Not many people count paying their taxes as one of their favorite activities. The fact of the matter is citizens have a legitimate reason to complain about taxes and the IRS given the statistic that the government issues approximately $4 billion a year in fraudulent refunds to identity thieves.

Fortunately, new legislation is pending that will work to not only cut down on the fraud, but to keep citizens’ personal data safe from hackers and data breaches as well. What originally began the Congressional process as the Tax Refund Theft Prevention Act of 2014, introduced by Senate Finance Committee Chairman Orrin Hatch (R-Utah) and Ranking Member Ron Wyden (D-Ore.) last year, the legislation will now move on to the markup stage where committee members can introduce new provisions, debate the bill’s merits, and engage in further discussion.

“Tax refund fraud is a one-two punch for taxpaying individuals,” Hatch said. “Millions of taxpayers’ identities are compromised, and all taxpayers have their tax dollars wasted.  Our bill aims to address such fraud by enhancing the IRS’s capabilities in detecting fraud and by giving victims the assistance and safeguards they need to repair the damage done by tax theft criminals.  In order to further deter this crime, we make tax refund fraud a specific category of a felony offense and enhance security features for filers.  Hard-working American families deserve a government that protects both their tax dollars and their sensitive taxpayer information.”

As Senator Hatch originally stated when the bill was introduced last year, tax refund fraud is especially problematic for citizens. Not only do they not receive their legitimate refunds in a timely way, their identities have been compromised in the process of the fraud. That means the same thief who filed a fraudulent return in their names can then go on to commit countless other related crimes like benefits fraud, medical identity theft, and the opening of new lines of credit in the victim’s name. Of course, this issue works in reverse as well; someone who’s identity has been stolen and used for other purposes can find himself becoming the victim of tax refund fraud the next time tax season rolls around.

Unfortunately, this type of identity theft is so easy to commit that criminals of all types and levels—from petty street thugs to organized crime bosses—are turning to tax refund fraud, often to bankroll other criminal activities. Even notorious street gangs whose criminal activities have included drug dealing, prostitution, black market gun sales, and gun-related violence have turned to their computers to commit tax-related identity theft crimes, largely due to the massive potential payout with minimal physical risk. One California gang, Long Beach’s Insane Crips, netted over $3.3 million dollars of an attempted $11 million dollars in tax fraud before a sting operation brought them down.

The markup process of Senators Hatch and Wyden’s bill will begin on Wednesday, September 16th. Many of the original provisions are expected to remain in place, while new provisions may be added to ensure better citizen protection and fraud reduction.

If you’ve had to fill out any forms to send your kids back to school this year, you might have noticed one lengthy-looking form in particular: the Family Educational Rights and Privacy Act (FERPA) form.

FERPA is the latest piece of legislation aimed at protecting your kids’ privacy and their identifying information while it’s in the school’s hands.

Why the need for new legislation? Because even children are victims of identity theft. While the majority of those children reportedly are victimized by a close friend or family member, schools have also been the source of a large number of data breaches that compromised student information. The reason for this is in the sheer amount of information that schools collect on students—including Social Security numbers—and the lack of trained IT experts or expensive security protocols to protect that information once it’s gathered.

Of course, FERPA is taking your child’s privacy even further. It’s not limited to who can look up your child’s address or see his Social Security number (if you chose to provide it to the school, which you are not required to do). Instead, FERPA also addresses the security of your child’s report cards, transcripts, behavior records, and more. In most (but not all) cases, the school is required to get your consent in writing before sharing your child’s records, and that can even include sharing his record with you; parents have the right to review their children’s records after they request it in writing, but not necessarily to have copies of them.

One other issue that FERPA addresses is the sharing of your child’s information in a directory format. This Act simply streamlines the guidelines so that all schools are on the same page about what is allowable to share. Generally, any information that can’t be used to steal your child’s identity can be shared about your students, from his basic personal contact information to his hobbies, clubs, awards, and even his height and weight for athletic team participation.

It’s worth noting that once your child turns eighteen, the information contained in his academic and behavioral record becomes his property, not yours. You no longer have the right to access it, although the student can release the information by requesting it. The school may still release it to you if your child is listed as a dependent on your taxes, and may share anecdotal information about what they know without providing documentation, but for the most part, your child takes ownership of his data once he becomes a legal adult.

