Rent to Own Companies and Identity Theft; Tips To Protect Sensitive Customer Information

Rent to Own companies collect personal information from their customers, including names, bank account numbers, income and credit histories, and Social Security numbers. The most common security breach in the rent to own industry is improper disposal of customer applications and other records containing sensitive information. While these incidents are rare and the most likely consequence of improper disposal is harm to the industry's reputation if discovered - the possibility of identity theft is real and systems should be put in place to insure proper disposal of sensitive customer information.

The Gramm-Leach-Bliley (GLB) Act requires companies defined under the law as "financial institutions" to ensure the security and confidentiality of this type of information. Many states have specific legislation dealing with identity theft protection - see list of states with links to legislation below.

A sensitive information disposal system must be verified on a regular basis to be considered effective. Consider monitoring compliance by randomly checking trash cans and dumpsters as part of your standard store audit. This is certainly not a glorious exercise, but considering the consequences, a necessary one.

As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. But safeguarding customer information isn't just the law. It also makes good business sense. When you show customers you care about the security of their personal information, you increase their confidence in your company. Download the entire Identity Theft Safeguard Rule from RTO Online here.

WHO MUST COMPLY?
The definition of "financial institution" includes many businesses that may not normally describe themselves that way. In fact, the Rule applies to all businesses, regardless of size, that are "significantly engaged" in providing financial products or services. This includes, for example, check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, and courier services. The Safeguards Rule also applies to companies like credit reporting agencies and ATM operators that receive information about the customers of other financial institutions. In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

HOW TO COMPLY
The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the company's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its plan, each company must:

The requirements are designed to be flexible. Companies should implement safeguards appropriate to their own circumstances. For example, some companies may choose to put their safeguards program in a single document, while others may put their plans in several different documents — say, one to cover an information technology division and another to describe the training program for employees. Similarly, a company may decide to designate a single employee to coordinate safeguards or may assign this responsibility to several employees who will work together. In addition, companies must consider and address any unique risks raised by their business operations — such as the risks raised when employees access customer data from their homes or other off-site locations, or when customer data is transmitted electronically outside the company network.

SECURING INFORMATION
The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security: Employee Management and Training; Information Systems; and Detecting and Managing System Failures. One of the early steps companies should take is to determine what information they are collecting and storing, and whether they have a business need to do so. You can reduce the risks to customer information if you know what you have and keep only what you need.

Depending on the nature of their business operations, firms should consider implementing the following practices:
Employee Management and Training. The success of your information security plan depends largely on the employees who implement it.

