According to the Bureau of Justice Statistics, “[a]pproximately 16.6 million persons, or 7% of all U.S. residents age 16 or older, were victims of one or more incidents of identity theft in 2012. Among identity theft victims, existing bank (37%) or credit card accounts (40%) were the most common types of misused information.” Of that number, approximately 2.5 million fraudulent accounts are based on the personal information of deceased persons established by identity thieves. Notably, approximately 800,000 accounts a year, or 2,200 a day, are intentionally targeted based on the individual’s deceased status. The remaining accounts are stolen as a result of a random selection of numbers that happen to be an exact match to a decedent. This is known as "ghosting," and because it can take six months for financial institutions, credit-reporting bureaus, and the Social Security Administration to receive, share, or register death records, thieves have ample time to perpetrate fraud. Given the number of victims of identity theft, it is notable that, under the American Bar Association’s Model Rules of Professional Conduct and many state codes of professional conduct, attorneys may be found guilty of ethical violations if their conduct was the proximate cause of the identity theft.

Under Illinois law (720 ILCS 5/16-30, formerly cited as 720 ILCS 5/16G-15; 720 ILCS 5/16G-20; 720 ILCS 5/16-30), identity theft is defined as follows:

(1) using another person’s personal identification documents to fraudulently obtain credit, money, goods, services, or other property;

. . .

(3) obtaining, recording, possessing, selling, transferring, purchasing, or manufacturing any personal identification information or personal identification document of another with intent to commit any felony;

(4) using, obtaining, recording, possessing, selling, transferring, purchasing, or manufacturing any personal identification information or personal identification document of another knowing those materials were stolen or produced without lawful authority;

. . .

(6) using any personal identification information or personal identification document of another to portray himself or herself as that person, or otherwise, for the purpose of gaining access to any personal identification information or personal identification document of that person, without the prior express permission of that person;

(7) using any personal identification information or personal identification document of another for the purpose of gaining access to any record of the actions taken, communications made or received, or other activities or transactions of that person, without the prior express permission of that person.

Several court cases have involved a multitude of different circumstances and techniques by which individuals committed or attempted to commit identity theft. For instance, in People v. Boyd, 2012 IL App (3d) 100803-U, the defendant stole the purse of Assistant State's Attorney (ASA) from a courtroom. The court affirmed a trial court ruling that the defendant committed identity theft when he subsequently used the ASA’s Visa card for a personal purchase, and also when he transferred the card to an associate with the intent to commit, aid, or abet his associate in fraudulently obtaining items from a Target store. In People v. Elcock, 396 Ill. App. 3d 524, 919 N.E.2d 984 (Ill. App. Ct. 2d Dist. 2009), the court affirmed a trial court decision that found the defendant committed identity theft when the amount stolen totaled more than $100,000 between two victims who possessed a common interest in money and credit. More specifically, the defendant called two individuals over the age of 60, identified herself as an agent of the United States Treasury Department, and received the driver’s license numbers of both individuals. Using this information, the defendant was able to transfer money from the victims’ bank accounts before depositing the funds into pre-paid debit cards. Further, in People v. Ferguson, 2012 IL App (2d) 110825-U, the defendant, an employee of the United States Department of Veteran Affairs (VA), had attempted to use her position to commit identity theft and fraud through forgery. The appellate court held that the trial court properly found the defendant guilty, as she had the ability and the authority to create travel vouchers for veterans and used that authority to forge the signature of Peter Seiler, a 69–year–old veteran, in an attempt to defraud the VA by seeking to exchange the false documents for cash.

These cases serve as warning for those charged with securing personal information of others. As practitioners often require or are entrusted with personal information and documents by clients, attorneys should take reasonably thorough steps to prevent the possibility of identity theft as remedial measures and costs related to an attorney’s liability can be costly. Nevertheless, attorneys are not required to implement identity theft protection by law. For instance, Congress did not grant the Federal Trade Commission (FTC) authority to regulate lawyers as creditors under Fair and Accurate Credit Transactions (FACT) Act. As held in Am. Bar Ass'n v. F.T.C., 636 F.3d 641 (D.C. Cir. 2011), the FACT Act did not seek to eliminate all types of identity theft, but rather identity theft in the credit industry involving "financial institutions" and "creditors" and their "customers" and "account holders." Because these concepts do not exist in regard to attorney-client relationships, lawyers engaged in the practice of law are usually not "creditors" within the meaning of the FACT Act. Additionally, disregarding potential ethics violations, most states do not require that attorneys establish identity theft protection procedures either. As such, properly securing client information is more accurately considered a matter of best practices which can serve to promote positive attorney-client relationships. Further, attorneys who are title agents have additional obligations to the parties to a real estate transaction to keep their personally identifiable information secure, and ATG strongly recommends following the guidance of the American Land Title Association’s Best Practice #3 in this regard.

