
Identity Theft Policies

Uploaded by

Sanjay Potter

IDENTITY THEFT POLICIES

Identity theft per se is fraud which takes on many forms. As discussed in this

paper, identity theft may be more appropriately termed as personal identity theft, which

Hoffman and McGinley (2010) define as “the use of an individual’s personal identifying

information without his or her knowledge and with the intent to aid or abet any unlawful

activity such as fraudulent obtaining of services, merchandize, money, and / or credit” (p.

2). The President’s Identity Theft Task Force Report simply defines identity theft as the

“misuse of another individual’s personal information to commit fraud” (in Biegelman,

2009, p. 2).

Roberson (2008), however, observed that the terms “identity theft” and “identity

fraud” are often used interchangeably, but maintained that the aforementioned terms are

legally distinct. The former has something to do with taking something directly from the

victim without consent, whereas the latter involves deception or scam by the perpetrator

in the process of taking something from the usually unsuspecting victim.

Identity theft is not an aftermath of the digital age, but rather, an act which

evolved with the passing of time. For instance, Hoffman and McGinley (2010) consider

the term “identity theft” as “a modern name for an ancient crime” (p. 1). It may be

recalled from the Bible that Isaac’s son Esau sold his birthright to his brother Jacob for a

bowl of stew (Genesis 25: 29-34, New King James Version [NKJV]). Later, with the aid

of goat’s skin and the birthright, Jacob deceived his dying father Isaac into blessing him

instead of the first-born Esau (Genesis 27: 1-39, NKJV). This could well be the earliest

account of identity theft on record.

In the United States (US), the very first victim of identity theft in the modern

world was Hilda Schrader Whitcher, secretary in a wallet company, whose Social

Security card facsimile was used in the 1930s as an insert in the wallets as a marketing

strategy to show that the card actually fits into the wallet. As of 1943, close to six

thousand other individuals were found to have been illicitly using Whitcher’s Social

Security number and to date 40,000 people were reported by the Social Security

Administration to have used her number (Hoffman and McGinley, 2010; Biegelman,

2009; Ritchie, 2006; Hamadi, 2005). Biegelman (2009) considers Nigerian fraud

activities which became rampant during the early 1970s as a significant boost for credit

card fraud in the US. The term “identity theft”, however, is of recent origin, having been

first used in 1991 by The Boston Globe in the US; although a similar term, “identity

thief” was used much earlier by The Athens Messenger, a newspaper in Ohio, US in

1966.

Extent of Identity Theft in the US

At the dawn of the new millennium, deceitful use of credit cards by persons other

than their lawful owners accounted for one half of reported identity theft complaints

(Biegelman, 2009). According to the latest available statistics, close to ten million

Americans fell prey to identity theft perpetrators in just a year (Kim, 2009). Surprisingly,

as revealed in Kim (2009), even with the influx of new technology, low-tech methods are

still very popular among identity thieves, with 43 percent of all identity theft facilitated

by stolen wallets and other physical documents.

Based on complaints lodged with the Federal Trade Commission (2007), credit

card fraud makes up the biggest chunk of all identity theft committed at 26 percent. Credit

card fraud is committed when a person other than the owner of a credit card acquires

through any means, a credit card number and uses this information to make a purchase.

Figure 1 shows a pie chart of the different methods by which identity theft is committed.

Figure 1. Types of identity theft

As shown in Figure 1, the second biggest method of committing identity theft is

utilities fraud at 18%. Bank fraud follows at 17%, whereas employment fraud is

committed in 12% of the reported cases. In 5% of the reported identity theft cases, loan

fraud is committed, while government fraud is reported in 9% of the cases. Other forms

of identity theft are committed in the rest of the complaints (“2009 Identity Theft”, 2009).

The above percentages, however, do not display the costs incurred in resolving

identity theft cases. Citibank (2007) alone indicated that more than a billion dollars were

paid by consumer-victims in reported cases of identity theft. Hence, identity theft is a

scourge among consumers, as it is among credit card companies and similar institutions.

