PROTECTING PERSONAL INFORMATION IN THE ERA OF IDENTITY THEFT: JUST HOW SAFE IS OUR PERSONAL INFORMATION FROM IDENTITY THIEVES?

Identity theft has become one of the fastest growing white collar crimes in the world. It occurs when an individual's personal information such as inter alia his or her name, date of birth or credit card details is used by another individual to commit identity fraud. Identity theft can be committed via physical means or online. The increased use of the Internet for business and financial transactions, social networking and the storage of personal information has facilitated the work of identity thieves. Identity theft has an impact on the personal finances and emotional well-being of victims, and on the financial institutions and economies of countries. It presents challenges for law enforcement agencies and governments worldwide. This article examines how identity thieves use the personal information of individuals to commit identity fraud and theft, and looks at legislative solutions introduced in South Africa, the United States of America, the United Kingdom and India to combat identity theft crimes. The article examines measures introduced by the respective governments in these countries to counteract such crimes. Finally, the article will propose a way forward to counteract such crimes in the future. The study reveals that identity theft is a growing and evolving problem that requires a multi-faceted and multi-disciplinary approach by law enforcement agencies, businesses, individuals and collaboration between countries. It is advocated that businesses and institutions should take measures to protect personal information better and that individuals should be educated about their rights, and be vigilant and protect their personal information offline and in cyberspace.


Introduction
The Internet has introduced instant and cheap communication across the globe and it has transformed commerce by making it easier for individuals to transact across a multitude of jurisdictions. 1 However, the introduction of the Internet has brought with it resultant risks and dangers and it has become vulnerable to cyber-attacks. 2 Sophisticated criminal networks are using cyberspace 3 to commit new criminal behaviours against gullible and vulnerable computer users who use the Internet to conduct their daily activities, such as sending e-mails, purchasing goods and chatting on social networking sites.The speed of the Internet also challenges the ability of law makers to regulate it effectively.The anonymity of the Internet has also facilitated cybercrimes such as identity theft. 4This occurs when a person's personal information such as an identity document is wrongfully obtained and thereafter used to commit theft or fraud. 5Identity theft can be committed without technical means via physical * Fawzia Cassim.BA (UDW) LLB (UN) LLM LLD (UNISA).Associate Professor, Department of Criminal and Procedural Law, UNISA and admitted attorney and conveyancer.Email: cassif@unisa.ac.za.The term "cyberspace" refers to a unique medium or space that has no specific geographical location but it can be available to anyone anywhere in the world who has access to the Internet (as defined in Renor v ACLU US 844, 851 (1997)).See Kim, Newberger and Shack 2012 Am Crim L Rev 485.It also refers to a virtual, borderless world where computer programmes function visà-vis the physical world where human beings live and function.See Cassim 2012 PER 381.   4   The term "cybercrime" refers to any crime carried out primarily by means of a computer on the Internet.A computer may be the "object" of a crime when there is theft of computer hardware or software, or it may be the "subject" of a crime when it is used as an instrument to commit traditional crimes such as theft, fraud or new types of criminal activity such as identity theft or child pornography.For further discussion about cybercrimes, see Cassim 2009 PER 36-37;  Goodman and Brenner 2002 IJLIT 144-145; Lane and Sui 2010 GeoJournal 44.
The term "theft" is defined by Professor CR Snyman as "the unlawful and intentional appropriation of movable, corporeal property belonging to or in possession of another person with the intention to permanently deprive such person of such property", whereas the term "fraud" is defined as "the F CASSIM PER / PELJ 2015(18)2 71 available sources of personal information. 15Identity theft is a breach of the security which is essential to the Internet and e-commerce transactions. 16It undermines ecommerce transactions. 17An increase in the use of new communication technologies has thus seen a resultant increase in the commission of identity theft as vulnerabilities in computer networks are exposed and breached. 18Identity theft disrupts the lives of thousands of people each year. 19entity theft has been described by some as the "fastest growing white collar crime". 20It cost the US economy about $ 24.7 billion during 2012; the cost to the British economy is reported to be £ 1.3 billion annually; whilst it has cost the South African economy about R1 billion a year. 21Identity theft crimes present complex challenges for victims, law enforcement officials (police) and legislators. 22The spate of identity thefts also highlights the need for adequate laws mandating tighter security by businesses and organisations that store and trade personal information. 23vernments have responded to the increase in identity theft incidents by enacting laws to reduce its occurrence and severity.The article examines the effect of identity theft crimes on the personal information of individuals, the occurrence of identity thefts by traditional offline methods and in cyberspace, the impact of identity theft According to a 2013 Microsoft Computing Safety Index (MCSI) involving 20 countries, including India, the United Kingdom and the United States, 15% of respondents were found to be victims of phishing attacks, 13% experienced damage to professional reputation and 9% reported that their identity had been compromised.It should be noted that a detailed discussion on data privacy laws and personal information laws is beyond the scope of this article.Rather, the article will address how identity thieves use the personal information of individuals to commit identity fraud or theft.This section will address the definition of identity theft, the link between personal information and identity theft crimes and the different ways in which identity theft crimes occur.fraudulently obtain medical services (medical identity theft). 27Other forms of nonfinancial identity theft include tax identity theft, where the identity thief uses the victim's personal information to obtain government documents or benefits in the victim's name or to commit utilities fraud. 28ese criminal acts can be committed without the assistance of technical means as well as involving the impersonation of a computer user's information online. 29Anyone can become a victim of identity theft and one's personal information can be obtained by identity thieves through situations such as misplacing one's wallet or smartphone or from sophisticated scams such as email phishing or by criminals going through victims' trash bins or accessing information through unsecure websites. 30The identity theft will make the victim vulnerable to crime. 31e identity thief obtains vital information such as identity numbers (social security can assist the offender to avoid verification processes such as the use of biometric information as an identification tool. 33entity theft is also considered to incorporate phishing. 34Phishing refers to the use of emails to trick victims into disclosing their personal and financial information. 35ishers use information obtained via their scams to commit identity theft and fraud. 36entity thieves have also diverted their attention to social networking sites and they may eavesdrop into communications conducted over networks.The worldwide annual cost of identity theft and phishing is said to be $5 billion and the cost of repairing damage to people's reputation online is $6 billion.See Waugh 2014 to an identity theft incident is also extensive. 43Financial institutions pass on the losses to consumers with the result that consumers end up paying higher interest rates. 44entity theft has the potential to break down traditional spatial barriers for crime and it involves multiple jurisdictions. 45The increase in identity theft offences following hurricane Katrina in the United States demonstrates that the location of a major catastrophe and changes in human conditions can directly affect crime patterns. 46sses suffered by victims encompass pain and suffering, psychological damage, financial losses, harassment from debt collectors and creditors, the rejection of applications for loans and mortgage bonds from financial institutions, damage to reputations and possible arrest for the identity thief's other crimes. 47Victims suffer harm to their reputations as a result of criminal activities committed in their names. They don't typically discover the crime until after some time has passed, and it may take the victims a long time to clear their names and credit history. 48They are usually uncertain as to how their personal data was stolen or who stole their personal information.The fraud usually goes undetected as the victims rarely report the crime to law enforcement agencies. 49nancial institutions are also reluctant to report such crimes as they are worried about bad publicity, the loss of their reputations and the loss of public confidence. 50This reluctance is disconcerting as authorities and law enforcement agencies should be timeously informed about such attacks on company IT systems in order to aid their understanding of and preparation against criminal activities on the Internet.The difficulty regarding proper forms of online identification has also compounded the verification of users over the Internet.Sophisticated identification tools such as F CASSIM PER / PELJ 2015(18)2 biometric information are considered to be costly and are not widely used. 51The availability of tools to commit cybercrime has also made identity theft easy and profitable for offenders. 52

