Criminals who use stolen identities in the commission of felony crimes will face tougher sentences under new legislation signed into law by President Bush on Thursday.
The Identity Theft Penalty Enhancement Act also mandates additional jail time for people who steal data on the job, a problem highlighted last month when a former America Online employee was indicted for stealing the e-mail addresses of every AOL member. And it adds a mandatory 5-year enhancement for use of stolen identities in connection with terrorism.
The law creates a new class of federal crime, aggravated identity theft, defined as identity theft used in the commission of a felony. Convictions for aggravated ID theft carry a mandatory tack-on penalty of two years in a federal prison.
The act also orders the U.S. Sentencing Commission, which sets federal sentencing guidelines, to enhance penalties for insiders who steal data that is then used in identity theft crimes.
'Undermines basic trust'
The law is an important step in combating a type of crime that had 10 million U.S. victims last year, the president said in a signing ceremony at the White House.
He said identity theft “undermines the basic trust on which our economy depends,” robbing its victims of nearly $50 billion in fraudulent transactions.
Identity thieves “can steal a victim’s financial reputation” by running up bills that hurt the victim’s credit rating, Bush said. The legislation is meant to take away judges’ ability to give probation, reduced sentences or concurrent sentences for identity theft linked to felony crimes. It was approved with bipartisan support, with lawmakers such as Sen. Dianne Feinstein, D-Calif., saying prosecutors need better tools to punish identity theft, especially when it is used to commit terrorist acts.
Rep. John Carter, R-Texas, who authored the bill, said the insider identity theft provision was generated largely from an infamous incident in Texas last year, when a student employee at the University of Texas allegedly stole 55,000 Social Security numbers.
"People who get their identity stolen, they feel personally violated," Carter said before the bill was signed. "(Criminals) will realize that if they steal your identity, we can add more time spent in prison. Enhanced punishments do deter crimes."
Industry experts and consumer advocates welcomed the new law, suggesting it would attract more attention to a problem that has reached epidemic proportions. A Federal Trade Commission study last year revealed that 10 million people had been victims of identity theft in the prior 12 months.
The insider provision is important, experts said, because nearly two-thirds of identity theft cases begin with an employee who steals raw data needed to commit crimes.
"It used to be that shrinkage (theft) was the biggest cost to employers after payroll and healthcare. Today what we have to think about, in the information age, is employees stealing information," said Michigan State professor Judith Collins, who recently finished a study of insider identity theft. "Why steal merchandise when they can steal data and get money?"
Companies also should be held liable, critic says
The bill doesn't go far enough, said Michael Wolfe, co-founder of computer security firm Vontu Inc.
"This is an important first step, but it still seems to me that it lets off the hook the companies who are the source of the problem," Wolfe said.
The real problem, he said, is that companies are sharing customer data with branch offices and partners around the world, often with little attention to security. Wolfe advocates increased corporate liability for customer data leaks.
"I'm still not seeing where the corporation itself has much more incentive to protect the data."
Linda Foley, founder of the Identity Theft Resource Center, added that the law applies only to federal cases, and many identity theft criminals are prosecuted a the state level. Stiffer penalties must be imposed around throughout the judicial system, she said.
"We need judges throughout the nation to take this crime just as seriously and to impose strict penalties on these criminals. All too frequently identity thieves just get probation and community service," she said.
The law also doesn't address the fact that many identity theft crimes never get even that far. A Gartner study published last year estimated that only 1 in 700 identity theft crimes are prosecuted.
Carter said enhanced criminal penalties were only a first step, and that he would consider legislation that penalized companies that didn't protect consumer data.
"That's another thing we've got to take a look at. I'm not saying I'm through or Congress is through," Carter said. "This crime is growing at such a rapid pace and we have to start looking at the responsibility of people who are getting (this information) and not taking care of it."
The Associated Press contributed to this story.