Stana (2004) revealed that credit issuing banks suffer losses from 18% to 42% of their

respective overall fraud figures from fraudulent applications and account takeovers. The

National Institute of Justice (2010a) reported that the two largest credit card companies

have estimated losses from aggregated identity theft cases in their domestic operations of

114 million dollars, but went on to add that credit card companies do not include such

cases as lost / stolen cards, cards which were never received by the rightful owner,

counterfeit cards, mail order fraud and telephone order fraud in their list of identity theft

related losses. This suggests that losses from identity theft may actually be more than the

figures on record.

Identity Theft Policies of Selected Credit Card Issuing Companies

Notwithstanding the loss of valuable assets due to identity theft, credit card

companies chorus on the significant increase of privacy and information security during

the second half of this decade, which may be attributed in part to the imposition of

various policies to safeguard consumers against identity theft. Such increase in security

and privacy is believed to have spawned from the efforts of the respective institutions as

mandated in the Gramm-Leach-Bliley Act (GLBA) enacted in 1999 “to reform the

banking industry and establish safeguards for customers’ non-public personal information

stored by financial institutions” (American Bar Association, 2007, p. 23). The standards

specified in the GLBA are meant to uphold the integrity of financial data from the clients

and guarantee that client information is protected against unauthorized access.

The following paragraphs review such pertinent policies of five credit card

companies to afford protection for their clients against identity theft. The policy review is

intended to help visualize how current policies and procedures against identity theft may

be improved to better ensure the protection of client information and privacy. The

following companies were selected for this paper: Citibank, Hongkong and Shanghai

Banking Corporation (HSBC), Capital One, JP Morgan Chase and Bank of America.

Identity theft policies of Citibank

Citibank offers its clients both preventive and corrective measures against identity

theft. It is a matter of policy for Citibank to uphold the privacy of client information by

sustaining physical, electronic and procedural standards based on existing legislation.

Citibank employees are trained well to prepare them to handle personal information

under the strictest conditions of confidentiality. Citibank only conducts business with

other business organizations which take responsibility in safeguarding the client

information that such companies need in providing services for Citibank.

Clients are given an updated copy of the Citibank Privacy Notice applicable to

each type of credit card account when the account is opened and every year thereafter

that the account is active. Clients are also welcome to request a copy anytime by

calling the toll free Customer Service number. Information collected from Citibank

clients which may be disclosed to affiliates and non-affiliated third parties include: (1)

clients’ name, address and telephone number, (2) transaction information such as account

balances, payment history and account activity, and (3) information from consumer

reporting agencies, credit bureau report and client credit score.

Citibank consumers are given the freedom to dictate how their personal

information may be used and shared. Hence, clients can request Citibank to limit the

disclosure of personal information[1] by simply filling out the Privacy Choices Form or

calling Customer Service. Citibank does not share information provided by the consumer

or by third parties, such as the credit bureau, with their affiliates, unless such disclosure is

permitted by law. However, Citibank’s privacy policy is very clear that it has the

prerogative to utilize client information to facilitate business processes and to gain insight

about the spending behavior of consumers – as long as the information disclosed does not

personally identify the clients. It was observed that California and Vermont have stricter

information disclosure requirements than the rest of the states, as shown by special

provisions in the bank’s privacy statement (Citibank 2010a).

[1] Citibank (2010a) defines personal information as information which personally identifies the client.

If a client becomes a victim of identity theft, Citibank offers corrective measures

described collectively as the Citi® Identity Theft Solutions. Services under the Citi®

Identity Theft Solutions include: (1) assistance in the identification of any other

compromised accounts, (2) client education and assistance regarding the procedure in

resolving the problem, (3) work with the client in placing fraud alerts to the three major

credit reporting agencies, (4) assistance in contacting other creditors which have

fraudulent accounts, (5) advisory on the filing of police reports, (6) sending of necessary

information to help resolve the identity theft case, (7) monitoring the client’s credit

bureau until the case has been resolved, (8) support and follow up until resolution of the

case, etc. (Citibank, 2010b).