Legislation addressing identity theft
The increase in identity theft crimes has led to the promulgation of specialised legislation to address the challenges they pose.Adequate preventative measures are needed to respond to identity theft crimes. 53The following section will examine the introduction of legislative solutions in selected jurisdictions to address the increase in incidents of such fraud and the theft of personal information.

South Africa
There has been an increase in identity theft crimes in South Africa with identity thieves using stolen identities to open credit accounts, run up debts and claim false tax refunds from the South African Revenue Service ("SARS"). 54It has been recently reported that retailers, banks, cell phone stores and travel agents are carelessly discarding clients' sensitive personal information in trash bins at shopping malls. 55This constitutes "easy pickings" for identity thieves who can use the information to open bank accounts, buy goods, illegally apply for credit and access medical aids in their victims' names.
The South African Banking Risk Information Centre ("SABRIC") has warned South African consumers against a new scam that is designed to trick people into compromising their personal information. 56 computer stores. 57The South African Department of Home Affairs is presently implementing the Home Affairs National Identification System ("HANIS"), which aims to replace the current paper system with a digital database and thus address identity theft committed by the stealing of identity documents. 58A partnership has also been established between SABRIC and the Department of Home Affairs to grant banks access to HANIS for the verification of the identity of prospective and current bank customers.This is commendable.
In South Africa, identity theft is prosecuted in terms of the common law. 59A person guilty of identity theft may be found guilty of fraud, forgery and uttering a forged document, and this depends on the circumstances of each case.Certain minimum sentences are imposed in terms of the Criminal Law Amendment Act for the offences of fraud, forgery and uttering a forged document, ranging from imprisonment for 15 years to 25 years depending on the amount involved and the type of offender. 60The Southern African Fraud Prevention Service ("SAFPS") is tasked with combating fraud in society by protecting consumers against impersonation and identity theft. 61e Cybersecurity Policy Framework was passed by the South African Cabinet on 11 March 2012.The aims are inter alia to promote cyber security online; to co-ordinate government actions on cyber security and to ensure co-operation between the government, the private sector and civil society in addressing cyber threats; to examine areas of responsibility for government departments and to task the State Security Agency with overall accountability for the development and implementation of cyber security measures. 6257 The victims are advised that their systems are faulty or compromised and that they need urgent remedial action.They are tricked into divulging their personal information and into unknowingly installing or accepting malware on their computers during the telephonic conversation.Anon 2013 http://www.fin24.com/Economy/Beware-new-software-identity-theft-scam-20130408.The policy has yet to be fully implemented.A need also arises to develop more robust Computer Emergency Readiness Teams (CERTs) to respond to cyber incidents, to provide technical It is submitted that the following legislations may be used to stop the abuse of personal information in South Africa and to prevent identity theft.