Links to states with identity theft legislation
State:	Bill Summary:
Arizona	H.B. 2116 Signed by governor 4/19/04, Chapter 109 States that a person commits criminal possession of a forgery device if the person makes or possesses any material, good, property or supply designed or adapted for use in forging written instruments or with the intent to aid or permit another person to use it for the purpose of forgery. Expands the definition of taking the identity of another person to include purchasing, manufacturing, recording or transmitting any personal identifying information to include entities and real or fictitious persons/entities. Requires a peace officer to take a report on the request of any person or entity whose identity has been taken. Allows prosecutors to file a complaint charging multiple identity theft violations in the county where the greatest number of violations are alleged to have occurred. States that it is unlawful for a person to intentionally or knowingly make or possess with the intent to commit fraud anything specifically designed or adapted for use as a scanning device or reencoder. Adds to the definition of personal identifying information any written document or electronic data that provides information concerning a signature, electronic mail address or account, tax identification number, employment information, citizenship status, alien identification number, personal identification number, photograph, DNA or genetic information or other financial account number. Clarifies that beginning on January 1, 2005, it is illegal for a person or entity to print a number that is known to be an individual's Social Security number. States that if a number is received from a third party, there is no duty to determine if the number is an individual's Social Security number. The number may be printed on materials mailed to the individual, unless the person or entity mailing the number knows that it is the individual's Social Security number. States that beginning on January 1, 2009, no person or entity may knowingly print any sequence of numbers contained in an individual's Social Security number on any card required for the person to receive service or products or materials that are mailed to the individual.
California	A.B. 1776 Chaptered by secretary of state 9/21/04, Chapter 629 Specifies that a foreign corporation's irrevocable consent to service of process includes service of search warrants in addition to those already specified for information concerning applications or accounts in the name of a victim of identity theft. States that the irrevocable consent to service of process for all these specified means of gathering records extends to records located both inside and outside of the state.
	A.B. 1950 Chaptered by secretary of state 9/29/04, Chapter 877 Requires a business, other than specified entities, that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure. Requires a business that discloses personal information to a non affiliated third party, to require by contract that those entities maintain reasonable security procedures, as specified. Provides that a business that is subject to other laws providing greater protection to personal information in regard to subjects regulated by the bill shall be deemed in compliance with the bill's requirements, as specified.
	A.B. 2611 Chaptered by secretary of state 9/29/04, Chapter 886 Under existing law, with respect to theft, embezzlement, forgery, fraud, or identity theft perpetrated against an elder or dependent adult by certain persons, the applicable fine or imprisonment is determined based on whether the money, labor, goods, services, or real or personal property taken or obtained exceeds a value of $400. Makes technical changes to these provisions. Raises the $400 threshold amount to $800, only if A.B. 2705 is enacted and becomes effective on or before January 1, 2005. Provides that in any case in which a person is convicted of violating these provisions the court may order, as a condition of probation, that the defendant be placed in an appropriate counseling program. Requires the defendant to pay the expense of his or her participation in the counseling program, as specified. Existing law includes provisions relating to the award of attorney's fees and costs, and damages to a plaintiff, when it is proven by clear and convincing evidence that a defendant is liable for physical abuse, neglect, or financial abuse, and the defendant has also been guilty of recklessness, oppression, fraud, or malice in the commission of the abuse. Revises these provisions to change the standard of proof for the commission of financial abuse to a preponderance of the evidence, but to permit additional recovery where there is clear and convincing evidence of recklessness, oppression, fraud, or malice.
Colorado	H.B. 1134 Signed by governor 6/4/04, Chapter 365 Creates the Motor Vehicle Investigations Unit in the Department of Revenue to investigate and prevent the fraudulent issuance and use of driver's licenses, identification cards, motor vehicle titles and registrations, and other motor vehicle documents, and to assist victims of identity theft. Authorizes a criminal who wrongfully uses another's identify to be charged in the jurisdiction where a government agency issued identity documents. Sets standards and procedures for a court to determine that a victim's identity has been mistakenly associated with a crime.
	H.B. 1274 Signed by governor 4/26/04, Chapter 205 Requires a creditor or charge card company that offers credit or a charge card by mail, and that receives an acceptance of an offer that lists an address for the applicant that is different from the address where the offer of credit or a charge card was sent, to verify that the person accepting the offer is the person to whom the creditor or charge card company made the offer of credit or a charge card. Allows for a private right of action against a person who uses the personal identifying information of another to commit fraud-type crimes.
