Identity Theft and Its Prevention: Personal Reflections and Professional Obligations
Testimony of
Dr. Edward C. Papenfuse, State Archivist and Commissioner of Land Patents
before the
Task Force to Study Identity Theft
September 18, 2007
1 p.m.
Senator Kelley, Delegate Lee, members of the Identity Theft Task Force,
Over a decade ago my identity was stolen and our bank accounts
raided for a total of $13,915.18. The thief was a 5' 10"
trim African American male weighing about 145 lbs, aged 47. At
the time I was 53, not so trim at about 200 lbs, and a public servant
charged with maintaining the integrity of Maryland's historical
records. He and his girl friend accomplice (a telemarketer
operator whose
offices were said to be at BWI, now Thurgood Marshall BWI, Airport)
did not use the internet to defraud us. He
stole our mail from a mail truck and from our
mail box on our porch. She helped him forge my signature on three separate items: a state reimbursement
check;
an unsolicited access check which the bank clerk suggested be
drawn against our home equity account; and a state credit union
withdrawal check. He
secured the state credit union withdrawal check by forging a stolen
withdrawal slip. He then called the State Employees Credit Union to determine
when the check would be delivered, and impersonated a mail carrier to steal it
from our front porch mailbox. His female accomplice was
persuaded with
the promise of
leniency to testify against
him when he was finally caught after a high speed chase. She did not
serve any time for her part in the
crime. He was sentenced to 105 months in prison after I and
another victim testified at his sentencing hearing before
Federal Judge Blake in 1998. Dateline with Tom Brokaw
interviewed the U.S Attorney, now Court of Appeals Judge Lynne
Battaglia, and me about the crime in August 1998, and the next
year Bill Kurtis's
Investigative Reports
featured the case, which included a prison interview with the defendant
as "Harold" with his face hidden from the camera. Both interviews
are on the CD accompanying these remarks. I also have included on
the CD two newspaper articles (#1 and
#2) about the crime, which provide accurate details about the court
proceedings, his plea agreement, and the indictment.
My impersonator is now in Federal prison in Elkton, Ohio (BOP
ID# 08321-071) and is scheduled to be released on August 8, 2008.
He is there, not for what he did to us, but for violating
his supervised release from Federal prison. I have not yet been
able to determine how much of the 105 months he served before his
supervised release, but in March of 2006 he was arrested again for
identity theft and credit card fraud at a Sears store on Security
Boulevard where his accomplice used the stolen identity of a woman from
South Carolina, including a forged license and her credit card, in an attempt to
purchase $6,600 worth of goods (#3 and #4).
He was tried and convicted in Maryland District Court, sentenced
to 10 years in State Prison, with all but five years suspended from May
2, 2006. He appealed and is currently seeking post conviction
relief. In the meantime, Federal officials caught up with him
for violating his supervised release, and he was transferred to Elkton
Federal Prison in Lisbon, Ohio, where he is awaiting release next
summer. What happens then is not clear, but if he goes free, I
have no doubt, based upon his public record of past performance, that he will strike
again.
With regard to our case, I have nothing but praise for the Federal
Officials who dealt with us, from the Postal Inspector who spent much
of his own time hunting the impersonator down, to the U. S. Attorney's
office which successfully prosecuted the impersonator, and the Federal
judge who meted out the maximum sentence permitted under sentencing
guidelines.
What concerns me was the unquestioning laxness on the part of the
branch banks and credit union when it came to verifying who the
person was, who was cashing the checks in my name. If the
bank teller's routine had been to verify the ID tendered with the check
(for example, simply being able to see if there were a Maryland and/or
Arizona license in my name and view it on screen) none of the three
checks would have been cashed in the first place. The
largest of the three checks was a withdrawal from the State Employees
credit union for $9500, and should not even been issued, if the
slightest attention had been paid to my signature card by someone
trained to compare signatures. Make the banks and credit
institutions accountable with sizable penalties if they are not.
