ID theft is a nasty little crime that can wreck your life-or even cripple your business. Here’s what direct response marketers should know.

By Jack Gordon

Identity theft is a triple threat to direct response marketers. As individuals, of course, they are potential victims, vulnerable to the crime just like anyone else. As merchants who gather personal data from buyers over the phone or via the Internet-such as names and addresses tied to credit card numbers-they must reassure consumers who grow more wary every day about divulging that information. And if the security of their customers’ records is breached, their businesses face serious consequences.

Consumer nervousness is fanned not just by media reports on the havoc that identity theft can wreak but by crusaders like John Sileo, author of the 2005 book “Stolen Lives: Identity Theft Prevention Made Simple.” Sileo, president of Thinklikeaspy.com of Denver and himself a victim of identity theft, speaks to groups around the U.S., urging them to guard their personal information as a precious asset under attack by thieves and spies. “Your identity can represent your entire net worth and your whole credit rating,” he warns.

And woe to the business that is careless with customer data it acquires. “You can get shut off by Visa or MasterCard,” cautions Michael Petitti, senior vice president of AmbironTrustWave of Chicago, which provides data-security and compliance services to merchants that handle credit card information. Credit card associations also can impose fines on businesses that fail to comply with their security standards, he says. “And if an [identity theft case] is deemed to be something you could have prevented, you can be held accountable by your bank.”

That’s not to mention what Petitti calls “the stink” on your brand. “When you make the newspapers with a data-security breach, that’s hard to shake,” he says. “Consumers will shop with your competitors instead.”

KNOW THE ENEMY
The Federal Trade Commission (FTC) says that identity theft accounted for 255,000 (37 percent) of more than 686,000 fraud complaints filed in 2005 with the FTC’s Consumer Sentinel database. Credit card fraud was the most common form of reported identity theft, followed by phone or utilities fraud, bank fraud and employment fraud. The most frequent type of bank fraud involving identity theft was electronic fund transfers. From all types of fraud, the FTC says, consumers reported losses totaling more than $680 million.

Sileo insists that data compiled by the Better Business Bureau and Javelin Strategy and Research of Pleasanton, Calif., is more comprehensive and accurate than the FTC’s. According to Javelin, 8.9 million people were victimized by some type of identity theft in 2005. That number is down from a 2004 estimate of about 10 million. The average fraud damage per case increased, however, to $6,383, up from $5,249 in 2004, for a total cost of $56.6 billion (see chart).

Those figures include credit card fraud, by far the largest subcategory of identity theft and a crime that can be as simple as stealing someone’s card for a one-time shopping binge. Most experts distinguish credit card fraud from “full-blown” identity theft.

As described by the FTC and other sources, the list of horrors that full-blown identity thieves can perpetrate is long and scary. With enough of your personal information, thieves can change the billing address on your accounts so that it may be months before you know you have a problem. They can take out new credit cards in your name, with delinquent accounts assigned to your credit report. They can apply for auto loans and mortgages, get jobs, and file fraudulent tax returns, all in your name. They can open bank accounts and write bad checks on those accounts. Or, they can authorize electronic transfers that drain your real bank accounts. They can file for bankruptcy in your name. They can get a driver’s license in your name, and present it to the police when they’re arrested for committing some other crime. If they don’t show up for court after making bail (as you), a warrant is issued for your arrest.

When you attempt to dig your way out of the ensuing misery, experts say, the burden of proving that the perpetrator of all this was someone else falls entirely on you.

How can a thief steal your identity or the identities of your customers? That’s another long list. Computer hackers can breach the security of records and databases using spyware or other means. Internet “phishing” scams send people to bogus web sites that mimic the sites of reputable companies, there to reveal personal information, including passwords to online accounts. “Skimming” devices can be attached to card-swipe machines at retail outlets or to automatic teller kiosks (ATMs), capturing data from credit or debit cards. Crooked employees of a business can steal customer records and sell them to identity-theft rings. Honest employees can be conned into revealing information.