One of the most taken-for-granted pieces of government documentation has got to be the poor, misunderstood Social Security card. While it has always been designed to be physically counterfeit-proof, the card itself offers no proof that the bearer is actually who he says he is.

It’s the information contained on the face of the card itself that is so valuable. But if it doesn’t tell anyone who you really are, what’s it good for?

According to Carolyn Puckett of the Office of Research, Evaluation, and Statistics, Office of Retirement and Disability Policy, Social Security Administration, “The original purpose of the SSN was to enable the Social Security Board to maintain accurate records of the earnings of individuals who worked in jobs covered under the Social Security program. The card was never intended to serve as a personal identification document… However, the simplicity and efficiency of using a unique number that most people already possess has encouraged widespread use of the SSN by both government agencies and private enterprises.”

Unfortunately, the widespread use of the SSN as an identifier has contributed to the growing crime of identity theft. Criminals need only access a few pieces of sensitive information in order to open new accounts, establish lines of credit, file fraudulent tax returns, and more.

But a new bill, the Identity Theft and Tax Fraud Prevention Act of 2015, introduced this past March by Sen. Bill Nelson, D-FL, includes some dramatic steps that are designed to minimize the threat to consumers. One of the very first items that can help protect individuals from losing their information in data breaches (either intentional or accidental) is to limit the uses of the Social Security number, specifically in the healthcare system.

“Use of the SSN as a convenient means of identifying people in large systems of records has increased over the years and its expanded use appears to be an enduring trend… Generally, there are no restrictions in federal law precluding the use of the SSN by the private sector, so businesses may ask individuals for an SSN whenever they wish (Streckewald 2006),” explained Puckett in a document for the Social Security Administration.

While it’s not illegal for an agency or a place of business to request your Social Security number, it’s also not required that you provide it. You don’t have any legal recourse, though, if a business like a doctor’s office refuses to treat you if you don’t provide it. What is more unfortunate about the use of SSNs as an identifier is the fact that many places will request it as standard procedure without even really knowing why they’re asking for it. It’s as if we’re so accustomed to handing it over on a form or during a registration process that we do it without even thinking about it.

The bill, which has garnered a lot of support from lawmakers, would eventually halt the practice of using your Social Security number in healthcare settings. This would be good news for consumers in that a number of hacking events and internal data breaches have occurred through healthcare and insurance offices, like the recent Anthem Healthcare breach. The bill would also increase the penalties for certain identity theft practices, like tax refund fraud or distributing stolen personal data. Finally, the bill does a lot to upgrade the current IRS practices of reporting and correcting tax refund fraud.

One of the more frustrating aspects to consumer protection from identity theft, data breaches, and cybercrime is the current state-by-state basis that our legal system uses to address this type of crime.

Consumers and businesses alike are subject to different laws, depending on where they’re located. But a new bill that has already come up for committee vote in Congress is working to establish a federal mandate for cybercrime, specifically in how businesses must respond to a hacking event or data breach.

The House bill—the Data Security and Breach Notification Act—which was put through by the Energy and Commerce Committee on April 15th, is already coming under fire and receiving some dissenting viewpoints from members of Congress. Even the chairman of the committee, Fred Upton (R-MI), openly stated that the bill isn’t ready yet. But there are some preliminary ways that the legislation seeks to protect consumers.

One thing it’s working to do is to mandate how and when a business must inform consumers that their information was accessed. The bill states that businesses only have to tell customers about a hacking event if it results in financial harm, but as the industry knows from medical data breaches, getting control of someone’s credit card number isn’t the only avenue to financial damage. Right now, some states have a rule in place that a business has to tell its customers about a hacking event regardless of the outcome, while other states have mandated the requirement to inform consumers only after a certain number of customers were affected. Still, some information is better than none, and this bill would require consumers be kept up to date on some data breaches.

Other sources of contention included the cap of $1,000 that businesses could be penalized (per consumer) for failing to inform customers of a breach; the original penalty was $11,000. A major issue for those who voted against this bill—which included all of the Democrats on the committee, including the original bill’s co-sponsor—is the broadening of the requirements for businesses to comply. The bill removed the very specific steps businesses must take in order to prevent the loss of consumers’ private information, and instead requires them to only use “reasonable security measures and practices.”