No matter how hard we tried to prevent our bank from sending access
checks (despite letters ordering them not to) the checks are still
coming. We all probably need to learn to face the consequences
of spending beyond our means, but we also need to curtail unsolicited
efforts to ensnare us into more, largely unsecured, debt which in turn
can easily be used by someone else intent on stealing our
identity. Stealing mail today for the purposes of identity theft
is still a big business as witnessed by the fairly recent case of large
quantities of mail stolen from BWI/Marshall airport. In the case
of our stolen access check which we did not want in the first place,
the
teller indicated that it could not be cashed at that branch, but that
we had a home equity account with the bank.
I am still not clear how it happened, but the teller apparently
suggested depositing the access check to our home equity account and
writing a check on that account which she then cashed for the thief.
If there had been any kind of customer ID system at the bank
with
a photograph of me as their long-time customer, the impersonator would
have been caught. As it was,
he walked away with $3500. In addition, in only one of the three
branch banks where the checks were cashed were the surveillance cameras working,
Ultimately the impersonator was caught, but even though we spent weeks
attempting to find out what was going on, and were required to write
reams of letters, sign several affidavits, and refinance our house,
we were not considered victims in the eyes of the law.
Because the Bank and the Credit Union ultimately had to pay back
the money to us, they were considered the victims despite considerable
personal anguish and uncompensated labor necessary on our part to
re-establish our credit. Even though I testified under oath at the
impersonator's sentencing hearing, until yesterday, I was not listed as
a victim, and thus did not receive any information about the fact that
he had been freed. Surely there should be a central register of
such identity terrorists that combines Federal and State conviction
data. Such a database is maintained by the FBI (NICS) for
background checks for gun purchases. Why couldn't the same
be done for convicted identity thieves? At the time
of purchase, ATM withdrawal, or check cashing, a finger/thumb scan
could be required to effect the transaction, and not be completed until
it
was verified against a national databank. The technology exists.
Laws need to be written to require its implementation.
Give the victims of identity theft the means to track and
prosecute their impersonators quickly and with ease, and to
significantly penalize the public and private institutions when they
fail to act responsibly in protecting personal identity.
Dedicate any fines collected to a special fund to support
improvements in the technological care and secure management of
personal data in a permanent public electronic archives.
At all levels of government, we can better manage the
records containing personal information to prevent their abuse by the
likes of my impersonator.
It would appear that the State courts need to communicate better with the Federal courts
with regard to the identity and records of individuals charged within
both systems, and be required to maintain an integrated, web-based information system
similar to http://casesearch.courts.state.md.us. I get the
impression that the State's Attorney's office was not aware of the
extensive Federal record that our impersonator already had when he was
charged and convicted most recently in Maryland District Court.
If they were, it is puzzling why the sentence proved to be so light for such a repeat offender? I have been told
that the State sentence he just received last year (10 years with five
years suspended, really means only serving 2 1/2 years). Why
don't we have laws and sentencing that mean what they say and say what
they mean? Http://casesearch.courts.state.md.us
indicates that upon
release he is to serve 3 years supervised probation. Does that
mean that next August he should have a State Probation officer assigned
and be carefully watched for another three years? According the
Federal prison authorities in Ohio, there is no State detainer on his
file, which suggests to me that somehow the State has washed its hands
of a sentence that on surface of it should at least have his behavior
supervised until 2011 by a State Probation officer. Any
concerned citizen, let alone a bank or credit union, should be able to
answer such questions easily from readily accessible public information
on line that clearly explains what is going on and what the punishment
consequences of the conviction actually entail. In this case the
record implies one thing and the reality seems to be quite different.
In this era of the internet and widespread concern about identifying those
who would do this nation harm, it is equally important that we
manage
well the public records that not only help us track and identify
criminals, but also those which establish our identities and our
reputations. While the recordation of personal information is
easy to find on the internet, the internet makes it equally easy
to protectively house that information in a secure environment.
Deleting, hiding, or failing to collect private information does not
protect us; holding public agencies, banks, credit unions, and
all custodians of identity information accountable for its use and
abuse does.