Protection of Personal Information Act 4 of 2013 ("POPI")
POPI seeks to give effect to section 14 of the Constitution of the Republic of South Africa, 1996 ("Constitution").Section 14 provides that everyone has a right to privacy. 63The preamble to POPI provides that the right to privacy includes the right to protection against the unlawful collection, retention, dissemination and use of personal information.POPI was signed into law during November 2013.It promotes inter alia the protection of personal information processed by private and public bodies; provides for the protection of the rights of persons regarding unsolicited electronic communications; provides for the introduction of certain conditions so as to establish minimum requirements for the processing of personal information and regulates the flow of personal information across the borders of South Africa. 64The purpose of POPI is inter alia to regulate the manner in which personal information may be processed by establishing conditions prescribing minimum standards for the lawful processing of personal information. 65Key terms are defined in chapter 1 of POPI.It defines personal information as "information relating to an identifiable, living natural person and where applicable, an identifiable, existing juristic person". 66The term "data subject" is defined in POPI as the "person to whom personal information relates". 67It should be noted that the term "processing" refers to any operation or activity or set of operations, whether or not it takes place by automatic means, relating  It should be noted that the term "electronic communications" refers to any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient's terminal equipment until it is collected by the recipient.See ch 1 of POPI.
It should be noted that the term "data" is not defined in POPI.It is submitted that the term "personal data" may refer to electronic representations of personal information.A "data collector" could refer to the "operator" who processes the personal information of the natural or juristic person in terms of a contract or mandate.For further information regarding definitions of key terms, see ch 1 of POPI.
to personal information, and it includes inter alia the collection, receipt, recording, storage, retrieval or use of information, whilst the term "record" refers to any recorded information regardless of the form or medium. 68Thus, it may be argued that POPI (which protects personal information) may be used to address identity theft, which involves inter alia the perpetration of fraud whereby the identity thief uses the personal information of the individual to open bank accounts, to obtain credit, to purchase goods and services in the individual's name or to achieve nefarious dealings such as illegal immigration, espionage or terrorism.
The Act places obligations on companies to process personal information responsibly. 69Such companies also cannot collect personal information without the prior consent of the individuals and they cannot divulge or sell personal information to other companies for marketing purposes. 70POPI requires data collectors to register with the Information Protection Regulator. 71Individuals can now request companies to provide information free of charge as to whether or not they hold the personal data of the individual and to whom such data was disclosed. 72Companies will have to implement appropriate, reasonable and organisational measures to prevent the unauthorised use of personal information and invest in new technologies such as encryption and access control. 73Section 21 places an obligation on companies to notify the individual of any unauthorised use or disclosure of personal information to afford the individual an opportunity to take protective measures. 74 the Act. 75POPI allows for fines of up to R10 million or imprisonment of up to 10 years if companies do not respect personal information and handle it with the utmost care and responsibility. 76Data subjects whose personal information has been breached have recourse to civil remedies in terms of section 99 of the Act. 77 stated earlier, identity theft occurs when a person's personal information such as an identity document is wrongfully obtained and thereafter used to commit theft or fraud. 78It is submitted that as POPI protects personal information, it will assist in addressing identity theft crimes.It will end the abusive and negligent use of personal information and unscrupulous information practices by companies by requiring companies to implement appropriate reasonable measures to prevent the unauthorised use of personal information. 79Companies will have to invest in new technologies (such as encryption and access control) to prevent the unauthorised use of personal information.POPI also seeks to balance the right of privacy against economic and social progress.It will be interesting to see how POPI is interpreted by the courts in future cases.

The Electronic Communications and Transactions Act 25 of 2002 ("ECT")
The main aim of the ECT is to "provide for the facilitation and regulation of electronic communications and transactions in the public interest".The object of the ECT is set out in chapter 2, which recognises inter alia the importance of electronic communications and transactions to benefit South Africa and the need to develop a safe and secure environment for the consumer, business and the government to use electronic communications. 80It should be noted that the term "data" refers to 75 See s 55 in ch 5 of POPI regarding the duties and functions of such officers.The Information Protection Regulator may pursue civil actions for damages for a breach of POPI's provisions, and a court hearing the matter, may award a just and equitable amount including the payment of damages as compensation for patrimonial and non-patrimonial loss suffered by the data subject.The term "consumer" refers to any natural person who enters or intends to enter into an electronic transaction with a supplier to receive the goods or services offered by the supplier.See ch 1 regarding definition of key terms.The object of the ECT is to protect the public (consumers, business and the government) who use electronic communications.electronic representations of information in any form, whilst the term "electronic communication" refers to a communication by means of data messages. 81According to section 85 of the ECT, the term "access" includes the action of a person who after considering any data becomes aware of the fact that he or she is not authorised to access that data, but nevertheless continues to access that data. 82The computer may become the "subject" of a crime when it is used as an instrument to commit traditional crimes such as theft, fraud or new types of criminal activity such as identity theft. 83us, identity theft can be regarded as an example of a cybercrime.
Cybercrime is addressed in Chapter 13 of the ECT, which contains the following: Anticracking (or anti-thwarting) and hacking law, which prohibits the selling, designing or the production of security circumventing technology has been introduced in sections 86(4) and 86(3); 84 e-mail bombing and spamming are regulated in sections 86(5) and 45 respectively; 85 and computer-related extortion, fraud and forgery are addressed in section 87. 86It is a criminal offence to intentionally access or intercept any data without authority or permission in terms of section 86(1) of the ECT. 87The criminal provisions are contained in section 89. 88Section 89 prescribes a fine or imprisonment not exceeding five years.It is submitted that more stringent penalties are required to 81 It should be noted that the term "data message" refers to data that is generated, sent or received or stored by electronic means and includes voice used in an automated transaction and a stored record.This means that a person who after accessing data (the electronic representation of information in any form) becomes aware that he or she does not have any legal authority or permission to access that data, nevertheless continues to access that data, then that person is guilty of an offence in terms of s 86 the ECT.Also see s 85 of the ECT regarding the definition of "access".deter crafty and sophisticated cyber criminals such as online identity thieves, who may use the personal information of individuals without permission or authority to commit identity fraud or theft.
In instances where the offender uses a skimming device 89 to breach certain security measures, and he or she uses the data enclosed within the magnetic strip of a debit or credit card illegally or unlawfully, then the offender has contravened sections 86 or 87 of the ECT.Similarly, offenders may infringe the common law offence of fraud because they are guilty of committing fraudulent transactions by using the cloned debit or credit card.It is noteworthy that the ECT does not address the crime of identity theft per se.However, as identity theft may involve Internet fraud, it may conceivably fall within the ambit of sections 86 and 87 of the ECT.
The following section will examine legislation that has been introduced in the United States, the United Kingdom and India to address identity theft incidents or crimes.To this end, the promulgation of identity theft legislation and the protection of personal information legislation in these jurisdictions will be examined.The above jurisdictions were chosen for the comparative study because they have valuable experience addressing identity theft crimes and protecting personal information, and they have made concerted efforts to address identity theft crimes (as the following discussion will demonstrate).The aim of the comparative study is to ascertain whether South Africa can learn from the experiences or approaches in these jurisdictions.

