RealTime IT News

Identity Theft Law Hits Back at 'Phishers'

President Bush signed into law Thursday legislation creating stiffer criminal penalties for identity theft.

The Identity Theft Penalty Enhancement Act establishes the new crime of aggravated identity theft, which is defined as the use of a stolen identity to commit other crimes. As part of the legislation, convictions carry a mandatory two-year prison sentence in addition to any penalties for the related crime.

Convictions for aggravated identity theft to commit an act of terrorism carries an additional five-year prison term on top of the penalties for the terrorist act itself.

The signing of the bill comes as Congress seeks to crack down on a number of online practices that dupe individuals into revealing their identities. Last week, Sen. Patrick Leahy (D-Vermont) introduced an additional measure that would penalize the practice of "phishing" by up to five years in prison and a $250,000 fine.

E-mail spoofing or "phishing" is becoming extremely expensive for the enterprise. A recent Gartner Research study said bogus attempts at getting passwords, credit card information and other personal data cost $1.2 billion in damage to U.S. Banks and credit card issuers last year.

"The law I sign today will dramatically strengthen the fight against identity theft and fraud," Bush said in a White House signing ceremony. "Prosecutors across the country report that sentences for these crimes do not reflect the damage done to the victim. Too often, those convicted have been sentenced to little or no time in prison. This changes today."

The new law prohibits a court from placing on probation any person convicted of aggravated identity theft, reducing any sentence for the related felony to take into account the aggravated identity theft conviction or providing for concurrent prison terms.

"The crime of identity theft undermines the basic trust on which our economy depends. When a person takes out an insurance policy, or makes an online purchase, or opens a savings account, he or she must have confidence that personal financial information will be protected and treated with care," Bush said.

The law also calls for mandatory prison sentences for employees who steal data that is then used in identity theft crimes. A recent Michigan State University study estimates about half of all identity crimes were the result of personal information being stolen from corporate databases.

Last month, an America Online employee was arrested for allegedly stealing millions of AOL subscriber screen names which were later sold to spammers.

Aggravated identity theft is defined in the new law as the wrongful use of an individual's Social Security number to obtain federal benefits. Last year, a University of Texas student who had access to the school's database stole 55,000 Social Security numbers.

The new law allows for the aggregation of stolen Social Security payments. Without the aggregation of the payments the enhanced penalties would not apply, since most monthly Social Security payments are less than $1,000.

"This law also raises the standard of conduct for people who have access to personal records through their work at banks, government agencies, insurance companies and other storehouses of financial data," Bush said. "The law directs the United States Sentencing Commission to make sure those convicted of abusing and stealing from their customers serve a sentence equal to their crimes."