The State Bar of Wisconsin has suggested the following procedures for securing client information:

Tips for Securing Physical Client Files

Some practical suggestions for maximizing the physical security of client files include the following:

• Invest in locking file cabinets, and if you use keyed locks instead of combination locks, ensure that the keys are kept in a separate area and are not readily accessible.
• If you have a lot of in-and-out traffic through your firm, security cameras strategically placed at entrances and exits can serve as a deterrent to a would-be thief.
• Keep incoming and outgoing mail away from public access, not in a basket on a reception desk or similar location.
• Keep files containing sensitive client information in access-controlled locations whenever possible.
• Affix locking cables to stationary computer equipment to prevent easy removal in the event of a burglary.
• Ensure that phone calls during which staff might discuss sensitive information with clients are conducted outside of publicly accessible areas such as a reception area. Even merely repeating a credit card number out loud can trigger a theft.
• Ensure that the physical layout of the office is such that nonemployees have limited or no access to work space containing client files.

Tips for Securing Digital Client Files

Some practical suggestions for maximizing digital security of client files, suggested by Leon Chambers, an information systems specialist with the U.S. Postal Service, include the following:

• Use software programs (such as SecureDoc, for example) to encrypt passwords and protect workstations from unauthorized log-ons. Choose a program that locks out the attempted user after a limited number of attempts and protects a physical hard drive from being accessed with external devices.
• Encrypt all thumb drives or flash drives used by employees to store any sensitive information.
• Encrypt all emails containing personal identifiers, and when reassurance is needed that data has not been altered, use a PDF format for attached files.
• Lock workstations when they are not in use, and power them down at the end of the day.
• Back up data onto an encrypted external hard drive and store it in a separate, secure location.
• Limit access to sensitive data based on employees’ need to know and level of responsibility.
• Limit employees’ personal use of and access to public websites to reduce the likelihood of threats such as viruses or “key loggers” who can gain unauthorized access to terminals.
• If employees are allowed to gain remote access to the firm’s network, ensure that VPN tokens or specific means of remote access are properly encrypted.
• Periodically check on the firm’s computers to ensure that security has not been compromised, viruses inadvertently downloaded, or unauthorized access obtained.
• Stop terminated, retired, and deceased employees’ access to computer systems as quickly as possible.

Additionally, clients should be informed immediately of any security breaches or physical information (e.g., client files and other secure information) theft that could lead to identity theft.

Regarding the identities of deceased persons, the following preventative steps are recommended by Identity Theft Resource Center (ITRC) and the Internal Revenue Service (IRS), regardless of age.

Note: The following rules are more generally applicable to executors of the estate, although families and those entitled to take legal action on the part of the deceased should be advised to take these steps as well.

• Credit extending entities and organizations holding personal accounts should be notified by telephone and followed-up in writing. Mail all correspondence certified, return receipt requested. Keep photocopies of all correspondence, including letters that you send.
• Obtain at least 12 copies of the official death certificate when it becomes available. In some cases you will be able to use a photocopy, but some businesses will request an original death certificate. Since many death records are public, a business may require more than just a death certificate as proof.
• If there is a surviving spouse or other joint account holders, make sure to immediately notify relevant credit card companies, banks, stock brokers, loan/lien holders, and mortgage companies of the death.
• The executor or surviving spouse will need to discuss all outstanding debts and how they will be dealt with. You will need to transfer the account to another person or close the account. If you close the account, ask them to list it as: “Closed. Account holder is deceased.”
• Contact all credit reporting agencies (CRA), credit issuers, collection agencies, and any other financial institutions that need to know of the death using the required procedures for each one. The following are general tips:
• Include the following information in all letters:
  • Name and SSN of deceased
  • Last known address
  • Last five (5) years of addresses
  • Date of birth
  • Date of death
  • To speed up processing, include all requested documentation specific to that agency in the first letter
• Send all mail certified, return receipt requested.
• Keep copies of all correspondence, noting date sent and any response(s) you receive.
• Request a copy of the decedent’s credit report. A review of each report will let you know of any active credit accounts that still need to be closed, or any pending collection notices. Be sure to ask for all contact information on accounts currently open in the name of the deceased (credit granters, collection agencies, etc.) so that you can follow through with those entities.
• Request that the report is flagged with the following alert: “Deceased. Do not issue credit. If an application is made for credit, notify the following person(s) immediately: (list the next surviving relative, executor/trustee of the estate and/or local law enforcement agency- noting the relationship).”
• Send the IRS a copy of the death certificate; they use this to flag the account to reflect that the person is deceased.
• Send copies of the death certificate to each credit reporting bureau asking them to put a “deceased alert” on the deceased’s credit report.
• Review the deceased’s credit report for questionable credit card activity.
• Avoid putting too much information in an obituary, such as birth date, address, mother’s maiden name or other personally identifying information that could be useful to identity thieves.
• Other groups to notify:
  • Social Security Administration
  • Insurance companies – auto, health, life, etc.
  • Veteran’s Administration – if the person was a former member of the military
  • Immigration Services – if the decedent is not a U.S. citizen
  • Department of Motor Vehicles if the person had a driver’s license or state ID card; make sure  any vehicle registration papers are transferred to the new owners
  • Agencies that may be involved due to professional licenses – bar association, medical licenses, cosmetician, etc.
  • Any membership programs – video rental, public library, fitness club, etc.

