Legal Requirements to Prevent Identity Theft

Posted on July 9, 2009 by Michelle Lind, Esq.

Updated May 2016

Identity theft occurs when a person fraudulently uses a victim’s personal identifying information to access the victim’s bank account, obtain a loan or credit card, purchase goods or services, or use the victim’s name in illegal activities or if arrested. Identity thieves obtain a victim’s personal information in a variety of ways, such as searching through trash for discarded information, using a data storage device to capture credit or debit card information at point of purchase, email scams, hacking into computers or bribing an employee for access to business records. Identity theft is a class 4 felony (A.R.S. §13-2008).

In 2008, Arizona had the highest per capita rate of reported identity theft complaints in the nation according to the Federal Trade Commission (FTC) with 149 complaints per 100,000 population. The FTC top 50 metropolitan areas for identity theft complaints in 2008 include the following Arizona cities: Flagstaff (18), Yuma (28), Phoenix-Mesa-Scottsdale (38), Lake Havasu-Kingman (41), Prescott (47), Tucson (48), Sierra Vista-Douglas (50). (FTC Consumer Sentinel Network Data Book for 2008:

Due to the widespread threat of identity theft, there are numerous state and federal laws designed to address the problem. Real estate brokers and agents should be aware of these laws and ensure that their business practices comply to protect themselves and their clients.

“Shredding” Law
A.R.S. §44-7601 commonly referred to as the “shredding law” prohibits an entity from knowingly discarding or disposing of documents that contain a person’s first name/initial and last name in combination with the person’s:

  • social security number
  • credit card, charge card or debit card number
  • retirement account number
  • savings, checking or securities entitlement account number
  • driver license number or non-operating identification license number
    without redacting the personal information or destroying the documents.

The law may be enforced by either the county attorney or the Attorney General. The civil penalty for each violation of improper discarding or disposal of records or documents is $500 for a first violation, $1,000 for a second violation, and $5,000 for a third or subsequent violation.

The legislation specifies that an entity will be deemed in compliance if it maintains and complies with its own procedures that are consistent with the requirements of this law. Therefore, brokers should consider adding such procedures to their policy manuals. To read the law in its entirety, go to

Notification of Unauthorized Access to Computerized Personal Information
A.R.S. §44-7501 requires that a person conducting business that owns or licenses unencrypted computerized data that includes personal information, who becomes aware of an incident of unauthorized acquisition of the data, conduct an investigation to promptly determine if a breach of the security system has occurred. “Personal information” is defined as a person’s first name/ initial and last name in combination with any one or more of the following, when the data element is not encrypted, redacted or secured by any other method rendering the element unreadable or unusable:

  • social security number
  • driver license or non-operating identification license number
  • financial account number or credit or debit card number in combination with any required security code that would permit access to the individual’s financial account

If the person determines that there has been a breach in the security system, the person must notify the individuals affected.

Additionally, a person that maintains unencrypted computerized data that includes personal information that the person does not own, must notify and cooperate with the owner or the licensee of the information following any breach of the security of the system. The person that owns or licenses the computerized data is then obligated to provide notice to the individuals affected. The person that maintained the data under an agreement with the owner or licensee is not required to provide notice to the individuals affected, unless the agreement stipulates otherwise.

Brokers that own or license unencrypted personal computerized data should consider a policy to comply with these notification requirements. This law may only be enforced by the attorney general. The attorney general may bring an action to obtain actual damages for a willful and knowing violation and a civil penalty of up to $10,0000 per breach of the security of the system. To read this law in its entirety, go to:

Other Identity Theft Laws
A.R.S. §44-1698 allows a person to request that consumer credit reporting agencies place a security freeze on the person’s credit report or credit score. If a security freeze is in place, a consumer reporting agency may not release the person’s credit report or credit score to a third party without the person’s prior express authorization. A.R.S. § 44-1698.01 specifies that a person who does not use a credit report in connection with the approval of credit, may not lend money or extend credit without taking reasonable steps to verify the consumer’s identity and confirm that the application for an extension of credit is not the result of identity theft.

Other identity theft related laws include:

  • SPAM Law A.R.S. §44-1372
  • Retailer Use of Personal information A.R.S. §44-7701
  • Judicial Determination of Innocence due to Identity theft A.R.S. §12-771-773; 13-4440

These laws are available at:

Federal Red Flag Law
The FTC, along with several other federal agencies, issued final rules implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). These rules are referred to as the “Red Flag Rules.” A real estate broker or agent that uses credit reports, provides credit or regularly arranges for credit to be extended may be subject to some of the requirements.

The National Association of REALTORS® (NAR) has resources discussing the Red Flag rules, including a Q&A specific to real estate agents, which are available For more information:

Protect Clients and Customers from Identity Theft
Brokers and agents may receive personal information from clients and customers in connection with a real estate transaction that should be protected. The Phoenix Police Department gives the following guidance:

  • Keep all documents containing personal information of your clients, customers and employees under lock and key.
  • When personal information is held within a computer, ensure that it can only be accessed and tracked by authorized personnel using passwords and is protected with an appropriate level of security/fire walls. When the information has been transferred to the computer, any handwritten information should be shredded.
  • Shred customer personal or account information and receipts before discarding them. Consider keeping shredders within reach of those employees who handle personal/account information on a regular basis.
  • Create policies to restrict the handling of customer information to a limited number of employees.
  • Customer personal information, such as credit applications and sales receipts/carbon copies, should not be temporarily kept within reach of the casual observer. This will help to deter theft by criminals or corrupt employees. Provide a secure receptacle for employees and citizens to throw out applications/receipts or provide informational signs advising them not to carelessly discard these documents.
  • Learn more at

As Arizona’s Attorney General stated: “Identity theft is a crime of convenience. Together we can make it inconvenient for identity thieves to operate in Arizona.”

FROM NAR (83/09):
FTC Extends Red Flag Rule Compliance Date for Low-Risk Entities to November 1, 2009.

The FTC announced on July 29, 2009 that it will extend, until November 1, 2009, the date for financial companies and creditors to comply with the FACT Act’s identity theft red flag rule. Included in the definition of “creditor” is one who “arranges for credit” and NAR has argued that the usual activities of real estate agents do not typically include arranging for credit. The latest extension will allow FTC staff to finalize further guidance for “low risk entities” such as real estate agents. In addition, the FTC will create a special link on the FTC website for small businesses and low-risk entities to assist them in achieving compliance. NAR staff continues to be in contact with the FTC as further guidance is being developed for low risk entities.

FTC announcement on compliance extension
FTC Red Flag Rule FAQs

Melanie Wyne
 202-383-1234, Scott Rinn 202-383-7508, Ken Wingert 202-383-1196

Tags: ,

Michelle Lind


AAR Chief Executive Officer Michelle Lind is a State Bar of Arizona board-certified real estate specialist and the author of "Arizona Real Estate: A Professional’s Guide to Law & Practice." This article is of a general nature and may not be updated or revised for accuracy as statutory or case law changes following the date of first publication. Further, this article reflects only the opinion of the author, is not intended as definitive legal advice, and you should not act upon it without seeking independent legal counsel.