The stakeholders in a federal bill of this kind are still working to formulate a plan that can address the needs of both consumers and businesses. Even Committee Chairman Upton conceded, “I would confess that it’s not quite ready and probably won’t be quite ready when we get to final passage early this afternoon.” From here, the bill will move on to the House floor for debate, which will likely include strong mention of the National Cybersecurity Protection Advancement Act of 2015, a bipartisan effort to create an information sharing process to prevent cybercrime.

As if telephone, mail, and online scamming of the public weren’t awful enough, specific scammers actually that target the elderly now. These individuals’ inherently trusting nature, the stereotype that many senior citizens are unfamiliar with newer technology, and the very specific fears associated with things like having their utilities shut off or needing a better price on healthcare or medicine make the elderly a particularly ripe target for scammers and fraudsters.

But a new bill at work in the Ohio state legislature may impose greater consequences on scammers who go after senior citizens, as well as fund support centers for people who think they may have been the victim of a scam. One key measure will be to provide a mechanism for bankers, notaries public, and other offices that oversee financial transactions with a way to report suspected fraud or scams that affect their clients. Such covered examples might be a senior citizen who wants a new will or an odd bill of sale notarized, or a bank employee who notices multiple withdrawals from a customer’s account that are suddenly taking place.

Interestingly, the bill bridges the gap between “mandatory reporting” and providing protection from lawsuits if the reports of suspected elder scamming prove unwarranted. Mandatory reporting under this bill would require people in a position of oversight over elderly citizens’ finances to report any strange behaviors that could indicate a scam, but then would also protect those mandatory reporters from civil suits arising from their reports.

This type of protection is important for helping state officials and corporate employees take elder scams seriously, and to know they are supported for doing the right thing. The bill has now passed the Ohio state House and has gone on to the Senate, and its supporters are excited about the first piece of legislation to enact protection specifically of the elderly in more than 25 years. While there have been supports in place for elderly victims to turn to, they’ve often fallen under the state’s attorneys general to oversee, meaning each new successive person in that position is tasked with keeping it up to date on the most current information.

Rather than leave anything to chance, this bill would establish protections and support that stands on its own as a state government office.

The Identity Theft Resource Center and the Federal Trade Commission routinely conduct focused research on the impact of identity theft in order to get a clear picture of the nature and aftermath of this crime. For the fifteenth year in a row, the number one consumer complaint to the FTC is identity theft, and targeted efforts are being made to help develop a broader picture of what identity theft really entails in order to establish the protocols that will lead to better prevention.

Join us on Wednesday, March 18 at 9:00AM (EDT) for a live event to discuss this important issue, along with the release of Identity Theft Resource Center’s research whitepaper – Identity Theft: #1 FTC Consumer Complaint 15 Consecutive Years. The keynote speaker for this event will be Terrell McSweeny, Commissioner of the FTC, who will speak on the data findings that have led to this top consumer concern. A panel of experts will discuss the issues surrounding populations heavily affected by identity theft and what all stakeholders can do to better understand and assist them.

Event Details

Wednesday, March 18


Google – Washington, D.C.

25 Massachusetts Avenue NW, 9th Floor

Washington, DC 20001

*See map below

The event is free, but space is limited. To RSVP, click the registration button below, or go directly to the invitation information page: Identity Theft:  #1 FTC Consumer Complaint 15 Consecutive Years.

For those who cannot attend the live event in person, live tweeting of the keynote and the panel discussion will take place. Use the hashtag#IDTheftImpact to join the conversation where we will be sharing statistics and facts from the findings on Twitter. Be sure to add the hashtag to your own comments or questions in order to display them publicly with regard to this event.

It is important to realize that all of our constituents, customers, and citizens need tools that are specifically designed to assist their needs. By bringing policy makers, regulatory officials, industry specialists and advocacy groups into this discussion we hope to come away with new ideas and strategies, as well as collaborative opportunities.



Terrell McSweeny Headshot

Terrell McSweeny

Commissioner of the Federal Trade Commission






Eva Velasquez, ITRCModerator: Eva Velasquez


Identity Theft Resource Center

Eva Velasquez is the President/CEO at the Identity Theft Resource Center, a non-profit organization which serves victims of identity theft. Velasquez previously served as the Vice President of Operations for the San Diego Better Business Bureau and spent 21 years at the San Diego District Attorney’s Office.  Eva has a passion for consumer protection and privacy issues and is constantly striving to educate the public about these important topics.  She is recognized as a nationwide expert on identity theft and has been featured in numerous news outlets.


