Identity Theft: A Personal Risk Management Approach (Part 3)

September 2005

After identifying and analyzing the identity theft loss exposure (see Part 1), the next step is to select the appropriate risk management techniques (see Part 2). Then insureds must handle and monitor the exposure, keeping track of new reforms as they are implemented.

by Robin Olson
IRMI

Insurance is an increasingly important risk management technique for the identity theft loss exposure. As this crime and the accompanying expenses and time involved grow exponentially, the demand for insurance protection has also spiraled. Insurance bureau organizations such as the Insurance Services Office, Inc. (ISO), insurance companies, and banks now offer various types and limits of coverage.

Insurance Services Office, Inc.

ISO is an organization that collects statistical data, promulgates rating information, and develops standard policy forms for more than 1,500 participating insurance companies and their agents. ISO developed an identity fraud expense endorsement in 2002 to its homeowners policy. This endorsement provides $15,000 limits for any one identity fraud incident first discovered during the policy period and subject to a $250 deductible. This endorsement covers six categories of expenses.

1. Costs for notarizing affidavits or related documents verifying the fraud. Financial institutions, creditors, and related agencies may require these documents to resolve the credit issue.

2. Costs for certified mail to law enforcement agencies, credit bureaus, financial institutions, or creditors.

3. Lost income due to the insured's or policyholder's time off work to complete fraud affidavits and to meet with law enforcement agencies, credit agencies, and legal counsel. The endorsement covers up to $200 per day, with a maximum limit of $5,000.

4. Loan application fees for reapplying for loans when the original application is rejected solely because the lender received inaccurate credit information. These fees range from $100 to over $1,000.

5. Reasonable attorney fees (ranging from $200 to $350 per hour in urban areas and from $100 to $250 per hour in rural areas) incurred as a result of identity theft, including expenses from the following.

   • Defending lawsuits brought against an insured by merchants, financial institutions, or their collection agencies.
   • Removing criminal or civil judgments wrongly entered against an insured.
   • Challenging the accuracy or completeness of the consumer credit report.
6. Long distance telephone charges to creditors or merchants, law enforcement agencies, banks, or credit bureaus to report or discuss the incident. Resolving the theft may involve dozens of hours of long distance charges spanning several months or longer.

This endorsement contains three exclusions. First, there is no coverage for a business-related loss. Second, any expense incurred due to any fraudulent act by an insured, including a spouse or family member, is excluded. Third, any loss other than the six specified expenses is not covered. For example, if the insured victim requests compensation due to the mental aggravation accompanying the theft, no coverage applies.

Insurance companies have some latitude in charging for this endorsement, but the annual premium charge is normally under $100.

Insurance Companies

More individual insurance companies are now offering their own identity theft protection, normally as an endorsement onto their homeowners policy. American International Group (AIG) offers a homeowners endorsement that reimburses expenses up to $30,000 with an annual premium of $75. According to Kirk Hodgson, Business Development Manager with AIG, this coverage provides free credit reports, costs for certified mail, free legal assistance, and lost wages up to $1,000 per day. The plan currently includes a $500 deductible, but AIG is in the process of eliminating this deductible. According to Mr. Hodgson, this coverage is "not an easy sell, but growing awareness of the problem is slowly making this product easier to market."

Nationwide Insurance Company's plan extends beyond simply reimbursing a policyholder's expenses. According to Deb Harmon, Project Manager with Nationwide, "What makes this plan unique is its service component. We work on the policyholder's behalf to rectify the problem by directly contacting creditors, credit bureaus, and law enforcement agencies." When the insured contacts Nationwide regarding the identity theft, the company brings in an Identity Theft Assistant to perform all the leg work and deal with the hassle of resolving the issue. Ms. Harmon added that "emergency cash advances are provided for customers out of the country, including unique translation services." This protection is so extensive that it even provides emotional support via licensed professional counselors to help victims deal with the stress. The policy limit is $25,000 with no deductible, carrying a $45 annual premium.

Allstate offers the standard reimbursement plan with a $20,000 limit that costs $30 per year with no deductible. According to spokesperson Bill Mellander, the insured "has the option of selecting the restoration services plan for the same $30 annual premium which provides the insured with an expert in electronic data recovery. This ‘personal assistant' articulates the whole process to our insured, gives them constant updates, and educates them about the crime in general."

Other insurance companies playing an active role in identity theft protection are the Chubb Group of Insurance Companies, Encompass Insurance, Farmers Group, Fireman's Fund, Travelers, and Hartford Insurance, per the Insurance Information Institute.

