IDENTITY THEFT IN SOUTH CAROLINA

Marti Phillips, Esq., CIPP/US Director, Identity Theft UnitSouth Carolina Department of Consumer Affairs

This presentation is not meant to serve as a substitute for reading

various laws discussed, seeking legal counsel or otherwise requesting

Department guidance and/or interpretations. The presentation

merely serves as an introduction and overview.

Roadmap

• SCDCA Identity Theft Unit• SC Statistics

• FTC Consumer Sentinel• ID Theft Overview• Steps for Victims

• FIFITPA (SC Law)• PII Definitions

• TIPS

SCDCA

• Licenses several types of businesses – such as pawn shops, mortgage brokers, consumer credit counselors, physical fitness facilities, athlete agents

• Handles complaints for family, household or personal goods or services

• 300 - 400 consumer complaints processed monthly

• Online complaint system

Commission on Consumer Affairs

Administrator

Council of Advisors

Consumer Services & Education

Administration

Advocacy

Legal

Public Information

Identity Theft Unit

SCDCA Organizational Structure

SCDCA Identity Theft Unit

EducationProvide education and outreach to SC consumers across the state; increase awareness and knowledge about identity theft & the steps to protect against id theft; and what to do if a victim.

Guidance

Provide ongoing guidance to SC id theft victims throughout the process of resolving their particular identity theft situation and mitigating negative effects.

EnforcementHandle administration and enforcement of SC’s FIFITPA and other identity theft-related consumer protection laws, including receipt of security breach notifications and ensuring reporting and notification requirements are met.

SCDCA Identity Theft “Toolkit”

www.consumer.sc.gov

2014 Consumer Sentinel Data Book

https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-january-december-2014/sentinel-cy2014.pdf

Consumer Sentinel – SC SC Stats: ID Theft Complaints:

• 2014 – 20th • 2013 – 17th • 2012 – 17th • 2011 – 20th • 2010- 29th

• 2009- 28th• 2008- 29th

• 2007- 30th • 2006- 32nd • 2005- 36th

January 1 – December 31, 2014

What is Identity Theft?

Generally, Identity Theft is the unlawful use of personal information of someone else, to pose as that person in order to:

fraudulently obtain goods or services in the other person’s name (the id theft victim) from private and/or public institutions

OR conceal their true identity from authorities or

others who perform background checks.

Types of Identity Theft• Financial

• New (Wireless Phone)• Existing (Credit Cards)

• Medical• Government Benefits/Documents• Employment• Tax-related ID Theft• Fraudulent Utility Accounts• Criminal• Business-related (used to perpetuate scams)• CHILD!

HOW? “Old-fashioned” Identity Theft

• YOU! • Lost or stolen wallets• Theft by family or friends• Dumpster diving – (pre-approval offers)• Stolen mail • Purchased from a corrupt insider at a bank, hotel, car rental agency, or other business

14

“Old-fashioned” Identity Theft cont…Dishonest Employees cont:

• Retail Stores• Banks• Drs.’ office

Pretexting/Phishing• Pretending to be Bank of America, etc. & need personal info• Wachovia-Wells Fargo – “verify accounts”

Changing Your Address. They divert billing statements to another location by completing a change of address form.

SCAMS!

High-tech Identity Theft

• Skimming

• Phishing• SMiShing

• Data breaches

• SCAMS!

Skimming

• The copying of electronically transmitted data on the magnetic strip of a credit card, to enable valid electronic payment authorization to occur between a merchant and the issuing financial institution.

• ID thieves steal credit/debit card numbers by using a special storage device when processing your card.

• The copying of electronically transmitted data on the magnetic strip of a credit card, to enable valid electronic payment authorization to occur between a merchant and the issuing financial institution.

• ID thieves steal credit/debit card numbers by using a special storage device when processing your card.

Cameras to view password entry

Card electronic strip readers

Keystroke Capturers

SKIMMING - Electronic card strip readers

Data Security Breaches

Breaking/hacking into computer systems Intruders need find only the weakest link:

• Vulnerable system• Unsecured network• Disgruntled or corrupt insider

• Once inside, often free to search and steal data

Lost/stolen laptops (a breach is not always due to a hacker!)

Data Security Breaches cont.

• SCDCA must be notified of data security breaches when more than 1,000 consumers affected.

