Features - Identity Theft: Outline of Federal Statutes and Bibliography of Select Resources

Sara R. Paul, Reference Librarian, New York City District Attorney’s Office


Identity theft is an increasingly common crime in which a criminal obtains a victim’s Personal Identifying Information (PII) to commit fraud or other crimes. The daily news is full of these stories, ranging from anecdotal tales of an individuals’ stolen identity to lapses in security surrounding sensitive consumer data.

Researching the topic can be a daunting task. Indeed, the recent proliferation of materials, along with the fact that case law is growing exponentially, means that there is a rather large body of literature. In addition, the actual act of identity theft is dynamic and constantly evolving, thus any technical materials are being continually revised.

The following bibliography outlines the pertinent federal statutes and resources for researching Identity Theft. Included is a list of newsletters and blogs that can be used to keep abreast of new developments, such as a bill introduction or a major security breach.

Table of Contents

I. Federal Statutes
A. Identity Theft Statutes
B. False Identification Statutes
C. Statutes Governing Privacy and the Use of Personal Data
D. Federal Credit Laws
II. Sources for Further Research
A. Legal Reference Materials
B. Select Treaties
C. Websites
D. Resources for Keeping Current
III. Topical List of Selected Articles and Publications
A. Identity Theft in General
B. Phishing and Other Forms of Cyber ID Theft
C. Credit Law and Credit Bureaus
D. Data Brokers and Breach of Security
E. Resources for Law Enforcement
F. Civil Liability and Risk Management

 

I.  Federal Statutes

A wide range of federal laws relate to identity theft. Laws can be grouped into four main categories: Identity theft specific laws, false identification laws, privacy and personal data laws, and credit law. Identity theft specific laws are those that were designed and enacted to criminalize the act of identity theft. False Identification laws deal specifically with fraud in connection with personal identifying documents. Privacy and personal data laws can help prevent identity theft by regulating how personal identifying information (PII) is collected and disseminated. Laws regarding credit directly impact victims of identity theft, as those individuals must restore their credit ratings and limit their liability for unauthorized debts. In particular, the following statutes are frequently cited in the literature regarding identity theft.

A.  Identity Theft Statutes

1. Identity Theft and Assumption Deterrence Act of 1998
P.L. 105-318
Enacted H.R. 4151, October 30, 1998
112 Sat. 3007, codified at 18 U.S.C § 1028
  • The Identity Theft and Assumption Deterrence Act of 1998 was the first piece of federal legislation to deal directly with identity theft. For the first time, ID Theft became a named federal crime, making it somewhat easier for law enforcement to prosecute. The Act established the Federal Trade Commission (FTC) as the government entity charged with establishing “procedures to ... log and acknowledge the receipt of complaints by individuals", as well as educate and assist potential victims. The term “means of identification" is described as a person’s "name, social security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number." (18 U.S.C. § 1028(d)(7)). The U.S. Sentencing Commission is directed to incorporate the crime of ID theft into the United States Sentencing Guidelines Manual (United States Sentencing Commission, Identity Theft: Final Report)

2.  Identity Theft Penalty Enhancement Act
P.L. 108-275
Enacted H.R. 1731 / S.153, July 15, 2004
118 Stat. 831, Added 18 U.S.C. § 1028A

