Identity theft has become one of the top legal concerns of the information age, as legions of hackers and scammers appropriate other people's personal data (social security numbers, credit card numbers, bank account numbers, driver's license numbers, etc.) and use it for their own personal gain. Most
According to the Federal Trade Commission, more than half of all complaints tracked in 2003 concerned identity theft. Some 215,000 cases of identity theft were reported to the FTC in 2003, up from approximately 162,000 the previous year. The agency reports that in 2002 alone, the United States had some 9.9 million identity theft victims, costing businesses and consumers $53 million. Over the last five years, the total number of identity theft victims in the United States reached 27.3 million.
It gets worse: between April 2003 and April 2004, "phishing" (one of the newest scams leading to identity theft) cost victims more than $1.2 billion. Phishing scams involve fooling consumers into giving their personal data to thieves masquerading as legitimate banks, credit card companies and other e-commerce operations.
Identity theft is not just a problem for financial companies and people who let their personal data fall into the wrong hands, however. Identity theft can hurt any company that maintains personal information about employees and/or customers. Most corporations house personal information about their employees (such as security passwords, home addresses, credit card details and personal bank account numbers for payroll deposits) in their computer databases. As the keeper of this information, the duty to ensure its security falls to the company. Failing to do so can create enormous legal liability as well as reputation risk.
The threat of identity theft, however, can be significantly reduced if companies enact a series of simple but thorough procedures to prevent identity theft where it most commonly occurs.
Threat Assessment
Auditing for susceptibility to social engineering is an objective method of determining how vulnerable personal information stored inside the walls of a corporation is to theft. Most people are shocked by how easily personal information can be coaxed from unsuspecting employees, covertly photographed or simply found in a dumpster.
And while the $25,000 to $35,000 price tag for many social engineering audits may seem high, that cost is easily offset by the millions of dollars of liability risk represented by the vulnerabilities such an audit reveals.
During the course of conducting social engineering audits, information security consultants obtain lists of employees including spouses' names, home addresses and home phone numbers. Any of this information can be used to perpetrate identity theft. An employee list containing home addresses and spousal information presents a textbook opportunity for perpetrating fraud.
For example, an organization posing as a credit card company could solicit new credit card subscriptions by mail from the client's employee list. They could make an attractive offer to apply for a new credit card, perhaps with an interest rate of 1% for the first year. Of course, they would request the applicants' social security numbers as part of the registration information. The client "mailing list" would simplify this process for the perpetrator.
Likewise, a person posing as a data verification agent for insurance companies could telephone busy spouses at home to verify details of insurance coverage, including the PIN of the husband or wife. Spouses who care for small children are particularly susceptible to this type of fraud during the daytime when little ones may be at home.
Company executives who want a more quantifiable estimate of the safety of personal information in the custody of various corporations should ask themselves the following questions to see how well prepared they are to prevent identity theft. Answering "no" to any of these questions indicates an opportunity to improve the corporate privacy policy.
* Is all personal information on file accessible on a strictly enforced, need-to-know basis?
* Does the executive committee regularly review the corporate privacy policy?
* Does the company undergo regular social engineering audits, emphasizing privacy?
* Are all hard-copy personal information documents shredded or securely disposed of?
* Are employees strictly forbidden to divulge any personal information about other employees?
* Does the company regularly conduct external security audits done by third-party experts?
* Are employees strictly prohibited from allowing "body surfing" (allowing outside visitors to enter the premises along with them through secured access points without presenting proper identification)?
* Does the company have a privacy officer?
* Does the company have stringent policies, technology and regular audits, regarding the management of viruses and spam (junk e-mail)?
* Are employees regularly reminded not to open e-mail from unknown sources, especially if the message contains attachments, such as executable files?
* Are employees required to report unaccompanied visitors to security?
Legislation to Protect Personal Information
As a matter of risk management, companies need to create, monitor and enforce strict privacy protection policies to safeguard any personal information they keep, whether it is for employees or customers. In addition to that, however, state and federal governments across North America are enacting laws to protect personal privacy, which makes the corporate risk manager's responsibilities all the more critical.
The Identity Theft Penalty Enhancement Act. Signed into law on July 15, 2004, the Act adds two years to prison sentences for criminals convicted of committing crimes with stolen credit card numbers and other personal data. Those who use such information to conduct terrorist acts get an additional five years.
The Identity Theft and Assumption Deterrence Act. Enacted October 30, 1998, this legislation makes identity theft a Federal crime with penalties of up to 15 years imprisonment and a maximum fine of $250,000. It establishes that the person whose identity was stolen is a true victim; previously, only the creditors who suffered monetary losses were considered victims. This legislation enables the Secret Service, the FBI and other law enforcement agencies to combat this crime. It allows the identity theft victim to seek restitution if there is a conviction. It also establishes the Federal Trade Commission as a central agency to act as a clearinghouse for complaints (against credit reporting agencies and creditors), referrals and resources for assistance for victims of identity theft. This statute may serve as a model for states to enact similar legislation and may also provide companies with leverage to influence law enforcement to investigate cases.