• From July 2008 – present (law eff. 7/1/09), SCDCA rec’d:

•196 breach notices affecting 7,544,666 South Carolina residents.

• Security Breach Report

Keep an “open mind” about scammers/identity thieves!

• Phone calls• Direct mailer• Text messages• Email• Fake Website• In-person!

No matter the method, the ultimate goal of a scam is to separate you from your money and/or to compromise your personal information!

Actual Amount Lost to Scams* Potential Loss*

$938,983 $709,362

*Amounts based on information reported to SCDCA by consumers during FY15

Scams

Identity Theft

Data Breaches

True Statements:•But they had a Docket Number! (debt collection scam)

•He had a clipboard.(in-home solicitation scam)

•They gave me a claim number.(lottery scam)

• I knew better/I probably shouldn’t have/I thought it might be a fake email…

• I don’t care about identity theft, I have bad credit anyway.

What if you’re a victim?

4 Steps Most ID Theft Victims Need to Take:1. Contact Consumer Reporting Agencies

Fraud Alert Security Freeze Review your reports

2. Contact Companies (or Agencies) with affected accounts

3. File a Complaint with the FTC – it will generate an “ID Theft Affidavit” for victim’s use

4. File a Police Report (maybe) – combined with FTC ID Theft Affidavit = “Identity Theft Report”

Fraud Alert vs. Security Freeze

• One call• Creditors must take

“reasonable steps” to verify identity

• Less effective• 90 days (renewable) or 7 years (if victim & fill out ID Theft Report)

•free credit report(s)• FREE• Federal law

• Notify each bureau to place/get PIN

• Credit report cannot be accessed w/out consumer’s permission

• More effective - PREVENTITIVE

• Effective until removed

• FREE (SC law)

Filing A Police Report• Maybe (victim = reluctant if family member involved)• Call the local police as soon as possible

• Request copy of official police report/Identity Theft Report

• May need to ask for “information only” or a report• Police Report + ID Theft Affidavit (FTC) = Identity Theft

Report to submit to CRAs

• SC law requires police to write reports for identity theft victims

• A map of states with such laws available: www.idsafety.org/map

Filing a Police Report cont…• § 37-20-130 (emphasis added)

A person who learns or reasonably suspects that the person is the victim of identity theft may initiate a law enforcement investigation by reporting it to a local law enforcement agency that has jurisdiction over the person’s actual legal residence. The law enforcement agency shall take the report, provide the complainant with a copy of the report, and begin an investigation.

Amended in 2013 to delete language allowing referral of the matter to the law enforcement agency where the crime was committed fore investigation.

Identity Theft Report

Victims May Assert Rights Under Federal Civil Laws

• Fair Credit Reporting Act (FCRA)

• Fair Credit Billing Act (FCBA)

• Electronic Fund Transfer Act (EFTA)

• Fair Debt Collections Practices Act (FDCPA)

FIFITPA Legislative Background

• Bills ~ Comprehensive Result = S. 453, Act 190-2008

▫ Amends several different Code Sectionswww.consumer.sc.gov

• Effective Dates▫ December 31, 2008 & July 1, 2009 (Security Breach Portion)

• 2013 Amendments: H. 3248 & Proviso 117.136 (FY14)▫ Definitions & Security Breach Portion

• 2015 Budget Proviso 117.110 (FY16)

Financial Identity Fraud and Identity Theft Protection Act (FIFITPA)

• The Act provides several protections for consumers in the areas of security freezes (including protected consumer freeze), credit reports, records disposal, security breaches and more.

• The Act also places requirements on businesses and public bodies with regard to the collection, maintenance and disposal of consumers’ personal information.

FIFITPA Effective Dates

Eff. December 31, 2008:

• Consumer Identity Theft Protection § 37-20-110, et seq.• Police Reports § 37-20-130

• Personal Identifying Information Privacy Protection §30-2-300, et seq.

