fake driver’s license to police when pulled over during a traffic stop. Benefits identity theft involves stealing a person’s identity for use in obtaining government service, health benefits, and the like. Each type of identity theft may merit a different response by a victim, as discussed below.
While identity theft is not completely preventable, there are several steps that consumers can take to lessen their potential exposure. The following will reduce the likelihood of becoming a victim:
Be Careful When Giving Out Personal Information
Whether through the telephone, online, or in person, scammers may try to get you to reveal nonpublic information about yourself. Before you provide information such as a Social Security number (SSN), mother’s maiden name, or bank account information, verify the requestor’s identity, and his or her need for the information. In some situations, it is not appropriate or even against the law for the person or entity to require that information.
Guard Your Trash and Mail
Identity thieves can steal discarded trash or search through mail to find your valuable personal information. In order to prevent this, shred your charge receipts, insurance forms, copies of credit applications, medical benefit statements, checks and bank statements, expired credit cards that you're discarding, and credit offers you get in the mail. Use a cross-cut shredder, if possible.
Consumers can stop receiving prescreened offers of credit or insurance by visiting
www.optoutprescreen.com or by calling 1-888-567-8688. These opt-outs are generally good for five (5) years. However, it is possible to opt out permanently from prescreened offers. To obtain a form to permanently opt-out of such offers, consumers should visit the above referenced website. Consumers may also choose to opt out from offers from individual institutions, or from types of offers.
Deposit outgoing mail containing personal identifying information into secure postal receptacles. Pick up mail from your mailbox promptly. When you’re planning to be away from your home, contact the United States Postal Service (USPS) at 1-800-275-8777, or online at
www.usps.gov, to request a vacation hold. The Postal Service will hold your mail at your local post office until you can pick it up or are home to receive it.
Beware of the Internet
While the Internet contains countless services and conveniences, it also is home to scammers, identity thieves, and others. For more on safely using the Internet, see the Consumer Law Help Manual Chapter on the Internet.
Protect Your Passwords
Be careful of where you store your Internet passwords and banking PIN. Further, do not use easily identifiable passwords, such as your mother’s maiden name, the last four digits of your Social Security number, phone number, or your birth date. The most protective passwords use a combination of letters and numbers. For more information on creating passwords, please see the Consumer Law Help Manual Chapter on the Internet.
Watch Your Purse and Wallet
Only put in your purse or wallet what you need for that day or trip. Do not carry around your Social Security card, extra checks, or any other credit cards if you do not immediately need them.
Obtain Your Free Credit Reports
Under federal law, consumers can receive a free credit report from each of the three (3) credit reporting agencies (TransUnion, Equifax, and Experian) every twelve (12) months. The CPB recommends that consumers space or stagger credit reports, obtaining one every four (4) months, in order to get a comprehensive view of one’s credit history. Consumers can obtain their free credit report by visiting
www.annualcreditreport.com, or by calling toll-free 1-877-322-8228.
Under federal law,3 consumers are also entitled to a free report if a company takes an adverse action against them, such as denying an application for credit, insurance, or employment, provided that the consumer requests the report within sixty (60) days of receiving notice of the action. The notice will give the consumer the name, address, and phone number of the consumer reporting agency that supplied the information about him or her. Individuals may also obtain one free report a year when they are unemployed and plan to look for a job within sixty (60) days; on welfare; or the credit report is inaccurate because of fraud. Otherwise, a credit reporting company may charge you up to $11.00 for any other copies of a credit report.
To purchase a copy of your report, contact:
Equifax: 800-685-1111; www.equifax.com
Experian: 888-EXPERIAN (888-397-3742); www.experian.com
TransUnion: 800-916-8800; www.transunion.com
Protect Your Social Security Number
§ N.Y. General Business Law § 399-dd
Don’t carry your Social Security card in a wallet or write the SSN on a check (businesses cannot require this).4 Only give out your SSN when absolutely necessary. Your employer and financial institutions will need your SSN. Other businesses may need your SSN to do a credit check, such as when applying for a utility or renting an apartment. Some businesses, however, just want your SSN for their records. When someone seeks your SSN, you should ask:
- Why do you need my Social Security number?