	H.B. 1311 Signed by governor 6/4/04, Chapter 393 Prohibits the display of a person's Social Security number on a license, pass, or certificate, issued by a public entity, unless it is necessary to further the purpose of the pass or required by state or federal law. Proscribes a public entity from requesting a person's Social Security number over the phone, via the Internet, or by mail unless it is required by federal law or is essential to the public entity's service. Requires public and private entities to develop a policy for disposal of documents containing personal identifying information. Considers a public entity that is compliant with the state archives act to have met its policy development obligation. Exempts trash haulers from having to verify that documents have been destroyed or properly disposed. Allows an insured to require that an insurance company not display the insured's Social Security number on the insured's insurance identification card or proof of insurance card. Requires the insurer to reissue the card without the Social Security number, if the insured makes the request. Prohibits an insurance company, after January 1, 2006, from issuing an insurance identification card or proof of insurance card displaying the insured's Social Security number. Makes it a class 1 misdemeanor to possess another's personal identifying information with the intent to use the information, or to aid or permit another to use the information, to unlawfully gain a benefit or to injure or defraud another.
Connecticut	H.B. 5184 Signed by governor 5/21/04, Public Act 04-119 Concerns the nondisclosure of private tenant information in a sale of public housing to a private entity, including the tenant's Social Security number and bank account number.
Delaware	H.B. 442 Signed by governor 8/23/04, Chapter 425 Strengthens existing Delaware law relating to the crime of identity theft. Authorizes enhanced penalties where the victim of the crime is 62 or older, where the aggregate harm caused by the offense exceeds $25,000., or where the offender has been previously convicted of the crime.
District of Columbia	B15-0730 Approved 3/18/04, Act 15-388 Amends, on an emergency basis, due to Congressional review, the District of Columbia Theft and White Collar Crimes Act of 1982 to establish the crime of identity theft, provides penalties for the crime, provides enhanced penalties for persons committing identity theft against persons 65 years of age or older, authorizes the court to provide restitution to the victim and to order the correction of public records containing false information as a result of the identify theft, and requires the Metropolitan Police Department to take reports of identity theft and provide the complainant with a copy of the report.
	PR15-0733 Approved 3/2/04, Resolution R15-477 Declares the existence of an emergency, due to Congressional review, with respect to the need to amend the District of Columbia Theft and White Collar Crimes Act of 1982 to establish the crime of identity theft, to provide penalties for the crime, to provide enhanced penalties for persons committing identity theft against persons 65 years of age or older, to authorize the court to provide restitution to the victim and to order the correction of public records containing false information as a result of the identity theft, and to require the Metropolitan Police Department to take reports of identity theft and provide the complainant with a copy of the report.
Georgia	H.B. 656 Signed by governor 5/5/04, Act 451 Relates to unfair or deceptive practices in consumer transactions, so as to require that credit card issuers take steps to verify a consumer's change of address when a person responds by mail to an unsolicited application for credit and provides an address that is different from the address to which such solicitation was mailed.
Hawaii	H.B. 2674 Signed by governor 5/28/04, Act 92 Exempts disclosure of Social Security numbers from government payroll records that are public information; restricts retail merchant card issuers from requesting personal information except for credit purposes and from sharing cardholder information.
Indiana	H.B. 1197 Signed by governor 3/18/04, Public Law 43 Expands the class of criminal cases in which an individual's statement or videotape may be admissible to include certain crimes committed against an individual who is at least 18 years of age and considered a protected person because of the individual's incapacity to manage or direct the management of the individual's property or to provide or direct the provision of the individual's self care. Provides that a statement or videotape made by the protected person is admissible in certain criminal trials if: (1) the statement or videotape is reliable; and (2) the individual either testifies at trial or is unavailable.
Maryland	H.B. 457 Vetoed by governor - cross-filed bill signed 5/26/04 S.B. 257 Signed by governor 4/27/04, Chapter 109 Authorizes a atate's attorney or the attorney general to investigate and prosecute offenses relating to personal identifying information fraud; authorizes the attorney general to exercise all the powers and duties of a state's attorney to investigate and prosecute specified violations; and establishes that a prosecution for a violation of specified offenses relating to personal identifying information fraud or other crimes based on a violation may be commenced in a county in which an element of the crime occurred or in which the victim resides.
	H.B. 926 Vetoed by governor - cross-filed bill signed 5/27/04 S.B. 513 Signed by governor 4/27/04, Chapter 130 Establishes determinations as to the value of property or services involving specified theft crimes; establishes penalties for theft of property or services with a value of less than $100; establishes that action or prosecution for specified crimes must be commenced within two years.