  • The Identity Theft Penalty Enhancement Act, passed in July 2004, established penalties for aggravated identity theft. This includes instances when identity theft has been used as one step in a process of more serious crimes, such as terrorist acts, immigration violations, and firearms offenses. The Act directs the U.S. Sentencing Commission to amend the Federal sentencing guidelines so that individuals who gain access to the information used to commit identity theft at their place of employment face increased penalties. The amendments set fourth by the United States Sentencing Commission, implementing sections 2 and 5 of the Identity Theft Penalty Enhancement Act were published in the May 11, 2005 Federal Register.  The Fair and Accurate Credit Transactions Act of 2003.
3.  The Fair and Accurate Credit Transactions Act of 2003
P.L. 108-159
Enacted H.R. 2622 / S. 1753, December 4, 2003
117 Stat. 1952, U.S.C. § 1681 et seq.
  • Section 5 of the Fair and Accurate Credit Transactions Act (FACTA), an amendment to the Fair Credit Reporting Act, specifically addresses identity theft and related consumer issues. Victims of identity theft are granted the ability to work with creditors and credit bureaus to remove negative information in their credit report resulting from identity theft. FACTA also created requirements to prevent identity theft, such as requiring merchants to truncate credit card numbers on receipts, and enabling consumers to request that a credit bureau truncate their Social Security number when disclosing their credit report (15 U.S.C. § 1681g(a)(1)(A)). Individuals can also order a copy of their credit report free of charge once every year (15 U.S.C. § 1681j). In an effort to give credit bureaus time to comply with these new regulations, the FTC created a rolling effective date, based on the state of the consumer's residence (Effective Dates for the Fair and Accurate Credit Transactions Act of 2003, 16 CFR Part 602). FACTA also enabled consumers to place three different types of fraud alerts intended to stop credit grantors from opening any new accounts. An individual who suspects they are, or are about to become, the victim of ID theft, can place an "initial alert" in their file. If an individual has been a victim of ID theft, and has filed report with a law enforcement agency, they can then request an “extended alert.” After an extended alert is activated, it will stay in place for seven years, and the victim may order two free credit reports within 12 months. For the next five years, credit agencies must exclude the consumer's name from lists used to make pre-screened credit or insurance offers. Finally, military officials are enabled to place an "active duty alert" when they are on active duty or assigned to service away from the usual duty station (15 U.S.C. § 1681c-1).

<Table of Contents>

B.  False Identification Statutes

1. False Identification Crime Control Act of 1982
P.L. 97-398
H.R. 6946, December 31, 1982
96 Stat. 2009, Added 18 U.S.C § 1028 & 18 U.S.C. § 1738

  • The False Identification Crime Control Act of 1982 was passed to prohibit fraud in connection with identification documents. The act added two new statutes, "Fraud and related activity in connection with identification documents" (18 U.S.C. § 1028) and "Mailing private identification documents without a disclaimer” (18 U.S.C. § 1738, since repealed by P.L. 106-578). Violators face fines and/or imprisonment for producing or transferring an identification document known it to be false or stolen. The Act also prohibited producing, transferring, or possessing a document-making device with the intent to produce false identification documents. However, the usage of the word “document” indicated that a defendant would have to actually possess the physical identification.


2.  Internet False Identification Act of 2000
P.L. 106-578
Enacted S. 2924, December 28, 2000
114 Stat. 3075, Codified at 18 U.S.C 1001, 1028

  • The Internet False Identification Act of 2000 amended the False Identification Crime Control Act of 1982 to encompass computer-aided false identity crimes. Essentially, the Act expanded the scope of the fraudulent identification document crime to include document transfer by electronic means. Indeed, one of the main goals of the act was to end the distribution of counterfeit identification documents over the web. According to the FDIC, the Act closed “a loophole left by the ID Theft Act, [enabling] law enforcement agencies to pursue those who formerly could sell counterfeit social security cards legally by maintaining the fiction that such cards were "novelties" rather than counterfeit documents” (Putting an End to Account-Hijacking Identity Theft, FDIC). As a result, the statute now accounts for computer-facilitated crimes of false identity and prohibits the possession, production, or transfer of false identification documents or identification documents that were not legally issued to the possessor (18 U.S.C. §§1028 (a)(1), (2)). It also prohibits the production, transfer, or possession of any "document making implement" that is intended for use manufacturing false identification documents (18 U.S.C. §§1028 (a)(5)).

C. Statutes Governing Privacy and the Use of Personal Data

1.  Privacy Act of 1971
P.L. 93-579
Enacted S.3418, December 31, 1974
88 Stat. 1896, Codified 5 U.S.C. § 552a

  • The 1974 Privacy Act was implemented to give individuals more control over the government's collection and use of personal identifying information. Under the act a government agency can collect only information that is relevant and necessary to accomplish the particular agency functions (5 U.S.C. § 552a(e)(1)). Federal agencies are also limited in the extent to which they can disclose records. An individual must consent in writing, a court order must be placed, or the disclosure must fall within one of the exceptions provided in the statute. Regarding the usage of social security numbers as an identifier, the Privacy Act requires any federal, state or local government agency to tell you if the number is required, what will be done with it, and what will happen if you refuse to provide it (U.S.C. § 552a). The Privacy Act failed to address personal information collected by private parties, such as data brokers, collection agencies or consumer credit groups.
2.  Drivers Privacy Protection Act of 1994
P.L. 103-322 (Title XXX), amended by 106-69
Enacted, as amendment to H.R. 3355, September 13, 1994
108 Stat. 2099, 18 U.S.C. §§ 2721-2725
  • Congress passed the Driver's Privacy Protection Act (DPPA) as an amendment to the Omnibus Crime Act of 1994. Prior to passage of the DPPA, anyone could pay a couple dollars, and obtain a driver’s full name, address, birth date and license number. The DPPA limited the use of a driver's motor vehicle record to certain purposes (18 U.S.C. § 2721). Essentially the act was passed to make it more difficult to obtain an individual’s PII. After being challenged by a South Carolina court alleging that the Act violated principles of federalism, the Supreme Court upheld the constitutionality of the Drivers Privacy Protection Act under Congress’s authority to regulate interstate commerce within the Commerce Clause (Reno v. Condon, 528 U.S. 141 (2000)).