Banks

Banks are also beginning to offer this protection to their customers. Pittsburgh-based PNC Bank implemented a plan in April 2004 that is very popular. This protection is a no-cost reimbursement plan with $2,500 limits, which can range up to $10,000 based on the level of banking services provided. According to Laila Krause, Executive Vice President of PNC, "our customers started expressing concerns about this exposure. Thus, this product gives them peace of mind with worldwide protection." It contains a $100 deductible per policy period. Customers also have the option of purchasing the True Credit Plan for $3.65 per month which provides ongoing credit monitoring. American International Specialty Lines Insurance Company, a subsidiary of AIG, underwrites this plan.

According to Bankrate.com, Washington Mutual Bank offers a free plan to its customers, which includes a toll-free access line to the bank's Identity Theft Resource Center, free access to credit education specialists, and $5,000 in insurance (no deductible) to offset recovery costs, including legal fees and lost wages.

Current Laws and Legislation

The federal government has passed various laws and taken other action in the last few years designed to stem the rising tide of identity theft losses. More reforms, however, are needed in this endeavor, particularly in the area of prevention and relief for victims of this crime.

Several new important actions are discussed below. In addition, many state laws have now passed in an effort to reduce the impact of this crime.

Identity Theft and Assumption Deterrence Act of 1998

Enacted by Congress in October 1998, this Act makes identity theft a federal crime. Under this federal law, identity theft occurs when someone:

• knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law.

Under this Act, a name or Social Security Number (SSN) is a "means of identification" along with a credit card number, cellular telephone electronic serial number, or any other piece of information that can be used to identify a person. Federal agencies such as the U.S. Secret Service, the FBI, the U.S. Postal Inspection Service, and the Social Security Administration's Office of the Inspector General investigate these crimes. The U.S. Department of Justice prosecutes federal identity theft cases.

According to Identity Theft (Silver Lake Editors, 2004), this Act accomplished four objectives:

• It identified persons whose credit had been compromised as true victims. In the past, the person whose credit was decimated was not recognized as a victim.
• It established the FTC as the central point of contact for victims to report acts of identity theft. The FTC assists law enforcement agencies in this crime.
• It provided increased sentencing potential and stronger asset forfeiture provisions.
• It closed loopholes in federal law by making it illegal to steal someone's identity.

ID Theft Data Clearinghouse

The ID Theft Data Clearinghouse was created pursuant to the Identity Theft and Assumption Deterrence Act and began operation in November 1999. The Clearinghouse operates the federal government's database for tracking identity theft complaints and serves as a place for victims to receive valuable information to mitigate their losses. This information is shared electronically with other law enforcement agencies nationwide, allowing these agencies to spot patterns of illegal activity. The Clearinghouse also sends information to private companies to assist them in providing better protection for consumers. The Clearinghouse received over 247,000 identity theft complaints during the 2004 calendar year.

Identity Theft Penalty Enhancement Act

California Senator Dianne Feinstein spearheaded the drafting of the Identity Theft Penalty Enhancement Act, allowing harsher sentencing when identity theft occurs in connection with other serious crimes such as terrorism. In signing the bill in July 2004, President George W. Bush remarked that this Act will "dramatically strengthen the fight against identity theft and fraud. Prosecutors across the country report that sentences for these crimes do not reflect the damage done to the victim. Too often, those convicted have been sentenced to little or no time in prison. This changes today."

Fair and Accurate Credit Transactions Act (FACTA)

A new federal rule effective June 1, 2005, requires companies that use consumer reports to discard the personal information properly, rather than simply tossing paper files in a trash container or sending unscrubbed computer hard drives to the recycler.

State Laws

Many states have promulgated laws making identity theft a crime or providing help in recovery for victims. Where specific criminal identity theft laws do not exist, the practices may be prohibited under other state laws. California's Notice of Security Breach Law specifies that if any company or agency that has collected financial or personal information about a California resident discovers that non-encrypted information has been stolen by an unauthorized party, the company or agency must immediately report this incident to the resident.

Texas State Representative Helen Giddings was herself a victim of identity theft, when checks she ordered during the fall of 2004 were stolen. She has spent over 1,000 hours in an effort to clear up her good name. In addition, she was forced to hire an attorney and an additional person on a part-time basis to keep up with the faxing of documents, e-mails, and various correspondences with merchants, banks, and credit bureaus. As a result of this terrible experience, she pushed through several important pieces of legislation which the governor signed into law in June 2005.

• When a customer requests a signature be obtained upon delivery of blank checks by a courier, the courier must honor the consumer's request. A violation carries a penalty of $1,000 per delivery.
• Debt collectors are prohibited from continuing to contact a consumer who has proved the debt incurred was the result of a theft.
• A merchant must delete any electronic record indicating a customer has issued a dishonest check, provided the customer presents a copy of the report filed with a law enforcement agency stating the check was unauthorized.
• Banks must note "forged" instead of "account closed" when the customer's checks are stolen and used fraudulently. This notation prevents a merchant from attempting to have a victim arrested or turning the check over to a collection agency. The victim must complete a forgery affidavit and a police report as a prerequisite to this process.
• An identity theft victim may not be denied access to credit that would otherwise be approved in the absence of the theft.
• Civil penalties are imposed on identity thieves. Representative Giddings commented that "The current laws addressing identity theft are woefully inadequate and the rights of victims are not clearly defined. This bill gives law enforcement guidelines to more appropriately respond to cases that do arise."