Michigan	H.B. 6168 Passed House 9/29/04 S.B. 792 Signed by governor 12/22/04, Public Act 452 Creates the "Identity Theft Protection Act" to do all of the following: 1) Prescribes a criminal penalty for committing identity theft or obtaining or attempting to obtain another person's personal identifying information in order to commit identity theft or another illegal act. 2) Prohibits denying credit to, or reducing the credit limit of, a person because he or she was a victim of identity theft. 3) Prohibits certain practices regarding offering or extending credit. 4) Allows a law enforcement agency, financial institution, or other person to request copies of a vital record in order to enforce the proposed Act or investigate or prevent identity theft. 5) Allow an identity theft victim to request that the secretary of state suppress information. 6) Creates an Identity Theft Advisory Board to study data from identity theft cases in Michigan. 7) Repeals a prohibition against obtaining another's personal identity information for certain purposes with the intent to use that information unlawfully.
	H.B. 6170 Passed House 9/29/04 S.B. 793 Signed by governor 12/22/04, Public Act 453 Amends the Code of Criminal Procedure to specify that a violation of the Identity Theft Protection Act, or a violation committed in furtherance of or that arose from that same transaction, could be prosecuted in one of the following jurisdictions: Where the offense occurred; where the information that had been used to commit the violation was used illegally; or where the victim resides. Provides that if a person is charged with more than one violation and the violations could be prosecuted in more than one jurisdiction, than any of the above jurisdictions would be considered a proper jurisdiction for all the violations.
	H.B. 6174 Signed by governor 12/22/04, Public Act 459 S.B. 798 Signed by governor 12/22/04, Public Act 455 Amends the Michigan Consumer Protection Act to prohibit as an unfair trade practice the denying of credit or public utility service to, or reducing the credit limit of, a consumer who was a victim of identity theft under the Identity Theft Protection Act (proposed by S.B. 792), if the person denying the credit or utility service or reducing the consumer's credit limit had prior knowledge that the consumer was a victim of identity theft. A person would be presumed to be a victim of identity theft if he or she possessed a valid victim certificate under the Code of Criminal Procedure (as S.B. 794 would provide for).
Mississippi	S.B. 2957 Signed by governor 5/6/04, Chapter 526 Provides a lesser penalty for identity theft in cases involving a lesser amount of money, provides for aggregation of amounts in determining the amount of an offense, authorizes the attorney general to provide assistance to victims of identity theft in clearing their records, and clarifies that perpetrators of identity theft shall pay restitution to their victims; clarifies jurisdiction of offenses occurring in multiple jurisdictions; allows certain funds to be used for the purpose of consumer fraud education; authorizes a victim of identity theft to expunge his record of false charges accrued on account of activities of the perpetrator; authorizes the attorney general to issue "identity theft passports" under certain circumstances; defines identity theft; grants subpoena power to the attorney general in conducting investigations of identity theft; requires aggregation of amounts stolen from the same victim in determining the gravity of the offense of larceny.
Missouri	H.B. 916 Signed by governor 5/10/04 Makes it a class A misdemeanor when the identity theft results in the theft or appropriation of credit, money, goods, services, or other property valued at less than $500. Makes attempted identity theft a class B misdemeanor. Makes identity theft a class D felony when the value of the stolen property is more than $500 but does not exceed $1,000. Makes identity theft a class C felony when the value of the stolen property is more than $1,000 but does not exceed $10,000. Makes identity theft a class B felony when the value of the stolen property is more than $10,000 but does not exceed $100,000. Makes identity theft a class A felony when the value of the stolen property exceeds $100,000. Makes identity theft a class A felony when the identity theft is performed for the purpose of committing a terrorist act. Makes identity theft a class C felony when the identity theft is performed for the purpose of committing an election offense. Makes the identity thief liable to the victim for civil damages of up to $5,000 per incident or three times the amount of actual damages, whichever is greater. Allows the victim to seek a court order restraining the identity thief from future acts that would constitute identity theft. In these actions, the court may award reasonable attorney fees to the plaintiff. Clarifies that the estate of a deceased person may pursue civil remedies when the estate is a victim of identity theft. Sets a limitation on civil suits at five years and clarifies that a criminal conviction is not a prerequisite for a civil claim. Clarifies that identity theft does not include a minor's misrepresentation of age by using an adult person's identification. Clarifies that a criminal prosecution for identity theft may be conducted in any county where a victim or defendant resides, where the stolen property was located, or in any county where an element of the crime was committed. Makes a second offense of identity theft or attempted identity theft a class D felony when the value of the property is less than $500. Creates the crime of trafficking in stolen identities, a class B felony. The crime is committed when a person possesses or transfers any means of identification for the purpose of committing identity theft. Unauthorized possession of a means of identification for five persons will be evidence of such intent. Expands the crime of false impersonation to include the providing of a false identity to a law enforcement officer upon arrest. If the false identity is not discovered until after the person is convicted, the prosecutor must file a motion to correct the arrest records and court records. Allows the court to order the expungement of the false arrest records for the person whose identity was used.
