Office of Statewide Prosecution

STATEWIDE GRAND JURY REPORT

IDENTITY THEFT IN FLORIDA
IN THE SUPREME COURT OF THE STATE OF FLORIDA
Case No: SC 01-1095
FIRST INTERIM REPORT
OF THE
SIXTEENTH STATEWIDE GRAND JURY
January 10, 2002
(This document has been re-formatted for the Internet)

I. INTRODUCTION

Identity theft has been recognized as one of the fastest growing crimes in the nation, and as such the members of the Sixteenth Statewide Grand Jury were empaneled by the Florida Supreme Court at the request of Governor Jeb Bush to investigate and address associated issues as they occur in Florida.

In the course of our investigation, we heard testimony from:

  • representatives of the Department of Highway Safety and Motor Vehicles, Division of Driver License;

  • investigators from the Florida Department of Law Enforcement;

  • the Florida Highway Patrol;

  • the Social Security Administration, Office of the Inspector General;

  • the Florida Department of Professional Regulation, Division of Alcohol and Tobacco;

  • representatives from the banking industry, credit card industry and the credit reporting industry;

  • and victims of identity theft

During our term, we returned eight indictments on charges of Racketeering, Conspiracy to Commit Racketeering, Organized Fraud, Grand Theft, Money Laundering, Criminal Use of Personal Identifying Information, Insurance Fraud and Driver License Fraud; charging 33 defendants with 419 counts. Additionally, since the beginning of our term, our legal advisors have charged 23 defendants with 150 counts.

These cases involved identity thieves who obtained personal identifying information and in turn used that information to secure fraudulent driver licenses, credit cards, bank accounts, automobile loans, automobile insurance, government benefits and identity takeovers in the State of Florida. These cases not only involved the theft of vast amounts of money, but in essence destroyed the good name of the victims. We are shocked and outraged by the ease with which these crimes are committed and the enormity of the difficulties faced by victims in recovering from these acts.

In an effort to understand the nature and scope of this problem, we analyzed the efforts of Florida's public officials, State agencies, law enforcement, and the private sector to curb identity theft. We learned that Florida is in fact doing a great deal about the scourge of identity theft. Yet, in our view, there remains much to be done.

We wish to commend the vision and leadership of Governor Jeb Bush; the 1999 and 2000 Florida Legislatures; the Florida Cabinet; the judiciary; and the heads of state, local, and federal law enforcement agencies who are working together to solve the identity theft crisis. We are also gratified that private industry and government entities have joined together in a partnership to prevent identity theft in the first place and to address the serious problems faced by identity theft victims. An outline of the steps taken to date is attached to this Report as Appendix A.

Clearly the horrific and tragic events of September 11, 2001, catapulted the issue of identity theft to the forefront of the public's consciousness. As a result of those events, a multitude of government agencies and private entities are working together to strengthen our domestic security. One of the key issues being evaluated after September 11th is the state issued driver license and identification card process. As a result, many of the issues we have considered in the context of identity fraud in commercial situations are now being addressed because of public security concerns. We applaud those security efforts, and urge their implementation across the board wherever possible in order to deter identity theft in all of the various forms we have witnessed.

The costs associated with identity theft are enormous. It is estimated that the nationwide cost is $2.5 billion and is projected to grow by 30% per year reaching $8 billion by the year 2005. The average loss to the financial industry is approximately $17,000 per compromised identity.

For criminals, identity theft is an attractive crime. An identity thief can net $17,000 per victim, and they can easily exploit numerous victims at one time, with relatively little risk of harm. By comparison, the average bank robbery nets $3,500 and the criminal faces greater risk of personal harm and exposure to a more serious prison sanction if convicted.

We learned that the average time between the occurrence of the crime and discovery by the victim is 12.7 months, with almost 10% of cases taking in excess of 60 months before discovery. We learned that while the elderly population is not specifically targeted, they are particularly vulnerable. Based on their status in life, the elderly population is less likely to engage in credit dependent transactions on a frequent basis and therefore are less likely to become immediately aware that they are the victims of an identity thief. Most individuals become aware of their victimization when an application for credit is declined due to fraudulent information being contained within their credit reports or after they have been contacted by a bill collector attempting to collect a debt that they did not incur.

We did not fully appreciate the magnitude of the problem before we heard about issues of easy access to personal identifying information, the ease with which false identification documents are obtained and created, how these documents are relied upon by the private sector to establish the identity of the person presenting them, the public safety concerns, and the huge monetary losses.

We learned of the many crimes that can grow out of identity theft. Among them are:

  • credit card fraud, where credit cards are opened in the victim's name or unauthorized charges are made to an existing credit card;

  • receipt of unauthorized phone or utility services, where the identity thief established a new telephone, cellular phone or other utility service in the victim's name;

  • bank fraud, where the identity thief opened bank accounts, wrote checks or performed unauthorized withdrawals from existing accounts;

  • fraudulent loans, where personal property and loans to purchase vehicles, real estate and merchandise were obtained;

  • fraudulent receipt of government benefits, i.e., welfare, disability and tax refunds;

  • various forms of insurance fraud

In addition to these and other crimes, identity theft has other consequences as well. Among these are:

  • victims having criminal records based on an identity thief using the victim's name during an arrest;

  • identity thieves obtaining employment in the name of the victim;

  • medical insurance or medical services obtained in the name of the victim

Identity fraud presents enormous public safety concerns. Law enforcement is unclear as to the true identity of the person with whom they are dealing. Identity thieves can successfully mask their true identity and criminal history for various nefarious purposes. The identity thief can endanger public safety by masquerading as an individual with special qualifications such as a doctor, lawyer, or other trained professional. In addition, the identity thieves have represented that they possess driving qualifications such as those conferred by a commercial driver license when in fact they are not qualified.

