Identity theft

57.176 In this Inquiry, the ALRC examined whether credit reporting regulation should provide expressly for the problem of identity theft—the theft or assumption by a person of the pre-existing identity of another person.[183] For example, credit reports might be permitted to contain information that the individual concerned has been the subject of identity theft.[184]

57.177 In the US, under the Fair Credit Reporting Act 1970 (US), an individual may, in defined circumstances, require that a credit reporting agency insert a ‘fraud alert’ on a credit information file. A fraud alert is a statement that notifies prospective users of a credit report that the individual concerned ‘may be a victim of fraud, including identity theft’.[185] Credit reports in the United Kingdom are also permitted to indicate that the individual has been the subject of identity theft.[186] Some stakeholders supported the suggestion that similar provisions be implemented in Australia.[187]

57.178 In some jurisdictions,[188] legislation allows for a court certificate to be issued to a victim of identity crime[189]—on the court’s own initiative or on application by either the victim or the prosecutor. Such certificates do not compel others to take action—for example, to correct an individual’s credit reporting information—but provide ‘a means to present the outcome of a court’s decision in a way that may be used by the victim’.[190] One such use might be to substantiate an individual’s claim to have been the subject of identity theft. The Australian Government has proposed that all jurisdictions be empowered to ‘issue certificates to victims of identity crime to help them establish their credit histories’.[191]

57.179 In DP 72, the ALRC proposed that the new Privacy (Credit Reporting Information) Regulations should provide for the recording, on the initiative of the relevant individual, of information that the individual has been the subject of identity theft.[192]

Submissions and consultations

57.180 This proposal received support, at least in principle, from industry and consumer stakeholders.[193] Questions were raised, however, about what evidence of identity theft should be required in order for a notation to be made.[194] It was also suggested that credit providers should be under some obligation to list identity theft information and to notify the individual about it.[195]

57.181 Stakeholders confirmed that making notations may have limited practical effect where credit reporting information is processed electronically.[196] Veda Advantage noted:

Almost no credit provider ever sees a physical credit report. Rather, credit reporting information is provided as a data stream to a credit provider, which normally processes it in an automated system.[197]

57.182 For this reason, Veda Advantage stated that providing for the recording of information about identity theft would be ineffective. A number of stakeholders, including Veda, considered that permitting an individual to put a ‘freeze’ on credit reporting information would be a better way to address concerns about identity theft.[198] Such a mechanism would allow an individual to make his or her credit reporting information inaccessible to any credit provider, making it more difficult for anyone to open a credit account in the individual’s name.

57.183 In the US, 39 states and the District of Columbia have enacted laws requiring credit reporting agencies to enable individuals to protect their credit files with a security freeze. In addition, the major credit reporting agencies offer such a mechanism voluntarily in the states that have not yet adopted security freeze laws.[199] The US Federal Trade Commission is considering whether a federal security freeze law would be appropriate.[200]

57.184 ARCA stated that in Australia the security freeze mechanism should ‘allow a consumer who fears they have been subject of identity theft to freeze and unfreeze their credit file at their request, preventing fraudsters obtaining access to credit’, and suggested that the issue should be dealt with in the credit reporting code.[201]

57.185 National Legal Aid supported the introduction of a security freeze mechanism, provided that ‘credit providers who do not access the credit report before assessing an application for credit should not be able to list a default, if the account has been frozen and they are unable to prove that the debt was incurred by the named debtor’.[202] Similarly, Legal Aid Queensland stated that a freeze would be a ‘good solution’ but that it

does not deal with credit providers who do not check credit reports prior to extending credit, but only use reports to report default information. If the ALRC accepted the industry’s recommendation that consumers could freeze the account to prevent fraud then we propose that any creditor who extends credit during the freeze, should not be able to default list.[203]

57.186 Dun and Bradstreet considered that reform should not be limited to implementing a freeze mechanism because this would create a ‘burden for consumers to unfreeze’.[204] The Cyberspace Law and Policy Centre stated:

We would need to see more detail of this proposal before forming a view as to whether it is an adequate substitute for a flag that can (and in our view) should be taken into account while the file continues to be in use. The extent to which it is appropriate for the file to remain in use will depend on the type of crime and stage of response to it.[205]

ALRC’s view

57.187 There is concern that identity theft is becoming more prevalent due to developments in information and communications technology.[206] The idea that individuals should have the right to prohibit the disclosure by a credit reporting agency of credit reporting information about them without their express authorisation (that is, to ‘freeze’ disclosure) received significant support from both consumer and industry stakeholders. The ALRC recommends that the new Privacy (Credit Reporting Information) Regulations should provide for such a right.

