Identity Theft: The Growing Problem of Wrongful Criminal Records
Speech by Beth Givens, PRC Director
Presented at the SEARCH National Conference on
Privacy, Technology and Criminal Justice Information
I want to thank SEARCH for inviting me to speak at this conference. And I want to commend you on this conference and on the work of the Task Force. It's a pleasure to be here and to learn of your findings. (www.search.org)
My name is Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy program established in 1992. The topic of my presentation is identity theft.
We began to work with identity theft victims in 1993 and have developed several guides, available on our website at www.privacyrights.org. We operate a consumer hotline and have been contacted by tens of thousands of consumers over the years -- on everything from junk mail to Internet privacy. But the issue that has consumed most of our attention is identity theft.
The most common form of identity theft is when someone obtains the Social Security number (SSN) and perhaps a few other pieces of information about an individual, and uses that information to impersonate them and obtain credit in their name. The imposter might apply for credit, rent an apartment, get phone service, buy a car -- and then not pay the bills, giving the victim a bad credit rating. Victims must then spend months and typically years regaining their financial health.
Based on credit bureau statistics, we estimate that there are going to be 500,000 to 700,000 victims of this crime in 2000. [Sept. 2003 Update: Recent surveys show there are currently 7-10 million victims per year, greatly exceeding our earlier estimates. For more information, www.privacyrights.org/ar/idtheftsurveys.htm.]
The Federal Trade Commission calls this the fastest growing crime of our time. Alan Westin mentioned yesterday that an Opinion Research Corporation Survey (for Image Data) found that 1 in 5 households had experienced identity theft.
We recently conducted our own survey of identity theft victims with another nonprofit group in California, CALPIRG. We learned that the average amount of time it took before the victim became aware someone was using their identity to obtain credit was 14 months. And the average time it took to clear up the credit records was 2 years.
Today I want to talk about another kind of identity theft, what I call the worst-case scenario of identity theft. That is when an imposter commits crimes using the identity of someone else and gives that person a criminal record. For lack of a better term, we're calling this "criminal identity theft." My presentation is in five parts:
- A description of this crime and a few case histories.
- The work of an ad hoc task force in California that has been studying ways in which the victims can clear the record.
- Information on two legislative bills that have been introduced in the California state legislature as a result of our task force's efforts.
- The unresolved issues of the information brokers.
- Some recommendations for changes in the information broker industry to ease the plight of criminal identity theft victims.
Description and Case Histories
The reason I call this the worst-case scenario for identity theft is that there are no established guidelines for regaining a clean record. At least with credit-related identity theft, the victim deals with three credit bureaus and in most cases a finite number of fraudulent credit accounts. While the process is daunting for victims, it ends for most victims, albeit two, three, four years down the road. (See the PRC's identity theft publications at www.privacyrights.org/identity.htm.)
Credit-related identity theft victims usually find out about their plight when they are trying to obtain credit themselves, something many individuals do every few years, and for some, even more often. Another way consumers discover they are a victim is by being contacted by a credit issuer who spots a suspicious looking application. A third way is when individuals check their own credit report which more and more consumers are doing these days.
But the victim of criminal identity theft may not know that someone has burdened them with a criminal record until they are stopped for a traffic violation, the officer runs a check on their driver's license number, and they're arrested on the spot. Or perhaps they apply for a job, are turned down, and obtain the results of the background check because the employer is actually complying with the Fair Credit Reporting Act (something that is not being done across the board, and which I'll talk about in a moment).
Or, as happened to a young law school grad in San Diego: she showed up for her first day of work, was handcuffed and taken to jail. The background check done by her new employer, the San Diego County District Attorney's office, revealed a warrant for her arrest -- possession of marijuana, by the person who stole her wallet and assumed her identity. ("When dreams turn ugly: Stolen identity put her budding career in handcuffs," by Valerie Alvord, San Diego Union Tribune, Aug. 29, 1999, www.uniontrib.com).
Certainly, consumers are not checking their criminal records once or twice a year, as we recommend that people do with their credit reports. In fact there is no easy way for individuals to do so.
Credit-related identity theft can ruin your life for a couple years. Criminal record identity theft can ruin your life forever. It is virtually impossible to wipe the slate clean. Let me give you a few case histories.