3.  Health Insurance Portability and Accountability Act of 1996 (HIPAA)
P.L. 104-191
Enacted H.R. 3103, August 21, 1996
110 Stat. 1936, codified 42 U.S.C. 1320

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires healthcare providers and insurers to create and maintain electronic patient records, in order to improve confidentiality and efficiency. The confidentially provisions limit the way doctors, health plans, pharmacies, hospitals and medical providers use patients' medical information. HIPAA protects “individually identifiable health information,” meaning any data "created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse" relating to a patients physical or mental condition or care (42 U.S.C. § 1320d(4)). HIPAA requires health providers to send a privacy notice that states their policies for sharing individually identifiable health information without consent. Only when a patient gives consent, may a provider disclose individually identifiable health information. In effect, HIPAA implies a duty to disclose security breaches to affected individuals.


4.  Gramm-Leach- Bliley Act of 1999
P.L. 106-102
Enacted S. 900, November 12, 1999
113 Stat. 1338, 15 U.S.C. § 6801, et seq.

  • The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, provides limited privacy protections against the sale of consumer financial information. The financial privacy provisions of GLBA are located in subchapter 1, “Disclosure of Nonpublic Personal Information” (15 U.S.C. § 6801-6809), and subchapter 2, “Fraudulent Access to Financial Information” (15 U.S.C. § 6821-6827). Both contain specific prohibitions against gathering or disclosing consumer’s financial information under false pretenses. GLBA specifically makes it a crime to obtain customer information by means of false or fraudulent statements to an officer, employee, agent or customer of a financial institution (15 U.S.C.6821, 6823). Gramm-Leach- Bliley instructs eight federal regulatory agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule, to ensure that financial institutions prevent unauthorized disclosure of consumer financial information, including fraudulent access, by implementing appropriate policies, procedures and controls.


5.  Social Security Number Confidentiality Act of 2000
P.L. 106-433
Enacted H.R. 3218, November 6, 2000
114 Stat. 1910, 31 U.S.C. § 3327

  • The Social Security Confidentially Act of 2000 prohibits displaying social security numbers on unopened checks or other Treasury issued drafts.


<Table of Contents>

D. Federal Credit Laws

1. The Fair Credit Reporting Act
P.L. 91-508 (Title VI § 601)
October 26, 1970
84 Stat. 1128, 15 U.S.C. § 1681 to 1681u

  • The Fair Credit Reporting Act (FCRA) regulates consumer reports and consumer reporting agencies (15 U.S.C. § 1681 et seq.). Since the original FCRA’s passage in 1970, various amendments have altered the standards used for the collection and dissemination of credit information. The Consumer Credit Reporting Reform Act of 1996, amended the FCRA to expand the ability of companies to share consumer reports among affiliates if it is clearly disclosed to the consumer, and the consumer has had a chance to opt-out, prior to the actual disclosure. The next major overhaul was the Fair and Accurate Credit Transactions Act of 2003 (see above).

2. Truth in Lending Act
P.L. 90-321 (Title I § 104)
May 29, 1968
82 Stat. 147, 15 U.S.C. § 1601

  • The Truth in Lending Act limits liability for fraudulent credit card charges to $50.00, in most situations. It also requires "meaningful disclosure" of key information in any consumer credit transaction (15 U.S.C. § 1601).

3.  Electronic Fund Transfer Act
P.L. 95-630 (Title XX § 2001)
November 10, 1978
92 Stat. 3728, 15 U.S.C. § 1693 et seq.

  • The Electronic Fund Transfer Act provides a basic framework of the rights, liabilities, and responsibilities of parties involved in making electronic fund transfers. It grants consumers protections when using a credit or debit card for financial transactions (15 U.S.C. §1693).

