Bill Introduced to Congress Would Allow ID Theft Restitution

verybadradio writes with an article at News.com about a bill introduced into Congress that would allow citizens who have been victimized by identity theft to seek repayment for the money and time spent repairing their credit history. The bill was introduced by Democrat Patrick Leahy of Vermont and Republican Arlen Specter of Pennsylvania. "Last year, 8.4 million Americans were victims of identity theft, and many were left with a bad credit report, which takes months or years to repair, the lawmakers said ... The bill would also eliminate a requirement that the loss resulting from damage to a victim's computer must exceed $5,000 for prosecution; make it a felony to use spyware or keyloggers to damage 10 or more computers; and expand the definition of cybercrime to include extortion schemes that threaten to damage or access confidential information on a computer."

Hmm

[orclevegam]

It all sounds good except this line makes me a bit nervous:

and expand the definition of cybercrime to include extortion schemes that threaten to damage or access confidential information on a computer.

Would threatening to expose a security flaw in a server or website unless it was patched open you up to prosecution under cybercrime laws then? I know that's already fairly shaky ground from a legal standpoint, but would this make it even worse?

New laws really necessary?

[RandoX]

So are you telling me that no other laws actually forbid any of these things already? What's wrong with those laws?

Usually

[evanbd]

My usual reaction to identity theft laws is "Aren't existing fraud laws sufficient?"

At least at first glance, however, this bill seems to be doing more, and doing it in a useful manner -- not solely a "well, let's make it more illegal!" type of bill.

The nature of the identity theft crime...

[Bill the Cat]

...cries out for an approach similar to the combating of piracy back in the 1700 and 1800's, eg) issues of letters of marque, allowing private citizens to capture or do damage to the criminals.

Re:why can't we get what the RIAA gets?

[orclevegam]

If they set the damage levels anything near what the RIAA got in their last downloading lawsuit, that would put the brakes on ID theft right quick.

Oh yes, because those Chinese, Russians, and others located outside the US are so mortally afraid of being sued for a hojillion dollars. The one good thing this law is doing is allowing the victim to recoup some of the loss, and maybe might act as incentive for the credit card companies to actually do something to reduce identity theft. The problem till now is it was always the victims eating the costs of identity theft, not the credit card and credit reporting agencies.

Re:The nature of the identity theft crime...

[kilo_foxtrot84]

...until the system is abused. Actually, a quick check shows that the US Congress is empowered by the Constitution to issue letters of marque to private citizens. I wonder if they're issued all that often now...

Can we sue the credit reporting agencies?

[140Mandak262Jamuna]

For slander or defamation?

Basically, someone impersonates me. Some bank/merchant/credit card company extends credit without verification. The impersonator defaults. They report me as the deadbeat. That is the scenario. The creditor who mistakenly reported me should be liable for slander. The credit reporting agencies should be considered accessory after the fact. So the real culprits are the people who extend credit without verification and people who report me as a deadbeat without justification. Normally if they have to face full consequences of their action, they will clean up their act and we would not need any special laws for identity theft.

But congress in its infinite stupidity holds the impersonator the responsible for my ruined reputation. The impersonator is liable for lying, cheating, committing forgery and is responsible for all the damage caused to the credulous creditor. And if they call me a deadbeat without proper verification whoever reported me as the deadbeat is responsible for the damage caused to my good name.

As usual it is a credit reporting agency liability protection act being sold to the public as an anti-ID theft law.

Re:Wow...

[pburdine]

The problem with this is that it only addresses 1 of the 5 known forms of identity theft. Financial Identity theft is estimated to be less than 26% of all ID theft crimes. For reference the other 4 are: 1) Drivers License - Someone can get using your DL # and you may have moving violations or points on your record that you don't know about it. This can happen in other states and it will take years to get back to you since the DMV's don't communicate all that well. Try fighting that. 2) Medical - Someone has procedures performed or gets checkups in your name. How would you like it if your insurance rates shot up because someone tested positive for HIV on your medical history. How about they change what you are allergic to and next time you go in they give something and you have an allergic reaction. Or maybe change your blood type. This can kill you and no one will know. 3) Character - Do you have outstanding arrest warrants in you name for crimes someone else committed? This can keep you from getting employed or you can lose your security clearance through no fault of your own. 4) Social Security - Has your SSN number been stolen and used by other people and reported to the IRS for tax reasons? You could be liable for a very large tax bill on income you didn't receive. The IRS doesn't care since most of the time they can force people to pay even though it wasn't them. Unfortunately congress doesn't seem to pay attention to the rest of these. Until they address all of them, we are all in trouble. --Peter

Re:Funny, I thought we had a mechanism for that...