Identity theft policies of HSBC

The Hongkong and Shanghai Banking Corporation ([HSBC] 2010) makes use of

electronic, physical and administrative standards to ensure that the personal information

of their clients is properly safeguarded. HSBC employs only carefully trained

professionals and involves only respectable and trustworthy companies to help serve their

clients and makes sure that only these professionals and companies gain access to client

information. The bank meticulously maintains security measures in compliance with

applicable federal standards.

HSBC also practices responsible information sharing. This implies that if

circumstances require in consideration of benefits for the client such as in fraud control or

for general business purposes, information is shared among the HSBC family of Affiliates.

Moreover, responsible information sharing is made possible by allowing choices for the

clients to allow or disallow HSBC to share their information.

HSBC collects demographic information, such as name, address, and social

security number, as well as credit information. Once a client visits the HSBC website,

certain information about internet usage is also collected. Such information will not be

shared in violation of applicable legislation. Client information is shared within the

HSBC family of companies for general business purposes or for endeavors which are

considered beneficial to the client as long as disclosure of such information is not in violation

of applicable laws.

Meanwhile, sharing of client information with non-HSBC affiliates is allowed in

most states to allow trusted companies to make special offers which are believed to be

beneficial for the client. For California and Vermont residents, however, where existing

laws require permission from the client for disclosure of information with non-affiliates,

it has become HSBC policy not to share client information to companies outside the

HSBC family of companies.

Identity theft policies of Capital One

Capital One normally sources out their information about their clients through application

forms, questionnaires, transaction records, communications, credit bureau reports, census

data, real estate records, and telephone calls made by clients. This information is used to

further improve services and to protect clients from identity theft and fraud. To protect

vital client information, Capital One employs security and safety measures on all

buildings and facilities by placing secure areas. Electronic security measures include the

use of passwords and encryption. Procedural security measures consist of customer

identification procedures aimed at preventing identity theft and fraud. Only authorized

employees are allowed access to client information and this is strictly for business

purposes. Employees are trained on security procedures and security awareness, with

regular audits performed to ensure compliance. Whenever third party companies are hired

to perform a specific business function, Capital One employs a rigid selection and

monitoring process to ensure that all client information is secured and utilized within the

parameters set by the company (Capital One, 2010a). Capital One also utilizes firewall

systems, intrusion detection software and 128-bit Secure Sockets Layer (SSL) data

encryption. Furthermore, the company employs international security and authentication

standards in conjunction with guidance provided by the federal government (Capital One,

2010b).

Identity theft policies of JP Morgan Chase

At JP Morgan Chase, information may be disclosed to any person or entity with

the client’s consent and when the company is required by law. Transmittal, transfer and

processing of client information anywhere in the world is performed when the company

deems it appropriate or necessary. The company has put in place safety measures that

encompass the physical, electronic and procedural aspects of information security. Based

on existing legal parameters, JP Morgan Chase has created compliant procedures which

prevent unauthorized individuals and entities from gaining access, utilizing the data,

performing modifications and removal of client information. The client information

collected, utilized and retained by JP Morgan Chase is limited to certain companies

within the group and may be shared with affiliates and business units as permitted and

required by law. This also includes disclosure of information as requested by regulatory

authorities and law enforcement agencies. For certain circumstances that JP Morgan

Chase would provide client information to other companies, it is agreed that security of

the information will be ensured at all times and will only be used according to the

purposes specified by JP Morgan Chase. In compliance with Section 236 of the Patriot

Act, JP Morgan Chase requests clients opening new accounts to provide identification

information and pertinent documents. JP Morgan Chase also provides its clients several

choices regarding how their information is shared between affiliates and third parties (JP

