Identity Theft Policies - Research Paper Example

IDENTITY THEFT POLICIES Identity theft per se is fraud which take on many forms. As discussed in this paper, identity theft may be more appropriately termed as personal identity theft, which Hoffman and McGinley (2010) defines as “the use of an individual’s personal identifying information without his or her knowledge and with the intent to aid or abet any unlawful activity such as fraudulent obtaining of services, merchandize, money, and / or credit” (p. 2). The President’s Identity Theft Task Force Report simply defines identity theft as the “misuse of another individual’s personal information to commit fraud” (in Biegelman, 2009, p. 2). Roberson (2008), however, observed that the terms “identity theft” and “identity fraud” are often used interchangeably, but maintained that the aforementioned terms are legally distinct. The former has something to do with taking something directly from the victim without consent, whereas the latter involves deception or scam by the perpetrator in the process of taking something from the usually unsuspecting victim. Identity theft is not an aftermath of the digital age, but rather, an act which evolved with the passing of time. For instance, Hoffman and McGinley (2010) considers the term “identity theft” as “a modern name for an ancient crime” (p. 1). It may be recalled from the Bible that Isaac’s son Esau sold his birthright to his brother Jacob for a bowl of stew (Genesis 25: 29-34, New King James Version [NKJV]). Later, with the aid of goat’s skin and the birthright, Jacob deceived his dying father Isaac into blessing him instead of the first-born Esau (Genesis 27: 1-39, NKJV). This could well be the earliest account of identity theft on record. In the United States (US), the very first victim of identity theft in the modern world was Hilda Schrader Whitcher, secretary in a wallet company, whose Social Security card facsimile was used in the 1930s as an insert in the wallets as a marketing strategy to show that the card actually fits into the wallet. As of 1943, close to six thousand other individuals were found to have been illicitly using Withcher’s Social Security number and to date 40,000 people were reported by the Social Security Administration to have used her number (Hoffman and McGinley, 2010; Biegelman, 2009; Ritchie, 2006; Hamadi, 2005). Biegelman (2009) considers Nigerian fraud activities which became rampant during the early 1970s as a significant boost for credit card fraud in the US. The term “identity theft”, however, is of recent origin, having been first used in 1991 by The Boston Globe in the US; although a similar term, “identity thief” was used much earlier by The Athens Messenger, a newspaper in Ohio, US in 1966. Extent of Identity Theft in the US At the dawn of the new millennium, deceitful use of credit cards by persons other than their lawful owners accounted for one half of reported identity theft complaints (Biegelman, 2009). According to the latest available statistics, close to ten million American fell prey to identity theft perpetrators in just a year (Kim, 2009). Surprisingly, as revealed in Kim (2009), even with the influx of new technology, low-tech methods are still very popular among identity thieves, with 43 percent of all identity theft facilitated by stolen wallets and other physical documents. Based on complaints lodged with the Federal Trade Commission (2007), credit card fraud make up the biggest chunk of all identity theft committed at 26 percent. Credit card fraud is committed when a person other than the owner of a credit card acquires through any means, a credit card number and uses this information to make a purchase. Figure 1 shows a pie chart of the different methods by which identity theft is committed. Figure 1. Types of identity theft As shown in Figure 1, the second biggest method of committing identity theft is utilities fraud at 18%. Bank fraud follows at 17%, whereas employment fraud is committed in 12% of the reported cases. In 5% of the reported identity theft cases, loan fraud is committed, while government fraud is reported in 9% of the cases. Other forms of identity theft are committed in the rest of the complaints (“2009 Identity Theft”, 2009). The above percentages, however, do not display the costs incurred in resolving identity theft cases, Citibank (2007) alone indicated that more than a billion dollars were paid by consumer-victims in reported cases of identity theft. Hence, identity theft is a scourge among consumers, as it is among credit card companies and similar institutions. Stana (2004) revealed that credit issuing banks suffer losses from 18% to 42% of their respective overall fraud figures from fraudulent applications and account takeovers. The National Institute of Justice (2010a) reported that the two largest credit card companies have estimate losses from aggregated identity theft cases in their domestic operations of 114 million dollars, but went on to add that credit card companies do not include such cases as lost / stolen cards, cards which were never received by the rightful owner, counterfeit cards, mail order fraud and telephone order fraud in their list of identify theft related losses. This suggests that losses from identity theft may actually more than the figures on record. Identity Theft Policies of Selected Credit Card Issuing Companies Notwithstanding the loss of valuable assets due to identity theft, credit card companies chorus on the significant increase of privacy and information security during the second half of this decade, which may be attributed in part to the imposition of various policies to safeguard consumers against identity theft. Such increase in security and privacy is believed to have spawned from the efforts of the respective institutions as mandated in the Gramm-Leach-Bliley Act (GLBA) enacted in 1999 “to reform the banking industry and establish safeguards for customers’ non-public