Credit Scores and Credit Reports, by Evan Hendricks

Chapter 7

Identity Theft Basics

Who steals my purse steals trash:           
'Tis something, nothing;           
Twas mine 'tis his           
and has been slave to thousands.           
But he that filches from me my good name           
Robs me of that which not enriches him,           
And makes me poor indeed.           

- Othello, III, iii, 157-61 (Iago) 

Studies released in 2003 supported what experts had been warning for some time: identity theft is reaching epidemic proportions. The Federal Trade Commission survey estimated in 2003 there were 9.9 million victims of identity theft, up from an estimated 6.9 million victims in 2002 and 3.4 million victims in 2001.⁷³ (For more details on these and other surveys, see Chapter 10).

⁷³ www.ftc.gov/os/2003/09/synovatereport.pdf

This chapter is designed first and foremost to help those who have become, or fear they have become, victims of identity theft. Later, we'll examine the nature of the crime and a few individual cases.

For the vast majority of people who are not victims of identity theft, the best thing to do is to check your credit report regularly, focusing on two categories:

• Unfamiliar Accounts (tradelines). Is there a new credit card or debt listed on your report that you've never heard of?


• Inquiries From Unfamiliar Entities. Here, we are talking about the "first-section" inquiries, meaning those that result from you apply for credit, not from pre-approved promotional or account review inquiries. If you live in Ohio and there's an inquiry from a car dealer in Arizona, or an electronics store in Florida, chances are something is wrong; you should investigate immediately, following the steps listed below.

In addition, the three major credit bureaus sell subscription services that are supposed to alert you via e-mail if there is significant new activity on your credit report that could signal identity theft. These services range from $10.95 per month to $119 per year. These services have not yet been independently audited to ensure they work the way they should. If they do, they should serve as an effective - though a bit pricey - method of learning of a threat to your personal data before the damages begin to compound.

What To Do If The Nightmare Happens To You

Several groups, including the Privacy Rights Clearinghouse, Identity Theft Resource Center, Identity Theft 911, and the Mari Frank Law Office, have done an excellent job of listing the steps that victims should take to contain the damage from identity theft. (See Footnote 2 for their Web site URLs).⁷⁴

Activity Log/Recordkeeping. In Chapter 6, we told you to keep an activity log and folders to track progress on your disputes to the credit bureaus. This becomes even more important when fighting off identity theft, for several reasons. First, you typically must deal with three credit bureaus, several creditors, and a law enforcement official (local police, detective, Secret Service, etc.). You will want to document your communications with these and any other entities. Second, you need to keep track of the time you spend on these chores, as well as any out-of-pocket expenses (folders, certified postage, long-distance phone calls, etc.). If some entity does not meet its legal obligations, you will want to be able to quantify your damages. Accordingly, you might also want to keep a diary, noting when and how your identity theft-related chores are causing you emotional distress or affecting your work performance or personal relationships. In addition, your time and expenses might be tax-deductible in certain circumstances (consult an accountant).

Law Enforcement. Here are the authorities you should notify in order to file a formal report. Remember to include all fraudulent accounts in the report, as the credit bureaus say that enables them to promptly remove the disputed accounts from your credit report. Keep a copy and the report number. Contact:

• Your local police department


• FTC (800) 438-4338 - 800-ID THEFT; www.consumer.gov/idtheft


• For the FTC uniform affidavit: www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf

⁷⁴ Privacy Rights Clearinghouse, www.privacyrights.org, has excellent fact sheets for identity theft, credit reports, and a myriad of other privacy issues. Mari Frank, www.identitytheft.org, is an attorney and author of the quite helpful Identity Theft Survival Kit, From Victim To Victor, and Safeguarding Your Identity. The leading group is the ID Theft Resource Center: www.idtheftcenter.org; also see www.identitytheft911.com

Credit Bureaus (CRAs). Here's the checklist of immediate steps to take with the credit bureaus.

• Notify at least one of the CRA's fraud units that you are a victim of identity theft. They are responsible for notifying the other two CRAs. (Experian: 888-397-3742; Equifax: 800-525-6285; Trans Union: 800-680-7289)


• Ask the CRAs to flag your file with a fraud alert (lasts 3-6 months). When you receive your credit report, follow the instructions to extend the fraud alert for 7 years. You can cancel at any time.


• Ask the CRAs to send you a free copy of your credit report. (In California, state law entitles you to one free report per month for 12 months.)


• Once you read the report, send a dispute letter, accompanied by police report and/or FTC fraud affidavit specifying which accounts are fraudulent


• Consider subscribing to the CRAs' monitoring-alert services (see CRA Web sites)


• Ask CRAs for contact info of creditors with whom fraudulent accounts have been opened.


• Consider putting a "security freeze" on your credit report so nobody can access your account unless you lift the freeze, a right Californians and Texans have under state law.