Morgan Chase, 2010a). Chase Bank, the consumer banking division of JP Morgan Chase,

offers three choices, namely: (a) third party sharing, (b) affiliate sharing, and (c) affiliate

marketing. The third party sharing option allows the client to decline sharing their

information with non-financial companies outside the JP Morgan Chase group. Affiliate

sharing on the other hand, allows the client to disallow sharing of their information

between companies inside the JP Morgan Chase group. The affiliate marketing option

allows the client to limit the marketing efforts of JP Morgan Chase companies when they

do not have any business or accounts with them. For Vermont clients,

accounts will be automatically set with the three privacy choices in effect. In case

information will be shared with other financial institutions with a joint marketing

agreement with JP Morgan Chase, only the client’s name, contact information and

transaction information will be disclosed. For clients in California, information will not

be shared with third party non-financial companies regardless of whether or not the first

privacy choice was selected. Also, client information will not be disclosed to companies

within and outside JP Morgan Chase unless privacy choices are provided or permitted by

California law (JP Morgan Chase, 2010b).

Identity theft policies of Bank of America

The Bank of America sums up its identity theft policies in its four-pronged

privacy commitment to its consumers: (1) protection of customer information, (2) client

notification on the use of their information, (3) freedom of choice for the client on how

information provided may be used; and (4) respectful and lawful procedures in the

collection, usage and processing of client information.

Client information is shared among company affiliates of the Bank of America in

compliance with applicable laws, including marketing offers. Non-affiliated institutions

which are engaged to act on behalf of the Bank of America are contractually bound

to uphold the confidentiality of customer information and to make use of such

information to provide the services they are asked to perform.

Clients of the Bank of America have the option to request the non-disclosure

of their application information, consumer report information, and information from

outside sources. Information about Vermont clients is not shared even among Bank of

America affiliates, except when authorized by the client. Information about California

clients is not shared with companies outside of Bank of America, except when permitted

by law or with the consent of the client (Bank of America, 2010).

Analysis

Perusal of the identity theft policies of the five selected banks led to an

observation that the banks have very similar policies. This should, however, be readily

explained by the fact that the main law which governs information security and privacy in

the banking industry, the Gramm-Leach-Bliley Act, is being complied with by the

respective banks. However, as maintained by Webber and Webber (2007), “the act is

more descriptive than prescriptive” (p. 17-10). Hence, the legislation leaves up to the

different banks how they would interpret the definition of protecting the security and

confidentiality of client information.

It was also observed that a few states, particularly California, Nevada and

Vermont have stricter information security legislation. Use and sharing of client

information in these three states are very much different from the other states.

Additionally, disclosure of client information is more limited in these three states than in the

rest of the states. Figure 2, however, shows that two of the three states belong to the

top ten states with the most occurrences of identity theft.

Figure 2. Top ten states for ID theft occurrences

As depicted in Figure 2, Nevada and California are on the second and third spot

respectively with 113 and 111 victims of identity theft for every 100,000 population

(Thomas, 2004). These figures suggest that strictly limiting disclosure or sharing of client

information does not necessarily offer greater protection against identity theft.

Recommendations

With all the high tech measures being adopted by practically all credit card

issuing institutions, crafty identity thieves will almost always come up with cunning

tricks and deceptive tactics to lull their prey into a false sense of security. Identity theft

victims, and sometimes even bank personnel or store cashiers, are caught off guard by credit card

fraud because there are loopholes in the process which allow defrauders to do their thing.

A simple safeguard of including the credit card legal owner’s clear photograph can aid

cashiers to spot identity thieves trying to use the card they stole or found somewhere to

make a purchase. Not all credit cards contain a photo of the account holder. It may be

helpful against identity theft if all credit cards were issued with the owner’s picture.

Research is a key factor in combating an evolving crime. Yet, as reported by the

National Institute of Justice (2010b), there is a dearth of data regarding indirect costs of

identity theft or the cost-benefit data pertaining to increased security measures. Hence,

research into possible strategies to mitigate the harm from identity crimes is inhibited.

