Battling elusive identity theft: Interview with Betsy Broder, assistant director, U.S. Federal Trade Commission

They want to steal your name, your credit card numbers, your reputation, your money, and your life. Betsy Broder and her FTC team have one mission: to keep you from being another identity theft statistic. She encourages fraud examiners to help her in the fight.  

As a veteran litigator at the U.S. Federal Trade Commission (FTC), Betsy Broder once led the investigation and civil prosecution of telemarketing boiler rooms, Internet pyramid schemes, and business and franchise scams in courts. But, as she says, it was a far cry from the complex world of identity theft she now visits daily.

As an assistant director in the FTC's Division of Planning and Information, she oversees the agency's identity theft program including the collection and analysis of consumer-related data, coordination with criminal law enforcement, outreach to industry, and consumer education. Broder has testified before Congress and made numerous appearances in the national media as an expert on identity theft and consumer fraud. She formerly was assistant director of the FTC's Division of Marketing Practices where she supervised consumer fraud litigation in federal court. She has also served as an advisor to the FTC's Director of the Bureau of Consumer Protection. Prior to her work with the FTC, she was a New York State assistant attorney general, handling appellate litigation.

Broder spoke to Fraud Magazine from her office in Washington, D.C.

Can you describe your duties and responsibilities in tackling ID theft?
I work with a talented, motivated and creative group. Together, we aim to reduce ID theft, support criminal enforcement efforts, and help victims to recover. The FTC's ID Theft Team is composed of attorneys who focus on policy and legal issues, an investigator who assists law enforcement, and data analysts who comb through our data to detect trends and clusters of fraud. Beyond our immediate team, we have the support of an award-winning consumer education shop that has produced "Take Charge: Fighting Back Against Identity Theft" (formerly called "ID Theft: When Bad Things Happen to Your Good Name") and that continues to develop new ways to reach consumers and businesses. Also, the Consumer Sentinel team, Consumer Response Center, and information technology colleagues enable us to gather hundreds of thousands of consumer complaints in a system that is available to law enforcement throughout the United States.

My job is to enable all of these talented professionals to work toward our common goal of reducing ID theft and making it easier for victims to recover.

If there is such a thing, what's a "normal" day for you?
In the ever-changing landscape of ID theft and consumer fraud only one thing remains constant, and that is change. So, there is nothing routine in my day. That keeps my job engaging and challenging.

The theft of valuable information from credit and banking accounts and social security cards has been with us for some time. The Internet notwithstanding, why is this "near-perfect" crime appearing to grow?
While identity fraud is clearly a major problem, costing our economy over $50 billion a year, some measures show that ID theft is leveling off. Having said that, there are certain conditions that continue to make ID theft attractive to criminals. Information is plentiful, as is credit. Although many companies have improved security, we know from recent events that crooks are resourceful and often patient. Dumpster diving and wallet snatching are fairly easy to obtain consumer's information. ID thieves also can hide in the virtual shadow of the Internet. The absence of face-to-face contact with their victims and the ability to vanish into cyberspace make identity frauds further appealing to crooks.

What part does the Internet play?
Just look at the growth of phishing, online trickery to obtain consumers' financial information. The next wave appears to be pharming, which does not require the consumer's cooperation and provides another stealth form of ID snatching. Electronic storage of vast amounts of data enables thieves to work efficiently. It may be easier to steal a laptop than dig through someone's garbage, looking for bank statements and insurance forms.

Once the ID thief obtains consumer information, he can use that same information to make credit card purchases via the Internet (where, of course, there is no need to have the actual credit card), withdraw funds from accounts, or open new credit accounts.

Although the Internet may facilitate certain types of identity theft, there is no hard evidence that consumers face a higher risk of identity theft by conducting business online. We know that a lot of ID theft is still conducted the old fashioned way, such as stealing wallets, rummaging through trash, and through corrupt employees. In both online and offline transactions, consumers can minimize their risk by following good information security practices.

Is there a typical identity thief?
We can speak only about those ID thieves who have been caught. As to that group, some researchers say that they tend to be insiders. But I don't think we know enough about this group to draw any firm conclusions.