Creditors (New & Existing Accounts). The identity thief has opened up new accounts in your name. You must contact these creditors immediately, by phone and in writing. Their contact data should be listed on your credit report.

• Notify each creditor of the identity theft, specifying the fraudulent account. They will ask you to send a fraud affidavit. (Note everything in your activity log.)


• Fill out and send the FTC uniform fraud affidavit, which most creditors accept. www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf


• Ask them to send any application, transaction, or other records documenting the fraudulent activity that occurred in your name.⁷⁵


• If the thief committed fraud using your existing credit cards or checks, get replacement cards and numbers and specify that you want the "accounts closed at customer's request," as opposed to "card lost or stolen," which some could construe to be your fault.


• Add passwords to all accounts. (Store passwords so you can find them when you forget them later.)

Debt Collectors. Debt Collectors may come after you for unpaid bills generated by the identity thief. If they call you:

• Ask the debt collector for his or her name, company's name, address, and phone number. Advise him that you are noting the time and date of the conversation in your activity log.


• Inform him that you are a victim of identity theft and not responsible for the debt.


• Ask for the name and contact information of the referring credit issuer.


• Be ready to provide the FTC uniform fraud affidavit.


• Follow up with a letter to the collector, stating that you do not owe this debt and that the account has been closed.
• Request in writing confirmation that the account is being closed and noted as fraudulent, and that any and all reference to the debt in your credit files will be removed.

⁷⁵ Required first by California Penal Code 530.8, and later by the 2003 Amendments to the FCRA (FACT Act)

Checks. If the thief used your checks, put stop payments on all remaining checks, cancel your checking and savings account, and obtain new account numbers. Put a password on your account. Notify the following check verification companies (remember, keep track of your time.)

• CheckRite: (800) 766-2748


• Chexsystems: (800) 428-9623


• CheckCenter/CrossCheck: (800) 843-0760


• Certigy/Equifax: (800) 437-5120


• International Check Services: (800) 526-5380


• SCAN: (800) 262-7771


• TeleCheck: (800) 710-9898

Other Things To Watch For

• ATM Cards (cancel and change PIN)


• Fraudulent change of address - Postal Inspector www.usps.gov/websites/depart/inspector


• Local or cellular phone service


• Social Security number misuse www.ssa.gov


• Drivers license number misuse


• Passports www.travel.state.gov/passport_services.html

Why Has Identity Theft Increased?

Identity theft is:

1. a relatively low-risk crime,


2. with a potentially very high payoff,


3. that can be relatively easy to pull off,
4. with enforcement is uneven, at best, despite


5. the potentially devastating impact on the victim.

It wasn't officially declared a crime until 1998 when Congress and some states began passing laws to that effect. (For more on the history and evolution of identity theft, see Chapter 10.)

Throughout much of the 1990s, many victims of identity theft had trouble convincing the police that they were victims of a crime at all. The police often would say that the credit card company or bank was the victim because they, and not the consumer, lost money to the thief. Some victims could not even convince authorities to write a police report. Other victims faced jurisdictional problems because the thief resided in a different city or state.

In the early days, identity theft was more of a one- person-at-a-time crime. But in recent years, it's gone "wholesale." Thieves target organizations where they can filch personal data on dozens, if not hundreds or even thousands of people at a time. Methods of attack include bribing or placing a "mole" in auto dealerships, personnel departments of major corporations, or government agencies like the Social Security Administration, or hitting multiple mailboxes at large apartment or housing complexes. The document that the identity thief covets most is the credit report. It's the best road map for committing the crime or invading privacy in other ways.

One notable case involved Philip Cummings, a 10-month employee of Teledata Communications Inc (TCI), a company that facilitates large companies' use of credit reports. From 1999-2002, Cummings allegedly was able to electronically masquerade as the Ford Motor Company and other major companies, pull credit reports in their names, and sell the data to a Nigerian fraud ring. Even after Cummings left TCI and moved out of state, he was able to continue using passwords that allowed him, from February to May 2002, to pull 6,000 reports, 100 at a time, in the name of Washington Mutual Bank.

As recently as September 2002, long after the Ford Motor Company incident had been well publicized, the Cummings ring ordered 4,500 credit reports through Central Texas Energy Supply. When a company did change its password, it temporarily stumped the ring member's laptop on which Cummings had downloaded passwords. But after being arrested, the ring member later cooperated with prosecutors and told them that Cummings had an ample list of additional passwords that still worked.

The result was that some 30,000 individuals had their good names used for fraud - with initial losses pegged at $2.7 million, but rising well beyond that.⁷⁶

The Key Moment

Of course, identity theft is profitable because the thief is able to get credit in someone else's name. That's where the credit report comes into play. The key moment occurs when the credit reporting agency (CRA) discloses the innocent victim's credit report in response to a thief's fraudulent application for credit. The credit report "validates" the thief and starts him on his "credit joyride." As we will explore in greater detail in a later chapter, the CRAs' rather loose algorithms have benefited identity thieves by allowing for disclosure of victims' credit reports even when the imposters' applications are filled with discrepancies.