Moreover, even if the Federal Trade Commission maintains a database of complaints

involving identity theft, the law enforcement sector does not keep a national database of

identity theft incidents reported nor a repository of how such incidents were resolved and

how law enforcement became a part of the solution. Information regarding past crimes

can boost research on how the government and the banking sector can join hands in the

battle against identity theft.

References

2009 Identity Theft Statistics (2009). Retrieved 24 July 2010, from:
http://www.spendonlife.com/guide/2009-identity-theft-statistics.

American Bar Association. (2008). Data security handbook. Chicago, IL: ABA
Publishing.

Bank of America. (2010). Bank of America privacy policy for US consumers 2010.
Retrieved 27 July 2010, from:
https://www.bankofamerica.com/privacy/Control.do?body=privacysecur_cnsmr

Biegelman, M. T. (2009). Identity theft handbook: detection, prevention and security.
Hoboken, NJ: Wiley.

Capital One (2010a). Privacy notice. Retrieved 27 July 2010, from:
https://www.capitalone.com/protection/privacy/notice_english.php?linkid=WWW_Z_Z_Z_PROPR_C1_01_T_PRONE

Capital One (2010b). Security policy. Retrieved 27 July 2010, from:
http://www.capitalone.com/protection/security/index.php?linkid=WWW_1009_Z_A0B2084C1F86D22A0E1FFBF38F9G1F85_GBLFO_F3_02_T_FO4

Citibank. (2007). Information security and identity theft [Microsoft Powerpoint file].
Philadelphia, PA: The Ninth Annual SmartPay Conference.

Citibank. (2010a). Privacy. Retrieved 23 July 2010, from:
http://www.citibank.com/us/cards/privacy.htm

Citibank. (2010b). Citi® Identity Theft Solutions. Retrieved 27 July 2010, from:
http://www.citicards.com/cards/wv/detail.do?screenID=700

Federal Trade Commission. (2007). 2006 identity theft survey report. McLean, VA:
Synovate.

Hamadi, R. (2005). Identity theft: what it is, how to prevent it, and what to do if it
happens to you. London: Vision.

Hoffman, S. K. & McGinley, T. G. (2010). Identity theft: a reference handbook. Santa
Barbara, CA: ABC-CLIO.

HSBC. (2010). Privacy & Security. Retrieved 23 July 2010, from:
http://www.hsbccreditcard.com/ecare/privacy_nli#web_terms6

The Phrase Finder (2010). Identity theft. Retrieved 27 July 2010, from:
http://www.phrases.org.uk/meanings/identity-theft.html

JP Morgan Chase (2010a). Privacy and security. Retrieved 27 July 2010, from:
http://www.jpmorgan.com/pages/privacy

JP Morgan Chase (2010b). Privacy policy. Retrieved 27 July 2010, from:
https://www.chase.com/ccp/index.jsp?pg_name=ccpmapp/privacy_security/protection/page/privacy_policy

Kim, R. (2009). 2009 consumer identity protection services scorecard: competition
intensifies as vendors aggressively expand offering. Pleasanton, CA: Javelin
Strategy and Research.

National Institute of Justice. (2010a). Identity theft research review: cost of identity theft.
Retrieved 27 July 2010, from:
http://www.ojp.usdoj.gov/nij/publications/id-theft/cost.htm

National Institute of Justice. (2010b). Identity theft research review: identity issues that
need more research. Retrieved 27 July 2010, from:
http://www.ojp.usdoj.gov/nij/publications/id-theft/research.htm

Ritchie, P. (2006). The credit road map: a practical guide for navigating your way to
good credit. Tempe, AZ: Success Road Map Press.

Roberson, C. (2008). Identity theft investigations. New York: Kaplan.

Stana, R. M. (2004). Identity theft: prevalence and cost appear to be growing. In C. L.
Hayward (Ed.), Identity theft (pp. 17-72). Hauppauge, NY: Nova Science
Publishers.

Thomas, B. (2004). Facts and figures: identity theft. United States House of
Representatives: Ways and Means Committee.

Webber, L. & Webber, F. (2007). IT project management essentials. New York: Aspen
Publishers.