personal information stored by financial institutions” (American Bar Association, 2007, p. 23). The standards specified in the GLBA are meant to uphold the integrity of financial data from the clients and guarantee that client information is protected against unauthorized access. The following paragraphs review such pertinent policies of five credit card companies to afford protection for their clients against identity theft. The policy review is intended to help visualize how current policies and procedures against identity theft may be improved to better ensure the protection of client information and privacy. The following companies were selected for this paper: Citibank, Hongkong and Shanghai Banking Corporation (HSBC), Capital One, JP Morgan Chase and Bank of America. Identity theft policies of Citibank Citibank offers its client both preventive and corrective measures against identity theft. It is a matter of policy for Citibank to uphold the privacy of client information by sustaining physical, electronic and procedural standards based on existing legislation. Citibank employees are trained well to prepare them to handle personal information under the strictest conditions of confidentiality. Citibank only conducts business with other business organizations which take responsibility in safeguarding the client information that such companies need in providing services for Citibank. Clients are given an updated copy of the Citibank Privacy Notice applicable to each type of credit card account when the account is opened and every year thereafter that the account is active. Clients are also welcome to request for a copy anytime by calling the toll free Customer Service number. Information collected from Citibank clients which may be disclosed to affiliates and non-affliliated third parties include: (1) clients’ name, address and telephone number, (2) transaction information such as account balances, payment history and account activity, and (3) information from consumer reporting agencies, credit bureau report and client credit score. Citibank consumers are given the freedom to dictate how their personal information may be used and shared. Hence, clients can request Citibank to limit the disclosure of personal information1 by simply filling out the Privacy Choices Form or calling Customer Service. Citibank does not share information provided by the consumer or by third parties, such as the credit bureau, with their affiliates, unless such disclosure is permitted by law. However, Citibank’s privacy policy is very clear that it has the prerogative to utilize client information to facilitate business processes and to gain insight about the spending behavior of consumer – as long as the information disclosed does not personally identity the clients. It was observed that California and Vermont have stricter information disclosure requirements than the rest of the states, as shown by a special provisions in the bank’s privacy statement (Citibank 2010a). If a client becomes a victim of identity theft, Citibank offers corrective measures described collectively as the Citi® Identity Theft Solutions. Services under the Citi® Identity Theft Solutions include: (1) assistance in the identification of any other compromised accounts, (2) client education and assistance regarding the procedure in resolving the problem, (3) work with the client in placing fraud alerts to the three major credit reporting agencies, (4) assistance in contacting other creditors which have fraudulent accounts, (5) advisory on the filing of police reports, (6) sending of necessary information to help resolve the identity theft case, (7) monitoring the client’s credit bureau until the case has been resolved, (8) support and follow up until resolution of the case, etc. (Citibank, 2010b) Identity theft policies of HSBC The Hongkong and Shanghai Banking Corporation ([HSBC] 2010) makes use of electronic, physical and administrative standards to ensure that the personal information of their clients are properly safeguarded. HSBC employs only carefully trained professionals and involves only respectable and trustworthy companies to help serve their clients and makes sure that only these professionals and companies gain access to client information. The bank meticulously maintains security measures in compliance with applicable federal standards. HSBC also practices responsible information sharing. This implies that if circumstances require in consideration of benefits for the client such as in fraud control or for general business purposes, information is shared among HSBC family of Affiliates. Moreover, responsible information sharing is made possible by allowing choices for the clients to allow or disallow HSBC to share their information. HSBC collects demographic information, such as name, address, and social security number, as well as credit information Once a client visits the HSBC website, certain information about internet usage are also collected. Such information will not be shared in violation of applicable legislation. Client information is shared within the HSBC family of companies for general business purposes or for endeavors which are considered beneficial to the client as long as disclosure of such information is in violation of applicable laws. Meanwhile, sharing of client information with non-HSBC affiliates are allowed in most states to allow trusted companies to make special offers which are believed to be beneficial for the client. For California and Vermont residents, however, where existing laws require permission from the client for disclosure of information with non-affiliates, it has become HSBC policy not to share client information to companies outside the HSBC family of companies. Identity theft policies of Capital One Capital One normally sources out their information about their clients through application forms, questionnaires, transaction records, communications, credit bureau reports, census