⁷⁶ TCI and other breaches were the subject of April 3, 2003 hearing of the House Financial Services Subcommittees on Financial Institutions & Consumer Credit, and Oversight and Investigations, "Fighting Fraud: Improving Information Security," at which this author testified. http://financialservices.house.gov/hearings.asp?formmode=detail&hearing=202. Also see the excellent reporting on security breaches, identity theft, and more by MSNBC's Bob Sullivan www.msnbc.com/news/839678.asp

Victims

A book could be filled with the horrifying stories of identity theft victims. To help illustrate their plight, we will offer only a few.

On November 5, 2001, retired Army Captain John Harrison, a Connecticut resident, received a call from a detective in Beaumont, Texas who was investigating a Harley-Davidson motorcycle that had been purchased using Harrison's name and SSN. The detective tracked Harrison down through his credit report. Harrison took all the steps that were recommended by experts (and the above pages in this chapter): He ordered his three credit reports, initiated fraud alerts, contacted creditors immediately, received and reviewed his credit reports, and filed a police report with the Army's Criminal Investigation Division.⁷⁷

The crook, Jerry Wayne Phillips, was caught on his Harley in North Carolina about a month later. Phillips said it was easy to convince Army officials at Fort Bragg, N.C. to issue him identification in Harrison's name and SSN.

'Joyriding'

From July to December 2001, Phillips used Harrison's identity to acquire goods, services, and cash in his name. The acquired items were valued at over $260,000. Staying away from Harrison's home state of Connecticut, Phillips bounced from Florida to Virginia, and on to Texas, opening at least 60 fraudulent accounts: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. He purchased two trucks through Ford Credit valued at over $85,000, and a Harley-Davidson motorcycle for $25,000. He rented a house in Virginia and purchased a time-share in Hilton Head, South Carolina. He bounced over 100 checks on his Army and Air Force Exchange Service (AAFES) checking account. Phillips was indicted on federal charges in Texas, pled guilty to one count of identity theft, and was sentenced to 41 months in a Minnesota federal prison.

⁷⁷ Statement of Capt. John C. Harrison, U.S. Senate Committee on Banking, Housing and Urban Affairs, "The Growing Problem of Identity Theft and Its Relationship to the Fair Credit Reporting Act," June 19, 2003. Harrison filed suit under the FCRA. He was represented by Chris Kittell, of Webster Gresham & Kittell, Clarksdale, Miss. http://banking.senate.gov/index.cfm?Fuseaction=Hearings.Testimony&HearingID=43&WitnessID=177

But that did not end the damage to Harrison. One of the more difficult aspects was the 20-month struggle with credit bureaus and creditors. While Experian and Trans Union did a "fair job," he charged that Equifax failed to obey the FCRA.

"It took eleven months and three dispute letters to get a second report from Equifax. Further, I found the report they sent to me was not the same report they were sending to creditors. Both reports that Equifax has in their system still contain as many as fifteen fraudulent accounts," Harrison told Congress in June 2003. On his credit report, he had 17 different addresses, six different phone numbers, and a changing date of birth, he said.

"Credit bureaus hide behind the fact that they are only reporting what creditors tell them, while at the same time, victims are repeatedly sending affidavits, police reports, and detailed dispute letters proving the creditors are wrong. That is why it takes identity theft victims years instead of months to recover from this crime."

"I've invested over 1,100 hours of my time defending myself and working to restore my credit and banking histories. I've filled eight notebooks with over 1,500 pages of documentation. I can account for about $1,500 in out-of-pocket expenses directly related to my identity theft. Higher interest rates have cost me over $4,000. I've been unknowingly sued by at least one of the creditors. I've had my military retirement garnished. I'm not credit worthy enough to open any new accounts and bad checks reported in my name prevent me from opening any deposit accounts with banks."

Harrison said the toughest part might be the emotional distress he suffered. He was diagnosed with Post Traumatic Stress Disorder (PTSD) and given medication. He lost his job. Harrison has filed an FCRA lawsuit, which is still pending.

"Sadly, even as I look back over the last twenty months and retrace my steps, I can't identify a single thing I could have done differently that may have prevented the situation I'm currently in," Harrison said.

Once Again, With Feeling

Malcolm O. Radcliffe, Jr. also filed suit against three credit bureaus after he became a victim of identity theft in 1997. In November of that year, Radcliffe, an Indiana resident, received a phone call from a man who said he would soon be at Radcliffe's house to repossess his Toyota. Problem was, Radcliffe didn't own a Toyota.

