President Bush has signed into law a bill that mandates minimum sentences for perpetrators of identity fraud, including "phishers," who fake e-mails and Web sites to steal bank account information and other potentially valuable data.
Some say that by putting the matter into federal hands, the new legislation will solve the problem of inadequate enforcement on the part of state agencies. Others, though, say it's not likely that a minimum five year sentence, for example, will deter someone intent on committing a crime that can, under current law, already lead to a punishment as harsh as 15 years of jail time.
Anyone who clicks on the included hyperlink and types in their personal details is unwittingly connecting not to their own bank, but to a scam artist engaged in thefor illegally obtained credit card numbers, bank account information, and Social Security numbers.
President Bush on Thursday signed into law a bill that boosts criminal penalties against phishing and many other forms of identity fraud, also called identity theft. Known as the Identity Theft Penalty Enhancement Act, or ITPEA, the measure sets up punishment guidelines for anyone who possesses someone else's identification-related information with intent to commit a crime.
"Identity theft undermines the basic trust on which our economy depends," Bush said before signing the legislation. "When a person takes out an insurance policy, or makes an online purchase, or opens a savings account, he or she must have confidence that personal financial information will be protected and treated with care. Identity theft harms not only its direct victims, but also many businesses and customers whose confidence is shaken."
Though solid numbers are hard to come by, identity fraud has been called the fastest-growing crime in the United States, affecting millions of Americans at a cost of billions of dollars a year. The Federal Trade Commissionthat 10 million Americans become victims of identity fraud a year, while researcher Gartner at around 7 million.
"Once it is damaged, it can take years to completely clear one's credit history, and in the meantime, the obstacles pile up," said House Judiciary Chairman F. James Sensenbrenner, R-Wisc., after the House of Representatives approved the ITPEA in June. "Purchasing large items like cars and homes becomes almost impossible because the victim is unable to qualify for a decent loan rate--if he or she qualifies at all."
By mandating minimum prison sentences, ITPEA is designed to deter the type of identity fraudsters who have been prosecuted but have received little jail time. A House report says one woman, Dolores Rodriguez, surreptitiously worked under her husband's SSN while receiving more than $80,000 in disability benefits--but was sentenced only to home confinement and probation. In another case, after Diana Fergerson pleaded guilty to stealing another person's identity and obtaining credit and Social Security benefits, she was sentenced to five years probation and restitution.
In addition, ITPEA rewrites a second section of the current law, which restricts only transferring or using someone else's ID. That 1998 law was part of Congress' earlier effort to tackle identity fraud. Now merely possessing the "identification of another person with the intent to commit, or to aid or abet" a crime is illegal.
Chris Hoofnagle, deputy director of the Electronic Privacy Information Center in Washington, D.C., says that ITPEA is intended to encourage prosecutors to bring more ID fraud cases.
"A big problem in identity theft comes from lack of enforcement," Hoofnagle said. "There are problems with state authorities who tend not to want to deal with the problem. If you're a Washington, D.C., resident and someone in California steals your identity, both Washington and California police will play ping-pong with your case to avoid dealing with it. They have other priorities. Enforcement at a federal level may deter the crime and provide the opportunity to capture thieves who are evading state enforcement."
But ITPEA's mandatory minimum prison terms have irked some Democrats, who say judges should be granted considerable leeway when handing out sentences.
"Congress is not in a better position to determine what the appropriate sentences are in individual cases before the crime occurs than a judge is when he has heard the evidence," Rep. Robert Scott, D-Va., said at a House committee meeting on May 12. "Mandatory minimum sentences not only defeat the rational sentencing system that Congress adopted, but (they also) make no sense in our separation-of-powers scheme of governance. Moreover, the notion that mandating a two- or five-year sentence to someone who is willing to risk a 15-year sentence already is not likely to add any deterrence."
Phishing season over?
Though not all the reasons for the reported rise in identity fraud are clear, most appear to stem from relying on SSNs as a means of identification, coupled with the dramatic growth in credit card use in the past 20 years. The U.S. Justice Department warns Americans to be extremely cautious before divulging their SSNs.
Laptops can be rich sources of personal data for thieves, as the University of California recently, warning 145,000 blood donors that they could be at risk for identity theft due to a stolen university laptop. In 2002, the IRS it lost 2,300 computers that potentially contained personal information about American taxpayers. In addition, persistent bugs in Microsoft Windows and Internet Explorer to seize control of a PC and read all the information on it.
Phishing, or sending spam that impersonates a legitimate business, is one of the biggest worries of e-commerce companies. Security firm MessageLabsphishing messages were almost nonexistent in September 2003 but have become a huge problem since then.
MasterCard Internationallast month that it was going to try to track down the culprits and shut down Web sites that pose as its own, and EarthLink is taking steps to to the fraudulent Web sites. Some privacy advocates recommend that consumers open a new e-mail account just for business-related purposes and never use it for general correspondence.
For now, though, identity fraudsters appear to be traditionalists: A report released last year by the Federal Trade Commission said only 3 percent of people who reported identity fraud cited misuse of their Internet accounts.