4.  Fair Credit Billing Act
P.L. 93-495 (Title III)
October 28, 1974
88 Stat. 1511, 15 U.S.C § 1666 et seq.

  • The Fair Credit Billing Act establishes procedures for resolving billing errors on credit card accounts when the consumer reports such unauthorized activity within certain time frames (15 U.S.C. § 1666)

<Table of Contents>

 

II.  Sources for Further Research

A. Legal Reference Materials

  • Best, R. A. (2004). Identity Theft: A Legal Research Guide. Buffalo, NY: William S. Hein & Co.

  • Manz, W. H. (2005). Federal Identity Theft Law: Major Enactments of the 108th Congress. Buffalo, NY: William S. Hein & Co.

  • Menninger, K. (2005). Identity Theft and Other Misuses of Credit and Debit Cards. American Jurisprudence Proof of Facts 3d, 81:113.

  • Newton, M. (2004). The Encyclopedia of High-Tech Crime and Crime-Fighting. New York, NY: Checkmark Books.

    B. Select Treatises

  • Fischer, L.R. The Law of Financial Privacy. Austin, TX :A.S. Pratt & Sons.

  • Law of Internet Security and Privacy. New York, NY: Aspen Law & Business.

  • Cronin, K.P. & Weikers, R.N. Data Security and Privacy Law: Combating Cyberthreats. St. Paul, Minn: Thomson/West.

  • Consumer Credit Guide. Chicago, Ill: CCH.

    C. Websites

    1. Non-Profit Groups
    Non-profit organizations produce a large quantity of work on identity theft. Consumer advocates and privacy groups have a special interest in the protection of an individual’s good credit and financial information.

  • American Association of Retired Persons: Credit and Debit

  • Call For Action: Identity Theft

  • Consumers Union: Money: Identity Theft

  • Electronic Privacy Information Center

  • Identity Theft Resource Center: A Non- Profit Organization

  • NCJRS: Identity Theft Spotlight

  • National Association of Consumer Advocates

  • Privacy Rights Clearinghouse: Identity theft

  • Public Interest Research Group (PIRG): Credit Report and Identity Theft

  • 2. Federal Government Agencies
    There are 5 main federal non-judicial agencies that have a role in deterring or prosecuting identity theft. Since all five agencies have significant statutory mandate in this area, they maintain websites that contain information for citizens, statistical reports and other materials.

    a) Federal Trade Commission
  • FTC: Identity Theft

  • Consumer Sentinel

  • b) Social Security Administration

  • Identity Theft and Your Social Security Number

    c) The Department of Justice

  • Identity Theft and Identity Fraud

  • National Criminal Justice Reference Service: In the Spotlight: Identity Theft

  • d) The Department of the Treasury

  • Identity Theft Fact Sheet

  • The Many Faces of Identity Theft

  • e) Postal Inspection Service

  • US Postal Inspection Service: Identity Theft

  • f) Other Federal Resources

  • FDIC: Consumer Alerts - Identity Theft

  • Better Business Bureau: Identity Theft
  • US Department of Education: Reduce Your Risk
  • Office for Victims of Crimes: Identity Theft

  • FBI & NWCC: Internet Fraud Complaint Center

  • National Crime Prevention Council
  • 3. Statutes and Pending Legislation

    a) Statutes

  • Identity Theft: A Bibliography of Federal, State, Consumer and News Resources (LLRX)
  • Identity Theft: State Statutes (National Conference of State Legislatures)
  • Outline of State Consumer Notification Laws (Gibson Dunn) and
    Accompanying article, Security Breach Notifications: a State and Federal Law Maze
  • States Tackle Identity Theft (The Council of State Governments: Eastern Regional Council)
  • States with Security Freeze Laws (Consumers Union)
  • Summary of State Security Freeze and Security Breach Notification Laws (State PIRG)
  • b) Resources for Tracking Proposed Legislation

  • Security Breach Bills in the State Legislatures Plus New York City (Virtual Chase)
  • Increased Social Security Number Legislation (National Conference of State Legislature)
  • Financial Privacy Legislation (National Conference of State Legislatures)
  • States with Security Freeze Bills (The Consumers Union)
  • <Table of Contents>

     