When he got his credit report, Radcliffe discovered that numerous accounts, totaling $57,000, had been opened in his name by an imposter. Radcliffe spent hours writing and calling credit bureaus and creditors to dispute the fraudulent trade lines, but his credit report remained marred by inaccuracies not of his making. In some cases, the credit bureaus would verify the fraudulent data as accurate. In other cases, they would agree to delete it, only to reinsert it later. After at least 65 interactions with the credit bureaus and creditors, Radcliffe filed suit under the FCRA. In November 1999, he reached a confidential settlement with Experian, Trans Union, and CSC Credit Services.<sup>78

78</sup> Malcolm O. Radcliffe, Jr. v. CSC Credit Services, Inc., et al.: U.S. Dist. Ct. - Southern Dist. of Indiana (Evansville) - No. 3:03-CV-00082. Radcliffe was represented by John Waller, of Wooden & McLaughlin, Indianapolis.

Less than a year later, however, more fraud-generated data had returned to his credit report. Many of the "returns" were collection accounts stemming from the original fraudulent accounts that were removed in the 1997 settlement. So by mid-August, Radcliffe called Experian, which again corrected his report. In late September 2000, Radcliffe informed Experian that his credit report still listed a fraud-related SSN, date of birth, and misspelled name. In October, Experian again corrected the mistakes.

In July of 2002, Radcliffe discovered that fraud-generated data was again on his credit reports. He tried calling Experian's 800-number, but after being on hold for 45 minutes, he grew frustrated and gave up.

In February 2003, because of more bad data on his credit reports, Radcliffe was denied credit after making in-store applications at Banana Republic and in Parisien, a Saks store. One of the accounts on his February 2003 Experian report was a Filene's Basement account, which was first reported in 1999 and removed as part of the settlement.

In May 2003, at the age of 69, Radcliffe sued again, this time adding Equifax as a defendant, along with Experian, Trans Union, and CSC Services Corporation. It's typical for credit industry attorneys to tell a FCRA plaintiff that they really don't "have much in the way of damages." John Waller, Radcliffe's attorney, did not agree with them. But he and Radcliffe knew they had a long road ahead of them to get his case before a jury. In February 2004, the 70-year-old Radcliffe finalized his second settlement. He said he hopes it's his last.

Studies Confirm The Anecdotes

In the next chapter, we will discuss in more detail a series of studies about identity theft. At this point, we will mention only a few of the findings.

A 2003 study by the FTC found that the longer it took to discover the identity theft, the greater the damages.

While 63% had no out-of-pocket losses, victims reported a wide range of problems, including wrongful bank and credit card charges, harassment by collectors, loan or insurance rejection, cut-off of utilities, civil lawsuits, and criminal investigations.⁷⁹

Among those victims who contacted a credit bureau, 58% said they were either "very" or "somewhat" satisfied, while 29% said they were somewhat dissatisfied and 9% said they were very dissatisfied. Of those consumers who contacted all three major credit bureaus, 49% said they were satisfied with all three, 20% said they were satisfied with some of them, and 31% said they were dissatisfied with all three. That reflects a significant level of dissatisfaction.

Also in September 2003, the Identity Theft Resource Center (ITRC) published its survey of 173 victims, showing that the damage suffered by identity theft victims was escalating on all fronts. It found that fraudulent charges averaged more than $90,000 per name used and that the average time spent by victims is about 600 hours, an increase of more than 247% over previous studies. It found that it was taking far longer than before to eliminate negative information from credit reports.⁸⁰

John Harrison, the retired Army Captain and identity theft victim, said an "evaluation system" and other incentives had to be created to get CRAs to fight identity theft.

⁷⁹ Federal Trade Commission - Identity Theft Survey (Sept. 2003) www.ftc.gov/os/2003/09/synovatereport.pdf
⁸⁰"Identity Theft: The Aftermath 2003," Identity Theft Resource Center (Sept. 2003); http://www.idtheftcenter.org/idaftermath.pdf

"I don't want to make unfounded accusations," Harrison said, "but it is my belief through common sense that credit bureaus do not lose money as a result of identity theft; they make money. Over a hundred inquiries have been made to my credit reports as a result of fraudulent accounts. These are inquiries the repositories are paid for what would not otherwise have been made. Additionally, with the public becoming more informed about the seriousness and growth of identity theft, I'm certain that sales of credit monitoring systems are doing quite well also. Monetarily speaking, there is not much incentive for the repositories to be aggressive about preventing identity theft or correcting inaccurate reports resulting from identity theft."⁸¹

Winds of Change?

If, in the future, victims of identity theft begin to get a bit more respect from the Big Three CRAs, they might want to thank an Oregon man for providing the motivation.

