Center for Problem-Oriented Policing

Responses to the Problem of Identity Theft

Your analysis of your local problem should give you a better understanding of the factors contributing to it. Once you have analyzed your local problem and established a baseline for measuring effectiveness, you should consider possible responses to address the problem. As noted at the beginning of this guide, some of the risk factors relating to identity theft may lie beyond the immediate influence of local police, or they may appear to lie beyond the usual scope of local police responsibility. These include

  • preventive measures businesses should take to safeguard their records from employee misuse or from outside intrusion;
  • marketing or authentication practices of credit card or retail companies that make it easier for identity thieves to open card accounts or make fraudulent purchases;
  • preventive measures government agencies should take to safeguard their records from employee misuse or from outside intrusion;
  • technologies that make counterfeiting cards, checks, or other forms of identity easier for offenders;
  • preventive measures people should take to safeguard their personal information;
  • opportunities the Internet provides for purchase or theft of personal information; and
  • actions credit-reporting agencies take in response to victims’ requests for help in repairing their credit records.

However, studies of successful interventions to reduce or prevent check and credit card fraud have shown that there are things local police can do to impact some of the above factors. It requires the development of various partnerships with local and state government agencies and with businesses.

† See the POP Guide on Check and Card Fraud.

The following response strategies provide a foundation of ideas for addressing your particular problem. These strategies are drawn from a variety of research studies and police reports. Several of these strategies may apply to your community’s problem. It is critical that you tailor responses to local circumstances, and that you can justify each response based on reliable analysis. In most cases, an effective strategy will involve implementing several different responses. Law enforcement responses alone are seldom effective in reducing or solving the problem. Do not limit yourself to considering what police can do: give careful consideration to who else in your community shares responsibility for the problem and can help police better respond to it. In the case of identity theft, there are clear implications for businesses, other government agencies, and consumer advocacy groups.

General Considerations for an Effective Response Strategy

As we have seen, identity theft is a complex crime, composed of many sub-crimes and related to many other problems. Thus,identity theft crimes fall under the authority of many different agencies, including the local police, Secret Service, Postal Inspection Service, FBI, Homeland Security, local government offices, and motor vehicle departments, to name just a few.Regional and state law enforcement agencies may have established multi-agency task forces to combat identity fraud. For example, the Financial Crimes Task Force of Southwestern Pennsylvania consists of local law enforcement, Secret Service agents, and postal inspectors. At a minimum, multi-agency task forces should include motor vehicle departments and local and state government agencies that keep public records. These multi-agency task forces fulfill an important need because, at present, the Secret Service, which has primary responsibility for investigating identity theft, does not accept cases unless there is a financial loss of over $200,000 and a multi-state fraud ring is involved. This leaves many victims in the lurch.

Thus, it will be important for you to work with local agencies to coordinate responses, so that you can participate more fully in designing and implementing preventive strategies. In addition, if local police have the first official contact with the victim, they can be an important investigative resource. FTC data indicate that the victim often knows who the offender is, or has significant amounts of information about the offender. In 2003, 62 percent of the complaints in the FTC identity theft database contained information about the offender.

However, because of the complexity—and expense—of developing multi-agency task forces, your initial efforts should focus on local factors that will help reduce or prevent identity theft and mitigate the harm done to victims. Thus, the responses listed below are divided into two sections:

  • Prevention : What to do to prevent identity theft from occurring in your jurisdiction.
  • Victim assistance : How to respond to victims who come to you for help.

It should be emphasized that these two stages are closely related, and that collecting information in one stage helps in addressing the other. For example, obtaining information in the victim assistance stage will help you develop prevention strategies.

† The costs to the victim—in terms of both out-of-pocket expense and time spent resolving problems—are substantially smaller if the misuse is discovered quickly. No out-of-pocket expenses were incurred by 67 percent of those who discovered misuse of their personal information within five months (Federal Trade Commission 2003b). [Full Text]

Finally, since identity theft occurs in conjunction with a variety of other crimes, and given the limited resources that may be available to you, it may not be feasible to address all such crimes at once. It may be more effective to be on the lookout for rashes of specific types of identity theft, such as credit card fraud or immigration fraud (if your jurisdiction is near an entry point). Focusing on a specific crime will make it easier to collect relevant information and to measure response effectiveness.