We learned that an individual whose identity has been compromised faces an enormous, emotional and frustrating task to clear their good names. The Federal Trade Commission's Identity Theft Clearing House estimates that victims spend, on average, almost 3 months of their lives and over $800 out of their own pockets to remove the information added to their reports as a result of the identity theft. Victims are faced with a bureaucratic quagmire from the various financial institutions and credit reporting agencies that they are forced to deal with in removing the charges and entries incurred by the identity thief. A serious problem faced by the victim is the inconsistency of requirements that the various financial institutions impose to remove the fraudulent data. There are instances where victims are arrested as a result of crimes committed by the identity thief in their names, and the removal of the arrest from their record is oftentimes an insurmountable task since the victim was actually arrested and the report of that arrest would be considered accurate information. To further frustrate the victim, general confusion exists as to which law enforcement agency to report the crime to, since jurisdictional questions are present in each investigation.

We now have a clear sense that in the past few years, Florida has devoted legislative efforts and, in turn, investigative and prosecutive efforts to combat the problem of identity theft. In spite of these efforts, the Federal Trade Commission reports that identity theft complaints are on the rise and, in turn, the difficulties in the investigation and prosecution of these cases would necessarily follow.

To that end, we have detailed our work to the extent authorized by law, and documented our several suggestions and recommendations of specific action points for consideration by the various stakeholders in this issue - but most importantly, as a crime prevention message to the people of this great State.

II. SCOPE OF THE INQUIRY

We began this undertaking after listening to testimony and evidence in identity theft related cases. At first we intended this report to be wide ranging and comprehensive. But the events of September 11th have overtaken our work to some extent, in some ways delaying our work, in other ways accelerating the timetable for our efforts to be completed. Many of the issues we considered had already been recognized by private and governmental entities and the shock of last September's events sent ripples throughout our country that caused everyone to likewise accelerate their efforts and institute needed changes and reforms on an expedited basis. In many ways this has made our work all the more complicated in that the landscape changes on an almost daily basis, yet we are gratified that so much has already been done. With that in mind, we focused our report on three areas we believe still need more attention; security of Florida's driver license, security of our private information, and the treatment of identity theft victims.

At the inception of our inquiry we quickly became concerned that these illegal activities were not limited by geographical area. We also became concerned at the lack of infrastructure and support for victims of identity theft who are forced to go it alone in the difficult, daunting and sometimes crippling task of rebuilding their credit and lives. And we especially became concerned that identity thieves appeared to be utilizing information in the hands of the government.

In response to our factual inquiry this is what we found.

III. FINDINGS

A. FLORIDA'S ENFORCEMENT EFFORTS
1. The Florida Department of Law Enforcement

The Florida Department of Law Enforcement has put in place a task force of specifically dedicated investigators to combat identity theft. Operation LEGIT (Law Enforcement Getting Identity Thieves) has 5 Special Agents throughout the State assigned full time to the investigation of identity theft cases.

In addition to the investigation of identity theft related cases, Operation LEGIT agents conduct educational seminars on the investigation of identity theft related cases for various law enforcement audiences.

The investigation of identity theft related cases is not limited to Operation LEGIT, however, and the full complement of FDLE special agents are available to perform these investigations.

2. The Florida Highway Patrol

The Florida Highway Patrol (FHP) has the responsibility to conduct criminal investigations into suspected driver license (DL) fraud. The FHP has implemented a special task force based in South Florida to investigate suspected DL fraud. Aside from this special task force, the FHP has 12 investigators statewide who perform, among other duties, the investigation of driver license fraud.

The Florida Highway Patrol has assigned a top ranking law enforcement officer to consult with the Division of Driver License administrators and liaison with external law enforcement agencies in order to assist in identifying fraud and security issues in the driver license process that are of particular interest to the law enforcement community.

In addition to the FHP, the Department of Highway Safety and Motor Vehicle, Division of Driver License has implemented a fraud unit whose primary duty is to perform a civil investigation into suspected DL fraud. There are currently only eleven people assigned to this unit.

3. The Department of Business and Professional Regulation

The Department of Business and Professional Regulation, Bureau of Alcohol and Tobacco, has a specialized unit to train law enforcement in document identification and identification of fraudulent driver licenses. The Division additionally seeks to assist retailers in preventing underage access to alcohol and tobacco by training them on the identification of false IDs. The Division has reviewed over 20,000 counterfeit and questionable identification documents in the year 2001 alone.

This Training Unit is nationally recognized for its expertise and routinely provides educational seminars for various law enforcement agencies and driver license administrators throughout the country.

4. County Sheriffs and Municipal Law Enforcement Agencies

The various county sheriffs and municipal law enforcement agencies, including local State Attorneys, are dealing with the investigation of identity theft related cases through their economic crimes units and are developing the expertise and skills necessary to conduct effective investigations of identity fraud cases. These agencies are generally the victim's first point of contact when reporting an identity theft related case.

5. Federal Involvement

In addition, there are several federal agencies which undertake the investigation of identity theft and identity fraud related cases. Among these are the Federal Bureau of Investigation, the Secret Service, the U.S. Postal Inspection Service, the Federal Trade Commission and the Social Security Administration.

We learned that the Federal Bureau of Investigation, as part of their renewed mission statement, has announced that they plan to minimize their involvement in fraud related cases. This leaves the other mentioned federal agencies as well as state and local law enforcement as the primary venue for the investigation of identity theft related cases.

B. SECURITY OF DRIVER LICENSES

The Department of Highway Safety and Motor Vehicle, Division of Driver License (DDL) has the responsibility of issuing and maintaining the records of all Florida issued driver licenses and identification cards. The DDL currently maintains records and information on 14 million Florida Driver Licenses and several million identification cards.

Florida law allows the various county tax collectors to enter into a contract with DDL so that the tax collector can deliver driver license services. It is our intent that recommendations that are made to and regarding the DDL also apply to the contracted county tax collectors.

The Division of Driver License employs 900 driver license examiners working throughout the State. The minimum requirements to be a driver license examiner are a high school diploma and one year of experience dealing with the public. The average driver license examiner makes approximately $20,000 per year. The DDL is currently in the process of enhancing their driver license examiner selection process by development of examiner standards and requiring a polygraph, background check, fingerprinting and drug testing of applicants.

The Division of Driver License sets forth the rules and procedures to be followed in the issuance of a DL or ID card. This is done in concert with the statutes that set forth what information can be required from the applicant and what information can be retained.