[jhantin]

#include <not_lawyer.h>

The bank was the fraud victim, you're collateral damage. Er, um, no pun intended...

After the fraud uses your personal information to take money from a third party creditor, said creditor unfairly trashes your reputation, since that's the easiest recourse they have. Actual damages inflicted by the creditor in what looks to me like a defamation case might well be difficult to demonstrate, but not impossible: that nasty little clause in your credit card agreements that makes everything go to 31.99% APR if anything derogatory appears on your credit report means the defamation is costing you actual cash.

Re:Usually

[evanbd]

It's not just at a national level, and it's not just the current administration. Much as I dislike them, I don't think the current administration is all that much worse than previous ones in this regard, and a lot of the fault rests with Congress, not the Executive branch.

I recently served on a grand jury handling general local level stuff. A typical indictment for ID theft would include fraud, atm card fraud (a special law! I'm sure making it super-extra-illegal helped), identity theft (yep, specifically illegal, even though it's hard to see what makes it ID theft instead of just, well, fraud), and usually a couple others.

Re:Oh Not This Again

[suv4x4]

2. The bill in question is the wrong way to address the issue. The card associations have a solution to the problem except they won't implement it because it cuts into their fraud revenue and the costs are much higher per-card than dumb plastic/mag-stripe. The standard is called EMV. It solves 98% of fraud issues. Today. The other 2% I'll blame on bad coding.

For e-commerce it's even simpler. In our country (Bulgaria) 10 years ago we suffered from too many teen hacker wannabes for whom the greatest fun in the world was stealing credit card info and ordering books for it.

Not only people abroad suffered, but also local citizens. So, for online commerce, the solution is dead simple, when a transaction is carried out, a confirmation link is sent to your email, and you need to click that link to make money move.

Why is this better than the majority of credit cards nowadays? Well.

With mastercard or visa, I input all the information that's required to complete the purchase in the form. No secret remains mine. If this info leaks, anyone can order from my card.

With the email confirmation, I still have the password on my card account which I never input anywhere, where the email is specified. I never enter the password to my email anywhere either.

Second benefit is I get real time notification in my email when someone tries to order with my card. With regular credit card, I only see this 10 days later on my bank statement.

So I guess it's true: the credit card providers DO want the fraud to continue, since they don't implement basic confirmation techniques, despite it's neither complicated nor costly (fine, maybe it'll be costly NOW with so many merchants to update their business process, but common sense wasn't invented yesterday, what were they doing ALL THOSE YEARS..?).

Agree 100%

[Joce640k]

Re: Identity theft

People need to be notified whenever an application is made for a drivers license, bank loan, etc. Until the rightful owner of the SSN responds (eg. via telephone with a PIN), the application cannot proceed.

If people are dumb enough to carry their PIN in their wallet then they should be liable for all losses.

Re: credit cards:

I'd like to see:

a) No storage of credit card numbers by *anybody* other than the card issuer (ie. online merchants like must not store your card numbers anywhere, you need to type it in for each transaction).

b) Any credit card transaction over $100 requires secondary verification (eg. PIN, token ID).

c) More than (say) five credit card transactions in a single day triggers a verification requirement (talk to credit agency on phone, give password, say everything is Ok).

This sort of thing will never happen until the credit card companies become liable for losses. When it is done then the liability can be shifted to the people who didn't look after their PIN, etc.

PS: You can carry PINs securely - I had an account with a bank which gave you a little card with a grid of colored squares on it. The idea was to write the digits of your PIN in positions you'd remember then fill the rest of the grid with random digits. It worked beautifully - I could safely carry my PIN in my wallet and I never forgot where the PIN was. There's no reason why something like this couldn't be printed as standard on the back of all credit cards instead of the stupid signature strip which is too small to sign properly and nobody ever looks at anyway.

FICA contributions

[GPS Pilot]

If a person uses a stolen Social Security number to get a job, I would like to see all FICA contributions made by the employee and employer to remain credited to the identity theft victim, even after the fraud is discovered.

That the victim will someday receive larger Social Security checks would be some consolation.

[Yes, this measure would have a negative impact on the illegal immigrant population, because few other groups have any reason to use stolen Social Security numbers when applying for a job.]

Re:Agree 100%

[unitron]

a) No storage of credit card numbers by *anybody* other than the card issuer (ie. online merchants like must not store your card numbers anywhere, you need to type it in for each transaction).

How about instead of telling fuzzysandals.com "Here's my credit card number. Tell MasterCard's computer to give you 40 of my dollars.", you connect to MasterCard.com and tell them "Give 40 bucks to fuzzysandals.com on my behalf. Here's their transaction serial number for my order." ?