    D. Resources for Keeping Current

    1) Free Journals and Newsletters

  • BNA’s Internet Law News
  • Crypto-Gram
  • Epic Alert
  • Digital ID World

    2) Subscription Based Newsletters and Journals
  • Consumer Credit Report Summary (CCH)
  • Computer Technology Law Report (BNA)
  • E-Commerce Law Daily (BNA)
  • Electronic Commerce & Law Report (BNA)
  • Financial Privacy Law Report Summary (CCH)
  • Mealey’s Privacy Watch (LexisNexis/Mathew Bender)
  • Privacy & American Business (Center for Social & Legal Research)
  • Privacy & Information Law Report (Glasser LegalWorks)
  • Privacy & Security Law Report (BNA)
  • Privacy Law Watch (BNA)
  • Privacy Journal (Robert Ellis Smith)
  • Privacy Times (Evan Hendricks)
  • 3) Blogs & News Sources with RSS Feeds
    • beSpacific: ID Theft Archives
    Feed URL: http://www.bespacific.com/index.rdf 
    • The Daily Caveat: An Investigator's Perspective
    Feed URL: http://www.caveat.net/blog/atom.xml        
    • PI news Link: Articles of Note for the Investigator
    Feed URL: http://yourpinews.blogspot.com/atom.xml 
    • Computerworld: Security Knowledge Center
    Feed URL: http://www.computerworld.com/news/xml/0,5000,73,00.xml
    • CNET News.com | Security >> Privacy & data protection
    Feed URL: http://news.com.com/2547-1_3-0-5.xml 
    • Consumers Union
    Feed URL: http://www.consumersunion.org/index.xml
    Consumer Union Weblog, The Scribbler
    Feed URL: http://www.consumersunion.org/scribbler/index.rdf
    • ConsumerAffairs.com News Service
    Feed URL: http://www.consumeraffairs.com/rss/feed.xml
    • CIO.com - Cybercrime/Hacking
    http://www2.cio.com/search/rss/feed13.xml 
    • Bank Systems & Technology (part of Information Week Media Network)
    Feed URL: http://www.financetech.com/rss/all_bt.jhtml 
    • Emergent Chaos: Musings from Adam Shostack on security, privacy, and economics
    Feed URL: http://www.emergentchaos.com/index.rdf 
    • Gartner Research: Security and Privacy
    Feed URL: http://www3.gartner.com/research/focus_areas/rss/asset_48267.xml
    • Payments News
    Feed URL: http://www.paymentsnews.com/atom.xml 
    • Privacy.org - The Source for News, Information, and Action
    Feed URL: http://www.privacy.org/index.rdf
    • The Register: Identity News for the world
    Feed URL: http://www.theregister.co.uk/security/identity/headlines.rss 
    • Secure ID: News and Information on Identification Technology
    Feed URL: http://www.secureidnews.com/index.xml
    • Slashdot: Security Stories
    Feed URL: http://slashdot.org/rss/slashdot.rss
    • ScamSafe
    Feed URL: http://www.scamsafe.com/scamsafe/atom.xm l
    • The Virtual Chase: Research News
    Feed URL: http://www.virtualchase.com/RSSFeeds/tvcalert_rss.xml 
    • Techdirt: Scams
    Feed URL: http://www.techdirt.com/techdirt_rss.xml
    • GovTrack.us: Identity Theft
    Feed URL: http://www.govtrack.us/congress/subjects.xpd?type=crs&term=Identity%20theft 

    <Table of Contents>

     

    III. Topical List of Selected Articles and Publications
    A. Identity Theft In General

    Allison, S. F. H., Schuck, A. M., & Lersch, K. M. (2005). Exploring the Crime of Identity
    Theft: Prevalence, Clearance Rates, and Victim/Offender Characteristics. Journal of Criminal Justice, 33(1), 19.

    Gerard, G. J., Hillison, W., & Pacini, C. (2004). Identity Theft: The US Legal Environment
    and Organisations Related Responsibilities. Journal of Financial Crime 12(1) 33.

    Hayward, C. L. (Ed.). (2004). Identity Theft. Hauppauge, N.Y.: Novinka Books.

    Katel, P. (2005). Identity Theft. The CQ Researcher Online, 15(22), 517-540 .
    Retrieved 7/1/2005, from
    http://library.cqpress.com

    Lacey, D., & Cuganesan, S. (2004). Colloquium on Identity Theft: The Role of
    Organizations in Identity Theft Response: The Organization-Individual Victim
    Dynamic. The Journal of Consumer Affairs, 38(2), 244.

    Leary, T.B. (2005). Identity Theft and Social Security Numbers. Electronic Banking Law
    and Commerce Report 9:10.