Filtering what is accessible by establishing secure and uniform
guidelines as to when and why personal data can be retrieved is good
public policy. Having a well-managed, on line,
centralized data warehousing of personal data in the custody and shared
control of a single accountable government archival agency from
the moment of its creation, would not only be a cost
efficient means of disaster recovery, but also a single point of
public contact for integrated information retrieval of personal data
from many
different government sources (Federal and State Court Systems,
the MVA,
Vital Records, Parole and Probation, to name a few). Such a
permanent public record electronic archives would severely limit the
abuse of that data through one stop
retrieval and facilitate the apprehending of those who attempt to abuse
that data. For those who rightfully would be concerned about
governmental abuse of such a single public source of personal data, an
independent public records inspector general could be
created by the legislature for a specified term of good behavior to
investigate and prosecute any concerns the public might have with
regard to the misuse of personal information collected by governmental
agencies.
Perhaps you might also pass laws that prevent the sale to private
parties of bulk data containing personal information now sold under the
cloak of the Freedom
of Information Act, but this should only done concurrent with the roll
out of transaction-based web systems that provide public access.
Perhaps you could require that any electronic
records created by government be
scheduled for specified retention periods, transmitted to archival
security storage at the moment of creation, and made
available for
public access through the Archives as the centralized point of public
retrieval. I realize that making such a recommendation treads upon
the turf, and to some degree the special fund income, of some large
government agencies, but in my opinion, the best way to prevent stolen
identities is to make it so easy to catch the impersonators through
information sharing, that it simply is not worth their while to try.
Redacting or shielding data in the public record only makes it more difficult to catch
criminals. Not making the data gathering activities of State
Government uniform and inter operable through programs that search
across data sets, drastically slows the process of establishing
the facts of identity fraud. Just getting the evidence to sustain
an indictment against our impersonator required me to call Comptroller
Goldstein directly and personally request the release of my returned
reimbursement check which the impersonator had cashed. State policy a decade ago was
not to make the originals readily available to the document examiner who needed
to compare the signature on the check with my own.
In sum, it is not the withholding or suppressing of personal
information that will defeat identity theft. It
is in the standardization, preservation and integrated access to
personal information wherever it is collected by government
that will preserve our identities and defeat those who would terrorize
and defraud us by impersonation and identity theft. Too often the
victim is treated like the criminal. When I first
alerted our bank to the check fraud, the bank security person had the
audacity to suggest the criminal was our son who is bipolar, rather
than attempting to sort out what actually happened. It took two
days of strained telephone conversations to turn him around.
In the end, what we have
to pass on to those who come after us is our reputation and our good
name. It should be our charge, both collectively and
individually, to preserve that identity in a safe and secure
public record, not to obscure or to shield it forever from public
view.
I would suggest that your emphasis should be on making financial
institutions more responsible for due diligence on identity
verification and in providing greater scrutiny when dispensing credit,
and that you strengthen the rights of victims to seek reasonable
recourse with reasonable penalties against those institutions when they
fail to comply.
Thank you.
Addenda
Summary of recommendations presented at the hearing:
1) make it clear to victims and thieves alike what the criminal
penalties are for identity theft. Current laws and practices are
unclear and seem insufficiently severe
2) impose stiff fines on those institutions and individuals who fail to perform due diligence on identity verification
3) require greater scrutiny when dispensing credit; prohibit the
sending of unsolicited credit cards and access checks.
4) strengthen the rights and the ease of victims to seek reasonable
recourse with reasonable penalties when financial institutions violate
those rights. The goliaths have stables of lawyers.
Citizens can barely afford any.
5) require standardization, communication, and inter operability among
the personal data gathering functions of state and local
government
6) require that all personal information gathering activities of State
and local government be securely maintained and backed up in an
electronic archives environment operated by the State Archives for
both efficient data recovery/backup and verification
purposes
7) promote inter operability (effective communication) among all
agencies of government, Federal, State, and Local gathering personal
information
8) protect the privacy rights of individuals in all personal data
gathering endeavors of government, but do so with the understanding
that time plays a crucial factor in determining the extent to which
privacy restrictions should apply. Information about the life of
someone born in 1900 is virtually useless to an identity thief, but of
great importance to that person's family genealogist. In making
our current personal records secure from 'Big Brother' and a
prospective identity thief, let's not obliterate our ability to easily
catch the criminal or satisfy our descendants' need to know who we were
and what we did.