Vermont Cases Shine Light on ID Theft

March 10 , 2005 in Industry News

Last week, 111 Vermonters learned that their identities might have been stolen. ChoicePoint, a company they probably never heard of and never knew harbored their personal and financial information, was expected to send them letters saying some of that information might have landed in the wrong hands.

Also last week, Sen. Patrick Leahy, D-Vt., learned that a staff member was one of about 2.1 million people whose personal information might have been on tapes lost by Bank of America. At first Leahy was told his own information was lost, but he later learned that was not the case.

In mid-February, PayMaxx, a national payroll processor, acknowledged that a flaw in its system left about 100,000 of its customers’ W-2 forms accessible on the Internet.

And Wednesday, intruders using stolen passwords from legitimate customers accessed personal information on as many as 32,000 U.S. residents in a database owned by the information broker LexisNexis.

These four incidents add to a growing concern that since 9/11, with a push for greater information in an increasingly computerized world, this information is becoming more prone to theft.

The stakes are high. When information that defines people’s identities to banks, the government and a host of other entities is stolen, it can send them on a nightmarish ride to clear their records and even to prove who they are.

In response to the recent high-profile identity leaks, Congress begins hearings today to look at what’s going on and what should be done about it. Leahy plans to testify.

Wednesday night, he had this comment about the LexisNexis breach: “This is the latest window on security weaknesses that jeopardize the personal information that data brokers hold about every American, and the view is a chilling one.”

In Vermont, officials are investigating whether ChoicePoint violated any laws. Also, legislation under discussion would seek to make it more difficult to collect information on individuals and easier to act when the information has been stolen.

Those who investigate cases of fraud and identity theft say everyday people need to act, too, and look out for themselves and their information.

Information in demand

Thieves posing as legitimate ChoicePoint customers—using stolen identities—managed to buy personal information of about 140,000 people, including 111 Vermonters. Firms such as ChoicePoint collect information about people from a variety of sources and sell it to businesses trying to measure a prospective employee, insurance companies looking to gauge the risk of a potential customer, or individuals who want to check on a doctor’s track record or on lawsuits against a business. Even federal agencies use such services to check people out.

Particularly since the terrorist attacks of Sept. 11, 2001, demand has skyrocketed for information about who should be allowed on airplanes, who should be hired and who should be allowed to enter certain buildings. Companies such as ChoicePoint are filling that demand.

“They’ve grown to enormous sizes. The public has very little concept,” said Leahy’s spokesman, David Carle.

While Leahy focuses congressional scrutiny on the risks technology presents, a person’s identification can be stolen in simpler ways—from pickpocketing a wallet to sifting through garbage.

A 2003 Federal Trade Commission survey found 4.6 percent of the respondents had been the victims of identity theft in the past year, amounting to a $33 billion loss in business and costing the victims an average of 30 hours to resolve their problems.

“It’s a big problem, and it’s growing,” said Gary Kessler, an associate professor at Champlain College in Burlington, where two new programs indicate just what a growing field this is. Two years ago, Champlain started a major in which students learn how to investigate computer misuses. In the fall, the college will launch a major that teaches students how to provide information security.

Scramble for protection

Before Leahy knew his office was involved in the Bank of America case, he was asking for hearings on privacy issues in response to the ChoicePoint case.

“Our upcoming Judiciary Committee hearing will let some sunshine in on these practices so the American people can know how their information is being collected, stored, sold and used, and so that Congress can consider the need for privacy and security rules to protect the public,” Leahy said in a statement Friday.

The committee should look at how information is handled by these companies, the government’s use of these companies and the handling of sensitive information by overseas data companies, Leahy said.

State legislators also are working to fix the leaks in the system.

A year ago, the Legislature made identity theft a crime and began a study of the state’s use of Social Security numbers on public records, which found that the numbers are used extensively and that changing that practice would be complex.

Rep. Harry Chen, D-Mendon, wants to continue that study and act on one of its recommendations. He has sponsored a bill that would prohibit the use of Social Security numbers in public places and on identification cards used for consumer goods.

“Do you have an insurance card?” Chen said. “Pull it out and look at the number on it. Chances are good it’s your Social Security number.”

“We’re hearing all this about ‘Don’t give out your Social Security number,’ and yet we’re giving it out all the time.”

Julie Brill, assistant state attorney general who oversees consumer fraud cases, said the Attorney General’s Office is investigating whether there were any violations of the law in the ChoicePoint case.

When news of the case broke, the state Attorney General’s Office asked that the 111 Vermonters whose information might have been released by ChoicePoint be notified, which the company agreed to do. The letters should have arrived last week.

Brill said Vermont needs a law like California’s, which mandates companies automatically notify victims in such cases. “I think it’s very important that Vermonters get the same protections as California,” Brill said.

Information at risk

Name, address, Social Security number—those are the simple pieces of information about a person that can cause so much consternation. In the wrong hands, that information can allow someone to pretend to be you, open credit card accounts in your name, change the address, then run up and run away from piles of debt in your name.

The first step toward doing that is to scour the free credit reports offered by three national agencies. If someone has opened a credit card account in your name but diverted it to a new address, for example, it would show up on the report. Credit reports can be flagged with a fraud alert if you learn your accounts are at risk.

Until Vermont made identity theft a crime last year, people were usually prosecuted for false pretenses, said Detective Cpl. Rick Garey of the Essex Police Department, who specializes in Internet fraud. Garey has yet to use the new identity theft statute, but said whatever the crime is called, it can be difficult to solve. Many of the offenses involve use of the Internet, with the victim in one state and the perpetrator far away in another.

“The problem is, where does the crime occur when it’s on the Internet?” Garey said. “Most of our suspects are not in Vermont.”

Interstate cases are turned over to the FBI but typically require a loss of $10,000 or multiple victims to receive action, he said. Even if police in other states cooperate, Internet thieves often use a series of address changes or have merchandise dropped at vacant buildings to avoid detection, Garey said.

Still, he said, it’s important to report any cases. Only then can police make links to other possible cases that can lead to solving a larger scheme.