data, real estate records, and telephone calls made by clients. This information is used to further improve services and to protect clients from identity theft and fraud. To protect vital client information Capital One employs security and safety measures on all buildings and facilities by placing secure areas. Electronic security measures include the use of passwords and encryption. Procedural security measures consist of customer identification procedures aimed at preventing identity theft and fraud. Only authorized employees are allowed access to client information and this is strictly for business purposes. Employees are trained on security procedures and security awareness, with regular audits performed to ensure compliance. Whenever third party companies are hired to perform a specific business function, Capital One employs a rigid selection and monitoring process to ensure that all client information is secured and utilized within the parameters set by the company. (Capital One, 2010a) Capital One also utilizes firewall systems, intrusion detection software and 128-bit Secure Socket Layer (SSL) data encryption. Furthermore, the company employs international security and authentication standards in conjunction with guidance provided by the federal government. (Capital One 2010b) Identity theft policies of JP Morgan Chase At JP Morgan Chase, information may be disclosed to any person or entity with the client’s consent and when the company is required by law. Transmittal, transfer and processing of client information anywhere in the world is performed when the company deems it appropriate or necessary. The company has put in place safety measures that encompass the physical, electronic and procedural aspects of information security. Based on existing legal parameters, JP Morgan Chase has created compliant procedures which prevent unauthorized individuals and entities from gaining access, utilizing the data, performing modifications and removal of client information. The client information collected, utilized and retained by JP Morgan Chase is limited to certain companies within the group and may be shared with affiliates and business units as permitted and required by law. This also includes disclosure of information as requested by regulatory authorities and law enforcement agencies. For certain circumstances that JP Morgan Chase would provide client information to other companies, it is agreed that security of the information will be ensured at all times and will only be used according to the purposes specified by JP Morgan Chase. In compliance with Section 236 of the Patriot Act, JP Morgan Chase requests clients opening new accounts to provide identification information and pertinent documents. JP Morgan Chase also provides its clients several choices regarding how their information is shared between affiliates and third parties. (JP Morgan Chase, 2010a). Chase Bank, the consumer banking division of JP Morgan Chase, offers three choices namely: (a) third party sharing, (b) affiliate sharing, and (c) affiliate marketing. The third party sharing option allows the client to decline sharing their information with non-financial companies outside the JP Morgan Chase group. Affiliate sharing on the other hand, allows the client to disallow sharing of their information between companies inside the JP Morgan Chase group. The affiliate marketing option allows the client to limit the marketing efforts of JP Morgan Chase companies when they do not have any business or accounts with them. For clients with Vermont clients, accounts will be automatically set with the three privacy choices in effect. In case information will be shared with other financial institutions with a joint marketing agreement with JP Morgan Chase, only the client’s name, contact information and transaction information will be disclosed. For clients in California, information will not be shared with third party non-financial companies regardless whether or not the first privacy choice was selected. Also, client information will not be disclosed to companies within and outside JP Morgan Chase unless privacy choices are provided or permitted by California law. (JP Morgan Chase, 2010b) Identity theft policies of Bank of America The Bank of America sums up its identity theft policies in its four-pronged privacy commitment to its consumers: (1) protection of customer information, (2) client notification on the use of their information, (3) freedom of choice for the client on how information provided may be used; and (4) respectful and lawful procedures in the collection, usage and processing of client information. Client information is shared among company affiliates of the Bank of America in compliance with applicable laws, including marketing offers. Non-affiliated institutions, which are engaged to act on behalf of the Bank of America are made contractually bound to uphold the confidentiality of customer information and to make use of such information to provide the services they are asked to perform. Clients of the Bank of America have the option to request for the non-disclosure of their application information, consumer report information, and information from outside sources. Information about Vermont clients are not shared even among Bank of America affiliates, except when authorized by the client. Information about California clients are not shared with companies outside of Bank of America, except when permitted by law or with the consent of the client (Bank of America, 2010). Analysis Perusal of the identity theft policies of the five selected banks led to an observation that the banks have very similar policies. This should, however, be readily explained by the fact that the main law which governs information security and privacy in the banking industry, the Gramm-Leach-Bliley Act, is being complied with by the respective banks. However, as maintained by Webber and Webber (2007), “the act is more descriptive