	H.B. 959 Signed by governor 6/14/04 Makes it a class A misdemeanor when the identity theft results in the theft or appropriation of credit, money, goods, services, or other property valued at less than $500. Makes attempted identity theft a class B misdemeanor. Makes identity theft a class D felony when the value of the stolen property is more than $500 but does not exceed $1,000. Makes identity theft a class C felony when the value of the stolen property is more than $1,000 but does not exceed $10,000. Makes identity theft a class B felony when the value of the stolen property is more than $10,000 but does not exceed $100,000. Makes identity theft a class A felony when the value of the stolen property exceeds $100,000. Makes identity theft a class A felony when the identity theft is performed for the purpose of committing a terrorist act. Makes identity theft a class C felony when the identity theft is performed for the purpose of committing an election offense. Makes the identity thief liable to the victim for civil damages of up to $5,000 per incident or three times the amount of actual damages, whichever is greater. Venue in this type of civil suit is proper in any county where any of the property stolen was located, where the defendant or victim resides, or in any county in which an element of a criminal charge of identity theft was committed. Allows the victim to seek a court order restraining the identity thief from future acts that would constitute identity theft. In these actions, the court may award reasonable attorney fees to the plaintiff. Clarifies that the estate of a deceased person may pursue civil remedies when the estate is a victim of identity theft. Establishes a limitation on civil suits at five years and clarifies that a criminal conviction is not a prerequisite for a civil claim. Clarifies that identity theft does not include a minor's misrepresentation of age by using an adult person's identification. Clarifies that a criminal prosecution for identity theft may be conducted in any county where a victim or defendant resides, where the stolen property was located, or in any county where an element of the crime was committed. Makes a second offense of identity theft or attempted identity theft a class D felony when the value of the property is less than $500. Creates the crime of trafficking in stolen identities, a class B felony, and is committed when a person possesses or transfers any means of identification for the purpose of committing identity theft. Unauthorized possession of a means of identification for five persons will be evidence of the intent.
New Hampshire	S.B. 521 Signed by governor 6/11/04, Chapter 233 Increases the penalty for identity fraud to a class A felony in all cases.
Oklahoma	S.B. 1164 Signed by governor 6/3/04 Authorizes expungement of certain records related to crimes arising from identity theft, creates the Oklahoma Identity Theft Passport Program.
	S.B. 1168 Signed by governor 5/14/04, Chapter 279 Modifies the crime of identity theft.
	S.B. 1503 Signed by governor 5/12/04 Prohibits false or fraudulent statements to financial institutions to obtain certain information; prohibits false or fraudulent documents or documents without lawful authority to obtain certain information or to commit a crime; states penalty; and provides for restitution.
Tennessee	H.B. 3403 Signed by governor 6/8/04, Public Chapter 911 S.B. 3364 Creates Class C felony offense of identity theft trafficking; declares that victim of identity theft is also a crime victim; establishes method for law enforcement to obtain records from public or private entity in cases of identity theft; and establishes standards for destruction of records maintained by private entity that contains personal identifying information concerning a client.
Utah	H.B. 195 Signed by governor 3/15/04, Session Law Chapter 55 Deletes provisions that currently give the Division of Consumer Protection authority to regulate the misuse of personal identifying information.
	S.B. 16 Signed by governor 3/22/04, Session Law Chapter 227 Establishes that the residence of the victim of identity theft in this state is sufficient to establish jurisdiction in this state; permits the prosecution of an identity theft in the county where the identity was stolen or used, or where the victim resides; allows prosecution in any county where the identity was stolen, used, or where the victim resides when the offense occurs in multiple jurisdictions; and establishes that the unauthorized possession of another person's identifying documents is a crime.
Vermont	H.B. 327 Signed by governor 6/8/04, Act 155 Allows a consumer to request that a credit reporting agency place a security alert on the consumer's credit report if the consumer's identity might have been used to fraudulently obtain goods or services and to place a security freeze on the credit report if the consumer has a sworn complaint about the unlawful use of personal information. The consumer credit reporting agency would have to provide a written summary of the rights of the consumer. Establishes the crime of identity theft and penalties for violations.
Virginia	H.B. 872 Signed by governor 4/12/04, Chapter 450 Authorizes the attorney general, with the concurrence of the attorney for the Commonwealth, to assist in the prosecution of the crimes of identity theft (§18.2-186.3) and the use of a person's identity with the intent to intimidate, coerce, or harass (§18.2-186.4). Allows for a conviction under the identity theft statutes when the defendant uses a false or fictitious name. Requires DMV, upon notification from the attorney general that an Identity Theft Passport has been issued to a driver, to note the same on the driver's abstract. Directs child day programs that reproduce or retain documents of a child's proof of identity that are required upon the child's enrollment into the program to destroy them upon the conclusion of the requisite period of retention. The procedures for the disposal, physical destruction or other disposition of the proof of identity containing Social Security numbers shall include all reasonable steps to destroy such documents by (i) shredding, (ii) erasing, or (iii) otherwise modifying the Social Security numbers in those records to make them unreadable or indecipherable by any means.