Specific Responses to Identity Theft

Prevention

  1. Raising businesses’ awareness of their responsibility to protect employee and client records. Offenders steal many identities from inadequately protected business records. There are many common-sense, low-tech ways to protect databases. You may work through local business associations, or establish working relationships with local businesses. Do not assume that all, or even most, businesses are aware of the opportunities afforded identity thieves by poor protection of their records. Many businesses do not institute security procedures because they do not consider them cost-effective. Mindful of businesses’ reasonable concern for profits, you should try to convince businesses that the costs of losing data, in terms of both their reputation with clients and possible lawsuits by victims, are much higher than those of following the many simple procedures to protect private information. State and/or federal laws such as GLB (Gramm-Leach-Bliley Act), HIPAA (HealthInsurance Portability and Accountability Act of 1996), and FACTA (Fair and Accurate Credit Transactions Act) require certain businesses or institutions to protect information better. The Internet provides considerable information on how businesses should protect their records. The Privacy Rights Clearinghouse recommends the following practices:
    • Develop a comprehensive privacy policy that includes responsible information-handling procedures. Use a shredder or similar document-disposal method.
    • Conduct regular staff training, new-employee orientations, and spot checks on proper information care.
    • Support and participate in multi-agency financial-crimes task forces.
    • Limit data collection to the minimum of information needed; for example, limit requests for social security numbers.
    • Put limits on data disclosure. For example, must social security numbers be printed on paychecks, parking permits, staff badges, time sheets, training program rosters, staff promotion lists, monthly account statements, client reports, etc.?
    • Restrict data access to only those employees with a legitimate need to know. Audit electronic trails. Impose strict penalties for browsing and illegitimate access.
    • Conduct employee background checks. Screen cleaning services, temp services, etc.
    • Include responsible information-handling practices in business school courses, and even in elementary schools, if children have access to computers.
  2. Educating people about protecting their personal information. The Internet has an enormous amount of information on how to avoid becoming an identity theft victim (see Appendix B for a selection of the main sources). Some police departments include special sections on identity theft on their websites, all with information on how to protect one’s identity. To get the message out, you need to work through the community’s main support organizations: schools, consumer advocacy groups, seniors’ community centers and organizations, neighborhood watch meetings, and other community service groups. If your police department has a website, include information sources on protecting identity on the site. If budget permits, print out information brochures to hand out at meetings. The best publication on preventing identity theft is available free on the Internet or from the Federal Trade Commission: Identity Theft: When Bad Things Happen to Your Good Name. [Full Text]It should be emphasized, however, that there have been no scientific evaluations of the effectiveness of the advice given in this document and on many websites. Much of the advice is “common sense” (for example, don’t leave personal information such as credit card statements in your trashcan).
  3. Collaborating with government and other service organizations to protect private information. Social security numbers and driver’s licenses are the two most common forms of identification used in the United States. While identity theft awareness has increased considerably since the Identity Theft Act of 1998, agencies still need support in efforts to reduce the use of social security numbers as identifiers (very common on health insurance cards, for example), and local agency personnel may need to be constantly reminded of the risks involved in lax use of private information. Although some of the following recommendations are probably beyond the scope of local police, it is important that you work with agencies concerned about these issues, since it helps solidify your relationship with those whose help you may need to investigate identity theft cases or help victims resolve the problems they face, such as getting a new driver’s license. The Privacy Rights Clearinghouse recommends the following practices:
    • Keep social security numbers out of general circulation.
    • Prohibit the use of social security numbers to obtain a driver's license, health insurance ID, or other forms of identification.
    • Prohibit the sale of social security numbers, available now on information-broker websites.
    • Maintain central clearinghouses in each state for lost and stolen driver's licenses.
    • Conduct better photo- and ID-checking for new, duplicate, and replacement IDs.
    • Restrict access to birth certificates in states where they are now publicly accessible.
    • Remove social security numbers and other sensitive information from public records, especially when accessible on the Internet.
  4. Working with local banks to encourage credit card issuers to adopt improved security practices. The major credit card companies have national and international reach, so it is unlikely that your local efforts will directly influence their security policies. It is also clear that their marketing policies sometimes contribute to identity theft—such as the massive number of preapproved offers of credit they mail to consumers. However, local banks often have agreements with the major credit card companies, especially as many ATM (or debit) cards also serve as credit cards. Thus, local banks, as customers of credit card companies, may have some influence on their card-issuing policies. In addition, by working closely with local banks, you may make it easier to establish procedures for local identity theft victims to repair the damage done, and get their accounts operating again. Bear in mind that some financial institutions won’t give investigators information about their clients’ accounts unless through a court order or similar legal process (the new Fair and Accurate Credit Transactions Act removes this requirement as of June 2004). However, they will give the information to their client—the victim. Thus, working closely with the victim is vital (see response #6). You should urge your local banks and businesses to pressure credit card companies to do the following:
    • Conduct better identity verification, especially when the person’s address is reported as changed or differs from what his or her credit report indicates.
    • Conduct better identity verification for those using pre-approved credit cards. Don't rely solely on social security numbers. Have the person provide his or her utility bills, tax record address, etc.
    • Improve identity checking procedures for "instant" credit, favored by identity thieves.
    • Put photographs on credit cards, or other authentication indicators such as smart chips or PINS.
    • Request additional ID when verifying credit card purchases at the point of sale.
    • Enable customers to put passwords on credit accounts.
    • Truncate digits on account numbers printed on receipts at the point of sale.
    • Use account-profiling systems to detect unusual activity. Notify the consumer of possible fraud.
    • Check if there is an existing account in the applicant's name.
    • Check the social security master-death index.
    • Reduce the number of pre-approved credit applications mailed to consumers. Don't mail such offers to anyone under 18. Print an opt-out phone number prominently on all such offers (1-888-5OPTOUT).
    • Prohibit convenience checks, or at least provide an opt-out to credit card and bank customers.
  5. Tracking delivery. Much of identity theft depends on the delivery of documents and products.30 Vacant houses or apartments are prime locations for delivery of products or diverted mail. Credit applications or driver’s license renewal forms are at risk in mailboxes; products bought with stolen credit cards on the Internet are delivered to such addresses. Maintaining a close relationship with local postal inspectors and delivery companies such as UPS or FedEx may help you track items back to thieves. You can work with the local post office and delivery companies to train employees to
    • take note of deliveries to houses that are vacant or up for sale;
    • spot driver’s license renewals and credit card statements that go to unfamiliar addresses; and
    • maintain records of applications to forward mail or packages (the Postal Service now requires people to show ID to submit a change-of-address or mail-forwarding application).