In January 2000, Matthew S. Kirkpatrick, a Portland finish carpenter and father of two young children, was surprised to learn that he had been denied a mortgage loan. He understood the importance of good credit and maintained a FICO score around 750. But it turned out that someone in Coeur d'Alene, Idaho, had stolen his name and SSN to take out credit in his name, thereby polluting his credit report with late payments and collection accounts. Kirkpatrick began the arduous task of notifying those who had been defrauded that he was not responsible. He specifically recalled Equifax advising him to have the defrauded creditors notify Equifax directly. In fact, by the fall of 2000, two of creditors had done so. Kirkpatrick thought the problem had been resolved and that his FICO score would be restored to 750. He also put a "fraud alert" on his credit report.

Soon thereafter, Kirkpatrick's wife, Lisa, became pregnant with their third child. He quickly made plans to construct a new bedroom, and would do most of the work himself. Wishing to get started right away, he borrowed money from Lisa's retirement account - knowing there would be no penalty as long as the money was repaid by April 15, 2001, still several months away.

⁸¹ Harrison, op. cit.

In February 2001, however, Kirkpatrick discovered that his credit report was polluted with more than a dozen collection accounts stemming from the ongoing activities of the Coeur D'Alene fraudster, including accounts involving creditors who already had informed Equifax that he was not responsible. His FICO score had plummeted to 580, well below sub-prime. Even though the local branch was familiar with him, it rejected his home improvement loan application, as the underwriters would never permit credit to be granted to someone with such an abysmal credit history.

You Can't Find It?!

Once he overcame his shock, Kirkpatrick set out to compile a dispute package that would clear up the mess quickly. The package he sent to Equifax in late February 2001 included:

• Coeur d'Alene and Portland police reports confirming that Kirkpatrick was not responsible for the fraud


• Letters from two defrauded creditors confirming that he was not at fault


• A copy of his Social Security card w/ signature


• A copy of his driver's license with his photo and current home address in Portland


• A cover letter explaining that he was a victim of identity theft.

But there was no response. Bank of America told him that his loan had been rejected again, as there had been no changes in his Equifax report. Kirkpatrick called Equifax, but the operator ("Lori") said they didn't have his dispute package. The operator grew impatient with him, essentially telling him to either do an oral dispute with her, or hang up.

Kirkpatrick wondered how Equifax could investigate properly without his supporting documentation, but finally relented, disputing 19 fraudulent accounts on his report. He also re-sent the entire dispute package on March 22, 2001.

The same day, Kirkpatrick received a letter from Equifax (dated March 13), advising him that his dispute package "had been shredded," without explaining why.

Kirkpatrick really started to worry. The deadline for returning the borrowed money to his retirement account was fast approaching, and there was no resolution in sight. He called again, this time talking with "Lynn Hamilton."⁸² On March 24, he sent a third dispute package. He called again on April 6, but "Sue" told him the package was nowhere to be found. On April 11, "Julie" and "Patty" reiterated that they could not find the package. Four days later, the bank assessed a penalty against the Kirkpatricks for not repaying the retirement account by the deadline.

Kirkpatrick kept trying. He talked to "Sue" again on April 20. Again, no package. But he followed her advice, sending a fourth package with the U.S. Postal Service's "return receipt requested." On April 30, the Postal Service delivered the signed card proving that Equifax had received his fourth package.

But incredibly when he called on May 7, "Marlene" amazingly insisted there was no dispute package. A week later, he spoke with "Dale," and supervisor "Aaron." Aaron essentially told him that if he wanted his credit report corrected, he needed to do it himself by contacting all of the defrauded creditors. This wasn't the first Equifax operator to be rude to him; it wouldn't be the last.

Coincidentally, he received Equifax's response to his March 20 phone dispute. Equifax and the defrauded creditors had "verified" that he was responsible for many of the fraudulent accounts. Accordingly, they would remain on his credit report. Kirkpatrick felt defeated.

⁸² It was possible that some of the names given to Kirkpatrick were aliases.

Meanwhile, the new addition to Kirkpatrick's house remained unfinished, since he could not get the necessary financing. The unfinished work posed potential safety problems for his young children, as well as fire hazards.

The white construction paper known as Tyvek, which typically envelopes unfinished homes, was exposed for so long that it began to come loose. When the late autumn winds blew at night, the Tyvek paper would flap eerily against the walls. When the new baby came, the Kirkpatricks were forced to crowd into a space even smaller than what they had before the remodeling began. The stress compounded as time went by.

Hoping to complete the construction, Kirkpatrick in early 2002 tried to find a lender that used a CRA other than Equifax, as Trans Union and Experian had managed to remove the fraudulent accounts by then. He tried again with Bank of America, but 11 fraudulent accounts - all related to Coeur d'Alene - remained. In addition, information on other unknown consumers was creeping into his credit report.