- How will it be used?
- How do you protect my Social Security number from being stolen? What will happen if I do not give you my Social Security number? Some business may refuse to do business with you if you refuse to provide your SSN. However, the decision is yours.
In addition to the above limitations placed on the release of Social Security numbers, federal law governs the release of nonpublic information. For instance, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains a Privacy Rule9 that limits the disclosure of all information contained in your medical chart, or in doctors’ or hospitals’ computer systems, as well as billing information. Further, financial institutions are required to safeguard nonpublic personal information under the Financial Privacy and Safeguards Rules of the Gramm-Leach-Bliley Act (GLB Act).10 Under the GLB Act, consumers also are given the limited ability of opting-out of some sharing of nonpublic personal information with unaffiliated companies. Under the Fair Credit Reporting Act (FCRA), consumers may be able to opt-out of disclosures to affiliates concerning the consumers’ creditworthiness as gathered from third parties. Consumers may also opt-out of affiliate sharing for marketing purposes.11
Warning Signs of Identity Theft
The following are indications that you may be a victim of identity theft:
- You notice accounts that you did not open, and debts on your existing accounts that you do not recognize.
- There is incorrect information on your credit report, including wrong personal information, such as addresses, SSN, name or initials, or wrong employers;
- You stop receiving bills or other mail. A missing bill can mean that a thief has taken over your account and changed the billing address;
- You receive credit cards for which you did not apply. Creditors cannot send you credit cards unless they received a signed credit application;
- You are denied credit, or offered higher interest rates than expected, for no apparent reason; and,
- You receive letters or calls from debt collectors or business concerning items or services that you did not buy.
For those individuals who have become victims of identity theft, there are several steps to take, depending on the severity of the fraud. These include:
1. File a police report. Police departments in New York State are required to take a report from, and give a free copy of such report to, a suspected victim of identity theft.12 The police report can be important to provide to financial institutions or to credit reporting agencies. It also will enable victims to obtain a copy of all application and transaction records on accounts opened fraudulently in their name.13 Victims should be as detailed as possible with the police, informing them of the exact accounts affected. Where the theft involves mail fraud, a victim should also contact the United States Postal Inspection Service, either online at http://postalinspectors.uspis.gov/, or via telephone at 1-877-876-2455.
2. File a report with the Federal Trade Commission (FTC). By sharing your identity theft complaint with the FTC, you are providing information to help law enforcement throughout the country apprehend the identity thieves, as identity theft often crosses jurisdictional boundaries. Victims can file a complaint online at www.ftccomplaintassisstant.gov, by calling the FTC’s identity theft hotline at 1-877-ID-THEFT (438-4338), or by writing the Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580. The identity theft complaint that you make to the FTC, together with the police report, can assist you in placing an extended fraud alert on your credit report (see below). It also can be useful to provide to affected creditors, banking institutions, and/or credit bureaus.
3. Notify relevant creditors/banking institutions. Victims should notify both the businesses that have been affected by the information theft, as well as those that may be affected in the future. Contact the fraud departments within each organization. Keep written notes of everyone you speak to about the fraud.
4. Close the affected accounts. When an account has been compromised, it should be closed and reopened with a new account number. Passwords associated with those accounts should be changed. Once you have resolved your identity theft dispute with the company, ask for a letter stating that the company has closed the disputed accounts and discharged the fraudulent debts. This letter will assist you if errors relating to the account(s) reappear on your credit report or if you are later contacted about the debt.
