And Where Are We Going

PRIVACY

AND

IDENTITY THEFT:

WHERE WE ARE NOW

AND WHERE ARE WE GOING

IN THE FUTURE . . . .

Huggins v. CitiBank, et.al.: A Case Study

Stephen P. Groves, Sr., Esquire

Member

NEXSEN PRUET, LLC

205 King Street, Suite 400

Charleston, South Carolina 29401

Telephone: 843.720.1725 Telecopier: 843.720.1777

Toll Free No. 1.800.926.6757

E-Mail: Web Address:

Everyone recognizes that “identity theft” is a significant problem and all financial institutions strive every day to prevent its spread. In fact, just two weeks ago, on September 3, 2003, Howard Beales, director of the Federal Trade Commission’s Consumer Protection Program announced that “[m]ore than 27 million Americans have been victims of identity theft in the past five years . . . .”[1] Moreover, over 1/3 of that number, some “9.9 million people were victims of identity theft [during the last twelve months].”[2] This information came from a survey commissioned by the FTC and prepared by Synovate.[3]

Seems like every newspaper, news magazine, consumer publication, or news cast contains some discussion of one or most aspects of identity theft.[4] The current information shows that it costs the average victim of identity theft more than $1000.00 and 25 hours to “right the wrongs” to their credit accounts and their reputation. “Credit card fraud was the most common form of identity theft [in 2002], accounting for 42% of the complaints to the FTC [with] phone or utility fraud [second at 22% and] bank fraud [third] at 17%.”[5]

A.What Is Identity Theft?

The authorities note that “[i]dentity theft occurs when a person steals another person's name, address, social security number, or other identifying information in order to commit fraud.”[6] Thereafter, the “criminal then uses this information to open a new credit card account for his own use, take out loans in the victim's name, steal money from the victim's bank accounts, illegally secure professional licenses, drivers licenses, and birth certificates.”[7]While the “criminal process is quite simple, . . . results can be [seemingly and realistically] devastating [to the consumer].” “Identity thieves first seek out creditworthy consumers with high incomes[ and] [o]nce a consumer is identified, the identity thief seeks important identifying information about the individual.”[8]

Some of the more commonly known means through which criminals obtain personal information for “identity theft are as follows:

1.They get information about other people from businesses or institutions by:

a.stealing records from their employer,

b.bribing an employee who has access to the records,

c.conning information out of employees, or

d.hacking into the organization's computers.

2.They rummage through individual’s trash, the trash of businesses, or dumps in a practice known as "dumpster diving."

3.They obtain credit reports by abusing their employer's authorized access to credit reports or by posing as a landlord, employer, and/or someone else who may have a legitimate need for and a legal right to the information.

4.They steal credit and debit card account numbers as an individual’s card is processed by using a special information storage device in a practice known as "skimming."

5.They steal wallets and purses containing identification and credit and bank cards.

6.They steal mail, including bank and credit card statements, pre-approved credit offers, new checks, and/or tax information.

7.They complete a "change of address form" to divert mail to another location.

8.They steal personal information directly from an individual’s home.

9.They scam information from an individual by posing as a legitimate business person and/or government official.[9]

Interestingly, prior to the recent Synovate survey commissioned by the FTC

The actual harm an individual suffers from identity theft has been difficult to determine because the individual victim [generally] does not bear the initial financial burden of identity theft. Federal law limits a consumer's liability for credit card fraud to $50[.00] per credit card account. Financial institutions are viewed by law as the primary victims of identity fraud and their direct financial loss tended to be viewed as the only loss involved. Federal laws that criminalize the conduct integral to identity theft did not recognize consumers as victims.

Creditors, unlike individuals, can write off losses they incurred from identity theft, or they pass them off to consumers in the form of higher interest rates, fees and costs. As a result, the creditors rarely pursued prosecution of identity thieves. And, even when they did refer such cases to law enforcement agencies, the cases did not meet the dollar threshold of $50,000[.00] warrant prosecution. And, although identity theft victims were seldom held liable for the crime, the creditors were not obligated to clear the consumer's credit record if no criminal charges were brought. To the extent that creditors passed off the cost of identity theft in the form of higher fees and costs to customers, all consumers were harmed, whether they have been victimized directly or not.[10]

Instead of consumer “victims” pursuing state law remedies, the authorities note that the “recourse [of] these victims . . . against the ongoing nightmare [of] identity theft . . . lies largely in the Fair Credit Reporting Act.”[11] Moreover, the FCRA specifically and “expressly preempts state common law or statutory remedies . . .[and, therefore,] provides the primary recourse for victims of identity theft.”[12]

B.Huggins v. Citibank, et.al.

Sometime prior to April 18, 2002, Montgomery Ward/MGBA; FACS/Rich, Inc.; Citibank (South Dakota), N.A.; Capital One Bank; Premier Bankcard, Inc.; and Dillard National Bank, N.A., issued credit cards to an individual which had identified himself to those companies as “P. Kenneth Huggins, Sr.” This John Doe was not Mr. Huggins and fraudulently represented himself to those banking institutions. It is not known how John Doe obtained Mr. Huggins’ personal information, but, as previously noted there were many avenues open to John Doe.