It was then that Kirkpatrick re-read the "Statement of Consumer Rights Under the FCRA" attached to each of his credit reports. There it was, in black and white: It was Equifax's responsibility to investigate and correct disputed information, not his. He contacted his uncle, an attorney in Washington State, who said he'd try to find a lawyer who knew something about the FCRA.

Kirkpatrick tried applying for credit, but banks and credit unions kept rejecting him, usually citing the Equifax report. Visibly changed and increasingly morose, Kirkpatrick reluctantly accepted a small personal loan from an insistent family friend.

He tried disputing again in April of 2002, but six weeks later, Equifax advised him that it had again "verified" fraudulent accounts - meaning that they would remain on his credit report. Moreover, new fraudulent accounts from collection agencies, phone companies and department stores had appeared on his account.

After yet another round of disputes failed to clear up his credit report, Kirkpatrick in June 2002 filed suit under the Fair Credit Reporting Act in federal court in Portland. Nonetheless, Equifax still did not correct the errors.⁸³

In January 2005, Kirkpatrick finally got his day in court. He described years of frustration, as Equifax simply would not respond in any meaningful way to his numerous disputes. Due to time zone differences and his work schedule, Kirkpatrick usually tried to phone Equifax dispute operators at 6 a.m. Because of the difficulty in getting through, this became a stress-inducing, pre-dawn ritual.

"I would have shortness of breath, like it was hard to breathe. That was just the dread that I had of having to call."

'Embarrassed' & 'Sorry'

At trial, Equifax admitted it had failed Kirkpatrick. Alicia Fluellen, head of Equifax's dispute-handling department,⁸⁴ said she couldn't explain the breakdowns.

"It appears to me to be the Murphy's law of all dispute handling. I have truly never seen that. Every last opportunity that we had to get it right, we just - it was missed or wasn't taken."

In her pre-trial deposition, Fluellen denied that Equifax had violated even one provision of the FCRA⁸⁵. But at trial, five years after his ordeal began, Kirkpatrick finally got an apology when the soft-spoken Fluellen, facing him from the witness stand, said, "I am completely and utterly embarrassed by the errors, very disappointed that we made so many errors on one particular consumer's credit file. This is my very first time coming into contact with Mr. Kirkpatrick. I really do believe he deserves an apology and I really would like to say that I am very, very sorry in the way we handled your disputes. I truly am."

⁸³ Kirkpatrick was represented by Michael Baxter and Robert Sola of Portland. Equifax's lead counsel was Mara McRae, of Atlanta's Kilpatrick & Stockton. The author was an expert for plaintiff.
⁸⁴ Fluellen's title was director of consumer customer care.
⁸⁵ That portion of the deposition was read at trial.

Equifax had reason to show remorse. Under the FCRA, the jury could assess monetary damages to compensate Kirkpatrick for the harm he suffered. Moreover, the jury could hit Equifax with punitive damages to deter it from doing to others what it did to Kirkpatrick. Given the long list of seemingly inexcusable mistakes, Equifax's position was akin to that of actor John Cleese in the movie "A Fish Called Wanda," when he was being dangled upside down from a window by actor Kevin Kline, with Kline demanding an apology.⁸⁶

While Fluellen apologized for the mistakes, she did not apologize for Equifax's system. She insisted that Equifax had good procedures in place, but that its employees failed to follow them.

One of these was the "verified victim policy" — meaning, Fluellen explained, that "if one credit grantor verified that the consumer was a victim of fraud, then regardless of what all the other credit grantors say, (Equifax) will remove all disputed accounts from the credit file."

Another "recurring human error" was the operators' failure to remove addresses that Kirkpatrick had disputed as fraudulent. Fluellen could not explain why the "maintenance reviewers," who oversee the operators, never caught any of these failures.

To avoid a repeat of the Kirkpatrick debacle, Fluellen testified that Equifax increased its "refresher training" for all agents. It also implemented some new "prompts," so that "if a consumer disputes an account as fraud, the system will ask the agent a series of (reminder) questions … so we're not depending on the agent to remember a great deal of information (about policies and procedures)," she said.

⁸⁶ Cleese's classic apology: "All right, all right, I apologize. I'm really, really sorry. I apologize unreservedly. I offer a complete and utter retraction. The imputation was totally without basis in fact and was in no way fair comment and was motivated purely by malice, and I deeply regret any distress that my comments may have caused you or your family, and I hereby undertake not to repeat any such slander at any time in the future.

In 2001, Fluellen said, Equifax received anywhere from 10,000-30,000 letters a day - mainly consumer disputes and consumer requests for their own credit reports, but also some credit grantor responses. Most consumer disputes, including those with attachments, were outsourced to lower-paid operators in Jamaica. The exceptions were consumer disputes accompanied by police reports or fraud affidavits; those stayed with Equifax employees in Atlanta, she said.