57.188 Providing for notations in credit reporting information that the individual has been the subject of identity theft[207] may not achieve the desired result for the individuals concerned. The first problem is that such notations may have no effect where credit reporting information is processed electronically. Secondly, even where seen by a credit provider, it is unclear what the practical effect of such a notation would be. While it may be expected that the credit application would be declined—at least until further inquiries are undertaken by the credit provider—this may not necessarily be the case. In contrast, the right to freeze the disclosure of credit reporting information recommended by the ALRC should prevent credit being advanced.

57.189 The ALRC agrees that, in addition, a credit provider that advances credit during the period an individual has frozen his or her credit reporting information should not be able to list information—and, in particular, default information—concerning that credit, except with the consent of the individual.

Recommendation 57-5 The new Privacy (Credit Reporting Information) Regulations should provide individuals with a right to prohibit for a specified period the disclosure by a credit reporting agency of credit reporting information about them without their express authorisation.

[183] See Australasian Centre for Policing Research and Australian Transaction Reports and Analysis Centre Proof of Identity Steering Committee, Standardisation of Definitions of Identity Crime Terms: A Step Towards Consistency (2006), 15.

[184] Australian Law Reform Commission, Review of Privacy—Credit Reporting Provisions, IP 32 (2006), Question 5–23.

[185]Fair Credit Reporting Act 1970 15 USC § 1681 (US) § 1681c–1.

[186] Experian Asia Pacific, Submission PR 228, 9 March 2007.

[187] Australian Finance Conference, Submission PR 294, 18 May 2007; Queensland Law Society, Submission PR 286, 20 April 2007; Office of the Privacy Commissioner, Submission PR 281, 13 April 2007; N Waters—Cyberspace Law and Policy Centre UNSW, Submission PR 277, 3 April 2007; Australian Privacy Foundation, Submission PR 275, 2 April 2007; Consumer Action Law Centre, Submission PR 274, 2 April 2007; Institute of Mercantile Agents, Submission PR 270, 28 March 2007; Banking and Financial Services Ombudsman Ltd, Submission PR 263, 21 March 2007; Min-it Software, Submission PR 236, 13 March 2007; Experian Asia Pacific, Submission PR 228, 9 March 2007; Australian Institute of Credit Management, Submission PR 224, 9 March 2007.

[188]Criminal Law (Sentencing) Act 1988 (SA) s 54; Criminal Code (Qld) s 408D.

[189] Australian Finance Conference, Submission PR 294, 18 May 2007.

[190] Model Criminal Law Officers’ Committee of the Standing Committee of Attorneys-General, Discussion Paper—Identity Crime (2007), 28.

[191]T Allard, ‘New Laws to Fight Identity Theft’, Sydney Morning Herald (Sydney), 27 March 2008, 3.

[192] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 52–1.

[193] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Australian Collectors Association, Submission PR 505, 20 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Australian Credit Forum, Submission PR 492, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Insurance Council of Australia, Submission PR 485, 18 December 2007; HBOS Australia, Submission PR 475, 14 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007; Financial Counsellors Association of Queensland, Submission PR 371, 30 November 2007; Mortgage and Finance Association of Australia, Submission PR 344, 19 November 2007.

[194]Australian Credit Forum, Submission PR 492, 19 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007.

[195]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Financial Counsellors Association of Queensland, Submission PR 371, 30 November 2007.

[196]Veda Advantage, Submission PR 498, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007.

[197]Veda Advantage, Submission PR 498, 20 December 2007.

[198] GE Money Australia, Submission PR 537, 21 December 2007; Uniform Consumer Credit Code Management Committee, Submission PR 520, 21 December 2007; Consumer Action Law Centre, Submission PR 510, 21 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; National Australia Bank, Submission PR 408, 7 December 2007; Australian Finance Conference, Submission PR 398, 7 December 2007; Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[199]Consumers Union, Consumers Union’s Guide to Security Freeze Protection (2007) <www.
consumersunion.org/campaigns/learn_more/003484indiv.html> at 5 May 2008
.

[200] United States Federal Trade Commission, Prepared Statement Before the Maryland Task Force to Study Identity Theft (2007).

[201]Australasian Retail Credit Association, Submission PR 352, 29 November 2007.

[202]National Legal Aid, Submission PR 521, 21 December 2007.

[203]Legal Aid Queensland, Submission PR 489, 19 December 2007.

[204]Dun & Bradstreet (Australia) Pty Ltd, Submission PR 401, 7 December 2007.

[205]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[206] See Ch 12.

[207] As proposed in Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 52–1.