Take a byte out of ID crime

Companies must do their part in combating identity theft -- not just wait until mandated by law

More than a year after President Bush commissioned a task force on the topic, the Department of Justice has finally drawn up legislation to combat identity theft. And if the DoJ's efforts remain consistent with the objectives stated in the task force's strategic plan (PDF), the new bill could in fact mark significant progress in protecting personal identity data.

[ Mario Apicella's column is now a blog! Get the latest storage news in the Storage Adviser blog. ]

Just last month I myself became a victim of identity theft. Fortunately, it was of a less damaging variety, one that the DoJ labels "existing account fraud," which it defines as an incident in which "thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft."

It appears that the thieves had access to only my credit card number, but they made good use of that information. I first realized that something was wrong when the grocery store rejected payment with my Visa. I used another card to check out, without thinking much of it because I had just used the same card without problems at another store.

Back at home, a message from my bank informed me that my card had been suspended because of "suspicious activity." Suspicious, indeed: Checking my account online, I found about 30 fraudulent transactions for a total of about $600.

Not more than 24 hours apart, the charges were registered in Europe, the United States, and Canada, including a hotel bill in Germany, payment to an Islamic organization in California, and another to the Red Cross in Washington. Obviously, someone was treating themselves to quite a shopping spree using my account number while my card was still in my wallet.

A call to my bank confirmed that my credit card number had been hijacked. "Wait to see if those temporary charges become confirmed," I was told, "then call us again to dispute what's left."

Two days later, only a handful of those charges had been confirmed. I called every payee and found that none of them had bothered to check the identity of my impersonator. That person was able to pay using only my credit card number, without having to prove his or her identity.

Worse yet, my impersonator had given a completely different name and address for those bogus transactions, and the merchants failed to check these against the information associated with my card.

I probably won't have to take any direct financial impact from that experience because either my bank or the merchants will absorb the loss. However, that expense eventually trickles down to everyone in the form of higher service fees or an increased cost of goods and services.

One of the merchants I used in the past must have disclosed my card number inadvertently, which the task force takes to task in the first objective stated in its plan: "keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education."

Companies should undoubtedly take better custody of sensitive data entrusted by their customers, which includes not only enforcing more effective data protection technologies such as encryption but also informing customers promptly when a disclosure happens.

The fact that a number of vendors did not confirm the identity of my defrauders suggests to me that some organizations are not currently heeding the second goal of the task force: "making it more difficult for identity thieves who obtain consumer data to use it to steal identities."

Thankfully, my loss was negligible, but for all who have had their finances, good name, and credit tarnished by ID theft, the task force's third and four goals -- "assisting the victims of identity theft in recovering from the crime" and "deterring identity theft by more aggressive prosecution and punishment of those who commit the crime," respectively -- are welcome objectives to be codified in law.

I have a new credit card now, but I certainly hope that this new legislation -- currently before Congress -- will live up to the goals stated by the task force. If anything, companies should get wise to the importance of implementing proper data security measures. Too much is at stake for us all.

Join me on The Storage Network with questions or comments.