United States of America
The increasing use of foreign call centres such as Indian call centres by American companies has resulted in an increase in identity theft incidents in the United States. 9089 A skimming device refers to a special storage device that is used to steal a credit or debit card number when a person's card is being processed for payment at a retail store.The information encoded on the cards may be valuable to identity thieves, who may use the information to make telephonic or electronic purchases.See Ardé Saturday Star Personal This practice, whereby foreign companies are hired to perform a business transaction, is called "outsourcing". 91This enterprise has led to Indian outsourcing firms having increased access to the private financial information of American citizens. 92This raises the question of whether American consumers whose personal information is subject to this transnational data flow are adequately protected.
There has also been a surge in tax identity theft 93 in the United States.Tax identity theft is usually discovered when there is a dispute regarding the income that is reported to the Income Revenue Service ("IRS") and a filing of multiple returns arises. 94Victims of tax identity theft are encouraged to report the theft to law enforcement agencies or to file a report with the Federal Trade Commission ("FTC") in the United States, which monitors identity theft nationwide. 95The IRS has also established a special unit called the IRS Identity Protection Specialised Unit which assists taxpayers with tax identity issues. 96Taxpayers are encouraged to avoid becoming victims by becoming aware of IRS practices and safeguarding their personal information on laptops, computers, smartphones and similar devices. 97Thus a need arises for appropriate measures to be taken to effectively and speedily control this type of fraud.

Identity theft laws
Identity theft has become one of the fastest growing crimes in the United States, and it has been described as the top consumer complaint since the year 2000. 98The the collection, reporting and use of such consumer data. 105The FACT Act is aimed at reducing consumers' vulnerability to identity theft and consumer fraud and minimising the harm once the theft or fraud has occurred.The FACT Act places responsibilities on businesses to co-operate fully with consumers through enhanced communication and more accurate recordkeeping. 106The FACT Act has been commended for the increased power it provides to consumers regarding credit reporting and it calls for co-operation between the credit bureaus and the FTC to define and communicate to consumers a statement of their rights in the event that a theft or fraud occurs. 107 However, the FACT Act has also been criticised for not preventing the occurrence of identity theft in the first place, for not imposing sufficient restrictions and sufficient penalties on businesses and companies that violate the law, and for doing little to combat identity theft and fraud. 108It has been reported that the judiciary has generally rejected victims' tort claims against businesses that are accused of creating opportunities for identity thieves, with the state of Alabama being an exception. 109In Patrick v Union State Bank 110 it was held that a bank owes a duty of reasonable care to the person in whose name and upon whose identification an account is opened, to ensure that the person opening the account and to whom cheques are given is not an imposter.However, other courts have held that consumer protection matters should be addressed by legislators rather than judges, such as in Huggins v Citibank NA,111 where it was held that the legislative branch is better equipped to assess and address the impact of fraud on victims and financial institutions.Arizona the first state to do so in 1996. 112However, the types of laws that have been introduced differ according to the types of identity theft, the different punishments imposed, and the level of assistance that is rendered to victims.Some states such as California offer consumers an option to place an "anti-identity theft freeze" or "security freeze" on their credit record that will prevent organisations from examining their credit history and offering credit based on their record. 113The security freeze provides greater protection by preventing any creditor from accessing any part of a consumer's credit history; however, it may create procedural difficulties and costs for those consumers who require the lifting of the freeze. 114Identity theft insurance is also offered to some consumers. 115However, these services have been criticised for benefiting the banks rather than consumers, and for their inability to alert the consumer or protect the consumer from criminal identity theft. 116e case of United States v Rose 117 illustrates the problem of synthetic identity theft.
Synthetic identity theft occurs when the offender uses the victim's Social Security Number ("SSN") with a fake name, thus creating a new "synthetic" identity, or an offender can create a new identity using fabricated information, and this can be used to apply for credit. 118The Rose case illustrates that individuals who become victims of synthetic identity theft may not suffer direct financial loss; however, they may suffer non-monetary loss such as reputational harm, emotional distress, and wastage of time and resources as a result of the debtor attempting to recover funds associated with the synthetic identity's account. 119 CASSIM PER / PELJ 2015(18)2 88 clients in other states. 125The CDPA has been punted as a step in the right direction as it requires the disclosure of data breaches and allows for private causes of action. 126 It is also noteworthy that some American courts have found that the illegal use of personal information is foreseeable, and have imposed duties on businesses to protect personal information from illegal activity. 127 should be emphasised that the United States has not adopted uniform data There is a lack of practical control or enforcement that EU citizens can exert over American companies who have received their personal information.Very few American companies also comply with EUDPD principles.Luck 2014 De Rebus 45.
scam in which 7000 fake identities were invented to obtain thousands of fraudulent credit cards. 130The role of the FBI in addressing identity theft crimes is commendable.

