1985 Investigation order; identity theft  

  • PENNSYLVANIA PUBLIC UTILITY COMMISSION

    Investigation Order; Identity Theft

    [34 Pa.B. 5997]

    Public Meeting held
    July 23, 2004

    Commissioners Present: Terrance J. Fitzpatrick, Chairperson; Robert K. Bloom, Vice Chairperson; Glen R. Thomas; Kim Pizzingrilli; Wendell F. Holland

    Investigation In Re: Identity Theft; Doc. No. M-00041811

    Investigation Order

    By the Commission:

       By this order, the Commission is initiating an investigation, under sections 331(a), 501(a) and 1501 of the Public Utility Code, 66 Pa.C.S. §§ 331(a), 501(a) and 1501, to examine identity theft and its impact on utility companies and consumers in this Commonwealth.

       Identity theft is a growing problem that plagues millions Nationwide. Identity theft takes place when one person uses another's personal information such as name, Social Security number, credit card number or other identifying information to commit fraud or other crimes.1 The Federal Trade Commission (FTC) reports that nearly 10 million people have been victims of some form of identity theft.2 In fact, the FTC estimates that identity theft has resulted in nearly $48 billion in losses to businesses and nearly $5 billion in losses to its victims.3

       Recent FTC reports indicate that, in 2003, ''phone or utilities fraud'' accounted for 21% of the types of identity theft reported in this Commonwealth.4 Phone or utilities fraud is second only to credit card fraud reported in this Commonwealth.

       In response to this growing National problem, Congress has enacted legislation to address identity theft. The Fair and Accurate Credit Transactions Act of 2003 (FACT),5 in part, amended the Fair Credit Reporting Act (FCRA) to enhance the consumer's ability to resolve problems caused by identity theft. In further recognition of the serious nature of identity theft, Congress passed the Identity Theft Penalty Enhancement Act6 on July 15, 2004, to prescribe more severe penalties for those persons committing identity theft and fraud.

       While the Commission's ruling in a recent proceeding7 addressed the issue of one consumer's problem involving identity theft, the issue of identity theft as it relates to utilities and utility regulation warrants a more comprehensive review. Indeed, on a yearly basis, thousands of citizens in this Commonwealth apply to utilities and energy suppliers in this Commonwealth to initiate or transfer utility service. The Commission's current rules and regulations governing billing and credit policies8 were enacted long before identity theft became a National concern and the aforementioned federal legislation and FTC initiatives9 addressing this problem were adopted.

       Identity theft results in losses for both the customer and the utility company. For the victims of identity theft, the recovery from damage and the tainting of one's financial reputation may be a slow, arduous and time-consuming process. Often, repair to a victim's credit reputation and financial condition takes years. For the utility company, identity theft frequently results in uncollected charges for service as well as increased expenditures of company resources to collect unpaid bills. Without question, it is in the public interest that the Commission examine whether existing regulations and processes provide adequate protections against the problem of identity theft in this Commonwealth. Accordingly, with this order, the Commission directs an investigation be initiated.

       Additionally, under our authority under sections 501, 504, 505 and 506, 66 Pa.C.S. §§ 501, 504, 505 and 506, all major jurisdictional fixed utility companies, as well as telecommunications service providers, electric generation suppliers and natural gas suppliers, are directed to file written responses to the questions presented in Appendix A. Recognizing the sensitive nature of information requested, we will direct that the responses be filed under seal and that access to these documents be limited to Commission staff members. 52 Pa. Code § 5.423 (relating to orders to limit availability of proprietary information). Note that because this proceeding is presently limited to gathering relevant information, this is not a contested proceeding. Accordingly, the Commission's ex parte rules do not apply. See 66 Pa.C.S. § 334.

       Also, we invite all interested parties to file written comments on the problem of identity theft relating to utility service and to propose solutions to address the problem, including proposed amendments to the Commission's regulations relating to credit and billing procedures. The information provided will allow the Commission to determine the impact of identity theft on utilities, suppliers and their customers, and to formulate and adopt measures to better provide for identity verification and thereby reduce identity theft in the initiation, transfer and use of utility service; Therefore,

    It Is Ordered That:

       1.  An investigation docket be opened to examine the impact of identity theft on consumers and utilities, and whether existing Commission rules, regulations and policies adequately protect consumers and utilities from the effects of identity theft.

       2.  All major jurisdictional fixed utility companies, telecommunication service providers, electric generation suppliers and natural gas suppliers are directed to file written responses to the questions presented in Appendix A. An original and ten copies of the written responses and one diskette containing an electronic version of the written responses shall be filed no later than 20 days after the date of publication of this order in the Pennsylvania Bulletin. Responses shall be addressed to James J. McNulty, Secretary, Pennsylvania Public Utility Commission, P. O. Box 3265, Harrisburg, PA 17105-3265. Responses shall be marked as proprietary and filed under seal. Access to these documents will be limited to Commission staff.

