The President's Identity Theft Task Force, April 2007: Combating Identity Theft: A Strategic Plan



    COMBATING IDENTITY THEFT A Strategic Plan

    Table of Contents

    Glossary of Acronyms ..... v
    Identity Theft Task Force Members ..... vii
    Letter to the President ..... viii
    I. Executive Summary ..... 1
      A. Introduction ..... 1
      B. The Strategy ..... 2
    II. The Contours of the Identity Theft Problem ..... 10
      A. Prevalence and Costs of Identity Theft ..... 11
      B. Identity Thieves: Who They Are ..... 12
      C. How Identity Theft Happens: The Tools of the Trade ..... 13
      D. What Identity Thieves Do With the Information They Steal: The Different Forms of Identity Theft ..... 18
    III. A Strategy to Combat Identity Theft ..... 22
      A. Prevention: Keeping Consumer Data out of the Hands of Criminals ..... 22
        1. Decreasing the Unnecessary Use of Social Security Numbers ..... 23
        2. Data Security in the Public Sector ..... 27
          a. Safeguarding of Information in the Public Sector ..... 27
          b. Responding to Data Breaches in the Public Sector ..... 28
        3. Data Security in the Private Sector ..... 31
          a. The Current Legal Landscape ..... 31
          b. Implementation of Data Security Guidelines and Rules ..... 32
          c. Responding to Data Breaches in the Private Sector ..... 34
        4. Educating Consumers on Protecting Their Personal Information ..... 39
      B. Prevention: Making It Harder to Misuse Consumer Data ..... 42
      C. Victim Recovery: Helping Consumers Repair Their Lives ..... 45
        1. Victim Assistance: Outreach and Education ..... 45
        2. Making Identity Theft Victims Whole ..... 49
        3. Gathering Better Information on the Effectiveness of Victim Recovery Measures ..... 51


      D. Law Enforcement: Prosecuting and Punishing Identity Thieves ..... 52
        1. Coordination and Intelligence/Information Sharing ..... 53
          a. Sources of Identity Theft Information ..... 54
          b. Format for Sharing Information and Intelligence ..... 55
          c. Mechanisms for Sharing Information ..... 55
        2. Coordination with Foreign Law Enforcement ..... 58
        3. Prosecution Approaches and Initiatives ..... 62
        4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps ..... 65
          a. The Identity Theft Statutes ..... 65
          b. Computer-Related Identity Theft Statutes ..... 66
          c. Cyber-Extortion Statute ..... 66
          d. Sentencing Guidelines Governing Identity Theft ..... 67
        5. Training of Law Enforcement Officers and Prosecutors ..... 69
        6. Measuring Success of Law Enforcement Efforts ..... 70
    IV. Conclusion: The Way Forward ..... 72

    APPENDICES

    Appendix A: Identity Theft Task Force's Guidance Memorandum on Data Breach Protocol ..... 73
    Appendix B: Proposed Routine Use Language ..... 83
    Appendix C: Text of Amendments to 18 U.S.C. 3663(b) and 3663A(b) ..... 85
    Appendix D: Text of Amendments to 18 U.S.C. 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. 3512 ..... 87
    Appendix E: Text of Amendments to 18 U.S.C. 1028 and 1028A ..... 91
    Appendix F: Text of Amendment to 18 U.S.C. 1032(a)(2) ..... 93
    Appendix G: Text of Amendments to 18 U.S.C. 1030(a)(5), (c), and (g) and to 18 U.S.C. 2332b ..... 94
    Appendix H: Text of Amendments to 18 U.S.C. 1030(a)(7) ..... 97
    Appendix I: Text of Amendment to United States Sentencing Guideline 2B1.1 ..... 98
    Appendix J (Description of Proposed Surveys) ..... 99
    ENDNOTES ..... 101


    COMBATING IDENTITY THEFT A Strategic Plan

    Glossary of Acronyms

    AAMVA: American Association of Motor Vehicle Administrators
    AARP: American Association of Retired Persons
    ABA: American Bar Association
    APWG: Anti-Phishing Working Group
    BBB: Better Business Bureau
    BIN: Bank Identification Number
    BJA: Bureau of Justice Assistance
    BJS: Bureau of Justice Statistics
    CCIPS: Computer Crime and Intellectual Property Section (DOJ)
    CCMSI: Credit Card Mail Security Initiative
    CFAA: Computer Fraud and Abuse Act
    CFTC: Commodity Futures Trading Commission
    CIO: Chief Information Officer
    CIP: Customer Identification Program
    CIRFU: Cyber Initiative and Resource Fusion Center
    CMRA: Commercial Mail Receiving Agency
    CMS: Centers for Medicare and Medicaid Services (HHS)
    CRA: Consumer reporting agency
    CVV2: Card Verification Value 2
    DBFTF: Document and Benefit Fraud Task Force
    DHS: Department of Homeland Security
    DOJ: Department of Justice
    DPPA: Driver's Privacy Protection Act of 1994
    FACT Act: Fair and Accurate Credit Transactions Act of 2003
    FBI: Federal Bureau of Investigation
    FCD: Financial Crimes Database
    FCRA: Fair Credit Reporting Act
    FCU Act: Federal Credit Union Act
    FDI Act: Federal Deposit Insurance Act
    FDIC: Federal Deposit Insurance Corporation
    FEMA: Federal Emergency Management Agency
    FERPA: Family and Educational Rights and Privacy Act of 1974
    FFIEC: Federal Financial Institutions Examination Council
    FIMSI: Financial Industry Mail Security Initiative
    FinCEN: Financial Crimes Enforcement Network (Department of Treasury)
    FISMA: Federal Information Security Management Act of 2002
    FRB: Federal Reserve Board of Governors
    FSI: Financial Services, Inc.
    FTC: Federal Trade Commission
    FTC Act: Federal Trade Commission Act
    GAO: Government Accountability Office
    GLB Act: Gramm-Leach-Bliley Act
    HHS: Department of Health and Human Services
    HIPAA: Health Insurance Portability and Accountability Act of 1996
    IACP: International Association of Chiefs of Police
    IAFCI: International Association of Financial Crimes Investigators
    IC3: Internet Crime Complaint Center
    ICE: U.S. Immigration and Customs Enforcement
    IRS: Internal Revenue Service
    IRS CI: IRS Criminal Investigation Division


    IRTPA: Intelligence Reform and Terrorism Prevention Act of 2004
    ISI: Intelligence Sharing Initiative (U.S. Postal Inspection Service)
    ISP: Internet service provider
    ISS LOB: Information Systems Security Line of Business
    ITAC: Identity Theft Assistance Center
    ITCI: Information Technology Compliance Institute
    ITRC: Identity Theft Resource Center
    MCC: Major Cities Chiefs
    NAC: National Advocacy Center
    NASD: National Association of Securities Dealers, Inc.
    NCFTA: National Cyber Forensic Training Alliance
    NCHELP: National Council of Higher Education Loan Programs
    NCUA: National Credit Union Administration
    NCVS: National Crime Victimization Survey
    NDAA: National District Attorneys Association
    NIH: National Institutes of Health
    NIST: National Institute of Standards and Technology
    NYSE: New York Stock Exchange
    OCC: Office of the Comptroller of the Currency
    OIG: Office of the Inspector General
    OJP: Office of Justice Programs (DOJ)
    OMB: Office of Management and Budget
    OPM: Office of Personnel Management
    OTS: Office of Thrift Supervision
    OVC: Office for Victims of Crime (DOJ)
    PCI: Payment Card Industry
    PIN: Personal Identification Number
    PMA: President's Management Agenda
    PRC: Privacy Rights Clearinghouse
    QRP: Questionable Refund Program (IRS CI)
    RELEAF: Operation Retailers & Law Enforcement Against Fraud
    RISS: Regional Information Sharing Systems
    RITNET: Regional Identity Theft Network
    RPP: Return Preparer Program (IRS CI)
    SAR: Suspicious Activity Report
    SBA: Small Business Administration
    SEC: Securities and Exchange Commission
    SMP: Senior Medicare Patrol
    SSA: Social Security Administration
    SSL: Security Socket Layer
    SSN: Social Security number
    TIGTA: Treasury Inspector General for Tax Administration
    UNCC: United Nations Crime Commission
    USA PATRIOT Act: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Pub. L. No. 107-56)
    USB: Universal Serial Bus
    US-CERT: United States Computer Emergency Readiness Team
    USPIS: United States Postal Inspection Service
    USSS: United States Secret Service
    VHA: Veterans Health Administration
    VOIP: Voice Over Internet Protocol
    VPN: Virtual private network
    WEDI: Workgroup for Electronic Data Interchange


    Identity Theft Task Force Members

    Alberto R. Gonzales, Chairman, Attorney General
    Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission
    Henry M. Paulson, Department of Treasury
    Carlos M. Gutierrez, Department of Commerce
    Michael O. Leavitt, Department of Health and Human Services
    R. James Nicholson, Department of Veterans Affairs
    Michael Chertoff, Department of Homeland Security
    Rob Portman, Office of Management and Budget
    John E. Potter, United States Postal Service
    Ben S. Bernanke, Federal Reserve System
    Linda M. Springer, Office of Personnel Management
    Sheila C. Bair, Federal Deposit Insurance Corporation
    Christopher Cox, Securities and Exchange Commission
    JoAnn Johnson, National Credit Union Administration
    Michael J. Astrue, Social Security Administration
    John C. Dugan, Office of the Comptroller of the Currency
    John M. Reich, Office of Thrift Supervision


    Letter to the President

    April 11, 2007

    The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

    Dear Mr. President:

    By establishing the President's Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.



    The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

    There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

    Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.

    Very truly yours,

    Alberto R. Gonzales, Chairman
    Attorney General

    Deborah Platt Majoras, Co-Chairman
    Chairman, Federal Trade Commission


    I. Executive Summary

    From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

    A. Introduction

    Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,[1] which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies[2] have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

    Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government, from the largest cities with major police departments to the smallest towns with one fraud detective, identity theft has placed increasingly pressing demands on law enforcement.

    Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

    In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.[3] The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

    The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

    These communications from the public went a long way toward informing the Task Force's recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

    B. The Strategy

    Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual's personal information to commit fraud. Identity theft has at least three stages in its life cycle, and it must be attacked at each of those stages:

    First, the identity thief attempts to acquire a victim's personal information.

    Criminals must first gather personal information, either through low-tech methods such as stealing mail or workplace records, or dumpster diving, or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

    Second, the thief attempts to misuse the information he has acquired.

    In this stage, criminals have acquired the victim's personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

    Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

    New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim's name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

    In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

    Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

    At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

    In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation's citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

    The Plan focuses on improvements in four key areas:

    • keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
    • making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
    • assisting the victims of identity theft in recovering from the crime; and
    • deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

    In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

    • that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
    • that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
    • that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
    • that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

    The Task Force believes that all of the recommendations in this strategic plan, from these broad policy changes to the small steps, are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President's Task Force on Identity Theft:

    PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

    Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.


    Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While perfect security does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

    Data Security in Public Sector

    Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

    • Survey current use of SSNs by federal government
    • Issue guidance on appropriate use of SSNs
    • Establish clearinghouse for best agency practices that minimize use of SSNs
    • Work with state and local governments to review use of SSNs

    Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance

    • Develop concrete guidance and best practices
    • Monitor agency compliance with data security guidance
    • Protect portable storage and communications devices

    Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies

    • Issue data breach guidance to agencies
    • Publish a routine use allowing disclosure of information after a breach to those entities that can assist in responding to the breach

    Data Security in Private Sector

    Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

    Develop Comprehensive Record on Private Sector Use of Social Security Numbers

    Better Educate the Private Sector on Safeguarding Data

    • Hold regional seminars for businesses on safeguarding information
    • Distribute improved guidance for private industry

    Initiate Investigations of Data Security Violations

    Initiate a Multi-Year Public Awareness Campaign

    • Develop national awareness campaign
    • Enlist outreach partners
    • Increase outreach to traditionally underserved communities
    • Establish "Protect Your Identity" Days

    Develop Online Clearinghouse for Current Educational Resources

    PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

    Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim's name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

    Authentication includes determining a person's identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: Identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

    Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses, for example, multi-factor authentication or layered security, would go a long way toward preventing criminals from profiting from identity theft.

    Hold Workshops on Authentication

    • Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity
    • Issue report on workshop findings

    Develop a Comprehensive Record on Private Sector Use of SSNs

    VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

    Identity theft can be committed despite a consumer's best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.


    Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims

    • Train law enforcement officers
    • Provide educational materials for first responders that can be used as a reference guide for identity theft victims
    • Create and distribute an ID Theft Victim Statement of Rights
    • Design nationwide training for victim assistance counselors

    Develop Avenues for Individualized Assistance to Identity Theft Victims

    Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

    Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

    Assess Efficacy of Tools Available to Victims

    • Conduct assessment of FACT Act remedies under FCRA
    • Conduct assessment of state credit freeze laws

    LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

    Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

    Coordination and Information/Intelligence Sharing

    Establish a National Identity Theft Law Enforcement Center

    Develop and Promote the Use of a Universal Identity Theft Report Form

    Enhance Information Sharing Between Law Enforcement and the Private Sector

    • Enhance ability of law enforcement to receive information from financial institutions
    • Initiate discussions with financial services industry on countermeasures to identity theft
    • Initiate discussions with credit reporting agencies on preventing identity theft

    Coordination with Foreign Law Enforcement

    Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

    Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

    Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

    Enhance the United States Government's Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

    Assist, Train, and Support Foreign Law Enforcement

    Prosecution Approaches and Initiatives

    Increase Prosecutions of Identity Theft

    • Designate an identity theft coordinator for each United States Attorney's Office to design a specific identity theft program for each district
    • Evaluate monetary thresholds for prosecution
    • Encourage state prosecution of identity theft
    • Create working groups and task forces

    Conduct Targeted Enforcement Initiatives

    • Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale
    • Conduct enforcement initiatives focused on identity theft related to the health care system
    • Conduct enforcement initiatives focused on identity theft by illegal aliens

    Review Civil Monetary Penalty Programs


    Gaps in Statutes Criminalizing Identity Theft

    Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes

    • Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted
    • Add new crimes to the list of predicate offenses for aggravated identity theft offenses
    • Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications
    • Penalize creators and distributors of malicious spyware and keyloggers
    • Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

    Ensure That an Identity Thief's Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

    Law Enforcement Training

    Enhance Training for Law Enforcement Officers and Prosecutors

    • Develop course at National Advocacy Center focused on investigation and prosecution of identity theft
    • Increase number of regional identity theft seminars
    • Increase resources for law enforcement on the Internet
    • Review curricula to enhance basic and advanced training on identity theft

    Measuring the Success of Law Enforcement

    Enhance the Gathering of Statistical Data Impacting the Criminal Justice System's Response to Identity Theft

    Gather and analyze statistically reliable data from identity theft victims

    Expand scope of national crime victimization survey

    Review U.S. Sentencing Commission data

    Track prosecutions of identity theft and resources spent

    Conduct targeted surveys


    II. The Contours of the Identity Theft Problem

    THE CONTOURS OF THE IDENTITY THEFT PROBLEM

    Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.

    Identity theft, the misuse of another individual's personal information to commit fraud, can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or dumpster diving, or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.

    Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain's identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain's name and with his Social Security number. The military identification, combined with the victim's then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim's name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim's name.4

    In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim's existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim's safe-deposit boxes.5

    In these ways and others, consumers' lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.

    I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver's license was suspended. I hold three licenses in the State of Ohio: my driver's license, my real estate license, and my R.N. license. After learning my driver's license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter.

    Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003

    A. PREVALENCE AND COSTS OF IDENTITY THEFT

    There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.

    Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.

    In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.

    In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.

    Consumers' fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.

    B. IDENTITY THIEVES: WHO THEY ARE

    Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC's 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.

    Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.

    Individuals

    According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners' mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9

    A number of recent reports have focused on the connection between individual methamphetamine (meth) users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.


    In an article entitled "Waitress Gets Own ID When Carding Patron," the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver's license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.

    In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $181,517.05 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver's license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.


    Significant Criminal Groups and Organizations

    Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups, including national gangs such as Hells Angels and MS-13, are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.

    Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user's Internet connection, without the user's knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services, such as software templates for making counterfeit identification cards and payment card magnetic strip encoders, that make the stolen data even more valuable to those who have it.

    C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE

    Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim's name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.

    Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.

    In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant's accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an unprecedented, wide-ranging, organized criminal enterprise that engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers. The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.

    The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.

    Common Theft and Dumpster Diving

    While often considered a high-tech crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as dumpster diving.13 Still others steal information using techniques no more sophisticated than purse snatching.

    Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed, a measure that is intended, among other things, to reduce the ability of a dumpster diver to obtain a victim's credit card number simply by looking through that victim's discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15

    Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice

    A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.
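    As an added illustration of the receipt-truncation control described above (this is example code, not part of the Task Force report), the following Python masks every Luhn-valid card number found in receipt text down to its last four digits, while leaving shorter numeric fields such as approval codes and invoice numbers untouched. The receipt text is constructed sample data; 4111 1111 1111 1111 is a standard test card number, not a real account.

```python
import re

# Constructed sample receipt. The card number is a well-known test number;
# the approval code and invoice number are fillers that must NOT be masked.
SAMPLE_RECEIPT = """\
ACME HARDWARE  STORE #0042
CARD: 4111 1111 1111 1111
APPROVAL: 123456
TOTAL: $45.17
INVOICE 2006-0017
"""

# Candidate primary account numbers: 13 to 19 digits, optionally separated
# by single spaces or hyphens (the way receipts usually print them).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_candidate(match) -> str:
    """Mask all but the last four digits of a Luhn-valid candidate.

    Separators are preserved so the masked value keeps its printed layout.
    Strings that fail the Luhn check are returned unchanged, which keeps
    long order or reference numbers readable.
    """
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        return raw
    keep_from = len(digits) - 4
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def truncate_pans(text: str) -> str:
    """Apply receipt-style truncation to every card number in the text."""
    return PAN_RE.sub(_mask_candidate, text)


if __name__ == "__main__":
    print(truncate_pans(SAMPLE_RECEIPT))
```

    The Luhn check is what keeps the filter from blanking every long number on the receipt: a merchant's own transaction or invoice identifiers are left alone, while anything that is structurally a payment card number is reduced to the last four digits the statute permits.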

    Employee/Insider Theft

    Dishonest insiders can steal sensitive consumer data by removing paper documents from a worksite or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee's access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.

    Electronic Intrusions or Hacking

    Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.

    Second, hackers also can gain access to underlying applications programs used to communicate between Internet users and a company's internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker's application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.

    According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.

    Social Engineering: Phishing, Malware/Spyware, and Pretexting

    Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as social engineering, can take a variety of forms.

    In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution's screening practices came to light through the OCC's review of the former employee's activities.

    In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe's Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe's retail store in Michigan and gained access to Lowe's central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe's retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.

    Phishing: Phishing is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources, often financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to reenter or validate their personal data. Such phishing schemes often mimic financial institutions' websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed "vishing," in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18
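    The phishing indicators the paragraph above describes can be checked mechanically on the receiving side: a link whose visible text names the institution while its destination is a different host, the institution's name buried in a subdomain of an unrelated site, and "verify now or lose access" urgency language. The following Python is an added example, not part of the report or of any vendor's product; examplebank.com is an assumed brand domain and both message bodies are constructed samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand domain of the institution being impersonated (constructed).
LEGITIMATE_DOMAIN = "examplebank.com"

# Constructed phishing body: the anchor text shows the real bank's URL, but
# the href leads to a host that merely contains the brand as a subdomain.
PHISHING_SAMPLE = """
<p>Dear customer, your online access will be suspended unless you verify your
account details within 24 hours.</p>
<p>Sign in at <a href="http://examplebank.com.verify-login.example/update">
https://www.examplebank.com/secure</a> to keep your account active.</p>
"""

# Constructed legitimate body for comparison: text and href agree.
LEGITIMATE_SAMPLE = """
<p>Your monthly statement is ready.</p>
<p>View it at <a href="https://www.examplebank.com/statements">
https://www.examplebank.com/statements</a>.</p>
"""

URGENCY_RE = re.compile(
    r"suspend|verify your|within \d+ hours|account (?:will be )?closed", re.I)


class _MailParser(HTMLParser):
    """Collects every <a> as (href, visible text) plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname; tolerates bare 'www.example.com' anchor text."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_site(a: str, b: str) -> bool:
    """True when one host equals, or is a subdomain of, the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def looks_like_url(text: str) -> bool:
    return bool(re.match(r"^(https?://|www\.)", text.strip(), re.I))


def find_phishing_indicators(html: str, brand_domain: str = LEGITIMATE_DOMAIN):
    """Return (indicator, detail) pairs found in an HTML email body."""
    parser = _MailParser()
    parser.feed(html)
    findings = []
    for href, shown in parser.links:
        actual = host_of(href)
        if looks_like_url(shown) and not same_site(host_of(shown), actual):
            findings.append(("display-mismatch",
                             f"text shows {host_of(shown)} but link goes to {actual}"))
        if brand_domain in actual and not same_site(actual, brand_domain):
            findings.append(("brand-in-subdomain",
                             f"{brand_domain} appears inside unrelated host {actual}"))
    if URGENCY_RE.search("".join(parser.text_parts)):
        findings.append(("urgency", "message pressures the reader to act quickly"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_phishing_indicators(PHISHING_SAMPLE):
        print(f"{kind}: {detail}")
```

    None of these checks is conclusive on its own; a legitimate notice can be urgent and a tracking redirect can make text and destination differ. Together, though, they reproduce the judgement a careful reader is asked to make, and they can be applied before the message ever reaches the reader.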

    Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users' computers and data without the users' permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user's Internet sessions back to the hacker, including usernames and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims' passwords and other useful data, such as sniffing Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.

    Phishing Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group

    At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS's website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information, such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things, the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.

    Pretexting: Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer's account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer's name.20

    Stolen Media

    In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an incidental manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded, such as through the use of technological tools for protecting data, this information can be accessed and used to steal the victim's identity. Identity thieves also may obtain consumer data when it is lost or misplaced.

    Failure to Know Your Customer

    Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.

    The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.

    Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.

    In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.

    Skimming

    Because it is possible to use someone's credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as skimmers. A skimmer is an inexpensive electronic device with a slot through which a person passes, or skims, a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer's sight, he can skim the card through the device, and then swipe it through the restaurant's own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer's card, as well as the consumer's password.

    D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT

    Once they obtain victims' personal information, criminals misuse it in endless ways, from opening new accounts in the victim's name, to accessing the victim's existing accounts, to using the victim's name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.

    Misuse of Existing Accounts

    Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer's wallet.


    A skimmer. Source: Durham, Ontario Police

    In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.


    Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims' bank accounts, including checking accounts, sometimes referred to as account takeovers.24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims' online brokerage accounts.25

    Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26

    New Account Fraud

    A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim's name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.

    Criminal's skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customers' keystrokes. Source: University of Texas Police Department

    In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor's Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $1.3 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.


    When criminals establish new credit card accounts in others' names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others' names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.

    Brokering of Stolen Data

    Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as carding sites, traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.

    Immigration Fraud

    In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.

    Medical Identity Theft

    Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim's identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.

    THE CONTOURS OF THE IDENTITY THEFT PROBLEM

    Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorneys' Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver's licenses, credit, or even medical services because someone had improperly used their personal information before.


    Other Frauds

    Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS's Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.

    With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services' Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.

    Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney's Office for the Southern District of New York obtained a criminal conviction against him in 2002.

    In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant's allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.

  • A STRATEGY TO COMBAT IDENTITY THEFT

    III. A Strategy to Combat Identity Theft

    Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its life cycle, it must be attacked at each of those stages, including:

    • when the identity thief attempts to acquire a victim's personal information;

    • when the thief attempts to misuse the information he has acquired; and

    • after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

    The federal government's strategy to combat identity theft must address each of these stages by:

    • keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;

    • making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;

    • assisting victims in recovering from the crime; and

    • deterring identity theft by aggressively prosecuting and punishing those who commit the crime.

    A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force's recommendations, as described below, are focused on those areas.

    A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

    Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.

    Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as perfect security, some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.

    The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.29 Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.

    1. Decreasing the Unnecessary Use of Social Security Numbers

    The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim's SSN and certain other information generally can open accounts or obtain other benefits in the victim's name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.

    SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers' earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, is expressly authorized by statute.

    The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.

    Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the student's identification number for a range of purposes, from administering loans to tracking grades, and may place it on students' identification cards, although usage for these purposes is declining.

    In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver's licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.

    SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.30 Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.

    No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations' disclosure of SSNs without patient authorization; and the Driver's Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 permissible uses.31 In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.32 A number of state statutes restrict the use and display of SSNs in certain contexts.33 Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.34

    There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.

    Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization's internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN's use as an authenticator.

    In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA's Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.


    Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber's identification number.35 Additionally, the Department of Treasury's Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.

    More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.

    RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR

    To limit the unnecessary use of SSNs in the public sector and to begin to develop alternative strategies for identity management, the Task Force recommends the following:

    Complete Review of Use of SSNs. As recommended in the Task Force's interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in any system of permanent account numbers pertaining to individuals, should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.

    When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim's name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief's medical information was added to the victim's medical records.


    Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.
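    The recommendation above (restrict, conceal, or mask SSNs in employee records) and the earlier point that an organization-generated unique identifier can replace the SSN as an internal identifier while the statutorily authorized uses continue, shown together as an added example that is not from the Task Force report or any agency system; the purpose names, record layout, vault and sample SSN are assumptions made for illustration:

```python
# Added example, not from the Task Force report or any agency system: an
# employee record store that keeps the SSN out of everyday identifiers. Other
# systems key on an organization-generated employee ID and see only a masked
# SSN; the full SSN sits in a separate vault released only for listed purposes.
import re
import secrets
import string
from typing import Dict, List, Optional, Tuple

# Purposes for which the report says SSN use is authorized by statute and must
# continue (employment and taxation, employment verification, law enforcement
# data sharing). The names here are assumed; any other purpose is treated as a
# convenience use and refused.
AUTHORIZED_SSN_PURPOSES = frozenset({
    "tax_reporting",
    "employment_verification",
    "law_enforcement_sharing",
})

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def mask_ssn(ssn: str) -> str:
    """Display form that conceals all but the last four digits."""
    if not SSN_RE.match(ssn):
        raise ValueError("SSN must be in NNN-NN-NNNN form")
    return "XXX-XX-" + ssn[-4:]


def new_employee_id() -> str:
    """Organization-generated identifier with no relation to the SSN."""
    alphabet = string.ascii_uppercase + string.digits
    return "EMP-" + "".join(secrets.choice(alphabet) for _ in range(8))


class EmployeeDirectory:
    """Records keyed by employee ID; full SSNs live only in the vault."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, str]] = {}  # what HR/IT queries read
        self._ssn_vault: Dict[str, str] = {}           # employee_id -> full SSN
        # Every request for a full SSN is logged: (employee_id, purpose, granted)
        self.access_log: List[Tuple[str, str, bool]] = []

    def enroll(self, name: str, ssn: str) -> str:
        emp_id = new_employee_id()
        # The general record stores only the masked form, so a leak of the
        # directory does not expose the authenticator identity thieves want.
        self._records[emp_id] = {"name": name, "ssn_display": mask_ssn(ssn)}
        self._ssn_vault[emp_id] = ssn
        return emp_id

    def record(self, emp_id: str) -> Dict[str, str]:
        """Everyday lookup: a copy of the record with no full SSN in it."""
        return dict(self._records[emp_id])

    def full_ssn(self, emp_id: str, purpose: str) -> Optional[str]:
        """Release the full SSN only for an authorized purpose; log the attempt."""
        granted = purpose in AUTHORIZED_SSN_PURPOSES and emp_id in self._ssn_vault
        self.access_log.append((emp_id, purpose, granted))
        return self._ssn_vault[emp_id] if granted else None


def demo() -> dict:
    """Run the flow on constructed sample data and return the observable results."""
    d = EmployeeDirectory()
    emp = d.enroll("Pat Example", "123-45-6789")  # constructed sample SSN
    return {
        "id_prefix": emp[:4],
        "record": d.record(emp),
        "tax": d.full_ssn(emp, "tax_reporting"),         # authorized: released
        "id_card": d.full_ssn(emp, "id_card_printing"),  # convenience: refused
        "log": d.access_log,
    }


if __name__ == "__main__":
    print(demo())
```

    The access log is the audit trail a reviewer would use to find systems still pulling the full SSN for convenience uses.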

    Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.36

    Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB's review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices, including the development of any alternative strategies for identity management, to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.

    Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments through organizations such as the National Governors Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.

    RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

    SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.

    2. Data Security in the Public Sector

    While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.

    a. Safeguarding of Information in the Public Sector

    Two sets of laws and associated policies frame the federal government's responsibilities in the area of data security. The first specifically governs the federal government's information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.37 The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a time-out function for remote access and mobile devices.38 The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.39

    Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President's Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.40

    Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISSLOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.

    Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.

    b. Responding to Data Breaches in the Public Sector

    Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.

    The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.

    RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE

    To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:

    Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISSLOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 mistakes to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.

    Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency's quarterly PMA Scorecard.

    Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of lap