Steps to take if the surviving spouse or estate executor suspects that someone is fraudulently using the information of a deceased person:

• Request a copy of the decedent’s credit report.
• Notify the police in the decedent’s jurisdiction if you have evidence of fraud (collection notice, bills, credit report). A suspicion of identity theft is best when backed with concrete evidence.
• Notify any creditor, collection agency, credit issuer, utility company that the person is deceased and date of death. Be sure to include a copy of the death certificate. Request an immediate investigation and that they contact you with the results of the investigation. Insist on letters of clearance, which you should keep with the other estate papers.
• In the event that the thief is a family member or relative, if the family is unable to decide on a course of action, the attorney can provide advice if possible or can recommend that the family consult another practitioner.
• Additionally, the IRS provides a specialized identity theft unit as a service to taxpayers who have been victims of identity theft, and want to notify the IRS. This unit can be contacted at (1-800-908-4490) and works with victims to review their taxpayer accounts and history, and provide guidance on what steps to take to mitigate their identity theft case. Callers have the option of either English or Spanish.

Note: Third parties do not have the same rights as a spouse or executor of the estate. A CRA may not mail out a credit report or change data on a consumer file upon their request. Third parties may write to the CRA and explain the situation and solve the problem.

In conclusion, while the law does not mandate that attorneys develop identity theft protection systems, preventative measures serve to decrease the likelihood of ethics violations resulting from failing to take reasonable steps to secure confidential client information. Further, developing security measures can serve to maintain or increase client goodwill and retention. Therefore, practitioners are advised to take reasonable steps to conform to the practices noted above to guard against potential identity theft stemming from their practice.

REFERENCES

1. Erika Harrell and Lynn Langton, Victims of Identity Theft, 2012, U.S. Department of Justice – Bureau of Justice Statistics (Dec., 2013), http://www.bjs.gov/content/pub/pdf/vit12.pdf.
2. Deceased Taxpayers – Protecting the Deceased from ID Theft, Internal Revenue Service, (last accessed May 19, 2015) http://www.irs.gov/Businesses/Small-Businesses-&-Self-Employed/Deceased-Taxpayers-Protecting-the-Deceaseds-Identity-from-ID-Theft.
3. What the IRS is Doing About Tax Fraud, Identity Theft Resource Center (June 24, 2013), http://www.idtheftcenter.org/Identity-Theft/what-the-irs-is-doing-about-tax-fraud.html.
4. Sid Kirchheimer, Protecting the Dead From Identity Theft, AARP (Mar. 6, 2013), http://www.aarp.org/money/scams-fraud/info-03-2013/protecting-the-dead-from-identity-theft.html.
5. Martha C. White, Grave Robbing: 2.5 Million Dead People Get Their Identities Stolen Every Year, TIME Magazine (Apr. 24, 2010), http://business.time.com/2012/04/24/grave-robbing-2-5-million-dead-people-get-their-identities-stolen-every-year/.
6. Competence, MRPC Rule 1.1
7. Confidentiality, MRPC Rule 1.6, Comments 18-19.
8. Identity Theft Law, HG.org (last accessed May 19, 2015), http://www.hg.org/identity-theft.html.
9. When Someone Allows Your Identity To Be Stolen, Are They Liable?, HG.org (last accessed May 19, 2015), http://www.hg.org/article.asp?id=31662.
10. David G. Ries, SAFEGUARDING CONFIDENTIAL DATA: Your Ethical and Legal Obligations, American Bar Association, July/August 2010 Issue, Vol. 36, No. 4, http://www.americanbar.org/publications/law_practice_home/law_practice_archive/lpm_magazine_articles_v36_is4_pg49.html.
11. Faith N. Mondry, ID Theft: Think It Can’t Happen in a Law Firm?, State of Wisconsin Bar: Wisconsin Lawyer, Vol. 84, No. 5 (May, 2011), http://www.wisbar.org/NewsPublications/WisconsinLawyer/Pages/Article.aspx?Volume=84&Issue=5&ArticleID=2155.
12. How to Prevent After-Death ID Theft, American Academy of Estate Planning Attorneys, (last accessed May 19, 2015) http://www.aaepa.com/2014/11/prevent-death-id-theft/.
13. ITRC Fact Sheet 117 - Identity Theft and the Deceased: Prevention and Victim Tips, Identity Theft Resource Center, (last accessed May 19, 2015) http://www.idtheftcenter.org/Fact-Sheets/fs-117.html.
14. Deceased Taxpayers – Protecting the Deceased from ID Theft, Internal Revenue Service, (last accessed May 19, 2015) http://www.irs.gov/Businesses/Small-Businesses-&-Self-Employed/Deceased-Taxpayers-Protecting-the-Deceaseds-Identity-from-ID-Theft.