Have federal law enforcement agencies pinpointed various identity theft crime rings around the U.S. and the world or is the situation just changing too quickly?
Recent news stories show that identity theft rings do exist and that they cross borders. Our criminal investigative partners - the U.S. Secret Service, the U.S. Postal Inspection Service and the FBI - have each committed resources and energy into working these cases. In fact, the FBI has analysts working with us at the FTC to develop case leads from our data, and support ongoing investigations.

You've said that young people under the age of 29 years old have become the number one demographic target for identity thieves. It would seem that the older, established, more affluent person would be the best target. Why the under-29 group?
Anyone can be a target for ID theft, regardless of age, income, or gender. Our 2003 nationwide survey showed that 20 percent of all victims were less than 29 years old. So it is not at all clear that younger consumers are disproportionately affected. Some reporters have focused on the self-reported data in our annual reports that show a somewhat higher percentage of victims under 29, but we believe the survey best reflects the current prevalence of ID theft.

What are the basic procedures citizens can use to protect themselves against ID theft?
I generally say that consumers cannot fully protect themselves from ID theft, but there are many steps people can and should take to minimize their risk. They all come down to being careful with how one makes information about themselves available. We urge consumers to shred all critical financial documents before disposing of them, to use proper firewall programs to protect electronic data, to carry only necessary identification in their wallets, and to refrain from providing personal information unless you know why the information is needed and how it will be used.

Under federal law, consumers are now entitled to a free copy of their annual credit report from each of the credit reporting agencies upon request. (By September of 2005, consumers throughout the country can get a free annual report.) By checking your credit report, you can detect misuse of your information and will be able to limit the damage done by identity thieves.

What are the first steps citizens must take if they suspect they're victims of ID theft?
First, contact the credit reporting agencies, so they can flag your file with a 90-day fraud alert. Under federal law, consumers need contact only one of the three major credit reporting agencies, and that agency will send your information to the other two. After placing an alert, you will be able to obtain one free copy of your credit report from each of the three agencies, Equifax, Experian and Trans Union, to look for signs of fraud. Look for the reporting agencies' contact information on our Web site, www.ftc.gov/bcp/conline/pubs/alerts/infocompalrt.htm.

Second, report the misuse of your information to the police. This is important for several reasons. First, ID theft is a crime and should be reported. Moreover, the police report will enable you to exercise additional rights such as blocking fraudulent accounts on your credit report; obtaining fraudulent applications and transaction reports related to the identity theft; extending an initial, 90-day fraud alert to a seven-year alert; and stopping creditors and others from reporting fraudulent debts to the credit reporting agencies. (Victims may need additional supporting documentation to exercise some of these rights.) A full discussion of these rights can be found in our publication "Take Charge: Fighting Back Against Identity Theft." (www.ftc.gov/bcp/conline/pubs/credit/idtheft.pdf)

The third step is to contact the creditors where the information was misused. Dispute the accounts in writing, using the standard affidavit which is available at www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf. It is essential that you keep thorough and complete records.

Finally, consumers should report the ID theft incident to the FTC, on our online complaint form at www.consumer.gov/idtheft, or through the toll free number at 1-877-ID-THEFT. This complaint data becomes part of our ID Theft Data Clearinghouse, which we make available to more than 1,300 law enforcement agencies through our Consumer Sentinel system. Instead of seeing one or two complaints that may come across their desks, law enforcement officers, from local detectives to federal agents, can use the Clearinghouse to get the big picture, linking complaints together to reveal rings or clusters of fraud.

Those hit by identity theft may be liable for credit card charges over $50 but how about money lost from invaded bank accounts?
Remedies for money lost from bank accounts vary state by state. Most states have laws that protect consumers against fraud committed with paper documents like checks. And there are special rules for electronic fund transfers under the Electronic Fund Transfer Act. Whatever the case, the consumer should contact their bank promptly to determine how the fraud occurred and how best to minimize the loss.

The FTC's 2003 identity theft survey suggested that almost 3.25 million Americans discovered that their personal information had been misused in 2002. Have you seen that number increasing since then or has it moderated possibly because of increased interest and publicity?
Our 2003 survey indicated that close to 10 million Americans experienced some form of identity theft in the preceding year. Of those, almost 3.25 million consumers had new accounts opened in their name. A more recent survey conducted by Javelin Research indicates that the prevalence and cost associated with ID theft have been roughly level with the rates reflected in the 2003 FTC survey. We would like to think that better consumer awareness and increased security on the business side have contributed to a slowing down in the growth of ID fraud.