Case 1: K. worked as a retail store department clerk after he finished his stint in the military. He was let go after the holiday season and didn't think much of it. He knew he could get other clerk jobs easily. But he was wrong. He applied for job after job and was turned down. Without employment, he lost everything and eventually became homeless. He got another job opportunity selling men's clothing. But when he showed up, he was told they changed their mind. He demanded to know why he was let go. That's when he learned of his erroneous criminal record. He was listed in a data base used by all the department stores in that part of the state that he was wanted for arson and shoplifting. When he put two and two together, he realized that the individual who stole his wallet several years ago had been using his identifying information when arrested and released. K. contacted us in 1996 and has been instrumental in our learning about this worst-case scenario of identity theft and in working with the legislative process to pass laws to prevent his situation from happening to others.
Since then we've learned of many more such situations.
Case 2: Pamela, who lives in the Los Angeles area, was impersonated by her sister who was arrested on drug charges. Pamela is of college age and has not been able to get any employment except a minimum wage job where she is hired by a friend of the family. She has attempted to clear her name through the court system but has not fully succeeded.
Case 3: Jose', a San Diego resident with roots in Mexico, was returning to San Diego from Tijuana, just south of the border. He was detained in secondary inspection, and arrested because his Social Security number matched someone who had committed crimes in the San Francisco area, 400 miles to the north. He was transported to San Francisco and held in jail for 10 days, all the while protesting that they had the wrong person. When finally they compared his prints with those on file, they released him because they realized they had the wrong person. He sued and won a small settlement for the wrongful arrest.
Case 4 : Many of you may have seen NBC's Dateline [April 18, 2000] -- the story of Scott Lewis of Ohio. This isn't identity theft, but the effect was the same. He, like Bronti, had been gainfully employed but had been laid off. He didn't think he'd have a problem getting a new job but he did. He lost everything, including his wife and baby, and ended up living with family members. Through an encounter with a private investigator who offered to help him, he learned that the sheriff's department had made a clerical error, assigning his Social Security number to the record of a murder suspect. When the sheriff's department was apprised of the error, they corrected the record immediately. Scott thought his run of bad luck was over, but it wasn't. The private eye suggested that they look at the records of an Ohio based information broker, and found that it still had the erroneous murder record on its files. The company did remove the error. But when an attorney helping Scott asked for the names of all the companies that this information broker had sold the erroneous record to, they said they didn't have that information. [Update 3/03: The case was settled, www.employeescreen.com/web/pdfs/NAPBS1.pdf]
You are probably wondering, just how much of this is going on? How many individuals are saddled with wrongful criminal records because of identity theft or other types of errors in criminal records?
There are no hard and fast figures. I got a call from the records manager in the police department of a major Southwestern city just last week. She said they put a couple people in jail wrongfully each month because of identity theft. They've started releasing them and cutting them a check to compensate them for their misfortune.
As I mentioned earlier, we recently conducted a survey of credit related identity theft victims. We asked those individuals if they were having to deal with wrongful criminal records. We were very surprised to find that 15%, or about one in six, said they had obtained a criminal record because of the actions of their imposter. By the way, you can read that report on our website. The title is "Nowhere to Turn: Victims Speak out on Identity Theft." (www.privacyrights.org/ar/idtheft2000.htm)
Do I think this problem is insignificant, happening to a very few unfortunate individuals? No. Do I think it's a problem that's going away? No, I think it's only going to grow as data bases grow and as they are merged with other data bases. There is no such thing as a perfect data base.
California Identity Theft Task Force
What is being done about this critical problem? Bronti's case prompted a few of us in Southern California to establish an ad hoc identity theft task force in order to study the vexing problem of criminal identity theft and examine the kinds of changes that are needed legislatively in order to enable such victims to clear their names.
Our informal group has met several times since last August 1999, almost a year, to brainstorm and come up with legislative proposals. The task force is comprised of the Los Angeles District Attorney's office, the California Attorney General's office, the Judicial Council of California, the Department of Motor Vehicles, the Los Angeles Police Department, the Los Angeles Sheriff's Department, myself and another consumer advocate, and two victims, one being Bronti.
Our work resulted in two bills being introduced in the California Legislature this year. Each has fared well so far in the legislative process.
Assemblyperson Susan Davis's AB 1897 establishes an expedited court process to enable individuals to petition the court to obtain a determination of factual innocence and get the record sealed, expunged or destroyed. This bill would fine-tune and expand some of the statutes already in place. Most importantly, it establishes one's local jurisdiction as the starting point for this process.
Assemblymember Tom Torlakson's AB 1862 is backed by the California Attorney General. It would enable the creation of a data base within the California Department of Justice to record information about bona fide victims of criminal identity theft. When such an individual is, say, applying for a job where they know there will be a criminal record background check, they can inform the employer that they are a victim of identity theft and let the employer know that this data base can be accessed to verify that fact. The job applicant would have PIN number access to the data base and can authorize others, such as employers, to access the data base also.
