The President's Identity Theft Task Force, Combating Identity Theft: A Strategic Plan (April 2007)
Sep 12, 2021

The President's Identity Theft Task Force

April 2007

Combating Identity Theft: A Strategic Plan

Table of Contents

Glossary of Acronyms

Identity Theft Task Force Members

Letter to the President

I. Executive Summary

A. Introduction

B. The Strategy

II. The Contours of the Identity Theft Problem

A. Prevalence and Costs of Identity Theft

B. Identity Thieves: Who They Are

C. How Identity Theft Happens: The Tools of the Trade

D. What Identity Thieves Do With the Information They Steal: The Different Forms of Identity Theft

III. A Strategy to Combat Identity Theft

A. Prevention: Keeping Consumer Data out of the Hands of Criminals

1. Decreasing the Unnecessary Use of Social Security Numbers

2. Data Security in the Public Sector

a. Safeguarding of Information in the Public Sector

b. Responding to Data Breaches in the Public Sector

3. Data Security in the Private Sector

a. The Current Legal Landscape

b. Implementation of Data Security Guidelines and Rules

c. Responding to Data Breaches in the Private Sector

4. Educating Consumers on Protecting Their Personal Information

B. Prevention: Making It Harder to Misuse Consumer Data

C. Victim Recovery: Helping Consumers Repair Their Lives

1. Victim Assistance: Outreach and Education

2. Making Identity Theft Victims Whole

3. Gathering Better Information on the Effectiveness of Victim Recovery Measures

D. Law Enforcement: Prosecuting and Punishing Identity Thieves

1. Coordination and Intelligence/Information Sharing

a. Sources of Identity Theft Information

b. Format for Sharing Information and Intelligence

c. Mechanisms for Sharing Information

2. Coordination with Foreign Law Enforcement

3. Prosecution Approaches and Initiatives

4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps

a. The Identity Theft Statutes

b. Computer-Related Identity Theft Statutes

c. Cyber-Extortion Statute

d. Sentencing Guidelines Governing Identity Theft

5. Training of Law Enforcement Officers and Prosecutors

6. Measuring Success of Law Enforcement Efforts

IV. Conclusion: The Way Forward

APPENDICES

Appendix A: Identity Theft Task Force's Guidance Memorandum on Data Breach Protocol

Appendix B: Proposed Routine Use Language

Appendix C: Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)

Appendix D: Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512

Appendix E: Text of Amendments to 18 U.S.C. §§ 1028 and 1028A

Appendix F: Text of Amendment to 18 U.S.C. § 1032(a)(2)

Appendix G: Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. 2332b

Appendix H: Text of Amendments to 18 U.S.C. § 1030(a)(7)

Appendix I: Text of Amendment to United States Sentencing Guideline § 2B1.1

Appendix J (Description of Proposed Surveys)

ENDNOTES

Glossary of Acronyms

AAMVA – American Association of Motor Vehicle Administrators

AARP – American Association of Retired Persons

ABA – American Bar Association

APWG – Anti-Phishing Working Group

BBB – Better Business Bureau

BIN – Bank Identification Number

BJA – Bureau of Justice Assistance

BJS – Bureau of Justice Statistics

CCIPS – Computer Crime and Intellectual Property Section (DOJ)

CCMSI – Credit Card Mail Security Initiative

CFAA – Computer Fraud and Abuse Act

CFTC – Commodity Futures Trading Commission

CIO – Chief Information Officer

CIP – Customer Identification Program

CIRFU – Cyber Initiative and Resource Fusion Center

CMRA – Commercial Mail Receiving Agency

CMS – Centers for Medicare and Medicaid Services (HHS)

CRA – Consumer reporting agency

CVV2 – Card Verification Value 2

DBFTF – Document and Benefit Fraud Task Force

DHS – Department of Homeland Security

DOJ – Department of Justice

DPPA – Drivers Privacy Protection Act of 1994

FACT Act – Fair and Accurate Credit Transactions Act of 2003

FBI – Federal Bureau of Investigation

FCD – Financial Crimes Database

FCRA – Fair Credit Reporting Act

FCU Act – Federal Credit Union Act

FDI Act – Federal Deposit Insurance Act

FDIC – Federal Deposit Insurance Corporation

FEMA – Federal Emergency Management Agency

FERPA – Family and Educational Rights and Privacy Act of 1974

FFIEC – Federal Financial Institutions Examination Council

FIMSI – Financial Industry Mail Security Initiative

FinCEN – Financial Crimes Enforcement Network (Department of Treasury)

FISMA – Federal Information Security Management Act of 2002

FRB – Federal Reserve Board of Governors

FSI – Financial Services, Inc.

FTC – Federal Trade Commission

FTC Act – Federal Trade Commission Act

GAO – Government Accountability Office

GLB Act – Gramm-Leach-Bliley Act

HHS – Department of Health and Human Services

HIPAA – Health Insurance Portability and Accountability Act of 1996

IACP – International Association of Chiefs of Police

IAFCI – International Association of Financial Crimes Investigators

IC3 – Internet Crime Complaint Center

ICE – U.S. Immigration and Customs Enforcement

IRS – Internal Revenue Service

IRS CI – IRS Criminal Investigation Division

IRTPA – Intelligence Reform and Terrorism Prevention Act of 2004

ISI – Intelligence Sharing Initiative (U.S. Postal Inspection Service)

ISP – Internet service provider

ISS LOB – Information Systems Security Line of Business

ITAC – Identity Theft Assistance Center

ITCI – Information Technology Compliance Institute

ITRC – Identity Theft Resource Center

MCC – Major Cities Chiefs

NAC – National Advocacy Center

NASD – National Association of Securities Dealers, Inc.

NCFTA – National Cyber Forensic Training Alliance

NCHELP – National Council of Higher Education Loan Programs

NCUA – National Credit Union Administration

NCVS – National Crime Victimization Survey

NDAA – National District Attorneys Association

NIH – National Institutes of Health

NIST – National Institute of Standards and Technology

NYSE – New York Stock Exchange

OCC – Office of the Comptroller of the Currency

OIG – Office of the Inspector General

OJP – Office of Justice Programs (DOJ)

OMB – Office of Management and Budget

OPM – Office of Personnel Management

OTS – Office of Thrift Supervision

OVC – Office for Victims of Crime (DOJ)

PCI – Payment Card Industry

PIN – Personal Identification Number

PMA – President's Management Agenda

PRC – Privacy Rights Clearinghouse

QRP – Questionable Refund Program (IRS CI)

RELEAF – Operation Retailers & Law Enforcement Against Fraud

RISS – Regional Information Sharing Systems

RITNET – Regional Identity Theft Network

RPP – Return Preparer Program (IRS CI)

SAR – Suspicious Activity Report

SBA – Small Business Administration

SEC – Securities and Exchange Commission

SMP – Senior Medicare Patrol

SSA – Social Security Administration

SSL – Security Socket Layer

SSN – Social Security number

TIGTA – Treasury Inspector General for Tax Administration

UNCC – United Nations Crime Commission

USA PATRIOT Act – Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Pub. L. No. 107-56)

USB – Universal Serial Bus

US-CERT – United States Computer Emergency Readiness Team

USPIS – United States Postal Inspection Service

USSS – United States Secret Service

VHA – Veterans Health Administration

VOIP – Voice Over Internet Protocol

VPN – Virtual private network

WEDI – Workgroup for Electronic Data Interchange

Identity Theft Task Force Members

Alberto R. Gonzales, Chairman, Attorney General

Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission

Henry M. Paulson, Department of Treasury

Carlos M. Gutierrez, Department of Commerce

Michael O. Leavitt, Department of Health and Human Services

R. James Nicholson, Department of Veterans Affairs

Michael Chertoff, Department of Homeland Security

Rob Portman, Office of Management and Budget

John E. Potter, United States Postal Service

Ben S. Bernanke, Federal Reserve System

Linda M. Springer, Office of Personnel Management

Sheila C. Bair, Federal Deposit Insurance Corporation

Christopher Cox, Securities and Exchange Commission

JoAnn Johnson, National Credit Union Administration

Michael J. Astrue, Social Security Administration

John C. Dugan, Office of the Comptroller of the Currency

John M. Reich, Office of Thrift Supervision

Letter to the President

April 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President's Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.


The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, Chairman, Attorney General

Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission

I. Executive Summary

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

A. INTRODUCTION

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,¹ which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies² have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government—from the largest cities with major police departments to the smallest towns with one fraud detective—identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.³ The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force's recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

B. THE STRATEGY

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual's personal information to commit fraud. Identity theft has at least three stages in its "life cycle," and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim's personal information.

Criminals must first gather personal information, either through low-tech methods—such as stealing mail or workplace records, or "dumpster diving"—or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim's personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim's name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation's citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;

• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;

• assisting the victims of identity theft in recovering from the crime; and

• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;

• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;

• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and

• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan—from these broad policy changes to the small steps—are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President's Task Force on Identity Theft:

PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While "perfect security" does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Data Security in Public Sector

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

• Survey current use of SSNs by federal government

• Issue guidance on appropriate use of SSNs

• Establish clearinghouse for "best" agency practices that minimize use of SSNs

• Work with state and local governments to review use of SSNs

Educate Federal Agencies on How to Protect Data Monitor Their Compliance with Existing Guidance

• Develop concrete guidance and best practices

• Monitor agency compliance with data security guidance

• Protect portable storage and communications devices

Ensure Effective Risk-Based Responses to Data Breaches Suffered by Federal Agencies

• Issue data breach guidance to agencies

• Publish a "routine use" allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data

• Hold regional seminars for businesses on safeguarding information

• Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations

Initiate a Multi-Year Public Awareness Campaign

• Develop national awareness campaign

• Enlist outreach partners

• Increase outreach to traditionally underserved communities

• Establish "Protect Your Identity" Days

Develop Online Clearinghouse for Current Educational Resources

PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim's name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person's identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factor authentication or layered security—would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication

• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity

• Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs

VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Identity theft can be committed despite a consumer's best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.

Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims

• Train law enforcement officers

• Provide educational materials for first responders that can be used as a reference guide for identity theft victims

• Create and distribute an ID Theft Victim Statement of Rights

• Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims

• Conduct assessment of FACT Act remedies under FCRA

• Conduct assessment of state credit freeze laws

LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector

• Enhance ability of law enforcement to receive information from financial institutions

• Initiate discussions with financial services industry on countermeasures to identity theft

• Initiate discussions with credit reporting agencies on preventing identity theft

Coordination with Foreign Law Enforcement

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government's Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist, Train, and Support Foreign Law Enforcement

Prosecution Approaches and Initiatives

Increase Prosecutions of Identity Theft

• Designate an identity theft coordinator for each United States Attorney's Office to design a specific identity theft program for each district

• Evaluate monetary thresholds for prosecution

• Encourage state prosecution of identity theft

• Create working groups and task forces

Conduct Targeted Enforcement Initiatives

• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale

• Conduct enforcement initiatives focused on identity theft related to the health care system

• Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs

Gaps in Statutes Criminalizing Identity Theft

Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes

• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted

• Add new crimes to the list of predicate offenses for aggravated identity theft offenses

• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications

• Penalize creators and distributors of malicious spyware and keyloggers

• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief's Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Law Enforcement Training

Enhance Training for Law Enforcement Officers and Prosecutors

• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft

• Increase number of regional identity theft seminars

• Increase resources for law enforcement on the Internet

• Review curricula to enhance basic and advanced training on identity theft

Measuring the Success of Law Enforcement

Enhance the Gathering of Statistical Data Impacting the Criminal Justice System's Response to Identity Theft

• Gather and analyze statistically reliable data from identity theft victims

• Expand scope of national crime victimization survey

• Review U.S. Sentencing Commission data

• Track prosecutions of identity theft and resources spent

• Conduct targeted surveys

II. The Contours of the Identity Theft Problem

Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.

Identity theft—the misuse of another individual's personal information to commit fraud—can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or "dumpster diving," or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.

Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain's identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain's name and with his Social Security number. The military identification, combined with the victim's then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim's name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim's name.⁴

In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim's existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim's safe-deposit boxes.⁵

In these ways and others, consumers' lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.

"I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver's license was suspended. I hold three licenses in the State of Ohio—my driver's license, my real estate license, and my RN license. After learning my driver's license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter."

Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003

A. PREVALENCE AND COSTS OF IDENTITY THEFT

There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.

Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.

In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.

In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.

Consumers' fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.

B. IDENTITY THIEVES: WHO THEY ARE

Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC's 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.

Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.

Individuals

According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners' mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9

A number of recent reports have focused on the connection between individual methamphetamine ("meth") users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.

In an article entitled "Waitress Gets Own ID When Carding Patron," the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver's license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.

In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $18151705 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver's license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.

Significant Criminal Groups and Organizations

Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups—including national gangs such as Hell's Angels and MS-13—are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.

Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user's Internet connection, without the user's knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services—such as software templates for making counterfeit identification cards and payment card magnetic strip encoders—that make the stolen data even more valuable to those who have it.

C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE

Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim's name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.

Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.

In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant's accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an "unprecedented, wide-ranging, organized criminal enterprise" that "engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers." The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.

The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.

Common Theft and Dumpster Diving

While often considered a "high tech" crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as "dumpster diving."13 Still others steal information using techniques no more sophisticated than purse snatching.

Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed—a measure that is intended, among other things, to reduce the ability of a "dumpster diver" to obtain a victim's credit card number simply by looking through that victim's discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15

Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice

A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.

Employee/Insider Theft

Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee's access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.
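One way to check for the lingering access of terminated employees described above is to reconcile an HR termination list against an export of system accounts. The following is an added example, not part of the Task Force report; the CSV column names, system names, and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample exports (assumed column names; real HR and account
# exports will differ and need mapping to these fields).
HR_TERMINATIONS = """employee_id,last_day
E1001,2024-03-15
E1002,2024-04-30
E1003,2024-05-10
"""

ACCOUNTS = """system,username,employee_id,enabled,last_login
vpn,jdoe,E1001,true,2024-03-20
crm,jdoe,E1001,false,2024-03-14
customer_db,asmith,E1002,true,2024-04-29
hr_portal,blee,E1003,false,2024-05-09
crm,cwong,E1004,true,2024-05-12
payroll,svc_batch,,true,2024-05-30
"""

# Lower number = review first.
SEVERITY_ORDER = {"used-after-termination": 0, "still-enabled": 1, "no-owner": 2}


def find_lingering_access(hr_csv, accounts_csv, as_of):
    """Return accounts that outlived their owner's employment, worst first.

    issue values:
      used-after-termination  a login is recorded after the owner's last day
      still-enabled           the owner has left but the account is still enabled
      no-owner                enabled account with no employee to reconcile against
    """
    terminated = {
        row["employee_id"]: date.fromisoformat(row["last_day"])
        for row in csv.DictReader(io.StringIO(hr_csv))
    }
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        enabled = acct["enabled"].strip().lower() == "true"
        last_login = (
            date.fromisoformat(acct["last_login"]) if acct["last_login"] else None
        )
        owner = acct["employee_id"].strip()
        days = None
        if not owner:
            # Cannot be tied to HR data at all; only worth flagging if usable.
            if not enabled:
                continue
            issue = "no-owner"
        else:
            last_day = terminated.get(owner)
            if last_day is None or last_day >= as_of:
                continue  # owner is still employed as of the review date
            days = (as_of - last_day).days
            if last_login is not None and last_login > last_day:
                issue = "used-after-termination"
            elif enabled:
                issue = "still-enabled"
            else:
                continue  # disabled and never used after departure
        findings.append(
            {
                "system": acct["system"],
                "username": acct["username"],
                "issue": issue,
                "enabled": enabled,
                "days_since_last_day": days,
            }
        )
    findings.sort(
        key=lambda f: (SEVERITY_ORDER[f["issue"]], -(f["days_since_last_day"] or 0))
    )
    return findings


if __name__ == "__main__":
    for f in find_lingering_access(HR_TERMINATIONS, ACCOUNTS, date(2024, 6, 1)):
        print(f)
```
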

Electronic Intrusions or Hacking

Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.

Second, hackers also can gain access to underlying applications—programs used to "communicate" between Internet users and a company's internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker's application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.

According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.

In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution's screening practices came to light through the OCC's review of the former employee's activities.

In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe's Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe's retail store in Michigan and gained access to Lowe's central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe's retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.

Social Engineering: Phishing, Malware/Spyware, and Pretexting

Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as "social engineering," can take a variety of forms.

Phishing: "Phishing" is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to "reenter" or "validate" their personal data. Such phishing schemes often mimic financial institutions' websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed "vishing," in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18

Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users' computers and data without the users' permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user's Internet sessions back to the hacker, including user names and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims' passwords and other useful data—such as "sniffing" Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.

"Phishing" Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group

At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS's website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.

Pretexting: Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer's account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer's name.20
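The phishing emails described above depend on a link that appears to lead to a legitimate institution but goes elsewhere. The following is an added example, not part of the Task Force report, of a mail-filter style check that flags such links in an HTML message body; the sample message, the domain names (reserved test names), and the two-label "site" heuristic are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Finds a host name or URL written out in the visible text of a link.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample message body (not a real phishing email).
SAMPLE_EMAIL = """
<p>Dear member, your account will be closed unless you validate your data.</p>
<p><a href="http://203.0.113.7/login">https://www.creditunion.example/verify</a></p>
<p><a href="http://creditunion.example.account-check.test/verify">Re-enter your details</a></p>
<p><a href="https://www.creditunion.example/help">Contact us</a></p>
"""


def site_of(host):
    """Crude 'site' key: the last two labels of a host name.

    Assumption: good enough for the sample; production code should use a
    public-suffix list so that names such as example.co.uk are handled.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify(href, text, trusted_sites):
    """Return a reason string if the link looks deceptive, else None."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return None
    if "@" in parts.netloc:
        return "userinfo in URL hides the real host"
    if IPV4.fullmatch(host):
        return "link target is a bare IP address"
    shown = HOST_IN_TEXT.search(text)
    if shown and site_of(shown.group(1)) != site_of(host):
        return "visible address differs from link target"
    for site in trusted_sites:
        # Trusted name used as a sub-domain label of somebody else's site.
        if site in host and not (host == site or host.endswith("." + site)):
            return "trusted name embedded in a different site"
    return None


def suspicious_links(html_body, trusted_sites):
    """Return [(href, visible_text, reason), ...] for deceptive-looking links."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, text in collector.links:
        reason = classify(href, text, trusted_sites)
        if reason:
            findings.append((href, text, reason))
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, ["creditunion.example"]):
        print(finding)
```
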

Stolen Media

In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an "incidental" manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded—such as through the use of technological tools for protecting data—this information can be accessed and used to steal the victim's identity. Identity thieves also may obtain consumer data when it is lost or misplaced.

Failure to "Know Your Customer"

Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.

The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.

Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.

In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.

"Skimming"

Because it is possible to use someone's credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as "skimmers." A skimmer is an inexpensive electronic device with a slot through which a person passes or "skims" a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer's sight, he can skim the card through the device and then swipe it through the restaurant's own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer's card, as well as the consumer's password.

D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT

Once they obtain victims' personal information, criminals misuse it in endless ways, from opening new accounts in the victim's name, to accessing the victim's existing accounts, to using the victim's name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.

Misuse of Existing Accounts

Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer's wallet.

A "skimmer." Source: Durham, Ontario Police

In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.

Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims' bank accounts, including checking accounts—sometimes referred to as "account takeovers."24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims' online brokerage accounts.25

Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26

New Account Fraud

A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim's name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.

Criminal's skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer's keystrokes. Source: University of Texas Police Department

In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor's Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.

When criminals establish new credit card accounts in others' names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others' names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.

"Brokering" of Stolen Data

Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as "carding sites," traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.

Immigration Fraud

In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.

Medical Identity Theft

Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim's identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.

Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney's Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver's licenses, credit, or even medical services because someone had improperly used their personal information before.

Other Frauds

Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS's Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.

With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services' Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.

Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney's Office for the Southern District of New York obtained a criminal conviction against him in 2002.

In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant's allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277377 from FEMA.

A STRATEGY TO COMBAT IDENTITY THEFT

III. A Strategy to Combat Identity Theft

Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its "life cycle," it must be attacked at each of those stages, including:

• when the identity thief attempts to acquire a victim's personal information;

• when the thief attempts to misuse the information he has acquired; and

• after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

The federal government's strategy to combat identity theft must address each of these stages by:

• keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;

• making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;

• assisting victims in recovering from the crime; and

• deterring identity theft by aggressively prosecuting and punishing those who commit the crime.

A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force's recommendations, as described below, are focused on those areas.

A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as "perfect security," some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.

The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.[29] Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.

1. Decreasing the Unnecessary Use of Social Security Numbers

The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim's SSN and certain other information generally can open accounts or obtain other benefits in the victim's name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.

SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers' earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes is expressly authorized by statute.

The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.

Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students' identification number for a range of purposes, from administering loans to tracking grades, and may place it on students' identification cards, although usage for these purposes is declining.

In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver's licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.

SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.[30] Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.

No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations' disclosure of SSNs without patient authorization; and the Driver's Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 "permissible uses."[31] In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.[32] A number of state statutes restrict the use and display of SSNs in certain contexts.[33] Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.[34]

There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.

Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization's internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN's use as an authenticator.

In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA's Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.


Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber's identification number.[35] Additionally, the Department of Treasury's Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.

More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.

RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR

To limit the unnecessary use of SSNs in the public sector – and to begin to develop alternative strategies for identity management – the Task Force recommends the following:

Complete Review of Use of SSNs. As recommended in the Task Force's interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers, where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in "any system of permanent account numbers pertaining to individuals," should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.

When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim's name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief's medical information was added to the victim's medical records.


Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.

Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.[36]

Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB's review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices – including the development of any alternative strategies for identity management – to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.

Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments – through organizations such as the National Governor's Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems – to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders – including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.

2. Data Security in the Public Sector

While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.

a. Safeguarding of Information in the Public Sector

Two sets of laws and associated policies frame the federal government's responsibilities in the area of data security. The first specifically governs the federal government's information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.[37] The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a "time-out" function for remote access and mobile devices.[38] The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.[39]

Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President's Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.[40]

Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.

Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.

b. Responding to Data Breaches in the Public Sector

Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.

The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.

RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE

To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:

Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 "mistakes" to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.

Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency's quarterly PMA Scorecard.

Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency's PMA scorecard.

RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES

To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:

Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.

Publish a "Routine Use" Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.[41] DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.

3. Data Security in the Private Sector

Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.

a. The Current Legal Landscape

Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;[42] Section 5 of the FTC Act, which prohibits unfair or deceptive practices;[43] the FCRA,[44] which restricts access to consumer reports and imposes safe disposal requirements, among other things;[45] HIPAA, which protects health information;[46] Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,[47] which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers' personal information.[48] See Volume II, Part A, for a description of federal laws and regulations related to data security.

The federal bank regulatory agencies – the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) – and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation. In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.

BJ's Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ's stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers, and led to millions of dollars in fraudulent charges.

In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,[49] and some states have laws relevant to data security, including safeguards and disposal requirements.

Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.[50]

Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution's sensitive data to safeguard that data.[51] Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor's data center, and requiring vendors to provide certification that they are in compliance with the contracting organization's privacy and data protection obligations.[52]

b. Implementation of Data Security Guidelines and Rules

Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.

In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company's website permitted unauthorized access to consumers' personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.

In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.

Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.[53] But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.[54] The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.[55]

Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.[56] For example, of the small businesses surveyed:

• nearly 20 percent did not use virus scans for email, a basic information security safeguard;

• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;

• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and

• 74 percent reported having no information security plan in place.

Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies – sometimes pursuant to law or regulations issued by agencies – are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.

In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company's security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.

c. Responding to Data Breaches in the Private Sector

Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers’ fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.57 Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.58 Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.

The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.

A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.

In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.

Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.59 Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.60 A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.61 Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.62

RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS

Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to “financial institutions,” but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles:

Covered data. The national standards for data security and for breach notification should cover data that can be used to perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual’s account, or to establish a new account using the individual’s identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver’s license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter “covered data”). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.

When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.

Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.

Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent “acquisition” of the data, and thus ordinarily would satisfy an entity’s legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.

Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This “significant risk of identity theft” trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real.

Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).

Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.

Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.

Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.

Private right of action. The national standards should not provide for or create a private right of action.

Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.

RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA

Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately, is less likely to suffer a data compromise. The Task Force therefore makes the following recommendations concerning how to better educate the private sector:

When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.

Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions, about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar’s leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force’s online clearinghouse at www.idtheft.gov.

Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook’s Information Security Booklet, issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.

RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS

Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.

A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company’s cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.


4. Educating Consumers on Protecting Their Personal Information

The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.

The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of “Deter, Detect, and Defend,” which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.

The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.


Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims’ coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted “Consumer Action Days,” with free seminars about identity theft and other consumer protection issues.

Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.64 As of this writing, more than 500 local police departments are using the FTC’s “Deter, Detect, Defend” campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.

Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons—including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms—students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.65 In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.66

Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide—how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath—are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.

RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN

Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC’s current “AvoID Theft: Deter, Detect, Defend” campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:

Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.

Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.

Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.

Establish “Protect Your Identity Days.” The campaign should establish “Protect Your Identity Days” to promote better data security by businesses and individual commitment to security by consumers. These “Protect Your Identity Days” should also build on the popularity of community “shred-ins” by encouraging community and business organizations to shred documents containing personal information.


RECOMMENDATION: DEVELOP AN ONLINE “CLEARINGHOUSE” FOR CURRENT EDUCATIONAL RESOURCES

The Task Force recommends that in the third quarter of 2007, the Task Force member agencies develop an online “clearinghouse” for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.

B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.

An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision, and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer’s credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to “verify” the applicant’s identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.

Identity systems follow a two-fold process: first, determining (“identification”) and setting (“enrollment”) the identity of an individual at the onset of the relationship; and second, later ensuring that the individual is the same person who was initially enrolled (“authentication”). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, “financial institutions”), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.67 The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.68 See Volume II, Part G, for a description of recent laws relating to identification documents.

The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.69

Once an individual’s identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:

• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer’s monthly mortgage payment.

• Something a person has—most commonly a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.70

• Something a person is—most commonly a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.71

Some entities use a single form of authentication—most commonly a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.72 Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.73 Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.

SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.

RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION

Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.


As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

As noted in Section III.A.1, above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.

C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.

1. Victim Assistance: Outreach and Education

Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.

In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.

Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.


Fair and Accurate Credit Transaction Act (FACT Act) Rights

The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.

Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:

• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.

• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.

• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.

• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.

• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.

StategovernmentsalsoprovideassistancetovictimsStateconsumerprotectionagenciesprivacyagenciesandstateAttorneysGeneralprovidevictiminformationandguidanceontheirwebsitesandsomeprovidepersonalassistanceaswellAnumberof stateshaveestablishedhotlinescounselingandotherassistanceforvictimsof identitytheftForexampletheIllinoisAttorneyGeneralrsquosofficehasimplementedanIdentityTheftHotlineeachcallerisassignedaconsumeradvocatetoassistwiththerecoveryprocessandtohelppreventfurthervictimization

A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.

Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.

RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS

First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:

Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.

Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.

Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.

Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.

RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS

Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:

Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.

2. Making Identity Theft Victims Whole

Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.

The many hours victims spend in attempting to recover from the harms they suffer often takes a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.

“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”

Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001

In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.74 In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.

RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED

Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.

As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.

RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES

One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or “passports,” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.

3. Gathering Better Information on the Effectiveness of Victim Recovery Measures

Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims’ experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.

RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS

The Task Force recommends the following surveys or assessments:

Conduct Assessment of FACT Act Remedies Under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.

Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policy makers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.

D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.

The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.

In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.

In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.

During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute75 enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.

The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.

1. Coordination and Intelligence/Information Sharing

Federal law enforcement agencies have recognized the importance of coordination among agencies and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.

In “Operation Firewall,” the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar. Using the website www.shadowcrew.com, the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents, such as drivers’ licenses, passports, and Social Security cards, as well as stolen credit card, debit card, and bank account numbers. The Shadowcrew members trafficked in at least 17 million stolen credit card numbers and caused total losses in excess of $4 million. The Secret Service successfully shut down the website following a year-long undercover investigation, which resulted in the arrests of 21 individuals in the United States on criminal charges in October 2004. Additionally, law enforcement officers in six foreign countries arrested or searched eight individuals.

a. Sources of Identity Theft Information

Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement, through a secure website, the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.

Private sector entities—including the financial services industry and credit reporting agencies—also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.

One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient “stove-piping” of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.

b. Format for Sharing Information and Intelligence

A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program’s terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.

To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police’s (IACP) Private Sector Liaison Committee and the Major Cities’ Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.

c. Mechanisms for Sharing Information

Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.

Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.

Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers “connect the dots” in investigations and pool limited resources.

RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER

The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to “connect the dots” between various investigations around the country.

In a case prosecuted by the United States Attorney’s Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.

RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM

The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC—a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department’s report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.

Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint (“Complaint”) form was made available in October 2006 via the FTC’s Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC’s Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.

RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR

Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:

Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service’s current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim’s credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.

2. Coordination With Foreign Law Enforcement

Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.

Becauseof theinternationalnatureof manyformsof identitytheftprovidingassistancetoandreceivingassistancefromforeignlawenforcementonidentitytheftiscriticalforUSenforcementagenciesUndercurrentlawtheUnitedStatesgenerallyisabletoprovidesuchassistancewhichfulfillsourobligationsundervarioustreatiesandenhancesourabilitytoobtainreciprocalassistancefromforeignagenciesIndeedtherearenumerousexamplesof collaborationsbetweenUSandforeignlawenforcementinidentitytheftinvestigations

Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country’s law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.

Second, certain statutes governing foreign requests for electronic and other evidence—specifically 18 U.S.C. § 2703 and 28 U.S.C. § 1782—fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.

The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.


RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT

The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.

RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE

Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention’s standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings, and should continue until broad international acceptance of the Convention on Cybercrime is achieved.


RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES

Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.

RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT’S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT

The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).


RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT

Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.

3. Prosecution Approaches and Initiatives

As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney’s Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney’s Office in the District of Oregon has an identity theft “fast track” program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney’s Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.

Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney’s Offices have monetary thresholds—i.e., requirements that a certain amount of monetary loss must have been suffered by the victims—before the U.S. Attorney’s Office will open an identity theft case. When a U.S. Attorney’s Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.


RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT

The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:

Designate An Identity Theft Coordinator for Each United States Attorney’s Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney’s Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.

Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney’s Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.

Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.


Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.

RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES

Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:

Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals’ SSNs or other sensitive information to anyone who provides them with the individual’s name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.

Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries’ and providers’ identities and identification numbers, the opening of bank accounts in individuals’ names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.

Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.


RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS

By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.

4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps

Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.

a. The Identity Theft Statutes

The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.76 Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.

There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of “a person,” it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization’s name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.

b. Computer-Related Identity Theft Statutes

Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company’s internal local networks or by a thief intruding into a wireless network generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer’s wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney’s Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.

A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause “damage” to computers, i.e., that impair the “integrity or availability” of data or computer systems.77 Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals’ computers. Whether the programs succeed in obtaining the unsuspecting computer owner’s financial data, these sorts of programs harm the “integrity” of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.

c. Cyber-Extortion Statute

Another federal criminal statute that may apply in some computer-related identity theft cases is the “cyber-extortion” provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat “to cause damage to a protected computer,”78 is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first—such as by accessing a corporate computer without authority and encrypting critical data—and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly “threaten to cause damage” can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.

d. Sentencing Guidelines Governing Identity Theft

In recent years, the courts have created some uncertainty about the applicability of the “multiple victim enhancement” provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.79

RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES

The Task Force recommends that Congress take the following legislative actions:

Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.


Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases—mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A—in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.

Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.

Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant’s action must cause “damage” to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.

Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.

RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF’S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM

The Sentencing Commission should amend the definition of “victim,” as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.


5. Training of Law Enforcement Officers and Prosecutors

Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney’s Offices, for example, several federal law enforcement agencies—including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI—along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.

Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges—including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft—that warrant more specialized training at all levels of law enforcement.

RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS

Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ’s Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any “model programs”—fast track programs, etc.).

Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.


Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.

Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.

6. Measuring Success of Law Enforcement Efforts

One shortcoming in the federal government’s ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.

Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.

RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM’S RESPONSE TO IDENTITY THEFT

Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.


Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.

Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.

Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an “Identity Theft” category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.

Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.

IV. Conclusion: The Way Forward

There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.

Only a comprehensive and fully coordinated strategy to combat identity theft—one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector—will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders—consumers, business, and government—must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well being.


Appendices

APPENDIX A
Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol


APPENDIX B
Proposed Routine Use Language

Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12990, 12993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28948, 28953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.

Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:80

To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.

Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.


APPENDIX C
Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)

Proposed Language

(a) Section 3663 of Title 18, United States Code, is amended by:

(1) Deleting “and” at the end of paragraph (4) of subsection (b);

(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “and”; and

(3) Adding the following after paragraph (5) of subsection (b):

ldquo(6)inthecaseof anoffenseundersections1028(a)(7)or1028A(a)of thistitlepayanamountequaltothevalueof thevictimrsquostimereasonablyspentinanattempttoremediateintendedoractualharmincurredfromtheoffenserdquo

Makeconformingchangestothefollowing

(b) Section3663Aof Title18UnitedStatesCodeisamendedby

(1) AddingthefollowingafterSection3663A(b)(4)

ldquo(5)inthecaseof anoffenseunderthistitlesection1028(a)(7)or1028A(a)payanamountequaltothevalueof thevictimrsquostimereasonablyspentinanattempttoremediateintendedoractualharmincurredfromtheoffenserdquo

Section Analysis

These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim’s time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim’s time spent clearing a victim’s credit report or resolving charges made by the perpetrator for which the victim has been made responsible.

New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear that restitution orders may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense. The federal courts of appeals have interpreted the existing provisions of Section 3663 in such a way that would likely preclude the recovery of such amounts, absent explicit statutory authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th Cir. 1990), the court held that restitution ordered for offenses resulting in loss of property must be limited to recovery of property which is the subject of the offenses, and may not include consequential damages. Similarly, in United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held that the list of compensable expenses in a restitution statute is exclusive, and thus the district court did not have the authority to order the defendant to pay restitution to compensate the victim for mental anguish and suffering. Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court held that restitution was not allowed for consequential damages involved in determining the amount of loss or in recovering those funds; thus, a victim of wire fraud was not entitled to restitution for accounting fees and costs to reconstruct bank statements for the time period during which the defendant perpetuated the scheme, for the cost of temporary employees to reconstruct monthly bank statements, and for the costs incurred in borrowing funds to replace stolen funds. These new subsections will provide statutory authority for inclusion of amounts equal to the value of the victim’s time reasonably spent remediating the harm incurred as a result of the identity theft offense.

APPENDIX D

Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512

The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.

Proposed Language

§ 2703. Required disclosure of customer communications or records

(a) Contents of wire or electronic communications in electronic storage.—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

(b) Contents of wire or electronic communications in a remote computing service.—(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—

(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or

(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—

(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or

(ii) obtains a court order for such disclosure under subsection (d) of this section;

except that delayed notice may be given pursuant to section 2705 of this title.

(c) Records concerning electronic communication service or remote computing service.—(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—

(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;

§ 2711. Definitions for chapter

As used in this chapter—

(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;

(2) the term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system; and

(3) the term “court of competent jurisdiction” has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means—

(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that –

(i) has jurisdiction over the offense being investigated;

(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or

(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.

§ 3127. Definitions for chapter

As used in this chapter—

(1) the terms “wire communication”, “electronic communication”, “electronic communication service”, and “contents” have the meanings set forth for such terms in section 2510 of this title;

(2) the term “court of competent jurisdiction” means—

(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that –

(i) has jurisdiction over the offense being investigated;

(ii) is in or for a district in which the provider of electronic communication service is located;

(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or

(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device.

§ 3512. Foreign requests for assistance in criminal investigations and prosecutions

(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.

(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –

(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;

(2) administer any necessary oath; and

(3) take testimony or statements and receive documents or other things.

(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –

(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;

(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents or things may be located; or

(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.

(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.

(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.

(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.

(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.

(h) As used in this section –

(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and

(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.

APPENDIX E

Text of Amendments to 18 U.S.C. §§ 1028 and 1028A

The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.

Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses

Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically, mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A—in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).

Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations

(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “or other person” after the word “individual”.

Rationale

Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized “appropriation” of legitimate companies’ names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation, sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy, and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.

One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as “phishing,” whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme—for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.

Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special “horror story” which stands above the rest. In August 2005, the “Anti-Phishing Working Group” determined that in just that month alone, there were 5,259 unique phishing websites around the world. By December 2005, that number had increased to 7,197, and there were 15,244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities’ names (and even logos and web content) were “hijacked” (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., httpantiphishingorgapwg_phishing_activity_report_august_05pdf

In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks’ and companies’ names in communications with victims or in counterfeit checks.

Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code, to apply only to “natural” persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.

APPENDIX F

Text of Amendment to 18 U.S.C. § 1030(a)(2)

The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

1030(a) Whoever—

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains –

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer if the conduct involved an interstate or foreign communication;

APPENDIX G

Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b

The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

18 U.S.C. § 1030

(a) Whoever—

(5)

(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and

(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(iii) physical injury to any person;

(iv) a threat to public health or safety; or

(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;

(c) The punishment for an offense under subsection (a) or (b) of this section is—

(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(3) (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;

(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;

(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section; and

(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and

(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.

(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(iii) physical injury to any person;

(iv) a threat to public health or safety;

(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or

(vi) damage affecting ten or more protected computers during any 1-year period;

or an attempt to commit an offense punishable under this subparagraph;

(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph;

(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both;

(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both; or

(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph.

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

18 U.S.C. § 2332b(g)(5)(B)(I)

1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)

APPENDIX H

Text of Amendments to 18 U.S.C. § 1030(a)(7)

The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.

Proposed Language

18 U.S.C. § 1030(a)(7)

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any –

(a) threat to cause damage to a protected computer;

(b) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or

(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;

APPENDIX I

Text of Amendment to United States Sentencing Guideline § 2B1.1

The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.

Proposed language for United States Sentencing Guidelines § 2B1.1, comment. (n.1)

“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.

APPENDIX J

Description of Proposed Surveys

In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:

• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.

• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3,000 agencies. The sample includes all agencies with 100 or more officers, and a stratified random sample of smaller agencies, as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.

• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft, as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.

• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the postconviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.

• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.

• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.

ENDNOTES

1. Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.

2. The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.

3. The public comments are available at www.idtheft.gov.

4. Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”

5. See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at httpwwwusdojgovusaomiwpressJMiller_ Others10172006html

6. Javelin Strategy and Research, 2007 Identity Fraud Survey Report: Identity Fraud is Dropping, Continued Vigilance Necessary (Feb. 2007), summary available at http://www.javelinstrategy.com; Bureau of Justice Statistics (DOJ) (2004), available at httpwwwojpusdojgovbjspubpdfit04pdf; Gartner, Inc. (2003), available at httpwwwgartnercom5_aboutpress_releasespr21july2003ajsp; FTC 2003 Survey Report (2003), available at httpwwwconsumergovidtheftpdf synovate_reportpdf

7. See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection, BSA Survey Suggests (Jan. 12, 2006), available at httpwwwbsacybersafetycomnews2005-Online-Shopping-Confidencecfm

8. See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at httpswwwcsiallianceorgpublicationssurveys_and_pollsCSIA_Internet_Security_Survey_June_2005pdf

9. See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at httpwwwusdojgovusaoflsPressReleases060719-01html

10. See, e.g., John Leland, Meth Users, Attuned to Detail, Add Another Habit: ID Theft, New York Times, July 11, 2006, available at httpwwwnytimescom20060711us11methhtmlex=1153540800ampen=7b6c7773afa880beampei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit: Online Theft, USA Today, December 14, 2005, available at httpwwwusatodaycomtechnewsinternetprivacy2005-12-14-meth-online-theft_xhtm

11. Bob Mims, Id Theft Is the No. 1 Runaway U.S. Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526.

12. Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, httpdeseretnewscomdnview0124960012971400html

13. Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at httpwwwnytimescom20031221magazine21IDENTITYhtmlex=1387342800ampen=b693eef01223bc3bampei=5007amppartner=USERLAND

14. Pub. L. No. 108-159, 117 Stat. 1952.

15. The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).

16. Overview of Attack Trends, CERT Coordination Center 2002, available at httpwwwcertorgarchivepdfattack_trendspdf

17. Lanowitz, T., Gartner Research ID Number G00127407, December 1, 2005.

18. “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at httpwwwconsumeraffairscomnews04200607scam_vishinghtml

19. Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal: Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See httpwwwftcgovopa200605phonerecordshtm

20. The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at httpwwwftcgovopa200203pretextingsettlementshtm

21. See, e.g., Computers Stolen with Data on 72,000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.

22. 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a).

23. Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.

24. See httpwwwbizjournalscomphiladelphiastories20060724daily30html. See also Identity Theft Resource Center, Fact Sheet 126: Checking Account Takeover and Check Fraud, httpwwwidtheftcenterorgvg126shtml


25 For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37,000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at http://www.sec.gov/litigation/litreleases/2006/lr19949.htm.

26 For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.

27 See John Leland, Some ID Theft Is Not For Profit, But to Get a Job, N.Y. Times, Sept. 4, 2006.

28 See World Privacy Forum, Medical Identity Theft: The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf.

29 See http://www.idanalytics.com/news_and_events/20051208.htm. Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.

30 Government Accounting Office, Social Security Numbers: Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004), at 2, available at http://www.gao.gov/new.items/d0559.pdf.

31 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.

32 5 U.S.C. § 552a.

33 See, e.g., Ariz. Rev. Stat. § 44-1373.

34 Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain, GAO-05-1016T, September 15, 2005.

35 See, e.g., www.wpsic.com/edi/comm_sub_p.shtml?mm=3, Non-SSN Member Numbers to Be Assigned for Privacy Protection.

36 Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.

37 The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”

38 See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).

39 The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.

40 See http://www.whitehouse.gov/results/agenda/scorecard.html.


41 The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.

42 15 U.S.C. §§ 6801-09; 16 C.F.R. Part 313 (FTC); 12 C.F.R. Part 30, App. B (OCC, national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 C.F.R. Part 364, App. B (FDIC, state non-member banks); 12 C.F.R. Part 570, App. B (OTS, savings associations); 12 C.F.R. Part 748, App. A (NCUA, credit unions); 16 C.F.R. Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 C.F.R. Part 248.30 (SEC); 17 C.F.R. Part 160.30 (CFTC).

43 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.

44 15 U.S.C. §§ 1681-1681x, as amended.

45 Pub. L. No. 108-159, 117 Stat. 1952.

46 42 U.S.C. §§ 1320d et seq.

47 31 U.S.C. § 5318(l).

48 18 U.S.C. §§ 2721 et seq.

49 http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm.

50 http://www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf; www.staysafeonline.org/basics/company/basic_tips.html; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at www.bitsinfo.org/downloads/Publications%20Page/bitsconscon.pdf; www.realtor.org/realtororg.nsf/files/NARInternetSecurityGuide.pdf/$FILE/NARInternetSecurityGuide.pdf; www.antiphishing.org/reports/bestpracticesforisps.pdf; www.uschamber.com/sb/security/default.htm; www.truste.org/pdf/SecurityGuidelines.pdf; www.the-dma.org/privacy/informationsecurity.shtml; http://www.staysafeonline.org/basics/company/basic_tips.html.

51 These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A and B, and 12 C.F.R. Part 717 (credit unions); 16 C.F.R. Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).

52 See, e.g., http://www.truste.org/pdf/SecurityGuidelines.pdf; http://www.the-dma.org/privacy/informationsecurity.shtml.

53 Deloitte Financial Services, 2006 Global Security Survey, available at http://singe.rucus.net/blog/archives/756-Deloitte-Security-Surveys.html.

54 Datalink, Data Storage Security Study, March 2006, available at www.datalink.com/security/.

55 Id.

56 See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).

57 See, e.g., California (Cal. Civ. Code § 1798.82 (2006)), Illinois (815 Ill. Comp. Stat. 530/5 (2005)), Louisiana (La. Rev. Stat. 51:3074 (2006)), Rhode Island (R.I. Gen. Laws § 11-49.2-3 (2006)).

58 See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)), Florida (Fla. Stat. § 817.5681 (2005)), New York (NY CLS Gen. Bus. § 889-aa (2006)), Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).

59 Ponemon Institute LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, p. 16 (Apr. 26, 2006).

60 Id.

61 Ponemon Institute LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).

62 MultiChannel Merchant, Retailers Need to Provide Greater Data Security, Survey Says (Dec. 1, 2005), available at http://multichannelmerchant.com/opsandfulfillment/advisor/retailers_data_security_1201/index.html.

63 See Information Technology Examination Handbook’s Information Security Booklet, available at http://www.ffiec.gov/guides.htm.

64 See, e.g., http://www.pvkansas.com/police/crime/iden_theft.shtml (Prairie Village, Kansas); http://phoenix.gov/POLICE/dcd1.html (Phoenix, Arizona); www.co.arapahoe.co.us/departments/SH/index.asp (Arapahoe County, Colorado).

65 Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.

66 Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.


67 See 31 C.F.R. § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 C.F.R. § 103.122 (broker-dealers); 17 C.F.R. § 270.0-11, 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers).

68 See http://www.dhs.gov/xprevprot/laws/gc_1172765386179.shtm.

69 A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.

Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages before too much harm is done. See 71 Fed. Reg. 40786 (July 18, 2006), to be codified at 12 C.F.R. Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 C.F.R. Part 681 (FTC), available at http://www.occ.gov/fr/fedregister/71fr40786.pdf.

70 USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information such as a PIN to allow access to a computer network. This system is frequently used to allow for remote access to a workstation for a telecommuter.

71 Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at www.biometrics.gov.

72 See Authentication in an Internet Banking Environment (October 12, 2005), available at http://www.ffiec.gov/pdf/authentication_guidance.pdf.

73 See FFIEC, Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at http://www.ffiec.gov/pdf/authentication_faq.pdf.

74 See Kristin Davis and Jessica Anderson, But Officer, That Isn’t Me, Kiplinger’s Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va. Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).

75 18 U.S.C. § 1028A.

76 18 U.S.C. § 1028(d)(7).

77 See 18 U.S.C. § 1030(e)(8).

78 18 U.S.C. § 1030(a)(7).

79 S. Rep. No. 105-274, at 9 (1998).

80 As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.


Glossary of Acronyms

AAMVA – American Association of Motor Vehicle Administrators

AARP – American Association of Retired Persons

ABA – American Bar Association

APWG – Anti-Phishing Working Group

BBB – Better Business Bureau

BIN – Bank Identification Number

BJA – Bureau of Justice Assistance

BJS – Bureau of Justice Statistics

CCIPS – Computer Crime and Intellectual Property Section (DOJ)

CCMSI – Credit Card Mail Security Initiative

CFAA – Computer Fraud and Abuse Act

CFTC – Commodity Futures Trading Commission

CIO – Chief Information Officer

CIP – Customer Identification Program

CIRFU – Cyber Initiative and Resource Fusion Center

CMRA – Commercial Mail Receiving Agency

CMS – Centers for Medicare and Medicaid Services (HHS)

CRA – Consumer reporting agency

CVV2 – Card Verification Value 2

DBFTF – Document and Benefit Fraud Task Force

DHS – Department of Homeland Security

DOJ – Department of Justice

DPPA – Drivers Privacy Protection Act of 1994

FACT Act – Fair and Accurate Credit Transactions Act of 2003

FBI – Federal Bureau of Investigation

FCD – Financial Crimes Database

FCRA – Fair Credit Reporting Act

FCU Act – Federal Credit Union Act

FDI Act – Federal Deposit Insurance Act

FDIC – Federal Deposit Insurance Corporation

FEMA – Federal Emergency Management Agency

FERPA – Family and Educational Rights and Privacy Act of 1974

FFIEC – Federal Financial Institutions Examination Council

FIMSI – Financial Industry Mail Security Initiative

FinCEN – Financial Crimes Enforcement Network (Department of Treasury)

FISMA – Federal Information Security Management Act of 2002

FRB – Federal Reserve Board of Governors

FSI – Financial Services, Inc.

FTC – Federal Trade Commission

FTC Act – Federal Trade Commission Act

GAO – Government Accountability Office

GLB Act – Gramm-Leach-Bliley Act

HHS – Department of Health and Human Services

HIPAA – Health Insurance Portability and Accountability Act of 1996

IACP – International Association of Chiefs of Police

IAFCI – International Association of Financial Crimes Investigators

IC3 – Internet Crime Complaint Center

ICE – U.S. Immigration and Customs Enforcement

IRS – Internal Revenue Service

IRS CI – IRS Criminal Investigation Division

IRTPA – Intelligence Reform and Terrorism Prevention Act of 2004

ISI – Intelligence Sharing Initiative (U.S. Postal Inspection Service)

ISP – Internet service provider

ISS LOB – Information Systems Security Line of Business

ITAC – Identity Theft Assistance Center

ITCI – Information Technology Compliance Institute

ITRC – Identity Theft Resource Center

MCC – Major Cities Chiefs

NAC – National Advocacy Center

NASD – National Association of Securities Dealers, Inc.

NCFTA – National Cyber Forensic Training Alliance

NCHELP – National Council of Higher Education Loan Programs

NCUA – National Credit Union Administration

NCVS – National Crime Victimization Survey

NDAA – National District Attorneys Association

NIH – National Institutes of Health

NIST – National Institute of Standards and Technology

NYSE – New York Stock Exchange

OCC – Office of the Comptroller of the Currency

OIG – Office of the Inspector General

OJP – Office of Justice Programs (DOJ)

OMB – Office of Management and Budget

OPM – Office of Personnel Management

OTS – Office of Thrift Supervision

OVC – Office for Victims of Crime (DOJ)

PCI – Payment Card Industry

PIN – Personal Identification Number

PMA – President’s Management Agenda

PRC – Privacy Rights Clearinghouse

QRP – Questionable Refund Program (IRS CI)

RELEAF – Operation Retailers & Law Enforcement Against Fraud

RISS – Regional Information Sharing Systems

RITNET – Regional Identity Theft Network

RPP – Return Preparer Program (IRS CI)

SAR – Suspicious Activity Report

SBA – Small Business Administration

SEC – Securities and Exchange Commission

SMP – Senior Medicare Patrol

SSA – Social Security Administration

SSL – Security Socket Layer

SSN – Social Security number

TIGTA – Treasury Inspector General for Tax Administration

UNCC – United Nations Crime Commission

USA PATRIOT Act – Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Pub. L. No. 107-56)

USB – Universal Serial Bus

US-CERT – United States Computer Emergency Readiness Team

USPIS – United States Postal Inspection Service

USSS – United States Secret Service

VHA – Veterans Health Administration

VOIP – Voice Over Internet Protocol

VPN – Virtual private network

WEDI – Workgroup for Electronic Data Interchange

Identity Theft Task Force Members

Alberto R. Gonzales, Chairman, Attorney General

Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission

Henry M. Paulson, Department of Treasury

Carlos M. Gutierrez, Department of Commerce

Michael O. Leavitt, Department of Health and Human Services

R. James Nicholson, Department of Veterans Affairs

Michael Chertoff, Department of Homeland Security

Rob Portman, Office of Management and Budget

John E. Potter, United States Postal Service

Ben S. Bernanke, Federal Reserve System

Linda M. Springer, Office of Personnel Management

Sheila C. Bair, Federal Deposit Insurance Corporation

Christopher Cox, Securities and Exchange Commission

JoAnn Johnson, National Credit Union Administration

Michael J. Astrue, Social Security Administration

John C. Dugan, Office of the Comptroller of the Currency

John M. Reich, Office of Thrift Supervision


Letter to the President

April 11, 2007

The Honorable George W. Bush
President of the United States
The White House
Washington, D.C.

Dear Mr. President:

By establishing the President’s Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government’s efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.

Alberto R. Gonzales, Chairman, Attorney General

Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission


The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft’s damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President’s Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, Chairman
Attorney General

Deborah Platt Majoras, Co-Chairman
Chairman, Federal Trade Commission


I. Executive Summary

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

A. Introduction

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,[1] which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies[2] have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government—from the largest cities with major police departments to the smallest towns with one fraud detective—identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.[3] The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force’s recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

B. THE STRATEGY

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud. Identity theft has at least three stages in its “life cycle,” and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim’s personal information.

Criminals must first gather personal information, either through low-tech methods—such as stealing mail or workplace records, or “dumpster diving”—or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim’s personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim’s name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation’s citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;

• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;

• assisting the victims of identity theft in recovering from the crime; and

• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;

• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;

• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and

• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan—from these broad policy changes to the small steps—are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President’s Task Force on Identity Theft:

PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While “perfect security” does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Data Security in Public Sector

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

• Survey current use of SSNs by federal government

• Issue guidance on appropriate use of SSNs

• Establish clearinghouse for “best” agency practices that minimize use of SSNs

• Work with state and local governments to review use of SSNs

Educate Federal Agencies on How to Protect Data Monitor Their Compliance with Existing Guidance

• Develop concrete guidance and best practices

• Monitor agency compliance with data security guidance

• Protect portable storage and communications devices

Ensure Effective Risk-Based Responses to Data Breaches Suffered by Federal Agencies

• Issue data breach guidance to agencies

• Publish a “routine use” allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data

• Hold regional seminars for businesses on safeguarding information

• Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations

Initiate a Multi-Year Public Awareness Campaign

• Develop national awareness campaign

• Enlist outreach partners

• Increase outreach to traditionally underserved communities

• Establish “Protect Your Identity” Days

Develop Online Clearinghouse for Current Educational Resources

PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person’s identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factor authentication or layered security—would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication

• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity

• Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs

VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Identity theft can be committed despite a consumer’s best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.

Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims

• Train law enforcement officers

• Provide educational materials for first responders that can be used as a reference guide for identity theft victims

• Create and distribute an ID Theft Victim Statement of Rights

• Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims

• Conduct assessment of FACT Act remedies under FCRA

• Conduct assessment of state credit freeze laws

LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector

• Enhance ability of law enforcement to receive information from financial institutions

• Initiate discussions with financial services industry on countermeasures to identity theft

• Initiate discussions with credit reporting agencies on preventing identity theft

Coordination with Foreign Law Enforcement

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government’s Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist, Train, and Support Foreign Law Enforcement

Prosecution Approaches and Initiatives

Increase Prosecutions of Identity Theft

• Designate an identity theft coordinator for each United States Attorney’s Office to design a specific identity theft program for each district

• Evaluate monetary thresholds for prosecution

• Encourage state prosecution of identity theft

• Create working groups and task forces

Conduct Targeted Enforcement Initiatives

• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale

• Conduct enforcement initiatives focused on identity theft related to the health care system

• Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs

Gaps in Statutes Criminalizing Identity Theft

Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes

• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted

• Add new crimes to the list of predicate offenses for aggravated identity theft offenses

• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications

• Penalize creators and distributors of malicious spyware and keyloggers

• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Law Enforcement Training

Enhance Training for Law Enforcement Officers and Prosecutors

• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft

• Increase number of regional identity theft seminars

• Increase resources for law enforcement on the Internet

• Review curricula to enhance basic and advanced training on identity theft

Measuring the Success of Law Enforcement

Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft

• Gather and analyze statistically reliable data from identity theft victims

• Expand scope of national crime victimization survey

• Review U.S. Sentencing Commission data

• Track prosecutions of identity theft and resources spent

• Conduct targeted surveys

II The Contours of the Identity Theft Problem

Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.

Identity theft—the misuse of another individual’s personal information to commit fraud—can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.

Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain’s identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain’s name and with his Social Security number. The military identification, combined with the victim’s then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim’s name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim’s name.[4]

In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim’s existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim’s safe-deposit boxes.[5]

In these ways and others, consumers’ lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.

“I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver’s license was suspended. I hold three licenses in the State of Ohio—my driver’s license, my real estate license, and my RN license. After learning my driver’s license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter.”

Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003

A. PREVALENCE AND COSTS OF IDENTITY THEFT

There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.[6] While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.

Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly, but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.

In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.

In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.

Consumers’ fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.[7] Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.[8] Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.

B. IDENTITY THIEVES: WHO THEY ARE

Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC’s 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.

Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.

Individuals

According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners’ mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.[9]

A number of recent reports have focused on the connection between individual methamphetamine (“meth”) users and identity theft.[10] Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.[11] Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.

In an article entitled “Waitress Gets Own ID When Carding Patron,” the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver’s license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.

In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $181,517.05 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver’s license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.

Significant Criminal Groups and Organizations

Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups—including national gangs such as Hell’s Angels and MS-13—are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.

Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user’s Internet connection, without the user’s knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services—such as software templates for making counterfeit identification cards and payment card magnetic strip encoders—that make the stolen data even more valuable to those who have it.

C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE

Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim’s name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.

Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.

In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant’s accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an “unprecedented, wide-ranging, organized criminal enterprise” that “engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers.” The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.

The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.

Common Theft and Dumpster Diving

While often considered a “high tech” crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.[12] Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as “dumpster diving.”[13] Still others steal information using techniques no more sophisticated than purse snatching.

Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)[14] requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed—a measure that is intended, among other things, to reduce the ability of a “dumpster diver” to obtain a victim’s credit card number simply by looking through that victim’s discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.[15]

Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice

A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.

Employee/Insider Theft

Dishonest insiders can steal sensitive consumer data by removing paper documents from a worksite or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee’s access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.

Electronic Intrusions or Hacking

Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.[16] Several recent government enforcement actions have targeted this type of data theft.

Second, hackers also can gain access to underlying applications—programs used to “communicate” between Internet users and a company’s internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.[17] It is often difficult to detect the hacker’s application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.

According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.

Social Engineering: Phishing, Malware/Spyware, and Pretexting

Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as “social engineering,” can take a variety of forms.

In December 2003 the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies procedures systems and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes Deficiencies in the institutionrsquos screening practices came to light through the OCCrsquos review of the former employeersquos activities

In December 2004 a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowersquos Corpora-tion to process credit card transactions To carry out this scheme the defendant and at least one other person secretly compromised the wireless network at a Lowersquos retail store in Michigan and gained access to Lowersquos central computer system The defendant then installed a computer program de-signed to capture customer credit card information on the computer system of several Lowersquos retail stores After an FBI investigation of the intrusion the defendant and a confederate were charged

Phishing: “Phishing” is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to “reenter” or “validate” their personal data. Such phishing schemes often mimic financial institutions’ websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed “vishing,” in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18
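The pattern described above (mail that claims a known institution, a link that leads somewhere else, and a demand to verify, validate or reenter personal data) can be screened for on the receiving side. The following Python sketch is an added example, not part of the Task Force report; the finding codes, the sample messages and the `creditunion.example` domain are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Wording the report describes in phishing mail: a demand to "verify",
# "validate" or "reenter" data, aimed at identifiers such as PIN or SSN.
ACTION_RE = re.compile(r"\b(verify|validate|re-?enter)\b", re.I)
DATA_RE = re.compile(r"\b(ssn|social security|pin|account number|password)\b", re.I)
# A host name written out in the visible text of a link.
TEXT_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")

# Constructed sample bodies (reserved .example names, TEST-NET address).
PHISHING_SAMPLE = """<p>Dear member, your account will be closed unless you
verify your account number, PIN and SSN today.</p>
<p><a href="http://192.0.2.10/login">www.creditunion.example</a></p>"""
LOOKALIKE_SAMPLE = """<p>To keep Internet banking active, validate your password.</p>
<a href="https://creditunion.example.login-check.example/validate">Validate now</a>"""
LEGIT_SAMPLE = """<p>Your statement is ready. We will never ask for your PIN by email.</p>
<a href="https://www.creditunion.example/notices">View notices</a>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a>, plus all body text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.body_text = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.body_text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def under_domain(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def review_email(html_body, sender_domain):
    """Return a sorted list of finding codes for one HTML message body."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = set()
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        if not host:
            continue
        # Suffix match, not substring: "creditunion.example.evil.example"
        # is not under "creditunion.example".
        if not under_domain(host, sender_domain):
            findings.add("link-outside-sender-domain")
        if is_ip_literal(host):
            findings.add("ip-literal-host")
        shown = TEXT_HOST_RE.search(text.lower())
        if shown:
            shown_host = shown.group(1)
            if not (under_domain(host, shown_host) or under_domain(shown_host, host)):
                findings.add("text-destination-mismatch")
    body = " ".join(parser.body_text)
    if ACTION_RE.search(body) and DATA_RE.search(body):
        findings.add("requests-personal-data")
    return sorted(findings)


if __name__ == "__main__":
    for name, sample in [("phishing", PHISHING_SAMPLE),
                         ("lookalike", LOOKALIKE_SAMPLE),
                         ("legitimate", LEGIT_SAMPLE)]:
        print(name, review_email(sample, "creditunion.example"))
```

A message with no findings is not thereby trustworthy; the checks only surface the specific traits the paragraph describes.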

Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users’ computers and data without the users’ permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user’s Internet sessions back to the hacker, including usernames and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims’ passwords and other useful data—such as “sniffing” Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.

“Phishing” Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group

At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS’s website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.

Pretexting: Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer’s account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer’s name.20

Stolen Media

In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an “incidental” manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded—such as through the use of technological tools for protecting data—this information can be accessed and used to steal the victim’s identity. Identity thieves also may obtain consumer data when it is lost or misplaced.

Failure to “Know Your Customer”

Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.

The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.

Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.

In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.

“Skimming”

Because it is possible to use someone’s credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as “skimmers.” A skimmer is an inexpensive electronic device with a slot through which a person passes or “skims” a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer’s sight, he can skim the card through the device and then swipe it through the restaurant’s own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer’s card, as well as the consumer’s password.

D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT

Once they obtain victims’ personal information, criminals misuse it in endless ways, from opening new accounts in the victim’s name, to accessing the victim’s existing accounts, to using the victim’s name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.

Misuse of Existing Accounts

Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer’s wallet.


A “skimmer.” Source: Durham, Ontario Police

In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.


Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims’ bank accounts, including checking accounts—sometimes referred to as “account takeovers.”24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims’ online brokerage accounts.25

Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26

New Account Fraud

A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim’s name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.

Criminal’s skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer’s keystrokes. Source: University of Texas Police Department

In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor’s Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.


When criminals establish new credit card accounts in others’ names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others’ names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.

“Brokering” of Stolen Data

Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as “carding sites,” traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.

Immigration Fraud

In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.

Medical Identity Theft

Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim’s identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.


Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney’s Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver’s licenses, credit, or even medical services because someone had improperly used their personal information before.


Other Frauds

Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS’s Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.

With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services’ Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.

Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney’s Office for the Southern District of New York obtained a criminal conviction against him in 2002.

In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant’s allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.

A STRATEGY TO COMBAT IDENTITY THEFT

III. A Strategy to Combat Identity Theft

Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its “life cycle,” it must be attacked at each of those stages, including:

when the identity thief attempts to acquire a victim’s personal information;

when the thief attempts to misuse the information he has acquired; and

after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

The federal government’s strategy to combat identity theft must address each of these stages by:

keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;

making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;

assisting victims in recovering from the crime; and

deterring identity theft by aggressively prosecuting and punishing those who commit the crime.

A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force’s recommendations, as described below, are focused on those areas.

A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as “perfect security,” some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.

The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.29 Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.

1. Decreasing the Unnecessary Use of Social Security Numbers

The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim’s SSN and certain other information generally can open accounts or obtain other benefits in the victim’s name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.

SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers’ earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes is expressly authorized by statute.

The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.

Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students’ identification number for a range of purposes, from administering loans to tracking grades, and may place it on students’ identification cards, although usage for these purposes is declining.

In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver’s licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.

SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.30 Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.

No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations’ disclosure of SSNs without patient authorization; and the Driver’s Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 “permissible uses.”31 In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.32 A number of state statutes restrict the use and display of SSNs in certain contexts.33 Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.34

There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.

Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization’s internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN’s use as an authenticator.
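One way an organization could move its internal records from SSN keys to identifiers it generates itself, sketched in Python as an added example that is not part of the Task Force report. The class and function names, the record fields and the sample rows are hypothetical; the design keeps the SSN only in a separate restricted table for the uses that legally require it, matches incoming SSNs through a keyed HMAC index rather than a plaintext scan, and masks the number wherever it is displayed.

```python
import hashlib
import hmac
import re
import secrets

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")

# Constructed legacy rows that use the SSN as the record key. Area number 000
# is never assigned, so these values cannot belong to a real person.
LEGACY_ROWS = [
    {"ssn": "000-12-3456", "name": "A. Example", "grade": "GS-9"},
    {"ssn": "000-98-7654", "name": "B. Example", "grade": "GS-12"},
    {"ssn": "000123456", "name": "A. Example", "grade": "GS-9"},  # same person
]


def normalize_ssn(raw):
    """Return the nine digits of an SSN-shaped string, or raise ValueError."""
    match = SSN_RE.match(raw.strip())
    if not match:
        raise ValueError("value is not SSN-shaped")
    return "".join(match.groups())


def mask_ssn(raw):
    """Display form that reveals only the last four digits."""
    return "XXX-XX-" + normalize_ssn(raw)[-4:]


def new_employee_id(existing):
    """Random identifier with no relation to the SSN or any personal data."""
    while True:
        candidate = "E" + secrets.token_hex(5).upper()
        if candidate not in existing:
            return candidate


class IdentityStore:
    def __init__(self, index_key):
        self._index_key = index_key  # secret key for the blind index
        self.records = {}            # employee_id -> working record, no SSN
        self._restricted = {}        # employee_id -> SSN; assumed to be
                                     # encrypted and access-controlled in a
                                     # real deployment
        self._index = {}             # HMAC(SSN) -> employee_id

    def _blind(self, ssn):
        digest = hmac.new(self._index_key, ssn.encode(), hashlib.sha256)
        return digest.hexdigest()

    def enroll(self, name, raw_ssn, **attrs):
        ssn = normalize_ssn(raw_ssn)
        tag = self._blind(ssn)
        if tag in self._index:       # already enrolled: reuse the same ID
            return self._index[tag]
        emp_id = new_employee_id(self.records)
        self.records[emp_id] = {"employee_id": emp_id, "name": name, **attrs}
        self._restricted[emp_id] = ssn
        self._index[tag] = emp_id
        return emp_id

    def find_by_ssn(self, raw_ssn):
        """Match an incoming SSN to a record without scanning stored SSNs."""
        return self._index.get(self._blind(normalize_ssn(raw_ssn)))

    def hr_view(self, emp_id):
        """Routine screens and ID cards get the masked value only."""
        return {**self.records[emp_id], "ssn": mask_ssn(self._restricted[emp_id])}

    def tax_report_row(self, emp_id, authorized):
        """Full SSN is released only for a use that requires it."""
        if not authorized:
            raise PermissionError("full SSN is limited to authorized reporting")
        ssn = self._restricted[emp_id]
        return (self.records[emp_id]["name"], f"{ssn[:3]}-{ssn[3:5]}-{ssn[5:]}")


def migrate(legacy_rows, store):
    """Re-key legacy rows; returns the new employee ID for each input row."""
    ids = []
    for row in legacy_rows:
        attrs = {k: v for k, v in row.items() if k not in ("ssn", "name")}
        ids.append(store.enroll(row["name"], row["ssn"], **attrs))
    return ids


if __name__ == "__main__":
    store = IdentityStore(secrets.token_bytes(32))
    for emp_id in dict.fromkeys(migrate(LEGACY_ROWS, store)):
        print(store.hr_view(emp_id))
```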

In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA’s Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.


Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber’s identification number.35 Additionally, the Department of Treasury’s Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.

More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.

RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR

To limit the unnecessary use of SSNs in the public sector—and to begin to develop alternative strategies for identity management—the Task Force recommends the following:

Complete Review of Use of SSNs. As recommended in the Task Force’s interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers, where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in “any system of permanent account numbers pertaining to individuals,” should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.

When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim’s name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief’s medical information was added to the victim’s medical records.


Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.

Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.36

Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB’s review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices—including the development of any alternative strategies for identity management—to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.

Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments—through organizations such as the National Governor’s Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems—to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders—including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.

2. Data Security in the Public Sector

While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.

a. Safeguarding of Information in the Public Sector

Two sets of laws and associated policies frame the federal government’s responsibilities in the area of data security. The first specifically governs the federal government’s information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.37 The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a “time-out” function for remote access and mobile devices.38 The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.39

Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President’s Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.40

Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.

Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.

b. Responding to Data Breaches in the Public Sector

Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.

The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.

RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE

To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:

Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 “mistakes” to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.

Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency’s quarterly PMA Scorecard.

Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency’s PMA scorecard.

RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES

To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:

Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.

Publish a “Routine Use” Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.41 DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.

3. Data Security in the Private Sector

Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.

a. The Current Legal Landscape

Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;42 Section 5 of the FTC Act, which prohibits unfair or deceptive practices;43 the FCRA,44 which restricts access to consumer reports and imposes safe disposal requirements, among other things;45 HIPAA, which protects health information;46 Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,47 which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers’ personal information.48 See Volume II, Part A, for a description of federal laws and regulations related to data security.

The federal bank regulatory agencies—the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)—and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation.

BJ’s Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ’s stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers and led to millions of dollars in fraudulent charges.


In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.

In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,49 and some states have laws relevant to data security, including safeguards and disposal requirements.

Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.50

Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution’s sensitive data to safeguard that data.51 Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor’s data center, and requiring vendors to provide certification that they are in compliance with the contracting organization’s privacy and data protection obligations.52

b. Implementation of Data Security Guidelines and Rules

Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.

In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company’s website permitted unauthorized access to consumers’ personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.

In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.

Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.53 But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.54 The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.55

Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.56 For example, of the small businesses surveyed:

• nearly 20 percent did not use virus scans for email, a basic information security safeguard;

• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;

• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and

• 74 percent reported having no information security plan in place.

Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies—sometimes pursuant to law or regulations issued by agencies—are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.

In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company’s security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.

c. Responding to Data Breaches in the Private Sector

Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers’ fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.57 Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.58 Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.

The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.

A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.

In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.

Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.59 Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.60 A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.61 Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.62

RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS

Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to “financial institutions,” but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles:

Covered data. The national standards for data security and for breach notification should cover data that can be used to perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual’s account, or to establish a new account using the individual’s identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver’s license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter “covered data”). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.

When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.

Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.

Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent “acquisition” of the data, and thus ordinarily would satisfy an entity’s legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.

Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This “significant risk of identity theft” trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real.

Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).

Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.

Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.

Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.

Private right of action. The national standards should not provide for or create a private right of action.

Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.

RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA

Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately, is less likely to suffer a data compromise. The Task Force therefore makes the following recommendations concerning how to better educate the private sector:

When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.

Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar’s leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force’s online clearinghouse at www.idtheft.gov.

Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook’s Information Security Booklet, issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.

RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS

Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.

A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company’s cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.


4. Educating Consumers on Protecting Their Personal Information

The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.

The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of “Deter, Detect, and Defend,” which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.

The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.

Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims’ coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted “Consumer Action Days,” with free seminars about identity theft and other consumer protection issues.

Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.64 As of this writing, more than 500 local police departments are using the FTC’s “Deter, Detect, Defend” campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.

Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons—including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms—students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.65 In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.66

Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide—how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath—are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.

RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN

Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC’s current “AvoID Theft: Deter, Detect, Defend” campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:

Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.

Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.

Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.

Establish “Protect Your Identity Days.” The campaign should establish “Protect Your Identity Days” to promote better data security by businesses and individual commitment to security by consumers. These “Protect Your Identity Days” should also build on the popularity of community “shred-ins” by encouraging community and business organizations to shred documents containing personal information.

RECOMMENDATION: DEVELOP AN ONLINE “CLEARINGHOUSE” FOR CURRENT EDUCATIONAL RESOURCES

The Task Force recommends that in the third quarter of 2007, the Task Force member agencies develop an online “clearinghouse” for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.

B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.

An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision, and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer’s credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to “verify” the applicant’s identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.

Identity systems follow a two-fold process: first, determining (“identification”) and setting (“enrollment”) the identity of an individual at the onset of the relationship; and second, later ensuring that the individual is the same person who was initially enrolled (“authentication”). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, “financial institutions”), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.67 The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.68 See Volume II, Part G, for a description of recent laws relating to identification documents.

The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.69

Once an individual’s identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:

• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer’s monthly mortgage payment.

• Something a person has—most commonly a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.70

• Something a person is—most commonly a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.71

Some entities use a single form of authentication—most commonly a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.72 Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.73 Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.
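An added example, not part of the Task Force report: a step-up check that counts distinct credential categories (knows, has, is) rather than the number of credentials, so a password plus a knowledge question still counts as a single factor. The credential catalogue, transaction names and risk tiers are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWS = "something a person knows"
    HAS = "something a person has"
    IS = "something a person is"


# Assumed credential catalogue: each credential type counts toward one category.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWS,
    "knowledge_question": Factor.KNOWS,  # e.g. exact monthly mortgage payment
    "usb_token": Factor.HAS,
    "smart_card": Factor.HAS,
    "password_generator": Factor.HAS,
    "fingerprint": Factor.IS,
    "iris": Factor.IS,
}

# Assumed risk tiers: distinct categories required for each transaction type.
REQUIRED_FACTORS = {
    "view_balance": 1,
    "wire_transfer": 2,
    "change_mailing_address": 2,
}
DEFAULT_REQUIRED = 2  # unknown transaction types fail closed to the high-risk tier


@dataclass(frozen=True)
class Decision:
    allowed: bool
    presented: frozenset  # distinct Factor categories that were verified
    step_up: frozenset    # categories that would add a new factor if requested
    ignored: tuple        # credential types missing from the catalogue


def evaluate(transaction, verified_credentials):
    """Decide whether the verified credentials are enough for this transaction."""
    presented = set()
    ignored = []
    for cred in verified_credentials:
        factor = CREDENTIAL_FACTOR.get(cred)
        if factor is None:
            ignored.append(cred)  # never let an unrecognised credential count
        else:
            presented.add(factor)
    required = REQUIRED_FACTORS.get(transaction, DEFAULT_REQUIRED)
    allowed = len(presented) >= required
    step_up = frozenset() if allowed else frozenset(Factor) - presented
    return Decision(allowed, frozenset(presented), step_up, tuple(ignored))


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("view_balance", ["password"]),
        ("wire_transfer", ["password", "knowledge_question"]),
        ("wire_transfer", ["password", "usb_token"]),
        ("close_account", ["password"]),
    ]
    for txn, creds in samples:
        d = evaluate(txn, creds)
        needs = sorted(f.name for f in d.step_up)
        print(f"{txn:14} {creds} -> allowed={d.allowed} step_up={needs}")
```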

SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.

RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION

Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.

As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

As noted in Section III A 1, above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.

C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.

1. Victim Assistance: Outreach and Education

Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.

In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.

Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.

Fair and Accurate Credit Transaction Act (FACT Act) Rights

The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.

Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:

• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.

• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.

• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.

• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.

• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.

State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General’s office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.

A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.

Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.

RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS

First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:

Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.

Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.

Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.

Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.

RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS

Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:

Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.

2. Making Identity Theft Victims Whole

Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.

The many hours victims spend in attempting to recover from the harms they suffer often take a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.

“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”

Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001

In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.74 In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.

RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED

Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.

As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.

RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES

One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents or “passports” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.

3. Gathering Better Information on the Effectiveness of Victim Recovery Measures

Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims’ experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.

RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS

The Task Force recommends the following surveys or assessments:

Conduct Assessment of FACT Act Remedies Under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.

Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policy makers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.

D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.

The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.

In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.

In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.

During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute,75 enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.

The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.

1. Coordination and Intelligence/Information Sharing

Federal law enforcement agencies have recognized the importance of coordination among agencies, and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.

In "Operation Firewall," the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar. Using the website www.shadowcrew.com, the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents, such as drivers' licenses, passports, and Social Security cards, as well as stolen credit card, debit card, and bank account numbers. The Shadowcrew members trafficked in at least 1.7 million stolen credit card numbers and caused total losses in excess of $4 million. The Secret Service successfully shut down the website following a year-long undercover investigation, which resulted in the arrests of 21 individuals in the United States on criminal charges in October 2004. Additionally, law enforcement officers in six foreign countries arrested or searched eight individuals.

a. Sources of Identity Theft Information

Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement through a secure website the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.

Private sector entities, including the financial services industry and credit reporting agencies, also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.

One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient "stove-piping" of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.

b. Format for Sharing Information and Intelligence

A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program's terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.

To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police's (IACP) Private Sector Liaison Committee and the Major Cities' Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.

c. Mechanisms for Sharing Information

Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.

Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.

Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers "connect the dots" in investigations and pool limited resources.

RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER

The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to "connect the dots" between various investigations around the country.

In a case prosecuted by the United States Attorney's Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.

RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM

The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC: a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department's report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.

Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint ("Complaint") form was made available in October 2006 via the FTC's Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC's Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.

RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR

Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:

Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service's current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim's credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.

2. Coordination With Foreign Law Enforcement

Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.

Because of the international nature of many forms of identity theft, providing assistance to, and receiving assistance from, foreign law enforcement on identity theft is critical for U.S. enforcement agencies. Under current law, the United States generally is able to provide such assistance, which fulfills our obligations under various treaties and enhances our ability to obtain reciprocal assistance from foreign agencies. Indeed, there are numerous examples of collaborations between U.S. and foreign law enforcement in identity theft investigations.

Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country's law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.

Second, certain statutes governing foreign requests for electronic and other evidence, specifically 18 U.S.C. § 2703 and 28 U.S.C. § 1782, fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.

The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.

RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT

The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.

RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE

Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention's standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings and should continue until broad international acceptance of the Convention on Cybercrime is achieved.

RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES

Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.

RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT'S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT

The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).

RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT

Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.

3. Prosecution Approaches and Initiatives

As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney's Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney's Office in the District of Oregon has an identity theft "fast track" program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney's Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.

Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney's Offices have monetary thresholds (i.e., requirements that a certain amount of monetary loss must have been suffered by the victims) before the U.S. Attorney's Office will open an identity theft case. When a U.S. Attorney's Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.

RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT

The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:

Designate An Identity Theft Coordinator for Each United States Attorney's Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney's Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.

Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney's Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.

Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.

Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.

RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES

Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:

Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals' SSNs or other sensitive information to anyone who provides them with the individual's name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.

Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries' and providers' identities and identification numbers, the opening of bank accounts in individuals' names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers, can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.

Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.

RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS

By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.

4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps

Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.

a. The Identity Theft Statutes

The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.76 Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.

There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of "a person," it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization's name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.

b. Computer-Related Identity Theft Statutes

Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company's internal local networks, or by a thief intruding into a wireless network, generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer's wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney's Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.

A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause "damage" to computers, i.e., that impair the "integrity or availability" of data or computer systems.77 Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals' computers. Whether the programs succeed in obtaining the unsuspecting computer owner's financial data, these sorts of programs harm the "integrity" of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.

c. Cyber-Extortion Statute

Another federal criminal statute that may apply in some computer-related identity theft cases is the "cyber-extortion" provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat "to cause damage to a protected computer,"78 is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first, such as by accessing a corporate computer without authority and encrypting critical data, and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly "threaten to cause damage" can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.

d. Sentencing Guidelines Governing Identity Theft

In recent years, the courts have created some uncertainty about the applicability of the “multiple victim enhancement” provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.79

RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES

The Task Force recommends that Congress take the following legislative actions:

Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.

Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases – mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A – in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.

Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.

Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant’s action must cause “damage” to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.

Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.

RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF’S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM

The Sentencing Commission should amend the definition of “victim,” as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.

5. Training of Law Enforcement Officers and Prosecutors

Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney’s Offices, for example, several federal law enforcement agencies – including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI – along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.

Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges – including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft – that warrant more specialized training at all levels of law enforcement.

RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS

Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ’s Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any “model programs” – fast track programs, etc.).

Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.

Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.

Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.

6. Measuring Success of Law Enforcement Efforts

One shortcoming in the federal government’s ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.

Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.

RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM’S RESPONSE TO IDENTITY THEFT

Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.

Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.

Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.

Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an “Identity Theft” category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.

Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.

IV. Conclusion: The Way Forward

There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.

Only a comprehensive and fully coordinated strategy to combat identity theft – one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector – will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders – consumers, business, and government – must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well being.

Appendices

APPENDIX A
Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol

APPENDIX B
Proposed Routine Use Language

Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12,990, 12,993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28,948, 28,953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information – a use that is in the best interest of both the individual and the public.

Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:80

To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.

Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130 – Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.

APPENDIX C
Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)

Proposed Language

(a) Section 3663 of Title 18, United States Code, is amended by:

(1) Deleting “and” at the end of paragraph (4) of subsection (b);

(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “; and”; and

(3) Adding the following after paragraph (5) of subsection (b):

“(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”

Make conforming changes to the following:

(b) Section 3663A of Title 18, United States Code, is amended by:

(1) Adding the following after Section 3663A(b)(4):

“(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”

Section Analysis

These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim’s time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim’s time spent clearing a victim’s credit report or resolving charges made by the perpetrator for which the victim has been made responsible.

New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear that restitution orders may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense. The federal courts of appeals have interpreted the existing provisions of Section 3663 in such a way that would likely preclude the recovery of such amounts, absent explicit statutory authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th Cir. 1990), the court held that restitution ordered for offenses resulting in loss of property must be limited to recovery of property which is the subject of the offenses, and may not include consequential damages. Similarly, in United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held that the list of compensable expenses in a restitution statute is exclusive, and thus the district court did not have the authority to order the defendant to pay restitution to compensate the victim for mental anguish and suffering. Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court held that restitution was not allowed for consequential damages involved in determining the amount of loss or in recovering those funds; thus, a victim of wire fraud was not entitled to restitution for accounting fees and costs to reconstruct bank statements for the time period during which the defendant perpetuated the scheme, for the cost of temporary employees to reconstruct monthly bank statements, and for the costs incurred in borrowing funds to replace stolen funds. These new subsections will provide statutory authority for inclusion of amounts equal to the value of the victim’s time reasonably spent remediating the harm incurred as a result of the identity theft offense.

APPENDIX D
Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512

The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.

Proposed Language

§ 2703. Required disclosure of customer communications or records

(a) Contents of wire or electronic communications in electronic storage – A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

(b) Contents of wire or electronic communications in a remote computing service – (1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection –

(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or

(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity –

(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or

(ii) obtains a court order for such disclosure under subsection (d) of this section;

except that delayed notice may be given pursuant to section 2705 of this title.

(c) Records concerning electronic communication service or remote computing service – (1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity –

(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;

§ 2711. Definitions for chapter

As used in this chapter –

(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;

(2) the term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system; and

(3) the term “court of competent jurisdiction” has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means –

(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that –

(i) has jurisdiction over the offense being investigated;

(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or

(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.

§ 3127. Definitions for chapter

As used in this chapter –

(1) the terms “wire communication”, “electronic communication”, “electronic communication service”, and “contents” have the meanings set forth for such terms in section 2510 of this title;

(2) the term “court of competent jurisdiction” means –

(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that –

(i) has jurisdiction over the offense being investigated;

(ii) is in or for a district in which the provider of electronic communication service is located;

(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or

(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device.

§ 3512. Foreign requests for assistance in criminal investigations and prosecutions

(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.

(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –

(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;

(2) administer any necessary oath; and

(3) take testimony or statements and receive documents or other things.

(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –

(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;

(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents, or things may be located; or

(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.

(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.

(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.

(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.

(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.

(h) As used in this section –

(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and

(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.

APPENDIX E
Text of Amendments to 18 U.S.C. §§ 1028 and 1028A

The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.

Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses

Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically, mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A – in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).

Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations

(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “or other person” after the word “individual”.

Rationale

Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized “appropriation” of legitimate companies’ names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation; sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy; and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.

One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as “phishing,” whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme – for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.

Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special “horror story” which stands above the rest. In August 2005, the “Anti-Phishing Working Group” determined in just that month alone, there were 5,259 unique phishing websites around the world. By December 2005, that number had increased to 7,197, and there were 15,244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities’ names (and even logos and web content) were “hijacked” (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., http://antiphishing.org/apwg_phishing_activity_report_august_05.pdf.

In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks and companies’ names in communications with victims or in counterfeit checks.

Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code, to apply only to “natural” persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.

APPENDIX F
Text of Amendment to 18 U.S.C. § 1030(a)(2)

The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

1030(a) Whoever –

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains –

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer if the conduct involved an interstate or foreign communication;

APPENDIX G: Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b

The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

18 U.S.C. § 1030

(a) Whoever—

(5)

(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and

(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(iii) physical injury to any person;

(iv) a threat to public health or safety; or

(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;

(c) The punishment for an offense under subsection (a) or (b) of this section is—

(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(3) (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;

(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;

(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section; and

(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and

(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.

(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(iii) physical injury to any person;

(iv) a threat to public health or safety;

(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or

(vi) damage affecting ten or more protected computers during any 1-year period;

or an attempt to commit an offense punishable under this subparagraph;

(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph;

(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both;

(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both; or

(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph.

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

18 U.S.C. § 2332b(g)(5)(B)(I)

1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)

APPENDIX H: Text of Amendments to 18 U.S.C. § 1030(a)(7)

The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.

Proposed Language

18 U.S.C. § 1030(a)(7)

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any–

(a) threat to cause damage to a protected computer;

(b) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or

(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;

APPENDIX I: Text of Amendment to United States Sentencing Guideline § 2B1.1

The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.

Proposed language for United States Sentencing Guidelines § 2B1.1, comment. (n.1)

“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.

APPENDIX J: Description of Proposed Surveys

In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:

• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.

• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3,000 agencies. The sample includes all agencies with 100 or more officers, and a stratified random sample of smaller agencies, as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.

• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft, as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.

• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the post conviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.

• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.

• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.

ENDNOTES

1. Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.

2. The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.

3. The public comments are available at www.idtheft.gov.

4. Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”

5. See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at httpwwwusdojgovusaomiwpressJMiller_ Others10172006html

6. Javelin Strategy and Research, 2007 Identity Fraud Survey Report: Identity Fraud is Dropping, Continued Vigilance Necessary (Feb. 2007), summary available at http://www.javelinstrategy.com; Bureau of Justice Statistics (DOJ) (2004), available at httpwwwojpusdojgovbjspubpdfit04pdf; Gartner, Inc. (2003), available at httpwwwgartnercom5_aboutpress_releasespr21july2003ajsp; FTC 2003 Survey Report (2003), available at httpwwwconsumergovidtheftpdf synovate_reportpdf

7. See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection, BSA Survey Suggests (Jan. 12, 2006), available at httpwwwbsacybersafetycomnews2005-Online-Shopping-Confidencecfm

8. See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at httpswwwcsiallianceorgpublicationssurveys_and_pollsCSIA_Internet_Security_Survey_June_2005pdf

9. See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at httpwwwusdojgovusaoflsPressReleases060719-01html

10. See, e.g., John Leland, Meth Users, Attuned to Detail, Add Another Habit: ID Theft, New York Times, July 11, 2006, available at httpwwwnytimescom20060711us11methhtmlex=1153540800ampen=7b6c7773afa880beampei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit: Online Theft, USA Today, December 14, 2005, available at httpwwwusatodaycomtechnewsinternetprivacy2005-12-14-meth-online-theft_xhtm

11. Bob Mims, Id Theft Is the No. 1 Runaway U.S. Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526.

12. Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, httpdeseretnewscomdnview0124960012971400html

13. Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at httpwwwnytimescom20031221magazine21IDENTITYhtmlex=1387342800ampen=b693eef01223bc3bampei=5007amppartner=USERLAND

14. Pub. L. No. 108-159, 117 Stat. 1952.

15. The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).

16. Overview of Attack Trends, CERT Coordination Center 2002, available at httpwwwcertorgarchivepdfattack_trendspdf

17. Lanowitz, T., Gartner Research ID Number G00127407, December 1, 2005.

18. “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at httpwwwconsumeraffairscomnews04200607scam_vishinghtml

19. Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal: Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See httpwwwftcgovopa200605phonerecordshtm

20. The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at httpwwwftcgovopa200203pretextingsettlementshtm

21. See, e.g., Computers Stolen with Data on 72,000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.

22. 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a).

23. Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.

24. See httpwwwbizjournalscomphiladelphiastories20060724daily30html; See also Identity Theft Resource Center, Fact Sheet 126: Checking Account Takeover and Check Fraud, httpwwwidtheftcenterorgvg126shtml

25. For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37,000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at httpwwwsecgovlitigationlitreleases2006lr19949htm

26. For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.

27. See John Leland, Some ID Theft Is Not For Profit, But to Get a Job, N.Y. Times, Sept. 4, 2006.

28. See World Privacy Forum, Medical Identity Theft: The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforumorgpdfwpf_medicalidtheft2006pdf

29. See httpwwwidanalyticscomnews_and_events20051208htm. Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.

30. Government Accounting Office, Social Security Numbers: Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004), at 2, available at httpwwwgaogovnewitemsd0559pdf

31. 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.

32. 5 U.S.C. § 552a.

33. See, e.g., Ariz. Rev. Stat. § 44-1373.

34. Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain, GAO-05-1016T, September 15, 2005.

35. See, e.g., wwwwpsiccomedicomm_sub_pshtmlmm=3, Non-SSN Member Numbers to Be Assigned for Privacy Protection.

36. Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.

37. The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”

38. See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).

39. The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.

40. See httpwwwwhitehousegovresultsagendascorecardhtml

41. The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.

42. 15 U.S.C. §§ 6801-09; 16 C.F.R. Part 313 (FTC); 12 C.F.R. Part 30, App. B (OCC, national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 C.F.R. Part 364, App. B (FDIC, state non-member banks); 12 C.F.R. Part 570, App. B (OTS, savings associations); 12 C.F.R. Part 748, App. A (NCUA, credit unions); 16 C.F.R. Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 C.F.R. Part 248.30 (SEC); 17 C.F.R. Part 160.30 (CFTC).

43. 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.

44. 15 U.S.C. §§ 1681-1681x, as amended.

45. Pub. L. No. 108-159, 117 Stat. 1952.

46. 42 U.S.C. §§ 1320d et seq.

47. 31 U.S.C. § 5318(l).

48. 18 U.S.C. §§ 2721 et seq.

49. httpwwwncslorgprogramsliscipprivbreachlawshtm

50. httpwwwbbborgsecurityandprivacySecurityPrivacyMadeSimplerpdf; wwwstaysafeonlineorgbasicscompanybasic_tipshtml; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at wwwbitsinfoorgdownloadsPublications20Pagebitsconsconpdf; wwwrealtororgrealtororgnsffilesNARInternetSecurityGuidepdf$FILENARInternetSecurityGuidepdf; wwwantiphishingorgreportsbestpracticesforispspdf; wwwuschambercomsbsecuritydefaulthtm; wwwtrusteorgpdfSecurityGuidelinespdf; wwwthe-dmaorgprivacyinformationsecurityshtml; httpwwwstaysafeonlineorgbasicscompanybasic_tipshtml

51. These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A and B, and 12 C.F.R. Part 717 (credit unions); 16 C.F.R. Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).

52. See, e.g., httpwwwtrusteorgpdfSecurityGuidelinespdf; httpwwwthe-dmaorgprivacyinformationsecurityshtml

53. Deloitte Financial Services, 2006 Global Security Survey, available at httpsingerucusnetblogarchives756-Deloitte-Security-Surveyshtml

54. Datalink, Data Storage Security Study, March 2006, available at wwwdatalinkcomsecurity

55. Id.

56. See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).

57. See, e.g., California (Cal. Civ. Code § 1798.82 (2006)); Illinois (815 Ill. Comp. Stat. 530/5 (2005)); Louisiana (La. Rev. Stat. 51:3074 (2006)); Rhode Island (R.I. Gen. Laws § 11-49.2-3 (2006)).

58. See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)); Florida (Fla. Stat. § 817.5681 (2005)); New York (NY CLS Gen. Bus. § 889-aa (2006)); Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).

59. Ponemon Institute LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, p. 16 (Apr. 26, 2006).

60. Id.

61. Ponemon Institute LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).

62. MultiChannel Merchant, Retailers Need to Provide Greater Data Security, Survey Says (Dec. 1, 2005), available at httpmultichannelmerchantcomopsandfulfillmentadvisorretailers_data_security_1201indexhtml

63. See Information Technology Examination Handbook’s Information Security Booklet, available at httpwwwffiecgovguideshtm

64. See, e.g., httpwwwpvkansascompolicecrimeiden_theftshtml (Prairie Village, Kansas); httpphoenixgovPOLICEdcd1html (Phoenix, Arizona); wwwcoarapahoecousdepartmentsSHindexasp (Arapahoe County, Colorado).

65. Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.

66. Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.

67. See 31 C.F.R. § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 C.F.R. § 103.122 (broker-dealers); 17 C.F.R. § 270.0-11, 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers).

68. See httpwwwdhsgovxprevprotlawsgc_1172765386179shtm

69. A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.

Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages before too much harm is done. See 71 Fed. Reg. 40786 (July 18, 2006), to be codified at 12 C.F.R. Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 C.F.R. Part 681 (FTC), available at httpwwwoccgovfrfedregister71fr40786pdf

70. USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information such as a PIN to allow access to a computer network. This system is frequently used to allow for remote access to a workstation for a telecommuter.

71. Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at www.biometrics.gov.

72. See Authentication in an Internet Banking Environment (October 12, 2005), available at httpwwwffiecgovpdfauthentication_guidancepdf

73. See FFIEC Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at httpwwwffiecgovpdfauthentication_faqpdf

74. See Kristin Davis and Jessica Anderson, But Officer, That Isn’t Me, Kiplinger’s Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va. Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).

75. 18 U.S.C. § 1028A.

76. 18 U.S.C. § 1028(d)(7).

77. See 18 U.S.C. § 1030(e)(8).

78. 18 U.S.C. § 1030(a)(7).

79. S. Rep. No. 105-274, at 9 (1998).

80. As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.

Page 3: The President’s Identity Theft Task Force CombatingIDENTITY THEFT

D Law Enforcement: Prosecuting and Punishing Identity Thieves 52

1 Coordination and Intelligence/Information Sharing 53

a Sources of Identity Theft Information 54

b Format for Sharing Information and Intelligence 55

c Mechanisms for Sharing Information 55

2 Coordination with Foreign Law Enforcement 58

3 Prosecution Approaches and Initiatives 62

4 Statutes Criminalizing Identity-Theft Related Offenses: The Gaps 65

a The Identity Theft Statutes 65

b Computer-Related Identity Theft Statutes 66

c Cyber-Extortion Statute 66

d Sentencing Guidelines Governing Identity Theft 67

5 Training of Law Enforcement Officers and Prosecutors 69

6 Measuring Success of Law Enforcement Efforts 70

IV Conclusion: The Way Forward 72

APPENDICES

Appendix A: Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol 73

Appendix B: Proposed Routine Use Language 83

Appendix C: Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b) 85

Appendix D: Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512 87

Appendix E: Text of Amendments to 18 U.S.C. §§ 1028 and 1028A 91

Appendix F: Text of Amendment to 18 U.S.C. § 1032(a)(2) 93

Appendix G: Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. 2332b 94

Appendix H: Text of Amendments to 18 U.S.C. § 1030(a)(7) 97

Appendix I: Text of Amendment to United States Sentencing Guideline § 2B1.1 98

Appendix J (Description of Proposed Surveys) 99

ENDNOTES 101


Glossary of Acronyms

AAMVA – American Association of Motor Vehicle Administrators

AARP – American Association of Retired Persons

ABA – American Bar Association

APWG – Anti-Phishing Working Group

BBB – Better Business Bureau

BIN – Bank Identification Number

BJA – Bureau of Justice Assistance

BJS – Bureau of Justice Statistics

CCIPS – Computer Crime and Intellectual Property Section (DOJ)

CCMSI – Credit Card Mail Security Initiative

CFAA – Computer Fraud and Abuse Act

CFTC – Commodity Futures Trading Commission

CIO – Chief Information Officer

CIP – Customer Identification Program

CIRFU – Cyber Initiative and Resource Fusion Center

CMRA – Commercial Mail Receiving Agency

CMS – Centers for Medicare and Medicaid Services (HHS)

CRA – Consumer reporting agency

CVV2 – Card Verification Value 2

DBFTF – Document and Benefit Fraud Task Force

DHS – Department of Homeland Security

DOJ – Department of Justice

DPPA – Drivers Privacy Protection Act of 1994

FACT Act – Fair and Accurate Credit Transactions Act of 2003

FBI – Federal Bureau of Investigation

FCD – Financial Crimes Database

FCRA – Fair Credit Reporting Act

FCU Act – Federal Credit Union Act

FDI Act – Federal Deposit Insurance Act

FDIC – Federal Deposit Insurance Corporation

FEMA – Federal Emergency Management Agency

FERPA – Family and Educational Rights and Privacy Act of 1974

FFIEC – Federal Financial Institutions Examination Council

FIMSI – Financial Industry Mail Security Initiative

FinCEN – Financial Crimes Enforcement Network (Department of Treasury)

FISMA – Federal Information Security Management Act of 2002

FRB – Federal Reserve Board of Governors

FSI – Financial Services, Inc.

FTC – Federal Trade Commission

FTC Act – Federal Trade Commission Act

GAO – Government Accountability Office

GLB Act – Gramm-Leach-Bliley Act

HHS – Department of Health and Human Services

HIPAA – Health Insurance Portability and Accountability Act of 1996

IACP – International Association of Chiefs of Police

IAFCI – International Association of Financial Crimes Investigators

IC3 – Internet Crime Complaint Center

ICE – U.S. Immigration and Customs Enforcement

IRS – Internal Revenue Service

IRS CI – IRS Criminal Investigation Division

IRTPA – Intelligence Reform and Terrorism Prevention Act of 2004

ISI – Intelligence Sharing Initiative (U.S. Postal Inspection Service)

ISP – Internet service provider

ISS LOB – Information Systems Security Line of Business

ITAC – Identity Theft Assistance Center

ITCI – Information Technology Compliance Institute

ITRC – Identity Theft Resource Center

MCC – Major Cities Chiefs

NAC – National Advocacy Center

NASD – National Association of Securities Dealers, Inc.

NCFTA – National Cyber Forensic Training Alliance

NCHELP – National Council of Higher Education Loan Programs

NCUA – National Credit Union Administration

NCVS – National Crime Victimization Survey

NDAA – National District Attorneys Association

NIH – National Institutes of Health

NIST – National Institute of Standards and Technology

NYSE – New York Stock Exchange

OCC – Office of the Comptroller of the Currency

OIG – Office of the Inspector General

OJP – Office of Justice Programs (DOJ)

OMB – Office of Management and Budget

OPM – Office of Personnel Management

OTS – Office of Thrift Supervision

OVC – Office for Victims of Crime (DOJ)

PCI – Payment Card Industry

PIN – Personal Identification Number

PMA – President’s Management Agenda

PRC – Privacy Rights Clearinghouse

QRP – Questionable Refund Program (IRS CI)

RELEAF – Operation Retailers & Law Enforcement Against Fraud

RISS – Regional Information Sharing Systems

RITNET – Regional Identity Theft Network

RPP – Return Preparer Program (IRS CI)

SAR – Suspicious Activity Report

SBA – Small Business Administration

SEC – Securities and Exchange Commission

SMP – Senior Medicare Patrol

SSA – Social Security Administration

SSL – Security Socket Layer

SSN – Social Security number

TIGTA – Treasury Inspector General for Tax Administration

UNCC – United Nations Crime Commission

USA PATRIOT Act – Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Pub. L. No. 107-56)

USB – Universal Serial Bus

US-CERT – United States Computer Emergency Readiness Team

USPIS – United States Postal Inspection Service

USSS – United States Secret Service

VHA – Veterans Health Administration

VOIP – Voice Over Internet Protocol

VPN – Virtual private network

WEDI – Workgroup for Electronic Data Interchange


Identity Theft Task Force Members

Alberto R. Gonzales, Chairman, Attorney General

Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission

Henry M. Paulson, Department of Treasury

Carlos M. Gutierrez, Department of Commerce

Michael O. Leavitt, Department of Health and Human Services

R. James Nicholson, Department of Veterans Affairs

Michael Chertoff, Department of Homeland Security

Rob Portman, Office of Management and Budget

John E. Potter, United States Postal Service

Ben S. Bernanke, Federal Reserve System

Linda M. Springer, Office of Personnel Management

Sheila C. Bair, Federal Deposit Insurance Corporation

Christopher Cox, Securities and Exchange Commission

JoAnn Johnson, National Credit Union Administration

Michael J. Astrue, Social Security Administration

John C. Dugan, Office of the Comptroller of the Currency

John M. Reich, Office of Thrift Supervision


Letter to the President

April 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President’s Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government’s efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution.

To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.


The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft’s damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President’s Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, Chairman, Attorney General

Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission


I Executive Summary

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

A INTRODUCTION

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government – from the largest cities with major police departments to the smallest towns with one fraud detective – identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force’s recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

B THE STRATEGY

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud. Identity theft has at least three stages in its “life cycle,” and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim’s personal information.

Criminals must first gather personal information, either through low-tech methods – such as stealing mail or workplace records, or “dumpster diving” – or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim’s personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim’s name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation’s citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;

• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;

• assisting the victims of identity theft in recovering from the crime; and

• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;

• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;

• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and

• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan – from these broad policy changes to the small steps – are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President’s Task Force on Identity Theft:

PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.


Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While “perfect security” does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Data Security in Public Sector

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

• Survey current use of SSNs by federal government

• Issue guidance on appropriate use of SSNs

• Establish clearinghouse for “best” agency practices that minimize use of SSNs

• Work with state and local governments to review use of SSNs

Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance

• Develop concrete guidance and best practices

• Monitor agency compliance with data security guidance

• Protect portable storage and communications devices

Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies

• Issue data breach guidance to agencies

• Publish a “routine use” allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data

• Hold regional seminars for businesses on safeguarding information

• Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations

Initiate a Multi-Year Public Awareness Campaign

• Develop national awareness campaign

• Enlist outreach partners

• Increase outreach to traditionally underserved communities

• Establish “Protect Your Identity” Days

Develop Online Clearinghouse for Current Educational Resources

PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person’s identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses – for example, multi-factor authentication or layered security – would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication

• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity

• Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs

VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Identity theft can be committed despite a consumer’s best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.


Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims

• Train law enforcement officers

• Provide educational materials for first responders that can be used as a reference guide for identity theft victims

• Create and distribute an ID Theft Victim Statement of Rights

• Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims

• Conduct assessment of FACT Act remedies under FCRA

• Conduct assessment of state credit freeze laws

LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector

• Enhance ability of law enforcement to receive information from financial institutions

• Initiate discussions with financial services industry on countermeasures to identity theft

• Initiate discussions with credit reporting agencies on preventing identity theft

Coordination with Foreign Law Enforcement

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government’s Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist Train and Support Foreign Law Enforcement

Prosecution Approaches and Initiatives

Increase Prosecutions of Identity Theft

• Designate an identity theft coordinator for each United States Attorney’s Office to design a specific identity theft program for each district

• Evaluate monetary thresholds for prosecution

• Encourage state prosecution of identity theft

• Create working groups and task forces

Conduct Targeted Enforcement Initiatives

• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale

• Conduct enforcement initiatives focused on identity theft related to the health care system

• Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs


Gaps in Statutes Criminalizing Identity Theft

Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes

• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted

• Add new crimes to the list of predicate offenses for aggravated identity theft offenses

• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications

• Penalize creators and distributors of malicious spyware and keyloggers

• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Law Enforcement Training

Enhance Training for Law Enforcement Officers and Prosecutors

• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft

• Increase number of regional identity theft seminars

• Increase resources for law enforcement on the Internet

• Review curricula to enhance basic and advanced training on identity theft

Measuring the Success of Law Enforcement

Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft

• Gather and analyze statistically reliable data from identity theft victims

• Expand scope of national crime victimization survey

• Review U.S. Sentencing Commission data

• Track prosecutions of identity theft and resources spent

• Conduct targeted surveys


II The Contours of the Identity Theft Problem


Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.

Identity theft – the misuse of another individual’s personal information to commit fraud – can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.

Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain’s identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain’s name and with his Social Security number. The military identification, combined with the victim’s then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim’s name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim’s name.4

In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim’s existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim’s safe-deposit boxes.5

In these ways and others, consumers’ lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.

“I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver’s license was suspended. I hold three licenses in the State of Ohio – my driver’s license, my real estate license, and my RN license. After learning my driver’s license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter.”

Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003

A. PREVALENCE AND COSTS OF IDENTITY THEFT

There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.⁶ While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.

Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.

In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.

In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.

Consumers’ fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.⁷ Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.⁸ Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.

B. IDENTITY THIEVES: WHO THEY ARE

Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC’s 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.

Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.

Individuals

According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners’ mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.⁹

A number of recent reports have focused on the connection between individual methamphetamine (“meth”) users and identity theft.¹⁰ Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.¹¹ Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.


In an article entitled “Waitress Gets Own ID When Carding Patron,” the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver’s license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.

In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $181,517.05 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver’s license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.


Significant Criminal Groups and Organizations

Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups—including national gangs such as Hell’s Angels and MS-13—are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.

Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user’s Internet connection, without the user’s knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services—such as software templates for making counterfeit identification cards and payment card magnetic strip encoders—that make the stolen data even more valuable to those who have it.

C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE

Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim’s name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.

Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.

In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant’s accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an “unprecedented, wide-ranging, organized criminal enterprise” that “engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers.” The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.

The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.

Common Theft and Dumpster Diving

While often considered a “high tech” crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.¹² Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as “dumpster diving.”¹³ Still others steal information using techniques no more sophisticated than purse snatching.

Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice

A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.

Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)¹⁴ requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed—a measure that is intended, among other things, to reduce the ability of a “dumpster diver” to obtain a victim’s credit card number simply by looking through that victim’s discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.¹⁵

Employee/Insider Theft

Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee’s access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.

Electronic Intrusions or Hacking

Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.¹⁶ Several recent government enforcement actions have targeted this type of data theft.

Second, hackers also can gain access to underlying applications—programs used to “communicate” between Internet users and a company’s internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.¹⁷ It is often difficult to detect the hacker’s application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.

According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.

Social Engineering: Phishing, Malware/Spyware, and Pretexting

Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as “social engineering,” can take a variety of forms.

In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution’s screening practices came to light through the OCC’s review of the former employee’s activities.

In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe’s Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe’s retail store in Michigan and gained access to Lowe’s central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe’s retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.

Phishing. “Phishing” is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to “reenter” or “validate” their personal data. Such phishing schemes often mimic financial institutions’ websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed “vishing,” in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.¹⁸

Malware/Spyware/Keystroke Loggers. Criminals also can use spyware to illegally gain access to Internet users’ computers and data without the users’ permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user’s Internet sessions back to the hacker, including usernames and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims’ passwords and other useful data—such as “sniffing” Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.

“Phishing” Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group

At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS’s website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.

Pretexting. Pretexting¹⁹ is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer’s account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer’s name.²⁰

Stolen Media

In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an “incidental” manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.²¹ Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded—such as through the use of technological tools for protecting data—this information can be accessed and used to steal the victim’s identity. Identity thieves also may obtain consumer data when it is lost or misplaced.

Failure to “Know Your Customer”

Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.

The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.²² For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.

Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.

In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.

“Skimming”

Because it is possible to use someone’s credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.²³ For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as “skimmers.” A skimmer is an inexpensive electronic device with a slot through which a person passes or “skims” a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer’s sight, he can skim the card through the device and then swipe it through the restaurant’s own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer’s card, as well as the consumer’s password.

D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT

Once they obtain victims’ personal information, criminals misuse it in endless ways, from opening new accounts in the victim’s name, to accessing the victim’s existing accounts, to using the victim’s name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.

Misuse of Existing Accounts

Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer’s wallet.


A “skimmer.” Source: Durham, Ontario Police

In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.


Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims’ bank accounts, including checking accounts—sometimes referred to as “account takeovers.”²⁴ The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims’ online brokerage accounts.²⁵

Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.²⁶

New Account Fraud

A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim’s name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.

Criminal’s skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer’s keystrokes. Source: University of Texas Police Department

In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor’s Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.


When criminals establish new credit card accounts in others’ names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others’ names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.

“Brokering” of Stolen Data

Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as “carding sites,” traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.

Immigration Fraud

In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.²⁷ Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.

Medical Identity Theft

Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim’s identifying information is used to obtain or make false claims for medical care.²⁸ In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.


Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney’s Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver’s licenses, credit, or even medical services because someone had improperly used their personal information before.


Other Frauds

Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS’s Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.

With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services’ Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.

Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003, after the United States Attorney’s Office for the Southern District of New York obtained a criminal conviction against him in 2002.

In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant’s allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.

A STRATEGY TO COMBAT IDENTITY THEFT

III. A Strategy to Combat Identity Theft

Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its "life cycle," it must be attacked at each of those stages, including:

• when the identity thief attempts to acquire a victim's personal information;

• when the thief attempts to misuse the information he has acquired; and

• after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

The federal government's strategy to combat identity theft must address each of these stages by:

• keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;

• making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;

• assisting victims in recovering from the crime; and

• deterring identity theft by aggressively prosecuting and punishing those who commit the crime.

A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force's recommendations, as described below, are focused on those areas.

A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as "perfect security," some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.

The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.[29] Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.

1. Decreasing the Unnecessary Use of Social Security Numbers

The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim's SSN and certain other information generally can open accounts or obtain other benefits in the victim's name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.

SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers' earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes is expressly authorized by statute.

The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.

Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students' identification number for a range of purposes, from administering loans to tracking grades, and may place it on students' identification cards, although usage for these purposes is declining.

In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver's licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.

SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.[30] Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.

No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations' disclosure of SSNs without patient authorization; and the Driver's Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 "permissible uses."[31] In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.[32] A number of state statutes restrict the use and display of SSNs in certain contexts.[33] Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.[34]

There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.

Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization's internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN's use as an authenticator.

In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA's Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.

Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber's identification number.[35] Additionally, the Department of Treasury's Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.

More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.

RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR

To limit the unnecessary use of SSNs in the public sector, and to begin to develop alternative strategies for identity management, the Task Force recommends the following:

Complete Review of Use of SSNs. As recommended in the Task Force's interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers, where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in "any system of permanent account numbers pertaining to individuals," should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.

When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim's name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief's medical information was added to the victim's medical records.

Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.

Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.[36]

Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB's review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices (including the development of any alternative strategies for identity management) to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.

Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments (through organizations such as the National Governor's Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems) to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders, including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.

2. Data Security in the Public Sector

While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.

a. Safeguarding of Information in the Public Sector

Two sets of laws and associated policies frame the federal government's responsibilities in the area of data security. The first specifically governs the federal government's information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.[37] The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a "time-out" function for remote access and mobile devices.[38] The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.[39]

Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President's Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.[40]

Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.

Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.

b. Responding to Data Breaches in the Public Sector

Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.

The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.

RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE

To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:

Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 "mistakes" to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.

Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency's quarterly PMA Scorecard.

Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency's PMA scorecard.

RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES

To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:

Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.

Publish a "Routine Use" Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.[41] DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.

3. Data Security in the Private Sector

Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.

a. The Current Legal Landscape

Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act, and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;[42] Section 5 of the FTC Act, which prohibits unfair or deceptive practices;[43] the FCRA,[44] which restricts access to consumer reports and imposes safe disposal requirements, among other things;[45] HIPAA, which protects health information;[46] Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,[47] which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers' personal information.[48] See Volume II, Part A, for a description of federal laws and regulations related to data security.

The federal bank regulatory agencies (the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)) and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation.

BJ's Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ's stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers, and led to millions of dollars in fraudulent charges.

In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.

In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,[49] and some states have laws relevant to data security, including safeguards and disposal requirements.

Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.[50]

Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution's sensitive data to safeguard that data.[51] Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor's data center, and requiring vendors to provide certification that they are in compliance with the contracting organization's privacy and data protection obligations.[52]

b. Implementation of Data Security Guidelines and Rules

Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.

In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company's website permitted unauthorized access to consumers' personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.

In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.

Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.[53] But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.[54] The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.[55]

Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.[56] For example, of the small businesses surveyed:

• nearly 20 percent did not use virus scans for email, a basic information security safeguard;

• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;

• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and

• 74 percent reported having no information security plan in place.

Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies (sometimes pursuant to law or regulations issued by agencies) are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.

In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company's security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.

c. Responding to Data Breaches in the Private Sector

Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers’ fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.57 Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.58 Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.

The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.

A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.

In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.

Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.59 Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.60 A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.61 Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.62

RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS

Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to “financial institutions,” but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles.

Covered data. The national standards for data security and for breach notification should cover data that can be used to perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual’s account, or to establish a new account using the individual’s identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver’s license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter “covered data”). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.

When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.

Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.

Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent “acquisition” of the data, and thus ordinarily would satisfy an entity’s legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.

Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This “significant risk of identity theft” trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real.

Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).

Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.

Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.

Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.

Private right of action. The national standards should not provide for or create a private right of action.

Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.

RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA

Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately, is less likely to suffer a data compromise. The Task Force therefore makes the following recommendations concerning how to better educate the private sector:

When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.

Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions, about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar’s leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force’s online clearinghouse at www.idtheft.gov.

Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook’s Information Security Booklet, issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.

RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS

Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.

A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company’s cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.

4. Educating Consumers on Protecting Their Personal Information

The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.

The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of “Deter, Detect, and Defend,” which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.

The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.


Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims’ coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted “Consumer Action Days,” with free seminars about identity theft and other consumer protection issues.

Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.64 As of this writing, more than 500 local police departments are using the FTC’s “Deter, Detect, Defend” campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.

Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons—including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms—students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.65 In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.66

Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide—how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath—are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.

RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN

Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC’s current “AvoID Theft: Deter, Detect, Defend” campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:

Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.

Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.

Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.

Establish “Protect Your Identity Days.” The campaign should establish “Protect Your Identity Days” to promote better data security by businesses and individual commitment to security by consumers. These “Protect Your Identity Days” should also build on the popularity of community “shred-ins” by encouraging community and business organizations to shred documents containing personal information.

RECOMMENDATION: DEVELOP AN ONLINE “CLEARINGHOUSE” FOR CURRENT EDUCATIONAL RESOURCES

The Task Force recommends that in the third quarter of 2007, the Task Force member agencies develop an online “clearinghouse” for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.

B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.

An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision, and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer’s credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to “verify” the applicant’s identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.

Identity systems follow a two-fold process: first, determining (“identification”) and setting (“enrollment”) the identity of an individual at the onset of the relationship; and second, later ensuring that the individual is the same person who was initially enrolled (“authentication”). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, “financial institutions”), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.67 The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.68 See Volume II, Part G, for a description of recent laws relating to identification documents.

The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.69

Once an individual’s identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:

• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer’s monthly mortgage payment.

• Something a person has—most commonly a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.70

• Something a person is—most commonly a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.71

Some entities use a single form of authentication—most commonly a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.72 Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.73 Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.

SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.

RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION

Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.

As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

As noted in Section III.A.1 above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.

C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.

1. Victim Assistance: Outreach and Education

Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.

In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.

Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.

Fair and Accurate Credit Transactions Act (FACT Act) Rights

The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.

Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:

• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.

• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.

• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.

• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.

• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.

State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General’s office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.

A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.

Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.

RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS

First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:

Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.

Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.

Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.

Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.

RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS

Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:

Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.

2. Making Identity Theft Victims Whole

Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.

The many hours victims spend in attempting to recover from the harms they suffer often take a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.

“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”

Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001

In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.74 In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.

RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED

Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.

As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.

RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES

One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or “passports,” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.

3. Gathering Better Information on the Effectiveness of Victim Recovery Measures

Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims’ experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.

RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS

The Task Force recommends the following surveys or assessments:

Conduct Assessment of FACT Act Remedies Under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.

Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policy makers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.

D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.

The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.

In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.

In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.

During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute75 enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.

The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.

1. Coordination and Intelligence/Information Sharing

Federal law enforcement agencies have recognized the importance of coordination among agencies, and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.

In “Operation Firewall,” the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar. Using the website www.shadowcrew.com, the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents, such as drivers’ licenses, passports, and Social Security cards, as well as stolen credit card, debit card, and bank account numbers. The Shadowcrew members trafficked in at least 17 million stolen credit card numbers and caused total losses in excess of $4 million. The Secret Service successfully shut down the website following a year-long undercover investigation, which resulted in the arrests of 21 individuals in the United States on criminal charges in October 2004. Additionally, law enforcement officers in six foreign countries arrested or searched eight individuals.

a. Sources of Identity Theft Information

Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement through a secure website the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.

Private sector entities—including the financial services industry and credit reporting agencies—also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.

One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient “stove-piping” of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.

b. Format for Sharing Information and Intelligence

A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program’s terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.

To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police’s (IACP) Private Sector Liaison Committee and the Major Cities’ Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.

c. Mechanisms for Sharing Information

Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.

Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.

Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers “connect the dots” in investigations and pool limited resources.

RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER

The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to “connect the dots” between various investigations around the country.

In a case prosecuted by the United States Attorney’s Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.

RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM

The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC—a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department’s report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.

Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint (“Complaint”) form was made available in October 2006 via the FTC’s Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC’s Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.

RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR

Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:

Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service’s current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim’s credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.

2. Coordination With Foreign Law Enforcement

Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.

Becauseof theinternationalnatureof manyformsof identitytheftprovidingassistancetoandreceivingassistancefromforeignlawenforcementonidentitytheftiscriticalforUSenforcementagenciesUndercurrentlawtheUnitedStatesgenerallyisabletoprovidesuchassistancewhichfulfillsourobligationsundervarioustreatiesandenhancesourabilitytoobtainreciprocalassistancefromforeignagenciesIndeedtherearenumerousexamplesof collaborationsbetweenUSandforeignlawenforcementinidentitytheftinvestigations

Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country’s law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.

Second, certain statutes governing foreign requests for electronic and other evidence—specifically 18 U.S.C. § 2703 and 28 U.S.C. § 1782—fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.

The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.

RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT

The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.

RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE

Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention’s standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings, and should continue until broad international acceptance of the Convention on Cybercrime is achieved.

RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES

Safe havens for perpetrators of identity theft, and individuals who aid and abet such illegal activities, should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.

RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT’S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT

The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).

RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT

Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.

3. Prosecution Approaches and Initiatives

As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney’s Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney’s Office in the District of Oregon has an identity theft “fast track” program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney’s Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.

Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney’s Offices have monetary thresholds—i.e., requirements that a certain amount of monetary loss must have been suffered by the victims—before the U.S. Attorney’s Office will open an identity theft case. When a U.S. Attorney’s Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.

RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT

The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:

Designate An Identity Theft Coordinator for Each United States Attorney’s Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney’s Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.

Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney’s Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.

Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.

Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.

RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES

Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:

Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals’ SSNs or other sensitive information to anyone who provides them with the individual’s name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.

Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries’ and providers’ identities and identification numbers, the opening of bank accounts in individuals’ names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.

Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.

RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS

By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.

4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps

Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.

a. The Identity Theft Statutes

The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.76 Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.

There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of “a person,” it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization’s name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.

b. Computer-Related Identity Theft Statutes

Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company’s internal local networks or by a thief intruding into a wireless network generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer’s wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney’s Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.

A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause “damage” to computers, i.e., that impair the “integrity or availability” of data or computer systems.77 Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals’ computers. Whether the programs succeed in obtaining the unsuspecting computer owner’s financial data, these sorts of programs harm the “integrity” of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.

c. Cyber-Extortion Statute

Another federal criminal statute that may apply in some computer-related identity theft cases is the “cyber-extortion” provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat “to cause damage to a protected computer,”78 is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first—such as by accessing a corporate computer without authority and encrypting critical data—and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly “threaten to cause damage” can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.

d. Sentencing Guidelines Governing Identity Theft

In recent years, the courts have created some uncertainty about the applicability of the “multiple victim enhancement” provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.79

RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES

The Task Force recommends that Congress take the following legislative actions:

Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.

Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases—mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A—in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.

Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.

Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant’s action must cause “damage” to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.

Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.

RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF’S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM

The Sentencing Commission should amend the definition of “victim,” as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.

5. Training of Law Enforcement Officers and Prosecutors

Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney’s Offices, for example, several federal law enforcement agencies—including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI—along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.

Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges—including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft—that warrant more specialized training at all levels of law enforcement.

RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS

Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ’s Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any “model programs”—fast track programs, etc.).

Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.

Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.

Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.

6. Measuring Success of Law Enforcement Efforts

One shortcoming in the federal government’s ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.

Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.

RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM’S RESPONSE TO IDENTITY THEFT

Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.

Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.

Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.

Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an “Identity Theft” category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.

Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.

IV. Conclusion: The Way Forward

There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.

Only a comprehensive and fully coordinated strategy to combat identity theft—one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector—will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders—consumers, business, and government—must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well-being.

Appendices

APPENDIX A: Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol

APPENDIX B: Proposed Routine Use Language

Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12,990, 12,993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28,948, 28,953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.

Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:80

To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.

Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB, and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.

APPENDIX C: Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)

Proposed Language

(a) Section 3663 of Title 18, United States Code, is amended by:

(1) Deleting “and” at the end of paragraph (4) of subsection (b);

(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “and”; and

(3) Adding the following after paragraph (5) of subsection (b):

“(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”

Make conforming changes to the following:

(b) Section 3663A of Title 18, United States Code, is amended by:

(1) Adding the following after Section 3663A(b)(4):

“(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”

Section Analysis

Thesenewsubsectionsprovidethatdefendantsmaybeorderedtopayrestitu-tiontovictimsof identitytheftandaggravatedidentitytheftforthevalueof thevictimrsquostimespentremediatingtheactualorintendedharmof theof-fenseRestitutioncouldthereforeincludeanamountequaltothevalueof thevictimrsquostimespentclearingavictimrsquoscreditreportorresolvingchargesmadebytheperpetratorforwhichthevictimhasbeenmaderesponsible

Newsubsections3663(b)(6)and3663A(b)(5)of Title18wouldmakeclearthatrestitutionordersmayincludeanamountequaltothevalueof thevictimrsquostimespentremediatingtheactualorintendedharmof theidentitytheftoraggravatedidentitytheftoffenseThefederalcourtsof appealshaveinterpretedtheexistingprovisionsof Section3663insuchawaythatwouldlikelyprecludetherecoveryof suchamountsabsentexplicitstatutoryauthorizationForexampleinUnited States v Arvanitis902F3d489(7thCir1990)thecourtheldthatrestitutionorderedforoffensesresultinginlossof propertymustbelimitedtorecoveryof propertywhichisthesubjectof theoffensesandmaynotincludeconsequentialdamagesSimilarlyinUnited States v Husky924F2d223(11thCir1991)theEleventhCircuitheld

thatthelistof compensableexpensesinarestitutionstatuteisexclusiveandthusthedistrictcourtdidnothavetheauthoritytoorderthedefendanttopayrestitutiontocompensatethevictimformentalanguishandsufferingFinallyinUnited States v Schinnell80F3d1064(5thCir1996)thecourtheldthatrestitutionwasnotallowedforconsequentialdamagesinvolvedindeterminingtheamountof lossorinrecoveringthosefundsthusavictimof wirefraudwasnotentitledtorestitutionforaccountingfeesandcoststoreconstructbankstatementsforthetimeperiodduringwhichthedefendantperpetuatedtheschemeforthecostof temporaryemployeestoreconstructmonthlybankstatementsandforthecostsincurredinborrowingfundstoreplacestolenfundsThesenewsubsectionswillprovidestatutoryauthorityforinclusionof amountsequaltothevalueof thevictimrsquostimereasonablyspentremediatingtheharmincurredasaresultof theidentitytheftoffense


APPENDIX D
Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512

The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.

Proposed Language

§ 2703. Required disclosure of customer communications or records

(a) Contents of wire or electronic communications in electronic storage.—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

(b) Contents of wire or electronic communications in a remote computing service.—(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—

(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or

(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—

(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or

(ii) obtains a court order for such disclosure under subsection (d) of this section;

except that delayed notice may be given pursuant to section 2705 of this title.

(c) Records concerning electronic communication service or remote computing service.—(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—

(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;

§ 2711. Definitions for chapter

As used in this chapter—

(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;

(2) the term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system; and

(3) the term “court of competent jurisdiction” has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means—

(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that–

(i) has jurisdiction over the offense being investigated;

(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or

(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.

§ 3127. Definitions for chapter

As used in this chapter—

(1) the terms “wire communication”, “electronic communication”, “electronic communication service”, and “contents” have the meanings set forth for such terms in section 2510 of this title;

(2) the term “court of competent jurisdiction” means—


(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that–

(i) has jurisdiction over the offense being investigated;

(ii) is in or for a district in which the provider of electronic communication service is located;

(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or

(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device.

§ 3512. Foreign requests for assistance in criminal investigations and prosecutions

(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.

(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –

(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;

(2) administer any necessary oath; and

(3) take testimony or statements and receive documents or other things.


(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –

(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;

(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents, or things may be located; or

(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.

(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.

(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.

(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.

(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.

(h) As used in this section –

(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and

(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.


APPENDIX E
Text of Amendments to 18 U.S.C. §§ 1028 and 1028A

The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.

Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses

Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically, mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A—in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).

Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations

(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “or other person” after the word “individual”.

Rationale

Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized “appropriation” of legitimate companies’ names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation, sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy, and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.

One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as “phishing,” whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme—for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.

Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special “horror story” which stands above the rest. In August 2005, the “Anti-Phishing Working Group” determined in just that month alone, there were 5,259 unique phishing websites around the world. By December 2005, that number had increased to 7,197, and there were 15,244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities’ names (and even logos and web content) were “hijacked” (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., http://antiphishing.org/apwg_phishing_activity_report_august_05.pdf.

In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks and companies’ names in communications with victims or in counterfeit checks.

Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code, to apply only to “natural” persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.


APPENDIX F
Text of Amendment to 18 U.S.C. § 1030(a)(2)

The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

1030(a) Whoever—

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains–

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer if the conduct involved an interstate or foreign communication;

APPENDIX G
Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b

The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

18 U.S.C. § 1030

(a) Whoever—

(5)

(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and

(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(iii) physical injury to any person;

(iv) a threat to public health or safety; or

(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;

(c) The punishment for an offense under subsection (a) or (b) of this section is—

(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(3) (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;

(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;

(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section; and

(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and

(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.

(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(iii) physical injury to any person;

(iv) a threat to public health or safety;

(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or

(vi) damage affecting ten or more protected computers during any 1-year period;

or an attempt to commit an offense punishable under this subparagraph;

(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph;

(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both;

(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both; or

(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph.

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

18 U.S.C. § 2332b(g)(5)(B)(I)

1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)


APPENDIX H
Text of Amendments to 18 U.S.C. § 1030(a)(7)

The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.

Proposed Language

18 U.S.C. § 1030(a)(7)

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any–

(a) threat to cause damage to a protected computer;

(b) threat to obtain information from a protected computer without authorization or in excess of authorization, or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or

(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;

APPENDIX I
Text of Amendment to United States Sentencing Guideline § 2B1.1

The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.

Proposed language for United States Sentencing Guidelines § 2B1.1, comment. (n.1)

“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.


APPENDIX J
Description of Proposed Surveys

In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:

• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.

• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3,000 agencies. The sample includes all agencies with 100 or more officers, and a stratified random sample of smaller agencies, as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.

• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft, as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.

• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the postconviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.

• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.

• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.


ENDNOTES

1. Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.

2. The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.

3. The public comments are available at www.idtheft.gov.

4. Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”

5. See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at http://www.usdoj.gov/usao/miw/press/JMiller_Others10172006.html.

6. Javelin Strategy and Research, 2007 Identity Fraud Survey Report: Identity Fraud is Dropping, Continued Vigilance Necessary (Feb. 2007), summary available at http://www.javelinstrategy.com; Bureau of Justice Statistics (DOJ) (2004), available at http://www.ojp.usdoj.gov/bjs/pub/pdf/it04.pdf; Gartner, Inc. (2003), available at http://www.gartner.com/5_about/press_releases/pr21july2003a.jsp; FTC 2003 Survey Report (2003), available at http://www.consumer.gov/idtheft/pdf/synovate_report.pdf.

7. See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection, BSA Survey Suggests (Jan. 12, 2006), available at http://www.bsacybersafety.com/news/2005-Online-Shopping-Confidence.cfm.

8. See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at https://www.csialliance.org/publications/surveys_and_polls/CSIA_Internet_Security_Survey_June_2005.pdf.

9. See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at http://www.usdoj.gov/usao/fls/PressReleases/060719-01.html.

10. See, e.g., John Leland, Meth Users, Attuned to Detail, Add Another Habit: ID Theft, New York Times, July 11, 2006, available at http://www.nytimes.com/2006/07/11/us/11meth.html?ex=1153540800&en=7b6c7773afa880be&ei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit: Online Theft, USA Today, December 14, 2005, available at http://www.usatoday.com/tech/news/internetprivacy/2005-12-14-meth-online-theft_x.htm.


11. Bob Mims, Id Theft Is the No. 1 Runaway U.S. Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526.

12. Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, http://deseretnews.com/dn/view/0,1249,600129714,00.html.

13. Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at http://www.nytimes.com/2003/12/21/magazine/21IDENTITY.html?ex=1387342800&en=b693eef01223bc3b&ei=5007&partner=USERLAND.

14. Pub. L. No. 108-159, 117 Stat. 1952.

15. The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).

16. Overview of Attack Trends, CERT Coordination Center 2002, available at http://www.cert.org/archive/pdf/attack_trends.pdf.

17. Lanowitz, T., Gartner Research ID Number G00127407, December 1, 2005.

18. “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at http://www.consumeraffairs.com/news04/2006/07/scam_vishing.html.

19. Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal: Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See http://www.ftc.gov/opa/2006/05/phonerecords.htm.

20. The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at http://www.ftc.gov/opa/2002/03/pretextingsettlements.htm.

21. See, e.g., Computers Stolen with Data on 72,000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.

22. 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a).

23. Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.

24. See http://www.bizjournals.com/philadelphia/stories/2006/07/24/daily30.html. See also Identity Theft Resource Center, Fact Sheet 126: Checking Account Takeover and Check Fraud, http://www.idtheftcenter.org/vg126.shtml.


25. For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor's online brokerage account. His bogus transactions saved the hacker approximately $37,000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based "account intrusion" scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at http://www.sec.gov/litigation/litreleases/2006/lr19949.htm.

26. For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers' legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer's losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.

27. See John Leland, Some ID Theft Is Not For Profit, But to Get a Job, N.Y. Times, Sept. 4, 2006.

28. See World Privacy Forum, Medical Identity Theft: The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf.

29. See http://www.idanalytics.com/news_and_events/20051208.htm. Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.

30. Government Accounting Office, Social Security Numbers: Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004), at 2, available at http://www.gao.gov/new.items/d0559.pdf.

31. 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.

32. 5 U.S.C. § 552a.

33. See, e.g., Ariz. Rev. Stat. § 44-1373.

34. Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain, GAO-05-1016T, September 15, 2005.


35. See, e.g., www.wpsic.com/edi/comm_sub_p.shtml?mm=3, Non-SSN Member Numbers to Be Assigned for Privacy Protection.

36. Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.

37. The federal government's overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002."

38. See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).

39. The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation's Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.

40. See http://www.whitehouse.gov/results/agenda/scorecard.html.


41. The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force's interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be "necessary and proper" in accordance with the OMB's guidance on this issue.

42. 15 U.S.C. §§ 6801-09; 16 C.F.R. Part 313 (FTC); 12 C.F.R. Part 30, App. B (OCC, national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 C.F.R. Part 364, App. B (FDIC, state non-member banks); 12 C.F.R. Part 570, App. B (OTS, savings associations); 12 C.F.R. Part 748, App. A (NCUA, credit unions); 16 C.F.R. Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 C.F.R. Part 248.30 (SEC); 17 C.F.R. Part 160.30 (CFTC).

43. 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.

44. 15 U.S.C. §§ 1681-1681x, as amended.

45. Pub. L. No. 108-159, 117 Stat. 1952.

46. 42 U.S.C. §§ 1320d et seq.

47. 31 U.S.C. § 5318(l).

48. 18 U.S.C. §§ 2721 et seq.

49. http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm.

50. http://www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf; www.staysafeonline.org/basics/company/basic_tips.html; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at www.bitsinfo.org/downloads/Publications%20Page/bitsconscon.pdf; www.realtor.org/realtororg.nsf/files/NARInternetSecurityGuide.pdf/$FILE/NARInternetSecurityGuide.pdf; www.antiphishing.org/reports/bestpracticesforisps.pdf; www.uschamber.com/sb/security/default.htm; www.truste.org/pdf/SecurityGuidelines.pdf; www.the-dma.org/privacy/informationsecurity.shtml; http://www.staysafeonline.org/basics/company/basic_tips.html.

51. These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A and B, and 12 C.F.R. Part 717 (credit unions); 16 C.F.R. Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).

52. See, e.g., http://www.truste.org/pdf/SecurityGuidelines.pdf; http://www.the-dma.org/privacy/informationsecurity.shtml.


53. Deloitte Financial Services, 2006 Global Security Survey, available at http://singe.rucus.net/blog/archives/756-Deloitte-Security-Surveys.html.

54. Datalink, Data Storage Security Study, March 2006, available at www.datalink.com/security.

55. Id.

56. See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).

57. See, e.g., California (Cal. Civ. Code § 1798.82 (2006)); Illinois (815 Ill. Comp. Stat. 530/5 (2005)); Louisiana (La. Rev. Stat. 51:3074 (2006)); Rhode Island (R.I. Gen. Laws § 11-49.2-3 (2006)).

58. See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)); Florida (Fla. Stat. § 817.5681 (2005)); New York (N.Y. C.L.S. Gen. Bus. § 889-aa (2006)); Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).

59. Ponemon Institute LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, p. 16 (Apr. 26, 2006).

60. Id.

61. Ponemon Institute LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).

62. MultiChannel Merchant, Retailers Need to Provide Greater Data Security, Survey Says (Dec. 1, 2005), available at http://multichannelmerchant.com/opsandfulfillment/advisor/retailers_data_security_1201/index.html.

63. See Information Technology Examination Handbook's Information Security Booklet, available at http://www.ffiec.gov/guides.htm.

64. See, e.g., http://www.pvkansas.com/police/crime/iden_theft.shtml (Prairie Village, Kansas); http://phoenix.gov/POLICE/dcd1.html (Phoenix, Arizona); www.co.arapahoe.co.us/departments/SH/index.asp (Arapahoe County, Colorado).

65. Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.

66. Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York's Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide "fraud alerts" when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students' information.


67. See 31 C.F.R. § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 C.F.R. § 103.122 (broker-dealers); 17 C.F.R. § 270.0-11, 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers).

68. See http://www.dhs.gov/xprevprot/laws/gc_1172765386179.shtm.

69. A primary reason criminals use other people's identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses' awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.

Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a "red flag" signaling a possible risk of identity theft. Recognizing these "red flags" can enable businesses to detect identity theft at its early stages before too much harm is done. See 71 Fed. Reg. 40786 (July 18, 2006), to be codified at 12 C.F.R. Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 C.F.R. Part 681 (FTC), available at http://www.occ.gov/fr/fedregister/71fr40786.pdf.

70. USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user's computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information, such as a PIN, to allow access to a computer network. This system is frequently used to allow for remote access to a work station for a telecommuter.

71. Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at www.biometrics.gov.


72. See Authentication in an Internet Banking Environment (October 12, 2005), available at http://www.ffiec.gov/pdf/authentication_guidance.pdf.

73. See FFIEC, Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at http://www.ffiec.gov/pdf/authentication_faq.pdf.

74. See Kristin Davis and Jessica Anderson, But Officer, That Isn't Me, Kiplinger's Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va. Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).

75. 18 U.S.C. § 1028A.

76. 18 U.S.C. § 1028(d)(7).

77. See 18 U.S.C. § 1030(e)(8).

78. 18 U.S.C. § 1030(a)(7).

79. S. Rep. No. 105-274, at 9 (1998).

80. As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.


Glossary of Acronyms

AAMVA – American Association of Motor Vehicle Administrators

AARP – American Association of Retired Persons

ABA – American Bar Association

APWG – Anti-Phishing Working Group

BBB – Better Business Bureau

BIN – Bank Identification Number

BJA – Bureau of Justice Assistance

BJS – Bureau of Justice Statistics

CCIPS – Computer Crime and Intellectual Property Section (DOJ)

CCMSI – Credit Card Mail Security Initiative

CFAA – Computer Fraud and Abuse Act

CFTC – Commodity Futures Trading Commission

CIO – Chief Information Officer

CIP – Customer Identification Program

CIRFU – Cyber Initiative and Resource Fusion Center

CMRA – Commercial Mail Receiving Agency

CMS – Centers for Medicare and Medicaid Services (HHS)

CRA – Consumer reporting agency

CVV2 – Card Verification Value 2

DBFTF – Document and Benefit Fraud Task Force

DHS – Department of Homeland Security

DOJ – Department of Justice

DPPA – Drivers Privacy Protection Act of 1994

FACT Act – Fair and Accurate Credit Transactions Act of 2003

FBI – Federal Bureau of Investigation

FCD – Financial Crimes Database

FCRA – Fair Credit Reporting Act

FCU Act – Federal Credit Union Act

FDI Act – Federal Deposit Insurance Act

FDIC – Federal Deposit Insurance Corporation

FEMA – Federal Emergency Management Agency

FERPA – Family and Educational Rights and Privacy Act of 1974

FFIEC – Federal Financial Institutions Examination Council

FIMSI – Financial Industry Mail Security Initiative

FinCEN – Financial Crimes Enforcement Network (Department of Treasury)

FISMA – Federal Information Security Management Act of 2002

FRB – Federal Reserve Board of Governors

FSI – Financial Services, Inc.

FTC – Federal Trade Commission

FTC Act – Federal Trade Commission Act

GAO – Government Accountability Office

GLB Act – Gramm-Leach-Bliley Act

HHS – Department of Health and Human Services

HIPAA – Health Insurance Portability and Accountability Act of 1996

IACP – International Association of Chiefs of Police

IAFCI – International Association of Financial Crimes Investigators

IC3 – Internet Crime Complaint Center

ICE – U.S. Immigration and Customs Enforcement

IRS – Internal Revenue Service

IRS CI – IRS Criminal Investigation Division


IRTPA – Intelligence Reform and Terrorism Prevention Act of 2004

ISI – Intelligence Sharing Initiative (U.S. Postal Inspection Service)

ISP – Internet service provider

ISS LOB – Information Systems Security Line of Business

ITAC – Identity Theft Assistance Center

ITCI – Information Technology Compliance Institute

ITRC – Identity Theft Resource Center

MCC – Major Cities Chiefs

NAC – National Advocacy Center

NASD – National Association of Securities Dealers, Inc.

NCFTA – National Cyber Forensic Training Alliance

NCHELP – National Council of Higher Education Loan Programs

NCUA – National Credit Union Administration

NCVS – National Crime Victimization Survey

NDAA – National District Attorneys Association

NIH – National Institutes of Health

NIST – National Institute of Standards and Technology

NYSE – New York Stock Exchange

OCC – Office of the Comptroller of the Currency

OIG – Office of the Inspector General

OJP – Office of Justice Programs (DOJ)

OMB – Office of Management and Budget

OPM – Office of Personnel Management

OTS – Office of Thrift Supervision

OVC – Office for Victims of Crime (DOJ)

PCI – Payment Card Industry

PIN – Personal Identification Number

PMA – President's Management Agenda

PRC – Privacy Rights Clearinghouse

QRP – Questionable Refund Program (IRS CI)

RELEAF – Operation Retailers & Law Enforcement Against Fraud

RISS – Regional Information Sharing Systems

RITNET – Regional Identity Theft Network

RPP – Return Preparer Program (IRS CI)

SAR – Suspicious Activity Report

SBA – Small Business Administration

SEC – Securities and Exchange Commission

SMP – Senior Medicare Patrol

SSA – Social Security Administration

SSL – Security Socket Layer

SSN – Social Security number

TIGTA – Treasury Inspector General for Tax Administration

UNCC – United Nations Crime Commission

USA PATRIOT Act – Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Pub. L. No. 107-56)

USB – Universal Serial Bus

US-CERT – United States Computer Emergency Readiness Team

USPIS – United States Postal Inspection Service

USSS – United States Secret Service

VHA – Veterans Health Administration

VOIP – Voice Over Internet Protocol

VPN – Virtual private network

WEDI – Workgroup for Electronic Data Interchange


Identity Theft Task Force Members

Alberto R. Gonzales, Chairman, Attorney General

Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission

Henry M. Paulson, Department of Treasury

Carlos M. Gutierrez, Department of Commerce

Michael O. Leavitt, Department of Health and Human Services

R. James Nicholson, Department of Veterans Affairs

Michael Chertoff, Department of Homeland Security

Rob Portman, Office of Management and Budget

John E. Potter, United States Postal Service

Ben S. Bernanke, Federal Reserve System

Linda M. Springer, Office of Personnel Management

Sheila C. Bair, Federal Deposit Insurance Corporation

Christopher Cox, Securities and Exchange Commission

JoAnn Johnson, National Credit Union Administration

Michael J. Astrue, Social Security Administration

John C. Dugan, Office of the Comptroller of the Currency

John M. Reich, Office of Thrift Supervision


Letter to the President

April 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President's Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.

Alberto R. Gonzales, Chairman, Attorney General

Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission


The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, Chairman, Attorney General
Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission


I. Executive Summary

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

A. INTRODUCTION

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And at every level of government, from the largest cities with major police departments to the smallest towns with one fraud detective, identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force's recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities, will be successful in protecting citizens and private entities from the crime.

B. THE STRATEGY

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual's personal information to commit fraud. Identity theft has at least three stages in its "life cycle," and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim's personal information.

Criminals must first gather personal information, either through low-tech methods (such as stealing mail or workplace records, or "dumpster diving") or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim’s personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim’s name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the lifecycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this lifecycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation’s citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;

making it more difficult for identity thieves who obtain consumer data to use it to steal identities;

assisting the victims of identity theft in recovering from the crime; and

deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;

that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;

that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and

that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan—from these broad policy changes to the small steps—are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President’s Task Force on Identity Theft:

PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While “perfect security” does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Data Security in Public Sector

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

• Survey current use of SSNs by federal government

• Issue guidance on appropriate use of SSNs

• Establish clearinghouse for “best” agency practices that minimize use of SSNs

• Work with state and local governments to review use of SSNs

Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance

• Develop concrete guidance and best practices

• Monitor agency compliance with data security guidance

• Protect portable storage and communications devices

Ensure Effective Risk-Based Responses to Data Breaches Suffered by Federal Agencies

• Issue data breach guidance to agencies

• Publish a “routine use” allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data

• Hold regional seminars for businesses on safeguarding information

• Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations

Initiate a Multi-Year Public Awareness Campaign

• Develop national awareness campaign

• Enlist outreach partners

• Increase outreach to traditionally underserved communities

• Establish “Protect Your Identity” Days

Develop Online Clearinghouse for Current Educational Resources

PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person’s identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factor authentication or layered security—would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication

• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity

• Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs

VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Identity theft can be committed despite a consumer’s best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.

Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims

• Train law enforcement officers

• Provide educational materials for first responders that can be used as a reference guide for identity theft victims

• Create and distribute an ID Theft Victim Statement of Rights

• Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims

• Conduct assessment of FACT Act remedies under FCRA

• Conduct assessment of state credit freeze laws

LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector

• Enhance ability of law enforcement to receive information from financial institutions

• Initiate discussions with financial services industry on countermeasures to identity theft

• Initiate discussions with credit reporting agencies on preventing identity theft

Coordination with Foreign Law Enforcement

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government’s Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist, Train, and Support Foreign Law Enforcement

Prosecution Approaches and Initiatives

Increase Prosecutions of Identity Theft

• Designate an identity theft coordinator for each United States Attorney’s Office to design a specific identity theft program for each district

• Evaluate monetary thresholds for prosecution

• Encourage state prosecution of identity theft

• Create working groups and task forces

Conduct Targeted Enforcement Initiatives

• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale

• Conduct enforcement initiatives focused on identity theft related to the health care system

• Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs


Gaps in Statutes Criminalizing Identity Theft

Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes

• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted

• Add new crimes to the list of predicate offenses for aggravated identity theft offenses

• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications

• Penalize creators and distributors of malicious spyware and keyloggers

• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Law Enforcement Training

Enhance Training for Law Enforcement Officers and Prosecutors

• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft

• Increase number of regional identity theft seminars

• Increase resources for law enforcement on the Internet

• Review curricula to enhance basic and advanced training on identity theft

Measuring the Success of Law Enforcement

Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft

• Gather and analyze statistically reliable data from identity theft victims

• Expand scope of national crime victimization survey

• Review U.S. Sentencing Commission data

• Track prosecutions of identity theft and resources spent

• Conduct targeted surveys


II The Contours of the Identity Theft Problem


Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.

Identity theft—the misuse of another individual’s personal information to commit fraud—can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.

Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain’s identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain’s name and with his Social Security number. The military identification, combined with the victim’s then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim’s name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim’s name.4

In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim’s existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim’s safe-deposit boxes.5

In these ways and others, consumers’ lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to strengthen efforts to prevent identity theft, investigate and prosecute identity theft, raise awareness, and ensure that victims receive meaningful assistance.

“I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver’s license was suspended. I hold three licenses in the State of Ohio—my driver’s license, my real estate license, and my RN license. After learning my driver’s license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter.”

Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003

A. PREVALENCE AND COSTS OF IDENTITY THEFT

There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.

Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.

In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.

In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.

Consumers’ fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.

B. IDENTITY THIEVES: WHO THEY ARE

Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC’s 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.

Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.

Individuals

According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners’ mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9

A number of recent reports have focused on the connection between individual methamphetamine (“meth”) users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.

In an article entitled “Waitress Gets Own ID When Carding Patron,” the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver’s license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.

In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $181,517.05 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver’s license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.

Significant Criminal Groups and Organizations

Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups—including national gangs such as Hell’s Angels and MS-13—are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.

Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user’s Internet connection, without the user’s knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services—such as software templates for making counterfeit identification cards and payment card magnetic strip encoders—that make the stolen data even more valuable to those who have it.

C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE

Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim’s name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.

Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.

In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant’s accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an “unprecedented, wide-ranging, organized criminal enterprise” that “engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers.” The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.

The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.

Common Theft and Dumpster Diving

While often considered a “high tech” crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as “dumpster diving.”13 Still others steal information using techniques no more sophisticated than purse snatching.

Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed—a measure that is intended, among other things, to reduce the ability of a “dumpster diver” to obtain a victim’s credit card number simply by looking through that victim’s discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15

Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice

A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport, and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.

Employee/Insider Theft

Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee’s access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.

Electronic Intrusions or Hacking

Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.

Second, hackers also can gain access to underlying applications—programs used to “communicate” between Internet users and a company’s internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker’s application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.

According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.

Social Engineering: Phishing, Malware/Spyware, and Pretexting

Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as “social engineering,” can take a variety of forms.

In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution’s screening practices came to light through the OCC’s review of the former employee’s activities.

In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe’s Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe’s retail store in Michigan and gained access to Lowe’s central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe’s retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.

Phishing: “Phishing” is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to “reenter” or “validate” their personal data. Such phishing schemes often mimic financial institutions’ websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed “vishing,” in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18

Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users’ computers and data without the users’ permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user’s Internet sessions back to the hacker, including usernames and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims’ passwords and other useful data—such as “sniffing” Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.

“Phishing” Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group

At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS’s website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.

Pretexting

Pretexting[19] is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer’s account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer’s name.[20]

Stolen Media

In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an “incidental” manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.[21] Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded—such as through the use of technological tools for protecting data—this information can be accessed and used to steal the victim’s identity. Identity thieves also may obtain consumer data when it is lost or misplaced.

Failure to “Know Your Customer”

Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.

The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.[22] For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.

Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.

In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.

“Skimming”

Because it is possible to use someone’s credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.[23] For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as “skimmers.” A skimmer is an inexpensive electronic device with a slot through which a person passes or “skims” a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer’s sight, he can skim the card through the device and then swipe it through the restaurant’s own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer’s card, as well as the consumer’s password.

D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT

Once they obtain victims’ personal information, criminals misuse it in endless ways, from opening new accounts in the victim’s name, to accessing the victim’s existing accounts, to using the victim’s name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.

Misuse of Existing Accounts

Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer’s wallet.

[Figure: A “skimmer.” Source: Durham, Ontario Police]

In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.

Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims’ bank accounts, including checking accounts—sometimes referred to as “account takeovers.”[24] The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims’ online brokerage accounts.[25]

Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.[26]

New Account Fraud

A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim’s name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.

[Figure: Criminal’s skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer’s keystrokes. Source: University of Texas Police Department]

In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor’s Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.

When criminals establish new credit card accounts in others’ names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others’ names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.

“Brokering” of Stolen Data

Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as “carding sites,” traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.

Immigration Fraud

In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.[27] Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.

Medical Identity Theft

Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim’s identifying information is used to obtain or make false claims for medical care.[28] In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.

Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney’s Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver’s licenses, credit, or even medical services because someone had improperly used their personal information before.

Other Frauds

Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS’s Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.

With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services’ Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.

Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney’s Office for the Southern District of New York obtained a criminal conviction against him in 2002.

In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant’s allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.

III. A Strategy to Combat Identity Theft

Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its “lifecycle,” it must be attacked at each of those stages, including:

• when the identity thief attempts to acquire a victim’s personal information;

• when the thief attempts to misuse the information he has acquired; and

• after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

The federal government’s strategy to combat identity theft must address each of these stages by:

• keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;

• making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;

• assisting victims in recovering from the crime; and

• deterring identity theft by aggressively prosecuting and punishing those who commit the crime.

A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force’s recommendations, as described below, are focused on those areas.

A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as “perfect security,” some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.

The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.[29] Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.

1. Decreasing the Unnecessary Use of Social Security Numbers

The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim’s SSN and certain other information generally can open accounts or obtain other benefits in the victim’s name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.

SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers’ earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes is expressly authorized by statute.

The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.

Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students’ identification number for a range of purposes, from administering loans to tracking grades, and may place it on students’ identification cards, although usage for these purposes is declining.

In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver’s licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.

SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.[30] Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.

No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations’ disclosure of SSNs without patient authorization; and the Driver’s Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 “permissible uses.”[31] In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.[32] A number of state statutes restrict the use and display of SSNs in certain contexts.[33] Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.[34]

There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.

Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization’s internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN’s use as an authenticator.
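
As an added example (not part of the Task Force report), the following Python shows one way to replace the SSN with an organization-generated identifier: migrated records carry a random employee ID, and the link back to the SSN exists only as a keyed lookup. The names IdentifierVault, migrate and mask_ssn, the record fields, and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets

SSN_PATTERN = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def normalize_ssn(raw: str) -> str:
    """Return the nine digits of an SSN written with or without dashes."""
    match = SSN_PATTERN.match(raw.strip())
    if match is None:
        raise ValueError("value is not a nine-digit SSN")
    return "".join(match.groups())


def mask_ssn(raw: str) -> str:
    """Masked form for the few screens or forms that must still show an SSN."""
    return "XXX-XX-" + normalize_ssn(raw)[-4:]


class IdentifierVault:
    """The only component that ever sees an SSN (hypothetical design).

    It stores a keyed HMAC of the SSN, not the SSN itself. A plain hash would
    not do: there are only 10**9 possible SSNs, so an unkeyed digest can be
    reversed by trying them all.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a random key of at least 32 bytes")
        self._key = key
        self._id_by_token = {}

    def _token(self, ssn: str) -> str:
        digits = normalize_ssn(ssn).encode("ascii")
        return hmac.new(self._key, digits, hashlib.sha256).hexdigest()

    def surrogate_for(self, ssn: str) -> str:
        """Return the organization-generated ID for this person, creating one if needed."""
        token = self._token(ssn)
        if token not in self._id_by_token:
            # Random, so the ID reveals nothing about the SSN or the person.
            self._id_by_token[token] = "EMP-" + secrets.token_hex(6).upper()
        return self._id_by_token[token]


def migrate(records, vault):
    """Copy records, dropping the 'ssn' field and adding 'employee_id'."""
    migrated = []
    for record in records:
        clean = {k: v for k, v in record.items() if k != "ssn"}
        clean["employee_id"] = vault.surrogate_for(record["ssn"])
        migrated.append(clean)
    return migrated


# Constructed sample data; area number 000 is never issued by the SSA.
SAMPLE_RECORDS = [
    {"name": "Pat Example", "ssn": "000-00-0001", "dept": "HR"},
    {"name": "Pat Example (badge system)", "ssn": "000000001", "dept": "Facilities"},
    {"name": "Lee Sample", "ssn": "000-00-0002", "dept": "IT"},
]

if __name__ == "__main__":
    vault = IdentifierVault(secrets.token_bytes(32))
    for row in migrate(SAMPLE_RECORDS, vault):
        print(row)
    print(mask_ssn("000-00-0001"))
```

The two "Pat Example" rows, keyed by the same SSN in different formats, receive the same employee ID, so records can still be matched across systems without any of them holding the SSN.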

In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA’s Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.

Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber’s identification number.[35] Additionally, the Department of Treasury’s Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.

More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.

RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR

To limit the unnecessary use of SSNs in the public sector—and to begin to develop alternative strategies for identity management—the Task Force recommends the following:

Complete Review of Use of SSNs. As recommended in the Task Force’s interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers, where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in “any system of permanent account numbers pertaining to individuals,” should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.

When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim’s name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief’s medical information was added to the victim’s medical records.

Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.

Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.[36]

Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB’s review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices—including the development of any alternative strategies for identity management—to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.

Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments—through organizations such as the National Governor’s Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems—to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders—including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.

2. Data Security in the Public Sector

While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.

a. Safeguarding of Information in the Public Sector

Two sets of laws and associated policies frame the federal government’s responsibilities in the area of data security. The first specifically governs the federal government’s information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.[37] The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a “time-out” function for remote access and mobile devices.[38] The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.[39]

FederallawalsorequiresthatagenciesprepareextensivedatacollectionanalysesandreportperiodicallytoOMBandCongressThePresidentrsquosManagementAgenda(PMA)requiresagenciestoreportquarterlytoOMBonselectedperformancecriteriaforbothprivacyandsecurityAgencyperformancelevelsforbothstatusandprogressaregradedonaPMAScorecard40

FederalagencyperformanceoninformationsecurityhasbeenunevenAsaresultOMBandtheagencieshaveundertakenanumberof initiativestoimprovethegovernmentsecurityprogramsOMBandDHSarelead-inganinteragencyInformationSystemsSecurityLineof Business(ISSLOB)workinggroupexploringwaystoimprovegovernmentdatasecu-ritypracticesThiseffortalreadyhasidentifiedanumberof keyareasforimprovinggovernment-widesecurityprogramsandmakingthemmorecost-effective

Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.

b. Responding to Data Breaches in the Public Sector

Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.

The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.

RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE

To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:

Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 "mistakes" to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.

Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency's quarterly PMA Scorecard.

Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency's PMA scorecard.

RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES

To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:

Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.

Publish a "Routine Use" Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.41 DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.

3. Data Security in the Private Sector

Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.

a. The Current Legal Landscape

Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act, and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;42 Section 5 of the FTC Act, which prohibits unfair or deceptive practices;43 the FCRA,44 which restricts access to consumer reports and imposes safe disposal requirements, among other things;45 HIPAA, which protects health information;46 Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,47 which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers' personal information.48 See Volume II, Part A, for a description of federal laws and regulations related to data security.

The federal bank regulatory agencies—the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)—and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation.

BJ's Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ's stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers, and led to millions of dollars in fraudulent charges.

In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.

In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,49 and some states have laws relevant to data security, including safeguards and disposal requirements.

Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.50

Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution's sensitive data to safeguard that data.51 Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor's data center, and requiring vendors to provide certification that they are in compliance with the contracting organization's privacy and data protection obligations.52

b. Implementation of Data Security Guidelines and Rules

Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.

In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company's website permitted unauthorized access to consumers' personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.

In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.

Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.53 But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.54 The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.55

Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.56 For example, of the small businesses surveyed:

• nearly 20 percent did not use virus scans for email, a basic information security safeguard;

• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;

• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and

• 74 percent reported having no information security plan in place.

Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies—sometimes pursuant to law or regulations issued by agencies—are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.

In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company's security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.

c. Responding to Data Breaches in the Private Sector

Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers' fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.57 Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.58 Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.

The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.

A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.

In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.

Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.59 Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.60 A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.61 Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.62

RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS

Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to "financial institutions," but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles.

Covered data. The national standards for data security and for breach notification should cover data that can be used to perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual's account, or to establish a new account using the individual's identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver's license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter "covered data"). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.

When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.

Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.

Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent "acquisition" of the data, and thus ordinarily would satisfy an entity's legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.

Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This "significant risk of identity theft" trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real.

Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).

Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.

Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.

Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.

Private right of action. The national standards should not provide for or create a private right of action.

Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.

RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA

Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately, is less likely to suffer a data compromise. The Task Force, therefore, makes the following recommendations concerning how to better educate the private sector:

When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.

Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions, about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar's leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force's online clearinghouse at www.idtheft.gov.

Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook's Information Security Booklet, issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.

RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS

Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.

A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company's cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.

4. Educating Consumers on Protecting Their Personal Information

The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.

The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of "Deter, Detect, and Defend," which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.

The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.

Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims' coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted "Consumer Action Days," with free seminars about identity theft and other consumer protection issues.

Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.[64] As of this writing, more than 500 local police departments are using the FTC’s “Deter, Detect, Defend” campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.

Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons—including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms—students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.[65] In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.[66]

Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide—how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath—are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.

RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN

Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC’s current “AvoID Theft: Deter, Detect, Defend” campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:

Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.

Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.

Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.

Establish “Protect Your Identity Days.” The campaign should establish “Protect Your Identity Days” to promote better data security by businesses and individual commitment to security by consumers. These “Protect Your Identity Days” should also build on the popularity of community “shred-ins” by encouraging community and business organizations to shred documents containing personal information.


RECOMMENDATION: DEVELOP AN ONLINE “CLEARINGHOUSE” FOR CURRENT EDUCATIONAL RESOURCES

The Task Force recommends that in the third quarter of 2007, the Task Force member agencies develop an online “clearinghouse” for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.

B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.

An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision, and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer’s credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to “verify” the applicant’s identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.

Identity systems follow a two-fold process: first, determining (“identification”) and setting (“enrollment”) the identity of an individual at the onset of the relationship; and second, later ensuring that the individual is the same person who was initially enrolled (“authentication”). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, “financial institutions”), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.[67] The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.[68] See Volume II, Part G, for a description of recent laws relating to identification documents.

The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.[69]

Once an individual’s identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:

• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer’s monthly mortgage payment.

• Something a person has—most commonly a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.[70]

• Something a person is—most commonly a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.[71]

Some entities use a single form of authentication—most commonly a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.[72] Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.[73] Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.

SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.

RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION

Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.


As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

As noted in Section III.A.1, above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.

C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.

1. VICTIM ASSISTANCE: OUTREACH AND EDUCATION

Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.

In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.

Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.


Fair and Accurate Credit Transactions Act (FACT Act) Rights

The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.

Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:

• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.

• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.

• Report actual incidents of identity theft to the local police department, and obtain a copy of the police report. This document will be essential to exercising other remedies.

• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.

• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.

State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General’s office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.


A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.

Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.

RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS

First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:

Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.

Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.

Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.

Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.

RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS

Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:

Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.

2. MAKING IDENTITY THEFT VICTIMS WHOLE

Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.

The many hours victims spend in attempting to recover from the harms they suffer often take a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.

“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”

Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001


In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.[74] In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.

RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED

Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.

As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.

RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES

One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or “passports,” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.

3. GATHERING BETTER INFORMATION ON THE EFFECTIVENESS OF VICTIM RECOVERY MEASURES

Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims’ experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.

RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS

The Task Force recommends the following surveys or assessments:

Conduct Assessment of FACT Act Remedies Under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.


Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policy makers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.

D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.

The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.

In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.

In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.

During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute[75] enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.

The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.

1 coorDination anD intelligenceinformation sharingFederallawenforcementagencieshaverecognizedtheimportanceof coordinationamongagenciesandof informationsharingbetweenlawenforcementandtheprivatesectorCoordinationhasbeenchallenginghoweverforseveralreasonsidentitytheftdatacurrentlyresideinnumerousdatabasesthereisnostandardreportingformforallidentitytheftcomplaintsandmanylawenforcementagencieshavelimitedresourcesGiventhesechallengeslawenforcementhasrespondedtotheneedforgreatercooperationbyamongotherthingsforminginteragencytaskforcesanddevelopingformalintelligence-sharingmechanismsLawenforcementalsohasworkedtodevelopmethodsof facilitatingthetimelyreceiptandanalysisof identitytheftcomplaintdataandotherintelligence

In "Operation Firewall," the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar. Using the website www.shadowcrew.com, the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents, such as drivers' licenses, passports, and Social Security cards, as well as stolen credit card, debit card, and bank account numbers. The Shadowcrew members trafficked in at least 1.7 million stolen credit card numbers and caused total losses in excess of $4 million. The Secret Service successfully shut down the website following a year-long undercover investigation, which resulted in the arrests of 21 individuals in the United States on criminal charges in October 2004. Additionally, law enforcement officers in six foreign countries arrested or searched eight individuals.


a. Sources of Identity Theft Information

Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement, through a secure website, the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.

Private sector entities—including the financial services industry and credit reporting agencies—also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.


One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient "stove-piping" of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.

b. Format for Sharing Information and Intelligence

A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program's terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.

To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police's (IACP) Private Sector Liaison Committee and the Major Cities' Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.

c. Mechanisms for Sharing Information

Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.

Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.

Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers "connect the dots" in investigations and pool limited resources.

RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER

The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to "connect the dots" between various investigations around the country.

In a case prosecuted by the United States Attorney's Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.


RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM

The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC—a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department's report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.

Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint ("Complaint") form was made available in October 2006 via the FTC's Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC's Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.

RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR

Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:


Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service's current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim's credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.

2. Coordination with Foreign Law Enforcement

Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.

Because of the international nature of many forms of identity theft, providing assistance to, and receiving assistance from, foreign law enforcement on identity theft is critical for U.S. enforcement agencies. Under current law, the United States generally is able to provide such assistance, which fulfills our obligations under various treaties and enhances our ability to obtain reciprocal assistance from foreign agencies. Indeed, there are numerous examples of collaborations between U.S. and foreign law enforcement in identity theft investigations.

Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country's law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.

Second, certain statutes governing foreign requests for electronic and other evidence—specifically 18 U.S.C. § 2703 and 28 U.S.C. § 1782—fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.

The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.


RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT

The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.

RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE

Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention's standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings and should continue until broad international acceptance of the Convention on Cybercrime is achieved.


RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES

Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.

RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT'S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT

The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).


RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT

Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.

3. Prosecution Approaches and Initiatives

As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney's Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney's Office in the District of Oregon has an identity theft "fast track" program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney's Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.

Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney's Offices have monetary thresholds—i.e., requirements that a certain amount of monetary loss must have been suffered by the victims—before the U.S. Attorney's Office will open an identity theft case. When a U.S. Attorney's Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.


RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT

The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:

Designate An Identity Theft Coordinator for Each United States Attorney's Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney's Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.

Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney's Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.

Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.


Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.

RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES

Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:

Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals' SSNs or other sensitive information to anyone who provides them with the individual's name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.

Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries' and providers' identities and identification numbers, the opening of bank accounts in individuals' names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.

Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.


RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS

By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.

4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps

Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.

a. The Identity Theft Statutes

The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.76 Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.

There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of "a person," it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization's name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.

b. Computer-Related Identity Theft Statutes

Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company's internal local networks or by a thief intruding into a wireless network generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer's wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney's Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.

A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause "damage" to computers, i.e., that impair the "integrity or availability" of data or computer systems.77 Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals' computers. Whether the programs succeed in obtaining the unsuspecting computer owner's financial data, these sorts of programs harm the "integrity" of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.

c. Cyber-Extortion Statute

Another federal criminal statute that may apply in some computer-related identity theft cases is the "cyber-extortion" provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat "to cause damage to a protected computer,"78 is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first—such as by accessing a corporate computer without authority and encrypting critical data—and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly "threaten to cause damage" can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.

d Sentencing Guidelines Governing Identity Theft

Inrecentyearsthecourtshavecreatedsomeuncertaintyabouttheapplicabilityof theldquomultiplevictimenhancementrdquoprovisionof theUSSentencingGuidelinesinidentitytheftcasesThisprovisionallowscourtstoincreasethesentenceforanidentitythief whovictimizesmorethanonepersonItisunclearhoweverwhetherthissentencingenhancementapplieswhenthevictimshavenotsustainedactualmonetarylossForexampleinsomejurisdictionswhenafinancialinstitutionindemnifies20victimsof unauthorizedchargestotheircreditcardsthecourtsconsiderthefinancialinstitutiontobetheonlyvictimInsuchcasestheidentitythief thereforemaynotbepenalizedforhavingengagedinconductthatharmed20peoplesimplybecausethose20peoplewerelaterindemnifiedThisinterpretationof theSentencingGuidelinesconflictswithaprimarypurposeof theIdentityTheftandAssumptionDeterrenceActof 1998tovindicatetheinterestsof individualidentitytheftvictims79

RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES

The Task Force recommends that Congress take the following legislative actions:

Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.


Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases—mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A—in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.

Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.

Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant’s action must cause “damage” to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.

Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.

RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF’S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM

The Sentencing Commission should amend the definition of “victim,” as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.


5. Training of Law Enforcement Officers and Prosecutors

Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney’s Offices, for example, several federal law enforcement agencies—including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI—along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.

Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges—including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft—that warrant more specialized training at all levels of law enforcement.

RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS

Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ’s Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any “model programs”—fast track programs, etc.).

Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.


Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.

Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.

6. Measuring Success of Law Enforcement Efforts

One shortcoming in the federal government’s ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.

Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.

RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM’S RESPONSE TO IDENTITY THEFT

Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.


Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.

Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.

Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an “Identity Theft” category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.

Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.

IV. Conclusion: The Way Forward

There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.

Only a comprehensive and fully coordinated strategy to combat identity theft—one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector—will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders—consumers, business, and government—must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well being.


Appendices

APPENDIX A
Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol


APPENDIX B
Proposed Routine Use Language

Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12,990, 12,993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28,948, 28,953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.

Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:⁸⁰

To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.

Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.


APPENDIX C
Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)

Proposed Language

(a) Section 3663 of Title 18, United States Code, is amended by:

(1) Deleting “and” at the end of paragraph (4) of subsection (b);

(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “and”; and

(3) Adding the following after paragraph (5) of subsection (b):

“(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”

Make conforming changes to the following:

(b) Section 3663A of Title 18, United States Code, is amended by:

(1) Adding the following after Section 3663A(b)(4):

“(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”

Section Analysis

These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim’s time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim’s time spent clearing a victim’s credit report or resolving charges made by the perpetrator for which the victim has been made responsible.

New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear that restitution orders may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense. The federal courts of appeals have interpreted the existing provisions of Section 3663 in such a way that would likely preclude the recovery of such amounts, absent explicit statutory authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th Cir. 1990), the court held that restitution ordered for offenses resulting in loss of property must be limited to recovery of property which is the subject of the offenses, and may not include consequential damages. Similarly, in United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held that the list of compensable expenses in a restitution statute is exclusive, and thus the district court did not have the authority to order the defendant to pay restitution to compensate the victim for mental anguish and suffering. Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court held that restitution was not allowed for consequential damages involved in determining the amount of loss or in recovering those funds; thus, a victim of wire fraud was not entitled to restitution for accounting fees and costs to reconstruct bank statements for the time period during which the defendant perpetuated the scheme, for the cost of temporary employees to reconstruct monthly bank statements, and for the costs incurred in borrowing funds to replace stolen funds. These new subsections will provide statutory authority for inclusion of amounts equal to the value of the victim’s time reasonably spent remediating the harm incurred as a result of the identity theft offense.


APPENDIX D
Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512

The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.

Proposed Language

§ 2703. Required disclosure of customer communications or records

(a) Contents of wire or electronic communications in electronic storage.—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

(b) Contents of wire or electronic communications in a remote computing service.—(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—

(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or

(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—

(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or

(ii) obtains a court order for such disclosure under subsection (d) of this section;

except that delayed notice may be given pursuant to section 2705 of this title.

(c) Records concerning electronic communication service or remote computing service.—(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—

(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;

§ 2711. Definitions for chapter

As used in this chapter—

(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;

(2) the term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system; and

(3) the term “court of competent jurisdiction” has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means—

(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that–

(i) has jurisdiction over the offense being investigated;

(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or

(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.

§ 3127. Definitions for chapter

As used in this chapter—

(1) the terms “wire communication,” “electronic communication,” “electronic communication service,” and “contents” have the meanings set forth for such terms in section 2510 of this title;

(2) the term “court of competent jurisdiction” means—


(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that–

(i) has jurisdiction over the offense being investigated;

(ii) is in or for a district in which the provider of electronic communication service is located;

(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or

(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device.

§ 3512. Foreign requests for assistance in criminal investigations and prosecutions

(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.

(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –

(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;

(2) administer any necessary oath; and

(3) take testimony or statements and receive documents or other things.


(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –

(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;

(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents, or things may be located; or

(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.

(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.

(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.

(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.

(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.

(h) As used in this section –

(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and

(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.


APPENDIX E
Text of Amendments to 18 U.S.C. §§ 1028 and 1028A

The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.

Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses

Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically, mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A—in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).

Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations

(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “or other person” after the word “individual”.

Rationale

Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized “appropriation” of legitimate companies’ names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation, sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy, and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.

One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as “phishing,” whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme—for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.

Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special “horror story” which stands above the rest. In August 2005, the “Anti-Phishing Working Group” determined in just that month alone, there were 5,259 unique phishing websites around the world. By December 2005, that number had increased to 7,197, and there were 15,244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities’ names (and even logos and web content) were “hijacked” (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., http://antiphishing.org/apwg_phishing_activity_report_august_05.pdf.

In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks and companies’ names in communications with victims or in counterfeit checks.

Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code, to apply only to “natural” persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.


APPENDIX F
Text of Amendment to 18 U.S.C. § 1030(a)(2)

The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

1030(a) Whoever—

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains–

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer if the conduct involved an interstate or foreign communication;

APPENDIX G
Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b

The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

18 U.S.C. § 1030

(a) Whoever—

(5)

(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and

(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(iii) physical injury to any person;

(iv) a threat to public health or safety; or

(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;

(c) The punishment for an offense under subsection (a) or (b) of this section is—

(2) (A)exceptasprovidedinsubparagraph(B)afineunderthistitleorimprisonmentfornotmorethanoneyearorbothinthecaseof anoffenseundersubsection(a)(2)(a)(3)(a)(5)(A)(iii)or(a)(6)of this

APPENDICES

COMBATING IDENTITY THEFT A Strategic Plan

sectionwhichdoesnotoccurafteraconvictionforanotheroffenseunderthissectionoranattempttocommitanoffensepunishableunderthissubparagraph

(3) (B)afineunderthistitleorimprisonmentfornotmorethantenyearsorbothinthecaseof anoffenseundersubsection(a)(4)(a)(5)(A)(iii)or(a)(7)of thissectionwhichoccursafteraconvictionforanotheroffenseunderthissectionoranattempttocommitanoffensepunishableunderthissubparagraph

(4) (A)exceptasprovidedinparagraph(5)afineunderthistitleimprisonmentfornotmorethan10yearsorbothinthecaseof anoffenseundersubsection(a)(5)(A)(i)oranattempttocommitanoffensepunishableunderthatsubsection

(B)afineunderthistitleimprisonmentfornotmorethan5yearsorbothinthecaseof anoffenseundersubsection(a)(5)(A)(ii)oranattempttocommitanoffensepunishableunderthatsubsection

(C)exceptasprovidedinparagraph(5)afineunderthistitleimprisonmentfornotmorethan20yearsorbothinthecaseof anoffenseundersubsection(a)(5)(A)(i)or(a)(5)(A)(ii)oranattempttocommitanoffensepunishableundereithersubsectionthatoccursafteraconvictionforanotheroffenseunderthissectionand

(5) (A)if theoffenderknowinglyorrecklesslycausesorattemptstocauseseriousbodilyinjuryfromconductinviolationof subsection(a)(5)(A)(i)afineunderthistitleorimprisonmentfornotmorethan20yearsorbothand

(B)if theoffenderknowinglyorrecklesslycausesorattemptstocausedeathfromconductinviolationof subsection(a)(5)(A)(i)afineunderthistitleorimprisonmentforanytermof yearsorforlifeorboth

(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5000 in value

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals

(iii) physical injury to any person

(iv) a threat to public health or safety

(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or

(vi) damage affecting ten or more protected computers during any 1-year period

or an attempt to commit an offense punishable under this subparagraph

(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph

(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph

(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both

(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both; or

(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

18 USC § 2332b(g)(5)(B)(I)

1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)

APPENDIX H: Text of Amendments to 18 USC § 1030(a)(7)

The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.

Proposed Language

18 USC § 1030(a)(7)

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any –

(a) threat to cause damage to a protected computer

(b) threat to obtain information from a protected computer without authorization or in excess of authorization, or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or

(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion

APPENDIX I: Text of Amendment to United States Sentencing Guideline § 2B11

The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.

Proposed language for United States Sentencing Guidelines § 2B11, comment (n1)

“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.

APPENDIX J: Description of Proposed Surveys

In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:

• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.

• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3000 agencies. The sample includes all agencies with 100 or more officers, and a stratified random sample of smaller agencies, as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.

• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft, as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.

• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the postconviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.

• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.

• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.

ENDNOTES

1 Public Law 105-318, 112 Stat 3007 (Oct 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.

2 The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.

3 The public comments are available at www.idtheft.gov.

4 Testimony of John M Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”

5 See US Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at httpwwwusdojgovusaomiwpressJMiller_ Others10172006html

6 Javelin Strategy and Research, 2007 Identity Fraud Survey Report Identity Fraud is Dropping Continued Vigilance Necessary (Feb 2007), summary available at http://www.javelinstrategy.com; Bureau of Justice Statistics (DOJ) (2004), available at httpwwwojpusdojgovbjspubpdfit04pdf; Gartner Inc (2003), available at httpwwwgartnercom5_aboutpress_releasespr21july2003ajsp; FTC 2003 Survey Report (2003), available at httpwwwconsumergovidtheftpdf synovate_reportpdf

7 See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection BSA Survey Suggests (Jan 12, 2006), available at httpwwwbsacybersafetycomnews2005-Online-Shopping-Confidencecfm

8 See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at httpswwwcsiallianceorgpublicationssurveys_and_pollsCSIA_Internet_Security_Survey_June_2005pdf

9 See US Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at httpwwwusdojgovusaoflsPressReleases060719-01html

10 See, e.g., John Leland, Meth Users Attuned to Detail Add Another Habit ID Theft, New York Times, July 11, 2006, available at httpwwwnytimescom20060711us11methhtmlex=1153540800ampen=7b6c7773afa880beampei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit Online Theft, USA Today, December 14, 2005, available at httpwwwusatodaycomtechnewsinternetprivacy2005-12-14-meth-online-theft_xhtm

11 Bob Mims, Id Theft Is the No 1 Runaway US Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526.

12 Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, httpdeseretnewscomdnview0124960012971400html

13 Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at httpwwwnytimescom20031221magazine21IDENTITYhtmlex=1387342800ampen=b693eef01223bc3bampei=5007amppartner=USERLAND

14 Pub L No 108-159, 117 Stat 1952.

15 The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 USC § 1681c(g)(3).

16 Overview of Attack Trends, CERT Coordination Center 2002, available at httpwwwcertorgarchivepdfattack_trendspdf

17 Lanowitz, T, Gartner Research ID Number G00127407, December 1, 2005.

18 “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at httpwwwconsumeraffairscomnews04200607scam_vishinghtml

19 Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See httpwwwftcgovopa200605phonerecordshtm

20 The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at httpwwwftcgovopa200203pretextingsettlementshtm

21 See, e.g., Computers Stolen with Data on 72000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.

22 15 USC § 1681e; 15 USC § 6802(a).

23 Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 USC § 1618c(g), manually created receipts might still contain the full account number.

24 See httpwwwbizjournalscomphiladelphiastories20060724daily30html. See also Identity Theft Resource Center, Fact Sheet 126, Checking Account Takeover and Check Fraud, httpwwwidtheftcenterorgvg126shtml

25 For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the US to manipulate the markets. See Litigation Release No 19949 (Dec 19, 2006), available at httpwwwsecgovlitigationlitreleases2006lr19949htm

26 For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 USC § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 USC § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.

27 See John Leland, Some ID Theft Is Not For Profit But to Get a Job, NY Times, Sept 4, 2006.

28 See World Privacy Forum, Medical Identity Theft The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforumorgpdfwpf_medicalidtheft2006pdf

29 See httpwwwidanalyticscomnews_and_events20051208htm. Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.

30 Government Accounting Office, Social Security Numbers Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004) at 2, available at httpwwwgaogovnewitemsd0559pdf

31 15 USC §§ 6801 et seq; 42 USC §§ 1320d et seq; 18 USC §§ 2721 et seq.

32 5 USC § 552a.

33 See, e.g., Ariz Rev Stat § 44-1373.

34 Social Security Numbers Federal and State Laws Restrict Use of SSNs Yet Gaps Remain, GAO-05-1016T, September 15, 2005.

35 See, e.g., wwwwpsiccomedicomm_sub_pshtmlmm=3 Non-SSN Member Numbers to Be Assigned for Privacy Protection.

36 Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.

37 The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 USC § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 USC § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 USC § 3501 et seq) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 USC § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 USC § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”

38 See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).

39 The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.

40 See httpwwwwhitehousegovresultsagendascorecardhtml

41 The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.

42 15 USC §§ 6801-09; 16 CFR Part 313 (FTC); 12 CFR Part 30 App B (OCC, national banks); 12 CFR Part 208 App D-2 and Part 225 App F (FRB, state member banks and holding companies); 12 CFR Part 364 App B (FDIC, state non-member banks); 12 CFR Part 570 App B (OTS, savings associations); 12 CFR Part 748 App A (NCUA, credit unions); 16 CFR Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 CFR Part 24830 (SEC); 17 CFR Part 16030 (CFTC).

43 15 USC § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 USC §§ 6801-09.

44 15 USC §§ 1681-1681x, as amended.

45 Pub L No 108-159, 117 Stat 1952.

46 42 USC §§ 1320d et seq.

47 31 USC § 5318(l).

48 18 USC §§ 2721 et seq.

49 httpwwwncslorgprogramsliscipprivbreachlawshtm

50 httpwwwbbborgsecurityandprivacySecurityPrivacyMadeSimplerpdf; wwwstaysafeonlineorgbasicscompanybasic_tipshtml; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at wwwbitsinfoorgdownloadsPublications20Pagebitsconsconpdf; wwwrealtororgrealtororgnsffilesNARInternetSecurityGuidepdf$FILENARInternetSecurityGuidepdf; wwwantiphishingorgreportsbestpracticesforispspdf; wwwuschambercomsbsecuritydefaulthtm; wwwtrusteorgpdfSecurityGuidelinespdf; wwwthe-dmaorgprivacyinformationsecurityshtml; httpwwwstaysafeonlineorgbasicscompanybasic_tipshtml

51 These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 CFR Part 30 App B (national banks); 12 CFR Part 208 App D-2 and Part 225 App 5 (state member banks and holding companies); 12 CFR Part 364 App B (state non-member banks); 12 CFR Part 570 App B (savings associations); 12 CFR Part 748 App A and B and 12 CFR Part 717 (credit unions); 16 CFR Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).

52 See, e.g., httpwwwtrusteorgpdfSecurityGuidelinespdf; httpwwwthe-dmaorgprivacyinformationsecurityshtml

53 Deloitte Financial Services, 2006 Global Security Survey, available at httpsingerucusnetblogarchives756-Deloitte-Security-Surveyshtml

54 Datalink, Data Storage Security Study, March 2006, available at wwwdatalinkcomsecurity

55 Id.

56 See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).

57 See, e.g., California (Cal Civ Code § 179882 (2006)); Illinois (815 Ill Comp Stat 5305 (2005)); Louisiana (La Rev Stat 513074 (2006)); Rhode Island (RI Gen Laws § 11-4923 (2006)).

58 See, e.g., Colorado (Colo Rev Stat § 6-1-716 (2006)); Florida (Fla Stat § 8175681 (2005)); New York (NY CLS Gen Bus § 889-aa (2006)); Ohio (Ohio Rev Code Ann § 134919 (2006)).

59 Ponemon Institute LLC, Benchmark Study of European and US Corporate Privacy Practices, p 16 (Apr 26, 2006).

60 Id.

61 Ponemon Institute LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).

62 MultiChannel Merchant, Retailers Need to Provide Greater Data Security Survey Says (Dec 1, 2005), available at httpmultichannelmerchantcomopsandfulfillmentadvisorretailers_data_security_1201indexhtml

63 See Information Technology Examination Handbook’s Information Security Booklet, available at httpwwwffiecgovguideshtm

64 See, e.g., httpwwwpvkansascompolicecrimeiden_theftshtml (Prairie Village, Kansas); httpphoenixgovPOLICEdcd1html (Phoenix, Arizona); wwwcoarapahoecousdepartmentsSHindexasp (Arapahoe County, Colorado).

65 Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.

66 Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.

67 See 31 CFR § 103121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 CFR § 103122 (broker-dealers); 17 CFR § 2700-11, 31 CFR § 103131 (mutual funds); and 31 CFR § 103123 (futures commission merchants and introducing brokers).

68 See httpwwwdhsgovxprevprotlawsgc_1172765386179shtm

69 A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 USC § 1681m.

Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages before too much harm is done. See 71 Fed Reg 40786 (July 18, 2006), to be codified at 12 CFR Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 CFR Part 681 (FTC), available at httpwwwoccgovfrfedregister71fr40786pdf

70 USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information such as a PIN to allow access to a computer network. This system is frequently used to allow for remote access to a workstation for a telecommuter.

71 Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at www.biometrics.gov.

72 See Authentication in an Internet Banking Environment (October 12, 2005), available at httpwwwffiecgovpdfauthentication_guidancepdf

73 See FFIEC Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at httpwwwffiecgovpdfauthentication_faqpdf

74 See Kristin Davis and Jessica Anderson, But Officer That Isn’t Me, Kiplinger’s Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec 1, 2003); David Brietkopf, State of Va Creates Special Cards for Crime Victims, The American Banker (Nov 18, 2003).

75 18 USC § 1028A.

76 18 USC § 1028(d)(7).

77 See 18 USC § 1030(e)(8).

78 18 USC § 1030(a)(7).

79 S Rep No 105-274 at 9 (1998).

80 As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.


IRTPA – Intelligence Reform and Terrorism Prevention Act of 2004

ISI – Intelligence Sharing Initiative (U.S. Postal Inspection Service)

ISP – Internet service provider

ISS LOB – Information Systems Security Line of Business

ITAC – Identity Theft Assistance Center

ITCI – Information Technology Compliance Institute

ITRC – Identity Theft Resource Center

MCC – Major Cities Chiefs

NAC – National Advocacy Center

NASD – National Association of Securities Dealers, Inc.

NCFTA – National Cyber Forensic Training Alliance

NCHELP – National Council of Higher Education Loan Programs

NCUA – National Credit Union Administration

NCVS – National Crime Victimization Survey

NDAA – National District Attorneys Association

NIH – National Institutes of Health

NIST – National Institute of Standards and Technology

NYSE – New York Stock Exchange

OCC – Office of the Comptroller of the Currency

OIG – Office of the Inspector General

OJP – Office of Justice Programs (DOJ)

OMB – Office of Management and Budget

OPM – Office of Personnel Management

OTS – Office of Thrift Supervision

OVC – Office for Victims of Crime (DOJ)

PCI – Payment Card Industry

PIN – Personal Identification Number

PMA – President’s Management Agenda

PRC – Privacy Rights Clearinghouse

QRP – Questionable Refund Program (IRS CI)

RELEAF – Operation Retailers & Law Enforcement Against Fraud

RISS – Regional Information Sharing Systems

RITNET – Regional Identity Theft Network

RPP – Return Preparer Program (IRS CI)

SAR – Suspicious Activity Report

SBA – Small Business Administration

SEC – Securities and Exchange Commission

SMP – Senior Medicare Patrol

SSA – Social Security Administration

SSL – Security Socket Layer

SSN – Social Security number

TIGTA – Treasury Inspector General for Tax Administration

UNCC – United Nations Crime Commission

USA PATRIOT Act – Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Pub. L. No. 107-56)

USB – Universal Serial Bus

US-CERT – United States Computer Emergency Readiness Team

USPIS – United States Postal Inspection Service

USSS – United States Secret Service

VHA – Veterans Health Administration

VOIP – Voice Over Internet Protocol

VPN – Virtual private network

WEDI – Workgroup for Electronic Data Interchange

GLOSSARY OF ACRONYMS


Identity Theft Task Force Members

Alberto R. Gonzales, Chairman, Attorney General

Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission

Henry M. Paulson, Department of Treasury

Carlos M. Gutierrez, Department of Commerce

Michael O. Leavitt, Department of Health and Human Services

R. James Nicholson, Department of Veterans Affairs

Michael Chertoff, Department of Homeland Security

Rob Portman, Office of Management and Budget

John E. Potter, United States Postal Service

Ben S. Bernanke, Federal Reserve System

Linda M. Springer, Office of Personnel Management

Sheila C. Bair, Federal Deposit Insurance Corporation

Christopher Cox, Securities and Exchange Commission

JoAnn Johnson, National Credit Union Administration

Michael J. Astrue, Social Security Administration

John C. Dugan, Office of the Comptroller of the Currency

John M. Reich, Office of Thrift Supervision


LETTER TO THE PRESIDENT


April 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President’s Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government’s efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.

Alberto R. Gonzales, Chairman, Attorney General

Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission


The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft’s damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President’s Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, Chairman, Attorney General

Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission


I. Executive Summary

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

A. INTRODUCTION

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,¹ which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies² have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government—from the largest cities with major police departments to the smallest towns with one fraud detective—identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.³ The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force’s recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

B. THE STRATEGY

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud. Identity theft has at least three stages in its “life cycle,” and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim’s personal information.

Criminals must first gather personal information, either through low-tech methods—such as stealing mail or workplace records, or “dumpster diving”—or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim’s personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim’s name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation’s citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;

• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;

• assisting the victims of identity theft in recovering from the crime; and

• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;

• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;

• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and

• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan—from these broad policy changes to the small steps—are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President’s Task Force on Identity Theft:

PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.


Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While “perfect security” does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Data Security in Public Sector

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

• Survey current use of SSNs by federal government

• Issue guidance on appropriate use of SSNs

• Establish clearinghouse for “best” agency practices that minimize use of SSNs

• Work with state and local governments to review use of SSNs

Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance

• Develop concrete guidance and best practices

• Monitor agency compliance with data security guidance

• Protect portable storage and communications devices

Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies

• Issue data breach guidance to agencies

• Publish a “routine use” allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data

• Hold regional seminars for businesses on safeguarding information

• Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations

Initiate a Multi-Year Public Awareness Campaign

• Develop national awareness campaign

• Enlist outreach partners

• Increase outreach to traditionally underserved communities

• Establish “Protect Your Identity” Days

Develop Online Clearinghouse for Current Educational Resources

PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person’s identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factor authentication or layered security—would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication

• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity

• Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs

VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Identity theft can be committed despite a consumer’s best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.


Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims

• Train law enforcement officers

• Provide educational materials for first responders that can be used as a reference guide for identity theft victims

• Create and distribute an ID Theft Victim Statement of Rights

• Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims

• Conduct assessment of FACT Act remedies under FCRA

• Conduct assessment of state credit freeze laws

LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector

• Enhance ability of law enforcement to receive information from financial institutions

• Initiate discussions with financial services industry on countermeasures to identity theft

• Initiate discussions with credit reporting agencies on preventing identity theft

Coordination with Foreign Law Enforcement

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government’s Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist, Train, and Support Foreign Law Enforcement

Prosecution Approaches and Initiatives

Increase Prosecutions of Identity Theft

• Designate an identity theft coordinator for each United States Attorney’s Office to design a specific identity theft program for each district

• Evaluate monetary thresholds for prosecution

• Encourage state prosecution of identity theft

• Create working groups and task forces

Conduct Targeted Enforcement Initiatives

• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale

• Conduct enforcement initiatives focused on identity theft related to the health care system

• Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs


Gaps in Statutes Criminalizing Identity Theft

Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes

• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted

• Add new crimes to the list of predicate offenses for aggravated identity theft offenses

• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications

• Penalize creators and distributors of malicious spyware and keyloggers

• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Law Enforcement Training

Enhance Training for Law Enforcement Officers and Prosecutors

• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft

• Increase number of regional identity theft seminars

• Increase resources for law enforcement on the Internet

• Review curricula to enhance basic and advanced training on identity theft

Measuring the Success of Law Enforcement

Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft

• Gather and analyze statistically reliable data from identity theft victims

• Expand scope of national crime victimization survey

• Review U.S. Sentencing Commission data

• Track prosecutions of identity theft and resources spent

• Conduct targeted surveys


II. The Contours of the Identity Theft Problem


Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.

Identity theft—the misuse of another individual’s personal information to commit fraud—can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.

Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain’s identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain’s name and with his Social Security number. The military identification, combined with the victim’s then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim’s name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim’s name.⁴

In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim’s existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim’s safe-deposit boxes.⁵

In these ways and others, consumers’ lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.

“I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver’s license was suspended. I hold three licenses in the State of Ohio—my driver’s license, my real estate license, and my RN license. After learning my driver’s license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter.”

Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003

A. PREVALENCE AND COSTS OF IDENTITY THEFT

There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.⁶ While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.

Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly, but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.

In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.

In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.

Consumers’ fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.⁷ Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.⁸ Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.

B. IDENTITY THIEVES: WHO THEY ARE

Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC’s 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.

Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.

Individuals

According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners’ mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.⁹

A number of recent reports have focused on the connection between individual methamphetamine (“meth”) users and identity theft.¹⁰ Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.¹¹ Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.

THE CONTOURS OF THE IDENTITY THEFT PROBLEM

In an article entitled "Waitress Gets Own ID When Carding Patron," the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver's license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.

In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $18151705 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver's license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.


Significant Criminal Groups and Organizations

Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups, including national gangs such as Hell's Angels and MS-13, are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.

Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user's Internet connection, without the user's knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services, such as software templates for making counterfeit identification cards and payment card magnetic strip encoders, that make the stolen data even more valuable to those who have it.

C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE

Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim's name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.

Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.

In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network, as well as a text file containing approximately 3500 credit card numbers and associated card holder information for FSI customers. One of the defendant's accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6000. After a period of negotiation, FSI eventually agreed to pay $5000. In sentencing the defendant, the federal judge described the scheme as an "unprecedented, wide-ranging, organized criminal enterprise" that "engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers." The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.

The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.

Common Theft and Dumpster Diving

While often considered a "high tech" crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as "dumpster diving."13 Still others steal information using techniques no more sophisticated than purse snatching.

Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice

A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.

Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed, a measure that is intended, among other things, to reduce the ability of a "dumpster diver" to obtain a victim's credit card number simply by looking through that victim's discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15
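A merchant can test its own receipt templates against the truncation requirement described above. The following Python check is an added example, not part of the Task Force report; the limit of five trailing digits and the ban on printing the expiration date are taken from the statute (15 U.S.C. § 1681c(g)) rather than from this page, and the receipt text and card number are constructed test values.

```python
import re

# A card-like token: 13-19 digits or mask characters, optionally grouped
# with single spaces or hyphens ("4111 1111 1111 1111", "************1111").
TOKEN = re.compile(r"(?<![\w*#])[\dXx*#](?:[ -]?[\dXx*#]){12,18}(?![\w*#])")
EXPIRY = re.compile(r"\bEXP(?:IRY|IRES|\.)?\s*:?\s*\d{2}/\d{2,4}\b", re.I)
# Compliant masking: mask characters, then at most five clear trailing digits.
COMPLIANT = re.compile(r"[Xx*#]+\d{0,5}")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_receipt(text):
    """Return sorted (line_number, finding) pairs for one printed receipt.

    The card number itself is never copied into the findings.
    """
    findings = []
    for m in TOKEN.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        token = re.sub(r"[ -]", "", m.group(0))
        if token.isdigit():
            # Long digit runs that fail Luhn are treated as reference numbers.
            if luhn_ok(token):
                findings.append((line_no, "full_card_number"))
        elif not COMPLIANT.fullmatch(token):
            # Masked, but clear digits appear before the mask or exceed five.
            findings.append((line_no, "too_many_digits_shown"))
    for m in EXPIRY.finditer(text):
        findings.append((text.count("\n", 0, m.start()) + 1, "expiry_printed"))
    return sorted(findings)


# Constructed receipts; 4111 1111 1111 1111 is a widely used test number.
BAD_RECEIPT = "CORNER CAFE\nVISA 4111 1111 1111 1111\nEXP 09/27\nTOTAL 18.40\n"
GOOD_RECEIPT = "CORNER CAFE\nVISA ************1111\nREF 000123456789012\nTOTAL 18.40\n"
PARTIAL_RECEIPT = "MC 411111******1111\n"

if __name__ == "__main__":
    for name, receipt in [("bad", BAD_RECEIPT), ("good", GOOD_RECEIPT),
                          ("partial", PARTIAL_RECEIPT)]:
        print(name, check_receipt(receipt))
```

The third sample shows a common partial failure: a "first six, last four" mask hides the middle of the number but still prints ten clear digits.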

Employee/Insider Theft

Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves, to access sensitive data at companies. The failure to disable a terminated employee's access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.

Electronic Intrusions or Hacking

Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.

Second, hackers also can gain access to underlying applications (programs used to "communicate" between Internet users and a company's internal databases, such as programs to retrieve product information). One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker's application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.

According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.

Social Engineering: Phishing, Malware/Spyware, and Pretexting

Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as "social engineering," can take a variety of forms.

In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution's screening practices came to light through the OCC's review of the former employee's activities.

In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe's Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe's retail store in Michigan and gained access to Lowe's central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe's retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.

Phishing: "Phishing" is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources, often financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to "reenter" or "validate" their personal data. Such phishing schemes often mimic financial institutions' websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed "vishing," in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18

Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users' computers and data without the users' permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user's Internet sessions back to the hacker, including user names and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims' passwords and other useful data, such as "sniffing" Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.

"Phishing" Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group

At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS's website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.

Pretexting: Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer's account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer's name.20

Stolen Media

In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an "incidental" manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded, such as through the use of technological tools for protecting data, this information can be accessed and used to steal the victim's identity. Identity thieves also may obtain consumer data when it is lost or misplaced.

Failure to "Know Your Customer"

Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.

The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.

Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.

In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.

"Skimming"

Because it is possible to use someone's credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as "skimmers." A skimmer is an inexpensive electronic device with a slot through which a person passes or "skims" a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer's sight, he can skim the card through the device and then swipe it through the restaurant's own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer's card, as well as the consumer's password.

D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT

Once they obtain victims' personal information, criminals misuse it in endless ways, from opening new accounts in the victim's name, to accessing the victim's existing accounts, to using the victim's name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.

Misuse of Existing Accounts

Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer's wallet.

A "skimmer." Source: Durham, Ontario Police

In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.

Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims' bank accounts, including checking accounts, sometimes referred to as "account takeovers."24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims' online brokerage accounts.25

Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26

New Account Fraud

A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim's name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.

Criminal's skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer's keystrokes. Source: University of Texas Police Department

In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor's Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.

When criminals establish new credit card accounts in others' names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others' names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.

"Brokering" of Stolen Data

Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as "carding sites," traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20000 member accounts.

Immigration Fraud

In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.

Medical Identity Theft

Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim's identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.

Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney's Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver's licenses, credit, or even medical services because someone had improperly used their personal information before.

Other Frauds

Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS's Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.

With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services' Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.

Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney's Office for the Southern District of New York obtained a criminal conviction against him in 2002.

In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant's allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277377 from FEMA.

A STRATEGY TO COMBAT IDENTITY THEFT

III. A Strategy to Combat Identity Theft

Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its "life cycle," it must be attacked at each of those stages, including:

when the identity thief attempts to acquire a victim's personal information;

when the thief attempts to misuse the information he has acquired; and

after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

The federal government's strategy to combat identity theft must address each of these stages by:

keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;

making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;

assisting victims in recovering from the crime; and

deterring identity theft by aggressively prosecuting and punishing those who commit the crime.

A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force's recommendations, as described below, are focused on those areas.

A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as "perfect security," some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.

The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.29 Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.

1. Decreasing the Unnecessary Use of Social Security Numbers

The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim's SSN and certain other information generally can open accounts or obtain other benefits in the victim's name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.

SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers' earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes is expressly authorized by statute.

The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.

EmployersmustcollectSSNsfortaxreportingpurposesDoctorsorhospitalsmayneedthemtofacilitateMedicarereimbursementSSNsalsoareusedininternalsystemstosortandtrackinformationaboutindividualsandinsomecasesaredisplayedonidentificationcardsIn2004anestimated42millionMedicarecardsdisplayedtheentireSSNasdidapproximately8millionDepartmentof DefenseinsurancecardsInadditionalthoughtheVeteransHealthAdministration(VHA)discontinuedtheissuanceof VeteransIdentificationCardsthatdisplaySSNsinMarch2004andhasissuednewcardsthatdonotdisplaySSNs

In June 2006 a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud SSN fraud aggravated identity theft identification docu-ment fraud and furnishing false information to the SSA The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name He then used this new name and SSN to obtain a new SSN card driverrsquos licenses and United States passport The case was initiated based on information from the Joint Terrorism Task Force in Springfield Massachusetts The agencies involved in the investigation included SSA OIG Department of State Massachusetts State Police and the Springfield and Boston police departments


the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students’ identification number for a range of purposes, from administering loans to tracking grades, and may place it on students’ identification cards, although usage for these purposes is declining.

SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.30 Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.

No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations’ disclosure of SSNs without patient authorization; and the Driver’s Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 “permissible uses.”31 In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.32 A number of state statutes restrict the use and display of SSNs in certain contexts.33 Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.34

There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.

Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization’s internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN’s use as an authenticator.

In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA’s Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.


Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber’s identification number.35 Additionally, the Department of Treasury’s Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.

More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.

RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR

To limit the unnecessary use of SSNs in the public sector—and to begin to develop alternative strategies for identity management—the Task Force recommends the following:

Complete Review of Use of SSNs. As recommended in the Task Force’s interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers, where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in “any system of permanent account numbers pertaining to individuals,” should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.

When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim’s name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief’s medical information was added to the victim’s medical records.


Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.

Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.36

Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB’s review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices—including the development of any alternative strategies for identity management—to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.

Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments—through organizations such as the National Governor’s Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems—to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm


to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders—including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.

2. Data Security in the Public Sector

While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.

a. Safeguarding of Information in the Public Sector

Two sets of laws and associated policies frame the federal government’s responsibilities in the area of data security. The first specifically governs the federal government’s information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.37 The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual


reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a “time-out” function for remote access and mobile devices.38 The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.39

Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President’s Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.40

Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.

Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.

b. Responding to Data Breaches in the Public Sector

Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to


data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.

The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.

RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE

To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:

Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 “mistakes” to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.

Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and


directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency’s quarterly PMA Scorecard.

Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency’s PMA scorecard.

RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES

To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:

Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.

Publish a “Routine Use” Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should


not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.41 DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.

3. Data Security in the Private Sector

Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.

a. The Current Legal Landscape

Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;42 Section 5 of the FTC Act, which prohibits unfair or deceptive practices;43 the FCRA,44 which restricts access to consumer reports and imposes safe disposal requirements, among other things;45 HIPAA, which protects health information;46 Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,47 which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers’ personal information.48 See Volume II, Part A, for a description of federal laws and regulations related to data security.

The federal bank regulatory agencies—the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)—and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation.

BJ’s Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ’s stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers, and led to millions of dollars in fraudulent charges.


In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.

In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,49 and some states have laws relevant to data security, including safeguards and disposal requirements.

Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.50

Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution’s sensitive data to safeguard that data.51 Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor’s data center, and requiring vendors to provide certification that they are in compliance with the contracting organization’s privacy and data protection obligations.52

b. Implementation of Data Security Guidelines and Rules

Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via

In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company’s website permitted unauthorized access to consumers’ personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.

In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.


computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.

Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.53 But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.54 The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.55

Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.56 For example, of the small businesses surveyed:

• nearly 20 percent did not use virus scans for email, a basic information security safeguard;

• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;

• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and

• 74 percent reported having no information security plan in place.

Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies—sometimes pursuant to law or regulations issued by agencies—are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The

In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company’s security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.


E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.

c. Responding to Data Breaches in the Private Sector

Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers’ fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.57 Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.58 Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.

The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.

A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress

In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.


address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.

Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.59 Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.60 A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.61 Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.62

RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS

Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to “financial institutions,” but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles:

Covered data. The national standards for data security and for breach notification should cover data that can be used to perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual’s account, or to establish a new account using the individual’s identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver’s license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter “covered data”). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.

When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.

Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.

Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent “acquisition” of the data, and thus ordinarily would satisfy an entity’s legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.

Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This “significant risk of identity theft” trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real.

Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).

Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.

Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.

Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.

Private right of action. The national standards should not provide for or create a private right of action.

Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.

RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA

When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.

Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately is less likely to suffer a data compromise. The Task Force therefore makes the following recommendations concerning how to better educate the private sector:

Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar’s leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force’s online clearinghouse at www.idtheft.gov.

Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook’s Information Security Booklet, issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.

RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS

Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.

A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company’s cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.

4. Educating Consumers on Protecting Their Personal Information

The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.

The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of “Deter, Detect, and Defend,” which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.

The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and healthcare fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.

Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims’ coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted “Consumer Action Days,” with free seminars about identity theft and other consumer protection issues.

Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.64 As of this writing, more than 500 local police departments are using the FTC’s “Deter, Detect, Defend” campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.

Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons—including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms—students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.65 In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.66

Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide—how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath—are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.

RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN

Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC’s current “AvoID Theft: Deter, Detect, Defend” campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:

Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.

Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.

Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.

Establish “Protect Your Identity Days.” The campaign should establish “Protect Your Identity Days” to promote better data security by businesses and individual commitment to security by consumers. These “Protect Your Identity Days” should also build on the popularity of community “shred-ins” by encouraging community and business organizations to shred documents containing personal information.

RECOMMENDATION: DEVELOP AN ONLINE “CLEARINGHOUSE” FOR CURRENT EDUCATIONAL RESOURCES

The Task Force recommends that in the third quarter of 2007, the Task Force member agencies develop an online “clearinghouse” for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.

B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.

An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision; and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer’s credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to “verify” the applicant’s identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.

Identity systems follow a two-fold process: first, determining (“identification”) and setting (“enrollment”) the identity of an individual at the onset of the relationship; and second, later ensuring that the individual is the same person who was initially enrolled (“authentication”). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, “financial institutions”), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.67 The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.68 See Volume II, Part G, for a description of recent laws relating to identification documents.

The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.69

Once an individual’s identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:

• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer’s monthly mortgage payment.

• Something a person has—most commonly, a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.70

• Something a person is—most commonly a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.71

Some entities use a single form of authentication—most commonly a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.72 Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.73 Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.

SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.

RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION

Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.

As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

As noted in Section III.A.1, above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.

C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.

1. Victim Assistance: Outreach and Education

Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.

In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.

Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.

Fair and Accurate Credit Transactions Act (FACT Act) Rights

The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.

Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:

• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.

• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.

• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.

• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877-ID-THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.

• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.

State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General’s office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.

A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.

Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.

RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS

First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:

Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.

Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.

Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.

Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.

RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS

Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:

Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.

2. Making Identity Theft Victims Whole

Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.

The many hours victims spend in attempting to recover from the harms they suffer often take a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.

“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”

Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001


In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.⁷⁴ In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.

RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED

Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.

As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.

RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES

One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or “passports,” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.

3. Gathering Better Information on the Effectiveness of Victim Recovery Measures

Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims’ experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.

RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS

The Task Force recommends the following surveys or assessments:

Conduct Assessment of FACT Act Remedies Under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.


Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policy makers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.

D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.

The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.

In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.

In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.

During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute⁷⁵ enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.

The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.

1. Coordination and Intelligence/Information Sharing

Federal law enforcement agencies have recognized the importance of coordination among agencies, and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.

In “Operation Firewall,” the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar. Using the website www.shadowcrew.com, the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents, such as drivers’ licenses, passports, and Social Security cards, as well as stolen credit card, debit card, and bank account numbers. The Shadowcrew members trafficked in at least 17 million stolen credit card numbers and caused total losses in excess of $4 million. The Secret Service successfully shut down the website following a year-long undercover investigation, which resulted in the arrests of 21 individuals in the United States on criminal charges in October 2004. Additionally, law enforcement officers in six foreign countries arrested or searched eight individuals.


a. Sources of Identity Theft Information

Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement, through a secure website, the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.

Private sector entities—including the financial services industry and credit reporting agencies—also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.


One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient “stove-piping” of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.

b. Format for Sharing Information and Intelligence

A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program’s terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.

To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police’s (IACP) Private Sector Liaison Committee and the Major Cities’ Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.

c. Mechanisms for Sharing Information

Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.

Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.

Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers “connect the dots” in investigations and pool limited resources.

RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER

The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to “connect the dots” between various investigations around the country.

In a case prosecuted by the United States Attorney’s Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.


RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM

The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC—a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department’s report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.

Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint (“Complaint”) form was made available in October 2006 via the FTC’s Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC’s Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.

RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR

Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:


Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service’s current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim’s credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.

2. Coordination with Foreign Law Enforcement

Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.

Because of the international nature of many forms of identity theft, providing assistance to, and receiving assistance from, foreign law enforcement on identity theft is critical for U.S. enforcement agencies. Under current law, the United States generally is able to provide such assistance, which fulfills our obligations under various treaties and enhances our ability to obtain reciprocal assistance from foreign agencies. Indeed, there are numerous examples of collaborations between U.S. and foreign law enforcement in identity theft investigations.

Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country’s law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.

Second, certain statutes governing foreign requests for electronic and other evidence—specifically, 18 U.S.C. § 2703 and 28 U.S.C. § 1782—fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.

The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.


RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT

The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.

RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE

Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention’s standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings and should continue until broad international acceptance of the Convention on Cybercrime is achieved.


RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES

Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.

RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT’S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT

The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).


RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT

Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.

3. Prosecution Approaches and Initiatives

As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney’s Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney’s Office in the District of Oregon has an identity theft “fast track” program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney’s Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.

Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney’s Offices have monetary thresholds—i.e., requirements that a certain amount of monetary loss must have been suffered by the victims—before the U.S. Attorney’s Office will open an identity theft case. When a U.S. Attorney’s Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.


RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT

The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:

Designate An Identity Theft Coordinator for Each United States Attorney’s Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney’s Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.

Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney’s Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.

Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.


Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.

RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES

Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:

Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals’ SSNs or other sensitive information to anyone who provides them with the individual’s name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.

Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries’ and providers’ identities and identification numbers, the opening of bank accounts in individuals’ names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.

Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.


RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS

By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.

4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps

Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.

a. The Identity Theft Statutes

The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.76 Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.

There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of “a person,” it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization’s name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.

b. Computer-Related Identity Theft Statutes

Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company’s internal local networks or by a thief intruding into a wireless network generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer’s wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney’s Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.

A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause “damage” to computers, i.e., that impair the “integrity or availability” of data or computer systems.77 Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals’ computers. Whether the programs succeed in obtaining the unsuspecting computer owner’s financial data, these sorts of programs harm the “integrity” of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.

c. Cyber-Extortion Statute

Another federal criminal statute that may apply in some computer-related identity theft cases is the “cyber-extortion” provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat “to cause damage to a protected computer,”78 is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first—such as by accessing a corporate computer without authority and encrypting critical data—and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly “threaten to cause damage” can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.

d. Sentencing Guidelines Governing Identity Theft

In recent years, the courts have created some uncertainty about the applicability of the “multiple victim enhancement” provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.79

RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES

The Task Force recommends that Congress take the following legislative actions:

Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.


Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases—mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A—in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.

Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.

Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant’s action must cause “damage” to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.

Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.

RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF’S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM

The Sentencing Commission should amend the definition of “victim,” as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.


5. Training of Law Enforcement Officers and Prosecutors

Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney’s Offices, for example, several federal law enforcement agencies—including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI—along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.

Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges—including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft—that warrant more specialized training at all levels of law enforcement.

RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS

Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ’s Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any “model programs”—fast track programs, etc.).

Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.


Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.

Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.

6. Measuring Success of Law Enforcement Efforts

One shortcoming in the federal government’s ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.

Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.

RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM’S RESPONSE TO IDENTITY THEFT

Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.


Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.

Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.

Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an “Identity Theft” category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.

Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.

IV. Conclusion: The Way Forward

There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.

Only a comprehensive and fully coordinated strategy to combat identity theft—one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector—will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders—consumers, business, and government—must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well being.


Appendices

APPENDIX A
Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol


APPENDIX B
Proposed Routine Use Language

Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12,990, 12,993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28,948, 28,953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.

Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:80

To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.

Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.


APPENDIX C
Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)

Proposed Language

(a) Section 3663 of Title 18, United States Code, is amended by:

(1) Deleting “and” at the end of paragraph (4) of subsection (b);

(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “and”; and

(3) Adding the following after paragraph (5) of subsection (b):

“(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”

Make conforming changes to the following:

(b) Section 3663A of Title 18, United States Code, is amended by:

(1) Adding the following after Section 3663A(b)(4):

“(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”

Section Analysis

These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim’s time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim’s time spent clearing a victim’s credit report or resolving charges made by the perpetrator for which the victim has been made responsible.

New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear that restitution orders may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense. The federal courts of appeals have interpreted the existing provisions of Section 3663 in such a way that would likely preclude the recovery of such amounts, absent explicit statutory authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th Cir. 1990), the court held that restitution ordered for offenses resulting in loss of property must be limited to recovery of property which is the subject of the offenses, and may not include consequential damages. Similarly, in United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held that the list of compensable expenses in a restitution statute is exclusive, and thus the district court did not have the authority to order the defendant to pay restitution to compensate the victim for mental anguish and suffering. Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court held that restitution was not allowed for consequential damages involved in determining the amount of loss or in recovering those funds; thus, a victim of wire fraud was not entitled to restitution for accounting fees and costs to reconstruct bank statements for the time period during which the defendant perpetuated the scheme, for the cost of temporary employees to reconstruct monthly bank statements, and for the costs incurred in borrowing funds to replace stolen funds. These new subsections will provide statutory authority for inclusion of amounts equal to the value of the victim’s time reasonably spent remediating the harm incurred as a result of the identity theft offense.


APPENDIX D
Text of Amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and Text of New Language for 18 U.S.C. § 3512

The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.

Proposed Language

§ 2703. Required disclosure of customer communications or records

(a) Contents of wire or electronic communications in electronic storage.—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

(b) Contents of wire or electronic communications in a remote computing service.—(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—

(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or

(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—

(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or

(ii) obtains a court order for such disclosure under subsection (d) of this section;

except that delayed notice may be given pursuant to section 2705 of this title.

(c) Records concerning electronic communication service or remote computing service.—(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—

(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;

§ 2711. Definitions for chapter

As used in this chapter—

(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;

(2) thetermldquoremotecomputingservicerdquomeanstheprovisiontothepublicof computerstorageorprocessingservicesbymeansof anelectroniccommunicationssystemand

(3) thetermldquocourtof competentjurisdictionrdquohasthemeaningassignedbysection3127andincludesanyFederalcourtwithinthatdefinitionwithoutgeographiclimitationmeansmdash

(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals thatndash

(i) has jurisdiction over the offense being investigated

(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications records or other information are stored or

(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants

§ 3127. Definitions for chapter

As used in this chapter—

(1) the terms “wire communication”, “electronic communication”, “electronic communication service”, and “contents” have the meanings set forth for such terms in section 2510 of this title;

(2) the term “court of competent jurisdiction” means—

(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that–

(i) has jurisdiction over the offense being investigated;

(ii) is in or for a district in which the provider of electronic communication service is located;

(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or

(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device;

§ 3512. Foreign requests for assistance in criminal investigations and prosecutions

(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.

(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –

(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;

(2) administer any necessary oath; and

(3) take testimony or statements and receive documents or other things.

(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –

(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;

(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents, or things may be located; or

(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.

(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.

(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.

(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.

(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.

(h) As used in this section –

(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and

(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.

APPENDIX E
Text of Amendments to 18 U.S.C. §§ 1028 and 1028A

The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.

Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses

Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically, mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A—in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).

Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations

(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “or other person” after the word “individual”.

Rationale

Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized “appropriation” of legitimate companies’ names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation, sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy, and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.

One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as “phishing,” whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme—for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.

Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special “horror story” which stands above the rest. In August 2005, the “Anti-Phishing Working Group” determined in just that month alone, there were 5259 unique phishing websites around the world. By December 2005, that number had increased to 7197, and there were 15244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities’ names (and even logos and web content) were “hijacked” (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., httpantiphishingorgapwg_phishing_activity_report_august_05pdf

In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks and companies’ names in communications with victims or in counterfeit checks.

Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code, to apply only to “natural” persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.

APPENDIX F
Text of Amendment to 18 U.S.C. § 1030(a)(2)

The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

1030(a) Whoever—

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains–

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer if the conduct involved an interstate or foreign communication;

APPENDIX G
Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b

The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

18 U.S.C. § 1030

(a) Whoever—

(5)

(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and

(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5000 in value;

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(iii) physical injury to any person;

(iv) a threat to public health or safety; or

(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;

(c) The punishment for an offense under subsection (a) or (b) of this section is—

(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(3) (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;

(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;

(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section; and

(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and

(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.

(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5000 in value;

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(iii) physical injury to any person;

(iv) a threat to public health or safety;

(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or

(vi) damage affecting ten or more protected computers during any 1-year period;

or an attempt to commit an offense punishable under this subparagraph;

(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph;

(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both;

(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both; or

(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph.

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

18 U.S.C. § 2332b(g)(5)(B)(I)

1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)

APPENDIX H
Text of Amendments to 18 U.S.C. § 1030(a)(7)

The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.

Proposed Language

18 U.S.C. § 1030(a)(7)

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any–

(a) threat to cause damage to a protected computer;

(b) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or

(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;

APPENDIX I
Text of Amendment to United States Sentencing Guideline § 2B1.1

The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.

Proposed language for United States Sentencing Guidelines § 2B1.1, comment. (n.1)

“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.

APPENDIX J
Description of Proposed Surveys

In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:

• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.

• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3000 agencies. The sample includes all agencies with 100 or more officers, and a stratified random sample of smaller agencies, as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.

• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft, as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.

• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the postconviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.

• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.

• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.

ENDNOTES

1. Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.

2. The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.

3. The public comments are available at wwwidtheftgov

4. Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”

5. See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at httpwwwusdojgovusaomiwpressJMiller_ Others10172006html

6. Javelin Strategy and Research, 2007 Identity Fraud Survey Report: Identity Fraud is Dropping, Continued Vigilance Necessary (Feb. 2007), summary available at httpwwwjavelinstrategycom; Bureau of Justice Statistics (DOJ) (2004), available at httpwwwojpusdojgovbjspubpdfit04pdf; Gartner, Inc. (2003), available at httpwwwgartnercom5_aboutpress_releasespr21july2003ajsp; FTC 2003 Survey Report (2003), available at httpwwwconsumergovidtheftpdf synovate_reportpdf

7. See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection, BSA Survey Suggests (Jan. 12, 2006), available at httpwwwbsacybersafetycomnews2005-Online-Shopping-Confidencecfm

8. See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005), at 9, available at httpswwwcsiallianceorgpublicationssurveys_and_pollsCSIA_Internet_Security_Survey_June_2005pdf

9. See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at httpwwwusdojgovusaoflsPressReleases060719-01html

10. See, e.g., John Leland, Meth Users, Attuned to Detail, Add Another Habit: ID Theft, New York Times, July 11, 2006, available at httpwwwnytimescom20060711us11methhtmlex=1153540800ampen=7b6c7773afa880beampei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit: Online Theft, USA Today, December 14, 2005, available at httpwwwusatodaycomtechnewsinternetprivacy2005-12-14-meth-online-theft_xhtm

11. Bob Mims, Id Theft Is the No. 1 Runaway U.S. Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526.

12. Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, httpdeseretnewscomdnview0124960012971400html

13. Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at httpwwwnytimescom20031221magazine21IDENTITYhtmlex=1387342800ampen=b693eef01223bc3bampei=5007amppartner=USERLAND

14. Pub. L. No. 108-159, 117 Stat. 1952.

15. The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).

16. Overview of Attack Trends, CERT Coordination Center, 2002, available at httpwwwcertorgarchivepdfattack_trendspdf

17. Lanowitz, T., Gartner Research ID Number G00127407, December 1, 2005.

18. “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at httpwwwconsumeraffairscomnews04200607scam_vishinghtml

19. Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal: Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See httpwwwftcgovopa200605phonerecordshtm

20. The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at httpwwwftcgovopa200203pretextingsettlementshtm

21. See, e.g., Computers Stolen with Data on 72000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.

22. 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a).

23. Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.

24. See httpwwwbizjournalscomphiladelphiastories20060724daily30html. See also Identity Theft Resource Center, Fact Sheet 126: Checking Account Takeover and Check Fraud, httpwwwidtheftcenterorgvg126shtml

25. For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at httpwwwsecgovlitigationlitreleases2006lr19949htm

26. For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.

27. See John Leland, Some ID Theft Is Not For Profit, But to Get a Job, N.Y. Times, Sept. 4, 2006.

28. See World Privacy Forum, Medical Identity Theft: The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforumorgpdfwpf_medicalidtheft2006pdf

29. See httpwwwidanalyticscomnews_and_events20051208htm. Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.

30. Government Accounting Office, Social Security Numbers: Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004), at 2, available at httpwwwgaogovnewitemsd0559pdf

31. 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.

32. 5 U.S.C. § 552a.

33. See, e.g., Ariz. Rev. Stat. § 44-1373.

34. Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain, GAO-05-1016T, September 15, 2005.

35. See, e.g., wwwwpsiccomedicomm_sub_pshtmlmm=3, Non-SSN Member Numbers to Be Assigned for Privacy Protection.

36. Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.

37. The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”

38. See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).

39. The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.

40. See httpwwwwhitehousegovresultsagendascorecardhtml

ENDNOTES


41. The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.

42. 15 U.S.C. §§ 6801-09; 16 C.F.R. Part 313 (FTC); 12 C.F.R. Part 30, App. B (OCC, national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 C.F.R. Part 364, App. B (FDIC, state non-member banks); 12 C.F.R. Part 570, App. B (OTS, savings associations); 12 C.F.R. Part 748, App. A (NCUA, credit unions); 16 C.F.R. Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 C.F.R. Part 248.30 (SEC); 17 C.F.R. Part 160.30 (CFTC).

43. 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.

44. 15 U.S.C. §§ 1681-1681x, as amended.

45. Pub. L. No. 108-159, 117 Stat. 1952.

46. 42 U.S.C. §§ 1320d et seq.

47. 31 U.S.C. § 5318(l).

48. 18 U.S.C. §§ 2721 et seq.

49. http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm.

50. http://www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf; www.staysafeonline.org/basics/company/basic_tips.html; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at www.bitsinfo.org/downloads/Publications%20Page/bitsconscon.pdf; www.realtor.org/realtororg.nsf/files/NARInternetSecurityGuide.pdf/$FILE/NARInternetSecurityGuide.pdf; www.antiphishing.org/reports/bestpracticesforisps.pdf; www.uschamber.com/sb/security/default.htm; www.truste.org/pdf/SecurityGuidelines.pdf; www.the-dma.org/privacy/informationsecurity.shtml; http://www.staysafeonline.org/basics/company/basic_tips.html.

51. These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A and B, and 12 C.F.R. Part 717 (credit unions); 16 C.F.R. Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).

52. See, e.g., http://www.truste.org/pdf/SecurityGuidelines.pdf; http://www.the-dma.org/privacy/informationsecurity.shtml.


53. Deloitte Financial Services, 2006 Global Security Survey, available at httpsingerucusnetblogarchives756-Deloitte-Security-Surveyshtml.

54. Datalink, Data Storage Security Study, March 2006, available at www.datalink.com/security.

55. Id.

56. See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).

57. See, e.g., California (Cal. Civ. Code § 1798.82 (2006)), Illinois (815 Ill. Comp. Stat. 530/5 (2005)), Louisiana (La. Rev. Stat. 51:3074 (2006)), Rhode Island (R.I. Gen. Laws § 11-49.2-3 (2006)).

58. See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)), Florida (Fla. Stat. § 817.5681 (2005)), New York (NY CLS Gen. Bus. § 889-aa (2006)), Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).

59. Ponemon Institute LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, p. 16 (Apr. 26, 2006).

60. Id.

61. Ponemon Institute LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).

62. MultiChannel Merchant, Retailers Need to Provide Greater Data Security, Survey Says (Dec. 1, 2005), available at http://multichannelmerchant.com/opsandfulfillment/advisor/retailers_data_security_1201/index.html.

63. See Information Technology Examination Handbook’s Information Security Booklet, available at http://www.ffiec.gov/guides.htm.

64. See, e.g., http://www.pvkansas.com/police/crime/iden_theft.shtml (Prairie Village, Kansas); http://phoenix.gov/POLICE/dcd1.html (Phoenix, Arizona); www.co.arapahoe.co.us/departments/SH/index.asp (Arapahoe County, Colorado).

65. Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.

66. Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.


67. See 31 C.F.R. § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 C.F.R. § 103.122 (broker-dealers); 17 C.F.R. § 270.0-11, 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers).

68. See http://www.dhs.gov/xprevprot/laws/gc_1172765386179.shtm.

69. A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.

Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages before too much harm is done. See 71 Fed. Reg. 40786 (July 18, 2006), to be codified at 12 C.F.R. Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 C.F.R. Part 681 (FTC), available at http://www.occ.gov/fr/fedregister/71fr40786.pdf.

70. USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information, such as a PIN, to allow access to a computer network. This system is frequently used to allow for remote access to a workstation for a telecommuter.

71. Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at www.biometrics.gov.


72. See Authentication in an Internet Banking Environment (October 12, 2005), available at http://www.ffiec.gov/pdf/authentication_guidance.pdf.

73. See FFIEC Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at http://www.ffiec.gov/pdf/authentication_faq.pdf.

74. See Kristin Davis and Jessica Anderson, But Officer, That Isn’t Me, Kiplinger’s Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va. Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).

75. 18 U.S.C. § 1028A.

76. 18 U.S.C. § 1028(d)(7).

77. See 18 U.S.C. § 1030(e)(8).

78. 18 U.S.C. § 1030(a)(7).

79. S. Rep. No. 105-274, at 9 (1998).

80. As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.



Identity Theft Task Force Members

Alberto R. Gonzales, Chairman, Attorney General

Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission

Henry M. Paulson, Department of Treasury

Carlos M. Gutierrez, Department of Commerce

Michael O. Leavitt, Department of Health and Human Services

R. James Nicholson, Department of Veterans Affairs

Michael Chertoff, Department of Homeland Security

Rob Portman, Office of Management and Budget

John E. Potter, United States Postal Service

Ben S. Bernanke, Federal Reserve System

Linda M. Springer, Office of Personnel Management

Sheila C. Bair, Federal Deposit Insurance Corporation

Christopher Cox, Securities and Exchange Commission

JoAnn Johnson, National Credit Union Administration

Michael J. Astrue, Social Security Administration

John C. Dugan, Office of the Comptroller of the Currency

John M. Reich, Office of Thrift Supervision


Letter to the President

April 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President’s Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government’s efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.

Alberto R. Gonzales, Chairman, Attorney General

Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission


The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft’s damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President’s Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, Chairman, Attorney General

Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission


I. Executive Summary

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

A. INTRODUCTION

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government, from the largest cities with major police departments to the smallest towns with one fraud detective, identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force’s recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

B. THE STRATEGY

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud. Identity theft has at least three stages in its “life cycle,” and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim’s personal information.

Criminals must first gather personal information, either through low-tech methods (such as stealing mail or workplace records, or “dumpster diving”) or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim’s personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim’s name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation’s citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan, from these broad policy changes to the small steps, are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President’s Task Force on Identity Theft:

PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.


Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While “perfect security” does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Data Security in Public Sector

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

• Survey current use of SSNs by federal government
• Issue guidance on appropriate use of SSNs
• Establish clearinghouse for “best” agency practices that minimize use of SSNs
• Work with state and local governments to review use of SSNs

Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance

• Develop concrete guidance and best practices
• Monitor agency compliance with data security guidance
• Protect portable storage and communications devices

Ensure Effective Risk-Based Responses to Data Breaches Suffered by Federal Agencies

• Issue data breach guidance to agencies
• Publish a “routine use” allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data

• Hold regional seminars for businesses on safeguarding information
• Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations

Initiate a Multi-Year Public Awareness Campaign

• Develop national awareness campaign
• Enlist outreach partners
• Increase outreach to traditionally underserved communities
• Establish “Protect Your Identity” Days

Develop Online Clearinghouse for Current Educational Resources

PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person’s identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses (for example, multi-factor authentication or layered security) would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication

• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity
• Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs

VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Identity theft can be committed despite a consumer’s best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.


Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims

• Train law enforcement officers
• Provide educational materials for first responders that can be used as a reference guide for identity theft victims
• Create and distribute an ID Theft Victim Statement of Rights
• Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims

• Conduct assessment of FACT Act remedies under FCRA
• Conduct assessment of state credit freeze laws

LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector

• Enhance ability of law enforcement to receive information from financial institutions
• Initiate discussions with financial services industry on countermeasures to identity theft
• Initiate discussions with credit reporting agencies on preventing identity theft

Coordination with Foreign Law Enforcement

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government’s Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist, Train, and Support Foreign Law Enforcement

Prosecution Approaches and Initiatives

Increase Prosecutions of Identity Theft

• Designate an identity theft coordinator for each United States Attorney’s Office to design a specific identity theft program for each district

• Evaluate monetary thresholds for prosecution

• Encourage state prosecution of identity theft

• Create working groups and task forces

Conduct Targeted Enforcement Initiatives

• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale

• Conduct enforcement initiatives focused on identity theft related to the health care system

• Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs


Gaps in Statutes Criminalizing Identity Theft

Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes

• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted

• Add new crimes to the list of predicate offenses for aggravated identity theft offenses

• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications

• Penalize creators and distributors of malicious spyware and keyloggers

• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Law Enforcement Training

Enhance Training for Law Enforcement Officers and Prosecutors

• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft

• Increase number of regional identity theft seminars

• Increase resources for law enforcement on the Internet

• Review curricula to enhance basic and advanced training on identity theft

Measuring the Success of Law Enforcement

Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft

• Gather and analyze statistically reliable data from identity theft victims

• Expand scope of national crime victimization survey

• Review U.S. Sentencing Commission data

• Track prosecutions of identity theft and resources spent

• Conduct targeted surveys


II. The Contours of the Identity Theft Problem


Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.

Identity theft—the misuse of another individual’s personal information to commit fraud—can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.

Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain’s identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain’s name and with his Social Security number. The military identification, combined with the victim’s then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim’s name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim’s name.4

In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim’s existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim’s safe-deposit boxes.5

In these ways and others, consumers’ lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to strengthen efforts to prevent identity theft, investigate and prosecute identity theft, raise awareness, and ensure that victims receive meaningful assistance.

“I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver’s license was suspended. I hold three licenses in the State of Ohio—my driver’s license, my real estate license, and my RN license. After learning my driver’s license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter.”

Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003

A. PREVALENCE AND COSTS OF IDENTITY THEFT

There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.

Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.

In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.

In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.

Consumers’ fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.

B. IDENTITY THIEVES: WHO THEY ARE

Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC’s 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.

Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.

Individuals

According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners’ mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9

A number of recent reports have focused on the connection between individual methamphetamine (“meth”) users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.


In an article entitled “Waitress Gets Own ID When Carding Patron,” the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver’s license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.

In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $18151705 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver’s license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.


Significant Criminal Groups and Organizations

Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups—including national gangs such as Hell’s Angels and MS-13—are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.

Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user’s Internet connection, without the user’s knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services—such as software templates for making counterfeit identification cards and payment card magnetic strip encoders—that make the stolen data even more valuable to those who have it.

C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE

Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim’s name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.

Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.

In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant’s accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an “unprecedented, wide-ranging, organized criminal enterprise” that “engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers.” The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.

The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.

Common Theft and Dumpster Diving

While often considered a “high tech” crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as “dumpster diving.”13 Still others steal information using techniques no more sophisticated than purse snatching.

Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed—a measure that is intended, among other things, to reduce the ability of a “dumpster diver” to obtain a victim’s credit card number simply by looking through that victim’s discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15

Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice

A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.

Employee/Insider Theft

Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves, to access sensitive data at companies. The failure to disable a terminated employee’s access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.

Electronic Intrusions or Hacking

Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.

Second, hackers also can gain access to underlying applications—programs used to “communicate” between Internet users and a company’s internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker’s application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.

According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.

Social Engineering: Phishing, Malware/Spyware, and Pretexting

Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as “social engineering,” can take a variety of forms.

In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution’s screening practices came to light through the OCC’s review of the former employee’s activities.

In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe’s Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe’s retail store in Michigan and gained access to Lowe’s central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe’s retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.

Phishing: “Phishing” is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to “reenter” or “validate” their personal data. Such phishing schemes often mimic financial institutions’ websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed “vishing,” in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18

Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users’ computers and data without the users’ permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user’s Internet sessions back to the hacker, including usernames and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims’ passwords and other useful data—such as “sniffing” Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.

“Phishing” Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group

At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS’s website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.

Pretexting: Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer’s account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer’s name.20

Stolen Media

In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an “incidental” manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded—such as through the use of technological tools for protecting data—this information can be accessed and used to steal the victim’s identity. Identity thieves also may obtain consumer data when it is lost or misplaced.

Failure to “Know Your Customer”

Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.

The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.

Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.

In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.

“Skimming”

Because it is possible to use someone’s credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as “skimmers.” A skimmer is an inexpensive electronic device with a slot through which a person passes or “skims” a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer’s sight, he can skim the card through the device and then swipe it through the restaurant’s own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer’s card, as well as the consumer’s password.

D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT

Once they obtain victims’ personal information, criminals misuse it in endless ways, from opening new accounts in the victim’s name, to accessing the victim’s existing accounts, to using the victim’s name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.

Misuse of Existing Accounts

Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer’s wallet.


A “skimmer.” Source: Durham, Ontario Police

In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.


Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims’ bank accounts, including checking accounts—sometimes referred to as “account takeovers.”24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims’ online brokerage accounts.25

Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26

New Account Fraud

A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim’s name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.

Criminal’s skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer’s keystrokes. Source: University of Texas Police Department

In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor’s Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.

When criminals establish new credit card accounts in others’ names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others’ names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.

“Brokering” of Stolen Data

Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as “carding sites,” traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.

Immigration Fraud

In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.

Medical Identity Theft

Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim’s identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.

Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney’s Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver’s licenses, credit, or even medical services because someone had improperly used their personal information before.

Other Frauds

Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS’s Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.

With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services’ Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.

Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney’s Office for the Southern District of New York obtained a criminal conviction against him in 2002.

In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant’s allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.

A STRATEGY TO COMBAT IDENTITY THEFT

III. A Strategy to Combat Identity Theft

Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its “lifecycle,” it must be attacked at each of those stages, including:

when the identity thief attempts to acquire a victim’s personal information;

when the thief attempts to misuse the information he has acquired; and

after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

The federal government’s strategy to combat identity theft must address each of these stages by:

keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;

making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;

assisting victims in recovering from the crime; and

deterring identity theft by aggressively prosecuting and punishing those who commit the crime.

A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force’s recommendations, as described below, are focused on those areas.

A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as “perfect security,” some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.

The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.29 Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.

1. Decreasing the Unnecessary Use of Social Security Numbers

The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim’s SSN and certain other information generally can open accounts or obtain other benefits in the victim’s name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.

SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers’ earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes is expressly authorized by statute.

The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.

Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students’ identification number for a range of purposes, from administering loans to tracking grades, and may place it on students’ identification cards, although usage for these purposes is declining.

In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver’s licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.

SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.30 Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.

No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations’ disclosure of SSNs without patient authorization; and the Driver’s Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 “permissible uses.”31 In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.32 A number of state statutes restrict the use and display of SSNs in certain contexts.33 Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.34

There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.

Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization’s internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN’s use as an authenticator.

In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA’s Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.

Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber’s identification number.35 Additionally, the Department of Treasury’s Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.

More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.

RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR

To limit the unnecessary use of SSNs in the public sector—and to begin to develop alternative strategies for identity management—the Task Force recommends the following:

Complete Review of Use of SSNs. As recommended in the Task Force’s interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers, where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in “any system of permanent account numbers pertaining to individuals,” should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.

When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim’s name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief’s medical information was added to the victim’s medical records.

Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.

Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.36

Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB’s review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices—including the development of any alternative strategies for identity management—to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.

Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments—through organizations such as the National Governor’s Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems—to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders—including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.

2. Data Security in the Public Sector

While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.

a. Safeguarding of Information in the Public Sector

Two sets of laws and associated policies frame the federal government’s responsibilities in the area of data security. The first specifically governs the federal government’s information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.37 The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a “time-out” function for remote access and mobile devices.38 The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.39

Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President’s Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.40

Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.

Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.

b. Responding to Data Breaches in the Public Sector

Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.

The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.

RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE

To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:

Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 “mistakes” to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.

Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency’s quarterly PMA Scorecard.

Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency’s PMA scorecard.

RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES

To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:

Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.

Publish a “Routine Use” Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.41 DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.

3. Data Security in the Private Sector

Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.

a. The Current Legal Landscape

Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act, and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;42 Section 5 of the FTC Act, which prohibits unfair or deceptive practices;43 the FCRA,44 which restricts access to consumer reports and imposes safe disposal requirements, among other things;45 HIPAA, which protects health information;46 Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,47 which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers’ personal information.48 See Volume II, Part A, for a description of federal laws and regulations related to data security.

The federal bank regulatory agencies—the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)—and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation.

BJ’s Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ’s stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers, and led to millions of dollars in fraudulent charges.

In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.

In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,49 and some states have laws relevant to data security, including safeguards and disposal requirements.

Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.50

Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution's sensitive data to safeguard that data.51 Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor's data center, and requiring vendors to provide certification that they are in compliance with the contracting organization's privacy and data protection obligations.52

b. Implementation of Data Security Guidelines and Rules

Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.

In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company's website permitted unauthorized access to consumers' personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.

In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.

Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.53 But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.54 The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.55

Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.56 For example, of the small businesses surveyed:

• nearly 20 percent did not use virus scans for email, a basic information security safeguard;

• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;

• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and

• 74 percent reported having no information security plan in place.

Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies—sometimes pursuant to law or regulations issued by agencies—are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.

In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company's security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.

c. Responding to Data Breaches in the Private Sector

Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers' fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.57 Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.58 Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.

The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.

A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.

In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.

Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.59 Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.60 A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.61 Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.62

RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS

Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to "financial institutions," but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles.

Covered data. The national standards for data security and for breach notification should cover data that can be used to perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual's account, or to establish a new account using the individual's identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver's license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter "covered data"). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.

When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.

Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.

Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent "acquisition" of the data, and thus ordinarily would satisfy an entity's legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.

Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This "significant risk of identity theft" trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real.

Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).

Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.

Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.

Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.

Private right of action. The national standards should not provide for or create a private right of action.

Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.

RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA

Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately, is less likely to suffer a data compromise. The Task Force therefore makes the following recommendations concerning how to better educate the private sector:

When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.

Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions, about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar's leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force's online clearinghouse at www.idtheft.gov.

Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook's Information Security Booklet, issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.

RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS

Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.

A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company's cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.


4. Educating Consumers on Protecting Their Personal Information

The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.

The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of "Deter, Detect, and Defend," which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.

The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.


Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims' coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted "Consumer Action Days," with free seminars about identity theft and other consumer protection issues.

Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.64 As of this writing, more than 500 local police departments are using the FTC's "Deter, Detect, Defend" campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.

Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons—including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms—students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.65 In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.66

Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide—how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath—are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.

RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN

Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC's current "AvoID Theft: Deter, Detect, Defend" campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:

Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.

Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.

Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.

Establish "Protect Your Identity Days." The campaign should establish "Protect Your Identity Days" to promote better data security by businesses and individual commitment to security by consumers. These "Protect Your Identity Days" should also build on the popularity of community "shred-ins" by encouraging community and business organizations to shred documents containing personal information.


RECOMMENDATION: DEVELOP AN ONLINE "CLEARINGHOUSE" FOR CURRENT EDUCATIONAL RESOURCES

The Task Force recommends that in the third quarter of 2007, the Task Force member agencies develop an online "clearinghouse" for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.

B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.

An identity thief who wants to open new accounts in a victim's name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision, and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer's credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to "verify" the applicant's identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.

Identity systems follow a two-fold process: first, determining ("identification") and setting ("enrollment") the identity of an individual at the onset of the relationship; and second, later ensuring that the individual is the same person who was initially enrolled ("authentication"). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, "financial institutions"), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.67 The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.68 See Volume II, Part G, for a description of recent laws relating to identification documents.

The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.69

Once an individual's identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:

• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer's monthly mortgage payment.

• Something a person has—most commonly, a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.70

• Something a person is—most commonly a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.71

Some entities use a single form of authentication—most commonly a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.72 Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.73 Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.

SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.

RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION

Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.


As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

As noted in Section III.A.1 above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.

C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.

1. VICTIM ASSISTANCE: OUTREACH AND EDUCATION

Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.

In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.

Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.


Fair and Accurate Credit Transaction Act (FACT Act) Rights

The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.

Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:

• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.

• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.

• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.

• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.

• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.

State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General’s office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.


A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.

Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.

RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS

First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:

Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.

Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.

Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.

Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.

RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS

Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:

Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.

2. MAKING IDENTITY THEFT VICTIMS WHOLE

Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.

The many hours victims spend in attempting to recover from the harms they suffer often take a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.

“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”

Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001


In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.[74] In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.

RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED

Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.

As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.

RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES

One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or “passports,” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.

3. GATHERING BETTER INFORMATION ON THE EFFECTIVENESS OF VICTIM RECOVERY MEASURES

Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims’ experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.

RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS

The Task Force recommends the following surveys or assessments:

Conduct Assessment of FACT Act Remedies Under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.


Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policy makers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws and report on the results in the first quarter of 2008.

D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.

The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.

In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.

In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.

During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute[75] enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.

The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.

1. COORDINATION AND INTELLIGENCE/INFORMATION SHARING

Federal law enforcement agencies have recognized the importance of coordination among agencies and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.

In “Operation Firewall,” the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar. Using the website www.shadowcrew.com, the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents, such as drivers’ licenses, passports, and Social Security cards, as well as stolen credit card, debit card, and bank account numbers. The Shadowcrew members trafficked in at least 17 million stolen credit card numbers and caused total losses in excess of $4 million. The Secret Service successfully shut down the website following a year-long undercover investigation, which resulted in the arrests of 21 individuals in the United States on criminal charges in October 2004. Additionally, law enforcement officers in six foreign countries arrested or searched eight individuals.


a. Sources of Identity Theft Information

Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement through a secure website the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.

Private sector entities—including the financial services industry and credit reporting agencies—also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.


One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient “stove-piping” of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.

b. Format for Sharing Information and Intelligence

A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program’s terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.

To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police’s (IACP) Private Sector Liaison Committee and the Major Cities’ Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.

c. Mechanisms for Sharing Information

Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.

Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.

Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers “connect the dots” in investigations and pool limited resources.

RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER

The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to “connect the dots” between various investigations around the country.

In a case prosecuted by the United States Attorney’s Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.

RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM

The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC—a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department's report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.

Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint ("Complaint") form was made available in October 2006 via the FTC's Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC's Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.

RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR

Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:

Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service's current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim's credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.

2. Coordination With Foreign Law Enforcement

Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.

Because of the international nature of many forms of identity theft, providing assistance to, and receiving assistance from, foreign law enforcement on identity theft is critical for U.S. enforcement agencies. Under current law, the United States generally is able to provide such assistance, which fulfills our obligations under various treaties and enhances our ability to obtain reciprocal assistance from foreign agencies. Indeed, there are numerous examples of collaborations between U.S. and foreign law enforcement in identity theft investigations.

Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country's law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.

Second, certain statutes governing foreign requests for electronic and other evidence—specifically 18 U.S.C. § 2703 and 28 U.S.C. § 1782—fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.

The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.

RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT

The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.

RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE

Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention's standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings, and should continue until broad international acceptance of the Convention on Cybercrime is achieved.

RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES

Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.

RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT'S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT

The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).

RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT

Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.

3. Prosecution Approaches and Initiatives

As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney's Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney's Office in the District of Oregon has an identity theft "fast track" program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney's Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.

Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney's Offices have monetary thresholds—i.e., requirements that a certain amount of monetary loss must have been suffered by the victims—before the U.S. Attorney's Office will open an identity theft case. When a U.S. Attorney's Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.

RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT

The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:

Designate An Identity Theft Coordinator for Each United States Attorney's Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney's Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.

Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney's Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.

Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.

Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.

RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES

Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:

Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals' SSNs or other sensitive information to anyone who provides them with the individual's name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.

Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries' and providers' identities and identification numbers, the opening of bank accounts in individuals' names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.

Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.

RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS

By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.

4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps

Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.

a. The Identity Theft Statutes

The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.76 Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.

There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of "a person," it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization's name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.

b. Computer-Related Identity Theft Statutes

Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company's internal local networks or by a thief intruding into a wireless network generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer's wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney's Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.

A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause "damage" to computers, i.e., that impair the "integrity or availability" of data or computer systems.77 Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals' computers. Whether the programs succeed in obtaining the unsuspecting computer owner's financial data, these sorts of programs harm the "integrity" of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.

c. Cyber-Extortion Statute

Another federal criminal statute that may apply in some computer-related identity theft cases is the "cyber-extortion" provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat "to cause damage to a protected computer,"78 is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first—such as by accessing a corporate computer without authority and encrypting critical data—and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly "threaten to cause damage" can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.

d. Sentencing Guidelines Governing Identity Theft

In recent years, the courts have created some uncertainty about the applicability of the "multiple victim enhancement" provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.79

RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES

The Task Force recommends that Congress take the following legislative actions:

Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.

Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases—mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A—in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.

Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.

Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant's action must cause "damage" to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.

Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.

RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF'S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM

The Sentencing Commission should amend the definition of "victim," as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.

5. Training of Law Enforcement Officers and Prosecutors

Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney's Offices, for example, several federal law enforcement agencies—including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI—along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.

Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges—including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft—that warrant more specialized training at all levels of law enforcement.

RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS

Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ's Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any "model programs"—fast track programs, etc.).

Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.

Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.

Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.

6. Measuring Success of Law Enforcement Efforts

One shortcoming in the federal government's ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.

Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.

RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM'S RESPONSE TO IDENTITY THEFT

Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.

Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.

Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.

Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an "Identity Theft" category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.

Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.

IV. Conclusion: The Way Forward

There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.

Only a comprehensive and fully coordinated strategy to combat identity theft—one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector—will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders—consumers, business, and government—must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well being.

Appendices

APPENDIX A
Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol

APPENDIX B
Proposed Routine Use Language

Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12990, 12993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28948, 28953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.

Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:80

To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.

Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.

APPENDIX C
Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)

Proposed Language

(a) Section 3663 of Title 18, United States Code, is amended by:

(1) Deleting “and” at the end of paragraph (4) of subsection (b);

(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “and”; and

(3) Adding the following after paragraph (5) of subsection (b):

“(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”

Make conforming changes to the following:

(b) Section 3663A of Title 18, United States Code, is amended by:

(1) Adding the following after Section 3663A(b)(4):

“(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”

Section Analysis

These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim’s time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim’s time spent clearing a victim’s credit report or resolving charges made by the perpetrator for which the victim has been made responsible.

New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear that restitution orders may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense. The federal courts of appeals have interpreted the existing provisions of Section 3663 in such a way that would likely preclude the recovery of such amounts, absent explicit statutory authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th Cir. 1990), the court held that restitution ordered for offenses resulting in loss of property must be limited to recovery of property which is the subject of the offenses, and may not include consequential damages. Similarly, in United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held that the list of compensable expenses in a restitution statute is exclusive, and thus the district court did not have the authority to order the defendant to pay restitution to compensate the victim for mental anguish and suffering. Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court held that restitution was not allowed for consequential damages involved in determining the amount of loss or in recovering those funds; thus, a victim of wire fraud was not entitled to restitution for accounting fees and costs to reconstruct bank statements for the time period during which the defendant perpetuated the scheme, for the cost of temporary employees to reconstruct monthly bank statements, and for the costs incurred in borrowing funds to replace stolen funds. These new subsections will provide statutory authority for inclusion of amounts equal to the value of the victim’s time reasonably spent remediating the harm incurred as a result of the identity theft offense.

APPENDIX D
Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512

The basis for these proposals is set forth in Section III2 of the strategic plan, which describes coordination with foreign law enforcement.

Proposed Language

§ 2703. Required disclosure of customer communications or records

(a) Contents of wire or electronic communications in electronic storage.—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

(b) Contents of wire or electronic communications in a remote computing service.—(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—

(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or

(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—

(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or

(ii) obtains a court order for such disclosure under subsection (d) of this section;

except that delayed notice may be given pursuant to section 2705 of this title.

(c) Records concerning electronic communication service or remote computing service.—(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—

(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;

§ 2711. Definitions for chapter

As used in this chapter—

(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;

(2) the term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system; and

(3) the term “court of competent jurisdiction” has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means—

(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that –

(i) has jurisdiction over the offense being investigated;

(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or

(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.

§ 3127. Definitions for chapter

As used in this chapter—

(1) the terms “wire communication”, “electronic communication”, “electronic communication service”, and “contents” have the meanings set forth for such terms in section 2510 of this title;

(2) the term “court of competent jurisdiction” means—

(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that –

(i) has jurisdiction over the offense being investigated;

(ii) is in or for a district in which the provider of electronic communication service is located;

(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or

(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device;

§ 3512. Foreign requests for assistance in criminal investigations and prosecutions

(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.

(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –

(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;

(2) administer any necessary oath; and

(3) take testimony or statements and receive documents or other things.

(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –

(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;

(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents or things may be located; or

(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.

(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.

(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.

(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.

(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.

(h) As used in this section –

(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and

(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.

APPENDIX E
Text of Amendments to 18 U.S.C. §§ 1028 and 1028A

The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.

Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses

Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically, mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A—in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).

Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations

(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “or other person” after the word “individual”.

Rationale

Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized “appropriation” of legitimate companies’ names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation, sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy, and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.

One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as “phishing,” whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme—for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.

Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special “horror story” which stands above the rest. In August 2005, the “Anti-Phishing Working Group” determined in just that month alone, there were 5,259 unique phishing websites around the world. By December 2005, that number had increased to 7,197, and there were 15,244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities’ names (and even logos and web content) were “hijacked” (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., http://antiphishing.org/apwg_phishing_activity_report_august_05.pdf.

In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks and companies’ names in communications with victims or in counterfeit checks.

Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code to apply only to “natural” persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.

APPENDIX F
Text of Amendment to 18 U.S.C. § 1030(a)(2)

The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

1030(a) Whoever—

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains –

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer if the conduct involved an interstate or foreign communication;

APPENDIX G
Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b

The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

18 U.S.C. § 1030

(a) Whoever—

(5)

(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and

(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(iii) physical injury to any person;

(iv) a threat to public health or safety; or

(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;

(c) The punishment for an offense under subsection (a) or (b) of this section is—

(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(3) (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;

(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;

(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section; and

(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and

(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.

(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(iii) physical injury to any person;

(iv) a threat to public health or safety;

(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or

(vi) damage affecting ten or more protected computers during any 1-year period;

or an attempt to commit an offense punishable under this subparagraph;

(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph;

(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both;

(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both; or

(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph.

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

18 U.S.C. § 2332b(g)(5)(B)(I)

1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)

APPENDIX H
Text of Amendments to 18 U.S.C. § 1030(a)(7)

The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.

Proposed Language

18 U.S.C. § 1030(a)(7)

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any –

(a) threat to cause damage to a protected computer;

(b) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or

(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion.

APPENDIX I
Text of Amendment to United States Sentencing Guideline § 2B1.1

The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.

Proposed language for United States Sentencing Guidelines § 2B1.1, comment. (n.1)

“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.

APPENDIX J
Description of Proposed Surveys

In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:

bull New survey of state and local law enforcement agenciesAnewstudyfocusedonstateandlocallawenforcementresponsestoidentitytheftshouldseektodocumentagencypersonneloperationsworkloadandpoliciesandprogramsrelatedtothehandlingof thiscrimeDetailontheorganizationalstructureif anyassociatedwithidentitytheftresponseshouldbeincluded(forexampletheuseof specialunitsdevotedtoidentitytheft)ThestudyshouldinquireaboutparticipationinregionalidentitythefttaskforcescommunityoutreachandeducationeffortsaswellasidentitytheftpreventionprogramsInformationcollectedshouldalsoincludeseveralsummarymeasuresof identitytheftintheagenciesrsquojurisdictions(offensesknownarrestsreferralsoutcomes)withthegoalof producingsomestandardizedmetricswithwhichtocomparejurisdictions

bull Enhancement to existing LEMAS survey BJSshoulddevelopaspecialbatteryof questionsfortheexistingLEMASsurveyplatformTheLEMASsurveyconductedroughlyeverythreeyearssince1987collectsdetailedadministrativeinformationfromanationallyrepresentativesampleof about3000agenciesThesampleincludesallagencieswith100ormoreofficersandastratifiedrandomsampleof smalleragenciesaswellascampuslawenforcementagenciesInformationcollectedshouldincludewhetheragenciespresentlyenforceidentitytheftlawsutilizespecialunitshavedesignatedpersonnelparticipateinregionalidentitythefttaskforcesandhavepoliciesandproceduresinplacerelatedtotheprocessingof identitytheftincidentsThesurveyshouldalsoinquirewhetheragenciescollectsummarymeasuresof identitytheftintheirjurisdictionsincludingoffensesknownarrestsreferralsandanyoutcomemeasuresFinallythisstudyshouldalsocollectinformationonwhetheragenciesareengagedincommunityoutreacheducationandpreventionactivitiesrelatedtoidentitytheft

bull Enhancement to existing law enforcement training academy survey BJSshoulddevelopaspecialbatteryof questionsfortheexistinglawenforcementtrainingacademysurveyplatformAsectionof thedatacollectioninstrumentshouldbedevotedtothetypesof trainingif any

00

beingprovidedbybasicacademiesacrossthecountryintheareaof identitytheftBJSshouldsubsequentlyprovidestatisticsonthenumberof recruitswhoreceivetrainingonidentitytheftaswellasthenatureandcontentof thetrainingIn-servicetrainingprovidedtoactive-dutyofficersshouldalsobecovered

bull The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offensesInadditionthescopeof thesesurveysshouldbeexpandedtoincludemisdemeanoridentitytheftoffendersIf SCPSandNJRPwereabletofollowidentitytheftoffendersthenavarietyof differenttypesof court-specificinformationcouldbecollectedTheseincludehowmanyoffendersarechargedwithidentitytheftintheNationrsquoscourtswhatpercentageof theseoffendersarereleasedatpretrialandhowarethecourtsadjudicating(egconvictingordismissing)identitytheftoffendersAmongthoseconvictedidentitytheftoffendersdatashouldbecollectedonhowmanyarebeingsentencedtoprisonjailorprobationTheseprojectsshouldalsoilluminatethepriorcriminalhistoriesorrapsheetsof identitytheftoffendersBothprojectsshouldalsoallowforthepostconvictiontrackingof identitytheftoffendersforthepurposesof examiningtheiroverallrecidivismrates

• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts, similar to gun, drug, or domestic violence courts, are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.

• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.


ENDNOTES

1 Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.

2 The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.

3 The public comments are available at www.idtheft.gov.

4 Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”

5 See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at httpwwwusdojgovusaomiwpressJMiller_ Others10172006html

6 Javelin Strategy and Research, 2007 Identity Fraud Survey Report: Identity Fraud is Dropping, Continued Vigilance Necessary (Feb. 2007), summary available at http://www.javelinstrategy.com; Bureau of Justice Statistics (DOJ) (2004), available at httpwwwojpusdojgovbjspubpdfit04pdf; Gartner, Inc. (2003), available at httpwwwgartnercom5_aboutpress_releasespr21july2003ajsp; FTC 2003 Survey Report (2003), available at httpwwwconsumergovidtheftpdf synovate_reportpdf

7 See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection, BSA Survey Suggests (Jan. 12, 2006), available at httpwwwbsacybersafetycomnews2005-Online-Shopping-Confidencecfm

8 See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at httpswwwcsiallianceorgpublicationssurveys_and_pollsCSIA_Internet_Security_Survey_June_2005pdf

9 See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at httpwwwusdojgovusaoflsPressReleases060719-01html

10 See, e.g., John Leland, Meth Users, Attuned to Detail, Add Another Habit: ID Theft, New York Times, July 11, 2006, available at httpwwwnytimescom20060711us11methhtmlex=1153540800ampen=7b6c7773afa880beampei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit: Online Theft, USA Today, December 14, 2005, available at httpwwwusatodaycomtechnewsinternetprivacy2005-12-14-meth-online-theft_xhtm


11 Bob Mims, Id Theft Is the No. 1 Runaway U.S. Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526.

12 Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, httpdeseretnewscomdnview0124960012971400html

13 Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at httpwwwnytimescom20031221magazine21IDENTITYhtmlex=1387342800ampen=b693eef01223bc3bampei=5007amppartner=USERLAND

14 Pub. L. No. 108-159, 117 Stat. 1952.

15 The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).

16 Overview of Attack Trends, CERT Coordination Center 2002, available at httpwwwcertorgarchivepdfattack_trendspdf

17 Lanowitz, T., Gartner Research ID Number G00127407, December 1, 2005.

18 “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at httpwwwconsumeraffairscomnews04200607scam_vishinghtml

19 Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal: Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See httpwwwftcgovopa200605phonerecordshtm

20 The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at httpwwwftcgovopa200203pretextingsettlementshtm

21 See, e.g., Computers Stolen with Data on 72,000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.

22 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a).

23 Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.

24 See httpwwwbizjournalscomphiladelphiastories20060724daily30html. See also Identity Theft Resource Center, Fact Sheet 126: Checking Account Takeover and Check Fraud, httpwwwidtheftcenterorgvg126shtml


25 For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37,000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at httpwwwsecgovlitigationlitreleases2006lr19949htm

26 For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.

27 See John Leland, Some ID Theft Is Not For Profit, But to Get a Job, N.Y. Times, Sept. 4, 2006.

28 See World Privacy Forum, Medical Identity Theft: The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforumorgpdfwpf_medicalidtheft2006pdf

29 See httpwwwidanalyticscomnews_and_events20051208htm. Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.

30 Government Accounting Office, Social Security Numbers: Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004), at 2, available at httpwwwgaogovnewitemsd0559pdf

31 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.

32 5 U.S.C. § 552a.

33 See, e.g., Ariz. Rev. Stat. § 44-1373.

34 Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain, GAO-05-1016T, September 15, 2005.


35 See, e.g., wwwwpsiccomedicomm_sub_pshtmlmm=3, Non-SSN Member Numbers to Be Assigned for Privacy Protection.

36 Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.

37 The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”

38 See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).

39 The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.

40 See httpwwwwhitehousegovresultsagendascorecardhtml


41 The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.

42 15 U.S.C. §§ 6801-09; 16 C.F.R. Part 313 (FTC); 12 C.F.R. Part 30, App. B (OCC, national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 C.F.R. Part 364, App. B (FDIC, state non-member banks); 12 C.F.R. Part 570, App. B (OTS, savings associations); 12 C.F.R. Part 748, App. A (NCUA, credit unions); 16 C.F.R. Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 C.F.R. Part 248.30 (SEC); 17 C.F.R. Part 160.30 (CFTC).

43 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.

44 15 U.S.C. §§ 1681-1681x, as amended.

45 Pub. L. No. 108-159, 117 Stat. 1952.

46 42 U.S.C. §§ 1320d et seq.

47 31 U.S.C. § 5318(l).

48 18 U.S.C. §§ 2721 et seq.

49 httpwwwncslorgprogramsliscipprivbreachlawshtm

50 httpwwwbbborgsecurityandprivacySecurityPrivacyMadeSimplerpdf; wwwstaysafeonlineorgbasicscompanybasic_tipshtml; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at wwwbitsinfoorgdownloadsPublications20Pagebitsconsconpdf; wwwrealtororgrealtororgnsffilesNARInternetSecurityGuidepdf$FILENARInternetSecurityGuidepdf; wwwantiphishingorgreportsbestpracticesforispspdf; wwwuschambercomsbsecuritydefaulthtm; wwwtrusteorgpdfSecurityGuidelinespdf; wwwthe-dmaorgprivacyinformationsecurityshtml; httpwwwstaysafeonlineorgbasicscompanybasic_tipshtml

51 These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A and B, and 12 C.F.R. Part 717 (credit unions); 16 C.F.R. Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).

52 See, e.g., httpwwwtrusteorgpdfSecurityGuidelinespdf; httpwwwthe-dmaorgprivacyinformationsecurityshtml


53 Deloitte Financial Services, 2006 Global Security Survey, available at httpsingerucusnetblogarchives756-Deloitte-Security-Surveyshtml

54 Datalink, Data Storage Security Study, March 2006, available at wwwdatalinkcomsecurity

55 Id.

56 See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).

57 See, e.g., California (Cal. Civ. Code § 1798.82 (2006)); Illinois (815 Ill. Comp. Stat. 530/5 (2005)); Louisiana (La. Rev. Stat. 51:3074 (2006)); Rhode Island (R.I. Gen. Laws § 11-49.2-3 (2006)).

58 See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)); Florida (Fla. Stat. § 817.5681 (2005)); New York (NY CLS Gen. Bus. § 889-aa (2006)); Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).

59 Ponemon Institute LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, p. 16 (Apr. 26, 2006).

60 Id.

61 Ponemon Institute LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).

62 MultiChannel Merchant, Retailers Need to Provide Greater Data Security, Survey Says (Dec. 1, 2005), available at httpmultichannelmerchantcomopsandfulfillmentadvisorretailers_data_security_1201indexhtml

63 See Information Technology Examination Handbook’s Information Security Booklet, available at httpwwwffiecgovguideshtm

64 See, e.g., httpwwwpvkansascompolicecrimeiden_theftshtml (Prairie Village, Kansas); httpphoenixgovPOLICEdcd1html (Phoenix, Arizona); wwwcoarapahoecousdepartmentsSHindexasp (Arapahoe County, Colorado).

65 Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.

66 Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.


67 See 31 C.F.R. § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 C.F.R. § 103.122 (broker-dealers); 17 C.F.R. § 270.0-11, 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers).

68 See httpwwwdhsgovxprevprotlawsgc_1172765386179shtm

69 A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.

Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages, before too much harm is done. See 71 Fed. Reg. 40786 (July 18, 2006), to be codified at 12 C.F.R. Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 C.F.R. Part 681 (FTC), available at httpwwwoccgovfrfedregister71fr40786pdf

70 USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information, such as a PIN, to allow access to a computer network. This system is frequently used to allow for remote access to a work station for a telecommuter.

71 Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at www.biometrics.gov.


72 See Authentication in an Internet Banking Environment (October 12, 2005), available at httpwwwffiecgovpdfauthentication_guidancepdf

73 See FFIEC Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at httpwwwffiecgovpdfauthentication_faqpdf

74 See Kristin Davis and Jessica Anderson, But Officer, That Isn’t Me, Kiplinger’s Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va. Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).

75 18 U.S.C. § 1028A.

76 18 U.S.C. § 1028(d)(7).

77 See 18 U.S.C. § 1030(e)(8).

78 18 U.S.C. § 1030(a)(7).

79 S. Rep. No. 105-274, at 9 (1998).

80 As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.


Letter to the President

April 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President’s Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government’s efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.

Alberto R Gonzales Chairman Attorney General

Deborah Platt Majoras Co-Chairman Chairman Federal Trade Commission


The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft’s damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President’s Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, Chairman, Attorney General

Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission


I Executive Summary

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

A INTRODUCTION

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government—from the largest cities with major police departments to the smallest towns with one fraud detective—identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force’s recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

B THE STRATEGY

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud. Identity theft has at least three stages in its “life cycle,” and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim’s personal information.

Criminals must first gather personal information, either through low-tech methods—such as stealing mail or workplace records, or “dumpster diving”—or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim’s personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim’s name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third an identity thief has completed his crime and is enjoying the benefits while the victim is realizing the harm

Atthispointinthelifecycleof thetheftvictimsarefirstlearningof thecrimeoftenafterbeingdeniedcreditoremploymentorbeingcontactedbyadebtcollectorseekingpaymentforadebtthevictimdidnotincur

Inlightof thecomplexityof theproblemateachof thestagesof thislifecycletheIdentityTheftTaskForceisrecommendingaplanthatmarshalsgovernmentresourcestocrackdownonthecriminalswhotrafficinstolenidentitiesstrengthenseffortstoprotectthepersonalinformationof ournationrsquoscitizenshelpslawenforcementofficialsinvestigateandprosecuteidentitythieveshelpseducateconsumersandbusinessesaboutprotectingthemselvesandincreasesthesafeguardsonpersonaldataentrustedtofederalagenciesandprivateentities

The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;

• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;

• assisting the victims of identity theft in recovering from the crime; and

• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;

• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;

• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and

• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan—from these broad policy changes to the small steps—are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President’s Task Force on Identity Theft:

PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While “perfect security” does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Data Security in Public Sector

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

• Survey current use of SSNs by federal government

• Issue guidance on appropriate use of SSNs

• Establish clearinghouse for “best” agency practices that minimize use of SSNs

• Work with state and local governments to review use of SSNs

Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance

• Develop concrete guidance and best practices

• Monitor agency compliance with data security guidance

• Protect portable storage and communications devices

Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies

• Issue data breach guidance to agencies

• Publish a “routine use” allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data

• Hold regional seminars for businesses on safeguarding information

• Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations

Initiate a Multi-Year Public Awareness Campaign

• Develop national awareness campaign

• Enlist outreach partners

• Increase outreach to traditionally underserved communities

• Establish “Protect Your Identity” Days

Develop Online Clearinghouse for Current Educational Resources

PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person’s identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factor authentication or layered security—would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication

• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity

• Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs

VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Identity theft can be committed despite a consumer’s best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.

Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims

• Train law enforcement officers

• Provide educational materials for first responders that can be used as a reference guide for identity theft victims

• Create and distribute an ID Theft Victim Statement of Rights

• Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims

• Conduct assessment of FACT Act remedies under FCRA

• Conduct assessment of state credit freeze laws

LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector

• Enhance ability of law enforcement to receive information from financial institutions

• Initiate discussions with financial services industry on countermeasures to identity theft

• Initiate discussions with credit reporting agencies on preventing identity theft

Coordination with Foreign Law Enforcement

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government’s Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist, Train, and Support Foreign Law Enforcement

Prosecution Approaches and Initiatives

Increase Prosecutions of Identity Theft

• Designate an identity theft coordinator for each United States Attorney’s Office to design a specific identity theft program for each district

• Evaluate monetary thresholds for prosecution

• Encourage state prosecution of identity theft

• Create working groups and task forces

Conduct Targeted Enforcement Initiatives

• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale

• Conduct enforcement initiatives focused on identity theft related to the health care system

• Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs

Gaps in Statutes Criminalizing Identity Theft

Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes

• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted

• Add new crimes to the list of predicate offenses for aggravated identity theft offenses

• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications

• Penalize creators and distributors of malicious spyware and keyloggers

• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Law Enforcement Training

Enhance Training for Law Enforcement Officers and Prosecutors

• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft

• Increase number of regional identity theft seminars

• Increase resources for law enforcement on the Internet

• Review curricula to enhance basic and advanced training on identity theft

Measuring the Success of Law Enforcement

Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft

• Gather and analyze statistically reliable data from identity theft victims

• Expand scope of national crime victimization survey

• Review U.S. Sentencing Commission data

• Track prosecutions of identity theft and resources spent

• Conduct targeted surveys

II The Contours of the Identity Theft Problem

Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.

Identity theft—the misuse of another individual’s personal information to commit fraud—can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.

Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain’s identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain’s name and with his Social Security number. The military identification, combined with the victim’s then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim’s name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim’s name.4

In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim’s existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim’s safe-deposit boxes.5

In these ways and others, consumers’ lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.

“I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver’s license was suspended. I hold three licenses in the State of Ohio—my driver’s license, my real estate license, and my RN license. After learning my driver’s license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter.”

Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003

A. PREVALENCE AND COSTS OF IDENTITY THEFT

There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.

Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.

In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.

In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.

Consumers’ fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.

B. IDENTITY THIEVES: WHO THEY ARE

Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC’s 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.

Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.

Individuals

According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners’ mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9

A number of recent reports have focused on the connection between individual methamphetamine (“meth”) users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.

In an article entitled “Waitress Gets Own ID When Carding Patron,” the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver’s license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.

In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $18151705 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver’s license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.

Significant Criminal Groups and Organizations

Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups—including national gangs such as Hell’s Angels and MS-13—are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.

Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user’s Internet connection, without the user’s knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services—such as software templates for making counterfeit identification cards and payment card magnetic strip encoders—that make the stolen data even more valuable to those who have it.

C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE

Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim’s name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.

Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.

In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant’s accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an “unprecedented, wide-ranging, organized criminal enterprise” that “engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers.” The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.

The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.

Common Theft and Dumpster Diving

While often considered a “high tech” crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as “dumpster diving.”13 Still others steal information using techniques no more sophisticated than purse snatching.

Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed—a measure that is intended, among other things, to reduce the ability of a “dumpster diver” to obtain a victim’s credit card number simply by looking through that victim’s discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15

Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice

A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.

Employee/Insider Theft

Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee’s access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.

Electronic Intrusions or Hacking

Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.

Second, hackers also can gain access to underlying applications—programs used to “communicate” between Internet users and a company’s internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker’s application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.

According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.

Social Engineering: Phishing, Malware/Spyware, and Pretexting

Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as “social engineering,” can take a variety of forms.

In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution’s screening practices came to light through the OCC’s review of the former employee’s activities.

In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe’s Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe’s retail store in Michigan and gained access to Lowe’s central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe’s retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.

Phishing: “Phishing” is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to “reenter” or “validate” their personal data. Such phishing schemes often mimic financial institutions’ websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed “vishing,” in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18

Malware/Spyware/Keystroke Loggers

Criminals also can use spyware to illegally gain access to Internet users’ computers and data without the users’ permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user’s Internet sessions back to the hacker, including usernames and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims’ passwords and other useful data—such as “sniffing” Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.

“Phishing” Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group

At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS’s website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.

Pretexting

Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer’s account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer’s name.20

Stolen Media

In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an “incidental” manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded—such as through the use of technological tools for protecting data—this information can be accessed and used to steal the victim’s identity. Identity thieves also may obtain consumer data when it is lost or misplaced.

Failure to “Know Your Customer”

Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.

The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.

Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.

In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.

“Skimming”

Because it is possible to use someone’s credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as “skimmers.” A skimmer is an inexpensive electronic device with a slot through which a person passes or “skims” a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer’s sight, he can skim the card through the device and then swipe it through the restaurant’s own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer’s card, as well as the consumer’s password.

D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT

Once they obtain victims’ personal information, criminals misuse it in endless ways, from opening new accounts in the victim’s name, to accessing the victim’s existing accounts, to using the victim’s name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.

Misuse of Existing Accounts

Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer’s wallet.


A “skimmer.” Source: Durham, Ontario Police

In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.


Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims’ bank accounts, including checking accounts—sometimes referred to as “account takeovers.”24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims’ online brokerage accounts.25

Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26

New Account Fraud

A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim’s name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.

Criminal’s skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer’s keystrokes. Source: University of Texas Police Department

In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor’s Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.


When criminals establish new credit card accounts in others’ names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others’ names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.

“Brokering” of Stolen Data

Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as “carding sites,” traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.

Immigration Fraud

In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.

Medical Identity Theft

Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim’s identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.


Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney’s Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver’s licenses, credit, or even medical services because someone had improperly used their personal information before.


Other Frauds

Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS’s Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.

With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services’ Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.

Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney’s Office for the Southern District of New York obtained a criminal conviction against him in 2002.

In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant’s allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.


III. A Strategy to Combat Identity Theft

Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its “life cycle,” it must be attacked at each of those stages, including:

when the identity thief attempts to acquire a victim’s personal information;

when the thief attempts to misuse the information he has acquired; and

after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

The federal government’s strategy to combat identity theft must address each of these stages by:

keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;

making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;

assisting victims in recovering from the crime; and

deterring identity theft by aggressively prosecuting and punishing those who commit the crime.

A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force’s recommendations, as described below, are focused on those areas.

A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as “perfect security,” some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.

The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.29 Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.

1. Decreasing the Unnecessary Use of Social Security Numbers

The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim’s SSN and certain other information generally can open accounts or obtain other benefits in the victim’s name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.

SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers’ earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, is expressly authorized by statute.

The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.

Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students’ identification number for a range of purposes, from administering loans to tracking grades, and may place it on students’ identification cards, although usage for these purposes is declining.

In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver’s licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.

SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.30 Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.

No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations’ disclosure of SSNs without patient authorization; and the Driver’s Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 “permissible uses.”31 In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.32 A number of state statutes restrict the use and display of SSNs in certain contexts.33 Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.34

There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.

Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization’s internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN’s use as an authenticator.

In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA’s Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.


Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber’s identification number.35 Additionally, the Department of Treasury’s Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.

More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.

RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR

To limit the unnecessary use of SSNs in the public sector—and to begin to develop alternative strategies for identity management—the Task Force recommends the following:

Complete Review of Use of SSNs. As recommended in the Task Force’s interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in “any system of permanent account numbers pertaining to individuals,” should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.

When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim’s name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief’s medical information was added to the victim’s medical records.


Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.

Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.36

Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB’s review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices—including the development of any alternative strategies for identity management—to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.

Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments—through organizations such as the National Governor’s Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems—to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders—including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.

2. Data Security in the Public Sector

While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.

a. Safeguarding of Information in the Public Sector

Two sets of laws and associated policies frame the federal government’s responsibilities in the area of data security. The first specifically governs the federal government’s information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.37 The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a “time-out” function for remote access and mobile devices.38 The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.39

Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President’s Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.40

Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.

Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.

b. Responding to Data Breaches in the Public Sector

Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.

The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.

RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE

To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:

Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISSLOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 “mistakes” to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.

Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency’s quarterly PMA Scorecard.

Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency’s PMA scorecard.

RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES

To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:

Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.

Publish a “Routine Use” Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.41 DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.

3. Data Security in the Private Sector

Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.

a. The Current Legal Landscape

Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;42 Section 5 of the FTC Act, which prohibits unfair or deceptive practices;43 the FCRA,44 which restricts access to consumer reports and imposes safe disposal requirements, among other things;45 HIPAA, which protects health information;46 Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,47 which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers’ personal information.48 See Volume II, Part A, for a description of federal laws and regulations related to data security.

The federal bank regulatory agencies—the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)—and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation.

BJ’s Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ’s stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers and led to millions of dollars in fraudulent charges.

In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.

In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,49 and some states have laws relevant to data security, including safeguards and disposal requirements.

Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.50

Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution’s sensitive data to safeguard that data.51 Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor’s data center, and requiring vendors to provide certification that they are in compliance with the contracting organization’s privacy and data protection obligations.52

b. Implementation of Data Security Guidelines and Rules

Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via

In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company’s website permitted unauthorized access to consumers’ personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.

In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.

computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.

Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.53 But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.54 The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.55

Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.56 For example, of the small businesses surveyed:

• nearly 20 percent did not use virus scans for email, a basic information security safeguard;

• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;

• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and

• 74 percent reported having no information security plan in place.

Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies—sometimes pursuant to law or regulations issued by agencies—are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The

In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company’s security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.

E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.

c. Responding to Data Breaches in the Private Sector

Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers’ fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.57 Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.58 Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.

The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.

A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress

In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.

address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.

Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.59 Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.60 A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.61 Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.62

RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS

Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to “financial institutions,” but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles:

Covered data. The national standards for data security and for breach notification should cover data that can be used to

When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.

perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual’s account, or to establish a new account using the individual’s identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver’s license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter “covered data”). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.

Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.

Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent “acquisition” of the data, and thus ordinarily would satisfy an entity’s legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.

Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This “significant risk of identity theft” trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real.

Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).

Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.

Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.

Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.

Private right of action. The national standards should not provide for or create a private right of action.

Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.

RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA

Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the

When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.

importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately, is less likely to suffer a data compromise. The Task Force therefore makes the following recommendations concerning how to better educate the private sector:

Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar’s leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force’s online clearinghouse at www.idtheft.gov.

Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook’s Information Security Booklet, issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.

RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS

Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.

A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company’s cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.

4. Educating Consumers on Protecting Their Personal Information

The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.

The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of “Deter, Detect, and Defend,” which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.

The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.

Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims’ coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted “Consumer Action Days,” with free seminars about identity theft and other consumer protection issues.

Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.64 As of this writing, more than 500 local police departments are using the FTC’s “Deter, Detect, Defend” campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.

Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons—including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms—students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.65 In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.66

Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide—how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath—are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.

RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN

Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC’s current “AvoID Theft: Deter, Detect, Defend” campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:

Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.

Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.

Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.

Establish “Protect Your Identity Days.” The campaign should establish “Protect Your Identity Days” to promote better data security by businesses and individual commitment to security by consumers. These “Protect Your Identity Days” should also build on the popularity of community “shred-ins” by encouraging community and business organizations to shred documents containing personal information.

RECOMMENDATION: DEVELOP AN ONLINE “CLEARINGHOUSE” FOR CURRENT EDUCATIONAL RESOURCES

The Task Force recommends that in the third quarter of 2007, the Task Force member agencies develop an online “clearinghouse” for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.

B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.

An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision, and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer’s credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to “verify” the applicant’s identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.

Identity systems follow a two-fold process: first, determining (“identification”) and setting (“enrollment”) the identity of an individual at the onset of the relationship; and second, later ensuring that the individual is the same person who was initially enrolled (“authentication”). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, “financial institutions”), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.67 The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.68 See Volume II, Part G, for a description of recent laws relating to identification documents.

The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.69

Once an individual’s identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:

• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer’s monthly mortgage payment.

• Something a person has—most commonly a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.70

• Something a person is—most commonly a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.71

Some entities use a single form of authentication—most commonly a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.72 Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.73 Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.

SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.

RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION

Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.

As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

As noted in Section III.A.1 above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.

C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.

1. Victim Assistance: Outreach and Education

Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.

In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.

Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.

Fair and Accurate Credit Transactions Act (FACT Act) Rights. The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.

Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:

• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.

• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.

• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.

• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.

• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.

State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General’s office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.

A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.

Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.

RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS

First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:

Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.

Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.

Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.

Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.

RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS

Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:

Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.

2. Making Identity Theft Victims Whole

Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.

The many hours victims spend in attempting to recover from the harms they suffer often takes a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.

“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”

Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001

In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.74 In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.

RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED

Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.

As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.

RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES

One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or “passports,” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.

3. Gathering Better Information on the Effectiveness of Victim Recovery Measures

Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims’ experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.

RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS

The Task Force recommends the following surveys or assessments:

Conduct Assessment of FACT Act Remedies Under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.

Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policymakers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.

D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.

The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.

In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.

In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.

During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute,75 enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.

The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.

1. Coordination and Intelligence/Information Sharing

Federal law enforcement agencies have recognized the importance of coordination among agencies, and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.

In a ldquoOperation Firewallrdquo the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar Using the website wwwshadowcrewcom the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents such as driversrsquo licenses passports and Social Security cards as well as stolen credit card debit card and bank account numbers The Shadowcrew members trafficked in at least 17 million stolen credit card numbers and caused total losses in excess of $4 million The Secret Service successfully shut down the website following a year-long undercover investigation which resulted in the arrests of 21 individu-als in the United States on criminal charges in October 2004 Additionally law enforcement officers in six foreign countries arrested or searched eight individuals

a. Sources of Identity Theft Information

Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement through a secure website the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.

Private sector entities—including the financial services industry and credit reporting agencies—also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.

One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient “stove-piping” of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.

b. Format for Sharing Information and Intelligence

A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program’s terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.

To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police’s (IACP) Private Sector Liaison Committee and the Major Cities’ Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.

c. Mechanisms for Sharing Information

Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.

Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.

Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers “connect the dots” in investigations and pool limited resources.

RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER

The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to “connect the dots” between various investigations around the country.

In a case prosecuted by the United States Attorney’s Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.

RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM

The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC—a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department’s report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.

Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint (“Complaint”) form was made available in October 2006 via the FTC’s Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC’s Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.

RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR

Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:

Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service’s current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim’s credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.

2. Coordination With Foreign Law Enforcement

Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.

Because of the international nature of many forms of identity theft, providing assistance to, and receiving assistance from, foreign law enforcement on identity theft is critical for U.S. enforcement agencies. Under current law, the United States generally is able to provide such assistance, which fulfills our obligations under various treaties and enhances our ability to obtain reciprocal assistance from foreign agencies. Indeed, there are numerous examples of collaborations between U.S. and foreign law enforcement in identity theft investigations.

Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country’s law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.

Second, certain statutes governing foreign requests for electronic and other evidence—specifically 18 U.S.C. § 2703 and 28 U.S.C. § 1782—fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.

The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.

RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT

The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.

RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE

Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention’s standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings, and should continue until broad international acceptance of the Convention on Cybercrime is achieved.

RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES

Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.

RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT’S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT

The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).

RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT

Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.

3. Prosecution Approaches and Initiatives

As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney’s Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney’s Office in the District of Oregon has an identity theft “fast track” program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney’s Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.

Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney’s Offices have monetary thresholds—i.e., requirements that a certain amount of monetary loss must have been suffered by the victims—before the U.S. Attorney’s Office will open an identity theft case. When a U.S. Attorney’s Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.

RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT

The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:

Designate An Identity Theft Coordinator for Each United States Attorney’s Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney’s Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.

Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney’s Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.

Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.

Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.

RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES

Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:

Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals’ SSNs or other sensitive information to anyone who provides them with the individual’s name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.

Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries’ and providers’ identities and identification numbers, the opening of bank accounts in individuals’ names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers, can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.

Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.

RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS

By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.

4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps

Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.

a. The Identity Theft Statutes

The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.76 Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.

There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of “a person,” it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization’s name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.

b. Computer-Related Identity Theft Statutes

Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company’s internal local networks, or by a thief intruding into a wireless network, generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer’s wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney’s Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.

A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause “damage” to computers, i.e., that impair the “integrity or availability” of data or computer systems.77 Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals’ computers. Whether the programs succeed in obtaining the unsuspecting computer owner’s financial data, these sorts of programs harm the “integrity” of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.

c. Cyber-Extortion Statute

Another federal criminal statute that may apply in some computer-related identity theft cases is the “cyber-extortion” provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat “to cause damage to a protected computer,”78 is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first—such as by accessing a corporate computer without authority and encrypting critical data—and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly “threaten to cause damage” can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.

d. Sentencing Guidelines Governing Identity Theft

In recent years, the courts have created some uncertainty about the applicability of the “multiple victim enhancement” provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.79

RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES

The Task Force recommends that Congress take the following legislative actions:

Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.

Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases—mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A—in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.

Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.

Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant’s action must cause “damage” to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.

Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.

RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF’S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM

The Sentencing Commission should amend the definition of “victim,” as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.

5. Training of Law Enforcement Officers and Prosecutors

Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney’s Offices, for example, several federal law enforcement agencies—including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI—along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.

Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges—including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft—that warrant more specialized training at all levels of law enforcement.

RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS

Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ’s Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture, and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any “model programs”—fast track programs, etc.).

Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.

Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.

Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.

6. Measuring Success of Law Enforcement Efforts

One shortcoming in the federal government’s ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.

Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.

RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM’S RESPONSE TO IDENTITY THEFT

Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.

Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.

Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.

Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an “Identity Theft” category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.

Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.

IV. Conclusion: The Way Forward

There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.

Only a comprehensive and fully coordinated strategy to combat identity theft—one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector—will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders—consumers, business, and government—must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well being.

Appendices

APPENDIX A
Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol

APPENDIX B
Proposed Routine Use Language

Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12,990, 12,993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28,948, 28,953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.

Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:80

To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.

Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.

APPENDIX C
Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)

Proposed Language

(a) Section 3663 of Title 18, United States Code, is amended by:

(1) Deleting “and” at the end of paragraph (4) of subsection (b);

(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “; and”; and

(3) Adding the following after paragraph (5) of subsection (b):

“(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”

Make conforming changes to the following:

(b) Section 3663A of Title 18, United States Code, is amended by:

(1) Adding the following after Section 3663A(b)(4):

“(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”

Section Analysis

These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim’s time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim’s time spent clearing a victim’s credit report or resolving charges made by the perpetrator for which the victim has been made responsible.

New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear that restitution orders may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense. The federal courts of appeals have interpreted the existing provisions of Section 3663 in such a way that would likely preclude the recovery of such amounts, absent explicit statutory authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th Cir. 1990), the court held that restitution ordered for offenses resulting in loss of property must be limited to recovery of property which is the subject of the offenses, and may not include consequential damages. Similarly, in United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held that the list of compensable expenses in a restitution statute is exclusive, and thus the district court did not have the authority to order the defendant to pay restitution to compensate the victim for mental anguish and suffering. Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court held that restitution was not allowed for consequential damages involved in determining the amount of loss or in recovering those funds; thus, a victim of wire fraud was not entitled to restitution for accounting fees and costs to reconstruct bank statements for the time period during which the defendant perpetuated the scheme, for the cost of temporary employees to reconstruct monthly bank statements, and for the costs incurred in borrowing funds to replace stolen funds. These new subsections will provide statutory authority for inclusion of amounts equal to the value of the victim’s time reasonably spent remediating the harm incurred as a result of the identity theft offense.

APPENDIX D
Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512

The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.

Proposed Language

§ 2703. Required disclosure of customer communications or records

(a) Contents of wire or electronic communications in electronic storage.—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

(b) Contents of wire or electronic communications in a remote computing service.—(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—

(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or

(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—

(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or

(ii) obtains a court order for such disclosure under subsection (d) of this section;

except that delayed notice may be given pursuant to section 2705 of this title.

(c) Records concerning electronic communication service or remote computing service.—(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—

(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;

§ 2711. Definitions for chapter

As used in this chapter—

(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;

(2) the term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system; and

(3) the term “court of competent jurisdiction” has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means—

(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that –

(i) has jurisdiction over the offense being investigated;

(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or

(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.

§ 3127. Definitions for chapter

As used in this chapter—

(1) the terms “wire communication,” “electronic communication,” “electronic communication service,” and “contents” have the meanings set forth for such terms in section 2510 of this title;

(2) the term “court of competent jurisdiction” means—

(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that –

(i) has jurisdiction over the offense being investigated;

(ii) is in or for a district in which the provider of electronic communication service is located;

(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or

(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device.

§ 3512. Foreign requests for assistance in criminal investigations and prosecutions

(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.

(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –

(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;

(2) administer any necessary oath; and

(3) take testimony or statements and receive documents or other things.

(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –

(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;

(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents, or things may be located; or

(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.

(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.

(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.

(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.

(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.

(h) As used in this section –

(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and

(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.

APPENDIX E
Text of Amendments to 18 U.S.C. §§ 1028 and 1028A

The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.

Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses

Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically, mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A—in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).

Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations

(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “or other person” after the word “individual”.

Rationale

Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized “appropriation” of legitimate companies’ names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation; sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy; and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.

One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as “phishing,” whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme—for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.

Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special “horror story” which stands above the rest. In August 2005, the “Anti-Phishing Working Group” determined in just that month alone, there were 5,259 unique phishing websites around the world. By December 2005, that number had increased to 7,197, and there were 15,244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities’ names (and even logos and web content) were “hijacked” (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., http://antiphishing.org/apwg_phishing_activity_report_august_05.pdf.

In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks and companies’ names in communications with victims or in counterfeit checks.

Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code to apply only to “natural” persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.

APPENDIX F
Text of Amendment to 18 U.S.C. § 1030(a)(2)

The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

1030(a) Whoever—

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains –

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

(B) information from any department or agency of the United States; or

(C) information from any protected computer if the conduct involved an interstate or foreign communication;

APPENDIX G
Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b

The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

18 U.S.C. § 1030

(a) Whoever—

(5)

(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and

(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(iii) physical injury to any person;

(iv) a threat to public health or safety; or

(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;

(c) The punishment for an offense under subsection (a) or (b) of this section is—

(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(3) (B)afineunderthistitleorimprisonmentfornotmorethantenyearsorbothinthecaseof anoffenseundersubsection(a)(4)(a)(5)(A)(iii)or(a)(7)of thissectionwhichoccursafteraconvictionforanotheroffenseunderthissectionoranattempttocommitanoffensepunishableunderthissubparagraph

(4) (A)exceptasprovidedinparagraph(5)afineunderthistitleimprisonmentfornotmorethan10yearsorbothinthecaseof anoffenseundersubsection(a)(5)(A)(i)oranattempttocommitanoffensepunishableunderthatsubsection

(B)afineunderthistitleimprisonmentfornotmorethan5yearsorbothinthecaseof anoffenseundersubsection(a)(5)(A)(ii)oranattempttocommitanoffensepunishableunderthatsubsection

(C)exceptasprovidedinparagraph(5)afineunderthistitleimprisonmentfornotmorethan20yearsorbothinthecaseof anoffenseundersubsection(a)(5)(A)(i)or(a)(5)(A)(ii)oranattempttocommitanoffensepunishableundereithersubsectionthatoccursafteraconvictionforanotheroffenseunderthissectionand

(5) (A)if theoffenderknowinglyorrecklesslycausesorattemptstocauseseriousbodilyinjuryfromconductinviolationof subsection(a)(5)(A)(i)afineunderthistitleorimprisonmentfornotmorethan20yearsorbothand

(B)if theoffenderknowinglyorrecklesslycausesorattemptstocausedeathfromconductinviolationof subsection(a)(5)(A)(i)afineunderthistitleorimprisonmentforanytermof yearsorforlifeorboth

(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;

(iii) physical injury to any person;

(iv) a threat to public health or safety;

(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or

(vi) damage affecting ten or more protected computers during any 1-year period;

or an attempt to commit an offense punishable under this subparagraph;

(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph;

(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;

(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both;

(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both; or

(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph.

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

18 U.S.C. § 2332b(g)(5)(B)(I)

1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)


APPENDIX H
Text of Amendments to 18 U.S.C. § 1030(a)(7)

The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.

Proposed Language

18 U.S.C. § 1030(a)(7)

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any–

(a) threat to cause damage to a protected computer;

(b) threat to obtain information from a protected computer without authorization or in excess of authorization, or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or

(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion.

APPENDIX I
Text of Amendment to United States Sentencing Guideline § 2B1.1

The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.

Proposed language for United States Sentencing Guidelines § 2B1.1, comment. (n.1)

“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.


APPENDIX J
Description of Proposed Surveys

In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:

• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.

• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3,000 agencies. The sample includes all agencies with 100 or more officers, and a stratified random sample of smaller agencies, as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.

• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft, as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.

• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the postconviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.

• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.

• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.


ENDNOTES

1. Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.

2. The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.

3. The public comments are available at www.idtheft.gov.

4. Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”

5. See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at httpwwwusdojgovusaomiwpressJMiller_ Others10172006html

6. Javelin Strategy and Research, 2007 Identity Fraud Survey Report: Identity Fraud is Dropping, Continued Vigilance Necessary (Feb. 2007), summary available at http://www.javelinstrategy.com; Bureau of Justice Statistics (DOJ) (2004), available at httpwwwojpusdojgovbjspubpdfit04pdf; Gartner, Inc. (2003), available at httpwwwgartnercom5_aboutpress_releasespr21july2003ajsp; FTC 2003 Survey Report (2003), available at httpwwwconsumergovidtheftpdf synovate_reportpdf

7. See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection, BSA Survey Suggests (Jan. 12, 2006), available at httpwwwbsacybersafetycomnews2005-Online-Shopping-Confidencecfm

8. See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at httpswwwcsiallianceorgpublicationssurveys_and_pollsCSIA_Internet_Security_Survey_June_2005pdf

9. See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at httpwwwusdojgovusaoflsPressReleases060719-01html

10. See, e.g., John Leland, Meth Users, Attuned to Detail, Add Another Habit: ID Theft, New York Times, July 11, 2006, available at httpwwwnytimescom20060711us11methhtmlex=1153540800ampen=7b6c7773afa880beampei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit: Online Theft, USA Today, December 14, 2005, available at httpwwwusatodaycomtechnewsinternetprivacy2005-12-14-meth-online-theft_xhtm


11. Bob Mims, Id Theft Is the No. 1 Runaway U.S. Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526.

12. Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, httpdeseretnewscomdnview0124960012971400html

13. Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at httpwwwnytimescom20031221magazine21IDENTITYhtmlex=1387342800ampen=b693eef01223bc3bampei=5007amppartner=USERLAND

14. Pub. L. No. 108-159, 117 Stat. 1952.

15. The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).

16. Overview of Attack Trends, CERT Coordination Center 2002, available at httpwwwcertorgarchivepdfattack_trendspdf

17. Lanowitz, T., Gartner Research ID Number G00127407, December 1, 2005.

18. “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at httpwwwconsumeraffairscomnews04200607scam_vishinghtml

19. Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal: Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See httpwwwftcgovopa200605phonerecordshtm

20. The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at httpwwwftcgovopa200203pretextingsettlementshtm

21. See, e.g., Computers Stolen with Data on 72,000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.

22. 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a).

23. Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.

24. See httpwwwbizjournalscomphiladelphiastories20060724daily30html. See also Identity Theft Resource Center, Fact Sheet 126: Checking Account Takeover and Check Fraud, httpwwwidtheftcenterorgvg126shtml


25. For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37,000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at httpwwwsecgovlitigationlitreleases2006lr19949htm

26. For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.

27. See John Leland, Some ID Theft Is Not For Profit, But to Get a Job, N.Y. Times, Sept. 4, 2006.

28. See World Privacy Forum, Medical Identity Theft: The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforumorgpdfwpf_medicalidtheft2006pdf

29. See httpwwwidanalyticscomnews_and_events20051208htm. Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.

30. Government Accounting Office, Social Security Numbers: Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004), at 2, available at httpwwwgaogovnewitemsd0559pdf

31. 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.

32. 5 U.S.C. § 552a.

33. See, e.g., Ariz. Rev. Stat. § 44-1373.

34. Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain, GAO-05-1016T, September 15, 2005.


35. See, e.g., wwwwpsiccomedicomm_sub_pshtmlmm=3, Non-SSN Member Numbers to Be Assigned for Privacy Protection.

36. Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.

37. The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”

38. See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).

39. The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.

40. See httpwwwwhitehousegovresultsagendascorecardhtml


41. The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.

42. 15 U.S.C. §§ 6801-09; 16 C.F.R. Part 313 (FTC); 12 C.F.R. Part 30, App. B (OCC, national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 C.F.R. Part 364, App. B (FDIC, state non-member banks); 12 C.F.R. Part 570, App. B (OTS, savings associations); 12 C.F.R. Part 748, App. A (NCUA, credit unions); 16 C.F.R. Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 C.F.R. Part 248.30 (SEC); 17 C.F.R. Part 160.30 (CFTC).

43. 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.

44. 15 U.S.C. §§ 1681-1681x, as amended.

45. Pub. L. No. 108-159, 117 Stat. 1952.

46. 42 U.S.C. §§ 1320d et seq.

47. 31 U.S.C. § 5318(l).

48. 18 U.S.C. §§ 2721 et seq.

49. httpwwwncslorgprogramsliscipprivbreachlawshtm

50. httpwwwbbborgsecurityandprivacySecurityPrivacyMadeSimplerpdf; wwwstaysafeonlineorgbasicscompanybasic_tipshtml; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at wwwbitsinfoorgdownloadsPublications20Pagebitsconsconpdf; wwwrealtororgrealtororgnsffilesNARInternetSecurityGuidepdf$FILENARInternetSecurityGuidepdf; wwwantiphishingorgreportsbestpracticesforispspdf; wwwuschambercomsbsecuritydefaulthtm; wwwtrusteorgpdfSecurityGuidelinespdf; wwwthe-dmaorgprivacyinformationsecurityshtml; httpwwwstaysafeonlineorgbasicscompanybasic_tipshtml

51. These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A and B, and 12 C.F.R. Part 717 (credit unions); 16 C.F.R. Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).

52. See, e.g., httpwwwtrusteorgpdfSecurityGuidelinespdf; httpwwwthe-dmaorgprivacyinformationsecurityshtml


53. Deloitte Financial Services, 2006 Global Security Survey, available at httpsingerucusnetblogarchives756-Deloitte-Security-Surveyshtml

54. Datalink, Data Storage Security Study, March 2006, available at wwwdatalinkcomsecurity

55. Id.

56. See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).

57. See, e.g., California (Cal. Civ. Code § 1798.82 (2006)), Illinois (815 Ill. Comp. Stat. 530/5 (2005)), Louisiana (La. Rev. Stat. 51:3074 (2006)), Rhode Island (R.I. Gen. Laws § 11-49.2-3 (2006)).

58. See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)), Florida (Fla. Stat. § 817.5681 (2005)), New York (NY CLS Gen. Bus. § 889-aa (2006)), Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).

59. Ponemon Institute, LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, p. 16 (Apr. 26, 2006).

60. Id.

61. Ponemon Institute, LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).

62. MultiChannel Merchant, Retailers Need to Provide Greater Data Security, Survey Says (Dec. 1, 2005), available at httpmultichannelmerchantcomopsandfulfillmentadvisorretailers_data_security_1201indexhtml

63. See Information Technology Examination Handbook’s Information Security Booklet, available at httpwwwffiecgovguideshtm

64. See, e.g., httpwwwpvkansascompolicecrimeiden_theftshtml (Prairie Village, Kansas); httpphoenixgovPOLICEdcd1html (Phoenix, Arizona); wwwcoarapahoecousdepartmentsSHindexasp (Arapahoe County, Colorado).

65. Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.

66. Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.


67. See 31 C.F.R. § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 C.F.R. § 103.122 (broker-dealers); 17 C.F.R. § 270.0-11, 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers).

68. See httpwwwdhsgovxprevprotlawsgc_1172765386179shtm

69. A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.

Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages before too much harm is done. See 71 Fed. Reg. 40786 (July 18, 2006), to be codified at 12 C.F.R. Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 C.F.R. Part 681 (FTC), available at httpwwwoccgovfrfedregister71fr40786pdf

70. USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information, such as a PIN, to allow access to a computer network. This system is frequently used to allow for remote access to a workstation for a telecommuter.

71. Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at www.biometrics.gov.


72. See Authentication in an Internet Banking Environment (October 12, 2005), available at httpwwwffiecgovpdfauthentication_guidancepdf

73. See FFIEC Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at httpwwwffiecgovpdfauthentication_faqpdf

74. See Kristin Davis and Jessica Anderson, But Officer, That Isn’t Me, Kiplinger’s Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va. Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).

75. 18 U.S.C. § 1028A.

76. 18 U.S.C. § 1028(d)(7).

77. See 18 U.S.C. § 1030(e)(8).

78. 18 U.S.C. § 1030(a)(7).

79. S. Rep. No. 105-274, at 9 (1998).

80. As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.


The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft’s damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President’s Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, Chairman
Attorney General

Deborah Platt Majoras, Co-Chairman
Chairman, Federal Trade Commission


I. Executive Summary

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

A. INTRODUCTION

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government—from the largest cities with major police departments to the smallest towns with one fraud detective—identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force’s recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

B. THE STRATEGY

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud. Identity theft has at least three stages in its “life cycle,” and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim’s personal information.

Criminals must first gather personal information, either through low-tech methods—such as stealing mail or workplace records, or “dumpster diving”—or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim’s personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim’s name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation’s citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;

• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;

• assisting the victims of identity theft in recovering from the crime; and

• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;

• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;

• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and

• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan—from these broad policy changes to the small steps—are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President’s Task Force on Identity Theft:

PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.


Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While “perfect security” does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Data Security in Public Sector

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

• Survey current use of SSNs by federal government

• Issue guidance on appropriate use of SSNs

• Establish clearinghouse for “best” agency practices that minimize use of SSNs

• Work with state and local governments to review use of SSNs

Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance

• Develop concrete guidance and best practices

• Monitor agency compliance with data security guidance

• Protect portable storage and communications devices

Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies

• Issue data breach guidance to agencies

• Publish a “routine use” allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data

• Hold regional seminars for businesses on safeguarding information

• Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations

Initiate a Multi-Year Public Awareness Campaign

• Develop national awareness campaign

• Enlist outreach partners

• Increase outreach to traditionally underserved communities

• Establish “Protect Your Identity” Days

Develop Online Clearinghouse for Current Educational Resources

PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person’s identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factor authentication or layered security—would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication

• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity

• Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs

VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Identity theft can be committed despite a consumer’s best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.


Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims

• Train law enforcement officers

• Provide educational materials for first responders that can be used as a reference guide for identity theft victims

• Create and distribute an ID Theft Victim Statement of Rights

• Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims

• Conduct assessment of FACT Act remedies under FCRA

• Conduct assessment of state credit freeze laws

LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector

• Enhance ability of law enforcement to receive information from financial institutions

• Initiate discussions with financial services industry on countermeasures to identity theft

• Initiate discussions with credit reporting agencies on preventing identity theft

Coordination with Foreign Law Enforcement

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government’s Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist, Train, and Support Foreign Law Enforcement

Prosecution Approaches and Initiatives

Increase Prosecutions of Identity Theft

• Designate an identity theft coordinator for each United States Attorney’s Office to design a specific identity theft program for each district

• Evaluate monetary thresholds for prosecution

• Encourage state prosecution of identity theft

• Create working groups and task forces

Conduct Targeted Enforcement Initiatives

• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale

• Conduct enforcement initiatives focused on identity theft related to the health care system

• Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs


Gaps in Statutes Criminalizing Identity Theft

Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes

• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted

• Add new crimes to the list of predicate offenses for aggravated identity theft offenses

• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications

• Penalize creators and distributors of malicious spyware and keyloggers

• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Law Enforcement Training

Enhance Training for Law Enforcement Officers and Prosecutors

• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft

• Increase number of regional identity theft seminars

• Increase resources for law enforcement on the Internet

• Review curricula to enhance basic and advanced training on identity theft

Measuring the Success of Law Enforcement

Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft

• Gather and analyze statistically reliable data from identity theft victims

• Expand scope of national crime victimization survey

• Review U.S. Sentencing Commission data

• Track prosecutions of identity theft and resources spent

• Conduct targeted surveys


II. The Contours of the Identity Theft Problem

Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.

Identity theft—the misuse of another individual’s personal information to commit fraud—can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.

Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain’s identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain’s name and with his Social Security number. The military identification, combined with the victim’s then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim’s name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim’s name.4

In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim’s existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim’s safe-deposit boxes.5

In these ways and others, consumers’ lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.

“I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver’s license was suspended. I hold three licenses in the State of Ohio—my driver’s license, my real estate license, and my RN license. After learning my driver’s license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter.”

Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003

A. PREVALENCE AND COSTS OF IDENTITY THEFT

There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.

Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly, but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.

In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.

In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.

Consumers’ fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.

B. IDENTITY THIEVES: WHO THEY ARE

Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC’s 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.

Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.

Individuals

According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners’ mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9

A number of recent reports have focused on the connection between individual methamphetamine (“meth”) users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.


In an article entitled “Waitress Gets Own ID When Carding Patron,” the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver’s license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.

In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $181,517.05 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver’s license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.


Significant Criminal Groups and Organizations

Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups—including national gangs such as Hell’s Angels and MS-13—are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.

Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user’s Internet connection, without the user’s knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services—such as software templates for making counterfeit identification cards and payment card magnetic strip encoders—that make the stolen data even more valuable to those who have it.

C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE

Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim’s name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.

Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.

In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant’s accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an “unprecedented, wide-ranging, organized criminal enterprise” that “engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers.” The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.

The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.

Common Theft and Dumpster Diving

While often considered a “high tech” crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as “dumpster diving.”13 Still others steal information using techniques no more sophisticated than purse snatching.

Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed—a measure that is intended, among other things, to reduce the ability of a “dumpster diver” to obtain a victim’s credit card number simply by looking through that victim’s discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15

[Figure: Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice]

A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.

Employee/Insider Theft

Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves, to access sensitive data at companies. The failure to disable a terminated employee’s access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.

Electronic Intrusions or Hacking

Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.

Second, hackers also can gain access to underlying applications—programs used to “communicate” between Internet users and a company’s internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker’s application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.

According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.

Social Engineering: Phishing, Malware/Spyware, and Pretexting

Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as “social engineering,” can take a variety of forms.

In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution’s screening practices came to light through the OCC’s review of the former employee’s activities.

In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe’s Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe’s retail store in Michigan and gained access to Lowe’s central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe’s retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.

Phishing: “Phishing” is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to “reenter” or “validate” their personal data. Such phishing schemes often mimic financial institutions’ websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed “vishing,” in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18

Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users’ computers and data without the users’ permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user’s Internet sessions back to the hacker, including usernames and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims’ passwords and other useful data—such as “sniffing” Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.

[Figure: “Phishing” Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group]

At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS’s website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.

Pretexting: Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer’s account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer’s name.20

Stolen Media

In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an “incidental” manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded—such as through the use of technological tools for protecting data—this information can be accessed and used to steal the victim’s identity. Identity thieves also may obtain consumer data when it is lost or misplaced.

Failure to “Know Your Customer”

Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.

The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.

Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.

In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.

“Skimming”

Because it is possible to use someone’s credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as “skimmers.” A skimmer is an inexpensive electronic device with a slot through which a person passes or “skims” a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer’s sight, he can skim the card through the device and then swipe it through the restaurant’s own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer’s card, as well as the consumer’s password.

D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT

Once they obtain victims’ personal information, criminals misuse it in endless ways, from opening new accounts in the victim’s name, to accessing the victim’s existing accounts, to using the victim’s name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.

Misuse of Existing Accounts

Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer’s wallet.


[Figure: A “skimmer.” Source: Durham, Ontario Police]

In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.


Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims’ bank accounts, including checking accounts—sometimes referred to as “account takeovers.”24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims’ online brokerage accounts.25

Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26

New Account Fraud

A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim’s name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.

[Figure: Criminal’s skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer’s keystrokes. Source: University of Texas Police Department]

In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor’s Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.


When criminals establish new credit card accounts in others’ names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others’ names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.

“Brokering” of Stolen Data

Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as “carding sites,” traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.

Immigration Fraud

In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.

Medical Identity Theft

Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim’s identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.


Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney’s Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver’s licenses, credit, or even medical services because someone had improperly used their personal information before.


Other Frauds

Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS’s Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.

With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services’ Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.

Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001 and a civil injunction against him in 2003 after the United States Attorney’s Office for the Southern District of New York obtained a criminal conviction against him in 2002.

In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant’s allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.

A STRATEGY TO COMBAT IDENTITY THEFT

III. A Strategy to Combat Identity Theft

Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its “life cycle,” it must be attacked at each of those stages, including:

• when the identity thief attempts to acquire a victim’s personal information;
• when the thief attempts to misuse the information he has acquired; and
• after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

The federal government’s strategy to combat identity theft must address each of these stages by:

• keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;
• making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;
• assisting victims in recovering from the crime; and
• deterring identity theft by aggressively prosecuting and punishing those who commit the crime.

A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force’s recommendations, as described below, are focused on those areas.

A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as “perfect security,” some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.

The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.29 Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.

1. Decreasing the Unnecessary Use of Social Security Numbers

The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim’s SSN and certain other information generally can open accounts or obtain other benefits in the victim’s name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.

SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers’ earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, is expressly authorized by statute.

The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.

Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students’ identification number for a range of purposes, from administering loans to tracking grades, and may place it on students’ identification cards, although usage for these purposes is declining.

In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver’s licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.

SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.30 Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.

No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations’ disclosure of SSNs without patient authorization; and the Driver’s Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 “permissible uses.”31 In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.32 A number of state statutes restrict the use and display of SSNs in certain contexts.33 Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.34

There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.

Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization’s internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN’s use as an authenticator.
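One way an organization could replace the SSN with an identifier it generates itself, shown as an added example that is not part of the Task Force report. The record layout, the `EMP-` identifier format, and the purpose names are assumptions made for illustration; the sample SSNs are constructed.

```python
import re
import secrets

# Purposes for which the stored SSN may be released. The names are
# hypothetical labels for uses the report describes as statutory.
ALLOWED_PURPOSES = {"tax_reporting", "employment_verification", "law_enforcement"}

SSN_FIELD = re.compile(r"^\s*(\d{3})[- ]?(\d{2})[- ]?(\d{4})\s*$")
SSN_IN_TEXT = re.compile(r"\b\d{3}-\d{2}-(\d{4})\b")


def normalize_ssn(raw):
    """Return the nine digits of an SSN field, or raise ValueError."""
    match = SSN_FIELD.match(raw)
    if not match:
        raise ValueError("field does not hold a nine-digit SSN")
    return "".join(match.groups())


def mask_ssn(raw):
    """Display form that shows only the last four digits."""
    return "***-**-" + normalize_ssn(raw)[-4:]


def scrub_text(text):
    """Mask any dashed SSN that was typed into a free-text field."""
    return SSN_IN_TEXT.sub(lambda m: "***-**-" + m.group(1), text)


class IdentifierVault:
    """The only component that stores SSNs; everything else sees random IDs."""

    def __init__(self):
        self._id_by_ssn = {}
        self._ssn_by_id = {}
        self.release_log = []  # (internal_id, purpose, allowed) tuples

    def internal_id(self, raw_ssn):
        """Return the person's internal ID, creating one on first sight."""
        ssn = normalize_ssn(raw_ssn)
        if ssn not in self._id_by_ssn:
            # Random, so the ID reveals nothing about the SSN it replaces.
            new_id = "EMP-" + secrets.token_hex(6).upper()
            while new_id in self._ssn_by_id:  # retry on the rare collision
                new_id = "EMP-" + secrets.token_hex(6).upper()
            self._id_by_ssn[ssn] = new_id
            self._ssn_by_id[new_id] = ssn
        return self._id_by_ssn[ssn]

    def release_ssn(self, internal_id, purpose):
        """Hand out the SSN only for an allowed purpose; log every request."""
        allowed = purpose in ALLOWED_PURPOSES
        self.release_log.append((internal_id, purpose, allowed))
        if not allowed:
            raise PermissionError("SSN not needed for purpose: " + purpose)
        return self._ssn_by_id[internal_id]


def migrate(records, vault):
    """Re-key records from SSN to internal ID and scrub free-text notes."""
    migrated = []
    for record in records:
        clean = {k: v for k, v in record.items() if k != "ssn"}
        clean["employee_id"] = vault.internal_id(record["ssn"])
        clean["notes"] = scrub_text(record.get("notes", ""))
        migrated.append(clean)
    return migrated


# Constructed sample records; the numbers are made up, not real SSNs.
SAMPLE_RECORDS = [
    {"ssn": "900-00-0001", "name": "A. Example", "notes": "badge reissued"},
    {"ssn": "900000002", "name": "B. Example",
     "notes": "caller confirmed SSN 900-00-0002 by phone"},
    {"ssn": "900 00 0001", "name": "A. Example", "notes": "second job record"},
]

if __name__ == "__main__":
    vault = IdentifierVault()
    for row in migrate(SAMPLE_RECORDS, vault):
        print(row)
```

After migration, an identification card or internal report carries only the `EMP-` value, so a lost card or a leaked report no longer exposes a number that can be used to authenticate as the person.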

In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA’s Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.


Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber’s identification number.35 Additionally, the Department of Treasury’s Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.

More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.

RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR

To limit the unnecessary use of SSNs in the public sector—and to begin to develop alternative strategies for identity management—the Task Force recommends the following:

Complete Review of Use of SSNs. As recommended in the Task Force’s interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers, where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in “any system of permanent account numbers pertaining to individuals,” should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.

When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim’s name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief’s medical information was added to the victim’s medical records.

Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.

Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.³⁶

Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB’s review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices—including the development of any alternative strategies for identity management—to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.

Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments—through organizations such as the National Governor’s Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems—to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders—including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.

2 Data Security in the Public Sector

While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.

a Safeguarding of Information in the Public Sector

Two sets of laws and associated policies frame the federal government’s responsibilities in the area of data security. The first specifically governs the federal government’s information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.³⁷ The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a “time-out” function for remote access and mobile devices.³⁸ The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.³⁹

Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President’s Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.⁴⁰

Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.

Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.

b Responding to Data Breaches in the Public Sector

Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.

The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.

RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE

To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:

Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 “mistakes” to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.

Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency’s quarterly PMA Scorecard.

Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency’s PMA scorecard.

RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES

To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:

Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.

Publish a “Routine Use” Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.⁴¹ DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.

3 Data Security in the Private Sector

Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.

a The Current Legal Landscape

Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;⁴² Section 5 of the FTC Act, which prohibits unfair or deceptive practices;⁴³ the FCRA,⁴⁴ which restricts access to consumer reports and imposes safe disposal requirements, among other things;⁴⁵ HIPAA, which protects health information;⁴⁶ Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,⁴⁷ which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers’ personal information.⁴⁸ See Volume II, Part A, for a description of federal laws and regulations related to data security.

The federal bank regulatory agencies—the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)—and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation.

BJ’s Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ’s stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers, and led to millions of dollars in fraudulent charges.

In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.

In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,⁴⁹ and some states have laws relevant to data security, including safeguards and disposal requirements.

Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.⁵⁰

Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution’s sensitive data to safeguard that data.⁵¹ Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor’s data center, and requiring vendors to provide certification that they are in compliance with the contracting organization’s privacy and data protection obligations.⁵²

b Implementation of Data Security Guidelines and Rules

Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.

In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company’s website permitted unauthorized access to consumers’ personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.

In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.

Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.⁵³ But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.⁵⁴ The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.⁵⁵

Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.⁵⁶ For example, of the small businesses surveyed:

• nearly 20 percent did not use virus scans for email, a basic information security safeguard;

• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;

• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and

• 74 percent reported having no information security plan in place.

Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies—sometimes pursuant to law or regulations issued by agencies—are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.

In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company’s security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.

c Responding to Data Breaches in the Private Sector

Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers’ fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.⁵⁷ Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.⁵⁸ Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.

The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.

A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.

In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.

Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.⁵⁹ Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.⁶⁰ A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.⁶¹ Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.⁶²

RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS

Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to “financial institutions,” but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles:

Covered data. The national standards for data security and for breach notification should cover data that can be used to perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual’s account, or to establish a new account using the individual’s identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver’s license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter “covered data”). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.

When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.

Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.

Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent “acquisition” of the data, and thus ordinarily would satisfy an entity’s legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.

Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This “significant risk of identity theft” trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real.

Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).

Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.

Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.

Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.

Private right of action. The national standards should not provide for or create a private right of action.

Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.

RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA

Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately, is less likely to suffer a data compromise. The Task Force therefore makes the following recommendations concerning how to better educate the private sector:

When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.

Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions, about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar’s leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force’s online clearinghouse at www.idtheft.gov.

Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook’s Information Security Booklet, issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.

RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS

Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.

A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company’s cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.

4. Educating Consumers on Protecting Their Personal Information

The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.

The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of “Deter, Detect, and Defend,” which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.

The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.

Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims’ coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted “Consumer Action Days,” with free seminars about identity theft and other consumer protection issues.

Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.64 As of this writing, more than 500 local police departments are using the FTC’s “Deter, Detect, Defend” campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.

Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons—including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms—students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.65 In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through web sites, orientation campaigns, and seminars.66

Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide—how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath—are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.

RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN

Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC’s current “AvoID Theft: Deter, Detect, Defend” campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:

Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.

Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.

Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.

Establish “Protect Your Identity Days.” The campaign should establish “Protect Your Identity Days” to promote better data security by businesses and individual commitment to security by consumers. These “Protect Your Identity Days” should also build on the popularity of community “shred-ins” by encouraging community and business organizations to shred documents containing personal information.

RECOMMENDATION: DEVELOP AN ONLINE “CLEARINGHOUSE” FOR CURRENT EDUCATIONAL RESOURCES

The Task Force recommends that in the third quarter of 2007, the Task Force member agencies develop an online “clearinghouse” for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.

B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.

An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision, and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer’s credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to “verify” the applicant’s identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.

Identity systems follow a two-fold process: first, determining (“identification”) and setting (“enrollment”) the identity of an individual at the onset of the relationship; and second, later ensuring that the individual is the same person who was initially enrolled (“authentication”). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, “financial institutions”), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.67 The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.68 See Volume II, Part G, for a description of recent laws relating to identification documents.

The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.69

Once an individual’s identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:

• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer’s monthly mortgage payment.

• Something a person has—most commonly a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.70

• Something a person is—most commonly a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.71

Some entities use a single form of authentication—most commonly a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.72 Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.73 Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.

SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.

RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION

Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.

As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

As noted in Section III A 1, above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.

C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.

1. Victim Assistance: Outreach and Education

Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.

In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.

Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.

Fair and Accurate Credit Transaction Act (FACT Act) Rights

The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.

Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:

• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.

• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.

• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.

• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.

• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.

State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General’s office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.

A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.

Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.

RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS

First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:

Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.

Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.

Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.

Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.

RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS

Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:

Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.

2. Making Identity Theft Victims Whole

Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.

The many hours victims spend in attempting to recover from the harms they suffer often take a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.

“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”

Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001

In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.74 In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.

RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED

Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.

As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.

RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES

One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or “passports,” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.

3. Gathering Better Information on the Effectiveness of Victim Recovery Measures

Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims’ experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.

RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS

The Task Force recommends the following surveys or assessments:

Conduct Assessment of FACT Act Remedies Under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.


Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policymakers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.

D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.

The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.

In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.

In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.

During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute,75 enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.

The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.

1. Coordination and Intelligence/Information Sharing

Federal law enforcement agencies have recognized the importance of coordination among agencies, and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.

In “Operation Firewall,” the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar. Using the website www.shadowcrew.com, the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents, such as drivers’ licenses, passports, and Social Security cards, as well as stolen credit card, debit card, and bank account numbers. The Shadowcrew members trafficked in at least 1.7 million stolen credit card numbers and caused total losses in excess of $4 million. The Secret Service successfully shut down the website following a year-long undercover investigation, which resulted in the arrests of 21 individuals in the United States on criminal charges in October 2004. Additionally, law enforcement officers in six foreign countries arrested or searched eight individuals.


a. Sources of Identity Theft Information

Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement through a secure website the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.

Private sector entities—including the financial services industry and credit reporting agencies—also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.


One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient “stove-piping” of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.

b. Format for Sharing Information and Intelligence

A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program’s terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.

To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police’s (IACP) Private Sector Liaison Committee and the Major Cities’ Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.

c. Mechanisms for Sharing Information

Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.

Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.

Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers “connect the dots” in investigations and pool limited resources.

RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER

The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to “connect the dots” between various investigations around the country.

In a case prosecuted by the United States Attorney’s Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.


RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM

The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC—a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department’s report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.

Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint (“Complaint”) form was made available in October 2006 via the FTC’s Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC’s Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.

RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR

Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:


Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service’s current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim’s credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.

2. Coordination With Foreign Law Enforcement

Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.

Because of the international nature of many forms of identity theft, providing assistance to, and receiving assistance from, foreign law enforcement on identity theft is critical for U.S. enforcement agencies. Under current law, the United States generally is able to provide such assistance, which fulfills our obligations under various treaties and enhances our ability to obtain reciprocal assistance from foreign agencies. Indeed, there are numerous examples of collaborations between U.S. and foreign law enforcement in identity theft investigations.

Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country’s law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.

Second, certain statutes governing foreign requests for electronic and other evidence—specifically 18 U.S.C. § 2703 and 28 U.S.C. § 1782—fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.

The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.


RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT

The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.

RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE

Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention’s standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings, and should continue until broad international acceptance of the Convention on Cybercrime is achieved.


RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES

Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.

RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT’S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT

The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).


RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT

Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.

3. Prosecution Approaches and Initiatives

As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney’s Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney’s Office in the District of Oregon has an identity theft “fast track” program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney’s Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.

Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney’s Offices have monetary thresholds—i.e., requirements that a certain amount of monetary loss must have been suffered by the victims—before the U.S. Attorney’s Office will open an identity theft case. When a U.S. Attorney’s Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.


RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT

The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:

Designate An Identity Theft Coordinator for Each United States Attorney’s Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney’s Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.

Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney’s Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.

Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.


Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.

RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES

Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:

Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals’ SSNs or other sensitive information to anyone who provides them with the individual’s name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.

Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries’ and providers’ identities and identification numbers, the opening of bank accounts in individuals’ names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers, can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.

Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.

RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS

By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.

4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps

Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.

a. The Identity Theft Statutes

The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.76 Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.

There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of “a person,” it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization’s name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.

b. Computer-Related Identity Theft Statutes

Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company’s internal local networks or by a thief intruding into a wireless network generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer’s wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney’s Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.

A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause “damage” to computers, i.e., that impair the “integrity or availability” of data or computer systems.77 Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals’ computers. Whether the programs succeed in obtaining the unsuspecting computer owner’s financial data, these sorts of programs harm the “integrity” of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.

c. Cyber-Extortion Statute

Another federal criminal statute that may apply in some computer-related identity theft cases is the “cyber-extortion” provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat “to cause damage to a protected computer,”78 is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first—such as by accessing a corporate computer without authority and encrypting critical data—and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly “threaten to cause damage” can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.

d. Sentencing Guidelines Governing Identity Theft

In recent years, the courts have created some uncertainty about the applicability of the “multiple victim enhancement” provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.79

RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES

The Task Force recommends that Congress take the following legislative actions:

Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.

Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases—mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A—in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.

Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.

Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant’s action must cause “damage” to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.

Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.

RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF’S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM

The Sentencing Commission should amend the definition of “victim,” as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.

5. Training of Law Enforcement Officers and Prosecutors

Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney’s Offices, for example, several federal law enforcement agencies—including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI—along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.

Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges—including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft—that warrant more specialized training at all levels of law enforcement.

RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS

Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ’s Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any “model programs”—fast track programs, etc.).

Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.

Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.

Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.

6. Measuring Success of Law Enforcement Efforts

One shortcoming in the federal government’s ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.

Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.

RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM’S RESPONSE TO IDENTITY THEFT

Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.

Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.

Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.

Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an “Identity Theft” category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.

Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.

IV. Conclusion: The Way Forward

There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.

Only a comprehensive and fully coordinated strategy to combat identity theft—one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector—will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders—consumers, business, and government—must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well being.

Appendices

APPENDIX A: Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol

APPENDIX B: Proposed Routine Use Language

Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12,990, 12,993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28,948, 28,953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.

Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:80

To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.

Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.

APPENDIX C: Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)

Proposed Language

(a) Section 3663 of Title 18, United States Code, is amended by:

(1) Deleting “and” at the end of paragraph (4) of subsection (b);

(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “and”; and

(3) Adding the following after paragraph (5) of subsection (b):

“(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”

Make conforming changes to the following:

(b) Section 3663A of Title 18, United States Code, is amended by:

(1) Adding the following after Section 3663A(b)(4):

“(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”

Section Analysis

These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim’s time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim’s time spent clearing a victim’s credit report or resolving charges made by the perpetrator for which the victim has been made responsible.

New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear that restitution orders may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense. The federal courts of appeals have interpreted the existing provisions of Section 3663 in such a way that would likely preclude the recovery of such amounts, absent explicit statutory authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th Cir. 1990), the court held that restitution ordered for offenses resulting in loss of property must be limited to recovery of property which is the subject of the offenses, and may not include consequential damages. Similarly, in United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held that the list of compensable expenses in a restitution statute is exclusive, and thus the district court did not have the authority to order the defendant to pay restitution to compensate the victim for mental anguish and suffering. Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court held that restitution was not allowed for consequential damages involved in determining the amount of loss or in recovering those funds; thus, a victim of wire fraud was not entitled to restitution for accounting fees and costs to reconstruct bank statements for the time period during which the defendant perpetuated the scheme, for the cost of temporary employees to reconstruct monthly bank statements, and for the costs incurred in borrowing funds to replace stolen funds. These new subsections will provide statutory authority for inclusion of amounts equal to the value of the victim’s time reasonably spent remediating the harm incurred as a result of the identity theft offense.

APPENDIX D: Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512

The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.

Proposed Language

§ 2703. Required disclosure of customer communications or records

(a) Contents of wire or electronic communications in electronic storage.—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

(b) Contents of wire or electronic communications in a remote computing service.—(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—

(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or

(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—

(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or

(ii) obtains a court order for such disclosure under subsection (d) of this section;

except that delayed notice may be given pursuant to section 2705 of this title.

(c) Records concerning electronic communication service or remote computing service.—(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—

(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant

§ 2711. Definitions for chapter

As used in this chapter—

(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;

(2) the term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system; and

(3) the term “court of competent jurisdiction” has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means—

(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that–

(i) has jurisdiction over the offense being investigated;

(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or

(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.

§ 3127. Definitions for chapter

As used in this chapter—

(1) the terms “wire communication”, “electronic communication”, “electronic communication service”, and “contents” have the meanings set forth for such terms in section 2510 of this title;

(2) the term “court of competent jurisdiction” means—

(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that–

(i) has jurisdiction over the offense being investigated;

(ii) is in or for a district in which the provider of electronic communication service is located;

(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or

(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device.

§ 3512. Foreign requests for assistance in criminal investigations and prosecutions

(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.

(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –

(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;

(2) administer any necessary oath; and

(3) take testimony or statements and receive documents or other things.

(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –

(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;

(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents, or things may be located; or

(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.

(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.

(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.

(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.

(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.

(h) As used in this section –

(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and

(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.

APPENDIX E
Text of Amendments to 18 U.S.C. §§ 1028 and 1028A

The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.

Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses

Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically, mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A—in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).

Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations

(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “or other person” after the word “individual”.

Rationale

Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized “appropriation” of legitimate companies’ names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation, sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy, and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.

One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as “phishing,” whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme—for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.

Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special “horror story” which stands above the rest. In August 2005, the “Anti-Phishing Working Group” determined in just that month alone there were 5259 unique phishing websites around the world. By December 2005, that number had increased to 7197, and there were 15244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities’ names (and even logos and web content) were “hijacked” (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., httpantiphishingorgapwg_phishing_activity_report_august_05pdf

In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks and companies’ names in communications with victims or in counterfeit checks.

Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code, to apply only to “natural” persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.


APPENDIX F
Text of Amendment to 18 U.S.C. § 1030(a)(2)

The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

1030(a) Whoever—

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains –

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.)

(B) information from any department or agency of the United States or

(C) information from any protected computer if the conduct involved an interstate or foreign communication

APPENDIX G
Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b

The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

18 U.S.C. § 1030

(a) Whoever—

(5)

(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer

(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage or

(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and

(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5000 in value

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals

(iii) physical injury to any person

(iv) a threat to public health or safety or

(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security

(c) The punishment for an offense under subsection (a) or (b) of this section is—

(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph

(3) (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph

(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection

(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection

(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section and

(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both and

(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both

(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5000 in value

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals

(iii) physical injury to any person

(iv) a threat to public health or safety

(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security or

(vi) damage affecting ten or more protected computers during any 1-year period

or an attempt to commit an offense punishable under this subparagraph

(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph

(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph

(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both

(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both or

(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

18 U.S.C. § 2332b(g)(5)(B)(I)

1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)


APPENDIX H
Text of Amendments to 18 U.S.C. § 1030(a)(7)

The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.

Proposed Language

18 U.S.C. § 1030(a)(7)

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any –

(a) threat to cause damage to a protected computer

(b) threat to obtain information from a protected computer without authorization or in excess of authorization, or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access or

(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion

APPENDIX I
Text of Amendment to United States Sentencing Guideline § 2B1.1

The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.

Proposed language for United States Sentencing Guidelines § 2B1.1, comment. (n.1)

“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.


APPENDIX J
Description of Proposed Surveys

In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:

• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.

• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3000 agencies. The sample includes all agencies with 100 or more officers, and a stratified random sample of smaller agencies, as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.

• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft, as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.

• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the post-conviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.

• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.

• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.


ENDNOTES

1. Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.

2. The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.

3. The public comments are available at wwwidtheftgov

4. Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”

5. See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at httpwwwusdojgovusaomiwpressJMiller_ Others10172006html

6. Javelin Strategy and Research, 2007 Identity Fraud Survey Report: Identity Fraud is Dropping, Continued Vigilance Necessary (Feb. 2007), summary available at httpwwwjavelinstrategycom; Bureau of Justice Statistics (DOJ) (2004), available at httpwwwojpusdojgovbjspubpdfit04pdf; Gartner, Inc. (2003), available at httpwwwgartnercom5_aboutpress_releasespr21july2003ajsp; FTC 2003 Survey Report (2003), available at httpwwwconsumergovidtheftpdf synovate_reportpdf

7. See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection, BSA Survey Suggests (Jan. 12, 2006), available at httpwwwbsacybersafetycomnews2005-Online-Shopping-Confidencecfm

8. See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at httpswwwcsiallianceorgpublicationssurveys_and_pollsCSIA_Internet_Security_Survey_June_2005pdf

9. See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at httpwwwusdojgovusaoflsPressReleases060719-01html

10. See, e.g., John Leland, Meth Users, Attuned to Detail, Add Another Habit: ID Theft, New York Times, July 11, 2006, available at httpwwwnytimescom20060711us11methhtmlex=1153540800ampen=7b6c7773afa880beampei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit: Online Theft, USA Today, December 14, 2005, available at httpwwwusatodaycomtechnewsinternetprivacy2005-12-14-meth-online-theft_xhtm


11. Bob Mims, Id Theft Is the No. 1 Runaway U.S. Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526.

12. Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, httpdeseretnewscomdnview0124960012971400html

13. Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at httpwwwnytimescom20031221magazine21IDENTITYhtmlex=1387342800ampen=b693eef01223bc3bampei=5007amppartner=USERLAND

14. Pub. L. No. 108-159, 117 Stat. 1952.

15. The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).

16. Overview of Attack Trends, CERT Coordination Center 2002, available at httpwwwcertorgarchivepdfattack_trendspdf

17. Lanowitz, T., Gartner Research, ID Number G00127407, December 1, 2005.

18. “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at httpwwwconsumeraffairscomnews04200607scam_vishinghtml

19. Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal: Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See httpwwwftcgovopa200605phonerecordshtm

20. The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at httpwwwftcgovopa200203pretextingsettlementshtm

21. See, e.g., Computers Stolen with Data on 72000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.

22. 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a).

23. Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.

24. See httpwwwbizjournalscomphiladelphiastories20060724daily30html. See also Identity Theft Resource Center, Fact Sheet 126: Checking Account Takeover and Check Fraud, httpwwwidtheftcenterorgvg126shtml


25. For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at httpwwwsecgovlitigationlitreleases2006lr19949htm

26. For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.

27. See John Leland, Some ID Theft Is Not For Profit, But to Get a Job, N.Y. Times, Sept. 4, 2006.

28. See World Privacy Forum, Medical Identity Theft: The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforumorgpdfwpf_medicalidtheft2006pdf

29. See httpwwwidanalyticscomnews_and_events20051208htm. Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.

30. Government Accounting Office, Social Security Numbers: Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004), at 2, available at httpwwwgaogovnewitemsd0559pdf

31. 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.

32. 5 U.S.C. § 552a.

33. See, e.g., Ariz. Rev. Stat. § 44-1373.

34. Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain, GAO-05-1016T, September 15, 2005.


35. See, e.g., wwwwpsiccomedicomm_sub_pshtmlmm=3, Non-SSN Member Numbers to Be Assigned for Privacy Protection.

36. Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.

37. The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”

38. See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).

39. The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.

40. See httpwwwwhitehousegovresultsagendascorecardhtml


41. The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.

42. 15 U.S.C. §§ 6801-09; 16 C.F.R. Part 313 (FTC); 12 C.F.R. Part 30, App. B (OCC, national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 C.F.R. Part 364, App. B (FDIC, state non-member banks); 12 C.F.R. Part 570, App. B (OTS, savings associations); 12 C.F.R. Part 748, App. A (NCUA, credit unions); 16 C.F.R. Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 C.F.R. Part 248.30 (SEC); 17 C.F.R. Part 160.30 (CFTC).

43. 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.

44. 15 U.S.C. §§ 1681-1681x, as amended.

45. Pub. L. No. 108-159, 117 Stat. 1952.

46. 42 U.S.C. §§ 1320d et seq.

47. 31 U.S.C. § 5318(l).

48. 18 U.S.C. §§ 2721 et seq.

49. httpwwwncslorgprogramsliscipprivbreachlawshtm

50. httpwwwbbborgsecurityandprivacySecurityPrivacyMadeSimplerpdf; wwwstaysafeonlineorgbasicscompanybasic_tipshtml; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at wwwbitsinfoorgdownloadsPublications20Pagebitsconsconpdf; wwwrealtororgrealtororgnsffilesNARInternetSecurityGuidepdf$FILENARInternetSecurityGuidepdf; wwwantiphishingorgreportsbestpracticesforispspdf; wwwuschambercomsbsecuritydefaulthtm; wwwtrusteorgpdfSecurityGuidelinespdf; wwwthe-dmaorgprivacyinformationsecurityshtml; httpwwwstaysafeonlineorgbasicscompanybasic_tipshtml

51. These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A and B, and 12 C.F.R. Part 717 (credit unions); 16 C.F.R. Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).

52. See, e.g., httpwwwtrusteorgpdfSecurityGuidelinespdf; httpwwwthe-dmaorgprivacyinformationsecurityshtml


53. Deloitte Financial Services, 2006 Global Security Survey, available at httpsingerucusnetblogarchives756-Deloitte-Security-Surveyshtml

54. Datalink, Data Storage Security Study, March 2006, available at wwwdatalinkcomsecurity

55. Id.

56. See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).

57. See, e.g., California (Cal. Civ. Code § 1798.82 (2006)); Illinois (815 Ill. Comp. Stat. 530/5 (2005)); Louisiana (La. Rev. Stat. 51:3074 (2006)); Rhode Island (R.I. Gen. Laws § 11-49.2-3 (2006)).

58. See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)); Florida (Fla. Stat. § 817.5681 (2005)); New York (NY CLS Gen. Bus. § 889-aa (2006)); Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).

59. Ponemon Institute LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, p. 16 (Apr. 26, 2006).

60. Id.

61. Ponemon Institute LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).

62. MultiChannel Merchant, Retailers Need to Provide Greater Data Security, Survey Says (Dec. 1, 2005), available at httpmultichannelmerchantcomopsandfulfillmentadvisorretailers_data_security_1201indexhtml

63. See Information Technology Examination Handbook’s Information Security Booklet, available at httpwwwffiecgovguideshtm

64. See, e.g., httpwwwpvkansascompolicecrimeiden_theftshtml (Prairie Village, Kansas); httpphoenixgovPOLICEdcd1html (Phoenix, Arizona); wwwcoarapahoecousdepartmentsSHindexasp (Arapahoe County, Colorado).

65. Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.

66. Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.


67. See 31 C.F.R. § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 C.F.R. § 103.122 (broker-dealers); 17 C.F.R. § 270.0-11, 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers).

68. See httpwwwdhsgovxprevprotlawsgc_1172765386179shtm

69. A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.

Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages before too much harm is done. See 71 Fed. Reg. 40786 (July 18, 2006), to be codified at 12 C.F.R. Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 C.F.R. Part 681 (FTC), available at httpwwwoccgovfrfedregister71fr40786pdf

70. USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information, such as a PIN, to allow access to a computer network. This system is frequently used to allow for remote access to a workstation for a telecommuter.

71. Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at wwwbiometricsgov


72. See Authentication in an Internet Banking Environment (October 12, 2005), available at http://www.ffiec.gov/pdf/authentication_guidance.pdf.

73. See FFIEC Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at http://www.ffiec.gov/pdf/authentication_faq.pdf.

74. See Kristin Davis and Jessica Anderson, But Officer, That Isn’t Me, Kiplinger’s Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va. Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).

75. 18 U.S.C. § 1028A.

76. 18 U.S.C. § 1028(d)(7).

77. See 18 U.S.C. § 1030(e)(8).

78. 18 U.S.C. § 1030(a)(7).

79. S. Rep. No. 105-274, at 9 (1998).

80. As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.


I. Executive Summary

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

A. INTRODUCTION

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government, from the largest cities with major police departments to the smallest towns with one fraud detective, identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force’s recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities, will be successful in protecting citizens and private entities from the crime.

B. THE STRATEGY

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud. Identity theft has at least three stages in its “life cycle,” and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim’s personal information.

Criminals must first gather personal information, either through low-tech methods, such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim’s personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim’s name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation’s citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan, from these broad policy changes to the small steps, are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President’s Task Force on Identity Theft:

PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While “perfect security” does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Data Security in Public Sector

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

• Survey current use of SSNs by federal government
• Issue guidance on appropriate use of SSNs
• Establish clearinghouse for “best” agency practices that minimize use of SSNs
• Work with state and local governments to review use of SSNs

Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance

• Develop concrete guidance and best practices
• Monitor agency compliance with data security guidance
• Protect portable storage and communications devices

Ensure Effective Risk-Based Responses to Data Breaches Suffered by Federal Agencies

• Issue data breach guidance to agencies
• Publish a “routine use” allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data

• Hold regional seminars for businesses on safeguarding information
• Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations

Initiate a Multi-Year Public Awareness Campaign

• Develop national awareness campaign
• Enlist outreach partners
• Increase outreach to traditionally underserved communities
• Establish “Protect Your Identity” Days

Develop Online Clearinghouse for Current Educational Resources

PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person’s identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: Identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses (for example, multi-factor authentication or layered security) would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication

• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity
• Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs

VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Identity theft can be committed despite a consumer’s best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.

Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims

• Train law enforcement officers
• Provide educational materials for first responders that can be used as a reference guide for identity theft victims
• Create and distribute an ID Theft Victim Statement of Rights
• Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims

• Conduct assessment of FACT Act remedies under FCRA
• Conduct assessment of state credit freeze laws

LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector

• Enhance ability of law enforcement to receive information from financial institutions
• Initiate discussions with financial services industry on countermeasures to identity theft
• Initiate discussions with credit reporting agencies on preventing identity theft

Coordination with Foreign Law Enforcement

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government’s Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist, Train, and Support Foreign Law Enforcement

Prosecution Approaches and Initiatives

Increase Prosecutions of Identity Theft

• Designate an identity theft coordinator for each United States Attorney’s Office to design a specific identity theft program for each district
• Evaluate monetary thresholds for prosecution
• Encourage state prosecution of identity theft
• Create working groups and task forces

Conduct Targeted Enforcement Initiatives

• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale
• Conduct enforcement initiatives focused on identity theft related to the health care system
• Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs


Gaps in Statutes Criminalizing Identity Theft

Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes

• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted
• Add new crimes to the list of predicate offenses for aggravated identity theft offenses
• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications
• Penalize creators and distributors of malicious spyware and keyloggers
• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Law Enforcement Training

Enhance Training for Law Enforcement Officers and Prosecutors

• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft
• Increase number of regional identity theft seminars
• Increase resources for law enforcement on the Internet
• Review curricula to enhance basic and advanced training on identity theft

Measuring the Success of Law Enforcement

Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft

• Gather and analyze statistically reliable data from identity theft victims
• Expand scope of national crime victimization survey
• Review U.S. Sentencing Commission data
• Track prosecutions of identity theft and resources spent
• Conduct targeted surveys


II. The Contours of the Identity Theft Problem


Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.

Identity theft, the misuse of another individual’s personal information to commit fraud, can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.

Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain’s identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain’s name and with his Social Security number. The military identification, combined with the victim’s then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim’s name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim’s name.4

In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim’s existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim’s safe-deposit boxes.5

In these ways and others, consumers’ lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.

“I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver’s license was suspended. I hold three licenses in the State of Ohio: my driver’s license, my real estate license, and my RN license. After learning my driver’s license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter.”

Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003

A. PREVALENCE AND COSTS OF IDENTITY THEFT

There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.

Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly, but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.

In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.

In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.

Consumers’ fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.

B. IDENTITY THIEVES: WHO THEY ARE

Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC’s 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.

Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.

Individuals

According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners’ mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9

A number of recent reports have focused on the connection between individual methamphetamine (“meth”) users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.

In an article entitled "Waitress Gets Own ID When Carding Patron," the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver's license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.

In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $18151705 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver's license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.

Significant Criminal Groups and Organizations

Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups—including national gangs such as Hell's Angels and MS-13—are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.

Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user's Internet connection, without the user's knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services—such as software templates for making counterfeit identification cards and payment card magnetic strip encoders—that make the stolen data even more valuable to those who have it.

C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE

Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim's name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.

Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.

In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant's accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an "unprecedented, wide-ranging, organized criminal enterprise" that "engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers." The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.

The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.

Common Theft and Dumpster Diving

While often considered a "high tech" crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as "dumpster diving."13 Still others steal information using techniques no more sophisticated than purse snatching.

Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice

A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.

Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed—a measure that is intended, among other things, to reduce the ability of a "dumpster diver" to obtain a victim's credit card number simply by looking through that victim's discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15
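
The receipt-truncation requirement described above can be checked mechanically. The following is an added example, not part of the Task Force report: a Python audit that finds card numbers printed in full in receipt text and re-renders them with only the trailing digits visible. The sample receipts, the test card numbers, and the choice to keep four digits are assumptions made for the illustration.

```python
import re

# Assumption for this example: a receipt shows only the last four digits.
KEEP_DIGITS = 4

# Candidate card numbers: 13-19 contiguous digits, or four groups of four
# separated by spaces or hyphens (other groupings are out of scope here).
PAN_RE = re.compile(r"(?<!\d)(?:\d{13,19}|\d{4}(?:[ -]\d{4}){3})(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: separates real card numbers from order ids and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_full_card_numbers(text):
    """Return (start, end, digits) for every untruncated, Luhn-valid number."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def truncate_receipt(text):
    """Rewrite the receipt so each card number shows only its last digits."""
    out, pos = [], 0
    for start, end, digits in find_full_card_numbers(text):
        out.append(text[pos:start])
        out.append("*" * (len(digits) - KEEP_DIGITS) + digits[-KEEP_DIGITS:])
        pos = end
    out.append(text[pos:])
    return "".join(out)


def audit_receipts(receipts):
    """Map receipt id -> last digits of each card number printed in full."""
    report = {}
    for receipt_id, text in receipts.items():
        found = [d[-KEEP_DIGITS:] for _, _, d in find_full_card_numbers(text)]
        if found:
            report[receipt_id] = found
    return report


# Constructed sample data; the card numbers are well-known test values.
SAMPLE_RECEIPTS = {
    "r-001": "STORE 12\nCARD 4111 1111 1111 1111\nORDER 1234567890123456\nTOTAL 25.00\n",
    "r-002": "STORE 12\nCARD ************4444\nTOTAL 9.10\n",
    "r-003": "STORE 07\nCARD 5555555555554444\nTOTAL 3.75\n",
}

if __name__ == "__main__":
    for receipt_id, last_digits in audit_receipts(SAMPLE_RECEIPTS).items():
        print(receipt_id, "prints a full card number ending", ", ".join(last_digits))
    print(truncate_receipt(SAMPLE_RECEIPTS["r-001"]))
```

The Luhn check is what keeps the 16-digit order number in `r-001` from being reported as a card number.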

Employee/Insider Theft

Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee's access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.

Electronic Intrusions or Hacking

Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.

Second, hackers also can gain access to underlying applications—programs used to "communicate" between Internet users and a company's internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker's application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.

According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.

Social Engineering: Phishing, Malware/Spyware, and Pretexting

Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as "social engineering," can take a variety of forms.

In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution's screening practices came to light through the OCC's review of the former employee's activities.

In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe's Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe's retail store in Michigan and gained access to Lowe's central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe's retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged

Phishing: "Phishing" is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to "reenter" or "validate" their personal data. Such phishing schemes often mimic financial institutions' websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed "vishing," in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18

"Phishing" Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group

At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS's website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.

Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users' computers and data without the users' permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user's Internet sessions back to the hacker, including usernames and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims' passwords and other useful data—such as "sniffing" Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.

Pretexting: Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer's account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer's name.20

Stolen Media

In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an "incidental" manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded—such as through the use of technological tools for protecting data—this information can be accessed and used to steal the victim's identity. Identity thieves also may obtain consumer data when it is lost or misplaced.

Failure to "Know Your Customer"

Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.

The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.

Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.

In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.

"Skimming"

Because it is possible to use someone's credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as "skimmers." A skimmer is an inexpensive electronic device with a slot through which a person passes or "skims" a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer's sight, he can skim the card through the device and then swipe it through the restaurant's own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer's card, as well as the consumer's password.

D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT

Once they obtain victims' personal information, criminals misuse it in endless ways, from opening new accounts in the victim's name, to accessing the victim's existing accounts, to using the victim's name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.

Misuse of Existing Accounts

Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer's wallet.

A "skimmer." Source: Durham, Ontario Police

In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.

Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims' bank accounts, including checking accounts—sometimes referred to as "account takeovers."24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims' online brokerage accounts.25

Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26

New Account Fraud

A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim's name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.

Criminal's skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer's keystrokes. Source: University of Texas Police Department

In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor's Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.

When criminals establish new credit card accounts in others' names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others' names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.

"Brokering" of Stolen Data

Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as "carding sites," traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.

Immigration Fraud

In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.

Medical Identity Theft

Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim's identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.

Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney's Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver's licenses, credit, or even medical services because someone had improperly used their personal information before.

Other Frauds

Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS's Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.

With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services' Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.

Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney's Office for the Southern District of New York obtained a criminal conviction against him in 2002.

In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant's allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.

III. A Strategy to Combat Identity Theft

Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its "life cycle," it must be attacked at each of those stages, including:

when the identity thief attempts to acquire a victim's personal information;

when the thief attempts to misuse the information he has acquired; and

after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

The federal government's strategy to combat identity theft must address each of these stages by:

keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;

making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;

assisting victims in recovering from the crime; and

deterring identity theft by aggressively prosecuting and punishing those who commit the crime.

A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force's recommendations, as described below, are focused on those areas.

A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as "perfect security," some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.

The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.29 Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.

1. Decreasing the Unnecessary Use of Social Security Numbers

The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim's SSN and certain other information generally can open accounts or obtain other benefits in the victim's name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.

SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers' earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes is expressly authorized by statute.

The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.

Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students' identification number for a range of purposes, from administering loans to tracking grades, and may place it on students' identification cards, although usage for these purposes is declining.

In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver's licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.

SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.30 Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.

No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations’ disclosure of SSNs without patient authorization; and the Driver’s Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 “permissible uses.”31 In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.32 A number of state statutes restrict the use and display of SSNs in certain contexts.33 Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.34

There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.

Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization’s internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN’s use as an authenticator.

In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA’s Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.

Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber’s identification number.35 Additionally, the Department of Treasury’s Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.

More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.

RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR

To limit the unnecessary use of SSNs in the public sector—and to begin to develop alternative strategies for identity management—the Task Force recommends the following:

Complete Review of Use of SSNs. As recommended in the Task Force’s interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers, where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in “any system of permanent account numbers pertaining to individuals,” should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.

When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim’s name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief’s medical information was added to the victim’s medical records.

Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.

Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.36

Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB’s review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices—including the development of any alternative strategies for identity management—to avoid duplication of effort and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.

Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments—through organizations such as the National Governor’s Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems—to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders—including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.

2. Data Security in the Public Sector

While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.

a. Safeguarding of Information in the Public Sector

Two sets of laws and associated policies frame the federal government’s responsibilities in the area of data security. The first specifically governs the federal government’s information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.37 The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a “time-out” function for remote access and mobile devices.38 The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.39

Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President’s Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.40

Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.

Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.

b. Responding to Data Breaches in the Public Sector

Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.

The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.

RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE

To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:

Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 “mistakes” to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.

Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency’s quarterly PMA Scorecard.

Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency’s PMA scorecard.

RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES

To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:

Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.

Publish a “Routine Use” Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.41 DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.

3. Data Security in the Private Sector

Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.

a. The Current Legal Landscape

Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;42 Section 5 of the FTC Act, which prohibits unfair or deceptive practices;43 the FCRA,44 which restricts access to consumer reports and imposes safe disposal requirements, among other things;45 HIPAA, which protects health information;46 Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,47 which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers’ personal information.48 See Volume II, Part A, for a description of federal laws and regulations related to data security.

The federal bank regulatory agencies—the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)—and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation.

BJ’s Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ’s stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers, and led to millions of dollars in fraudulent charges.

In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.

In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,49 and some states have laws relevant to data security, including safeguards and disposal requirements.

Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.50

Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution’s sensitive data to safeguard that data.51 Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor’s data center, and requiring vendors to provide certification that they are in compliance with the contracting organization’s privacy and data protection obligations.52

b. Implementation of Data Security Guidelines and Rules

Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.

In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company’s website permitted unauthorized access to consumers’ personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.

In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.

Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.53 But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.54 The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.55

Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.56 For example, of the small businesses surveyed:

• nearly 20 percent did not use virus scans for email, a basic information security safeguard;

• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;

• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and

• 74 percent reported having no information security plan in place.

Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies—sometimes pursuant to law or regulations issued by agencies—are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.

In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company’s security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.

c. Responding to Data Breaches in the Private Sector

Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers’ fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.57 Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.58 Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.

The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.

A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.

In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.

Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.59 Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.60 A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.61 Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.62

RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS

Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to “financial institutions,” but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles:

Covered data. The national standards for data security and for breach notification should cover data that can be used to perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual’s account, or to establish a new account using the individual’s identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver’s license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter “covered data”). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.

When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.

Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.

Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent “acquisition” of the data, and thus ordinarily would satisfy an entity’s legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.

Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This “significant risk of identity theft” trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or, conversely, to ignore the notices when the risks are real.

Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).

Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.

Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.

Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.

Private right of action. The national standards should not provide for or create a private right of action.

Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.

RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA

When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.

Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately, is less likely to suffer a data compromise. The Task Force, therefore, makes the following recommendations concerning how to better educate the private sector:

Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions, about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar’s leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force’s online clearinghouse at www.idtheft.gov.

Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook’s Information Security Booklet, issued under the auspices of the Federal Financial Institutions Examination Council,[63] the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.

RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS

Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.

A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company’s cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.

4. Educating Consumers on Protecting Their Personal Information

The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.

The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of “Deter, Detect, and Defend,” which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.

The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.

Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims’ coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted “Consumer Action Days,” with free seminars about identity theft and other consumer protection issues.

Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.[64] As of this writing, more than 500 local police departments are using the FTC’s “Deter, Detect, Defend” campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.

Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons—including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms—students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.[65] In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.[66]

Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide—how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath—are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.

RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN

Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC’s current “AvoID Theft: Deter, Detect, Defend” campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:

Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.

Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.

Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.

Establish “Protect Your Identity Days.” The campaign should establish “Protect Your Identity Days” to promote better data security by businesses and individual commitment to security by consumers. These “Protect Your Identity Days” should also build on the popularity of community “shred-ins” by encouraging community and business organizations to shred documents containing personal information.

RECOMMENDATION: DEVELOP AN ONLINE “CLEARINGHOUSE” FOR CURRENT EDUCATIONAL RESOURCES

The Task Force recommends that in the third quarter of 2007, the Task Force member agencies develop an online “clearinghouse” for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.

B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.

An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision, and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer’s credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to “verify” the applicant’s identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.

Identity systems follow a two-fold process: first, determining (“identification”) and setting (“enrollment”) the identity of an individual at the onset of the relationship; and second, later ensuring that the individual is the same person who was initially enrolled (“authentication”). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, “financial institutions”), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.[67] The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.[68] See Volume II, Part G, for a description of recent laws relating to identification documents.

The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.[69]

Once an individual’s identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:

• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer’s monthly mortgage payment.

• Something a person has—most commonly, a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.[70]

• Something a person is—most commonly a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.[71]

Some entities use a single form of authentication—most commonly a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.[72] Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.[73] Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.

SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.

RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION

Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.

As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs

As noted in Section III.A.1, above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.

C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.

1. Victim Assistance: Outreach and Education

Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.

In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.

Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.

Fair and Accurate Credit Transactions Act (FACT Act) Rights. The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.

Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:

• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.

• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.

• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.

• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.

• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.

State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General’s office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.

A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.

Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.

RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS

First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:

Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.

Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.

Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.

Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.

RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS

Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:

Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.

2. Making Identity Theft Victims Whole

Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.

The many hours victims spend in attempting to recover from the harms they suffer often take a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.

“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”

Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001


In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.⁷⁴ In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.

RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED

Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.

As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.

RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES

One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or “passports,” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.

3. Gathering Better Information on the Effectiveness of Victim Recovery Measures

Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims’ experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.

RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS

The Task Force recommends the following surveys or assessments:

Conduct Assessment of FACT Act Remedies under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.


Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policymakers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.

D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.

The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.

In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.

In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.

During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute⁷⁵ enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.

The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.

1. Coordination and Intelligence/Information Sharing

Federal law enforcement agencies have recognized the importance of coordination among agencies and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.

In “Operation Firewall,” the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar. Using the website www.shadowcrew.com, the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents, such as drivers’ licenses, passports, and Social Security cards, as well as stolen credit card, debit card, and bank account numbers. The Shadowcrew members trafficked in at least 1.7 million stolen credit card numbers and caused total losses in excess of $4 million. The Secret Service successfully shut down the website following a year-long undercover investigation, which resulted in the arrests of 21 individuals in the United States on criminal charges in October 2004. Additionally, law enforcement officers in six foreign countries arrested or searched eight individuals.


a. Sources of Identity Theft Information

Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement through a secure website the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.

Private sector entities—including the financial services industry and credit reporting agencies—also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.

One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient “stove-piping” of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.

b. Format for Sharing Information and Intelligence

A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program’s terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.

To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police’s (IACP) Private Sector Liaison Committee and the Major Cities’ Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.

c. Mechanisms for Sharing Information

Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.

Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.

Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers “connect the dots” in investigations and pool limited resources.

RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER

The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to “connect the dots” between various investigations around the country.

In a case prosecuted by the United States Attorney’s Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.

RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM

The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC—a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department’s report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.

Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint (“Complaint”) form was made available in October 2006 via the FTC’s Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC’s Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.

RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR

Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:

Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service’s current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim’s credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.

2. Coordination With Foreign Law Enforcement

Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.

Because of the international nature of many forms of identity theft, providing assistance to, and receiving assistance from, foreign law enforcement on identity theft is critical for U.S. enforcement agencies. Under current law, the United States generally is able to provide such assistance, which fulfills our obligations under various treaties and enhances our ability to obtain reciprocal assistance from foreign agencies. Indeed, there are numerous examples of collaborations between U.S. and foreign law enforcement in identity theft investigations.

Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country’s law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.

Second, certain statutes governing foreign requests for electronic and other evidence—specifically 18 U.S.C. § 2703 and 28 U.S.C. § 1782—fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.

The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.

RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT

The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.

RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE

Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention’s standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings, and should continue until broad international acceptance of the Convention on Cybercrime is achieved.

RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES

Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.

RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT’S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT

The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).

rECOMMENDATION ASSIST TrAIN AND SuPPOrT FOrEIGN LAW ENFOrCEMENT

Becausetheinvestigationof majoridentitytheftringsincreas-inglywillrequireforeigncooperationfederallawenforcementagenciesledbyDOJFBISecretServiceUSPISandICEshouldassisttrainandsupportforeignlawenforcementthroughtheuseof Internetintelligence-collectionentitiesincludingIC3andCIRFUandcontinuetomakeitaprioritytoworkwithothercountriesinjointinvestigationstargetingidentitytheftThisworkshouldbegininthethirdquarterof 2007

3. Prosecution Approaches and Initiatives

As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney’s Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney’s Office in the District of Oregon has an identity theft “fast track” program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney’s Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.

Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney’s Offices have monetary thresholds—i.e., requirements that a certain amount of monetary loss must have been suffered by the victims—before the U.S. Attorney’s Office will open an identity theft case. When a U.S. Attorney’s Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.

RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT

The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:

Designate An Identity Theft Coordinator for Each United States Attorney’s Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney’s Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.

Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney’s Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.

Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.

Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.

RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES

Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:

Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals’ SSNs or other sensitive information to anyone who provides them with the individual’s name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.

Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries’ and providers’ identities and identification numbers, the opening of bank accounts in individuals’ names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.

Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.

RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS

By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.

4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps

Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.

a. The Identity Theft Statutes

The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.76 Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.

There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of “a person,” it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization’s name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.

b. Computer-Related Identity Theft Statutes

Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company’s internal local networks or by a thief intruding into a wireless network generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer’s wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney’s Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.

A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause “damage” to computers, i.e., that impair the “integrity or availability” of data or computer systems.77 Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals’ computers. Whether the programs succeed in obtaining the unsuspecting computer owner’s financial data, these sorts of programs harm the “integrity” of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.

c. Cyber-Extortion Statute

Another federal criminal statute that may apply in some computer-related identity theft cases is the “cyber-extortion” provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat “to cause damage to a protected computer,”78 is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first—such as by accessing a corporate computer without authority and encrypting critical data—and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly “threaten to cause damage” can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.

d. Sentencing Guidelines Governing Identity Theft

In recent years, the courts have created some uncertainty about the applicability of the “multiple victim enhancement” provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.79

RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES

The Task Force recommends that Congress take the following legislative actions:

Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.

Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases—mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A—in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.

Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.

Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant’s action must cause “damage” to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.

Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.

RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF’S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM

The Sentencing Commission should amend the definition of “victim,” as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.

5. Training of Law Enforcement Officers and Prosecutors

Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney’s Offices, for example, several federal law enforcement agencies—including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI—along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.

Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges—including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft—that warrant more specialized training at all levels of law enforcement.

RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS

Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ’s Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any “model programs”—fast track programs, etc.).

Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.

Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.

Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.

6. Measuring Success of Law Enforcement Efforts

One shortcoming in the federal government’s ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.

Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.

RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM’S RESPONSE TO IDENTITY THEFT

Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.

Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.

Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.

Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an “Identity Theft” category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.

Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.

IV. Conclusion: The Way Forward

There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.

Only a comprehensive and fully coordinated strategy to combat identity theft—one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector—will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders—consumers, business, and government—must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well being.

Appendices

APPENDIX A: Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol

APPENDIX B: Proposed Routine Use Language

Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12990, 12993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28948, 28953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.

Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:80

To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.

Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.

Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.

APPENDIX C: Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)

Proposed Language

(a) Section 3663 of Title 18, United States Code, is amended by:

(1) Deleting “and” at the end of paragraph (4) of subsection (b);

(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “and”; and

(3) Adding the following after paragraph (5) of subsection (b):

“(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”

Make conforming changes to the following:

(b) Section 3663A of Title 18, United States Code, is amended by:

(1) Adding the following after Section 3663A(b)(4):

“(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”

Section Analysis

These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim’s time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim’s time spent clearing a victim’s credit report or resolving charges made by the perpetrator for which the victim has been made responsible.

New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear that restitution orders may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense. The federal courts of appeals have interpreted the existing provisions of Section 3663 in such a way that would likely preclude the recovery of such amounts, absent explicit statutory authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th Cir. 1990), the court held that restitution ordered for offenses resulting in loss of property must be limited to recovery of property which is the subject of the offenses, and may not include consequential damages. Similarly, in United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held that the list of compensable expenses in a restitution statute is exclusive, and thus the district court did not have the authority to order the defendant to pay restitution to compensate the victim for mental anguish and suffering. Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court held that restitution was not allowed for consequential damages involved in determining the amount of loss or in recovering those funds; thus, a victim of wire fraud was not entitled to restitution for accounting fees and costs to reconstruct bank statements for the time period during which the defendant perpetuated the scheme, for the cost of temporary employees to reconstruct monthly bank statements, and for the costs incurred in borrowing funds to replace stolen funds. These new subsections will provide statutory authority for inclusion of amounts equal to the value of the victim’s time reasonably spent remediating the harm incurred as a result of the identity theft offense.

APPENDIX D: Text of Amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and Text of New Language for 18 U.S.C. § 3512

The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.

Proposed Language

§ 2703. Required disclosure of customer communications or records

(a) Contents of wire or electronic communications in electronic storage.—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

(b) Contents of wire or electronic communications in a remote computing service.—(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—

(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or

(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—

(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or

(ii) obtains a court order for such disclosure under subsection (d) of this section;

except that delayed notice may be given pursuant to section 2705 of this title.

(c) Records concerning electronic communication service or remote computing service.—(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—

(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;

§ 2711. Definitions for chapter

As used in this chapter—

(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;

(2) the term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system; and

(3) the term “court of competent jurisdiction” has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means—

(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that–

(i) has jurisdiction over the offense being investigated;

(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or

(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.

§ 3127. Definitions for chapter

As used in this chapter—

(1) the terms “wire communication”, “electronic communication”, “electronic communication service”, and “contents” have the meanings set forth for such terms in section 2510 of this title

(2) the term “court of competent jurisdiction” means—


(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that–

(i) has jurisdiction over the offense being investigated

(ii) is in or for a district in which the provider of electronic communication service is located

(iii) is in or for a district in which a landlord custodian or other person subject to 3124(a) or (b) is located or

(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title or

(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device

§ 3512. Foreign requests for assistance in criminal investigations and prosecutions

(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.

(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –

(1) issue orders requiring the appearance of a person or the production of documents or other things or both

(2) administer any necessary oath and

(3) take testimony or statements and receive documents or other things


(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –

(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located

(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts in any one of the districts in which such a person documents or things may be located or

(3) in any case the district in which a related Federal criminal investigation or prosecution is being conducted or in the District of Columbia

(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located

(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that if committed in the United States would be considered an offense punishable by imprisonment for more than one year under federal or state law

(f) Except as provided in subsection (d) an order or warrant issued pursuant to this section may be served or executed in any place in the United States

(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782

(h) As used in this section –

(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters and

(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure


APPENDIX E
Text of Amendments to 18 U.S.C. §§ 1028 and 1028A

The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.

Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses

Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A—in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).

Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations

(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.

(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “or other person” after the word “individual”.

Rationale

Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized “appropriation” of legitimate companies’ names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation, sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy, and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.

One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as “phishing,” whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme—for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.

Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special “horror story” which stands above the rest. In August 2005, the “Anti-Phishing Working Group” determined in just that month alone, there were 5259 unique phishing websites around the world. By December 2005, that number had increased to 7197, and there were 15244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities’ names (and even logos and web content) were “hijacked” (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., httpantiphishingorgapwg_phishing_activity_report_august_05pdf

In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks and companies’ names in communications with victims or in counterfeit checks.

Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code, to apply only to “natural” persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.


APPENDIX F
Text of Amendment to 18 U.S.C. § 1030(a)(2)

The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

1030(a) Whoever—

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains–

(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.)

(B) information from any department or agency of the United States or

(C) information from any protected computer if the conduct involved an interstate or foreign communication

APPENDIX G
Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b

The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.

Proposed Language

18 U.S.C. § 1030

(a) Whoever—

(5)

(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer

(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage or

(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and

(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5000 in value

(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals

(iii) physical injury to any person

(iv) a threat to public health or safety or

(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security

(c) The punishment for an offense under subsection (a) or (b) of this section is—

(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph

(3) (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph

(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection

(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection

(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section and

(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both and

(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both

(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—

(i) loss to 1 or more persons during any 1-year period (and for purposes of an investigation prosecution or other proceeding brought by the United States only loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5000 in value

(ii) the modification or impairment or potential modification or impairment of the medical examination diagnosis treatment or care of 1 or more individuals

(iii) physical injury to any person

(iv) a threat to public health or safety

(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice national defense or national security or

(vi) damage affecting ten or more protected computers during any 1-year period

or an attempt to commit an offense punishable under this subparagraph

(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E) a fine under this title imprisonment for not more than 10 years or both in the case of an offense under subsection (a)(5)(A) which does not occur after a conviction for another offense under this section if the offense caused (or in the case of an attempted offense would if completed have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi) or an attempt to commit an offense punishable under this subparagraph

(C) a fine under this title imprisonment for not more than 20 years or both in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section or an attempt to commit an offense punishable under this subparagraph

(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A) a fine under this title or imprisonment for not more than 20 years or both

(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A) a fine under this title or imprisonment for any term of years or for life or both or

(F) a fine under this title imprisonment for not more than one year or both for any other offense under subsection (a)(5) or an attempt to commit an offense punishable under this subparagraph

(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.

18 U.S.C. § 2332b(g)(5)(B)(I)

1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)


APPENDIX H
Text of Amendments to 18 U.S.C. § 1030(a)(7)

The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.

Proposed Language

18 U.S.C. § 1030(a)(7)

(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any–

(a) threat to cause damage to a protected computer

(b) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access or

(c) demand or request for money or other thing of value in relation to damage to a protected computer where such damage was caused to facilitate the extortion

APPENDIX I
Text of Amendment to United States Sentencing Guideline § 2B1.1

The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.

Proposed language for United States Sentencing Guidelines § 2B1.1, comment. (n.1)

“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.


APPENDIX J
Description of Proposed Surveys

In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:

• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.

• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3000 agencies. The sample includes all agencies with 100 or more officers and a stratified random sample of smaller agencies, as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.

• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft, as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.

• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the postconviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.

• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.

• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.


ENDNOTES

1. Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.

2. The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.

3. The public comments are available at wwwidtheftgov

4. Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”

5. See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at httpwwwusdojgovusaomiwpressJMiller_ Others10172006html

6. Javelin Strategy and Research, 2007 Identity Fraud Survey Report Identity Fraud is Dropping Continued Vigilance Necessary (Feb. 2007), summary available at httpwwwjavelinstrategycom; Bureau of Justice Statistics (DOJ) (2004), available at httpwwwojpusdojgovbjspubpdfit04pdf; Gartner, Inc. (2003), available at httpwwwgartnercom5_aboutpress_releasespr21july2003ajsp; FTC 2003 Survey Report (2003), available at httpwwwconsumergovidtheftpdf synovate_reportpdf

7. See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection BSA Survey Suggests (Jan. 12, 2006), available at httpwwwbsacybersafetycomnews2005-Online-Shopping-Confidencecfm

8. See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at httpswwwcsiallianceorgpublicationssurveys_and_pollsCSIA_Internet_Security_Survey_June_2005pdf

9. See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at httpwwwusdojgovusaoflsPressReleases060719-01html

10. See, e.g., John Leland, Meth Users Attuned to Detail Add Another Habit ID Theft, New York Times, July 11, 2006, available at httpwwwnytimescom20060711us11methhtmlex=1153540800ampen=7b6c7773afa880beampei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit Online Theft, USA Today, December 14, 2005, available at httpwwwusatodaycomtechnewsinternetprivacy2005-12-14-meth-online-theft_xhtm


11. Bob Mims, Id Theft Is the No 1 Runaway US Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526

12. Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, httpdeseretnewscomdnview0124960012971400html

13. Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at httpwwwnytimescom20031221magazine21IDENTITYhtmlex=1387342800ampen=b693eef01223bc3bampei=5007amppartner=USERLAND

14. Pub. L. No. 108-159, 117 Stat. 1952.

15. The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).

16. Overview of Attack Trends, CERT Coordination Center, 2002, available at httpwwwcertorgarchivepdfattack_trendspdf

17. Lanowitz, T., Gartner Research ID Number G00127407, December 1, 2005.

18. “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at httpwwwconsumeraffairscomnews04200607scam_vishinghtml

19. Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See httpwwwftcgovopa200605phonerecordshtm

20. The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at httpwwwftcgovopa200203pretextingsettlementshtm

21. See, e.g., Computers Stolen with Data on 72000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.

22. 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a).

23. Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.

24. See httpwwwbizjournalscomphiladelphiastories20060724daily30html See also Identity Theft Resource Center, Fact Sheet 126, Checking Account Takeover and Check Fraud, httpwwwidtheftcenterorgvg126shtml


25. For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at httpwwwsecgovlitigationlitreleases2006lr19949htm

26. For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.

27. See John Leland, Some ID Theft Is Not For Profit But to Get a Job, NY Times, Sept. 4, 2006.

28. See World Privacy Forum, Medical Identity Theft The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforumorgpdfwpf_medicalidtheft2006pdf

29. See httpwwwidanalyticscomnews_and_events20051208htm Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.

30. Government Accounting Office, Social Security Numbers Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004) at 2, available at httpwwwgaogovnewitemsd0559pdf

31. 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.

32. 5 U.S.C. § 552a.

33. See, e.g., Ariz. Rev. Stat. § 44-1373.

34. Social Security Numbers Federal and State Laws Restrict Use of SSNs Yet Gaps Remain, GAO-05-1016T, September 15, 2005.


35. See, e.g., wwwwpsiccomedicomm_sub_pshtmlmm=3 Non-SSN Member Numbers to Be Assigned for Privacy Protection

36. Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.

37. The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”

38. See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).

39. The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.

40. See httpwwwwhitehousegovresultsagendascorecardhtml

41. The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.

42. 15 U.S.C. §§ 6801-09; 16 C.F.R. Part 313 (FTC); 12 C.F.R. Part 30, App. B (OCC, national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 C.F.R. Part 364, App. B (FDIC, state non-member banks); 12 C.F.R. Part 570, App. B (OTS, savings associations); 12 C.F.R. Part 748, App. A (NCUA, credit unions); 16 C.F.R. Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 C.F.R. Part 248.30 (SEC); 17 C.F.R. Part 160.30 (CFTC).

43. 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.

44. 15 U.S.C. §§ 1681-1681x, as amended.

45. Pub. L. No. 108-159, 117 Stat. 1952.

46. 42 U.S.C. §§ 1320d et seq.

47. 31 U.S.C. § 5318(l).

48. 18 U.S.C. §§ 2721 et seq.

49. http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm.

50. http://www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf; www.staysafeonline.org/basics/company/basic_tips.html; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at www.bitsinfo.org/downloads/Publications%20Page/bitsconscon.pdf; www.realtor.org/realtororg.nsf/files/NARInternetSecurityGuide.pdf/$FILE/NARInternetSecurityGuide.pdf; www.antiphishing.org/reports/bestpracticesforisps.pdf; www.uschamber.com/sb/security/default.htm; www.truste.org/pdf/SecurityGuidelines.pdf; www.the-dma.org/privacy/informationsecurity.shtml; http://www.staysafeonline.org/basics/company/basic_tips.html.

51. These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A and B, and 12 C.F.R. Part 717 (credit unions); 16 C.F.R. Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).

52. See, e.g., http://www.truste.org/pdf/SecurityGuidelines.pdf; http://www.the-dma.org/privacy/informationsecurity.shtml.

53. Deloitte Financial Services, 2006 Global Security Survey, available at http://singe.rucus.net/blog/archives/756-Deloitte-Security-Surveys.html.

54. Datalink, Data Storage Security Study, March 2006, available at www.datalink.com/security.

55. Id.

56. See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).

57. See, e.g., California (Cal. Civ. Code § 1798.82 (2006)); Illinois (815 Ill. Comp. Stat. 530/5 (2005)); Louisiana (La. Rev. Stat. 51:3074 (2006)); Rhode Island (R.I. Gen. Laws § 11-4923 (2006)).

58. See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)); Florida (Fla. Stat. § 817.5681 (2005)); New York (N.Y. C.L.S. Gen. Bus. § 889-aa (2006)); Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).

59. Ponemon Institute LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, p. 16 (Apr. 26, 2006).

60. Id.

61. Ponemon Institute LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).

62. MultiChannel Merchant, Retailers Need to Provide Greater Data Security, Survey Says (Dec. 1, 2005), available at http://multichannelmerchant.com/opsandfulfillment/advisor/retailers_data_security_1201/index.html.

63. See Information Technology Examination Handbook’s Information Security Booklet, available at http://www.ffiec.gov/guides.htm.

64. See, e.g., http://www.pvkansas.com/police/crime/iden_theft.shtml (Prairie Village, Kansas); http://phoenix.gov/POLICE/dcd1.html (Phoenix, Arizona); www.co.arapahoe.co.us/departments/SH/index.asp (Arapahoe County, Colorado).

65. Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.

66. Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.

67. See 31 C.F.R. § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 C.F.R. § 103.122 (broker-dealers); 17 C.F.R. § 270.0-11, 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers).

68. See http://www.dhs.gov/xprevprot/laws/gc_1172765386179.shtm.

69. A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.

Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages before too much harm is done. See 71 Fed. Reg. 40786 (July 18, 2006), to be codified at 12 C.F.R. Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 C.F.R. Part 681 (FTC), available at http://www.occ.gov/fr/fedregister/71fr40786.pdf.

70. USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information such as a PIN to allow access to a computer network. This system is frequently used to allow for remote access to a work station for a telecommuter.

71. Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at www.biometrics.gov.

72. See Authentication in an Internet Banking Environment (October 12, 2005), available at http://www.ffiec.gov/pdf/authentication_guidance.pdf.

73. See FFIEC Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at http://www.ffiec.gov/pdf/authentication_faq.pdf.

74. See Kristin Davis and Jessica Anderson, But Officer, That Isn’t Me, Kiplinger’s Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va. Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).

75. 18 U.S.C. § 1028A.

76. 18 U.S.C. § 1028(d)(7).

77. See 18 U.S.C. § 1030(e)(8).

78. 18 U.S.C. § 1030(a)(7).

79. S. Rep. No. 105-274, at 9 (1998).

80. As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.