       3.  A person wishing to submit written comments addressing the issues presented in this order shall do so no later than 20 days after the date of publication of this order in the Pennsylvania Bulletin. An original and ten copies of the comments and one diskette containing an electronic version of the comments shall be filed with the Commission's Secretary. Comments shall be addressed to James J. McNulty, Secretary, Pennsylvania Public Utility Commission, P. O. Box 3265, Harrisburg, PA 17105-3265.

       4.  The contact persons for this investigation are Louis Sauers, Consumer Research Analyst Supervisor, Bureau of Consumer Services, (717) 783-6688 lsauers@state.pa.us; Patricia Krise Burket, Assistant Counsel, (717) 787-3464, pburket@state.pa.us; or W. Blair Hopkin, Assistant Counsel, (717) 783-6152, whopkin@state.pa.us.

       5.  The Order and the written comments submitted shall be posted at the Commission's website: www.puc.state.pa.us.

       6.  The Order shall be published in the Pennsylvania Bulletin.

       7.  Copies of the Order shall be served on all major jurisdictional fixed utility companies, all electric generation suppliers, all natural gas suppliers, all telecommunications services providers, the Office of Trial Staff, the Office of Consumer Advocate, the Office of Small Business Advocate and the Office of Attorney General.

    JAMES J. MCNULTY,   
    Secretary

    Appendix A

       All major jurisdictional fixed utility companies, telecommunications service providers, and electric generation suppliers and natural gas suppliers, are directed to file written responses to the following questions on identity theft:10

       1.  Provide the total number of disputes, as that term is defined in Commission regulations,11 in which a customer alleged identity theft for each of the following calendar years:

       (a)  For the year ending December 31, 2000.

       (b)  For the year ending December 31, 2001.

       (c)  For the year ending December 31, 2002.

       (d)  For the year ending December 31, 2003.

       If the company keeps statistics by fiscal year, please provide the above information for the immediate past four fiscal years.

       2.  Describe and provide a copy of company policy and procedures relating to verification of the customer's identity in the application process and the account transfer process. Also, provide information regarding the circumstances under which the company requests that a consumer provide additional sources of personal identification in order to verify that consumer's identity.

       3.  Describe and provide a copy of the company's written policy regarding new applications for service. Provide a copy of rules and regulations from the company's current and effective tariff relating to new applications for service, including circumstances under which written applications are required, and circumstances under which applications for service may be accepted over the telephone. Describe the process employed by the company to verify information provided over the telephone to ensure that the person requesting the service is in fact who he or she represents themselves to be.

       4.  Other than applications for new service, what kind of personal information is required when customers call in regarding their service and seeks to do the following?

       a.  Verify the balance due.

       b.  Transfer the account into another person's name.

       c.  Complain about a service disruption.

       d.  Pay the bill over the phone.

       e.  Ask questions about their bill or service.

       f.  Close an account.

       g.  Any other action not described above.

       5.  Describe and provide a copy of the company's policy relating to the use of an applicant's or a customer's social security, particularly the circumstances under which the company requires that a social security number be provided, and how the social security number is used by the company. Describe and provide a copy of all documents related to security measures that the company uses to protect a customer's social security number. Describe and provide a copy of all documents relating to the company's procedures and policy applicable to situations where a customer refuses or fails to provide a social security number. By way of example only, if the company declines to serve to a new customer, what is the basis for the denial?

       6.  Describe and provide a copy of the company's policies and procedures relating to protecting the privacy of a customer's account information and other personal identification information that may be provided by the customer in conjunction with applying for, or transferring utility service, or paying utility bills. In particular, describe the security measures or procedures that are in place to protect or secure personal information customers provide to the company.

       7.  For the calendar year ending December 31, 2003, provide the following information related to establishing or transferring customer accounts:

       (a)  Total number of new accounts.

       (b)  Total number of transferred accounts.

       (c)  Total number of new accounts for which identity of consumer was verified by:

       i.  Credit history check.

       ii.  Government-issued photograph identification card, such as a driver's license, student identification card, employee identification card.

       iii.  Government issued nonphotograph identification card, such as a library card, voter registration card.

       iv.  Other form of identification, such as credit card, automobile club service card, student identification card, employee identification card.

       (d)  Total number of transferred accounts for which identity of the consumer was verified by:

       i.  Credit history check.

       ii.  Government-issued photograph identification card, such as a driver's license, student identification card, employee identification card.

       iii.  Government issued nonphotograph identification card, such as a library card, voter registration card.

       iv.  Other form of identification, such as credit card, automobile club service card, student identification card, employee identification card.

       8.  Provide the address and hours of operation of each company office that is open to the public where a consumer can establish or transfer a service account in person. The term ''company office'' includes an office that is operated by an agent of the company. Identify each company office that is operated by contracted agents.

       9.  Provide the total amount of costs attributable to identity theft involving customer accounts for each of the following calendar years:

       (a)  For the year ending December 31, 2000.

       (b)  For the year ending December 31, 2001.

       (c)  For the year ending December 31, 2002.

       (d)  For the year ending December 31, 2003.

       If the company keeps statistics by fiscal year, please provide the above information for the immediate past four fiscal years.

