Identity Theft and Fraud: Evaluating and Managing Risk

Chapter 5: The Nature and Scope of Identity Theft and Fraud

76 “The difficulty lies, not in the new ideas, but in escaping from the old ones, which ramify, for those brought up as most of us have been, into every corner of our minds.” —John Maynard Keynes, The General Theory of Employment, Interest and Money, 1935 This chapter is a detailed discussion of the characteristics of identity theft, including its definition, how it may occur, how identity thieves physically acquire identity information in various ways, and the nature of criminal social engineering activities like certain types of phishing. The electronic acquisition of identity information is also described, where profiles of identity thieves underscore how this type of criminal activity continues to grow like a cancer in society and the sensitivity and value of the personal information that can be stolen. Data breaches are a rapidly growing form of identity theft, and this is discussed in considerable detail, including how these breaches may or may not be connected to fraudulent activities, the growing pressure for public notification when they occur, and their direct and/or intangible cost to consumers and organizations. Identity Theft Identity theft is the unauthorized collection, possession, transfer, replication or other manipulation of another person’s personal Chapter 5 The Nature and Scope of Identity Theft and Fraud The Nature and Scope of Identity Theft and Fraud | 77 information. It is the first step in the identity theft and fraud process model that was discussed in Chapter 2. The problem of identity theft is the problem of safeguarding people’s personal information. All individuals are responsible for safeguarding their information when it is in their possession. We cannot live in today’s society, however, without entrusting our personal information to others. As discussed in Chapter 4, this information is collected , transmitted and stored by numerous government agencies, financial institutions, businesses and other organizations. There are always risks of unauthorized access and use of the information , but we trust that these organizations are keeping our personal information secure and not releasing it without appropriate authorization. As we have defined identity theft and identity fraud, identity theft can occur without identity fraud. There are generally three types of victims of identity theft: 1. Victims who are unaware that an identity theft has occurred; 2. Victims who are aware that their personal information has been accessed, but who have not yet been victims of an associated fraud; and 3. Victims of identity fraud (who often are not aware of the identity theft before the fraud occurred). Victims who are unaware that an identity theft has occurred may have had their personal information taken by someone, such as a family member, roommate, neighbour, contractor or employee, with access to the information while it was in their possession. However, the overwhelming number of victims in this category has had their information accessed through a data breach within an organization that was entrusted with this information. People whose information has been compromised as part of a data breach will know that there is a problem only if they are notified by the organization responsible for its security or if a subsequent fraud 78 | Identity Theft and Fraud occurs that brings the theft to their attention. Legislation requiring organizations to notify individuals of breaches has been introduced in almost all US states. In Canada, voluntary guidelines that deal with breaches were published in 2007 by the federal privacy commissioner—but these guidelines are not legally enforceable. The province of Ontario’s Personal Health Information Act (PHIPA), however, enacted in 2004, has mandatory data breach notification—and Alberta has required data breach notification through its updated Personal Information Protection Act (PIPA) since 2010. The Canadian government introduced Bill C-29 in May 2010, which if enacted would update its Personal Information Protection and Electronic Documents Act (PIPEDA) to include data breach notification. The proposed PIPEDA changes were relatively weak in that organizations have the right to determine whether even to disclose a breach based on the type of information stolen, the number of customers affected and whether the organization believes that there is a real risk of significant harm to the individuals affected. A later section in this chapter discusses data breaches and notification laws in detail. A Canadian consumer survey in 2008 asked individuals if they were aware of any case where there had been unauthorized access to their personal information without a subsequent fraud. This is the second type of victim. At...