5. Place a security freeze or fraud alert on your credit reports. Where an identity thief has used a victim’s information to open new accounts, or may in the future, it is advisable to place a security freeze or fraud alert on your credit report. A fraud alert is a special message on the credit report that a credit issuer receives when checking a consumer’s credit rating. It tells the credit issuer that there may be fraud involved in the account. It does not limit access to your file. A fraud alert can help protect you against identity theft, but it can also slow down your ability to get new credit. It should not stop you from using your existing credit cards or other accounts. A Security Freeze means that your credit file cannot be accessed by potential creditors, insurance companies, or employers doing background checks - - unless you give your personal consent or authorization. The following chart summarizes the differences between fraud alerts and security freezes:
| Fraud Alert | Security Freeze | |
| How do I place a fraud alert/security freeze? | Initial alert: Contact the credit bureau over the phone, via its website, or via mail. Extended alert: Write one of the credit bureaus and provide a valid police report from the FTC. | Write each credit bureau. They must accept requests via mail (return receipt requested), telephone, or secure electronic means. |
| Do I have to contact all three credit bureaus? | No. Once you place a fraud alert with one credit bureau, that bureau will contact the others. | Yes. |
| How long does it take for the fraud alert/security freeze to become effective? | For the credit bureau that the individual consumer contacts, the fraud alert is placed immediately; the others will place the alert within 24 hours of receiving notice from the first bureau. | Credit bureaus are required to place the security freeze within three (3) business days of receiving the request. Some may place it much more quickly. |
| How long does a fraud alert/security freeze remain in place? | Initial alert: 90 days, renewable. Extended alert: 7 years. Active Duty alert: 1 year. | Indefinite. |
| What is the cost? | Nothing. | There is no cost for the first placement of the freeze, $5 to remove or thaw the freeze per credit bureau, per time. No fee for identity theft victims submitting either an FTC affidavit or police report, or for victims of domestic violence, according to NY law. |
| Who can see my credit report? | Current creditors, employers, potential creditors, prescreeners, collection agencies, or anyone via court order. | Current creditors, government agencies, prescreeners, collection agencies, or anyone via court order. |
| Can I open new credit accounts? | Yes. Initial alert: The creditor should take steps to verify that you have authorized the request. Extended alert: Creditors are required to verify your request for new credit by contacting you via the phone number(s) that you provide. |
Yes. However, you would have to “lift” or “thaw” the freeze in order to obtain new credit, and this can take up to three (3) business days. Each of the credit bureaus will send you a PIN, and instructions on how to lift the freeze. Beginning September 2009, bureaus must accept requests to lift or thaw over the telephone or via secure electronic means, and lift the freeze within 15 minutes. |
| Can a creditor get my credit score? | Yes. | No. |
| Can I get my own credit report for free? | Yes. Initial alert: Placing an initial alert entitles you to one (1) free credit report, in addition to the one (1) free credit report obtainable annually through annualcreditreport.com Extended alert: Placing an extended alert entitles you to two (2) free credit reports in the 12 months following placement of the alert, in addition to the free annual credit report. | Yes, all consumers are entitled to one (1) free credit report from each bureau per twelve (12) month period. Reports should be obtained through annualcreditreport.com. |
| Will placing a fraud alert or security freeze prevent an identity thief from opening a new account? | Probably. The creditor is required to take reasonable steps to verify your identity before issuing credit. For extended alerts, the creditor must call your designated phone numbers to verify credit. However, a creditor could still issue credit to an identity thief. | Probably. A potential creditor will not be able to obtain your credit score or see any of your credit history. Under these circumstances, most creditors would not open a new account. |
| Does this affect my receiving pre-approved or pre-screened offers? | Initial alert: No. Consumers must contact 888-5OPTOUT, or www.optoutprescreen.com to be removed from pre-screening lists. Extended alert: Yes. Consumers will be removed for five (5) years from receiving pre-screened offers. | No. Consumers must contact 888-5OPTOUT, or www.optoutprescreen.com to be removed from pre-screening lists. |
| How do I remove a fraud alert/security freeze? | There are no specific mechanisms for removal. | Follow instructions of each credit bureau. Each bureau must process individual’s request within three (3) business days of receipt of request. In September 2009, a bureau must release freeze within 15 minutes if request made by telephone or via secure electronic means. |
| Contact information for the credit bureaus | TransUnion: 1-800-680-7289; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790;
www.transunion.com. Equifax: 1-800-525-6285; P.O. Box 720241, Atlanta, GA 30374-0241; www.equifax.com. Experian: 1-888-EXPERIAN (397-3742); P.O. Box 9532, Allen, TX 75013; www.experian.com. |
TransUnion: 1-888-909-8872; Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790;
www.transunion.com. Equifax: 1-800-349-9960; P.O. Box 105788, Atlanta, GA 30348; www.equifax.com. Experian: 1-866-580-6066; P. O. Box 9554, Allen, TX 75013; www.experian.com. |
6. Obtain New Identification. In certain circumstances, it may make sense to obtain new identification, including driver’s licenses, passports, or even a new SSN. The DMV may waive the payment of fees for the replacement of a new driver’s license, permit, registration, or plates lost, where such item was lost as a result of a crime.14 Lost passports must be reported to the United States State Department. The Social Security Administration may issue a victim a new SSN, if a victim continues to experience problems and it determines that the victim’s situation meets its guidelines. A new SSN may not resolve all of your problems, however. Credit bureaus may combine the records from your old SSN and the new one. Further, the absence of a credit history under your new SSN may make it difficult to get credit.