Other states have also passed numerous statutes concerning this growing crime. Citizens can access http://www.ncsl.org/ for a list of state statutes specifically addressing identity theft.

Necessary Reforms

Additional reforms are needed, including those outlined below.

Stricter Sentencing of Identity Thieves

Even though the Identity Theft Penalty Enhancement Act was passed in 2004, this law applies only to U.S. Postal Service and interstate acts of identity theft. For acts of intrastate identity theft, many states still do not classify this action as a felony and the criminal is given a lenient sentence. Stronger state laws requiring stiffer sentences will assist in deterring some of these thefts.

Tougher Standards on Breeder Documents

Breeder documents are documents used to obtain other documents used for identity; e.g., using a birth certificate to get a driver's license. Driver's licenses present particular problems in this regard. According to the American Association of Motor Vehicle Administrators (AAMVA), a person's driver's license is easily counterfeited. The AAMVA asserts that the variety and dissimilarity make it easy for criminals to counterfeit. Having a uniform design with certain security specifications would help make driver's licenses more difficult to counterfeit. Shared and well-integrated databases among all the state motor vehicle departments would also assist in this regard.

Increased Use of Biometrics

Biometric technologies (the study of physical characteristics such as finger prints, hand geometry, eye structure, or voice pattern) are being tested and used to fight identity theft include fingerprinting, earprinting, retina scanning, iris scanning, voice recognition, facial recognitions, and handwriting analysis. The use of this technology can add layers of security that standard.

Improved Encryption Standards for Businesses

Encryption is converting data into a form or code that is not easily understood by unauthorized persons. Enhanced encryption standards would prevent many of the personal identification thefts from financial institutions occurring in 2005. Businesses that retain computerized personal information on their customers should be required to utilize encryption technology to reduce the exposure to this crime.

Stricter Reporting Requirements

The financial services industry has received considerable criticism for not promptly reporting incidents of compromised personal and financial information. There are numerous bills on data breaches on the federal level and hundreds on the state level under consideration. Most of these bills aim to push credit-card issuers and banks to quickly advise cardholders and customers whose accounts are breached. Many of these financial institutions disagree with any types of draconian laws, arguing that too many such warnings may result in a "cry wolf" response. The current system, however, is clearly not working.

Heightened Assistance for Victims

Identity theft victims struggle in multiple ways to restore their good names. Adding to the problem is the fact that the victims bear the burden of proof in restoring their good names. Fortunately, more states are passing laws designed to assist victims in this effort. According to the Congressional Research Service, Remedies Available to Victims of Identity Theft (July 2003), a consumer may have a security freeze placed on his or her credit report by making a request in writing with a consumer credit reporting agency. This prohibits the consumer reporting agency from releasing the consumer's credit report or any information without the consumer's express authorization. California law also stipulates that identity theft victims who are sued regarding an obligation resulting from the theft may bring a cross-claim alleging identity theft.

The state of Washington has also enacted an extensive identity theft statute that includes a provision which allows victims to receive information about the alleged crime from parties who engaged in transactions with the thief. The victim can request that such parties provide copies of all relevant information related to the fraudulent transaction.

Conclusion

The mass media is spotlighting with increasing frequency the scourge of identity theft, primarily due to the escalating incidents of the crime and the evolving methodologies identity thieves utilize. Where identities were previously stolen one by one, thieves are increasingly stealing massive numbers of them in a single strike.

With the odds growing daily that an individual may become a victim, a comprehensive personal risk management approach is essential. Persons should be aware of the many ways this crime can occur. They should also recognize the factors that make them a better target for thieves. In this regard, effective loss prevention techniques should be practiced to mitigate the threat.

If a theft occurs, the victim needs to follow a highly organized set of procedures to reduce the severity of the crime. Organization, patience, and a calm and methodical approach to this problem help immensely.

An individual should also look into insurance and protection plans offered by insurers and banks, particularly since the number of identity theft cases is rapidly escalating. A thorough comparison of these plans is necessary and an analysis of the financial strength of each company is also in order.

After the risk management techniques are implemented, the individual should annually monitor the plan because the crime is rapidly evolving, the individual's circumstances and environment change, and insurance and protection policies often are amended. By following a systematic, organized, and comprehensive personal risk management plan, a person can be properly informed and prepared to face America’s fastest growing crime.

---

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author’s employer or IRMI. This article does not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.