The United Kingdom
Banks in Britain are also facing e-commerce threats.Identity crimes have become one of the fastest growing types of fraud in the United Kingdom. 131The UK's Fraud Prevention Service ("CIFAS") provides the UK's most comprehensive database of confirmed fraud data and an extensive range of fraud prevention services using the latest technology to protect organisations from the effects fraud. 132It comprises about 300 organisations from public and private sectors, such as banks, credit card bureaus, asset finance sectors, telecommunications and online retail sectors which share fraud information via the CIFAS.The aim is to prevent further fraud.British consumers are encouraged to contact the CIFAS to apply for protective registration.
A new cyber reserve unit or force has also been created to strengthen national security by protecting computer networks and sensitive data, and to launch attacks and counter strikes against fraudsters. 133The Ministry of Defence will also recruit reservist computer experts to work with regular armed forces to counter attacks in cyberspace. 134An organisation called Action Fraud also investigates Internet crime in the UK, and consumers are urged to report phishing attacks and identity fraud to this organisation. 135 Unit is working with the FBI to investigate phishing attacks in the UK. 136This illustrates the importance of alliances to fight identity theft and phishing crimes.
The use of phishing scams to extract confidential account details from customers has proved costly to British banks according to recent reports. 137However, the banks are stepping up their efforts to help consumers protect themselves from online scams and threats with the launch of a new website banksafeonline.org.uk. 138Typically phishing attacks and identity scams have encompassed scam emails posing as security check emails from well-known banks, which attempt to trick users to hand over their account details and passwords.The details are then used to create fraudulent transfers.Most of the fraudulent activity is said to originate from Eastern Europe. 139The aim of this site is to provide a one-stop advice shop for consumers and small businesses.It should be noted that UK banks rather than their customers bear the loss encountered as a result of phishing attacks and identity scams.It has been mooted that banks should educate their customers about the risks of transacting online and banks should employ more advanced data protection technology. 140There have been some successful prosecutions: an American fugitive, Douglas Havard, was sentenced in 2005 to six years in a British prison for his part in a multi-million dollar international phishing scheme. 141In a recent incident, a British couple faced a huge demand from German tax authorities for unpaid vat when the husband's passport was stolen. 142The matter was eventually resolved.rights regarding online fraud and measures to prevent and respond to identity theft. 167chnical solutions are seen as a positive response to address vulnerabilities in computer networks.Organisations and Internet service providers should also educate users regarding safe browsing and make safety packages available to their users. 168 has been mooted that there should be mandatory public reporting of identity theft cases by financial institutions and that they should report regularly to a financial regulator. 169It is proposed that such reporting will improve our understanding of identity theft and enable policymakers to enact adequate preventive measures to respond to the severity and methods of the crime. 170It is submitted that technical solutions and/or education should form part of legislative interventions to address identity theft crimes.
Criminal law should be effectively utilised to ensure that procedural or technical obstacles do not obstruct the prosecution of the online fraudster. 171Financial institutions should also publicly report on identity theft incidents without infringing on the rights of the consumer, and this will create a market for identity theft prevention.
They should also offer safe products that will help consumers make informed choices.
Businesses should not only adopt the business practices required under legislation such as the FACT Act and POPI, but should also focus on emerging practices that might further protect consumers against identity theft.There is also a need for legislation to be enacted to provide consumers and businesses with weapons to preempt the damage and prevent the occurrence of the identity theft.Businesses must also use more advanced technology to combat security weaknesses in our current technological environment.Our technology industry also has to ensure that our system of data protection is coherent and that it conforms to current technological practices.
It is also important to remember that "computers do not steal identities… but people do". 172Therefore, a better understanding of the offenders and transgressors will also F CASSIM PER / PELJ 2015(18)2 97 aid in slowing the progress of identity theft.The importance of alliances between different government law enforcement agencies to combat identity theft across different jurisdictions is acknowledged, as demonstrated by the co-operation between the UK's Hi-Tech Crime Unit and the FBI. 173The International Criminal Police Organisation also facilitates co-operation between law enforcement agencies to investigate online crimes. 174Identity theft is a growing and evolving problem existing in the physical and virtual worlds, and it requires a multi-faceted and multi-disciplinary approach by law enforcement agencies, businesses, consumers and collaboration between countries.
It has been mooted that the following steps 175 should be taken to respond to identity theft:


Raise businesses' awareness of their responsibility to protect employee and client records (such as the enactment of GLB/Gramm-Leach-Bliley Act and the FACT Act in the US, which require certain businesses or institutions to protect information better, and POPI in South Africa).


Educate individuals and consumers about protecting their personal information (offline and online).


Form alliances between different law enforcement agencies to combat identity theft in different jurisdictions (as illustrated by the co-operation between the UK's Hi-Tech Crime Unit and the FBI).


Create collaboration between governments and other service organisations to protect personal information of private individuals and public bodies.