The FTC survey says that only 25 percent of victims who participated said they reported the crime to local police. Only 43 percent of the victims with the more serious "New Accounts and Other Frauds" form of ID theft had reported their experiences to local police. And only 22 percent of ID theft victims said they had notified one or more credit bureaus. Why do you think that many victims are hesitant to report the crimes to the authorities?
It is not clear if victims are hesitant to report the crime, if they see no advantage in doing so, or if they do not know to whom it should be reported. Whatever the reason for the low reporting, it is a situation that needs improvement. Because many of the new rights for ID theft victims are dependent on an ID theft report, which could include a police report, we expect to see an increase in reporting.

What are some ways the FTC is trying to convince victims to report the crimes? Why is it important for victims to file a complaint with the FTC?
We have always encouraged ID theft victims to report their incident to their local police departments. The International Association of Chiefs of Police passed a resolution further encouraging police to take reports in the jurisdiction in which the victim resides, and several states have laws requiring police to take reports on ID theft incidents. We are supporting IACP's efforts to develop a standard police report for ID theft. A standard report should make it easier for victims to report the crime and more efficient for police departments to take the report.

With a valid and complete police report, ID theft victims can exercise important new rights including the ability to block fraudulent trade lines on their credit reports, obtain copies of the documents used to open or access accounts, and extend their fraud alert for seven years. A consumer would also need a police report to rescind the extended fraud alert.

How does the FTC coordinate its ID theft initiatives with law enforcement agencies and federal departments plus industry and consumer groups?
We are no different from any other organization - we have a big mandate and limited resources. Partnerships are therefore essential. Examples of successful joint efforts include our training initiative with the U.S. Department of Justice, U.S. Secret Service, the Postal Inspection Service, the American Association of Motor Vehicle Administrators and others. Together we have conducted almost 20 law enforcement training sessions around the country for first responders. Many organizations, both private and public, link to our Web site at consumer.gov/idtheft, and reprint our many publications. We have ongoing communication with consumer and industry groups to identify new challenges and coordinate efforts. What we all appreciate is that the solution to ID theft will depend on a mix of consumer education, law enforcement, and improved business practices.

Local law enforcement must be inundated with ID theft complaints. I understand the FTC offers anti-ID theft training to law enforcement. What does the training involve? In what other ways is the FTC working with law enforcement to fight this crime?
Our training draws on the expertise of our co-trainers. How to spot fake credentials - including drivers' licenses, - how to support ID theft victims, the tools to investigate identity fraud - including the FTC's ID Theft Data Clearinghouse - and the value of working collaboratively through multi-jurisdictional task forces are but some of the key issues we cover in these training sessions. We try to draw on local expertise as well, and invite local judges and prosecutors to discuss efforts already underway to combat ID theft.

Because the FTC does not have criminal jurisdiction, we work closely with the other federal agencies that have such authority. An FBI analyst spends part of every week working from FTC headquarters where she has direct access to the ID theft data. We also participate in the Department of Justice's White Collar Crime Working Group to share information and coordinate efforts.

There are a number of ID theft-related laws and pending bills but the Identity Theft and Assumption Deterrence Act of 1998 appears to be the seminal law on which all is built. Can you give a general overview of the Act, how it helps victims, and penalties?
The 1998 law criminalized ID theft on the federal level, and further expanded the term "means of identification" to include information that is linked to a specific individual, and not just documents. For example, use of account or social security numbers, and not just misuse of the cards themselves, now constitutes identity theft under federal law. These changes represented not only a change in law, but also a change in outlook. Prior to the Act, consumers whose information was misused were not seen as victims of a crime. The 1998 Act changed that.

The 1998 law also put the FTC front and center in the ID theft world. Congress directed the FTC to develop the nation's central repository of ID theft complaints, which we house in our Consumer Sentinel system, and to provide assistance to victims of ID theft, which we offer through our Web site at consumer.gov/idtheft as well as our toll-free number, 1-877-ID THEFT. Since the passage of the Act, we have seen an increase in joint prosecutorial task forces, increased penalties and greater overall awareness of this troubling crime.