After John Doe fraudulently obtained the several credit cards, he used them to purchase various items and/or to receive cash advances from merchants and/or automatic teller machines. Moreover, John Doe did not pay any of the outstanding purchase and/or cash advance balances for the credit cards. Due to these action, Mr. Huggins’ credit standing was damaged and he was contacted by various collection agencies.

In April 2002, Mr. Huggins sued Montgomery Ward/MGBA; Richs; Citibank; Capital One; Premier Bankcard; and Dillard National Bank in Federal Court. Mr. Huggins asserted claims for negligence relating to the issuance of credit cards in his name to an unknown third-party who, in turn, used the credit cards to make purchases for which Mr. Huggins was billed. Mr. Huggins argued three separate, but somewhat related, positions:

(1)the financial institutions were, as a matter of public policy, responsible for any damages caused to him by John Doe because the financial institutions were the issuer of the credit cards and, in turn, were in the best position to ensure that John Doe should not have been able to obtain the credit card;

(2)even in the financial institutions did nothing wrong, they should bear the loss since they issued the credit card to John Doe; and

(3)the fact John Doe committed a crime by obtaining the credit card was immaterial since the financial institutions could have reasonably foreseen and anticipated his actions and their result.

Mr. Huggins requested the District Court to recognize a new cause of action in South Carolina: Negligent Enablement Of Imposter Fraud. The defendants moved to dismiss and the District Judge certified the issue to the South Carolina Supreme Court.

On appeal, the Supreme Court noted that Mr. Huggins’ negligence claims arose from the following allegations:

1)“issuing the credit cards without any investigation, verification, or corroboration of [John] Doe's identity;

2)failing to adopt policies reasonably designed to verify the identity of credit card applicants;

3)adopting policies designed to result in the issuance of credit cards without verifying the identity of applicants; and

4)attempting to collect [John] Doe's debt from [Mr.] Huggins.”[13]

In South Carolina, a plaintiff asserting a claim for negligence, is required to show “1) a duty of care owed by the defendant to the plaintiff, 2) a breach of that duty by negligent act or omission, and 3) damage proximately caused by the breach.”[14] One of the most critical elements to a negligence claim is the “existence of a legal duty of care owed by the defendant to the plaintiff [since, if] there is no duty,” then there is no valid and legal claim.[15] In this State “[d]uty arises from the relationship between the alleged tortfeasor and the injured party.”[16] Moreover, “[i]n order for negligence liability to attach, the parties must have a relationship recognized by law as the foundation of a duty of care.”[17] Importantly, “[i]n the absence of a duty to prevent an injury, foreseeability of that injury is an insufficient basis on which to rest liability.”[18]

Our Supreme Court, even though well-known for being on the forefront of consumer protectionism, declined to recognize a new and distinct cause of action for Negligent Enablement Of Imposter Fraud. The Court acknowledged that it was

greatly concerned about the rampant growth of identity theft and financial fraud in this country [and recognized that it was ] certain that some [of the thousands of instances of] identity theft could be prevented if credit card issuers[, themselves,] carefully [and/or more carefully] scrutinized credit card applications [in the first instance].[19]

Nevertheless, the Supreme Court, looking to, Polzer v. TRW, Inc.,[20] a 1998 New York Appellate Division case, concluded the “relationship, if any, between credit card issuers and potential victims of identity theft [was] far too attenuated to rise to the level of a duty between them.”[21] The New York Court, in Polzer v. TRW, Inc., had stated:

. . . the defendant credit card issuers ‘had no relationship either with the imposter who stole the plaintiffs' credit information and fraudulently obtained credit cards, or with plaintiffs, with whom they stood simply in a creditor/debtor relationship.’[22]

Equally important to our Supreme Court’s decision was the current existence of several statutory remedies for credit card fraud/identity theft victims which are already in place. The Court stated:

we note that various state and national legislation provides at least some remedy for victims of credit card fraud. . . . While these regulations may not fully compensate victims of identity theft for all of their injury, we conclude the legislative arena is better equipped to assess and address the impact of credit card fraud on victims and financial institutions alike.[23]

In conclusion, the Supreme Court stated that “[s]ince there is no duty on the part of credit card issuers to protect potential victims of identity theft, we answer the certified question negatively: South Carolina does not recognize the tort of negligent enablement of imposter fraud.”[24]

There are numerous other decisions from across the country in which the particular court or particular jurisdiction has refused to recognize a claim by a victim of identity theft against the financial institution involved.[25] There are a few, however, jurisdictions which have arguably recognized a claim and/or permitted a complaint to proceed forward past the summary judgment stage against a financial institution under these or similar circumstances.[26]

C.Available Laws To Combat Identity Theft

(1)Criminal Laws

John Doe’s actions in Huggins v. Citibank, as do the nefarious efforts of all such John Does, are violations of both South Carolina criminal laws[27]and Federal criminal laws.[28] Such John Does routinely lie to the involved financial institutions when they apply for credit cards and falsely represent themselves as someone else. Such John Does lie to the various merchants where they use the credit cards issued in another person’s name. Such John Does lie in passing themselves off as other people commercial businesses. These people are criminals, nothing more than liars, cheats, and thieves.