Florida law currently requires the driver license or identification card applicant to provide their full name, gender, social security number, residence and mailing address. Proof of date of birth and identity satisfactory to the department must also be provided. Florida law says that proof of identity must include a certified copy of a US birth certificate, a valid US Passport, an alien registration receipt card (green card), an employment authorization card issued by the United States Department of Justice, or proof of non-immigrant classification provided by the United States Department of Justice, in order to secure an original license.

In the review of all of the acceptable documents, an examiner has only experience and memory to consult to evaluate the legitimacy of the documents presented . There is no requirement that a second examiner confirm that the documents are in order. Copies of the documents presented are not retained. The DDL has recently been provided with training by the Immigration and Naturalization Service on the identification of the various INS documents.

The DDL indicates that they conduct over 30,000 transactions a day. The enormous workload that most DL offices and examiners face, pressures from long lines of impatient customers, along with the multitude of documents the examiner is presented with, and the amount of discretion granted to each examiner, creates the opportunity for a harried or dishonest examiner to claim that proper identification documents were provided when they were not.

The applicant is also required to disclose if they have previously been licensed to drive and, if so, when and by what state, and whether any such license or driving privilege has ever been disqualified, revoked or suspended, or whether an application has ever been refused. The applicant must also sign a consent form authorizing the State of Florida to obtain the applicant's driving record from the original issuing state. The examiner only has access to a nationwide "problem driver database" that contains information from states that are members of the American Association of Motor Vehicle Administrators, AAMVA. The "problem driver database" only lists those drivers who have had their driving privileges revoked or suspended by one of the member states. The examiner does not have access to digital images or other identifying information from these other states to verify that the person who is representing themselves as a licensed driver from another state is truly that person.

Currently, Florida law does not require an applicant for a driver license or identification card to submit a fingerprint. Since no fingerprint is submitted, subsequent fraud investigations are hampered as is the ability of a victim of identity theft to conclusively prove that their identity was stolen.

Florida law also sets forth the validity period of a driver license. An original issue driver license is good for six years and renewable for periods of four years or six years depending on the driver's driving record. The renewals are achieved by affixing a sticker to the DL issued by the DDL, or in cases of a digital image type DL, the mailing of a renewed license. The driver need not appear in person to accomplish the renewal. The license can be renewed by this method on two occasions. As a result a driver can retain the same license and outdated photograph for up to 18 years. Due to the extreme longevity of the driver license and identification card, the protections afforded by driver license security features are only as good as the technology of the oldest license still in circulation.

Additionally, security of the driver license itself is only effective as long as the technology and the stock that is used to generate the card is protected from theft and misappropriation by the DDL. We have learned that within the past month, a driver license office was burglarized and all of the hardware equipment necessary to create a Florida driver license or identification card was stolen.

We were outraged to learn through a recent case that driver license examiners have participated in the fraudulent issue of driver licenses and identification cards. In that case, nearly an entire DDL office participated in this fraud. Although the DDL has standard operating procedures in place that should have prevented this behavior there were numerous deviations from the standard operating procedures.

The fraud was able to be committed in that case because the corrupt examiners were able to take an applicant for a driver license through the full application and issuance process. We learned that persons wanting to secure a fraudulently issued driver license or identification card were routinely referred to the particular, corrupt examiner.

During identity theft and driver license fraud investigations, it is often difficult if not impossible for the investigator to determine what identifying documentation was provided by the applicant since there is no copy of the document retained by DDL. The examiner may or may not indicate on the application what document was provided. Although not currently being utilized by DDL, technology exists to electronically scan all identification documents presented and retain them in digital form with the application. We further understand that the DDL has identified this as being an area of concern and is in the process of taking steps to implement procedures that would allow for the scanning and retention of these documents.

We heard testimony that during identity theft and driver license fraud investigations the address provided by the applicant is often an invalid address. The invalid address does not give the investigator a starting point for their investigation.

We learned that under Florida law, an applicant for a driver license or identification card does not have to be a resident of the state of Florida, and currently there is no procedure in place to verify the validity of the address provided by the applicant.

We understand that there are times when an applicant for a driver license does not possess all of the required documents, or that the possessed documents are of such a nature that they do not lend themselves to immediate authentication and verification. We recognize that the applicant may have a pressing need to secure the legal authority to operate a motor vehicle. The DDL has told us that they recognize this as an area of concern as well and is currently implementing a procedure to issues a temporary driving permit, that is not valid for identification, to foreign nationals, until their documents can be verified.

We learned and recognize that some citizens of the State of Florida wish to protect themselves from identity theft and fraud and are willing to endure some additional inconvenience. Currently, there is no provision to allow for citizens to voluntarily increase their security features such as a personal identification number or other form of password protection.

We recognize that any security feature that is afforded to the new driver license or identification card will not be effective while the older versions of the driver license or identification card are still in circulation. As new security features are implemented and deployed, the identity thief or counterfeiter could simply resort to using an older version of the driver license or identification card that is still valid.

We learned that the current media (card stock and laminates) that is being used for the driver license and identification card is not difficult to alter, fabricate, unlawfully duplicate and is subject to erasure and other modifications.

We recognize that any single security feature can be compromised. Effective security is achieved when various features are layered. There are many security features available, that prevent or thwart erasure and tampering, such as embossed or imbedded lettering. Other security features available are a two dimensional bar code with sufficient authentication information, including the ability to hold a digital image of the licensee, and is able to be scanned by law enforcement. Further security features are the use of magnetic stripe or other like technology that would be useable by merchants and the financial industry; smart chips and other smart card technologies; unique font, ink color and multi-color arrangement to alleviate fraud; micro printing which has proven effective against counterfeiting; high quality ultraviolet ink on the front and rear of the license has proven highly effective against counterfeiting; ghost imaging, or a secondary photograph of the holder in an alternative location on the card and multiple-layered holograms, including those that are 3 D in nature.

During the course of our term numerous examples were presented to us in which the identity thief had multiple licenses with their photographs under different names, issued by the DDL. The identity thief is currently not discouraged from this behavior since no protocols are in place to routinely search the DDL database for duplicate digital images. The DDL requires an applicant for a driver license or identification card provide their social security number. Currently a would-be identity thief can provide a made up social security number or one that belongs to another person and the DDL would not know. We learned that online verification of social security numbers is possible through a contractual relationship and subsequent interface with the Social Security Administration. This interface would allow the DDL to automatically validate the social security number provided by the applicant, determine validity and to whom assigned.