The FTC also enforces at least three laws that restrict the disclosure of consumer information and require companies to ensure the security and integrity of the data in particular contexts: the Fair Credit Reporting Act, the Graham-Bleach-Bliley Acts, and the FTC Act. Can you briefly describe how these three laws protect consumers?
The Fair Credit Reporting Act (FCRA) is designed to ensure complete and accurate consumer reports. Chief among its features is the right of consumers to see and correct erroneous information on their reports. Under the newly enacted Fair and Accurate Credit Transactions Act (FACTA Act) amendments to the FCRA, consumers have important new ID theft rights. For example, ID theft victims can block fraudulent information on their credit reports. The FACT Act also requires debt collectors to provide victims who ask certain information about the debt that was fraudulently incurred.

Graham-Leach-Bliley is a far-ranging law affecting financial institutions. One section directed the FTC and the bank regulatory agencies to develop safeguards for financial institutions to follow when dealing with customer information. The safeguards require these companies to have reasonable measures and systems in place to ensure the security of the customer information. Gramm Leach Bliley also requires financial institutions to give their customers the ability to opt-out of information sharing their information with unaffiliated third parties.

Our underlying statute, Section 5 of the FTC Act, which prohibits unfair and deceptive acts and practices, also provides standards for security. We have sued companies that fail to deliver on their promises of security and privacy. We have also brought an action against a company for failing to implement reasonable security for credit and debit card information collected at its stores. We will continue to use all the tools in our enforcement arsenal to ensure that consumer information is treated with the care and security it deserves, and that it stays out of the hands of crooks.

The President signed the Identity Theft Penalty Enhancement Act in 2004. How will this bill further help you in your fight against ID theft?
By increasing the penalties for the most serious forms of ID theft, the Penalty Enhancement Act provides greater deterrence for would-be ID thieves, and makes it more likely that criminals will be prosecuted. Although the FTC does not have the jurisdiction to prosecute these crimes, we do support measures like this that increase the likelihood of meaningful prosecutions and penalties.

Which of the pending ID theft-related bills introduced into the U.S. House and Senate seem worth watching?
We have seen a flurry of legislative activity this session. We are watching all of the bills and have testified on recent events. FTC testimony is posted at our home site, ftc.gov.

As you say, the Identity Theft and Assumption Deterrence Act of 1998 spawned the FTC's toll-free telephone center (1-877-ID-THEFT). What are the current call rates and the percentage of those calls that are related to ID theft?
Actually, we had a toll-free number before the ID theft act, dealing with general consumer issues. In 1999, we launched our ID theft line. We now handle about 30,000 contacts each week, including phone, Web, and mail contacts involving both identity theft and other consumer issues. These include both complaints and requests for information. In 2004, nearly 250,000 complaints involved ID theft.

And any other pertinent calling statistics? How does the FTC use the information provided by victims?
Our complaint data serve two functions: First and foremost the data help support law enforcement develop case leads, spots trends, and find suspects or witnesses. The 800,000 plus complaints also give us a sense of what types of problems ID theft victims encounter. Because the data are self-reported, we do not look at our annual statistics as necessarily reflecting the overall trends in ID theft. However, by tracking the numbers year by year we are able to see certain trends. For example, we have seen a decline in the number of complaints about new credit accounts being opened in consumers' names.

How can local law enforcement use the FTC's Identity Theft Data Clearinghouse (the database derived from consumer complaints) and other FTC resources? Has the Clearinghouse been popular with law enforcement?
The Clearinghouse is a cost-free tool that every law enforcement office should take advantage of. Using a secure Web-based application, law enforcement officers, both criminal and civil, can log in to check the prevalence of a certain type of fraud within their jurisdiction. Whether searching by Zip code or suspect location, the officer can produce reports that help pinpoint areas of fraud and assist in investigations.

We know, too, that victims may first turn to their local police for assistance. Our Web site, at consumer.gov/idtheft, links to numerous resources and has been a great tool for local law enforcement. Many police departments have downloaded and printed our comprehensive consumer assistance booklet, "Take Charge: Fighting Back Against Identity Theft," the ID theft affidavit, and other helpful tools, and make them available to crime victims as well as members of the public during public awareness campaigns.