7. Keep Records. This is important for two reasons. First, identity theft victims tend to be repeatedly victimized. Thus, keeping written records and copies of all correspondence and conversations, makes the case easier to resolve if a fraudulent debt reappears on a victim’s credit report three years later. Second, if the thief is caught, the records of time spent can be used to recover restitution from the criminal.15 Regardless of whether the identity thief is apprehended, elderly and disabled victims of identity theft may be eligible for compensation by the NYS Crime Victim’s Board for out-of-pocket expenses incurred from consulting with a financial advisor to mitigate the identity theft loss.16 Reimbursement of those costs can be sought if services are commenced within one year from the date of the incident.
8. Contact the CPB for Assistance. The CPB’s Identity Theft Prevention and Mitigation Program may also assist in helping consumers reclaim their identity. Victims should visit www.nysconsumer.gov for more information, or call 1-800-697-1220.
§ N.Y. General Business Law § 899-aa, State Technology Law § 208
New York’s Security Breach law requires that New York residents receive notice whenever there is unauthorized access to their computerized personal information containing a combination of a name, SSN, driver’s license number, account number, or credit and debit card number. A business or State agency must disclose notice of the data breach in the most expedient time possible. However, where law enforcement requires a delay, the business or State agency may delay notification of the data breach. Notification can be made by any one of the following methods: written, electronic (but only with consent of the person notified) or by telephone. A business or State agency can also use substitute notice, if it can demonstrate to the New York State Attorney General that the cost of providing notice would exceed $250,000 or that the affected class of people to be notified exceeds 500,000 persons. They may also use substitute notice if there is not sufficient contact information for those who have been affected. Substitute notice consists of all of the following:
- e-mail (when you have this information);
- conspicuous posting on the entities’ web site; and,
- notification to major statewide media.
Notice to victims shall include contact information for the person, business, or agency making the notification and a description of the categories of information that are reasonably believed to have been acquired by a person without valid authorization, including the specific elements of information that are reasonably believed to have been acquired. In addition, where more than 5,000 New Yorkers are affected, the business or agency must inform the credit reporting agencies.
Besides sending notice to the affected individuals, the breached entity must also send notice of the breach to the New York State Consumer Protection Board, the NYS Attorney General’s Office, and the Office for Cyber Security and Critical Infrastructure Coordination.
Does this mean that I am a victim of Identity Theft?
Not necessarily. It is important for data breach victims to learn as much as they can about the data breach so that they can better assess their risk of identity theft. It is critical for those individuals to continue to monitor their credit reports and be alert for suspicious activity. Consumers may choose to add a fraud alert or security freeze to their credit reports. Where bank or financial information is compromised, individuals should close all affected accounts, credit cards, and debit cards, and have new account numbers issued. If a consumer’s insurance information is affected, a change in policy number is warranted.
Should I purchase Identity Theft Insurance?
Identity theft insurance may assist you in minimizing your losses. However, consumers should understand the product they are purchasing before they buy it. Consider the amount of coverage that the policy provides, whether it covers lost wages, and if so, how much, the amount of a deductible, any exclusions (such as when a family member is the culprit), whether an existing homeowner’s policy already provides such coverage, and whether the policy includes a personal counselor to assist you. Typically, the biggest cost to consumers is the time it takes to clear their name. You should be sure that the policy covers this type of loss. If you decide to purchase insurance, check the insurance with the NYS Consumer Protection Board, Better Business Bureau, and NYS Department of Insurance.
