Identity Theft Tips

Federal Identity Theft Task Force Reviews Prosecution Standards

In May of 2006, the President signed an Executive Order establishing an Identity Theft Task Force, directing it to develop a coordinated strategic plan to combat id theft. Among other recommendations, the plan was directed to include suggestions for "ensuring just and effective punishment for those who perpetrate identity theft." Task Force recommendations specific to prosecution and punishment for identity theft -- which can also be found in detail on the FTC's website -- include:

· Requiring each United States Attorney's Office to appoint an identity theft coordinator and develop an Identity Theft Program for each District, and creating working groups and task forces to focus on the investigation and prosecution of identity theft.

· Amending federal statutes and guidelines used to prosecute identity-theft related offenses. Specific proposed amendments include:

• Amending the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted. Also, add new crimes to the list of predicate offenses for aggravated identity theft offenses, such as mail theft, tax fraud, and conspiracy to commit those crimes.
• Amending the statute that criminalizes the theft of electronic data to eliminate the current requirement that the information must have been stolen through interstate communications.
• Amending 18 U.S.C. § 1030(a)(5) to eliminate the current requirement that the defendant's key-logging or malicious spyware actions must cause ‘damage' to computers and that the loss must exceed $5,000.
• Outlawing pretexting.
• Enacting legislation to make it a felony for data brokers and telephone company employees to sell or transfer customer information without prior written authorization from the customer.
• Amending the U.S. Sentencing Guidelines to ensure that an identity thief's sentence can be enhanced when the criminal conduct affects more than one victim.

Victims Who Don't Prosecute Perpetuate ID Theft Crimes

Contrary to popular belief, not all victims of criminal identity theft are interested in prosecuting the criminal.

Most cases of ID theft involve at least two victims: the individual whose personal information is used to commit the crimes and the company or retailer that granted the credit, accepted the credit card or check from the offender. The individual is typically off the hook for financial liability while the creditor is left holding the loss. Yet, ironically, it is the creditor – the one with the loss – who refuses to pursue prosecution. Why? Time and money.

For many credit card companies and corporations who fall victim to identity theft crimes, it's easier and less costly to write off the loss as a cost of doing business. It's a bottom line decision. But it's not just big companies that write off losses. Small companies don't have the staff to appoint a dedicated advocate to manage the case and won't spend the money to hire a lawyer because the resulting costs could well exceed the amount of recovery.

So does this lack of pursuit of justice or punishment perpetuate identity theft crimes? That particular debate is ongoing with plenty of finger pointing from all sides. However, many of the individuals who are left to clear their records experience a lack of cooperation from credit card companies and credit reporting agencies.

Without the same outrage and feeling of violation that is felt by individual victims, agencies have little motivation to prioritize identity fraud cases and are content to leave the decision to file charges and pursue punishment up to prosecutors.

ID Theft in Cyberspace is Difficult to Prosecute

Prosecutorial victories to convict and dole out punishment for cybercrimes and online ID theft are few and far between. Part of the reason is because the lion's share of spam threats doesn't come from the U.S., it comes from gangs based in Asia and Russia. And, although cybercrime laws are being updated in several countries, including Russia, law enforcement efforts are not as aggressive as those in the U.S.

Another reason for so few cybercrime convictions is that criminals are somewhat of a moving target. They may not be physically moving from place to place, but they are able to reroute the cyber schemes through multiple networks that are difficult to trace. And to add fuel to the fire, they continually devise new and more sophisticated techniques to get past anti-spam software and firewalls. One of the latest types of spam slipping through corporate systems is image-based spam.

If there's good news, it's that law enforcement agencies are more determined to gear up rather than give up the fight. The latest technologies being implemented to fight spam and phishing expeditions are reputation services designed to identify and rate suspicious e-mail. The goal is to cut off the destructive malware at the gateway so it can't enter the network.

There's an element of patience required to successfully track and capture online identity thieves. Yet, once arrested, multiple indictments can lead to a theft conviction, resulting in decades of prison time.

State Laws for ID Theft Define Their Own Penalties

Identity theft and fraud is a federal crime and violations are investigated by federal law enforcement agencies. Federal identity theft statutes are used to determine punishment for ID theft crimes. However, individual state laws differ in classification and associated punishment for identity theft cases.

For example, in Georgia, the punishment for financial identity theft is “imprisonment for not less than one nor more than 10 years or a fine not to exceed $100,00, or both for first offense. Punishable by imprisonment for not less than three nor more than 15 years, a fine not to exceed $250,000, or both for subsequent offenses.”

In Arkansas, financial identity fraud is considered a Class C felony, which means that it is punishable by imprisonment for 10 or more years, but less than 25 years. These two states have drastically different sentencing guidelines.

To find out what classification applies to convictions for identity theft crimes in your state, contact your state Attorney General or local consumer protection agency.

Identity Thieves Can Be Charged with Multiple Crimes

We often think of criminal identity theft as a single crime committed against a single individual. But most cases are more far reaching than that. Take the case of Robert Soloway who was arrested in Seattle on May 30, 2007. Described as one of the world's most prolific spammers, Soloway was accused of using networks of compromised ‘zombie' computers to send out millions of spam e-mails.

But Soloway was indicted for more than being a ‘spammer' – a federal grand jury returned a 35-count indictment for multiple identity theft crimes, including mail fraud, wire fraud, e-mail fraud, aggravated identity theft and money laundering.

What makes the use of ‘zombie' computers so lethal is that the people who own the them have no idea their computers have been infected with the malicious code. Using the network of compromised machines, Soloway was able to send out millions and millions of unsolicited bulk e-mails directing them to his Internet marketing company. What was the service he was selling? He sold e-mail advertising packages that would send as many as 20 million e-mail ads in 15 days for $495. And he's been doing it since 2003.

Soloway's case is the first in the country in which federal prosecutors used identity theft statutes to prosecute a spammer for hijacking someone else's domain name.

Although prosecutors had not yet calculated guideline sentencing at the time of this writing, it is likely Soloway will be facing decades in prison.