John Breyault, National Consumers LeagueJohn Breyault

VP of Public Policy, Telecommunications and Fraud

National Consumers League

John joined the National Consumers League — America’s oldest consumer organization — in September 2008. John’s focus at NCL is advocating for stronger consumer and worker protections before Congress and federal agencies on a range of issues including telecommunications and technology policy, fraud, and consumer financial protections. In addition, John directs NCL’s anti-fraud education and advocacy campaign.

John has served on numerous Boards and advisory committees including the Federal Communications Commission’s Consumer Advisory Committee, the Commodity Futures Trading Commission’s Technology Advisory Committee, and the Board of the Arlington-Alexandria Coalition for the Homeless.


Andy Bucholtz, LexisNexisAndy Bucholz

VP of Market Planning

LexisNexis® Risk Solutions

Andy Bucholz is the Vice President of Market Planning for LexisNexis® Risk Solutions, where he is responsible for the strategy and product development of identity-based solutions within the LexisNexis Government division. In this capacity, he helps federal, state, and local governments stop fraud and recover revenue by leveraging the availability of public records data. Mr. Bucholz is a recognized expert and frequent speaker in the field of data aggregation technology as it is used to uncover fraud — an area in which he holds several patents. Prior to joining LexisNexis, he founded G2Tactics, Inc., a startup that built the first portable mobile license plate reader.


Lisa Schifferle, FTCLisa Schifferle

Attorney, Division of Consumer and Business Education

Federal Trade Commission

Lisa Weintraub Schifferle is an attorney in the Federal Trade Commission’s Division of Consumer & Business Education. At the FTC, she regularly speaks on identity theft and senior scams, training advocates across the country. Before arriving at the FTC, Ms. Schifferle spent eight years at the Maryland Legal Aid Bureau, as a Staff Attorney and Supervising Attorney. She received her B.A., summa cum laude, from Yale College and her J.D. from the University of Virginia Law School.


Shawn Tiller, IRSShawn Tiller

Director, Refund Crimes

Internal Revenue Service Criminal Investigation

Shawn Tiller is the Director, Refund Crimes, IRS Criminal Investigation and reports directly to the Deputy Chief, Criminal Investigation. Mr. Tiller was named to this position in August 2014 and is responsible for guiding the activities of the Refund Crimes headquarters staff and employees in four Scheme Development Centers sites across the United States.

The Office of Refund Crimes is responsible for the detection of refund fraud, questionable refund schemes and return preparer fraud. The staff coordinates those activities with internal and external stakeholders to ensure a fair and balanced administration of the tax refund system.



About the ITRC

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization which provides victim assistance and consumer education through its toll-free call center, website and highly visible social media efforts.

It is the mission of the ITRC to: provide best-in-class victim assistance at no charge to consumers throughout the United States; educate consumers, corporations, government agencies, and other organizations on best practices for fraud and identity theft detection, reduction and mitigation; and, serve as a relevant national resource on consumer issues related to cybersecurity, data breaches, social media, fraud, scams, and other issues.


We’ve come a long way from the days when identity theft first became a widespread problem, back when law enforcement officials didn’t quite know how to address it. It was such a new, unheard of issue even as recently as the 1980s that victims, the financial sector, and the judicial system alike often felt lost. The end result back then was often a lengthy nightmare for the individuals who were trying to clear their names.

Now, the scope of this type of crime is more fully understood, and states around the country have mechanisms in place to track down guilty parties and prosecute. But as thieves and scammers become craftier, the legislation often has to play catch up in order to stay on top of it. That’s why states around the country adopted new legislation in 2014 to address the problem.

One of the most notable changes was in the way children’s identities are being viewed. Several states passed legislation that works to prevent the fraudulent use of children’s personally identifiable information, a crime which is often committed by a parent or relative. It became easier in many states to put a freeze on a child’s credit report, meaning the child’s identity could not be used to initiate a new line of credit or an account of some kind.