Are there ways to encourage banks and credit card companies to limit the amount of mailed applications containing names and addresses that are often used to commit ID theft?
Some consumers already know that they can have their names removed from prescreened credit offers by calling 1-888-5-OPT-OUT. Because not all prescreened offers come from the consumer reporting agencies - alumni or professional organizations also send them out - calling the opt-out number will not eliminate all offers, but it should reduce them substantially. Finally, while many thought that these offers were the cause of new account ID theft, representatives of the credit industry state that they have substantially cut down on fraud caused by the misuse of unsolicited credit offers. Law enforcement, however, report that ID thieves sometimes stake out a consumer's mailbox to first intercept the unsolicited credit offer and then retrieve from the mailbox the actual credit card when it arrives.

Some say that until businesses impose severe internal controls on employees who can be tempted to steal customer information, ID theft will never be reduced. And others say that unless legislation - such as the European Union's Data Protection Act - is passed, businesses won't do what they need to do. What are your thoughts?
Identity theft is a complex crime that can be traced to many roots. Certainly corrupt, or corruptible insiders, pose a substantial threat, and it makes good sense for businesses to protect consumer information from the threat posed from these types of insiders. Many businesses already have controls on their employees, whether through the Safeguards Rules or other restrictions. Congress is considering additional measures that would require businesses beyond financial institutions to further lock down their data. The FTC itself has made legislative recommendations. (See www.ftc.gov/ftc/news for June 16, 2005.) While there is no single silver bullet that will eliminate identity theft, restricting illegal access to valuable consumer data is without a doubt a critical goal.

What are your efforts in working with global governments and agencies?
Because fraud has become global in reach, we have developed strong and ongoing efforts with our sister agencies throughout the world. Indeed, the FTC has created a division within the Bureau of Consumer Protection to focus solely on coordinating efforts with other countries.

Some security consultants say that the trend of consolidating databases into huge centralized files makes it easier to steal identities. They say that instead of the old dumpster diving method, crime rings now are more likely to purchase from insiders names by the thousands to sell to brokers. What are your thoughts on that?
ID thieves, like bank robbers, will go where the money is. So, whether it involves defrauding a data broker, or stealing someone's mail, the ID crooks will find a way to steal information. Because companies that amass large amounts of data are particularly attractive targets, it is incumbent on them to have appropriate security for their information. That includes proper screening and other controls on employees and restricting access to a need-to-know basis.

What can trained Certified Fraud Examiners do to help deter and fight ID theft?
Certified Fraud Examiners can play a key role in encouraging good information security practices and protecting potential victims of fraud. Look out for the signs of fraud, and encourage companies to implement sound and dependable programs to safeguard data that can be used to commit ID theft. When a company's security has been compromised, the company is not the only victim. The consumers whose information has been stolen also face consequences, and they should be alerted if there is a likelihood that their information will be misused.

Do you check your own credit ratings regularly?
I started checking my reports routinely once I began working in the area of ID theft. Now that consumers have access to free annual credit reports, I expect that more people will routinely request copies of their credit reports to look for errors or indications of fraud. Information on how to request a free credit report is available at our Web site: www.ftc.gov/bcp/conline/edcams/credit/ycr_free_reports.htm.

Have you ever been a victim of ID fraud?
Fortunately I have not.

How has your previous education and experience trained you for your current job?
I am a lawyer by training, and have worked in the consumer fraud area since joining the FTC in 1988. But suing telemarketing boiler-rooms and online pyramid scheme promoters is a far cry from the complex world of ID theft. The entire ID theft team has developed expertise in federal sentencing laws, data analysis, privacy and credit-related laws, and outreach to business and consumers, among other things. I have had a fair amount of on-the-job training.

At the end of the day, what personal satisfaction do you receive from your position?
I will end where I began. I am fortunate to work with a devoted team, whose work has a direct and beneficial impact on consumers' lives. Whether counseling a person with a tangled ID theft related issue, assisting a local police department with an ID theft investigation, or collaborating with advocacy groups on new initiatives, the efforts of the FTC's ID Theft team make a real difference. I am immensely proud of what we have accomplished, and look forward to continued successes in our efforts to reduce the impact and occurrence of this crime.

[Some links may no longer be available. —Ed.]

Dick Carozza is editor of Fraud Magazine.