    Miller, S. F. (2003). Someone Out There is Using Your Name: A Basic Primer on Federal
    Identity Theft Law. Federal Lawyer 50(1): 11.

    Slosarik, K. (2002). Identity Theft: An Overview of the Problem. Justice Professional
    15(4):329-343.

    Sovern, J. (2003). The Jewel of Their Souls: Preventing Identity Theft Through Loss Allocation Rules. University of Pittsburgh Law Review, 64:
    343-406.

    Stafford, M. R. (2004). Identity Theft: Laws, Crimes, and Victims. The Journal of
    Consumer Affairs, 38(2): 201.

    Sullivan, B. (2004). Your Evil Twin: Behind the Identity Theft Epidemic. Hoboken, NJ:
    John Wiley & Sons.

    Towle, H. (2000). Identity Theft: Myths, Methods and New Law. Rutgers Computer
    and Technology Law Journal 30: 237.

    <Table of Contents>
     



    B. Phishing & Other Forms of Cyber ID Theft

    Brenner, S. (2004). U.S. Cybercrime Law: Defining Offenses. Information Systems
    Frontiers 6:2:115-132.

    Davis, K. (2005). Can You Smell the Phish? Kiplinger's Personal Finance 59(2): 76-80.

    Finch, E. (2003). What a Tangled Web We Weave: Identity Theft and the Internet.

    In Y. Jewkes (ed.), Dot.cons: Crime, Deviance, and Identity on the Internet. Cullompton, England: Willan. Retrieved on 7/29/2005 from http://www.popcenter.org/Problems/Supplemental_Material/identity_theft/Finch_2003.pdf 

    Gomes, L. (2005, Jun 20). Phisher Tales: How Webs of Scammers Pull Off Internet Fraud. The Wall Street Journal B:1.

    Gordon-Murnane, L. (2004). Phishing. BNA’s Web Watch. Retrieved on 8/3/2005 from
    http://www.bna.com/webwatch/phishing.htm 

    Lynch, J. (2005). Identity Theft in Cyberspace: Crime Control Methods and their Effectiveness in Combating Phishing Attacks. Berkeley Technology Law Journal 20 (1):259.

    Rusch, J.J. (2005, Jan). The Compleat Cyber-Angler: A Guide to Phishing.
    Computer Fraud and Security 1:4-6.

    Sisk, M. (2005). A Phish Story. U.S. Banker. Retrieved on 8/2/2005 from

    http://www.us-banker.com/article.html?id=20050201N4N89WK9 

    Smith, M. (2005, Mar 16). Identity Theft: The Internet Connection. Congressional
    Research Service. Retrieved on 7/12/05 from
    http://fpc.state.gov/documents/organization/45263.pdf 

    <Table of Contents>
     


    C. Credit Law & Credit Bureaus

    Consumer Federation of America. (2002). Know Your Score! Retrieved on 7/2/2005
    from http://www.consumerfed.org/pdfs/knowyourscore.pdf 

    Consumers Union. (2004) How Do I Order My Free Annual Consumer Credit Reports?
    Retrieved on 7/2/2005 from http://www.consumersunion.org/creditmatters/creditmattersfactsheets/001624.html    

    Cassady, A. and Mierzwinski, E. (2004, Jun) Mistakes Do Happen: A Look at Errors in
    Consumer Credit Reports. National Association of State PIRGs. Retrieved on
    7/1/2005 from http://uspirg.org/reports/MistakesDoHappen2004.pdf

    Couch, C.P. (2002). Forcing the Choice between Commerce and Consumers:
    Application of the FCRA to Identity Theft. Alabama Law Review 53: 583.

    Electronic Privacy Information Center (2004). Credit Scoring. Retrieved on 7/1/2005
    from http://www.epic.org/privacy/creditscoring/ 

    Gollinger, J. and Mierzwinski, E. (1998, Mar). Mistakes Do Happen: Credit Report
    Errors Mean Consumers Lose. Public Interest Research Group. Retrieved on
    7/1/2005 from
    http://uspirg.org/reports/mistakesdohappen3_98.pdf

    Holt, T. J. (2004). The Fair and Accurate Credit Transactions Act: New Tool to Fight
    Identity Theft. Business Horizons 47(5): 3.

    Linnhoff, S., & Langenderfer, J. (2004). Identity Theft Legislation: The Fair and
    Accurate Credit Transactions Act of 2003 and the Road Not Taken. The Journal of Consumer Affairs 38(2): 204.