Devise a plan to prevent or minimise the harm of identity theft when large identity databases have been breached.
It is submitted that these steps are commendable and should be followed to combat identity theft and assist the victims.Further steps to curtail identity theft should include a speedier and increased intervention by intermediary parties (such as financial institutions, law enforcement agencies and criminal record departments) between the victim and the identity thief, the use of an identity fraud alert registry, and the increased use of biometric data (such as finger prints, retina scans and hand imaging) to identify individuals. 176Therefore, it is imperative that countries should amend their laws to better address identity theft and the problems associated with it.The challenge is to formulate policies that strike a balance allowing reasonable access to information by people who have a legitimate use for such information (the "collectors"), and at

1
Stevenson 2005 Duke Law and Technology Review 1. 2 Cyber-attacks refer to malicious attacks on information infrastructures or unauthorised access and tampering with computer systems and programmes by criminal elements.It should be noted that the term "criminals" refers to persons who engage in unlawful activities.Nuth 2008 CLSR 437-438; Rubin 1995 International Journal of Law and Information Technology 118; Goodman and Brenner 2002 IJLIT 144, 160. 3

15The
Internet is said to provide identity thieves with easier access to a large amount of personal information.Gercke 2011 http://www.itu.int/ITU-D/cyb/cybersecurity/legislation/html;Lynch 2005 Berkeley Tech LJ 262.16 Sullins 2006 Emory Int'l L Rev 398.17 Sullins 2006 Emory Int'l L Rev 398.18 Lane and Sui 2010 GeoJournal 46.19 It causes inter alia financial hardship and emotional suffering to victims, who spend a great amount of time and money to clear their credit records and names as a result of the identity fraud perpetuated in their names.Lane and Sui 2010 GeoJournal 43.For further discussion on the impact of identity theft on individuals, see the discussion in s 3 below.20 See Hoofnagle 2007 Harv J L & Tech 98; Lane and Sui 2010 GeoJournal 43; Solove 2003 Hastings Law Journal 17.
crimes on victims and the use of legislative solutions to comprehensively address identity theft.It reveals that the increase in identity theft crimes has led to the introduction of specialised legislation addressing such crimes in certain countries.The article looks at legislative solutions introduced in South Africa, the United States of America, the United Kingdom and India to combat or address such crimes.It is advocated that businesses and organisations should protect the information of individuals better.Individuals should be educated about their rights and they should become vigilant and safeguard their personal information from identity thieves.2Understandinghow identity theft occurs24    In the United States, the Identity Theft and Assumption Deterrence Act of 1998 describes identity theft as the process whereby a person knowingly transfers or uses without lawful authority a means of identification of another person with the intent to commit or to avoid or abet any unlawful activity that constitutes a violation of federal law or a felony in terms of any state or local law. 25Identity theft occurs when someone wrongfully obtains the personal information of another individual without their knowledge to commit theft or fraud. 26It involves the use of another individual's personal information for nefarious purposes, such as for economic gain; to facilitate crimes such as illegal immigration, terrorism and espionage; to evade criminal sanctions or apprehension by posing as another person (criminal identity theft) or to 24 2014 http://goo.gl/SvDuXn.However, legislations such as the Protection of Personal Information Act 4 of 2013 and the Electronic Communications and Transactions Act 25 of 2002 may be used to address identity theft crimes in South Africa.For further discussion regarding such legislations, see ss 4.1.1 and 4.1.2below.60 See s 51 read with Part 11 of Schedule 2 of the Criminal Law Amendment Act 105 of 1997.61 For more information, see the website: SAFPS 2014 http://www.safps.org.za. 62 assistance to businesses affected by cybercrime and to avert cyber threats.See, further, Tamarkin 2014 http://goo.gl/pmLxZb;Jones 2014 http://goo.gl/MCVT4c.63 This right is subject to the limitation clause in s 36 of the Constitution.64 See inter alia chs 3, 9 and 11 of POPI.Ch 3 regulates the conditions for the lawful processing of personal information; ch 9 regulates transborder information flows, whilst ch 11 regulates offences, penalties and administrative fines.It should be noted that s 72 specifically regulates the transfer of personal information outside South Africa.See s 2(b) of POPI. 66

78
See the discussion in ss 1 and 2 above.79 See s 19 of POPI.80

82
Section 85 is said to define cybercrime.See Snail 2009 http://goo.gl/QAscPb.83 Cassim 2009 PER36-37; Goodman and Brenner 2002 IJLIT 144-145.84   A person may be guilty of an offence in terms of s 86(4) if he or she designs a programme to overcome copyright protection.See Snail 2009 http://goo.gl/QAscPb.85 S 86(5) of the ECT addresses denial of service ("DOS") attacks, which may cause a computer system to be inaccessible to legitimate users.Spamming is regulated in s 45, which prevents unsolicited commercial communications.Also see Snail 2009 http://goo.gl/QAscPb.86 S 87 of the ECT prohibits actions described in s 86 for the purpose of achieving any unlawful proprietary or pecuniary advantage by trying to blackmail another person or by making a false misrepresentation to obtain a monetary benefit.Forgery refers to the unlawful and intentional making of a false document to the actual or potential prejudice of another person.See Smith 2014 http://goo.gl/SvDuXn.
They have been criticised as not being stringent enough.The Regulation of Interception of Communications and Provision of Communications-Related Information Act 70 of 2002 ("RICA") is said to prescribe much harsher measures than the ECT.See van der Merwe et al Information and Communications Technology Law 75-78.
Section 676 of the Identity Theft and Tax Fraud Prevention Act of 2013 also seeks to combat identity theft.A number of states have introduced identity theft laws with 105 See Keenan 2005-2006 Shidler J L Com & Tech 1 and Lynch 2005 Berkeley Tech LJ 278-281, for a discussion about this Act.