We learned that wanted persons routinely transact business at the various driver license offices. These individuals can do so with impunity since there is no procedure in place to allow for the real time electronic sharing of information between the driver license database and FDLE.

During case presentation we learned that private driving schools are often utilized in obtaining fraudulent driver licenses and fraudulent issue commercial driver licenses. Some of these schools would provide all of the necessary documentation, test results and fraudulent medical examination for anyone willing to pay the required fee to secure a commercial driver license. Although federal law mandates state regulation of these schools, there are currently only 8 individuals statewide to inspect and monitor the 126 schools located throughout the state.

Currently there are no uniformed law enforcement officers routinely assigned to the driver license offices. We heard testimony that individuals (brokers) prowl the parking lots of driver license offices ready to provide fraudulent documentation to would-be identity thieves.

We learned that while merchants or financial institutions have the ability to read the magnetic stripe on the driver license and identification card, there currently is no procedure that allows for these merchants or financial institutions to verify the information. Merchants and financial institutions do not have access to any database maintained by or contributed to by DDL that contains verifying information.

We recognize that all of the recommended security features and procedural changes may add to the cost of issuing a driver license or identification card. We have learned that Florida currently charges $10 for a replacement driver license while it costs $10.50 to produce. This fee is among the lowest in the nation.

C. SECURITY OF PERSONAL INFORMATION

As an investigating body examining evidence in criminal cases, our inquiry naturally included questions concerning the source of the information used to compromise someone's identity. This is generally what we learned.

Florida has one of the most open public records laws in the country. Virtually all of our government documents and information are available to the general public for the asking. This information, subject to some exclusions, contains virtually all of the information an identity thief would require to compromise someone's identity.

Additionally, a great deal of personal identifying information is gathered by the government in day to day operations that may not be necessary and vital to the integrity of the transaction. Social Security numbers for example are requested on everything from applications for a driver license to school volunteer forms.

Once this information comes into the hands of the government it then, with some exceptions, becomes public record. This information is gathered by computer database search companies and approximately 500 consumer reporting agencies, and is used by, among others, business people, attorneys and investigators to verify and gather information on customers, clients, debtors and persons who are the subject of various investigations. This information can also be used by the identity thief to develop a full dossier on their next victim. For example, on-line access to court records, driver license records, motor vehicle registration information, applications for state jobs, travel vouchers of state employees, traffic accident reports and reports of crimes by victims are readily available. These documents contain names, dates of birth, social security numbers, home addresses of the individual and potentially their family members, credit card information, and other potentially valuable personal information.

The private sector also gathers a great deal of information on their customers and clients. Recent privacy policy notices sent to customers, in compliance with federal legislation, indicate a presumption on the part of the private sector that once the customer's personal information is in the possession of the private sector, it is theirs to use as they please unless the customer actively objects, or "opts-out". Medical service providers routinely request the social security numbers of their patients and insurance companies routinely request the social security number and other personal identifying information of their customers. This information is gathered and placed into other documents and files that then find their way into the stream of commerce.

We have identified that the government and business take in much more information than necessary to conduct business. For example health clubs require members to disclose their social security numbers on applications for membership; video rental stores ask for social security numbers on applications; and life insurance companies ask for social security numbers of beneficiaries; local governments ask for social security numbers on routine transactions. We were distressed to learn from the Interim Project Report by the Committee on State Administration and Committee on Information Technology that 96.3% of state agencies do not even have a written policy relating to the collection of social security numbers. This same report indicates that 63% of these agencies disclose social security numbers on some public record requests.

Medical service providers and insurance companies routinely substitute social security numbers for patient or policy numbers, unnecessarily exposing this sensitive information to scrutiny on such documents as health and insurance cards. Unsecured mailboxes and trash containers provide thieves with easy access to this personal information.

Last year Congress recognized the issue of consumer privacy by passing the Graham-Leach-Bliley Act in recognition of the importance of the privacy of our citizens. That act essentially gave citizens the right to prevent their private information from being disclosed to third parties and mandated notices to that effect be sent to all consumers. While protecting citizens from the sale of personal information in the private sector, it did not address the collection and dissemination of personal information by our government. Government secures personal and private information from citizens in countless ways. While this information may be necessary and appropriate for government to perform its functions, we don't see the necessity of government freely disseminating or worse, selling it back to the public.

Florida, along with many other states has a long history of keeping government records in the sunshine. Open government laws such as Florida's Sunshine laws serve a valuable and important purpose by allowing citizens as well as the press to perform its watchdog functions. We do not suggest that government should withhold information that its citizens need to ensure that government carries out its role in a fair and efficient manner. However, there is a vast difference between information documenting what the government is doing on the one hand, and private and personal information that government has collected from its citizens for a specific and limited purpose on the other. Unlike transactions in the private sector, citizens do not have the ability to opt out of government sharing or disclosure of their private information.

Florida public records law trace their roots back to the turn of the century when anyone who wanted to check a public record had to drive his horse and buggy to the county seat, check in with the custodian of records and laboriously pore over large dusty volumes. This slow and painstaking process was a built in check against abuse of the system. No electronic copies, no computers, and no Internet searches.

We must balance the value of the oversight of government with the privacy rights of citizens.

The Fifteenth Statewide Grand Jury addressed the issue of private information in government hands in the context of PIP Fraud. Finding that ambulance chasers were gleaning personal information from traffic accident reports in order to perpetrate fraud, the Grand Jury recommended exempting traffic reports from the public records statute for 60 days. A recommendation that Florida's Legislature, to its credit, immediately embraced and codified into Florida Statute 316. Over the years the legislature has created over 700 exemptions to the Public Records Law in an effort to strike this balance. We are also aware that the legislature is continuing to look into further exemptions, and that there are bills pre-filed addressing the issues of collection and dissemination of social security numbers. We commend the Florida Legislature for its vision and strongly encourage these efforts in this regard.

We suggest that rather than assuming everything government collects is automatically a public record unless otherwise exempted, we believe the presumption should be reversed. That is, private information collected from citizens should be presumed confidential and non-disclosable unless there is a statutory ground for its release. We are not convinced that doing so would violate the spirit and intent of the First Amendment.