Other legislation in a few states worked to combat the flip side of this problem, which is identity theft or scamming of an elderly person in the criminal’s care; again, it’s sad to say, but the elderly are often targeted by identity thieves, and too often it’s someone the victim knows. Florida, who has a large retiree and senior adult population, took it a step further and clarified what is admissible in court as a sworn statement by an elderly individual, as well as tightened up the laws regarding theft of property. It is no longer only physical property theft that’s considered exploitation of a senior citizen, for example, since there are other ways to defraud an individual.

Regarding both child and elderly identity theft cases, some states increased the penalty for these types of crimes, required government entities to report suspicious activity involving these citizens’ data, and initiated some forms of mandatory checking on Social Security numbers. Several states also allowed for the freezing of a minor’s or incapacitated adult’s credit if there is cause to believe someone may be after that individual’s identity.

Another running theme throughout these new laws is consumer protection, namely that some states now have strict requirements for reporting suspected data breaches and informing consumers who may have been affected. Until recently, many states had no mandatory requirement for this timeframe; of the record number of data breaches in 2014—the highest year so far for data breaches, in fact—many involved companies that waited months to inform their customers that their information had been stolen.

One of the stronger pieces of legislation involves the mere possession of stolen personal data. Identity theft can be hard to track down and trace, especially in cases where the original thief sold the information online. That’s a booming business in the world of black market e-commerce, so the person who accessed your information may not be the person who actually used it. There were numerous arrests in 2014 in which the suspect had personal information, stacks of prepaid debit cards, and other identity theft tools of the trade, but until now there was a shortage of strong legislation that made that illegal. Now, some states have passed laws stating that even possessing someone’s personally identifiable information without cause is a crime.

It can be overwhelming to try to stop identity theft and its related crimes when the laws vary in so many states, and efforts like those from 2014 have created a more uniform environment for preventing and prosecuting this crime. Be sure to read up on the laws in your state and know what protections are in place to keep your identity safe.

A Florida case involving a drug dealer may have changed the face of individual privacy in this country. The police in the case used a few different methods to locate and apprehend the suspect without obtaining a warrant, methods that the Florida Supreme Court has now declared illegal.

In the 2007 case of Shawn Alvin Tracey, the police had a warrant to track the activity on his phone as it pertained to incoming and outgoing phone calls in order to tie in more individuals to Tracey’s drug activity. What they didn’t have permission to do was track Tracey himself via the phone’s connection to various cell phone towers.

They relied on the practice of tracking an individual via his cell phone. The phone, which pings different cell phone towers as it connects even if it’s not in use, then provides a fairly accurate location marker, one that is precise enough to locate someone in a specific apartment in a building the suspect was in. The police accessed this additional information from the telecom company without obtaining a warrant from a judge, which the court has now ruled was a violation of the suspect’s Fourth Amendment right preventing unreasonable search and seizure.

What has come to light due to this case—the first of its kind in the US—is just how widespread the use of a law enforcement device known as a “stingray” has become, with police offices around the country allegedly using the device to skirt telcom restrictions and judges’ orders. This device can operate without requiring permission from the company that owns the cell phone tower and without the service provider even knowing about it; unfortunately, it has also come to light that police have lied to judges and defense attorneys in the past about where the tracking information came from, stating that it was simply provided by a “confidential source” rather than a piece of technology.

There is no argument that the police have an incredibly difficult job to do, and that criminals are constantly coming up with newer, more creative ways to stay one step ahead. But that doesn’t mean that citizens forfeit their rights to privacy and must incriminate themselves. According to the Florida court’s ruling, the use of the technology is still within the police’s power, they just have to obtain a warrant before gathering and using any data provided by a cell phone tower. They must be able to justify to a judge why they are tracking an individual, and will no longer be able to pick someone up in order to do their investigating.

It’s easy to think this isn’t a problem that everyday citizens have to worry about. After all, if you don’t want the police tracking you, then don’t break the law. But that’s not exactly the extent of the privacy issue in this case; after all, if the police can track you, what stops a criminal from tracking you through the same kind of technology? This issue, however, is about our individual rights, and the forfeiture of those rights is a matter that all citizens must take seriously. As our use of technology expands and the understanding of how that technology can and cannot be used expands along with it, we have more need than ever to protect our rights.