Notification of Risk to Personal Data Act. On June 26, 2003 Senator Dianne Feinstein (D-California) introduced legislation that would require businesses or government agencies to notify individuals when their database is broken into and personal data (e.g., social security number, driver's license number, bank account number or credit card number) has been compromised. The bill was modeled partly on California's law SB 1386, and failure to comply would result in fines of $5,000 per violation or up to $25,000 per day while the violation persists.
The Canadian Privacy Act. In place since 1983, the Privacy Act protects the personal information of Canadian citizens as collected by government agencies. The Privacy Act guarantees citizens access to information collected about them and their right to challenge the accuracy of that information.
The Personal Information Protection and Electronic Documents Act. Also known as PIPEDA, this gives Canadian citizens the right to view and correct any personal information that commercial companies have collected about them. PIPEDA requires businesses to inform consumers that their personal information is being collected, why it is being collected and for what purposes it will be used. Under PIPEDA's guidelines, personal information may only be gathered by companies with the knowledge and consent of the consumer, if it is collected for a reasonable purpose, if the information is kept accurate and up to date, if it is open to inspection and correction by the consumer, and if it is stored securely. Failure to abide by PIPEDA can be reported to the Canadian Privacy Commissioner as well as remanded to Federal Court.
The Alberta Personal Information Protection Act (PIPA). Enacted on January 1, 2004, this law is similar in most respects to PIPEDA, except that it also specifically states that the law applies to employee information as well. In addition to commercial organizations, PIPA also applies to non-profits, trade unions, private schools, unincorporated associations, professional regulatory associations, any individual acting in a commercial capacity or any individual acting on behalf of a corporation, unincorporated association, trade union or partnership.
California SB 168. Also known as the Identity Theft Prevention bill, this went into effect on July 1, 2004. It prohibits businesses from posting or otherwise disseminating customers' social security numbers, and it requires health care providers and insurers to take precautions to safeguard SSNs they keep on file.
SB 168 also allows people to "freeze" their credit reports, meaning that identity thieves cannot open fraudulent new accounts without inputting an additional PIN that is known only to the consumer. The bill also formalizes the process through which a credit bureau allows a person to place a fraud alert on their credit reports in case they have been a victim of identity theft.
The Children's Online Privacy Protection Act (COPPA). Enacted in 1998, this gives parents control over what information is collected from their children online and to what end that information may be used. COPPA requires, among other things, commercial websites to notify children before obtaining information from them as well as post the company's privacy policy on its home page.
Personal Liability
While companies can do much to control the threat of identity theft during business hours and at the office, once employees leave for the day, they are only as secure as they make themselves. To protect employees from the dangers of identity theft, some simple education might prove very useful. Anybody with a bank account, a PIN and a credit history is susceptible to electronic fraud, particularly when their employers, personal vendors and creditors are electronically storing personal financial identifiers.
As with the corporate identity theft readiness questionnaire, individuals might also ask themselves a similar set of questions to see how they can better protect their personal data. Again, answering "no" to any of the following questions highlights where one should adjust their own personal privacy protection policy. Employers may wish to forward this questionnaire through company newsletters, internal e-mail or training programs.
* Do you verify that all mailed credit card statements arrive on time and that none go missing?
* Do you lock your PIN card away in a secure place as opposed to carrying it on your person?
* Do you refrain from supplying your PIN or other such identification on credit applications?
* Do you check your credit rating annually? Do you keep copies of your past credit ratings on file?
* Do you obscure or cover PIN entries at ATMs, gas pumps and retail stores?
* Do you refrain from opening e-mail from unknown sources? Do you refrain from opening attachments on such e-mail?
* Do you refrain from giving personal information to solicitors knocking at your door?
* Do you keep a record of all your credit card and ATM cards, with emergency telephone numbers to report stolen cards?
* Do you shred all documents with your address, banking information or financial information, prior to disposal?
Dealing with Identity Theft
Despite diligent prevention efforts, becoming an identity theft victim remains a stark possibility. In the event this occurs, there are agencies and organizations that can provide help. It is critical that as soon as an act of identity theft has been discovered, the affected individual(s) contact the following:
* Notify all of your financial institutions and electronic billing suppliers, such as banks, credit unions, mortgage lenders, cell phone carriers, car lessors, credit card companies and other financial service providers.
* Contact the local police as well as your local FBI field office.
* In Ontario, Canada call the joint Royal Canadian Mounted Police/Ontario Privacy Protection task force at 888.495.8501.
* Across Canada, contact your local police electronic crime detective and open a complaint file number.
* To protect your credit rating, notify the major credit rating agencies: Dun and Bradstreet (905.568.6000); Equifax (800.685.1111); Experian (888.397.3742); Trans Union (800.916.8800).
Identity theft is now a fact of life, but corporations and individuals alike can take steps to harden their defenses to this new genre of fraud. The best defense is to be aware of the risk and to take simple preventative steps in both your personal life and within your business practices to minimize the risk.
Ron Lepofsky is the president and CEO of ERE Information Security, an information security and compliance auditing firm based in Thornhill, Ontario.