The Colorado Attorney General maintains a comprehensive website dealing with identity theft. It can be accessed here. Learn about how identity thieves obtain and use your personal and financial information, review tips on preventing identity theft, and consult a step-by-step guide should you become a victim of identity theft. The site also provides links to relevant laws and to other resources dealing with identity theft.
“Pharming” is the illegal practice of redirecting an individual's web request to another location. For example, if an individual with an infected computer conducts online business with a specific bank, that person will type the bank link into the address bar, but will be redirected to a designated phishing site that looks very similar to the authentic site but is, in fact, fraudulent. The goal of these identity thieves is to obtain your personal or financial information. See “Identity Theft” in this Resource Guide.
“Phishing” is the illegal practice whereby identity thieves simulate a legitimate organization and use e-mails to persuade people to share their personal and private financial data. This scam is accomplished by sending out email messages with return addresses, links, and branding which appear to come from well-known banks, insurance agencies, retailers or credit card companies. Consumers are directed to phony websites where they are asked to disclose personal and financial information, such as social security numbers, passwords, and account numbers.
Never respond to an unsolicited email message or pop-up advertisement that warns you of problems with an account and then seeks your personal or financial information. Your real bank, Internet service provider or other legitimate business will never ask you for this information.
See “Identity Theft” in this Resource Guide.
Protecting the safety and security of your personal and financial information is an important consideration, especially with electronic mail and Internet commerce. See “Identity Theft,” “Phishing,” and “Pharming” in this Resource Guide. There are a number of laws addressing how businesses treat your personal and financial information, some of which are described briefly below. However, there are a couple of important rules to follow when shopping on the Internet:
- Before providing any personal (e.g., social security number, date of birth, etc.) or financial information (bank account or credit card number, password, etc.), make sure you are visiting a secure site. The website URL may begin with “https” and you should see a small golden padlock in the lower right corner of the site.
Fair Credit Reporting Act
This federal law was designed to protect consumers from the disclosure of inaccurate information held by “consumer reporting agencies” (such as credit bureaus). The Act limits the purposes for which information collected by these agencies can be disclosed to third parties. Generally, information can be disclosed for: (1) credit, employment or insurance evaluation; (2) in connection with the grant of a license or other government benefit; and (3) for any “legitimate business need.” Recent amendments to this Act have made it easier for consumers to correct inaccurate information in their credit report and to place a “fraud alert” on their account in the event they have been a victim of identity theft.
This Act regulates the privacy of nonpublic, personally identifiable, financial information collected by financial institutions. Specifically, it restricts the disclosure of such information to non-affiliated third parties. Financial institutions (banks, insurance companies, and a host of other businesses) are required to provide consumers with written and electronic notice of the type of information collected, the persons to whom the information will be disclosed, and the consumers’ right to opt out of having their information disclosed. The Act also requires financial institutions to establish safeguards to protect the safety of such information.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA governs the confidentiality of health information in electronic form. Rules adopted under HIPAA require doctors and hospitals to give patients notice of their privacy rights and explain how they intend to use their health information. In general, HIPAA rules require the written consent of the patient before any health information can be disclosed, except where information is shared with another doctor’s office for treatment purposes. HIPAA rules include some specific patient rights, including:
- Right to notice of how a Covered Entity will use and disclose protected health information.
- Right to request restrictions on the uses and disclosures of their protected health information for treatment, payment and health care operations (for which only a general consent is required).
- Right to request restrictions on the uses and disclosures for which neither a consent nor authorization is required.
- Right to access, inspect and copy their health information.
- Right to request an amendment to their health information.
- Right to receive an accounting of all disclosures made for purposes other than treatment, payment and health care operations.
Children’s Online Privacy Protection Act
This Act requires commercial Internet sites directed at children 12 and under to provide parents with notice of their information practices and to obtain parental consent prior to the collection of personal information from children. Parents have the right to review and correct information collected about their children on these websites.