D. VICTIMS OF IDENTITY THEFT

Identity theft victims are treated as if they rank low on the totem pole. Though much progress has been made by law enforcement and prosecutors, problems for victims of this crime persist.

These problems can take many forms. For many victims, the problems start with the initial contact with law enforcement agencies. Despite the explosive growth in these types of cases, this is still a non-traditional crime and many officers do not have first hand experience with this crime. As a consequence, many law enforcement agencies still express reluctance to even take reports much less investigate.

Too often they believe the issues raised in identity theft cases to be a civil matter, better handled by lawsuit than arrest. Jurisdiction too plays a complicating part in that many of these crimes concern activity occurring far from where the victim lives, sometimes even out of state and well outside of the traditional jurisdictional boundaries. Not enough officers or law enforcement agencies are acting on Florida's recently enacted statute, Florida Statutes 817.568(8), which allows law enforcement to investigate and prosecute identity theft cases where the only contact with their jurisdiction is the residence of the victim.

Victims of identity theft are usually attempting to prove that they are not responsible for a certain debt or charge, or that they are not responsible for a crime committed in their name. Much of their contact with law enforcement involves at least one of these scenarios. It is understandable then, that their claims are sometimes viewed with skepticism. Certainly law enforcement cannot be faulted for not readily accepting a claim that they have the wrong suspect in custody. Claims of mistaken identity have long pre-existed ID theft cases. So, too are creditors reluctant to walk away from their money on a bare claim of stolen identity. Somewhere between suspicion and skepticism on one side, and gullibility on the other, we must find a middle ground where all the law abiding parties can continue to function without the interference of identity thieves.

Victims of identity theft can lose a lot more than money. Often the immediate and direct consequence of ID theft is the destruction of someone's credit record. A negative credit history can cost someone the opportunity to secure a job or purchase a home, opportunities that may not return for victims in the near future. A negative credit history can also lead to lost business opportunities or even bankruptcy. Unexplained credit cards and numerous unauthorized charges can lead to suspicion and discord in a familial relationship. Perhaps the worst thing that can happen to a victim of an identity theft is to be arrested for crimes committed by the impersonator. A person's dignity, good name and reputation in the community can be destroyed by a callous and indifferent identity thief. Once destroyed, a victim may spend years attempting to recover. While Florida has made significant progress in the detection and prosecution of identity theft cases, little has been done to directly address the staggering costs imposed upon the victims of these crimes. Florida must commit to enhancing and even restructuring the system in place as it relates to victims of identity theft. Changes need to be made in how law enforcement treats the victims. The judicial system has to make changes in how it goes about restoring victims to their previous status. The entire financial industry, credit card issuers, banks and merchants have to not only strengthen their procedure to avoid this fraud in the first place, they have to commit their customer service resources to helping victims of identity theft, ultimately their customers, restore their credit and good standing. None of these changes will come easy nor will they be cheap, and certainly any changes wrought will carry with it the risk of new complications and perhaps new types of fraud. Whatever the difficulties however, we must come to realize that the situation faced by tens of thousands of victims of identity theft is not only unfair, but unacceptable and we can no longer remain satisfied by the status quo.

Factual Findings

With this as the backdrop, we heard from numerous victims of identity theft whose primary obstacle in overcoming their victimization was repairing the damage to their credit report caused by the identity thief. The credit reporting industry operates within the confines of the Fair Credit Reporting Act (FCRA), and utilizes it as both a shield and a sword in their dealings with consumers.

The FCRA authorizes the release of the information maintained by the consumer reporting agencies for limited purposes. Among these are employment, housing, licensure, and credit worthiness. The consumer reporting agencies are also authorized to release a consumer report for transactions that are not initiated by the consumer, or for offers of insurance or credit. A consumer may elect to have their name and address excluded from these types of transactions by notifying the consumer reporting agency. This is referred to as an "opting out."

The FCRA sets forth the procedure that a consumer must follow in order to dispute the accuracy of information reported on their credit report. The FCRA does not, however, dictate what documentation the consumer reporting agency must accept in order to determine that the information is inaccurate or a result of fraud.

If a consumer disputes information on their consumer report they must send notice to the consumer reporting agency. Upon receipt of this notice, the consumer reporting agency is obligated to indicate this fact upon the consumer report. A consumer reporting agency, once notified of a dispute, is required to "reinvestigate" the status of the disputed information or delete the item from the file within 30 days. The consumer reporting agency is required to send a notice to the provider of the disputed information within 5 business days requesting information that will allow the agency to "reinvestigate" the information. The consumer reporting agency is required to remove any information found by them to be inaccurate or incomplete, or that cannot be verified. If, after a "reinvestigation," the credit reporting agency determines the information is accurate and complete, the consumer has the right to add a statement to their consumer report disputing the accuracy or completeness of the information.

A consumer is entitled to request a copy of their own credit report, for a fee (currently up to $8.50) or receive one for no charge if the consumer has been subject to some negative action based upon the credit report. Additionally, as allowed by the FCRA, some states have enacted legislation that allows consumers to receive one or two consumer reports per year at no cost to them. Florida has not enacted such legislation.

If a consumer believes that they have been the victim of fraud, The FCRA allows the consumer to have a fraud alert placed upon their consumer report. The fraud alert acts as a notice to the extender of credit that this credit file has been subject to fraudulent activity in the past and that they should make contact with the consumer prior to extending any credit or benefits. There is currently no requirement that the extender of credit act on the fraud alert.

The FCRA also sets forth the responsibilities of the providers of information to consumer reporting agencies. The Act prohibits the providers of information from reporting information with actual knowledge that it is in error or after being notified that information relating to a consumer is inaccurate. A provider of information has a duty to correct and update the information they provide once they become aware that the information is incomplete or inaccurate. Additionally, the provider of disputed information must notify the consumer reporting agency that such information is disputed by the consumer. Once notified by a consumer of a dispute, the provider of the information must conduct an investigation with respect to the disputed information; review all information provided by the consumer; report the results of the investigation to the consumer reporting agency and if the information is found to be incomplete or inaccurate, report those results to all consumer reporting agencies.