Should I purchase a Credit Monitoring Service?
Many services will, for a fee, monitor your credit reports for activity and alert you about changes. Both the price and type of services offered vary considerably. Some services monitor only one of the major credit bureaus, or only some types of records that would indicate identity theft. Moreover, credit monitoring services will only aid the discovery of new account identity theft. Monitoring will be of no assistance where the identity theft involves account takeover or governmental services. Consumers can also monitor their credit reports themselves, for free, by staggering the three (3) credit reports that they receive for free over the course of a year.
Deceased Relatives and Identity Theft
Identity thieves may become aware of a person’s passing through obituaries, the Social Security Death index, or other means. Sometimes, the thief is a relative of the deceased. Financial institutions and credit reporting agencies are not immediately notified by the government when someone passes away. The Social Security Death Index file is only periodically updated and distributed to those institutions. Therefore, when a loved one has passed away, the executor/administrator of the estate or the spouse should contact all of the deceased’s credit card companies and banks, as well as the Social Security Administration. Where accounts are joint, they should be closed or transferred into the other person’s name. If they are closed, it should reflect on the credit report that the account was closed because the individual is deceased. Creditors may ask for a copy of the death certificate; therefore the executor/administrator should obtain multiple certified copies of the death certificate to provide to them. The executor/administrator should also contact each of the credit reporting agencies to inform them of the passing.
Parents may suspect that their child is a victim of identity theft because he or she is receiving preapproved credit card offers in the minor’s name. The offer may have come as a result of opening a college account or a savings account for your child, however.
Where parents suspect that their child is a victim of identity theft, parents should request a credit report on behalf of their child. There should be no record of a credit file for underage children. Do not request a credit report unless you have reason to believe that your child is a victim of identity theft, because, by running a search, there is a chance that a new credit file will be created. Parents/legal guardians may request a check of their child’s credit file by submitting to each credit bureau:
- The full name of the child
- The child’s date of birth
- All addresses where the child has lived during the past five (5) years
- A copy of the child’s birth certificate
- A copy of the parent or guardian’s ID card, such as a driver’s license or other official identification. Where the requestor is a guardian, he or she should include documentation that shows valid guardianship.
- A copy of the child’s Social Security card.
Debt Collection and Identity Theft
§ N.Y. General Business Law § 604 et seq.
Consumers who are contacted by creditors or debt collectors in relation to a debt arising out of identity theft, can cease collection activity by presenting to them a copy of a valid police report and a written statement certifying that they are a victim of identity theft. Once receiving this information, a creditor/debt collector must conduct a good faith review of the information and notify the consumer of its determination before proceeding with collection activities. For more information, see the Consumer Law Help Manual Chapter on Debt Collection.
up1 Consumer Fraud and Identity Theft Complaint Data for 2008, FTC 2009.
up2 New York Penal Law § 190.77 et seq.
up3 Fair and Accurate Credit Transactions Act (FACT Act), 15 U.S.C. § 1681j.
up4 N.Y. General Business Law § 518-a.
up5 N.Y. General Business Law § 399-dd.
up6 N.Y. Education Law § 2-b.
up7 N.Y. Labor Law § 203-d.
up8 N.Y. Public Officers Law § 96-a.
up9 45 C.F.R. Part 160; 45 C.F.R. Part 164, Subparts A and E.
up10 15 U.S.C. § 6801-6809; 16 C.F.R. Parts 313 and 314.
up11 15 U.S.C. § 1681s-3(a)(3).
up12 Executive Law § 646; Criminal Procedure Law §20.40.
up13 Fair Credit Reporting Act, 15 U.S.C. § 1681(g).
up14 N.Y. Vehicle and Traffic Law §§ 401(3)(c) and 503(3)(ii).
up15 N.Y. Penal Law § 60.27.
up16 N.Y. Executive Law § 631.