'Standoff'

Fluellen, along with the rest of Equifax's defense, apparently convinced the jury that Kirkpatrick's experience was relatively rare, and that Equifax did not need to be punished. The jury awarded Kirkpatrick $210,000 in actual damages to compensate him for the years of misery. But it declined to award punitive damages.⁸⁷

This meant that Equifax likely would not make any substantive changes in its system for investigating consumer disputes. This system involves an automated exchange of messages between it and the credit grantor, and is designed to reduce costs by minimizing the amount of time employees spend on consumer disputes.

Fluellen testified that it wasn't a problem for its experienced operators to process 100 dispute messages, known as Consumer Dispute Verifications (CDVs), in one hour. "It's not very difficult," she said. "You're looking at the response from the credit grantor and you're matching up ID (i.e., name, address and SSN), and the more you do it, the faster you become. You're certainly not expected to process 100 CDVs an hour day one. You grow to that."

⁸⁷ If Kirkpatrick's attorneys are awarded fees, which is allowed by the FCRA, then Equifax might have to pay another couple hundred thousand dollars.

The problem is that with a complex dispute, like identity theft or a "mixed file," the comparison of identifiers is unlikely to determine the accuracy of the disputed information or the validity of the consumer's dispute. After all, in these kinds of cases, it is the mixing of identifying data that causes the inaccuracy in the consumer's credit report.

(We provide a more detailed examination of credit bureau and credit grantor "reinvestigations" in Chapter 9.)

When all the attorney's fees are tallied, Equifax's bill for the Kirkpatrick case could well reach $1 million. But one wonders what kind of impact that will make on a billion-dollar company like Equifax. Will it view the Kirkpatrick case as just a cost of doing business?

For consumers, the implications could be more severe. The probability that Equifax will continue depending on its automated "CDV-exchange" as its principal means of handling disputes portends more Kirkpatrick-like experiences for unlucky victims of identity theft, mixed files, or other kinds of inaccuracy.

Theft of Choice

One of the most profound cases of identity theft surfaced in February 2005. ChoicePoint, a Georgia-based database company and spin-off of Equifax, became a tool of a fraud ring that was able to filch SSNs, identifiers, and sensitive credit data of at least 145,000 people across the nation. As of March 2005, about 750 individuals had been confirmed as identity theft victims.

When MSNBC's Bob Sullivan broke the story, ChoicePoint initially said it would only send notices to the estimated 35,000 Californians whose data had been compromised. (California was the only state with a law requiring such notice.) But swift public criticism, including a demand letter from dozens of state attorneys general, persuaded the company to send letters to all 145,000. Responding to a request by Sen. Patrick Leahy (D-VT), Sen. Arlen Specter (R-PA), chairman of the Senate Judiciary Committee, announced his panel would hold hearings.

The perpetrators appeared to be a sophisticated Nigerian fraud ring. They certainly knew how to select a target. ChoicePoint was reported to have some 19 billion records on virtually every American adult. It collected information from a wide range of taxpayer-subsidized sources, beginning with local property records showing home ownership and home value, and driver records.

ChoicePoint's Web site offered a long list: boating, pilot and professional licenses, telephone directories, including "reverse directories," credit header data, bankruptcies, liens and judgments, and "physician reports."⁸⁸ (For information on ChoicePoint's auto and home ownership databases, see Chapters 13 & 14.)

According to news reports, the fraud ring created up to 50 fake businesses, including debt collection and check cashing firms, which signed up as ChoicePoint "customers." That enabled the fraud ring to enjoy ongoing access to ChoicePoint's rich trove of personal data.

It wasn't clear precisely how they operated, but it appeared that the ring used ChoicePoint as a portal for obtaining victims' credit report data. This might have enabled the fraudsters to identify those with higher credit scores, and thus, the most productive identities to steal.

A break in the case came in October 2004 when Los Angeles County sheriff's detectives arrested Nigerian Olatunji Oluwatosin. The detectives had set up a sting by requiring Oluwatosin to re-sign a faxed application for a ChoicePoint account sent from a local Kinko's. Oluwatosin was sentenced to 15 months in prison, but would not tell authorities about the wider operations, the media reported.

⁸⁸ Perault Pale, "ChoicePoint Woes Help Competitors," Feb. 26, 2005; www.choicepoint.com/business/public/prds_1.html

Equifax said about 8,000 credit reports it sold to ChoicePoint may have been accessed illegally, according to the Atlanta Journal-Constitution. But Equifax said it had no plans to alter its security system.

