Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Dataloss] Using stolen SSN isn't criminal impersonation, court says

From: Jake Kouns (jkounsopensecurityfoundation.org)
Date: Sun Nov 21 2010 - 00:08:39 CST


This head-scratcher happened a couple of weeks ago but hasn't gotten
anywhere near the attention it deserves.

The Colorado Supreme Court by a vote of 4-3 has overturned the
conviction of a man who used a woman's Social Security number to apply
for a car loan. The action did not constitute criminal impersonation,
says the court's majority, because the man provided his real name,
address and place of employment, in addition to the purloined Social
Security number.

>From a story in the Greeley (Colo.) Gazette:

In the decision the court ruled, "The defendant (Felix
Montes-Rodriguez ) did not assume a false or fictitious identity or
capacity," and that he "did not hold himself out to be another person
when he used another person's social security number to obtain an
automobile loan."

During the trial, representatives from Hajek Chevrolet testified a
social security number was required as part of their application
process in order to conduct a credit check.

The court ruled that was irrelevant as it was a lender requirement,
not a legal requirement. They stated that even though Montes-Rodriguez
may have "lacked the practical capacity to obtain a loan ...because
they could not check his credit without a social security number" he
did not lack the legal capacity to receive a loan. The court went on
to state there is "no evidence a social security number is a legal
requirement to obtain a loan."

Justice Nathan Coats, writing in the dissent, said, "The defendant's
deliberate misrepresentation of the single most unique and important
piece of identifying data for credit-transaction purposes" was
"precisely the kind of conduct meant to be proscribed as criminal."
Coats went on to say that an individual's credit history is often only
available through their social security number and when a person is
using someone else's social security number that person is assuming
the other's credit history.

That would seem to be as clear as the digits on my Social Security card.

As might be expected, the majority's ruling is not getting a lot of
support among experts in the fields of law, privacy and common sense.
Writes Adam Levin, co-founder of Credit.com and Identity Theft 911:

So while the defendant walks away a free man, after knowingly using a
Social Security number that was not his own to obtain credit, Colorado
consumers, ironically enough, wind up feeling less free.

While I understand the narrowness of the majority's viewpoint, you
can't make the case that a man using a Social Security number that
belonged to someone else wasn't engaging in what Colorado law cites as
"criminal impersonation". More so, I categorically reject the notion
that Social Security numbers should take a back seat to any piece of
personal financial information when seeking to establish credit, as
the court suggests. On the contrary, the Social Security number is the
most critical piece of data when obtaining a loan, far more important
than a name or address.

Another expert noted that when it comes to identity theft, a Social
Security number can be the "key to the kingdom:"

The Colorado ruling highlights an underlying misunderstanding about
identity theft, criminal impersonation and the ease with which
criminals can access and exploit Social Security numbers, (attorney
and information privacy expert Mari) Frank says, who adds that several
of her clients have had their Social Security numbers stolen,
including a 7-year-old victim.

"He is 21 now, and last year he tried to get a car loan from his
credit union; but they did not want to give it to him," she says. "His
credit union purchased a Social Security search from Experian and
found that three other people were using his credit and his Social
Security number." Frank later learned from credit bureau Experian
Information Solutions Inc. that her client's Social Security number
had been used by those three individuals to build individual credit
profiles. In each case, the Social Security number was affiliated with
a separate individual's name.

The good news is that Colorado's laws against the misuse of Social
Security numbers have been stiffened since this case was initiated,
according to this report.

(Hat tip to DataLossDB.org.)
Dataloss Mailing List (datalossdatalossdb.org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works