Identity theft: the internet connection.(Fair and Accurate Credit Transaction Act of 2003)

Summary

Concern is growing about identity theft--where one person assumes the identity of another by stealing personally identifiable information (PII), such as credit card or Social Security numbers. High profile incidents disclosed in early 2005 involving ChoicePoint, Bank of America, and LexisNexis, where the PII of more than a million Americans may have been compromised, have refocused congressional attention on this issue. Many associate the rise in identity theft cases with the Internet, but surveys indicate that comparatively few victims cite the Internet as the source of their stolen PII. Still, the Internet may play a role, particularly through a practice known as "phishing." Congress already has passed several laws to address identity theft, and continues to debate whether additional action is needed. This report will not be updated; for information on pending bills and current legislative action, see CRS Report RL31408.

Introduction

The growth in the number of cases of "identity theft," where one individual assumes the identity of another to commit fraud, is alarming to many consumers, including many Members of Congress. Despite widespread public perception that the Internet is a major contributor to the rise in identity theft, surveys indicate that comparatively few individuals who know how a thief acquired their personally identifiable information (PII) cite the Internet. Some attribute the rise in identity theft instead to carelessness by businesses in handling PII, and by credit issuers that grant credit without proper checks. Identity theft can be separated into "low-tech" crimes by thieves who acquire PII through traditional means such as lost or stolen wallets or "dumpster diving," and "high-tech" crimes by thieves who compromise computer databases or use the Internet. A survey released in January 2005 (discussed below) found that computer crime accounted for 11.6% of identity theft cases in 2004, compared with 68% from paper sources.

Computer crimes do not necessarily involve the Internet; they may be caused by data security or computer security lapses (such as insider theft). Still, the Internet can be used to acquire an individual's PII, particularly through a practice known as "phishing." The Internet also could enable hackers to access computer databases if the databases are connected to the Internet. Also, PII may be inadvertently placed on the Internet through human error. (1) The networked nature of the Internet age, coupled with steadily increasing computer power, not only allows the linking of enormous databases to facilitate information access, but also makes that information more vulnerable to misuse. The ease, speed, and relative anonymity of online transactions may further exacerbate harm to the consumer when identity theft occurs.

Identity Theft: Definition, Prevalence, and How It Occurs

The Federal Trade Commission (FTC) defines identity theft as …