       Explain how the company identifies and tracks costs that can be attributed to identity theft. The term ''costs'' is defined to include all expenditures made in investigating and verifying identity theft claims.

       10.  Provide the total amount of losses attributable to identity theft involving customer accounts for each of the following calendar years:

       (a)  For the year ending December 31, 2000.

       (b)  For the year ending December 31, 2001.

       (c)  For the year ending December 31, 2002.

       (d)  For the year ending December 31, 2003.

       If the company keeps statistics by fiscal year, please provide the above information for the immediate past four fiscal years.

       The term ''losses'' is the dollar amount of uncollected charges for stolen service as a result of identity theft. Explain how the company identifies and tracks losses that can be attributed to identity theft. Also, explain how much of the company's active debt and write-offs, expressed in total dollars and as a percentage of the whole, are directly attributable to identity theft. Please provide figures for the company's gross debt and for gross write-offs for comparison to the percentages attributable to identity theft.

       11.  Provide a copy of the company's current procedures for conducting internal investigations related to alleged customer identity theft by a company employee. Provide a copy of the final report on each internal investigation of alleged customer identity theft by a company employee that was conducted since January 1, 2000. Identifying personal information for the employee and customer must be redacted from each report.

       12.  Provide a copy of the company's current procedures for investigating customer allegations of identity theft relating to a utility service account. Provide a copy of the final report on each such investigation conducted since January 1, 2000. Identifying personal information for the customer must be redacted from each report.

       13.  Provide the total number of internal investigations of alleged customer identity theft by company employee conducted by the company for each of the following calendar years:

       (a)  For the year ending December 31, 2000.

       (b)  For the year ending December 31, 2001.

       (c)  For the year ending December 31, 2002.

       (d)  For the year ending December 31, 2003.

       Indicate the number of internal investigations that are currently in progress.

       14.  Provide the total number of investigations of customer allegations of identity theft conducted by company for each of the following calendar years:

       (a)  For the year ending December 31, 2000.

       (b)  For the year ending December 31, 2001.

       (c)  For the year ending December 31, 2002.

       (d)  For the year ending December 31, 2003.

       Indicate the number of investigations that are currently in progress.

       15.  Identify those Commission regulations that may create an opportunity for identity theft. Explain in detail how each regulation may contribute to the identity theft, and propose amendments to correct the problem.

    Directions for Filing

       An original and ten copies of the written responses and one diskette containing an electronic version of the written responses shall be filed no later than 20 days after the date of publication of the Commission's order in the Pennsylvania Bulletin. Responses shall be addressed to James J. McNulty, Secretary, Pennsylvania Public Utility Commission, P. O. Box 3265, Harrisburg, PA 17105-3265. Responses shall be filed under seal and access thereto will be limited to Commission staff. Reference Docket No. M-00041811.

    [Pa.B. Doc. No. 04-1985. Filed for public inspection October 29, 2004, 9:00 a.m.]

    _______

    1  In the Pennsylvania Crimes Code, the offense of ''identity theft'' is defined as ''. . . the possession or use, through any means, of identifying information of another person without the consent of that other person to further any unlawful purpose.'' 18 Pa.C.S. § 4120.

    2  Prepared Statement of the Federal Trade Commission on Identity Theft: Prevention and Victim Assistance Before the Subcommittee on Oversight and Investigations of the House Committee on Energy and Commerce, December 15, 2003.

    3  Id.

    4  FTC, National and State Trends in Fraud and Identity Theft, January--December 2003, January 22, 2004. Source: Data from Consumer Sentinel and the Identity Theft Data Clearinghouse.

    5  Pub. L. No. 108-159, 117 Stat. 1952.

    6  Pub. L. No. 108-275.

    7  Donna MacDougall v. Verizon North, Inc., Doc. F-01339719 (Order adopted July 23, 2004).

    8  See, for example, 52 Pa. Code §§ 64.31 et seq.; 52 Pa. Code §§ 56.31, et seq.

    9  The FTC initiated a rulemaking, under authority in FACT, proposing rules that would establish: (1) definitions for the terms ''identity theft'' and ''identity theft report''; (2) the duration of an ''active duty alert''; and (3) the ''appropriate proof of identity'' for purposes of sections 605A (fraud alerts and active duty alerts), 605B (consumer report information blocks) and 609(a)(1) (truncation of Social Security numbers) of the FCRA, as amended by the act. FTC Rulemaking Amending 16 CFR Parts 603, 613, and 614 (Related Identity Theft Definitions, Duration of Active Duty Alerts, and Appropriate Proof of Identity Under the Fair Credit Reporting Act), RIN 308-AA94 (FTC Rulemaking Order). Final FTC action on the proposed regulations is pending.

    10  The offense of ''identity theft'' is defined as ''. . . the possession or use, through any means, of identifying information of another person without the consent of that other person to further any unlawful purpose.'' 18 Pa.C.S. § 4120.

    11  See 52 Pa. Code § 56.2 (definitions) and 52 Pa. Code § 64.2 (definitions).

Document Information