The Federal Trade Commission (FTC) received more than half a million identity-theft complaints in 2003, up from 404,000 in 2002. The actual number of incidents may be higher; not all cases are reported. In 2002, the FTC estimated that 9.9 million Americans were victims of identity theft, at a cost of $47 billion to the victims, businesses, and banks. Identity theft accounted for 42% of the complaints in a government database of fraud, and cost the average victim more than $1,000 in damages.

Identity theft could happen to anyone, as it recently happened to me. One evening, I received a call from Steve, who was calling about a $25,000 order for computer equipment that had been placed with his company in my name. The transaction had already been approved, but he was confirming the order because the shipping address differed from the billing address. The order was placed over the Internet using my credit card and included my home phone number and address.

I immediately called the credit card company and cancelled my card, even though it was still in my wallet. I explained the situation to MasterCard, but they were uninterested in pursuing it. Steve was not surprised with MasterCard’s reaction, but would not provide the shipping address without a police report. He suggested that I call the police and report the incident, which I was hesitant to do.

Within a few days, I received a suspicious phone call. A woman claimed to be from MasterCard, updating its records because the computer system was down. The connection was poor and there was a great deal of static. She repeated my name and read off my address. When she asked me to confirm the last four digits of my Social Security number, I hung up the phone. Although I thought the call suspicious, I again hesitated in taking action.

The next evening I received another call, this one from American Express wanting to confirm my application for a new credit card to be mailed to my new address in Brooklyn. American Express confirmed that the person who had applied for the account had my Social Security number and other personal data. At that point, I was certain that my personal information had been hijacked, and I took the three steps recommended by the FTC:

After taking immediate action to protect your personal identity, some follow-up actions are recommended: Call the FTC’s Identity Theft Hotline at (877) IDTHEFT or (877) FTC-HELP, or visit www.consumer.gov/idtheft/index.html for more information. The FTC puts information into a secure consumer fraud database where it can be used to help other law enforcement agencies and private entities in their investigations and victim assistance.

Review the credit report and request a fraud investigation of suspicious items in the report. Additionally, request another credit report in three to six months, to review further activity.

As a further precaution, add a fraud victim statement to your file, which can remain in a credit report for seven years. This statement asks lenders to contact you by phone before granting credit. This eliminates instant credit, because a verification call must be received. It also prevents accessing a personal credit report online. Victim statements are generally added when a consumer has confirmed that someone is using personal information in a fraudulent manner.

Steps for Preventing Identity Theft

Use a paper shredder to ensure that all documents containing personal data cannot be retrieved from the trash. To reduce the volume of mail containing personal information, opt out of prescreened credit card offers by calling (888) 5-OPTOUT.

Additional Precautions When Using Computers

Federal Laws

In October 1998, Congress passed the Identity Theft and Assumption Deterrence Act, amending 18 USC section 1028 to make it a federal crime when anyone:

Violations of the act are investigated by the U.S. Secret Service, the FBI, and the U.S. Postal Inspection Service and are prosecuted by the U.S. Department of Justice.

How Does Identity Theft Happen?

Identity theft is insidious. Eighty percent of the victims who report identity theft do not know how their personal information was obtained. There are countless ways that one’s identity can be stolen, including: stealing wallets, purses, or credit cards; stealing mail (both outgoing and incoming); diverting mail using change of address forms; or stealing personal data from the trash. Some thieves obtain credit reports by pretending to make a legitimate request, or steal personal information sent over the Internet. In 52% of the cases in which the victim discovered how information was stolen, the thief turned out to be a family member, neighbor, or coworker. Business record identity theft is often conducted by insiders that work for schools, hospitals, tax preparers, or municipalities and exploit or sell the stolen data. Many victims are not even aware of the theft until notified by their employers or vendors that customer or employee personal records have been stolen (see Exhibit 1).

How Is Personal Information Used?

Once personal information is obtained, it can be used in a variety of ways, including having credit card statements diverted to a new address, opening up checking or credit card accounts, and borrowing money. Some victims have discovered that thieves have obtained government benefits or documents in their name, such as driver’s licenses, tax reports, and Social Security cards. Although there may be limits to victims’ financial responsibility for debts, it often will take countless hours to erase the bad credit created by the theft. According to a May 2000 survey conducted by two nonprofit advocacy agencies (the California Public Interest Research Group and the Privacy Rights Clearing House), most victims spend an average of 175 hours and up to 23 months actively trying to resolve the problems created by identity theft (see Exhibit 2).

I was never able to figure out exactly how my identity was stolen. Two possibilities in my case were the trash in my office, where I had thrown out copies of medical insurance forms, and a theft about a year earlier of personal information files at the college where I teach. But it also could have been stolen online or in some other way; there are numerous opportunities for criminals to obtain this information. Shortly after my experience, my college adopted specific guidelines that included the shredding of documents that contain personal information.

Small businesses with few internal controls may be the entities most vulnerable to this type of crime. Business and personal records should be protected from unauthorized access, and internal controls should be put in place to protect sensitive data from dishonest employees or Internet thieves. A company’s financial health could be seriously undermined if personal or proprietary information is compromised.