than prescriptive” (p. 17-10). Hence, the legislation leaves up to the different banks how they would interpret the definition of protecting the security and confidentiality of client information. It was also observed that a few states, particularly California, Nevada and Vermont have stricter information security legislation. Use and sharing of client information in these three states are very much different from the other states. Additionally, disclosure of client information is more limited in these three states than the rest of the other states. Figure 2, however, shows that two of the three states belong to the top ten states with the most occurrences of identity theft. Figure 2. Top ten states for ID theft occurrences As depicted in Figure 2, Nevada and California are on the second and third spot respectively with 113 and 111 victims of identity theft for every 100,000 population (Thomas, 2004). These figures suggest that strictly limiting disclosure or sharing of client information does not necessarily offer greater protection against identity theft. Recommendations With all the high tech measures being adopted by practically all credit card issuing institutions, crafty identity thieves will almost always come up with cunning tricks and deceptive tactics to lull their prey into a false sense of security. Identity theft victims, and sometimes even bank personnel or store cashiers fall off-guard to credit card fraud because there are loopholes in the process which allow defrauders to do their thing. A simple safeguard of including the credit card legal owner’s clear photograph can aid cashiers to spot identity thieves trying to use the card they stole or found somewhere to make a purchase. Not all credit cards contain a photo of the account holder. It may be helpful against identity theft if all credit cards be issued with the owner’s picture. Research is a key factor in combating an evolving crime. Yet, as reported by the National Institute of Justice (2010b), there is a dearth of data regarding indirect costs of identity theft or the cost-benefit data pertaining to increased security measures. Hence, research into possible strategies to mitigate the harm from identity crimes are inhibited. Moreover, even if the Federal Trade Commission maintains a database of complaints involving identity theft, the law enforcement sector does not keep a national database of identity theft incidents reported nor a repository of how such incidents were resolved and how law enforcement became a part of the solution. Information regarding past crimes can boost research on how the government and the banking sector can join hands in the battle against identity theft. References 2009 Identity Theft Statistics (2009). Retrieved 24 July 2010, from: http://www.spendonlife.com/guide/2009-identity-theft-statistics. American Bar Association. (2008). Data security handbook. Chicago, IL: ABA Publishing. Bank of America. (2010). Bank of America privacy policy for US consumers 2010. Retrieved 27 July 2010, from: https://www.bankofamerica.com/privacy/ Control.do?body=privacysecur_cnsmr Biegelman, M. T. (2009). Identity theft handbook: detection, prevention and security. Hoboken, NJ: Wiley. Capital One (2010a). Privacy notice. Retrieved 27 July 2010, from: https://www.capitalone.com/protection/privacy/notice_english.php?linkid=WWW_Z_Z_Z_PROPR_C1_01_T_PRONE Capital One (2010b). Security policy. Retrieved 27 July 2010, from: http://www.capitalone.com/protection/security/index.php?linkid=WWW_1009_Z_A0B2084C1F86D22A0E1FFBF38F9G1F85_GBLFO_F3_02_T_FO4 Citibank. (2007). Information security and identity theft [Microsoft Powerpoint file]. Philadelphia, PA: The Ninth Annual SmartPay Conference. Citibank. (2010a). Privacy. Retrieved 23 July 2010, from: http://www.citibank.com/us/cards/privacy.htm Citibank. (2010b). Citi® Identity Theft Solutions. Retrieved 27 July 2010, from: http://www.citicards.com/cards/wv/detail.do?screenID=700 Federal Trade Commission. (2007). 2006 identity theft survey report. McLean, VA: Synovate. Hamadi, R. (2005). Identity theft: what it is, how to prevent it, and what to do if it happens to you. London: Vision. Hoffman, S. K. & McGinley, T. G. (2010). Identity theft: a reference hanbook. Santa Barbara, CA: ABC-CLIO. HSBC. (2010). Privacy & Security. Retrieved 23 July 2010, from: http://www.hsbccreditcard.com/ecare/privacy_nli#web_terms6 The Phrase Finder (2010). Identity theft. Retrieved 27 July 2010, from: http://www.phrases.org.uk/meanings/identity-theft.html JP Morgan Chase (2010a). Privacy and security. Retrieved 27 July 2010, from: http://www.jpmorgan.com/pages/privacy JP Morgan Chase (2010b) Privacy policy. Retrieved 27 July 2010, from: https://www.chase.com/ccp/index.jsp?pg_name=ccpmapp/privacy_security/protection/page/privacy_policy Kim, R. (2009). 2009 consumer identity protection services scorecard: competition intensifies as vendors aggressively expand offering. Pleasanton, CA: Javelin Strategy and Research. National Institute of Justice. (2010a). Identity theft research review: cost of identity theft. Retrieved 27 July 2010, from: http://www.ojp.usdoj.gov/nij/ publications/id-theft/cost.htm National Institute of Justice. (2010b). Identity theft research review: identity issues that need more research. Retrieved 27 July 2010, from: http://www.ojp.usdoj.gov/nij/publications/id-theft/research.htm Ritchie, P. (2006). The credit road map: a practical guide for navigating your way to good credit. Tempe, AZ: Success Road Map Press. Roberson, C. (2008). Identity theft investigations. New York: Kaplan. Stana, R. M. (2004). Identity theft: prevalence and cost appear to be growing. In C. L. Hayward (Ed.), Identity theft (pp. 17-72). Hauppauge, NY: Nova Science Publishers. Thomas, B. (2004). Facts and figures: identity theft. United States House of Representatives: Ways and Means Committee. Webber, L. & Webber, F. (2007). IT project management essentials. New York: Aspen Publishers. Read More