• Crime of Dumpster Diving § 16- 11 -725

• Credit/Debit Card Receipts § 16-13-512

• Crime of Financial Identity Fraud § 16-13-510

FIFITPA Effective Dates cont…

Eff. July 1, 2009:

• Breach of Security of State Agency Data § 1 -11 - 490

• Breach of Security of Business Data § 39-1-90

Eff. July 1, 2015 – June 30, 2016 (FY16):

• Budget Proviso 117.110 (Data Breach Notification – State Agency)

FIFITPA cont…•Notable Provisions

• Definitions of Personal Identifying Information

• Records Disposal

• Security Breaches

• Social Security Numbers

• Other (credit report disputes)

FIFITPA Effective Dates cont…

2013 Amendment = H.3248 eff. April 23, 2013

Amends § 16-13-510 • Broadens scope of Financial Identity Fraud; • Revises definition of Personal Identifying Information (PII); • Defines Financial Resources;• Provides Venue for prosecution of identity fraud offense• Conforms language to fin. transaction crime = not a defense

that some acts did not occur in this state or within city/city county, local jurisdiction

Amends § 39-1-90 Breach of Security & Business Data • Revised definition of PII (will discuss)

Security Breaches

S.C. Code Ann. § 1-11-490 et seq.▫ Title 1– Administration of Government

▫ Chapter 11- State Budget and Control Board

▫ Section 490- Breach of security of state agency data; notification; rights and remedies of injured parties; penalties; notification of Consumer Protection Division.

• Effective 7-1-2009

• Budget Proviso 117.110 (Eff. FY16)

Important Definitions

• § 1-11-490(D)(1)- • Agency means any:

• agency, • department, • board, • commission, • committee, or • institution of higher learning

-unchanged by Proviso 117.110

--of the State or a political subdivision of it

What’s the definition of PII? §16-13-510(D)

Crimes & Offenses§ 1-11-490(D)(3)

State Agency BreachNote:

Proviso 117.110(FY16)

§ 37-20-110(11)(a)Consumer ID Theft Protection

Note: “Pers’l Info.” also defined. See §30-2-30(1)

§ 39-1-90(D)(3)Business Breach

§ 16- 13-510(D) (amended by H. 3248 eff. 4/23/2013) Personal identifying information (PII) includes but is not limited to :

• SSNs • DL number or state ID card number • Checking account numbers • Savings account numbers • Credit card numbers • Debit card numbers• PIN numbers• Electronic ID numbers • Digital signatures • Dates of birth • Current or former names* • Current/former addresses when used w/other info in this section• Other #s/pwords/info that may be used to access fin. resources, #s,

or info issued by govt/reg entity that will uniquely identify individual/financial resources

*First + Last; Middle + Last; First, Middle, + Last, but only when the names are used in combination with, and linked to other identifying information provided.

FY16 Budget Proviso 117.110 changes PII definition for state agencies! eff. 7/1/15-6/30/16 PII means:• first name or first initial and • last name• in combination with and linked to any one or more of the following

data elements that relate to a resident of this State, when the data elements are neither encrypted nor redacted or when the data elements are encrypted and encryption also acquired:

1. SSN;

2. Driver's license number or state ID card #;

3. Financial account #, or credit card or debit card # in combination with any required security code, access code, or password that would permit access to a resident's financial account; or

4. Other #s or information which may be used to access a person's financial accounts or #s or information issued by a governmental or regulatory entity that uniquely will identify an individual.

(The term does not include information that is lawfully obtained from publicly available information.)

New SC Legislation: S.148“Protected Consumer Bill”

Credit Report & Security Freezes for Protected Consumers ; Credit Record

• Amends FIFITPA to add a class of protected consumers & provide method of creating credit record for purpose of freezing (preemptive)

• “Protected Consumer” = • Individual under age 16• Incapacitated person w/guardian or conservator

• Signed by Gov. on April 7, 2014 ~ Eff. Jan. 1, 2015

TIPS:• Dispose of sensitive materials appropriately.

• Monitor your financial statements and insurance EOBs regularly

• Don’t disclose personal info to someone you don’t know.• On the phone, Online, Through the mail

• Be cautious when shopping online.

• Don’t carry things like your SS card, birth certificate, all credit cards.

SCDCAIdentity Theft Unit•If you have questions about identity theft or think you may be a victim, contact us:1-800-922-1594www.consumer.sc.gov

Connect with US! Check out our YouTube channel.

Youtube.com/scdcatv

Look to Twitter for recent scam alerts and the latest consumer news. @SCDCA

Visit Facebook for updates and educational materials. Facebook.com/scdca

Marti Phillips803-734-4241mphillips@scconsumer.gov

Toll Free: 1-800-922-1594Fax: 803-734-4229www.consumer.sc.gov