(a)South Carolina Law

While the criminal laws of South Carolina, such as forgery,[29] various larcenies,[30] financial transaction card fraud,[31]etc., generally apply to “identity theft”, there are some specific provisions which alone address the problem.[32]

For example, the Personal Financial Security Act, adopted in 2000, makes “identity theft” a specific crime in South Carolina. The pertinent statute provides:

(B)A person is guilty of financial identity fraud when he, without the authorization or permission of another person and with the intent of unlawfully appropriating the financial resources of that person to his own use or the use of a third party:

(1)obtains or records identifying information which would assist in accessing the financial records of the other person; or

(2)accesses or attempts to access the financial resources of the other person through the use of identifying information as defined in subsection (C).

(C)Identifying information includes, but is not limited to:

(1)social security numbers;

(2)driver's license numbers;

(3)checking account numbers;

(4)savings account numbers;

(5)credit card numbers;

(6)debit card numbers;

(7)personal identification numbers;

(8)electronic identification numbers;

(9)digital signatures; or

(10)other numbers or information which may be used to access a person's financial resources.

(D)A person who violates the provisions of this section is guilty of a felony and, upon conviction, must be fined in the discretion of the court or imprisoned not more than ten years, or both. The court may order restitution to the victim pursuant to the provisions of [S.C. Code Ann. §] 17-25-322.[33]

Nothing in S.C. Code Ann. § 16-13-510 prevents and/or applies to for following:

(1)the lawful acquisition and use of credit or other information in the course of a bona fide consumer or commercial transaction or in connection with an account by any financial institution or entity defined in or required to comply with the Federal Fair Credit Reporting Act, 15 U.S.C. [§] 1681, or the Federal Gramm-Leach-Bliley Financial Modernization Act, 113 Stat. 1338;

(2)the lawful, good faith exercise of a security interest or a right to offset exercised by a creditor, agency, or financial institution; or

(3)the lawful, good faith compliance by a party when required by a warrant, levy, attachment, court order, or other judicial or administrative order, decree, or directive.[34]

The Legislature is currently considering adopting the “Consumer Identity Theft Protection Act”, as codified in Senate Bill 222, pending before the House Labor, Commerce, and Industry Committee. This proposed act (to be codified at S.C. Code Ann. §§ 37-20-110, et. seq.), among other things, requires the following of financial institutions which issue credit cards:

S. C. Code Ann. § 3720130(A).A seller or lender credit card issuer that mails an offer or solicitation to receive a credit card and, in response, receives a completed application for a seller or lender credit card listing an address that is substantially different from the address on the offer or solicitation shall verify the change of address by contacting the person to whom the solicitation or offer was mailed, or by using other reasonable means of verifying the account holder’s identity.

S. C. Code Ann. § 3720130(B)Notwithstanding another provision of law, a person to whom an offer or solicitation to receive a seller or lender credit card is made is not liable for the unauthorized use of a credit card issued in response to that offer or solicitation if the credit card issuer does not verify the change of address pursuant to subsection (A) before the issuance of the seller or lender credit card, unless the credit card issuer proves that the offeree actually incurred or knowingly benefited from the charge on the credit card.

S. C. Code Ann. § 3720130 (C)When a seller or lender credit card issuer receives a written or oral request for a change of the cardholder’s billing address and within a period not to exceed [30] days after the requested address change receives a written or oral request for an additional credit card, the credit card issuer may not mail the requested additional credit card to the new address or activate the requested additional credit card unless the issuer has verified the change of address.

The proposed new law also allows an actual and/or suspected “identity theft” victim to report the “crime” to law enforcement and to authorize law enforcement to initiate an investigation.[35] In addition, there are provisions for expedited “judicially clearing” of a identity theft victim’s name when and if the “identity thief” is convicted or the victim’s name is associated
with a criminal conviction record.[36] Finally, the proposed legislation requires SLED to create an “identity theft victim” database available solely to the victim and law enforcement agencies.[37]

(b)Federal Law

In 1998 the United States Congress adopted the Identity Theft and Assumption Deterrence Act of 1998,[38] which makes it a violation of federal criminal law for whoever:

(1)knowingly and without lawful authority produces an identification document, authentication feature, or a false identification document;

(2)knowingly transfers an identification document, authentication feature, or a false identification document knowing that such document or feature was stolen or produced without lawful authority;

(3)knowingly possesses with intent to use unlawfully or transfer unlawfully five or more identification documents (other than those issued lawfully for the use of the possessor), authentication features, or false identification documents;

(4)knowingly possesses an identification document (other than one issued lawfully for the use of the possessor), authentication feature, or a false identification document, with the intent such document or feature be used to defraud the United States;

(5)knowingly produces, transfers, or possesses a document-making implement or authentication feature with the intent such document-making implement or authentication feature will be used in the production of a false identification document or another document-making implement or authentication feature which will be so used;