    <Table of Contents>



    D. Data Brokers & Breaches of Security

    Ackerman, L. and Pierce, D. (2005). Data Aggregators: A Study of Data Quality and
    Responsiveness. Privacy Activism. Retrieved on 8/3/2005 from

    http://www.privacyactivism.org/docs/DataAggregatorsStudy.pdf 

    Brooks, N. (2005). Data Brokers: Background and Industry Overview. Congressional
    Research Service. Retrieved on 7/12/05 from
    http://www.opencrs.com/rpts/RS22137_20050505.pdf 

    Burcum, J. (2005, Jul 2). For Sale: Your data. The Cincinnati Post. Retrieved on
    7/2/2005 from
    http://news.cincypost.com/apps/pbcs.dll/article?AID=/20050702/BIZ/507020309/1001  

    ChoicePoint Chronology. Electronic Privacy Information Center. Retrieved on
    7/12/05 from
    http://www.epic.org/privacy/choicepoint/default.html 

    ChoicePoint Data Security Breach: What It Means for You and How to Find Out
    What ChoicePoint Knows about You. (2005, Feb 19). Privacy Rights Clearinghouse. Retrieved on 7/1/2005 from
    http://www.privacyrights.org/ar/CPResponse.htm

    Claburn, T. (2005, Feb 17). Law Requires ChoicePoint To Disclose Fraud.
    InformationWeek. Retrieved on 7/1/2005 from
    http://www.informationweek.com/story/showArticle.jhtml;jsessionid=SP01BJW4XJBX2QSNDBCSKHSCJUMEKJVN?articleID=60401882 

    Gordon-Murnane, L. (2005). Data Security Breaches and Consumer Notification.
    BNA’s Web Watch. Retrieved on 8/3/2005 from
    http://www.bna.com/webwatch/databreaches.htm

    Hildebrand, M. J. & Klosek, J. (2005). Recent Security Breaches Highlight the
    Important Role of Data Security in Privacy Compliance Programs. Intellectual Property & Technology Law Journal, 17(5), 20.

    Pike, G. H. (2005, May 1). Privacy and the Database Industry. Information Today 22:5.

    PriceWaterHouseCoopers. (2005) Identity Theft and security Breach Notifications:
    Reporting on Request. Retrieved on 7/20/2005 from

    http://www.pwc.com/extweb/service.nsf/docid/38D0975DE5CFCC9785256EBA005F49FA 

    Roth, D. & Mehta, S. (2005). The Great Data Heist: Why Can't Corporations Keep
    Their Customers' Personal Data Secure? Fortune, 151(10): 66.

    Rubin Henderson, B. (2004). Hey, That’s Personal: When Companies Sell Customer
    Information Gathered through the Internet. Business Law Today 14:13.

    Sahadi, J. (2005, May 9). Your Identity… for Sale. CNN/Money. Retrieved on 7/2/2005
    from
    http://money.cnn.com/2005/05/09/pf/security_info_profit

    Smith, R.E. (2005, Mar). ChoicePoint: An Ignoble Corporate History. Privacy Journal.
    Retrieved on 7/2/2005 from
    http://www.findarticles.com/p/articles/mi_qa3872/is_200503/ai_n13461335   

    Swartz, N. (2005). Database Debacles. Information Management Journal, 39(3): 20.

    Welborn, A. (2005). Information Brokers: Federal and State Laws. Congressional
    Research Service. Retrieved on 7/12/05 from
    http://www.opencrs.com/rpts/RS22087_20050517.pdf 


    <Table of Contents>


    E. Resources for Law Enforcement

    Collins, J. M., & Hoffman, S. K. (2003). Identity Theft First Responder Manual for
    Criminal Justice Professionals : Police Officers, Attorneys, and Judges.
    Flushing, N.Y.: Looseleaf Law Publications.

