Bush signs bill toughening penalties for identity theft

WASHINGTON -- President Bush signed a tough new identity theft bill into law Thursday, legislation passed by Congress in response to evidence that the problem is growing rapidly as more Americans use the Internet to shop and manage their personal finances.

The Identity Theft Penalty Enhancement Act adds two years to prison sentences for criminals convicted of using stolen credit card numbers and other personal data to commit crimes. Violators who use that data to commit "terrorist offenses" would get five extra years.

"Like other forms of stealing, identity theft leaves the victim poorer and feeling terribly violated," Bush said Thursday at a White House signing ceremony. "The criminal can quickly damage a person's lifelong effort to build a good credit rating."

Rep. John Carter, R-Texas, the bill's sponsor, said the signing is "one of the shots taken in a battle that we've got to win. ... It's a crime that we need to address and address seriously both for the protection of the credit of American citizens and for the protection of homeland security."

Identity theft topped the list of consumer fraud complaints to the Federal Trade Commission in 2003, accounting for more than half of all the complaints tracked by the agency. The FTC recorded 214,905 cases of identity theft in 2003, up from 161,836 in 2002.

In a report published last September, the FTC estimated that identity theft claimed 9.9 million victims in 2002, costing businesses and consumers $53 billion. The report, based on a telephone survey of more than 4,000 adults, estimated that as many as 27.3 million Americans fell victim to identity theft in the last five years.

"Phishing" victims alone lost $1.2 billion to identity theft-related fraud between April 2003 and April 2004, and were three times more likely than the average American to have their identities stolen, according to an online survey of 5,000 people conducted in May by Stamford, Conn.-based firm Gartner Research. One of the newest, most virulent forms of ID theft on the Internet, phishing scams involve online thieves who dupe consumers into entering personal data on counterfeit banking and e-commerce Web sites.

Boost to prosecutors

The law will make it more likely that thieves are prosecuted, said Betsy Broder, assistant director for the FTC's Division of Planning and Information. "A prosecutor is less likely to bring a case if they're not going to get any serious jail time when they get a conviction," she said.

The new law could help ferret out larger criminal enterprises because identity thieves often work in groups, said Jim Vaules, vice president and fraud expert at Dayton, Ohio-based archival firm LexisNexis.

"These are networks and often you only have one small tentacle of it in a courtroom," Vaules said. "If [prosecutors] have a tool that changes the sentencing guidelines from probation to a prison sentence, it could have significant results in people cooperating with the government and exposing larger parts of the criminal network."

The law also orders the U.S. Sentencing Commission to consider increasing the penalties for employees who steal sensitive data from their own companies.

Michael Wolfe, the co-founder of Vontu Inc., a San Francisco Calif.-based security software company that focuses on preventing internal fraud, said this is an important focus of the law. He said Congress may have to pass legislation requiring companies to take basic steps to protect consumers' personal data.