Your social security number (“SSN”) is the most frequently used personal identifier and record keeping number in America. Because of that, it is also highly sought after by identity thieves looking to steal from your existing bank and credit card accounts or to establish new credit in your name. Consumers are constantly being asked to provide their SSN when cashing checks, opening new accounts, and for other purposes. Here is some basic information on who can require your SSN.
Who can require my SSN?
Many people assume that they are required to give their SSN whenever and by whomever they are asked. That is not true. Here is who may require your SSN:
- Government tax and welfare agencies, including the IRS, other federal agencies (for health benefits and other entitlements), state/local tax or revenue agencies;
- State professional/occupational/recreational licensing agencies;
- Other governmental agencies -- under federal law, they must tell you why your SSN is needed, whether giving your SSN is mandatory or voluntary, and how your SSN is to be used;
- Employer – Your employer can require it for wage/tax purposes, but NOT from a job applicant;
- Banks and securities brokerages -- under the USA Patriot Act, 31 U.S.C. § 5318, financial institutions are required to establish minimum standards for properly identifying their customers opening new accounts (including checking, savings, loans, safe deposit boxes, and/or investments). Under federal regulations adopted in May 2003, banks, savings associations, credit unions, securities broker-dealers, futures commission merchants, and mutual funds were required to have Customer Identification Programs (“CIPs”) in place by October 1, 2003. Information required to identify customers under a CIP includes name, date of birth, address, and a social security or federal tax identification number; and
- State motor vehicle departments – they may collect your SSN but Colorado law prohibits the recording of your SSN on your driver's license or state identification card.
Requests by businesses
Federal law does not prohibit a merchant or other business from requesting your SSN. However, there is no state or federal law that requires you to provide your SSN to any entity not authorized by law to require it. Businesses, private agencies, etc. are free to request your SSN and use it for any purpose that does not violate state or federal law.
For example, retail stores, prospective landlords, prospective employers, utility companies, and other service providers often ask for your SSN, but they do not need to and you are not required to give it. They can do a credit check or ID their customers by alternative means. Remember that you are under no obligation to provide your SSN to any merchant or other business. However, the merchant or business is free to decline your business if you refuse to disclose your SSN. Consider asking these questions:
- Am I required by some law to provide my SSN?
- Why do they need my SSN?
- How will they use my SSN?
- Will they share my SSN with other businesses or agencies?
- What happens if I refuse to give them my SSN?
- Are there alternative means of identification they will accept?
Important Colorado laws relating to your SSN
In an effort to address identity theft, and to protect against the open dissemination of your SSN, the Colorado General Assembly has adopted several laws in the past few years, including:
- Merchants are prohibited from recording your SSN or credit card number when either or both are requested to verify a check. The merchant may look at your SSN or credit card number, but he may not record those numbers on the check or anywhere else. See C.R.S. § 4-3-506.
- The Colorado Secretary of State is required to remove SSNs from all publicly accessible records of all financing statements in the custody of the Secretary that were filed between April 6, 1989 and July 1, 2001. See C.R.S. § 4-9-531.
- Beginning January 1, 2006, you may request your insurance company to reissue an insurance identification card or proof of insurance card that does not display your SSN. Upon issuance or renewal of an insurance policy, insurance companies doing business in Colorado may not issue any insurance identification card.
- As of July 1, 2004, postsecondary institutions in Colorado shall not use a student's social security number or part of a student's social security number as the student's primary identifier. See C.R.S. § 23-5-127.
- No public entity shall issue a license, permit, pass, or certificate that contains the applicant’s social security number, unless the issuing authority determines inclusion of the social security number is necessary to further the purpose of the license, pass, or certificate or inclusion is required by federal or state law. See C.R.S. § 24-72.3-102.
- No public entity shall request a person's social security number over the phone, internet, or via mail unless the public entity determines receiving the social security number is required by federal law or is essential to the provision of services by the public entity. See C.R.S. § 24-72.3-102.
- As of May 28, 2002, legislation passed by the Colorado General Assembly and signed into law requires the Colorado Secretary of State's office to redact from its database all social security numbers on financing statements that were filed between April 6, 1989 and July 1, 2001. See HB 02-1014.