Saturday, September 29, 2012

Identity Theft Laws and Your Rights

Although identity theft is an old profession, new identity theft laws are just being introduced. This crime has only recently been raised to new levels of awareness due to its growth and impact on individuals and businesses. New laws are being introduced to recognize identity theft as a crime and provide tougher punishment for criminals convicted of identity theft. There are also federal and state identity theft laws requiring businesses to take certain responsibility for protecting consumer personal information collected in the course of their business transactions. Let's first cover the federal identity theft laws as described on the Federal Trade Commission's web site:

Credit

Fair Credit Reporting Act

The Fair Credit Reporting Act (FCRA) establishes procedures for correcting mistakes on your credit record and requires that your record only be provided for legitimate business needs. The Federal Trade Commission (FTC), the nation’s consumer protection agency, enforces the FCRA with respect to consumer reporting companies. The Fair Credit Reporting Act requires each of the nationwide consumer reporting companies – Equifax, Experian, and TransUnion – to provide you with a free copy of your credit report, at your request, once every 12 months to help you detect errors and identity theft. The FCRA promotes the accuracy and privacy of information in the files of the nation’s consumer reporting companies.

Fair and Accurate Credit Transaction Act

The 2003 addition of FACTA (Fair and Accurate Credit Transaction Act) to the Fair Credit Reporting Act (FCRA) and identity theft laws was intended to fight identity theft. While the FCRA was originally created to promote the accuracy, fairness, and privacy of consumer information in the files of reporting agencies, the FACT Act was specifically intended to fight identity theft by giving consumers certain rights if they become, or suspect they are becoming, an identity theft victim.

Fair Credit Billing Act

This law establishes procedures for resolving billing errors on your credit card accounts. It also limits a consumer's liability for fraudulent credit card charges to $50. The law applies to "open end" credit accounts, such as credit cards, and revolving charge accounts such as department store accounts. It does not cover installment contracts.

Fair Debt Collection Practices Act

The Fair Debt Collection Practices Act prohibits debt collectors from using unfair or deceptive practices to collect overdue bills that your creditor has forwarded for collection. Personal, family, and household debts are covered under the Act.

Electronic Fund Transfer Act

The Electronic Fund Transfer Act provides consumer protection for all transactions using a debit card or electronic means to debit or credit an account. It also limits a consumer's liability for unauthorized electronic fund transfers.

Criminal

The criminal identity theft laws are closely related to, and deal directly with, the identity theft issue.

Identity Theft and Assumption Deterrence Act

This act is also known as the "Identity Theft Act" and deals directly with the identity theft issue. This law makes it a federal crime when someone: "knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law."

Identity Theft Penalty Enactment Act

This law was passed on July 15, 2004, when President Bush signed a law requiring tougher punishment for criminals convicted of identity theft. This law increases existing penalties for the identity theft crime, identifies aggravated identity theft as a criminal offense, and establishes mandatory penalties for aggravated identity theft.

Privacy and Information Security

These identity theft laws relate to certain government agency and private organization responsibilities with regard to personal information privacy and protection:

Red Flags Rules

The Red Flags rules are the set of identity theft laws that financial institutions and creditors must follow to implement the necessary controls to prevent, detect and respond to identity theft.

Driver's Privacy Protection Act of 1994

This law puts limits on disclosures of personal information in records maintained by departments of motor vehicles.

Family Education Rights and Privacy Act of 1974

This law puts limits on disclosure of educational records maintained by agencies and institutions that receive federal funding.

Gramm-Leach-Bliley Act

This law requires the FTC, along with the Federal banking agencies, the National Credit Union Administration, the Treasury Department, and the Securities and Exchange Commission, to issue regulations (to be codified at 16 CFR Part 313) ensuring that financial institutions protect the privacy of consumers' personal financial information. Such institutions must develop and give notice of their privacy policies to their own customers at least annually, and before disclosing any consumer's personal financial information to a nonaffiliated third party, must give notice and an opportunity for that consumer to "opt out" from such disclosure.

Health Insurance Portability and Accountability Act of 1996

Also known as HIPAA, this privacy rule regulates the security and confidentiality of patient information. It took effect on April 14, 2001, with most covered entities (health plans, health care clearinghouses and health care providers who conduct certain financial and administrative transactions electronically) having until April 2003 to comply. It requires standards for privacy of individually identifiable health information.

Payment Card Industry (PCI)

The PCI Data Security Standards (DSS) are explicit guidelines for securing credit card information. MasterCard, Visa, American Express, JCB, and Discover created these standards. These new rules affect any U.S. organization, regardless of size, that processes, stores, or transmits credit card data. The bank that processes the organization’s transactions may fine an organization that fails to comply with the PCI standards and suffers a data breach. Nonprofit organizations are not exempt.