The following are illustrations of what some of the victims related to us as difficulties they faced in dealing with credit grantors:

  • One victim's bank required her to fill out a separate fraud affidavit for each check passed.

  • Another victim reported a retail chain required a separate set of paperwork for each store where fraudulent transactions occurred.

  • Many victims reported that fraud alerts that had been placed on their credit reports were disregarded by subsequent lenders.

  • Another victim reported that a major utility insisted on the following laundry list of requirements, three forms of identification, a written statement from her attorney handling her case, a lease agreement that showed that she lived at a different address, a written statement from her employer and a written statement from the Post Office that she was not living at the address where the services were provided, before removing a fraudulent account.

  • Victims of identity theft are required to deal with three major credit reporting companies to resolve each fraudulent account.

  • Another victim had to make multiple phone calls just to locate the correct office of a national retail chain to report a fraudulent account.

  • Another victim whose identity thief opened a deferred billing account (90 days same as cash) did not become aware of the fraud until six months after the account was opened when she was contacted by a collection agency.

  • One out of state victim who was defrauded by an identity thief in Florida was told that he would have to travel to Florida and petition the Florida Court to have the fraudulent account removed from his credit file.

    The victims' problems go beyond financial.

  • We learned that one victim of identity theft nearly had his marriage destroyed when the identity thief, posing as the victim, was in an automobile accident in another state with a member of the opposite sex as a passenger.

  • Another victim reported being detained in County Jail for four days pending extradition to Florida as a result of warrants issued for crimes committed by the identity thief.

The State of California recently enacted legislation that gives consumers a right to be able to "freeze" their consumer report. In essence, if a consumer freezes his report, no new transaction that relies on the consumer report, i.e., extension of credit, issuance of life insurance, pre-employment screening, etc., could be conducted without the consumer removing this freeze. In order to facilitate the freeze, the consumer is required to notify the consumer reporting agencies by certified mail instructing the reporting agency not to release the consumer's report for new transactions until further notice by the consumer. Once the consumer reporting agency receives this request from the consumer to freeze, they must provide the consumer with a Personal Identification Number (PIN) which would allow the consumer to request their report be unfrozen for either a specific period of time or for a specific business or lender. This legislation was signed into law in September of 2001, and gives the consumer reporting agencies until the year 2003 to implement the technology and procedures required to come into compliance with the legislation. We are unable, at this point, to determine if the potential to eliminate identity theft is outweighed by the negative commercial consequences reported to us by the credit reporting industry. Nevertheless, we believe Florida's citizens should have this same protection and security. We urge the legislature to study this issue to determine if similar legislation in Florida is needed.

III. SUMMARY OF RECOMMENDATIONS

SECURITY OF DRIVER LICENSES
  • Finding: a driver license or identification card can be obtained using identifying (breeder) documents that have been counterfeited or that do not belong to the person presenting them and the breeder documents are not properly validated

  • Recommendation: DDL employ all techniques necessary to properly validate these documents not only to establish that they are government issue but that they belong to the person who is presenting them as their own. In order to accomplish this, access to various online verification systems and better document analysis training is needed.

  • Finding: certain driver license examiners have participated in the fraudulent issue of driver licenses and identification cards

  • Recommendation: DDL enforce policy that more than one examiner be involved in the driver license or identification card issuance process

  • Finding: corrupt driver license examiners were sought out by identity thieves in order to secure a fraudulent driver license or identification card

  • Recommendation: DDL enforce a policy requiring DL Examiners to rotate stations periodically during the day so they do not have the ability to take the applicant through the process from start to finish.

  • Finding: the Florida Highway Patrol currently has only 12 investigators assigned to, among other things, the investigation of driver license fraud

  • Recommendation: FHP expand their investigative unit and assign more investigators to the investigation of driver license fraud

  • Finding: during identity theft and driver license fraud investigations, it is often difficult if not impossible for the investigator to determine what identifying documentation was provided by the applicant since there is no copy of the document retained by DDL.

  • Recommendation: DDL photocopy or scan all identification documents presented and retain them with the application.

  • Current Status of Recommendation: the DDL has identified this as being an area of concern and is in the process of taking steps to implement this recommendation

  • Finding: address provided by the applicant intent on committing fraud is often an invalid address.

  • Recommendation: implement address verification by requiring documentary proof from the applicant or through online database verification of the address provided

  • Current Status of Recommendation: DDL has recognized this as being an area of concern and has included it in their Strategic Plan.

  • Finding: DDL's current address change procedures are susceptible to fraud

  • Recommendation: DDL send a letter to the last address on file confirming the address change.

  • Finding: DDL does not require a fingerprint be placed on the initial application for a driver license or identification card so that fingerprint verification could be performed on subsequent transactions. The lack of fingerprints hampers the investigation of identity theft complaints and hurts the victim's efforts in clearing their good name.

  • Recommendation: DDL begin requiring a fingerprint from the applicant and retain the print electronically with the DL Record

  • Finding: Some applicants do not possess all of the required documents, or that the possessed documents are of such a nature that they do not lend themselves to immediate authentication and verification at the time of application

  • Recommendation: that DDL issue a temporary driving permit that is not valid for identification, to an applicant with questionable documentation until documents are able to be provided and verified or other questions are resolved.

  • Status of Recommendation: DDL is currently implementing a limited version of this recommendation in that they have begun issuing a 30 day driving permit for foreign nationals to allow for additional time to validate their provided documents

  • Finding: Supervisor involvement is not mandated when questionable documents are presented

  • Recommendation: DDL mandate supervisor intervention and approval on transactions where questionable documents or applications are placed in front of the examiner

  • Finding: Some citizens of Florida wish to have more control over their DL for the prevention of identity theft and fraud and are willing to endure additional restrictions in order to safeguard their information

  • Recommendation: DDL allow an applicant to place a password or PIN number on their DL file for future use and verification. If a license holder has activated this feature on their driving record, any subsequent transaction conducted by that license holder would require the entry of their PIN number or password. PIN or password should not be encoded on the driver license or identification card itself.

  • Finding: excessive longevity of the driver license compromises the ability of new security features to be effective

  • Recommendation: driver license and identification card renewal process should be limited to two renewals every 3 years. The first three year renewal can be conducted via the mail or the Internet, however, the subsequent renewal should require the holder to appear at a driver license office and secure a new driver license or identification card.