In a matter that has frustrated both individuals and open internet advocates, Google is slowly making its way through the mountain of requests that have flooded their offices since the EU ruled earlier this year on the Right to Be Forgotten. The ruling gives citizens the right to request certain webpages be removed from linking to them through search engines if the information is false or outdated. Under some countries’ laws, the request process actually allows for guilty individuals to have mentions of their crimes removed if enough time has passed and the sentence has been fulfilled.

Right to be ForgottenSince the spring ruling, Google has already removed more than 170,000 links to pages that contain content that users found associated with them, which was almost 42% of the requests submitted. Of those requests, the majority of pages removed came from Facebook, while other social media sites including Profile Engine and YouTube followed closely behind.

Interestingly, Google has been put in the precarious position of playing judge and jury in this situation, as users submit requests for page removal and then Google is tasked with deciding if the page link should come down. Requests are either approved or denied based on employees’ perceptions of the content as it pertains to the individual’s request.

As for being a time consuming process, that doesn’t even scratch the surface. Across the EU, close to 150,000 people have submitted requests to have a total of almost 500,000 webpage links removed. Those pages have to be carefully scrutinized and then judged as to whether or not they should come down. In an interesting twist, the page doesn’t disappear entirely, but is instead replaced with a message that the content was removed under the Right to Be Forgotten law, which really only tells future viewers that something on that page was at one point incriminating. Moreover, the content doesn’t necessarily come down either, but instead no longer links back to the individual’s name for search purposes.

According to an article for CNBC, one individual in Italy submitted requests for around twenty links that gave details about his arrest, and his requests were denied; a different individual from Germany submitted requests for around fifty links that gave details of an embarrassing public incident, and those requests were approved. An article from The Guardian also described how a doctor has requested links to news of malpractice accusations be removed; some of the requests which were approved and some were left standing.

Opponents of this measure have cited censorship concerns, while supporters have pointed out that the “nothing is ever deleted from the internet” nature of online information creates a world where no one can ever move on from their mistakes. In truth, a generation ago, a convicted individual who served out his sentence could at least expect to be able to move on with a fresh start, but that’s not quite as feasible in today’s climate of online data storage. Either way, with an average of 1,000 requests per day coming in from across Europe, the process won’t get faster any time soon.

California Governor Edmund Brown, Jr., signed proposed ID theft legislation into law on September 30th, marking a significant step in protecting citizens from data breaches and the resulting fraud. The bill, AB 1710, will take effect on the first day of the new year, and will go a long way towards helping consumers recover from large-scale data breaches.

Unfortunately, the original content of the bill wasn’t accepted in its entirety, but supporters say that the approved measures are a good first step. One of the provisions that did not make it to the governor’s desk include making breached businesses pay for the cost of issuing new credit cards to affected consumers, a cost that currently falls to the credit card companies. Another measure that was struck from the final piece of legislation would have required companies to delete much of the stored information that gets breached in these events, such as payment details, Social Security numbers, driver’s license numbers, and birthdates. Also, companies that gather and store that information were going to be required to notify affected consumers of a breach within fifteen days, as opposed to the ambiguous “timely manner” that current legislation requires; that measure also did not pass.

As an expert close to the bill explained, there are always a number of factors in any piece of legislation that get reduced before the final approval. A surprising number of organizations opposed the original, stronger content of the bill, including the state’s Chamber of Commerce and The Internet Association. Much of the reason for the opposition to the stronger terms stemmed from the fact that there are so many different industries involved in using consumers’ information that making broad, one-size-fits-all mandates for all of them would have been impossible.

There is some good news for California citizens, though, as some of the protections in the bill will make an impact on the outcomes of future data breaches. One of the first measures was a mandatory credit monitoring coverage for all consumers affected by a data breach in which information like Social Security numbers was accessed; this offer is usually extended by large corporations in the event of a breach as a show of good faith effort, but the new law will make it required for all companies. Also, the healthcare industry—a common source of identity theft and personally identifiable information loss—will be required to follow not just the existing HIPAA privacy regulations for data breaches, but also this new law.

While the new law may not have the same protective strength that the original creators and advocates had hoped, it is a good experimental move in helping ensure more protection for individuals who are devastated by identity theft. Hopefully, as the effects of the law are seen and understood, stronger safeguards can occur in the near future.