    Dadisho, E. (2005, Jan.). Identity Theft and the Police Response: The Problem. The
    Police Chief, 72:1. Retrieved on 6/30/2005 from
    http://www.policechiefmagazine.org/magazine/index.cfm?fuseaction=display_arch&article_id=493&issue_id=12005   

    Dadisho, E. (2005, Feb). Identity Theft and the Police Response: Prevention. The
    Police Chief, 72:2. Retrieved on 6/30/2005 from
    http://www.policechiefmagazine.org/magazine/index.cfm?fuseaction=display_arch&article_id=510&issue_id=22005 

    Dadisho, E. (2005, Mar). Identity Theft and the Police Response: The Investigation.
    The Police Chief, 72:3. Retrieved on 6/30/2005 from
    http://www.policechiefmagazine.org/magazine/index.cfm?fuseaction=display_arch&article_id=538&issue_id=32005  

    Dadisho, E. (2005, Apr). Identity Theft and the Police Response: Resources for Police.
    The Police Chief, 72:4. Retrieved on 6/30/2005 from
    http://www.policechiefmagazine.org/magazine/index.cfm?fuseaction=display_arch&article_id=567&issue_id=42005 

    Gayer, J. (2003, May). Policing Privacy: Law Enforcement’s Response to Identity
    Theft. California Public Interest Research Group. Retrieved on 7/1/2005 from
    http://calpirg.org/reports/policingprivacy2003.pdf 

    Kerley, K.R. & Copes, H. (2002). Personal Fraud Victims and Their Official Responses
    to Victimization. Journal of Police and Criminal Psychology, 17(1), 19-35.

    Newman, G.R. (2004). Problem Oriented Guides for Police: Identity Theft. U.S.
    Department of Justice Office of Community Oriented Policing Services. Retrieved 8/3/2005 from
    http://www.popcenter.org/Problems/PDFs/Identity%20Theft.pdf

    Sharp, T., Shreve-Neiger, A., & Fremouw, W. (2004). Exploring the Psychological and
    Somatic Impact of Identity Theft. Journal of Forensic Sciences, 49(1), 131-136.

    Schwartz, E. (2005, Mar 7). Cybercrime Crackdown. InfoWorld 27(10): 8.

    <Table of Contents>



    F. Civil Liability & Risk Management

    Baldas, T. (2005, May 12). Identity Thefts Leading to “Fear Factor” Lawsuits.
    The Recorder (American Lawyer Media) 129:92.

    Banks, J. (2005). Identity Theft Suits Gain Popularity with Plaintiffs: General Counsel
    Brace for Increased Liability. Corporate Legal Times, 15: 164.

    Fogarty, S. and Ortiz, D. (2002). Stealing the Self: Identity Theft and Restrictions on
    Using and Disseminating Personal Identifiers. Markle Foundation Task Force on National Security in the Information Age. Retrieved 7/6/2005 from
    http://www.markletaskforce.org/documents/ortiz_082102.pdf

    Franzén, T.G. and Howell, L. (2001). Financial Privacy Rules: A Step By Step Guide to
    the New Disclosure Requirements Under the Gramm-Leach-Bliley Act and the Implementing Regulations. Consumer Financial Law Quarterly Report 55: 17

    Gilbert, F., Kennedy, J. B., Schwartz, P. M., & Practising Law Institute. (2004). Fifth
    Annual Institute on Privacy Law: New Developments & Compliance Issues in a Security-Conscious World. New York, NY: Practising Law Institute.

    Hirsch, R. (2005, Jun 29). Identity Theft Litigation: ChoicePoint and the Future of
    Privacy and Security Class Action Lawsuits. Electronic Commerce & Law Report 10 (26): 659-661.

    Kelleher, C. (2004). The Basics on FACTA: Learn How this New FTC Rule on Document
    Storage and Disposal Could Affect Your Business. Entrepreneur. Retrieved on
    7/2/2005 from
    http://www.entrepreneur.com/article/0,4621,320700,00.html 

    Lepofsky, R. (2004). Preventing Identity Theft. Risk Management, 51(10): 34.

    McKelvey, B. (2001). Financial Institutions’ Duty of Confidentiality to Keep Customer’s
    Personal Information Secure from the Threat of Identity Theft. U.C. David Law Review 34:1077.

    Murphy, M. (2003). Privacy Protection for Customer Financial Information.
    Congressional Research Service. Retrieved on 7/1/2005 from
    http://www.epic.org/privacy/glba/RS20185.pdf

    Oehlers, P. F. (2004). Identity Theft: What You Can Do to Protect Your Clients. Journal
    of Financial Service Professionals 58(1): 20.

    O'Rourke, M. (2005). Data Security in Crisis. Risk Management 52(5):9.

    Tomes, J. P. (2005). Prescription for Data Protection. Security Management 49(4):75.

    Wade, J. (2004). Personal Data Liability. Risk Management 51(5): 9.

    <Table of Contents>