Closer to home, a thief can simply steal your mail, including bank statements, tax records and credit card offers. Dumpster divers can do the same thing with mail you threw in the garbage. Somebody could steal your wallet or your purse-and your social security card had better not be in it. An acquaintance or even a family member could steal information right out of your house or your office.

Regarding that last possibility, Javelin Research reports that almost half of all 2005 identity theft victims-47 percent-knew the thief. Usual suspects include your teenager with a drug habit, your shady brother-in-law or your business associates. And Sileo points out that the 47-percent figure counts only victims who ultimately were able to identify the thief. “I’d estimate that more like 90 percent of the victims I talk to somehow know the person who did it,” he says. In his own case, it was a business partner who stole his identity and used it to cover $300,000 in check-fraud crimes. “I spent two years fighting legally against that,” he says. And his $2 million business was destroyed.

Another surprising Javelin statistic-given the attention paid to hackers and phishing scams in many stories about identity theft-is that only 8.3 percent of 2005 cases involved such purely computer-based means. Nine times out of 10, identity theft is either a “paper-based” crime or involves someone inside a company, not a phisher or an outside hacker invading records via the Internet (see chart below).

In other words, if you own a direct marketing business, the likeliest threat to your customers’ personal information comes from people who work for you or your call center-or from employees of companies to which you sell your customer lists.

FIGHT THE ENEMY
Eric R. Drew is founder and executive vice president of KnightsBridge Castle Inc. of Woodside, Calif., which sells services that help individuals find out quickly and respond effectively if their identities have been stolen. He created the company in 2005 after a harrowing case of his own.

In 2003, Drew was admitted to a Seattle hospital for a bone-marrow transplant and other treatments for leukemia. Doctors expected him to die. A hospital worker seized the opportunity to steal his identity, establish new lines of credit, open bank accounts and go on a shopping spree. Drew defied medical expectations and emerged as a fire-breather on the subject of identity theft.

“I’m bitter about what happened to me,” he says. “I point the finger at banks and credit card companies [that claim they're trying to stop identity theft] because they actually profit from it.” When identity thieves don’t pay the bills on their bogus accounts, he says, creditors add stiff late fees and “jack up the interest to a universal default rate of around 30 percent.” Even if the victim can prove over the course of months that his or her identity was stolen, thereby escaping responsibility for the bills, the creditor gets to write off all that interest in addition to the original charge, he says. “Instead of just claiming a $1,000 loss, [the creditor] can write off maybe $1,700.”

Drew finds it “outrageous” that Congress had to pass a law last year requiring the three major credit-reporting companies, Equifax, Experian and TransUnion, to give people free access once a year to their own credit reports. (Go to www.annualcreditreport.com. Some other sites that claim to provide free credit reports actually just try to sell them.)

A direct marketer’s worst nightmare would be to have someone like Eric Drew turn up on a television news show-he has appeared on CNN and NBC’s “Dateline”-to explain how his identity was stolen thanks to that marketer’s carelessness.

Protecting customer data means attending to security on several levels. At the very least, says Ambiron TrustWave’s Petitti, your technical systems should comply with the Payment Card Industry (PCI) data security standard that tells merchants how to protect credit card information.

Beyond that, experts say, do background checks on the people you hire, including the office cleaning staff. Ask your call center about its security practices. Train employees about scams that might be used to con customer information from them. Enforce strict policies regarding access to customer data. “Whoever takes down the credit card number and the number on the back of it has the information, there’s no getting around that,” Sileo says. But having entered that information into the system, does the employee need repeated access to it?

Above all, keep tabs on employees, and tell them you’re watching. “Say, “Here’s how we track what you’re doing and here’s what we’ll do to you if you’re caught,’” Sileo recommends. “Sometimes it’s more effective to tell people you’re monitoring them somehow than actually to do it.”

Jack Gordon is editor at large for Electronic Retailer magazine. We would appreciate your feedback. To submit comments, point your browser to idtheftapr06.marketing-era.com.