  • Finding: Current card stock and laminate (media) used for the DL and ID card is susceptible to erasure and other modifications

  • Recommendation: the media used for the creation of the driver license and identification card should be of such a nature that it is extraordinarily difficult to alter, fabricate, or unlawfully duplicate.

  • Finding: no security feature is effective if the technology and media used to produce the card is not protected from theft and other forms of compromise

  • Recommendation: security features and inventory controls must be implemented and enforced to protect the card stock, laminates and other equipment and technology needed for the production of driver licenses and identification cards.

  • Finding: no single security feature can act as a panacea to prevent fraud

  • Recommendation: DDL implement multiple security features to deter compromise. Such as:

    • embossed or imbedded lettering to prevent erasures or tampering;

    • two dimensional bar code with sufficient authentication information contained therein for scanning by law enforcement;

    • use of magnetic stripe or other like technology that would be accessible by merchants and the financial industry;

    • use of smart chips and other smart card technologies;

    • use a unique font;

    • ink color and multi-color arrangement of text;

    • continued use of micro printing;

    • use of high quality ultraviolet ink on the front and rear of the license;

    • use of ghost imaging, or a secondary photograph of the holder;

    • use of a multiple-layered holograms, preferably 3 D, with embedded image of driver

    • unique card stock that is subject to regulation

  • Finding: identity thieves were able to secure from the DDL multiple licenses with their photographs under different names,

  • Recommendation: employ technology to automatically scan database for duplicate digital images on different DLs or ID cards to immediately identify individuals who hold multiple licenses or identification cards under different names

  • Finding: the required Social Security number is not subject to validation by DDL

  • Recommendation: conduct online verification of social security number via an electronic connection with the Social Security Administration

  • Status of Recommendation: the DDL currently has a contract pending approval by the SSA to provide online access for verification

  • Finding: wanted persons routinely transact business at the various driver license offices unbeknownst to DDL or law enforcement

  •  Recommendation: implement a procedure to allow for the electronic sharing of information between the driver license database and the FDLE so they can then compare this data with the various state and federal criminal information databases to check for warrants and alert law enforcement when a wanted person or suspected terrorist applies for or obtains a driver license or identification card.

  • Finding: some private driving schools and third party testers for commercial driver licenses are committing fraud by falsifying documentation

  • Recommendation: new procedures be developed with regard to private driving schools and commercial driver license schools to subject them to stricter state regulation and routine audit and investigation.

  • Finding: Driver License Offices are not routinely assigned uniformed law enforcement

  • Recommendation: assign law enforcement to the driver license examination offices to provide security for people and property and to act as a deterrent to fraud.

  • Finding: current magnetic stripe on DL and ID card is being underused by law enforcement and the private sector:

  • Recommendation: DDL publicly encourage both law enforcement and the private sector to secure the necessary card readers in order to read the magnetic stripe and the provided information.

  • Finding: Private sector has no access to any online verification provided by the DDL to validate the provided ID or DL

  • Recommendation: develop and deploy limited access to the DDL database that would allow for a merchant or financial institution to verify the driver license information

  • Finding: Florida has one of the lowest driver license fees in the nation and, in fact, charge below cost for a standard driver license issuance. Necessary security enhancements to the DL and ID card will increase the cost of a new license

  • Recommendation: pass on the cost increase of the new security features to the user of the services, the DL and ID card holders, by raising the license fees to cover the costs.

SECURITY OF PERSONAL INFORMATION

  • Finding: personal identifying information received by financial industries is treated as the property of the recipient

  • Recommendation: change business practices to reflect that the mere act of providing personal identifying information as a condition of obtaining credit or services should not be presumed as granting the recipient the right to sell or disclose it for an unrelated purpose.

  • Finding: the financial industry routinely sells and discloses personal identifying information of the customer unless the customer affirmatively objects

  • Recommendation: the financial industry be prohibited from selling or disclosing personal identifying information without the express permission of the customer

  • Finding: Personal identifying information is being collected by government agencies and disseminated pursuant to public records law, and the citizen has no right to object.

  • Recommendation: amend Chapter 119, Florida's Public Records Law, to exempt, absent consent of the citizen, a court order or a compelling need, personal identifying information of citizens, including but not limited to social security numbers, birth dates, driver license numbers, phone numbers, mother's maiden name, bank account numbers, and credit card numbers.

  • Finding: Personal identifying information is being disseminated without accountability as a part of a public record even though it is now subject to some exclusion or protection.

  • Recommendation: amend Chapter 119 to hold an agency or individual accountable for releasing exempted personal identifying information along with a public record

  • Finding: The public and private sectors routinely use and rely on the consumer's social security number for use as an identifier and an account number

  • Recommendation: prohibit the use of social security numbers for independently generated identifiers to track customers, patients, policies, etc., unless required by law.

  • Finding: The DDL currently sells and makes available driver license information unless the driver specifically asserts to DDL that they do not want their information shared. In spite of this "opting out", Florida Statutes still lists 19 entities that can get the information

  • Recommendation: Florida law be changed so that DDL can only share information if the driver specifically grants their permission to do so and the list of 19 entities that are still entitled to the information be examined and unless a compelling reason exists to grant them access to the information, they be eliminated from the list.

VICTIMS OF IDENTITY THEFT

  • Finding: some law enforcement agencies are reluctant to take identity theft complaints and do not generate reports in some cases

  • Recommendation: all law enforcement agencies be required to generate a report on identity theft complaints regardless of their subsequent decision on whether or not they will investigate the case

  • Finding: there is no centralized location to which Florida victims of identity theft can report the crime to

  • Recommendation: create and fund a statewide clearing house for identity theft complaints or expand the existing database created by the Strike Force on Fraudulent Entities (SAFE) initiative to accomplish this goal.

  • Finding: very few law enforcement officers receive specific training in the recognition and investigation of identity theft cases

  • Recommendation: each department should have officers specially trained on how to recognize and investigate identity theft cases

  • Finding: many victims of identity theft do not know what to do to clear their names after their identity is stolen,

  • Recommendation: a standardized victim brochure be provided by law enforcement to the victim to give victims a checklist of procedures to follow after filing the police report

  • Finding: Consumer education is highly effective in minimizing identity theft

  • Recommendation: that every government agency work together to develop and disseminate public service announcements on practical ways to deter identity theft.

