Stolen database leads to worries of identity theft

March 2, 2006

By Amy Le, Staff Writer

George Gilou arrived at his mortgage office Feb. 6 and discovered the back door had been forced open. It didn't take long before he realized the business he owns, Olympic Funding Chicago, 6308 N. Milwaukee Ave., had been burglarized.

According to police reports, three computer hard drives were stolen, containing clients' names, Social Security numbers, addresses and phone numbers.

A police source close to the investigation said the stolen database was not placed on a secure "port" -- the access point between computers -- and had no encryption software.

But Gilou said the information on the stolen hard drives was protected with a secure password. Gilou said he and his office manager are the only people with the password.

"I have spent over $2,800 in security software to make sure our client's files are well protected," he said.

Gilou said the office has an alarm system, but it wasn't activated while the shop was closed for business over that weekend.

The information contained in the stolen files has not yet been reported in any identity theft cases, police said. Gilou said he has sent letters to his clients alerting them of the security breach.

Companies liable

When dealing with personal and financial records, most consumers today are finding new ways to protect themselves from identity thieves. But what happens when you hand your personal information to a second party, like a mortgage broker or credit card company?

Claudia Bourne Farrell, a Federal Trade Commission spokeswoman, said people should always ask about information security procedures in their workplace or at businesses, doctor's offices or other institutions that collect identifying information.

She advises people to find out who has access to the personal information and verify that it is handled securely, and ask about disposal procedures for those records. Find out if your information will be shared with anyone else. If so, clients should always ask if the information can be kept confidential, she said.

In Illinois, any unauthorized acquisition of computerized data that compromises personal information is a potential violation of state laws, said Melissa Merz, a spokeswoman with the Attorney General's office.

The Illinois Personal Information Protection Act (Security Breach) went into effect in January and is enforced through the Consumer Fraud Act.

"If there is a breach, under the Personal Information Act, (Olympic Funding) must give notice to its customers of the breach," Merz said. The violation is a civil penalty, she said.

The new legislation was a response to an incident in which Georgia-based ChoicePoint Inc. sold the personal information of more than 145,000 people, including 5,000 Illinois residents, to identity thieves who pretended to be legitimate businesses. Even though officials at ChoicePoint were aware of the breach, consumers weren't notified of the situation until months later, when officials, prompted by an existing California law requiring the disclosure of a security breach that puts Californians' personal information at risk, revealed the information.

In January, ChoicePoint Inc. agreed to pay $10 million in civil penalties and $5 million in consumer redress to settle FTC charges that its security and record-handling procedures violated consumers' privacy rights and federal laws.

In addition to state laws, under the Federal Trade Commission Act, financial institutions are required to protect customer information. The Safeguards Rule applies to financial institutions that collect information from their own customers, and also to financial institutions like credit reporting agencies that receive customer information from other financial institutions.

Consumer risk

Identity thieves can open new accounts in other people's names and rack up debts on existing accounts using consumers' Social Security numbers, bank account information, addresses, or phone numbers. Victims can spend years and accumulate expensive legal fees to restore their credit histories and clear their names, Bourne Farrell said. And some consumers have even been denied jobs or insurance, or been arrested for crimes they did not commit.

A recent trade commission survey indicates that the dollar volume of identity-theft crimes in the U.S. totaled $52.6 billion in 2004; much of that cost is accrued by businesses.

From credit card to loan frauds, law enforcement officials say that identity-theft crimes are the fastest-growing in the nation. Last year, Chicago ranked 19th out of the 50 major metropolitan areas for identity-theft complaints. As these types of crimes continue to spread, state legislators have moved to better protect consumers.

Last month, State Senator Ira Silverstein, D-8th, passed legislation out of the Executive Committee to tackle a new breed of identity-theft schemes. Senate Bill 2554 has been viewed by many as a way to keep consumers' cell-phone records private by prohibiting the sale of such personal information by brokers, but Silverstein said his legislation will further expand the definition of identity theft. Before the legislation, personal identifying information was defined as a person's name, address, Social Security number, employment identification number, mother's maiden name, or other related information.

The legislation also would include things such as user names and passwords on the computer, cell-phone records, e-mails, instant messages, and even records of Web site visits that relate to a specific person.

Under the proposal, a person will be committing identity theft when he or she knowingly uses any of the personal information in order to gain access to additional personal information without consent. For example, if a person obtains and uses information from someone's e-mail message in order to obtain cell-phone records, he or she will be in violation of the law, a Class 3 felony.

"This is not only a matter of protecting against identity theft," Silverstein said. "It's also a matter of simple privacy for consumers."

Call to get information

Three computer hard drives were stolen last month from Olympic Funding Chicago, 6308 N. Milwaukee Ave.

Anyone who has given personal information to the company and has not received a letter from the company disclosing the recent security compromise is asked to call the State's Attorney's consumer hotline at (800) 386-5438.