"It was not a breach on the Equifax system; therefore we don't feel it is necessary to make any changes," Karen Gaston, Equifax's chief administrative officer, told the Atlanta newspaper. What those reports contained remains unclear, Gaston said. The reports would not have included credit card numbers or salary information on individuals, but they could have disclosed what credit cards and loans individuals have and provided other information.⁸⁹

Equifax said it was waiting for ChoicePoint to provide it with names of individuals who may have been affected, she said. But while Gaston said Equifax didn't learn of the security breach until the story hit the media, ChoicePoint's James Lee, disagreed, telling the Atlanta newspaper that the credit bureaus, including Equifax, were "kept fully apprised throughout the whole process."

The Atlanta Journal-Constitution reported that ChoicePoint CEO Derek Smith and President Douglas Curling sold 472,000 shares of company stock worth nearly $21 million 13 days after Oluwatosin's arrest — and more than three months before the problem surfaced publicly.

ChoicePoint's board approved the stock trading plan on Oct. 26, 2004, the day before Los Angeles police, who had been tipped off by ChoicePoint, arrested Oluwatosin.

A company spokesman told the newspaper that the stock sale was part of a routine estate planning and asset diversification, and denied there was any insider trading or other wrongdoing. The week that ChoicePoint's security problems became public in late February 2005, the company's share price fell about 10 percent.

⁸⁹ Robert Luke and Matt Kempner, "ChoicePoint Execs Defend Selling Stock," Feb. 25, 2005. www.ajc.com/business/content/business/0205/26credit.html

The company said it sells data to 40 percent of the nation's top 1,000 companies and has contracts with 35 government agencies, including several law enforcement agencies. In 2004, the company earned $148 million on revenue of $919 million.

One irony of the episode was that ChoicePoint billed self as an expert in authenticating individuals for businesses and government agencies so as to help avoid fraud.⁹⁰

Over There, Over Here

A disturbing trend in identity theft was the increased number of service men and women who had become victims. Those stationed in Iraq, Afghanistan and elsewhere overseas were particularly vulnerable, as they often did not discover they were victims until they returned from a tour of duty.

Theft of service members' identities came in many forms. Enlisted men on a U.S. Navy vessel in the Indian Ocean had their identities stolen by shipmates, who transferred their data to a ring back in the States that committed the fraud. Another ring apparently planted a member inside a credit union at a military base in the United States. This was very strategic positioning, as the ring would know who was stationed overseas and therefore unlikely to discover the identity theft until long after fraudulent credit purchases were made.

After struggling to overcome the theft of his own identity, Naval Commander Franklin D. Mellott became the Military Victim Assistance Coordinator for the San Diego-based Identity Theft Resource Center. Testifying before a House Subcommittee in June 2003, Mellott described his experience.

"I found myself fighting for my financial future and my Naval career. There was jurisdictional finger-pointing just trying to get someone to take a police report. There were countless telephone calls and letters to credit reporting agencies. I spent more than 100 hours working with the IRS and two companies in California trying to resolve income wrongly reported against my taxpayer ID number. Generally speaking, I wasted my valuable time off from the rigors of combat duty fighting with a system that makes it all too easy for a criminal to get credit in someone else's name. The mess was entirely mine to clean up. Unfortunately, it got worse."

⁹⁰ For more on ChoicePoint, read two excellent books: Robert O'Harrow Jr.'s No Place To Hide (Free Press 2004); and Daniel Solove's The Digital Person (NYU Press)

"In February 2002, after I placed fraud alerts on my accounts with all three reporting agencies, my half-brother was able to use my SSN yet again - this time establishing cellular service with AT&T Wireless. To add insult to injury, after I filed my initial fraud notifications, Experian merged my credit history with that of the criminal! They listed his wife's name as my wife, put most of his previous addresses in my file, listed his name as an alias of mine, listed his SSN as an alternate SSN of mine, and listed numerous collection actions from his past on my otherwise spotless file. When I asked how it happened, I was told, 'the computer did it.' I wish I could say this was a singular event, but it was not. I also found the reporting agencies unresponsive. Just a few months ago, after my case was featured in SmartMoney Magazine, I sent all three credit reporting agencies a certified return-receipt letter asking them to incorporate specific wording in my fraud alert. I asked that if they could not (or would not), to inform me why. Not a single one of them incorporated the language. None of them even bothered to reply."

As bad as his experience was, Mellott predicted worse for other service members.

"I am even more concerned for those 19-year-old soldiers, sailors, and their families that are so easily victimized by this crime. Imagine their spouses, new to the ways of the military, trying to balance the day-to-day challenges of a young family with the crippling effects of identity theft and mistakes by the credit industry. Furthermore, I am concerned because I can see how it could be nearly impossible to fight these problems from overseas."

⁹¹ Statement of Commander Franklin D. Mellott, Financial Institutions and Consumer Credit Subcommittee, U.S. House Committee on Financial Services, "Fighting Identity Theft — The Role of the Fair Credit Reporting Act," June 24, 2003.

Continue to Next Chapter  

© 2005 Evan Hendricks and Privacy Times, Inc. All rights reserved.