Updated May 2016

Identity theft occurs when a person fraudulently uses a victim’s personal identifying information to access the victim’s bank account, obtain a loan or credit card, purchase goods or services, or use the victim’s name in illegal activities or if arrested. Identity thieves obtain a victim’s personal information in a variety of ways, such as searching through trash for discarded information, using a data storage device to capture credit or debit card information at point of purchase, email scams, hacking into computers or bribing an employee for access to business records. Identity theft is a class 4 felony (A.R.S. §13-2008).

Due to the widespread threat of identity theft, there are numerous state and federal laws designed to address the problem. Real estate brokers and agents should be aware of these laws and ensure that their business practices comply to protect themselves and their clients.

“Shredding” Law
A.R.S. §44-7601 commonly referred to as the “shredding law” prohibits an entity from knowingly discarding or disposing of documents that contain a person’s first name/initial and last name in combination with the person’s:

• social security number
• credit card, charge card or debit card number
• retirement account number
• savings, checking or securities entitlement account number
• driver license number or non-operating identification license number
  without redacting the personal information or destroying the documents.

The law may be enforced by either the county attorney or the Attorney General. The civil penalty for each violation of improper discarding or disposal of records or documents is $500 for a first violation, $1,000 for a second violation, and $5,000 for a third or subsequent violation.

The legislation specifies that an entity will be deemed in compliance if it maintains and complies with its own procedures that are consistent with the requirements of this law. Therefore, brokers should consider adding such procedures to their policy manuals. To read the law in its entirety, go to www.azleg.state.az.us/FormatDocument.asp?inDoc=/ars/44/07601.htm&Title=44&DocType=ARS

Notification of Unauthorized Access to Computerized Personal Information
A.R.S. §44-7501 requires that a person conducting business that owns or licenses unencrypted computerized data that includes personal information, who becomes aware of an incident of unauthorized acquisition of the data, conduct an investigation to promptly determine if a breach of the security system has occurred. “Personal information” is defined as a person’s first name/ initial and last name in combination with any one or more of the following, when the data element is not encrypted, redacted or secured by any other method rendering the element unreadable or unusable:

• social security number
• driver license or non-operating identification license number
• financial account number or credit or debit card number in combination with any required security code that would permit access to the individual’s financial account

If the person determines that there has been a breach in the security system, the person must notify the individuals affected.

Additionally, a person that maintains unencrypted computerized data that includes personal information that the person does not own, must notify and cooperate with the owner or the licensee of the information following any breach of the security of the system. The person that owns or licenses the computerized data is then obligated to provide notice to the individuals affected. The person that maintained the data under an agreement with the owner or licensee is not required to provide notice to the individuals affected, unless the agreement stipulates otherwise.

Brokers that own or license unencrypted personal computerized data should consider a policy to comply with these notification requirements. This law may only be enforced by the attorney general. The attorney general may bring an action to obtain actual damages for a willful and knowing violation and a civil penalty of up to $10,0000 per breach of the security of the system. To read this law in its entirety, go to: www.azleg.state.az.us/FormatDocument.asp?inDoc=/ars/44/07501.htm&Title=44&DocType=ARS

Other Identity Theft Laws
A.R.S. §44-1698 allows a person to request that consumer credit reporting agencies place a security freeze on the person’s credit report or credit score. If a security freeze is in place, a consumer reporting agency may not release the person’s credit report or credit score to a third party without the person’s prior express authorization. A.R.S. § 44-1698.01 specifies that a person who does not use a credit report in connection with the approval of credit, may not lend money or extend credit without taking reasonable steps to verify the consumer’s identity and confirm that the application for an extension of credit is not the result of identity theft.

Other identity theft related laws include:

• SPAM Law A.R.S. §44-1372
• Retailer Use of Personal information A.R.S. §44-7701
• Judicial Determination of Innocence due to Identity theft A.R.S. §12-771-773; 13-4440

These laws are available at: www.azleg.state.az.us/ArizonaRevisedStatutes.asp.

Federal Red Flag Law
The FTC, along with several other federal agencies, issued final rules implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). These rules are referred to as the “Red Flag Rules.” A real estate broker or agent that uses credit reports, provides credit or regularly arranges for credit to be extended may be subject to some of the requirements.

The National Association of REALTORS® (NAR) has resources discussing the Red Flag rules, including a Q&A specific to real estate agents, which are available at:www.realtor.org/government_affairs/factact_identitytheft. For more information:

• Contact Bill Gilmartin at NAR’s office in Washington, DC at 202-383-1102 or wgilmartin@realtors.org
• Contact FTC Bureau of Consumer Protection, Division Privacy and Identity Protection at 202-326-2252
• Visit the FTC website at: https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags-rule-how-guide-business

Protect Clients and Customers from Identity Theft
Brokers and agents may receive personal information from clients and customers in connection with a real estate transaction that should be protected. The Phoenix Police Department gives the following guidance:

• Keep all documents containing personal information of your clients, customers and employees under lock and key.
• When personal information is held within a computer, ensure that it can only be accessed and tracked by authorized personnel using passwords and is protected with an appropriate level of security/fire walls. When the information has been transferred to the computer, any handwritten information should be shredded.
• Shred customer personal or account information and receipts before discarding them. Consider keeping shredders within reach of those employees who handle personal/account information on a regular basis.
• Create policies to restrict the handling of customer information to a limited number of employees.
• Customer personal information, such as credit applications and sales receipts/carbon copies, should not be temporarily kept within reach of the casual observer. This will help to deter theft by criminals or corrupt employees. Provide a secure receptacle for employees and citizens to throw out applications/receipts or provide informational signs advising them not to carelessly discard these documents.
• Learn more at https://www.phoenix.gov/police/policing-phoenix-stories/id-theft.

As Arizona’s Attorney General stated: “Identity theft is a crime of convenience. Together we can make it inconvenient for identity thieves to operate in Arizona.”www.azag.gov/cybercrime/ID_Theft.html