Work with local banks to encourage credit card bureaus to adopt improved security practices for their clients and or customers.Trackthe delivery of documents to avert the theft of personal information.Workwith identity theft victims to provide assistance and advice regarding their rights.173 Sullins 2006 Emory Int'l L Rev 411-412; Almahroos 2007-2008 J L & Pol'y 601.174 Sullins 2006 Emory Int'l L Rev 411-412.
the same time to afford protection to individuals and/or consumers.Incentives should also be provided to businesses and institutions to exercise reasonable care to prevent the further abuse and negligent disclosure of the personal information of individuals and/or consumers.Identity Fraud on the Rise" Saturday Star (6 September 2014) 3 Ardé Saturday Star Personal Finance Ardé A "Banks Must Up Their Game, or Cough Up" Saturday Star Personal Finance (29 November 2014) 3 Bishop 2006-2007 Shidler J L Com & Tech Bishop DA "To Serve and Protect: Do Businesses Have a Legal Duty to Protect Collections of Personal Information?" 2006-2007 Shidler J L Com & Tech 3-9 Black 2005 JLIS Black P "Phish to Fry: Responding to the Phishing Problem" 2005 JLIS 73-91 Burquest and Wilkinson 2013 Tax Adviser Burquest P and Wilkinson J "Is Tax Identity Theft Becoming an Epidemic?"April 2013 Tax Adviser 223-224 Calman 2006-2007 Rich J L & Tech Calman C "Bigger Phish to Fry: California's Anti-Phishing Statute and Its Potential Imposition of Secondary Liability on Internet Service Providers" 2006-2007 Rich J L & Tech 1-24 Hoofnagle 2007 Harv J L & Tech 98-122; Lynch 2005 Berkeley Tech LJ 260; Newman Identity Theft 1; Lane and Sui 2010 GeoJournal 44.It is submitted that legislations such as the Electronic Communications and Transactions Act 25 of 2002 ("ECT") and the Protection of Personal Information Act 4 of 2013 ("POPI") may be used to address identity theft crimes in South Africa.
See 18 USC s 1028(a)(7).Also see Pierson 2007 CILW 22; FBI 2014 http://goo.gl/TWBoep;threats to the privacy of personal information.Identity theft has also been described as a type of fraud encompassing two categories, namely new account fraud where the offender opens lines of credit using the personal information of another, and account takeover where the offender uses one of the victim's existing financial accounts.For detailed information about these types of frauds, see Hoofnagle 2007 Harv J L & Tech 100-104.