Victim Assistance

  1. Working with the victim. Victims have many protections under federal and state law that prevent them from being liable for unauthorized charges, withdrawals, or other unlawful activities of identity thieves. They also have rights regarding the accuracy of their credit reports. Police need to understand how consumers are protected, and provide victims with educational resources that explain their rights and the steps they need to take to assert them. The FTC’s comprehensive guide, When Bad Things Happen to Your Good Name, and its website, www.consumer.gov/idtheft, provide consumers with the information they need to deal with fraudulent debts and any negative credit-report information resulting from identity theft.

    Communicating with victims is important, as well.The most frequent complaint the Identity Theft Resource Center receives is that “the police just don’t care.”It is important to let victims know that the police do care and do understand. Remember that identity theft victims have been repeatedly victimized. Identity theft is an emotionally harmful crime. Furthermore, you should be aware that victims typically uncover more evidence in a case than do investigators, and more rapidly. Thus you should quickly develop a close working relationship with the victim. The steps you can take to do so are as follows:31

    • Assure the victim that you will take a police or incident report and give him or her a copy. This is important because many, if not all, identity theft crimes fall under several jurisdictions. For example, the offender steals the credit card in one state and uses it in another; the card company is located in yet a different state; and the victim lives elsewhere. Even though there may be many cross-jurisdictional issues involved, you should immediately respond to the victim by preparing a police or incident report. Without one, the victim will have difficulty filing an identity theft affidavit. At a minimum, file a report with the FTC Consumer Sentinel database.
    • Have available the Identity Theft Victim Guide, which outlines what steps a victim should take, and how the victim should prepare for the investigator’s phone call or visit. It should be mailed to the victim, as well as available on your department’s website. The guide should list what steps your department takes after receiving a complaint, and exactly what information and documentation the victim needs to provide when interviewed.
    • Recommend that, for the initial meeting, the victim prepare a rough written draft of the case. The victim should provide his or her name and contact details; state when he or she discovered the fraud; list any fraudulent activity to date, in chronological order; list the affected accounts; and provide facts about the imposter, if any are known.
    • At your initial meeting with the victim, he or she may be frustrated and angry. Inform the victim what it’s like “behind the scenes” of a fraud investigation; what the procedures will be from this point forward; how soon it will be before a copy of the police report is available; when he or she will hear from you next; and what the chances are of catching the offender.
    • Help victims to understand and exercise their rights under the federal credit laws. They will have to take many steps to restore their accounts, be released from fraudulent debts, and clean up their credit reports. Many of these steps must be followed up in writing. Therefore, direct the victim to Internet resources (such as the FTC website, www.consumer.gov/idtheft), or give the victim written materials that explain how the recovery process works. Help the victim secure the necessary paperwork, such as an identity theft affidavit, and give the victim a copy of the police or incident report regarding his or her case. Also give the victim information on how to contact the credit-reporting companies.
    • Enter the victim’s complaint information into the FTC’s Identity Theft Data Clearinghouse, letting the victim know that you are doing so on his or her behalf, or advise the victim to file a complaint with the FTC, either online at www.consumer.gov/idtheft, or by calling 1-877-ID-THEFT (1-877-438-4338). Explain to the victim that while the individual identity theft complaint may not be enough to bring to a prosecutor, putting it into the national database will enable investigators across the country to combine it with any other complaints about the same offender, making prosecution more likely.
  2. Preparing a plan to prevent or minimize the harm of identity theft when large identity databases have been breached. When a business or government agency reports that its employee records or client databases have been violated, police and others must act quickly to reduce the amount of time the thief has to use the stolen identities. Such a case occurred in California when a thief broke into state government databases and stole personal information of 265,000 employees, including the governor. The following steps were taken:
    • Toll-free, dedicated phone lines were set up for employees to call the three major credit bureaus to warn of the theft.
    • Employees received information packets on what to do to protect their identities and reduce damage, how to read credit reports, how a fraud alert on a credit file works, and so on.
    • The state held workshops for employees, distributed videos, and launched a webpage with helpful informati
    The FTC has published a response guide on what a business should do if files with customers’ personal information have been compromised. It sets out a step-by-step plan and includes a model letter to notify customers whose information was compromised. The guide is available online at http://www.ftc.gov/bcp/conline/pubs/buspubs/idtbizkit.htm.