Both these bills are still young in their legislative life and are being fine tuned as they progress. You can track them if you wish at the State's web site -- www.leginfo.ca.gov (click on "Bill Information").
The Role of Commercial Information Brokers
There is another piece to the puzzle -- and that is the commercial sector information brokers. In both Bronti's and Scott's cases, they were denied employment time and time again because it appears that the employers had obtained the wrongful criminal record information about them. I think it is significant that these two individuals were not informed by their employers of the results of their background checks. And I'll return to that in my closing recommendations.
Our identity theft task force in California has come to the conclusion that we need to address the role of the information brokers -- but we have not yet had time to do that. So I'm going to jump ahead of our group's discussion and offer my own suggestions on ways to deal with the difficult issue of criminal identity theft.
The Fair Credit Reporting Act (FCRA) governs background check notification procedures when third parties conduct them for employers. This law needs to be amended to require that job applicants be given the results of background checks in every instance -- not just when the employer uses the report to make a negative decision about them. This is a loophole that I think results in a great deal of noncompliance with the FCRA. It's all too easy for the employer to say that they didn't use the background check when making the negative decision -- that the individual didn't have the requisite skills, or that the job pool had other individuals with more qualifications. (For the FTC's guidelines on how employers must comply with the FCRA, visit the FTC's website at www.ftc.gov/bcp/conline/pubs/buspubs/credempl.htm)
There's another loophole in the FCRA that needs to be plugged. In this day and age of Internet access to public records data, employers don't have to use third parties at all to conduct background checks. They can go online and do their own. And if they were to run a check on Bronti, they would find his criminal record and have no idea that it was created by an imposter. So employers must be required to disclose the results of background checks that they perform themselves and provide the source of the information to the job applicants.
When we get calls from individuals who suspect that there may be negative information "out there" somewhere in data bases preventing them from being hired, we suggest that they conduct their own background check by hiring a professional background checker or private investigator -- which is how Scott discovered having the rap sheet of a murderer. There is now a service called PrivacyScan (www.privacyscan.com) that caters to such individuals.
And there are numerous web sites where you can access public records and credit headers. These are just a few that I've found. (FYI, web sites such as these can be accessed by employers who do not use the services of a third-party employment background check company. When an employer conducts its own applicant investigations, it is not bound by the Fair Credit Reporting Act and does not have to notify an applicant if it has made an adverse decision based on the results of the background check.)
As I mentioned earlier, I believe there is a great deal of noncompliance with the Fair Credit Reporting Act. Otherwise, how do you explain Scott's situation where he was repeatedly turned down for employment but not told why. There must be much stronger penalties for noncompliance.
I recommend that the Federal Trade Commission do an investigation of the background check process and look at whether or not the FCRA is being adhered to regarding consumer investigative reports. The study should look specifically at the problem of criminal identity theft and ways that the FCRA can be amended to rectify this situation.
Yesterday, both Bob Belair and I alluded to the IRSG voluntary guidelines. IRSG stands for Individual Reference Services Group (www.irsg.org). It is comprised of 14 information brokers who signed onto a set of voluntary regulations with the FTC in 1997. I have been critical of these regulations from the start as not adhering to the Fair Information Principles (FIP) of Notice, Choice, Access, Enforcement, Accountability among others. (If you want to read more about the FIP, see our web site under "Speeches & Testimony" -- www.privacyrights.org/ar/fairinfo.htm).
For example, consumers should be able to obtain the actual copy of a report about them as compiled by the information broker for a reasonable fee. The IRSG agreement says that individuals should only be told the nature of the public record information that it makes available in background checks, plus the sources of that information.
The reason I believe the information broker should provide the data subject with the entire record, whether it is public or nonpublic information that has been compiled, is that it might report on the wrong Jane Smith, or it might have an imposter's record in an innocent person's name. Access at a reasonable price to the total report is necessary for the individual to know what others are seeing about them. This then ensures accountability of the information broker. You might be interested to know that California U.S. Senator Dianne Feinstein has introduced an identity theft bill, S.2328, that enables individuals to obtain a copy of their own dossier from information brokers at a reasonable price. (thomas.loc.gov)
In closing, I welcome the suggestions than any of you might have on ways we can address and solve the difficult problem of criminal identity theft. Too many people's lives have been ruined because of this crime. We must find solutions and find them soon. This crime is not going away.