37 3 The impact of identity theft
Companies have to appoint Information Protection Officers to ensure compliance with the provisions of 68 It is submitted that the term "processing" may incorporate the use and storage of personal information by traditional or conventional means (such as written format) and electronic means.See ch 1 of POPI for a detailed definition about key terms.The Information Protection Regulator refers to a juristic person established in s 39 of POPI.S 40 sets out the duties and functions of the Regulator, which include inter alia providing education on the Act to private or public bodies and data subjects, monitoring and enforcing compliance by private and public bodies regarding the Act, and handling complaints about alleged violations of the Act.See s 23 of POPI.Also see Luck 2014 De Rebus 45-46 for a discussion about POPI's key features.
71 73 See s 19 of POPI.74To illustrate this, the theft of an employee's computer must be disclosed to every person whose data is at risk.Also see Luck 2014 De Rebus 46.
amended Title 18, US Code, section 1028 to make it a federal crime to "knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law".99 The enactment of the Identity Theft Act made it possible to prosecute the 96Individuals whose accounts are subject to identity theft have also been given identity protection personal identification numbers (IP PINS).Burquest and Wilkinson 2013 Tax Adviser 224.97 Burquest and Wilkinson 2013 Tax Adviser 223.98 Lane and Sui 2010 GeoJournal 43.See Ravin 2008 NJ Law 60; Pierson 2007 CILW 22; Lynch 2005 Berkeley Tech LJ 261; Perl 2003 J Crim L & Criminology 172.ActThe Act established a new crime, namely that of aggravated identity theft; that is, using a stolen identity to commit other crimes.103TheIdentityTheftEnforcement and Restitution Act of 2008 was signed into law by President Bush in 2008.Its aim was to enhance the identity theft laws.This Act applies to online and offline information theft, addresses phishing and identity theft, and authorises restitution to identity theft victims for the time they spend recovering from harm caused by identity theft.104TheFair and Accurate Credit Transactions Act of 2003 ("FACT Act") was enacted inter alia to further address the problem of identity theft and further regulate the use of credit information.The FACT Act also imposes new business practices on companies 103 This Act includes an additional two-year term of imprisonment for identity theft in connection with particular federal violations.See Winmill, Metcalf and Band 2010 DE & ESLR 25.Also see Sullins 2006 Emory Int'l L Rev 413-414 for a discussion about this Act.Feigelson and Calman 2010 J Internet L 17. Also see Kim, Newberger and Shack 2012 Am Crim L Rev 476-477 for a discussion about identity theft legislation and penalties.
protection standards equivalent to the European Union Data Protection Directives of 1995 ("EUDPD").The EUDPD addresses the protection of individuals regarding the processing of personal data and it regulates the free movement of such data.It prevents European businesses from transacting with US companies in terms of article 1, which provides for the economic and social progress of the European Union (EU).128However, the United States Department of Commerce Safe Harbour Privacy Principles of 2000 (Safe Harbour Agreement) allows US businesses to self-certify that they are compliant with the standards of data protection adopted by EU nations through the 128Luck 2014 De Rebus44-45.129 A National Cyber Crime Unit was also introduced in 2013 within the National Crime Agency to tackle cybercrime in the UK.Thus, UK consumers are receiving advice on protecting themselves from identity fraud through organisations such as the CIFAS and Action Fraud.The United Kingdom's National Hi-Tech Crime 130 FBI 2014 http://goo.gl/TWBoep.The FBI has also collaborated with the Justice Department, Secret Service and Postal Service and local, state and international law enforcement agencies to arrest and prosecute identity thieves.Lynch 2005 Berkeley Tech LJ 265.
134Convicted computer hackers may also be recruited to help address the scourge of cybercrime.135 Anon 2014 http://www.actionfraud.police.uk/fraud-az-phishing.For further information regarding the organisation, see Action Fraud 2014 http://www.actionfraud.police.ukaccessed.It should be noted that phishing is considered to be a form of online identity theft.See the discussion in s 2 above.
The identity theft laws in the UK comprise the Theft Act of 1968, the Data Protection Act of 1998, the Identity Cards Act of 2006 and the Fraud Act of 2006.143TheTheftAct of 1968 addresses theft, robbery and burglary.Stealing another person's identity is regarded as stealing a "property".An offender can be convicted of identity theft under this law; hence the Theft Act is relevant to prosecute identity thieves.According to the Data Protection Act of 1998, private information such as a ethnic identity, sexual orientation, religious affiliation, financial records, birth records and family records cannot be divulged.It is a privacy act that requires public entities to closely guard identity information.Agencies that hold mass data on the UK population cannot disclose such data to other entities without explicit consent, and it limits the period of time that a data reservoir can hold information.UK citizens have a right to obtain collected information about them, and organisations that store personal information must ensure that data protection systems are up to date and fully functioning.For further information regarding these laws, see Experian 2014 http://www.experian.co.uk and the website, National Archives 2014 http://www.legislation.gov.uk.Savirimuthu 2008 JICLT 121-122.It is noteworthy that computer-related fraud is addressed in A 8 of the Convention on Cybercrime (2001).designedoradaptedforuse in the course of or in connection with fraud, and intended it to be used to commit, or assist in the commission of fraud.145TheFraudAct is seen as a step in the right direction as it removes deficiencies in the previous regime on fraud and it incorporates principles which conform to the concept of technological Previously, identity theft was not addressed separately in Indian law, but it fell within the ambit of "hacking", which involved the infiltration of a computer resource involving the "alteration, deletion or destruction of the information residing therein, facilitating the crime of identity theft".150TheInformationTechnologyAct of 2000 ("ITA") and the Indian Penal Codes imposed criminal sanctions on thieves who used computers to commit crimes.151Theenforcement of these laws presented many challenges.The ITA did not contain a specific provision to address identity theft.However, it established the Cyber Regulations Appellate Tribunal to adjudicate cybercrimes such as identity theft.During February 2003 a Delhi High Court sentenced a call centre employee for online cheating.152TheITAwassubjecttocriticismduetoitslack of enforcement and few successful prosecutions. 153arose for a more comprehensive response to identity theft by Indian legislators.lakh.156Therefore,anypersonfoundguilty in terms of the ITAA will be subject to imprisonment and a stiff monetary fine.The ITAA has been subject to criticism as a result of its poor drafting, and the lack of a comprehensive provision addressing punishment.157Acomputeremergencyresponseteam(Cert-In) has been established in India to operate as a central access point for the troubleshooting, reporting and detection of crimes related to identity theft and other computer security issues.158Indiadoesnothavemanylawsthatexplicitlyprescribe or prohibit systematic government access to private sector data.159TheInformationTechnologyAmendmentAct of 2008 allows authorised agencies broad reactive access to personal information held by the private sector for investigation purposes.160However,theIndiangovernment'saccess to and disclosure of private sector data has been criticised because it does not adopt principles of natural justice and its practices are susceptible to corruption and collusion.161Theabovediscussiondemonstratesthat the United States, the United Kingdom, India and South Africa are making concerted efforts to tackle identity theft crimes.Legislation in theUnited States, such as the Identity Theft Enforcement and Restitution Act of 2008, the Identity Theft and Tax Fraud Prevention Act of 2013 and the FACT Act demonstrate the government's commitment to combat identity theft.The roles of the FTC and the FBI in investigating and tracking down identity theft cases are also commendable.However, the United States needs to adopt uniform data protection standards similar to the EUDPD Directives in Europe.Simlarly, the promulgation of the Fraud Act of 2006 in the UK, and the role of organisations such as Action Fraud and CIFAS demonstrate the UK's commitment to tackling the scourge of identity theft.The importance of alliances to fight identity theft crimes as by the co-operation between the United Kingdom's National Hi-Tech Crime Unit and the FBI is recognised.Legislation such as the ITAA in India, and POPI and the ECT in South Africa are seen as steps in the right direction in combating identity theft crimes in these countries.The introduction of a Cybersecurity PolicyFramework in South Africa to respond to cyber security threats is lauded, but it needs to be implemented.However, all countries need to ensure that their fight against identity theft does not jeopardise basic human rights and fundamental such as the rights to privacy and access to information. To his end, a balance should be struck between access to information by institutions that have a legitimate use for such information, and respecting the rights of individuals and or consumers.Incentives should also be provided to businesses and institutions to exercise reasonable care to safeguard the personal information of individuals in this technological age.
141 Calman 2006-2007 Rich J L & Tech 10. 142 Mr Richard's passport was stolen in 2003 and his identity was used to conduct business operations in Germany.The German tax authorities have recently confirmed that they are no longer pursuing the unpaid VAT from Mr Richard.Winch 2013 http://goo.gl/vGR0vw;Winch2013 http://goo.gl/DucEgQ.152The accused had stolen an American citizen's credit card information to purchase a colour television and a telephone.Grant 2006 J Tech L & Pol'y 14. 158 See DeitY 2014 http://www.deity.gov.in/content/icert.159See Abraham and Hickok 2012 IDPL 302.160However, they do not establish grounds for access for example, for reasons of national security.Abraham and Hickok 2012 IDPL 305.demonstrated