Home > Uncategorized > The Identity Theft Enforcement and Restitution Act

The Identity Theft Enforcement and Restitution Act

Although identity theft has proliferated considerably over the last decade, legislation that defines this crime and prescribes punishments for it has lagged far behind. Consequently,  the likelihood that identity theft perpetrators are brought to justice has been severely reduced. Recent legislation passed by both branches of the US Congress has, however, provided some reason for optimism. Among the provisions of this legislation is one allowing identity theft victims to sue perpetrators of such crimes for restitution. This legislation abolishes the requirement that a successful identity theft attempt must amount to at least USD 5,000 in damages before criminal charges can be filed against perpetrators. Furthermore, under the provisions of this legislation, installing spyware or malicious code on more than 10 computing systems constitutes a felony. Finally, in sharp contrast to provisions in previous identity theft legislation, identity theft that does not cross interstate boundaries can now under the provisions of this legislation nevertheless be pursued by federal agents. This legislation now needs only be signed by the President before it becomes law.

Assuming that the Identity Theft Enforcement and Restitution Act is signed into law, it will constitute a definite step forward in the war against identity theft, computer-related identity theft in particular. Still, this legislation does not go far enough. Identity theft and weak authentication go hand-in-hand; strong authentication, on the other hand, creates huge obstacles for would-be identity thieves. Legislation that would require banks, merchants and other entities to deploy moderately strong authentication mechanisms in electronic transactions systems would thus in all likelihood constitute an even bigger step forward. Unfortunately, however, although the Identity Theft Enforcement and Restitution Act has significant merits, it is limited in that it is aimed only at tightening loopholes in previous identity theft legislation.

Additionally, the Identity Theft Enforcement and Restitution Act, like so much other cybercrime-related legislation, will not go nearly as far in reducing identity theft as some hope because it is US-specific legislation. The cyber world has no boundaries; it spans almost every country in the world. When identity theft occurs in the US, there is a high probability that the crime was committed while the perpetrator resided in some other country. Consider how little (if anything) the US CAN-SPAM Act has done to reduce the volume of Internet SPAM. Why? The punishments that this legislation calls for have made no difference whatsoever to spammers who have operated outside of the US. The possibility of extradition of foreign identity theft criminals to the US always exists, but the probability of the US even attempting to extradite a suspected computer criminal is small, and even if someone is extradited, the likelihood of the country in which that person resides cooperating with the extradition request is even less. If you are still skeptical, consider the ridiculously drawn out case of accused UK computer break-in expert Gary McKinnon. US attempts to extradite McKinnon for break-ins into a wide variety of US government computing systems began years ago, but McKinnon still remains on UK soil because of a series of elaborate and prolonged legal maneuvers.

The proverbial glass is half full. It is better to have the Identity Theft Enforcement and Restitution Act than to not have it, but legislators still have considerable work to do if they expect legislation to serve as an effective deterrent to identity theft as well as other forms of computer crime.

Categories: Uncategorized Tags:
  1. No comments yet.
  1. No trackbacks yet.
You must be logged in to post a comment.