  • Finding: the extension of credit normally relies on information contained within a consumer credit report. Credit grantors do not always honor or comply with the instructions or directions given in the fraud alert that has been placed on the report

  • Recommendation: better policies and practices be implemented by credit grantors to honor and abide by the instructions provided to them in a fraud alert

  • Finding: fraud alerts that victims of identity theft place on their credit files are limited to 90 days in duration

  • Recommendation: victims of identity theft be allowed to place permanent fraud alerts on their credit reports

  • Finding: California has recently enacted legislation that would allow a consumer to "freeze" their credit report or consumer report. Consumer Reporting Agencies have until the year 2003 to comply

  • Recommendation: that the credit reporting agencies determine the effectiveness of the new California credit freeze legislation in preventing identity theft and, if effective, grant those same rights to all consumers, regardless of location.

  • Further Recommendation: that the Florida Legislature study the viability of this legislation in Florida.

  • Finding: there is no uniformity among the credit bureaus or consumer reporting agencies as to what documentation is required to remove fraudulent information from the consumer's report

  • Recommendation: credit reporting agencies standardize their procedures as to what documentation and verification a victim of identity theft must provide in order to remove the fraudulent information

  • Status of Recommendation: credit reporting agencies have recently implemented a policy that accepts any police report indicating identity theft as prima facie evidence that the information is fraudulent and blocks that information from disclosure

  • Finding: many individuals become aware that they have been victims of fraud or identity theft by reviewing the information contained within their credit report. The Fair Credit Reporting Act allows states to require the credit reporting industry to provide up to two free credit reports per year to that state's citizens. Florida law does not currently require this

  • Recommendation: the Legislature should require the credit reporting industry to provide citizens of Florida with two free credit reports per calendar year.

IV. CONCLUSION

When we embarked on this inquiry, we had no idea how complex, provocative, and stimulating this subject would become for us. We have deliberated and debated amongst ourselves, called for a great deal of testimony and legal advice, and asked many pertinent and relevant questions.

By the issuance of this report, we urge all Florida's citizens to take the issue of identity theft seriously, to keep their personal information inviolate, to support the work of government officials in limiting the intake and subsequent availability of our personal identifying information, and to foster the necessary relationship between the private financial industry and law enforcement to facilitate the successful investigation and prosecution of cases of identity theft. We, the members of the Sixteenth Statewide Grand Jury, believe that to combat and defeat the identity thief requires a group effort and partnership between the citizenry, the public and the private sector and the devotion of adequate resources to make these investigations and prosecutions successful. We believe that resources, accountability, and cooperation are the keys to success. As we end this part of our inquiry and issue this interim report, we are optimistic that Florida's government officials, private and commercial entities, and ordinary citizens will answer this call.

THIS REPORT IS RESPECTFULLY SUBMITTED to the Honorable Alice Blackwell White, Alternate Presiding Judge of the Sixteenth Statewide Grand Jury, this _____ day of January, 2002.

_________________________________
KEVIN F. MORRIS
Foreperson
Sixteenth Statewide Grand Jury of Florida

I, MELANIE ANN HINES, Statewide Prosecutor and Legal Adviser, Sixteenth Statewide Grand Jury of Florida, hereby certify that I, as authorized and required by law, have advised the Grand Jury which returned this report on this _____ day of January, 2002.

________________________________
MELANIE ANN HINES
Statewide Prosecutor
Legal Adviser
Sixteenth Statewide Grand Jury of Florida

I, OSCAR GELPI, Special Counsel and Assistant Legal Adviser, Sixteenth Statewide Grand Jury of Florida, hereby certify that I, as authorized and required by law, have advised the Grand Jury which returned this report on this _____ day of January, 2002.

_______________________________
OSCAR GELPI
Special Counsel
Assistant Legal Adviser

I, THOMAS A. SADAKA, Special Counsel and Assistant Legal Adviser, Sixteenth Statewide Grand Jury of Florida, hereby certify that I, as authorized and required by law, have advised the Grand Jury which returned this report on this _____ day of January, 2002.

_______________________________
THOMAS A. SADAKA
Special Counsel
Assistant Legal Adviser

ORDER

This Report is ordered sealed until the requirements of Section 905.28, Florida Statutes, have been met. Upon written motion of the Legal Adviser, the Court will address the issue of publication. Further, upon the Legal Adviser's oral motion for disclosure for the purposes of furthering justice, the Legal Adviser is authorized to disclose the testimony and proceedings recounted in the foregoing document in furtherance of the criminal investigative and civil administrative responsibilities of the Sixteenth Statewide Grand Jury.

______________________________________
Alice Blackwell White
Alternate Presiding Judge
Sixteenth Statewide Grand Jury of Florida
Dated: ________________________________


STATEWIDE GRAND JURY REPORT
IDENTITY THEFT IN FLORIDA
APPENDIX A

RECENT AND SIGNIFICANT ACCOMPLISHMENTS
TO COMBAT IDENTITY THEFT IN FLORIDA

  • The creation of the Governor's Privacy and Technology Task Force whose appointed members heard testimony and generated a report in December of 1999 on issues related to privacy and identity theft.

  • The Florida Legislature embraced the recommendations of the Governor's Privacy and Technology Task Force and passed enhancements to Florida's identity theft statute, 817.568, to make it one of the strongest in the country.

  •  The creation of a statewide task force within the Florida Department of Law Enforcement to target identity theft.

  • The establishment of what has become a nationally recognized Identity Theft Prosecution Unit within the Office of Statewide Prosecution.

  • The devotion of resources for the training of Florida prosecutors and law enforcement officers on issues related to the investigation and prosecution of identity theft cases.

  • The legislative appropriation of funds to study and report On Design Methods and Procedures to Make the Florida Driver License and Identification Card More Resistant to Tampering and Counterfeiting.

  • The formation of a multi-disciplined focus group to study security features of the Florida Driver License and Identification Card to make it one of the most secure driver licenses and identification cards in the country.