COMBATING IDENTITY THEFT: A Strategic Plan
The President’s Identity Theft Task Force
April 2007
Table of Contents
Glossary of Acronyms
Identity Theft Task Force Members
Letter to the President
I. Executive Summary
  A. Introduction
  B. The Strategy
II. The Contours of the Identity Theft Problem
  A. Prevalence and Costs of Identity Theft
  B. Identity Thieves: Who They Are
  C. How Identity Theft Happens: The Tools of the Trade
  D. What Identity Thieves Do With the Information They Steal: The Different Forms of Identity Theft
III. A Strategy to Combat Identity Theft
  A. Prevention: Keeping Consumer Data out of the Hands of Criminals
    1. Decreasing the Unnecessary Use of Social Security Numbers
    2. Data Security in the Public Sector
      a. Safeguarding of Information in the Public Sector
      b. Responding to Data Breaches in the Public Sector
    3. Data Security in the Private Sector
      a. The Current Legal Landscape
      b. Implementation of Data Security Guidelines and Rules
      c. Responding to Data Breaches in the Private Sector
    4. Educating Consumers on Protecting Their Personal Information
  B. Prevention: Making It Harder to Misuse Consumer Data
  C. Victim Recovery: Helping Consumers Repair Their Lives
    1. Victim Assistance: Outreach and Education
    2. Making Identity Theft Victims Whole
    3. Gathering Better Information on the Effectiveness of Victim Recovery Measures
  D. Law Enforcement: Prosecuting and Punishing Identity Thieves
    1. Coordination and Intelligence/Information Sharing
      a. Sources of Identity Theft Information
      b. Format for Sharing Information and Intelligence
      c. Mechanisms for Sharing Information
    2. Coordination with Foreign Law Enforcement
    3. Prosecution Approaches and Initiatives
    4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps
      a. The Identity Theft Statutes
      b. Computer-Related Identity Theft Statutes
      c. Cyber-Extortion Statute
      d. Sentencing Guidelines Governing Identity Theft
    5. Training of Law Enforcement Officers and Prosecutors
    6. Measuring Success of Law Enforcement Efforts
IV. Conclusion: The Way Forward
APPENDICES
Appendix A: Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol
Appendix B: Proposed Routine Use Language
Appendix C: Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)
Appendix D: Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512
Appendix E: Text of Amendments to 18 U.S.C. §§ 1028 and 1028A
Appendix F: Text of Amendment to 18 U.S.C. § 1032(a)(2)
Appendix G: Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. 2332b
Appendix H: Text of Amendments to 18 U.S.C. § 1030(a)(7)
Appendix I: Text of Amendment to United States Sentencing Guideline § 2B1.1
Appendix J (Description of Proposed Surveys)
ENDNOTES
Glossary of Acronyms
AAMVA – American Association of Motor Vehicle Administrators
AARP – American Association of Retired Persons
ABA – American Bar Association
APWG – Anti-Phishing Working Group
BBB – Better Business Bureau
BIN – Bank Identification Number
BJA – Bureau of Justice Assistance
BJS – Bureau of Justice Statistics
CCIPS – Computer Crime and Intellectual Property Section (DOJ)
CCMSI – Credit Card Mail Security Initiative
CFAA – Computer Fraud and Abuse Act
CFTC – Commodity Futures Trading Commission
CIO – Chief Information Officer
CIP – Customer Identification Program
CIRFU – Cyber Initiative and Resource Fusion Center
CMRA – Commercial Mail Receiving Agency
CMS – Centers for Medicare and Medicaid Services (HHS)
CRA – Consumer reporting agency
CVV2 – Card Verification Value 2
DBFTF – Document and Benefit Fraud Task Force
DHS – Department of Homeland Security
DOJ – Department of Justice
DPPA – Drivers Privacy Protection Act of 1994
FACT Act – Fair and Accurate Credit Transactions Act of 2003
FBI – Federal Bureau of Investigation
FCD – Financial Crimes Database
FCRA – Fair Credit Reporting Act
FCU Act – Federal Credit Union Act
FDI Act – Federal Deposit Insurance Act
FDIC – Federal Deposit Insurance Corporation
FEMA – Federal Emergency Management Agency
FERPA – Family and Educational Rights and Privacy Act of 1974
FFIEC – Federal Financial Institutions Examination Council
FIMSI – Financial Industry Mail Security Initiative
FinCEN – Financial Crimes Enforcement Network (Department of Treasury)
FISMA – Federal Information Security Management Act of 2002
FRB – Federal Reserve Board of Governors
FSI – Financial Services, Inc.
FTC – Federal Trade Commission
FTC Act – Federal Trade Commission Act
GAO – Government Accountability Office
GLB Act – Gramm-Leach-Bliley Act
HHS – Department of Health and Human Services
HIPAA – Health Insurance Portability and Accountability Act of 1996
IACP – International Association of Chiefs of Police
IAFCI – International Association of Financial Crimes Investigators
IC3 – Internet Crime Complaint Center
ICE – U.S. Immigration and Customs Enforcement
IRS – Internal Revenue Service
IRS CI – IRS Criminal Investigation Division
IRTPA – Intelligence Reform and Terrorism Prevention Act of 2004
ISI – Intelligence Sharing Initiative (U.S. Postal Inspection Service)
ISP – Internet service provider
ISS LOB – Information Systems Security Line of Business
ITAC – Identity Theft Assistance Center
ITCI – Information Technology Compliance Institute
ITRC – Identity Theft Resource Center
MCC – Major Cities Chiefs
NAC – National Advocacy Center
NASD – National Association of Securities Dealers, Inc.
NCFTA – National Cyber Forensic Training Alliance
NCHELP – National Council of Higher Education Loan Programs
NCUA – National Credit Union Administration
NCVS – National Crime Victimization Survey
NDAA – National District Attorneys Association
NIH – National Institutes of Health
NIST – National Institute of Standards and Technology
NYSE – New York Stock Exchange
OCC – Office of the Comptroller of the Currency
OIG – Office of the Inspector General
OJP – Office of Justice Programs (DOJ)
OMB – Office of Management and Budget
OPM – Office of Personnel Management
OTS – Office of Thrift Supervision
OVC – Office for Victims of Crime (DOJ)
PCI – Payment Card Industry
PIN – Personal Identification Number
PMA – President’s Management Agenda
PRC – Privacy Rights Clearinghouse
QRP – Questionable Refund Program (IRS CI)
RELEAF – Operation Retailers & Law Enforcement Against Fraud
RISS – Regional Information Sharing Systems
RITNET – Regional Identity Theft Network
RPP – Return Preparer Program (IRS CI)
SAR – Suspicious Activity Report
SBA – Small Business Administration
SEC – Securities and Exchange Commission
SMP – Senior Medicare Patrol
SSA – Social Security Administration
SSL – Security Socket Layer
SSN – Social Security number
TIGTA – Treasury Inspector General for Tax Administration
UNCC – United Nations Crime Commission
USA PATRIOT Act – Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Pub. L. No. 107-56)
USB – Universal Serial Bus
US-CERT – United States Computer Emergency Readiness Team
USPIS – United States Postal Inspection Service
USSS – United States Secret Service
VHA – Veterans Health Administration
VOIP – Voice Over Internet Protocol
VPN – Virtual private network
WEDI – Workgroup for Electronic Data Interchange
Identity Theft Task Force Members
Alberto R. Gonzales, Chairman, Attorney General
Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission
Henry M. Paulson, Department of Treasury
Carlos M. Gutierrez, Department of Commerce
Michael O. Leavitt, Department of Health and Human Services
R. James Nicholson, Department of Veterans Affairs
Michael Chertoff, Department of Homeland Security
Rob Portman, Office of Management and Budget
John E. Potter, United States Postal Service
Ben S. Bernanke, Federal Reserve System
Linda M. Springer, Office of Personnel Management
Sheila C. Bair, Federal Deposit Insurance Corporation
Christopher Cox, Securities and Exchange Commission
JoAnn Johnson, National Credit Union Administration
Michael J. Astrue, Social Security Administration
John C. Dugan, Office of the Comptroller of the Currency
John M. Reich, Office of Thrift Supervision
Letter to the President
April 11, 2007
The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.
Dear Mr. President:
By establishing the President’s Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government’s efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.
The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft’s damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.
There is no quick solution to this problem. But we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.
Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President’s Task Force on Identity Theft.
Very truly yours,
Alberto R. Gonzales, Chairman, Attorney General
Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission
I. Executive Summary
From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.
A. INTRODUCTION
Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.
Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult and costly decisions about investments in safeguards and what more to do to protect the public. And at every level of government—from the largest cities with major police departments to the smallest towns with one fraud detective—identity theft has placed increasingly pressing demands on law enforcement.
Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.
In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.
The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.
These communications from the public went a long way toward informing the Task Force’s recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.
B. THE STRATEGY
Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud. Identity theft has at least three stages in its “life cycle,” and it must be attacked at each of those stages:
First, the identity thief attempts to acquire a victim’s personal information.
Criminals must first gather personal information, either through low-tech methods—such as stealing mail or workplace records, or “dumpster diving”—or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.
Second, the thief attempts to misuse the information he has acquired.
In this stage, criminals have acquired the victim’s personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:
Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.
New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim’s name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.
In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.
Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.
In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation’s citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.
The Plan focuses on improvements in four key areas:
keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
assisting the victims of identity theft in recovering from the crime; and
deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.
In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:
that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.
The Task Force believes that all of the recommendations in this strategic plan—from these broad policy changes to the small steps—are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President’s Task Force on Identity Theft:
PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While “perfect security” does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.
Data Security in Public Sector
Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management
• Survey current use of SSNs by federal government
• Issue guidance on appropriate use of SSNs
• Establish clearinghouse for “best” agency practices that minimize use of SSNs
• Work with state and local governments to review use of SSNs
Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance
• Develop concrete guidance and best practices
• Monitor agency compliance with data security guidance
• Protect portable storage and communications devices
Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies
• Issue data breach guidance to agencies
• Publish a “routine use” allowing disclosure of information after a breach to those entities that can assist in responding to the breach
Data Security in Private Sector
Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements
Develop Comprehensive Record on Private Sector Use of Social Security Numbers
Better Educate the Private Sector on Safeguarding Data
• Hold regional seminars for businesses on safeguarding information
• Distribute improved guidance for private industry
Initiate Investigations of Data Security Violations
Initiate a Multi-Year Public Awareness Campaign
• Develop national awareness campaign
• Enlist outreach partners
• Increase outreach to traditionally underserved communities
• Establish “Protect Your Identity” Days
Develop Online Clearinghouse for Current Educational Resources
PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.
Authentication includes determining a person’s identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: Identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.
Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factor authentication or layered security—would go a long way toward preventing criminals from profiting from identity theft.
Hold Workshops on Authentication
• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity
• Issue report on workshop findings
Develop a Comprehensive Record on Private Sector Use of SSNs
VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Identity theft can be committed despite a consumer’s best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.
Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims
• Train law enforcement officers
• Provide educational materials for first responders that can be used as a reference guide for identity theft victims
• Create and distribute an ID Theft Victim Statement of Rights
• Design nationwide training for victim assistance counselors
Develop Avenues for Individualized Assistance to Identity Theft Victims
Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered
Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes
Assess Efficacy of Tools Available to Victims
• Conduct assessment of FACT Act remedies under FCRA
• Conduct assessment of state credit freeze laws
LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.
Coordination and Information/Intelligence Sharing
Establish a National Identity Theft Law Enforcement Center
Develop and Promote the Use of a Universal Identity Theft Report Form
Enhance Information Sharing Between Law Enforcement and the Private Sector
• Enhance ability of law enforcement to receive information from financial institutions
• Initiate discussions with financial services industry on countermeasures to identity theft
• Initiate discussions with credit reporting agencies on preventing identity theft
Coordination with Foreign Law Enforcement
Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft
Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime
Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies
Enhance the United States Government’s Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft
Assist, Train, and Support Foreign Law Enforcement
Prosecution Approaches and Initiatives
Increase Prosecutions of Identity Theft
• Designate an identity theft coordinator for each United States Attorney’s Office to design a specific identity theft program for each district
• Evaluate monetary thresholds for prosecution
• Encourage state prosecution of identity theft
• Create working groups and task forces
Conduct Targeted Enforcement Initiatives
• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale
• Conduct enforcement initiatives focused on identity theft related to the health care system
• Conduct enforcement initiatives focused on identity theft by illegal aliens
Review Civil Monetary Penalty Programs
Gaps in Statutes Criminalizing Identity Theft
Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes
• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted
• Add new crimes to the list of predicate offenses for aggravated identity theft offenses
• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications
• Penalize creators and distributors of malicious spyware and keyloggers
• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion
Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim
Law Enforcement Training
Enhance Training for Law Enforcement Officers and Prosecutors
• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft
• Increase number of regional identity theft seminars
• Increase resources for law enforcement on the Internet
• Review curricula to enhance basic and advanced training on identity theft
Measuring the Success of Law Enforcement
Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft
• Gather and analyze statistically reliable data from identity theft victims
• Expand scope of national crime victimization survey
• Review U.S. Sentencing Commission data
• Track prosecutions of identity theft and resources spent
• Conduct targeted surveys
II. The Contours of the Identity Theft Problem
Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.
Identity theft—the misuse of another individual’s personal information to commit fraud—can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.
Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain’s identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain’s name and with his Social Security number. The military identification, combined with the victim’s then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim’s name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim’s name.4
In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim’s existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim’s safe-deposit boxes.5
In these ways and others, consumers’ lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.
“I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver’s license was suspended. I hold three licenses in the State of Ohio—my driver’s license, my real estate license, and my RN license. After learning my driver’s license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter.”
Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003
A. PREVALENCE AND COSTS OF IDENTITY THEFT
There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.
Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly, but less prevalent, form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.
In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.
In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.
Consumers' fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.
B. IDENTITY THIEVES: WHO THEY ARE
Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC's 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.
Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.
Individuals
According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners' mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9
A number of recent reports have focused on the connection between individual methamphetamine ("meth") users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.
In an article entitled "Waitress Gets Own ID When Carding Patron," the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver's license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.
In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $18151705 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver's license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.
Significant Criminal Groups and Organizations
Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups—including national gangs such as Hell's Angels and MS-13—are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.
Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user's Internet connection, without the user's knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services—such as software templates for making counterfeit identification cards and payment card magnetic strip encoders—that make the stolen data even more valuable to those who have it.
C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE
Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim's name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.
Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.
In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant's accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an "unprecedented, wide-ranging, organized criminal enterprise" that "engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers." The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.
The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.
Common Theft and Dumpster Diving
While often considered a "high tech" crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as "dumpster diving."13 Still others steal information using techniques no more sophisticated than purse snatching.
Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed—a measure that is intended, among other things, to reduce the ability of a "dumpster diver" to obtain a victim's credit card number simply by looking through that victim's discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15
Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice
A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.
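The receipt-truncation requirement described above can be verified mechanically on point-of-sale output. The following is an added example, not part of the Task Force report: it scans receipt text for full card numbers, over-exposed masked numbers, and printed expiration dates. The five-digit limit and the expiration-date rule are taken from the FACT Act's receipt provision rather than from this page, and the receipts, labels, and function names are constructed for illustration.

```python
import re

MAX_VISIBLE_DIGITS = 5  # assumption: FACT Act receipt limit (last five digits)

# Card-like token: 13-19 digits or mask characters (* x X #), optionally
# separated by single spaces or dashes.
_CARD_TOKEN = re.compile(
    r"(?<![\w*#])(?:[0-9*xX#][ -]?){12,18}[0-9*xX#](?![\w*#])")
# Expiration date printed in clear, e.g. "EXP 09/08" or "Expires: 09/2008".
_EXPIRY = re.compile(
    r"\b(?:exp(?:iry|ires|\.)?|valid thru)\s*:?\s*\d{2}\s*/\s*\d{2,4}", re.I)


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_receipt(text, max_visible=MAX_VISIBLE_DIGITS):
    """Return (line_number, finding) pairs; card values are never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in _CARD_TOKEN.finditer(line):
            symbols = re.sub(r"[ -]", "", match.group())
            digits = re.sub(r"\D", "", symbols)
            if symbols.isdigit():
                # Unmasked run: the Luhn check separates card numbers from
                # reference or order numbers of similar length.
                if luhn_valid(symbols):
                    findings.append((lineno, "full-card-number"))
            elif len(digits) > max_visible:
                findings.append((lineno, "too-many-digits-visible"))
        if _EXPIRY.search(line):
            findings.append((lineno, "expiration-date-printed"))
    return findings


# Constructed sample receipts (4111 1111 1111 1111 is a well-known test number).
COMPLIANT = """CORNER DINER   (constructed sample)
2006-03-14 12:31  TABLE 7
VISA  ************1111
EXP  **/**
TOTAL  $23.40
"""

NONCOMPLIANT = """CORNER DINER   (constructed sample)
CARD  4111 1111 1111 1111
EXP 09/08
ACCT 411111******1111
REF 1234567890123
"""

if __name__ == "__main__":
    for name, receipt in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, audit_receipt(receipt))
```

Findings carry only a line number and a label, so the audit log does not itself become a store of card numbers.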
Employee/Insider Theft
Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee's access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.
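The terminated-employee access failure described above can be caught by reconciling HR records against account records. The following is an added example, not part of the Task Force report; the CSV column names, finding labels, and all rows are hypothetical and constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed HR export: an empty termination_date means still employed.
HR_CSV = """employee_id,name,termination_date
E100,A. Rivera,
E101,B. Chen,2006-11-30
E102,C. Okafor,2007-01-15
"""

# Constructed account export from the systems holding consumer data.
ACCOUNTS_CSV = """account,employee_id,system,enabled,last_login
arivera,E100,claims-db,true,2007-02-01
bchen,E101,claims-db,true,2006-12-18
bchen_vpn,E101,vpn,false,2006-11-29
cokafor,E102,payroll,true,2007-01-10
cokafor_mail,E102,mail,false,2007-01-20
svc_batch,,claims-db,true,2007-02-01
"""

# Lower number = review first.
SEVERITY = {
    "used-after-termination": 0,     # login recorded after the person left
    "enabled-after-termination": 1,  # still usable, no later login recorded
    "no-owner-on-record": 2,         # enabled account tied to no HR record
}


def find_lingering_access(hr_csv, accounts_csv):
    """Return (account, system, finding) tuples, most urgent first."""
    known, terminated = set(), {}
    for row in csv.DictReader(io.StringIO(hr_csv)):
        known.add(row["employee_id"])
        if row["termination_date"]:
            terminated[row["employee_id"]] = date.fromisoformat(
                row["termination_date"])

    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        owner = row["employee_id"]
        enabled = row["enabled"].strip().lower() == "true"
        last_login = (date.fromisoformat(row["last_login"])
                      if row["last_login"] else None)
        if owner not in known:
            if enabled:
                findings.append((row["account"], row["system"],
                                 "no-owner-on-record"))
            continue
        left = terminated.get(owner)
        if left is None:
            continue  # current employee
        if last_login and last_login > left:
            # Reported even if the account has since been disabled: the
            # access already happened and needs review.
            findings.append((row["account"], row["system"],
                             "used-after-termination"))
        elif enabled:
            findings.append((row["account"], row["system"],
                             "enabled-after-termination"))
    findings.sort(key=lambda f: (SEVERITY[f[2]], f[0]))
    return findings


if __name__ == "__main__":
    for finding in find_lingering_access(HR_CSV, ACCOUNTS_CSV):
        print(finding)
```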
Electronic Intrusions or Hacking
Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.
Second, hackers also can gain access to underlying applications—programs used to "communicate" between Internet users and a company's internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker's application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.
According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.
Social Engineering: Phishing, Malware/Spyware, and Pretexting
Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as "social engineering," can take a variety of forms.
In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution's screening practices came to light through the OCC's review of the former employee's activities.
In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe's Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe's retail store in Michigan and gained access to Lowe's central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe's retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.
Phishing: "Phishing" is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to "reenter" or "validate" their personal data. Such phishing schemes often mimic financial institutions' websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed "vishing," in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18
Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users' computers and data without the users' permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user's Internet sessions back to the hacker, including user names and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims' passwords and other useful data—such as "sniffing" Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.
"Phishing" Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group
At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS's website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.
Pretexting: Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer's account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer's name.20
Stolen Media
In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an "incidental" manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded—such as through the use of technological tools for protecting data—this information can be accessed and used to steal the victim's identity. Identity thieves also may obtain consumer data when it is lost or misplaced.
Failure to "Know Your Customer"
Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.
The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.
Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.
In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.
"Skimming"
Because it is possible to use someone's credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as "skimmers." A skimmer is an inexpensive electronic device with a slot through which a person passes or "skims" a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer's sight, he can skim the card through the device and then swipe it through the restaurant's own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer's card, as well as the consumer's password.
D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT
Once they obtain victims' personal information, criminals misuse it in endless ways, from opening new accounts in the victim's name, to accessing the victim's existing accounts, to using the victim's name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.
Misuse of Existing Accounts
Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer's wallet.
A "skimmer." Source: Durham, Ontario Police
In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.
Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims' bank accounts, including checking accounts—sometimes referred to as "account takeovers."24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims' online brokerage accounts.25
Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26
New Account Fraud
A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim's name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.
Criminal's skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer's keystrokes. Source: University of Texas Police Department
In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor's Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.
When criminals establish new credit card accounts in others' names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others' names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.
"Brokering" of Stolen Data
Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as "carding sites," traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.
Immigration Fraud
In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.
Medical Identity Theft
Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim's identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.
Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney's Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver's licenses, credit, or even medical services because someone had improperly used their personal information before.
Other Frauds
Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS's Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.
With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services' Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.
Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney's Office for the Southern District of New York obtained a criminal conviction against him in 2002.
In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant's allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.
A STRATEGY TO COMBAT IDENTITY THEFT
III. A Strategy to Combat Identity Theft
Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its “life cycle,” it must be attacked at each of those stages, including:
• when the identity thief attempts to acquire a victim’s personal information;
• when the thief attempts to misuse the information he has acquired; and
• after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
The federal government’s strategy to combat identity theft must address each of these stages by:
• keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;
• making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;
• assisting victims in recovering from the crime; and
• deterring identity theft by aggressively prosecuting and punishing those who commit the crime.
A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force’s recommendations, as described below, are focused on those areas.
A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as “perfect security,” some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.
The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.29 Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.
1. Decreasing the Unnecessary Use of Social Security Numbers
The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim’s SSN and certain other information generally can open accounts or obtain other benefits in the victim’s name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.
SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers’ earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, is expressly authorized by statute.
The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.
Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students’ identification number for a range of purposes, from administering loans to tracking grades, and may place it on students’ identification cards, although usage for these purposes is declining.
In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver’s licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.
SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.30 Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.
No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations’ disclosure of SSNs without patient authorization; and the Driver’s Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 “permissible uses.”31 In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.32 A number of state statutes restrict the use and display of SSNs in certain contexts.33 Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.34
There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.
Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization’s internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN’s use as an authenticator.
In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA’s Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.
Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber’s identification number.35 Additionally, the Department of Treasury’s Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.
More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.
RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR
To limit the unnecessary use of SSNs in the public sector—and to begin to develop alternative strategies for identity management—the Task Force recommends the following:
Complete Review of Use of SSNs. As recommended in the Task Force’s interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers, where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in “any system of permanent account numbers pertaining to individuals,” should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.
When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim’s name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief’s medical information was added to the victim’s medical records.
Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.
Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.36
Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB’s review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices—including the development of any alternative strategies for identity management—to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.
Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments—through organizations such as the National Governor’s Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems—to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders—including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.
2. Data Security in the Public Sector
While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.
a. Safeguarding of Information in the Public Sector
Two sets of laws and associated policies frame the federal government’s responsibilities in the area of data security. The first specifically governs the federal government’s information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.37 The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a “time-out” function for remote access and mobile devices.38 The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.39
Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President’s Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.40
Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.
Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.
b. Responding to Data Breaches in the Public Sector
Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.
The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.
RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE
To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:
Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 “mistakes” to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.
Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency’s quarterly PMA Scorecard.
Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency’s PMA scorecard.
RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES
To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:
Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.
Publish a “Routine Use” Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.41 DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.
3. Data Security in the Private Sector
Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.
a. The Current Legal Landscape
Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act, and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;42 Section 5 of the FTC Act, which prohibits unfair or deceptive practices;43 the FCRA,44 which restricts access to consumer reports and imposes safe disposal requirements, among other things;45 HIPAA, which protects health information;46 Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,47 which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers’ personal information.48 See Volume II, Part A, for a description of federal laws and regulations related to data security.
The federal bank regulatory agencies—the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)—and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation.
BJ’s Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ’s stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers, and led to millions of dollars in fraudulent charges.
In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.
In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,49 and some states have laws relevant to data security, including safeguards and disposal requirements.
Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.50
Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution’s sensitive data to safeguard that data.51 Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor’s data center, and requiring vendors to provide certification that they are in compliance with the contracting organization’s privacy and data protection obligations.52
b. Implementation of Data Security Guidelines and Rules
Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.
In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company’s website permitted unauthorized access to consumers’ personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.
In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.
Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.53 But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.54 The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.55
Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.56 For example, of the small businesses surveyed:
• nearly 20 percent did not use virus scans for email, a basic information security safeguard;
• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;
• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and
• 74 percent reported having no information security plan in place.
Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies—sometimes pursuant to law or regulations issued by agencies—are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.
In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company’s security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.
c. Responding to Data Breaches in the Private Sector
Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers’ fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.57 Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.58 Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.
The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.
A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.
In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.
Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.59 Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.60 A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.61 Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.62
RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS
Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to “financial institutions,” but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles.
Covered data. The national standards for data security and for breach notification should cover data that can be used to perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual’s account, or to establish a new account using the individual’s identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver’s license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter “covered data”). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.
When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.
Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.
Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent “acquisition” of the data, and thus ordinarily would satisfy an entity’s legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.
Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This “significant risk of identity theft” trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or, conversely, to ignore the notices when the risks are real.
Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).
Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.
Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.
Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.
Private right of action. The national standards should not provide for or create a private right of action.
Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.
RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA
Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately, is less likely to suffer a data compromise. The Task Force therefore makes the following recommendations concerning how to better educate the private sector:
When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.
Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions, about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar’s leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force’s online clearinghouse at www.idtheft.gov.
Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook’s Information Security Booklet issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.
RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS
Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.
A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company’s cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.
4. Educating Consumers on Protecting Their Personal Information
The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.
The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of “Deter, Detect, and Defend,” which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.
The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.
Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims’ coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted “Consumer Action Days,” with free seminars about identity theft and other consumer protection issues.
Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.64 As of this writing, more than 500 local police departments are using the FTC’s “Deter, Detect, Defend” campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.
Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons—including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms—students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.65 In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.66
Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide—how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath—are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.
RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN
Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC’s current “AvoID Theft: Deter, Detect, Defend” campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:
Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.
Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.
Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.
Establish “Protect Your Identity Days.” The campaign should establish “Protect Your Identity Days” to promote better data security by businesses and individual commitment to security by consumers. These “Protect Your Identity Days” should also build on the popularity of community “shred-ins” by encouraging community and business organizations to shred documents containing personal information.
RECOMMENDATION: DEVELOP AN ONLINE “CLEARINGHOUSE” FOR CURRENT EDUCATIONAL RESOURCES
The Task Force recommends that in the third quarter of 2007, the Task Force member agencies develop an online “clearinghouse” for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.
B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.
An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision, and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer’s credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to “verify” the applicant’s identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.
Identity systems follow a two-fold process: first, determining (“identification”) and setting (“enrollment”) the identity of an individual at the onset of the relationship; and second, later ensuring that the individual is the same person who was initially enrolled (“authentication”). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, “financial institutions”), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.67 The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.68 See Volume II, Part G, for a description of recent laws relating to identification documents.
The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.69
Once an individual’s identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:
• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer’s monthly mortgage payment.
• Something a person has—most commonly a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.70
• Something a person is—most commonly a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.71
Some entities use a single form of authentication—most commonly a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.72 Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.73 Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.
SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.
RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION
Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.
As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
As noted in Section III.A.1, above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.
C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.
1. Victim Assistance: Outreach and Education
Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.
In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.
Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.
Fair and Accurate Credit Transaction Act (FACT Act) Rights. The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.
Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:
• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.
• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.
• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.
• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.
• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.
State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General’s office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.
A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.
Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.
RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS
First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:
Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.
Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.
Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.
Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.
RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS
Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:
Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.
2. Making Identity Theft Victims Whole
Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.
The many hours victims spend in attempting to recover from the harms they suffer often take a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.
“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”
Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001
In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.74 In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.
RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED
Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.
As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.
RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES
One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or “passports,” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.
3. Gathering Better Information on the Effectiveness of Victim Recovery Measures
Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims’ experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.
RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS
The Task Force recommends the following surveys or assessments:
Conduct Assessment of FACT Act Remedies Under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.
Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policymakers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.
D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.
The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.
In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.
In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.
During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute75 enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.
The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.
1. Coordination and Intelligence/Information Sharing
Federal law enforcement agencies have recognized the importance of coordination among agencies and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.
In “Operation Firewall,” the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar. Using the website www.shadowcrew.com, the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents, such as drivers’ licenses, passports, and Social Security cards, as well as stolen credit card, debit card, and bank account numbers. The Shadowcrew members trafficked in at least 17 million stolen credit card numbers and caused total losses in excess of $4 million. The Secret Service successfully shut down the website following a year-long undercover investigation, which resulted in the arrests of 21 individuals in the United States on criminal charges in October 2004. Additionally, law enforcement officers in six foreign countries arrested or searched eight individuals.
a. Sources of Identity Theft Information
Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement through a secure website the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.
Private sector entities—including the financial services industry and credit reporting agencies—also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.
One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient “stove-piping” of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.
b. Format for Sharing Information and Intelligence
A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program’s terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.
To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police’s (IACP) Private Sector Liaison Committee and the Major Cities’ Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.
c. Mechanisms for Sharing Information
Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.
Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.
Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers “connect the dots” in investigations and pool limited resources.
RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER
The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to “connect the dots” between various investigations around the country.
In a case prosecuted by the United States Attorney’s Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.
RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM
The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC—a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department’s report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.
Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint (“Complaint”) form was made available in October 2006 via the FTC’s Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC’s Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.
RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR
Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:
Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service’s current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim’s credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.
2. Coordination With Foreign Law Enforcement
Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.
Becauseof theinternationalnatureof manyformsof identitytheftprovidingassistancetoandreceivingassistancefromforeignlawenforcementonidentitytheftiscriticalforUSenforcementagenciesUndercurrentlawtheUnitedStatesgenerallyisabletoprovidesuchassistancewhichfulfillsourobligationsundervarioustreatiesandenhancesourabilitytoobtainreciprocalassistancefromforeignagenciesIndeedtherearenumerousexamplesof collaborationsbetweenUSandforeignlawenforcementinidentitytheftinvestigations
NeverthelesslawenforcementfacesseveralimpedimentsintheirabilitytocoordinateeffortswithforeigncounterpartsFirsteventhoughfederallawenforcementagencieshavesuccessfullyidentifiednumerousforeignsuspectstraffickinginstolenconsumerinformationtheirabilitytoarrestandprosecutethesecriminalsisverylimitedManycountriesdonothavelawsdirectlyaddressingidentitytheftorhavegeneralfraudlawsthatdonotparallelthoseintheUnitedStatesThusinvestigatorsintheUnitedStatesmaybeabletoproveviolationsof Americanidentitytheftstatutesyetbeunabletoshowviolationsof theforeigncountryrsquoslawThiscanimpactcooperationonextraditionorcollectionof evidencenecessarytoprosecuteoffendersintheUnitedStatesAdditionallysomeforeigngovernmentsareunwillingtocooperatefullywithAmericanlawenforcementrepresentativesormaycooperatebutfailtoaggressivelyprosecuteoffendersorseizecriminalassets
Second, certain statutes governing foreign requests for electronic and other evidence—specifically, 18 U.S.C. § 2703 and 28 U.S.C. § 1782—fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.
The FBI Legal Attaché in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attaché with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attaché assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.
RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT
The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.
RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE
Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention’s standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings, and should continue until broad international acceptance of the Convention on Cybercrime is achieved.
RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES
Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.
RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT’S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT
The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).
RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT
Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.
3. Prosecution Approaches and Initiatives
As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney’s Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney’s Office in the District of Oregon has an identity theft “fast track” program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney’s Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.
Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney’s Offices have monetary thresholds—i.e., requirements that a certain amount of monetary loss must have been suffered by the victims—before the U.S. Attorney’s Office will open an identity theft case. When a U.S. Attorney’s Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.
RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT
The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:
Designate An Identity Theft Coordinator for Each United States Attorney’s Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney’s Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.
Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney’s Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.
Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.
Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.
RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES
Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:
Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals’ SSNs or other sensitive information to anyone who provides them with the individual’s name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.
Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries’ and providers’ identities and identification numbers, the opening of bank accounts in individuals’ names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.
Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.
RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS
By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.
4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps
Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.
a. The Identity Theft Statutes
The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.76 Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.
There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of “a person,” it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization’s name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.
b. Computer-Related Identity Theft Statutes
Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company’s internal local networks or by a thief intruding into a wireless network generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer’s wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney’s Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.
A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause “damage” to computers, i.e., that impair the “integrity or availability” of data or computer systems.77 Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals’ computers. Whether the programs succeed in obtaining the unsuspecting computer owner’s financial data, these sorts of programs harm the “integrity” of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.
c. Cyber-Extortion Statute
Another federal criminal statute that may apply in some computer-related identity theft cases is the “cyber-extortion” provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat “to cause damage to a protected computer,”78 is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first—such as by accessing a corporate computer without authority and encrypting critical data—and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly “threaten to cause damage” can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.
d. Sentencing Guidelines Governing Identity Theft
In recent years, the courts have created some uncertainty about the applicability of the “multiple victim enhancement” provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.79
RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES
The Task Force recommends that Congress take the following legislative actions:
Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.
Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases—mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A—in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.
Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.
Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant’s action must cause “damage” to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.
Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.
RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF’S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM
The Sentencing Commission should amend the definition of “victim,” as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.
5. Training of Law Enforcement Officers and Prosecutors
Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney’s Offices, for example, several federal law enforcement agencies—including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI—along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.
Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges—including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft—that warrant more specialized training at all levels of law enforcement.
RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS
Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ’s Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any “model programs”—fast track programs, etc.).
Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.
Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.
Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.
6. Measuring Success of Law Enforcement Efforts
One shortcoming in the federal government’s ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.
Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.
RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM’S RESPONSE TO IDENTITY THEFT
Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of, and compliance with, the identity theft-related provisions of the consumer protection laws it enforces.
Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.
Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.
Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an “Identity Theft” category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.
Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.
IV. Conclusion: The Way Forward
There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.
Only a comprehensive and fully coordinated strategy to combat identity theft—one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector—will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders—consumers, business, and government—must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well being.
Appendices
APPENDIX A
Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol
APPENDIX B
Proposed Routine Use Language
Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12990, 12993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28948, 28953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.
Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:80
To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.
Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.
Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB, and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.
APPENDIX C
Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)
Proposed Language
(a) Section 3663 of Title 18, United States Code, is amended by:
(1) Deleting “and” at the end of paragraph (4) of subsection (b);
(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “; and”; and
(3) Adding the following after paragraph (5) of subsection (b):
“(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”
Make conforming changes to the following:
(b) Section 3663A of Title 18, United States Code, is amended by:
(1) Adding the following after Section 3663A(b)(4):
“(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”
Section Analysis
These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim’s time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim’s time spent clearing a victim’s credit report or resolving charges made by the perpetrator for which the victim has been made responsible.
Newsubsections3663(b)(6)and3663A(b)(5)of Title18wouldmakeclearthatrestitutionordersmayincludeanamountequaltothevalueof thevictimrsquostimespentremediatingtheactualorintendedharmof theidentitytheftoraggravatedidentitytheftoffenseThefederalcourtsof appealshaveinterpretedtheexistingprovisionsof Section3663insuchawaythatwouldlikelyprecludetherecoveryof suchamountsabsentexplicitstatutoryauthorizationForexampleinUnited States v Arvanitis902F3d489(7thCir1990)thecourtheldthatrestitutionorderedforoffensesresultinginlossof propertymustbelimitedtorecoveryof propertywhichisthesubjectof theoffensesandmaynotincludeconsequentialdamagesSimilarlyinUnited States v Husky924F2d223(11thCir1991)theEleventhCircuitheld
thatthelistof compensableexpensesinarestitutionstatuteisexclusiveandthusthedistrictcourtdidnothavetheauthoritytoorderthedefendanttopayrestitutiontocompensatethevictimformentalanguishandsufferingFinallyinUnited States v Schinnell80F3d1064(5thCir1996)thecourtheldthatrestitutionwasnotallowedforconsequentialdamagesinvolvedindeterminingtheamountof lossorinrecoveringthosefundsthusavictimof wirefraudwasnotentitledtorestitutionforaccountingfeesandcoststoreconstructbankstatementsforthetimeperiodduringwhichthedefendantperpetuatedtheschemeforthecostof temporaryemployeestoreconstructmonthlybankstatementsandforthecostsincurredinborrowingfundstoreplacestolenfundsThesenewsubsectionswillprovidestatutoryauthorityforinclusionof amountsequaltothevalueof thevictimrsquostimereasonablyspentremediatingtheharmincurredasaresultof theidentitytheftoffense
APPENDIX D
Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512
The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.
Proposed Language
§ 2703. Required disclosure of customer communications or records
(a) Contents of wire or electronic communications in electronic storage.--A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.
(b) Contents of wire or electronic communications in a remote computing service.--(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection--
(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or
(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity--
(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or
(ii) obtains a court order for such disclosure under subsection (d) of this section;
except that delayed notice may be given pursuant to section 2705 of this title.
(c) Records concerning electronic communication service or remote computing service.--(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity--
(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;
§ 2711. Definitions for chapter
As used in this chapter--
(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;
(2) the term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system; and
(3) the term “court of competent jurisdiction” has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means--
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that--
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or
(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.
§ 3127. Definitions for chapter
As used in this chapter--
(1) the terms “wire communication”, “electronic communication”, “electronic communication service”, and “contents” have the meanings set forth for such terms in section 2510 of this title;
(2) the term “court of competent jurisdiction” means--
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that--
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located;
(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or
(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device;
§ 3512. Foreign requests for assistance in criminal investigations and prosecutions
(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.
(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to--
(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;
(2) administer any necessary oath; and
(3) take testimony or statements and receive documents or other things.
(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed--
(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;
(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents, or things may be located; or
(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.
(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.
(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.
(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.
(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.
(h) As used in this section--
(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and
(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.
APPENDIX E
Text of Amendments to 18 U.S.C. §§ 1028 and 1028A
The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.
Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses
Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A--in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).
Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations
(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.
Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.
(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “or other person” after the word “individual”.
Rationale
Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized “appropriation” of legitimate companies’ names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation, sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy, and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.
One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as “phishing,” whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme--for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.
Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special “horror story” which stands above the rest. In August 2005, the “Anti-Phishing Working Group” determined in just that month alone, there were 5,259 unique phishing websites around the world. By December 2005, that number had increased to 7,197, and there were 15,244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities’ names (and even logos and web content) were “hijacked” (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., httpantiphishingorgapwg_phishing_activity_report_august_05pdf.
In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks and companies’ names in communications with victims or in counterfeit checks.
Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code, to apply only to “natural” persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.
APPENDIX F
Text of Amendment to 18 U.S.C. § 1030(a)(2)
The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
1030(a) Whoever--
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains--
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
APPENDIX G
Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b
The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
18 U.S.C. § 1030
(a) Whoever--
(5)
(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)--
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
(c) The punishment for an offense under subsection (a) or (b) of this section is--
(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(3) (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;
(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section; and
(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and
(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.
(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)--
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety;
(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or
(vi) damage affecting ten or more protected computers during any 1-year period;
or an attempt to commit an offense punishable under this subparagraph;
(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph;
(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both;
(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both; or
(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph.
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
18 U.S.C. § 2332b(g)(5)(B)(I)
1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)
APPENDIX H
Text of Amendments to 18 U.S.C. § 1030(a)(7)
The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.
Proposed Language
18 U.S.C. § 1030(a)(7)
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any--
(a) threat to cause damage to a protected computer;
(b) threat to obtain information from a protected computer without authorization or in excess of authorization, or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;
APPENDIX I
Text of Amendment to United States Sentencing Guideline § 2B1.1
The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.
Proposed language for United States Sentencing Guidelines § 2B1.1, comment. (n.1)
“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.
APPENDIX J
Description of Proposed Surveys
In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:
• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.
• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3,000 agencies. The sample includes all agencies with 100 or more officers and a stratified random sample of smaller agencies, as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.
• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft, as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.
• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the postconviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.
• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.
• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.
ENDNOTES
1. Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.
2. The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.
3. The public comments are available at wwwidtheftgov.
4. Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”
5. See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at httpwwwusdojgovusaomiwpressJMiller_ Others10172006html.
6. Javelin Strategy and Research, 2007 Identity Fraud Survey Report Identity Fraud is Dropping Continued Vigilance Necessary (Feb. 2007), summary available at httpwwwjavelinstrategycom; Bureau of Justice Statistics (DOJ) (2004), available at httpwwwojpusdojgovbjspubpdfit04pdf; Gartner, Inc. (2003), available at httpwwwgartnercom5_aboutpress_releasespr21july2003ajsp; FTC 2003 Survey Report (2003), available at httpwwwconsumergovidtheftpdf synovate_reportpdf.
7. See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection BSA Survey Suggests (Jan. 12, 2006), available at httpwwwbsacybersafetycomnews2005-Online-Shopping-Confidencecfm.
8. See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at httpswwwcsiallianceorgpublicationssurveys_and_pollsCSIA_Internet_Security_Survey_June_2005pdf.
9. See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at httpwwwusdojgovusaoflsPressReleases060719-01html.
10. See, e.g., John Leland, Meth Users Attuned to Detail Add Another Habit ID Theft, New York Times, July 11, 2006, available at httpwwwnytimescom20060711us11methhtmlex=1153540800ampen=7b6c7773afa880beampei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit Online Theft, USA Today, December 14, 2005, available at httpwwwusatodaycomtechnewsinternetprivacy2005-12-14-meth-online-theft_xhtm.
11. Bob Mims, Id Theft Is the No 1 Runaway US Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526.
12. Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, httpdeseretnewscomdnview0124960012971400html.
13. Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at httpwwwnytimescom20031221magazine21IDENTITYhtmlex=1387342800ampen=b693eef01223bc3bampei=5007amppartner=USERLAND.
14. Pub. L. No. 108-159, 117 Stat. 1952.
15. The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).
16. Overview of Attack Trends, CERT Coordination Center 2002, available at httpwwwcertorgarchivepdfattack_trendspdf.
17. Lanowitz, T., Gartner Research ID Number G00127407, December 1, 2005.
18. “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at httpwwwconsumeraffairscomnews04200607scam_vishinghtml.
19. Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See httpwwwftcgovopa200605phonerecordshtm.
20. The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at httpwwwftcgovopa200203pretextingsettlementshtm.
21. See, e.g., Computers Stolen with Data on 72,000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.
22. 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a).
23. Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.
24. See httpwwwbizjournalscomphiladelphiastories20060724daily30html. See also Identity Theft Resource Center, Fact Sheet 126, Checking Account Takeover and Check Fraud, httpwwwidtheftcenterorgvg126shtml.
25. For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37,000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at httpwwwsecgovlitigationlitreleases2006lr19949htm
26. For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.
27. See John Leland, Some ID Theft Is Not For Profit, But to Get a Job, N.Y. Times, Sept. 4, 2006.
28. See World Privacy Forum, Medical Identity Theft: The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforumorgpdfwpf_medicalidtheft2006pdf
29. See httpwwwidanalyticscomnews_and_events20051208htm. Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.
30. Government Accounting Office, Social Security Numbers: Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004), at 2, available at httpwwwgaogovnewitemsd0559pdf
31. 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.
32. 5 U.S.C. § 552a.
33. See, e.g., Ariz. Rev. Stat. § 44-1373.
34. Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain, GAO-05-1016T, September 15, 2005.
35. See, e.g., wwwwpsiccomedicomm_sub_pshtmlmm=3, Non-SSN Member Numbers to Be Assigned for Privacy Protection.
36. Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.
37. The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”
38. See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).
39. The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.
40. See httpwwwwhitehousegovresultsagendascorecardhtml
41. The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.
42. 15 U.S.C. §§ 6801-09; 16 C.F.R. Part 313 (FTC); 12 C.F.R. Part 30, App. B (OCC, national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 C.F.R. Part 364, App. B (FDIC, state non-member banks); 12 C.F.R. Part 570, App. B (OTS, savings associations); 12 C.F.R. Part 748, App. A (NCUA, credit unions); 16 C.F.R. Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 C.F.R. Part 248.30 (SEC); 17 C.F.R. Part 160.30 (CFTC).
43. 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.
44. 15 U.S.C. §§ 1681-1681x, as amended.
45. Pub. L. No. 108-159, 117 Stat. 1952.
46. 42 U.S.C. §§ 1320d et seq.
47. 31 U.S.C. § 5318(l).
48. 18 U.S.C. §§ 2721 et seq.
49. httpwwwncslorgprogramsliscipprivbreachlawshtm
50. httpwwwbbborgsecurityandprivacySecurityPrivacyMadeSimplerpdf; wwwstaysafeonlineorgbasicscompanybasic_tipshtml; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at wwwbitsinfoorgdownloadsPublications20Pagebitsconsconpdf; wwwrealtororgrealtororgnsffilesNARInternetSecurityGuidepdf$FILENARInternetSecurityGuidepdf; wwwantiphishingorgreportsbestpracticesforispspdf; wwwuschambercomsbsecuritydefaulthtm; wwwtrusteorgpdfSecurityGuidelinespdf; wwwthe-dmaorgprivacyinformationsecurityshtml; httpwwwstaysafeonlineorgbasicscompanybasic_tipshtml
51. These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A and B, and 12 C.F.R. Part 717 (credit unions); 16 C.F.R. Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).
52. See, e.g., httpwwwtrusteorgpdfSecurityGuidelinespdf; httpwwwthe-dmaorgprivacyinformationsecurityshtml
53. Deloitte Financial Services, 2006 Global Security Survey, available at httpsingerucusnetblogarchives756-Deloitte-Security-Surveyshtml
54. Datalink, Data Storage Security Study, March 2006, available at wwwdatalinkcomsecurity
55. Id.
56. See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).
57. See, e.g., California (Cal. Civ. Code § 1798.82 (2006)), Illinois (815 Ill. Comp. Stat. 530/5 (2005)), Louisiana (La. Rev. Stat. 51:3074 (2006)), Rhode Island (R.I. Gen. Laws § 11-49.2-3 (2006)).
58. See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)), Florida (Fla. Stat. § 817.5681 (2005)), New York (NY CLS Gen. Bus. § 889-aa (2006)), Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).
59. Ponemon Institute LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, p. 16 (Apr. 26, 2006).
60. Id.
61. Ponemon Institute LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).
62. MultiChannel Merchant, Retailers Need to Provide Greater Data Security, Survey Says (Dec. 1, 2005), available at httpmultichannelmerchantcomopsandfulfillmentadvisorretailers_data_security_1201indexhtml
63. See Information Technology Examination Handbook’s Information Security Booklet, available at httpwwwffiecgovguideshtm
64. See, e.g., httpwwwpvkansascompolicecrimeiden_theftshtml (Prairie Village, Kansas); httpphoenixgovPOLICEdcd1html (Phoenix, Arizona); wwwcoarapahoecousdepartmentsSHindexasp (Arapahoe County, Colorado).
65. Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.
66. Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.
67. See 31 C.F.R. § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 C.F.R. § 103.122 (broker-dealers); 17 C.F.R. § 270.0-11, 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers).
68. See httpwwwdhsgovxprevprotlawsgc_1172765386179shtm
69. A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.
Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages before too much harm is done. See 71 Fed. Reg. 40786 (July 18, 2006), to be codified at 12 C.F.R. Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 C.F.R. Part 681 (FTC), available at httpwwwoccgovfrfedregister71fr40786pdf
70. USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information, such as a PIN, to allow access to a computer network. This system is frequently used to allow for remote access to a workstation for a telecommuter.
71. Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at wwwbiometricsgov
72. See Authentication in an Internet Banking Environment (October 12, 2005), available at httpwwwffiecgovpdfauthentication_guidancepdf
73. See FFIEC, Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at httpwwwffiecgovpdfauthentication_faqpdf
74. See Kristin Davis and Jessica Anderson, But Officer, That Isn’t Me, Kiplinger’s Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va. Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).
75. 18 U.S.C. § 1028A.
76. 18 U.S.C. § 1028(d)(7).
77. See 18 U.S.C. § 1030(e)(8).
78. 18 U.S.C. § 1030(a)(7).
79. S. Rep. No. 105-274, at 9 (1998).
80. As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.
Glossary of Acronyms
AAMVA – American Association of Motor Vehicle Administrators
AARP – American Association of Retired Persons
ABA – American Bar Association
APWG – Anti-Phishing Working Group
BBB – Better Business Bureau
BIN – Bank Identification Number
BJA – Bureau of Justice Assistance
BJS – Bureau of Justice Statistics
CCIPS – Computer Crime and Intellectual Property Section (DOJ)
CCMSI – Credit Card Mail Security Initiative
CFAA – Computer Fraud and Abuse Act
CFTC – Commodity Futures Trading Commission
CIO – Chief Information Officer
CIP – Customer Identification Program
CIRFU – Cyber Initiative and Resource Fusion Center
CMRA – Commercial Mail Receiving Agency
CMS – Centers for Medicare and Medicaid Services (HHS)
CRA – Consumer reporting agency
CVV2 – Card Verification Value 2
DBFTF – Document and Benefit Fraud Task Force
DHS – Department of Homeland Security
DOJ – Department of Justice
DPPA – Drivers Privacy Protection Act of 1994
FACT Act – Fair and Accurate Credit Transactions Act of 2003
FBI – Federal Bureau of Investigation
FCD – Financial Crimes Database
FCRA – Fair Credit Reporting Act
FCU Act – Federal Credit Union Act
FDI Act – Federal Deposit Insurance Act
FDIC – Federal Deposit Insurance Corporation
FEMA – Federal Emergency Management Agency
FERPA – Family and Educational Rights and Privacy Act of 1974
FFIEC – Federal Financial Institutions Examination Council
FIMSI – Financial Industry Mail Security Initiative
FinCEN – Financial Crimes Enforcement Network (Department of Treasury)
FISMA – Federal Information Security Management Act of 2002
FRB – Federal Reserve Board of Governors
FSI – Financial Services, Inc.
FTC – Federal Trade Commission
FTC Act – Federal Trade Commission Act
GAO – Government Accountability Office
GLB Act – Gramm-Leach-Bliley Act
HHS – Department of Health and Human Services
HIPAA – Health Insurance Portability and Accountability Act of 1996
IACP – International Association of Chiefs of Police
IAFCI – International Association of Financial Crimes Investigators
IC3 – Internet Crime Complaint Center
ICE – U.S. Immigration and Customs Enforcement
IRS – Internal Revenue Service
IRS CI – IRS Criminal Investigation Division
IRTPA – Intelligence Reform and Terrorism Prevention Act of 2004
ISI – Intelligence Sharing Initiative (U.S. Postal Inspection Service)
ISP – Internet service provider
ISS LOB – Information Systems Security Line of Business
ITAC – Identity Theft Assistance Center
ITCI – Information Technology Compliance Institute
ITRC – Identity Theft Resource Center
MCC – Major Cities Chiefs
NAC – National Advocacy Center
NASD – National Association of Securities Dealers, Inc.
NCFTA – National Cyber Forensic Training Alliance
NCHELP – National Council of Higher Education Loan Programs
NCUA – National Credit Union Administration
NCVS – National Crime Victimization Survey
NDAA – National District Attorneys Association
NIH – National Institutes of Health
NIST – National Institute of Standards and Technology
NYSE – New York Stock Exchange
OCC – Office of the Comptroller of the Currency
OIG – Office of the Inspector General
OJP – Office of Justice Programs (DOJ)
OMB – Office of Management and Budget
OPM – Office of Personnel Management
OTS – Office of Thrift Supervision
OVC – Office for Victims of Crime (DOJ)
PCI – Payment Card Industry
PIN – Personal Identification Number
PMA – President’s Management Agenda
PRC – Privacy Rights Clearinghouse
QRP – Questionable Refund Program (IRS CI)
RELEAF – Operation Retailers & Law Enforcement Against Fraud
RISS – Regional Information Sharing Systems
RITNET – Regional Identity Theft Network
RPP – Return Preparer Program (IRS CI)
SAR – Suspicious Activity Report
SBA – Small Business Administration
SEC – Securities and Exchange Commission
SMP – Senior Medicare Patrol
SSA – Social Security Administration
SSL – Security Socket Layer
SSN – Social Security number
TIGTA – Treasury Inspector General for Tax Administration
UNCC – United Nations Crime Commission
USA PATRIOT Act – Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Pub. L. No. 107-56)
USB – Universal Serial Bus
US-CERT – United States Computer Emergency Readiness Team
USPIS – United States Postal Inspection Service
USSS – United States Secret Service
VHA – Veterans Health Administration
VOIP – Voice Over Internet Protocol
VPN – Virtual private network
WEDI – Workgroup for Electronic Data Interchange
Identity Theft Task Force Members
Alberto R. Gonzales, Chairman
Attorney General
Deborah Platt Majoras, Co-Chairman
Chairman, Federal Trade Commission
Henry M. Paulson, Department of Treasury
Carlos M. Gutierrez, Department of Commerce
Michael O. Leavitt, Department of Health and Human Services
R. James Nicholson, Department of Veterans Affairs
Michael Chertoff, Department of Homeland Security
Rob Portman, Office of Management and Budget
John E. Potter, United States Postal Service
Ben S. Bernanke, Federal Reserve System
Linda M. Springer, Office of Personnel Management
Sheila C. Bair, Federal Deposit Insurance Corporation
Christopher Cox, Securities and Exchange Commission
JoAnn Johnson, National Credit Union Administration
Michael J. Astrue, Social Security Administration
John C. Dugan, Office of the Comptroller of the Currency
John M. Reich, Office of Thrift Supervision
Letter to the President
April 11, 2007
The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.
Dear Mr. President:
By establishing the President’s Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government’s efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.
The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft’s damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.
There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.
Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President’s Task Force on Identity Theft.
Very truly yours,
Alberto R. Gonzales, Chairman
Attorney General
Deborah Platt Majoras, Co-Chairman
Chairman, Federal Trade Commission
I. Executive Summary
From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.
A. INTRODUCTION
Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,¹ which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies² have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.
Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government—from the largest cities with major police departments to the smallest towns with one fraud detective—identity theft has placed increasingly pressing demands on law enforcement.
Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.
In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.³ The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.
The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.
These communications from the public went a long way toward informing the Task Force’s recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.
B. THE STRATEGY
Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud. Identity theft has at least three stages in its “life cycle,” and it must be attacked at each of those stages:
First, the identity thief attempts to acquire a victim’s personal information.
Criminals must first gather personal information, either through low-tech methods—such as stealing mail or workplace records, or “dumpster diving”—or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.
Second, the thief attempts to misuse the information he has acquired.
In this stage, criminals have acquired the victim’s personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:
Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.
New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim’s name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.
In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.
Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.
In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation’s citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.
The Plan focuses on improvements in four key areas:
• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.
InthesefourareastheTaskForcemakesanumberof recommendationssummarizedingreaterdetailbelowAmongthoserecommendationsarethefollowingbroadpolicychanges
thatfederalagenciesshouldreducetheunnecessaryuseof SocialSecuritynumbers(SSNs)themostvaluablecommodityforanidentitythief
thatnationalstandardsshouldbeestablishedtorequireprivatesectorentitiestosafeguardthepersonaldatatheycompileandmaintainandtoprovidenoticetoconsumerswhenabreachoccursthatposesasignificantriskof identitytheft
thatfederalagenciesshouldimplementabroadsustainedawarenesscampaigntoeducateconsumerstheprivatesectorandthepublicsectorondeterringdetectinganddefendingagainstidentitytheftand
thataNationalIdentityTheftLawEnforcementCentershouldbecreatedtoallowlawenforcementagenciestocoordinatetheireffortsandinformationmoreefficientlyandinvestigateandprosecuteidentitythievesmoreeffectively
TheTaskForcebelievesthatallof therecommendationsinthisstrategicplanmdashfromthesebroadpolicychangestothesmallstepsmdasharenecessarytowageamoreeffectivefightagainstidentitytheftandreduceitsincidenceanddamageSomerecommendationscanbeimplementedrelativelyquicklyotherswilltaketimeandthesustainedcooperationof governmententitiesandtheprivatesectorFollowingaretherecommendationsof thePresidentrsquosTaskForceonIdentityTheft
PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While “perfect security” does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.
Data Security in Public Sector
Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management
• Survey current use of SSNs by federal government
• Issue guidance on appropriate use of SSNs
• Establish clearinghouse for “best” agency practices that minimize use of SSNs
• Work with state and local governments to review use of SSNs
Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance
• Develop concrete guidance and best practices
• Monitor agency compliance with data security guidance
• Protect portable storage and communications devices
Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies
• Issue data breach guidance to agencies
• Publish a “routine use” allowing disclosure of information after a breach to those entities that can assist in responding to the breach
Data Security in Private Sector
Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements
Develop Comprehensive Record on Private Sector Use of Social Security Numbers
Better Educate the Private Sector on Safeguarding Data
• Hold regional seminars for businesses on safeguarding information
• Distribute improved guidance for private industry
Initiate Investigations of Data Security Violations
Initiate a Multi-Year Public Awareness Campaign
• Develop national awareness campaign
• Enlist outreach partners
• Increase outreach to traditionally underserved communities
• Establish “Protect Your Identity” Days
Develop Online Clearinghouse for Current Educational Resources
PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.
Authentication includes determining a person’s identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: Identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.
Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factor authentication or layered security—would go a long way toward preventing criminals from profiting from identity theft.
Hold Workshops on Authentication
• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity
• Issue report on workshop findings
Develop a Comprehensive Record on Private Sector Use of SSNs
VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Identity theft can be committed despite a consumer’s best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.
Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims
• Train law enforcement officers
• Provide educational materials for first responders that can be used as a reference guide for identity theft victims
• Create and distribute an ID Theft Victim Statement of Rights
• Design nationwide training for victim assistance counselors
Develop Avenues for Individualized Assistance to Identity Theft Victims
Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered
Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes
Assess Efficacy of Tools Available to Victims
• Conduct assessment of FACT Act remedies under FCRA
• Conduct assessment of state credit freeze laws
LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.
Coordination and Information/Intelligence Sharing
Establish a National Identity Theft Law Enforcement Center
Develop and Promote the Use of a Universal Identity Theft Report Form
Enhance Information Sharing Between Law Enforcement and the Private Sector
• Enhance ability of law enforcement to receive information from financial institutions
• Initiate discussions with financial services industry on countermeasures to identity theft
• Initiate discussions with credit reporting agencies on preventing identity theft
Coordination with Foreign Law Enforcement
Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft
Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime
Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies
Enhance the United States Government’s Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft
Assist, Train, and Support Foreign Law Enforcement
Prosecution Approaches and Initiatives
Increase Prosecutions of Identity Theft
• Designate an identity theft coordinator for each United States Attorney’s Office to design a specific identity theft program for each district
• Evaluate monetary thresholds for prosecution
• Encourage state prosecution of identity theft
• Create working groups and task forces
Conduct Targeted Enforcement Initiatives
• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale
• Conduct enforcement initiatives focused on identity theft related to the health care system
• Conduct enforcement initiatives focused on identity theft by illegal aliens
Review Civil Monetary Penalty Programs
Gaps in Statutes Criminalizing Identity Theft
Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes
• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted
• Add new crimes to the list of predicate offenses for aggravated identity theft offenses
• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications
• Penalize creators and distributors of malicious spyware and keyloggers
• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion
Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim
Law Enforcement Training
Enhance Training for Law Enforcement Officers and Prosecutors
• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft
• Increase number of regional identity theft seminars
• Increase resources for law enforcement on the Internet
• Review curricula to enhance basic and advanced training on identity theft
Measuring the Success of Law Enforcement
Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft
• Gather and analyze statistically reliable data from identity theft victims
• Expand scope of national crime victimization survey
• Review U.S. Sentencing Commission data
• Track prosecutions of identity theft and resources spent
• Conduct targeted surveys
II. The Contours of the Identity Theft Problem
Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.
Identity theft—the misuse of another individual’s personal information to commit fraud—can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.
Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain’s identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain’s name and with his Social Security number. The military identification, combined with the victim’s then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim’s name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim’s name.4
In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim’s existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim’s safe-deposit boxes.5
In these ways and others, consumers’ lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.
“I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver’s license was suspended. I hold three licenses in the State of Ohio—my driver’s license, my real estate license, and my RN license. After learning my driver’s license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter.”
Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003
A. PREVALENCE AND COSTS OF IDENTITY THEFT
There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.
Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly, but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.
In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.
In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.
Consumers’ fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.
B. IDENTITY THIEVES: WHO THEY ARE
Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC’s 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.
Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.
Individuals
According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners’ mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9
A number of recent reports have focused on the connection between individual methamphetamine (“meth”) users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.
In an article entitled “Waitress Gets Own ID When Carding Patron,” the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver’s license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.
In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $181,517.05 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver’s license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.
Significant Criminal Groups and Organizations
Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups—including national gangs such as Hell’s Angels and MS-13—are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.
Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user’s Internet connection, without the user’s knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services—such as software templates for making counterfeit identification cards and payment card magnetic strip encoders—that make the stolen data even more valuable to those who have it.
C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE
Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim’s name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.
Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.
In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant’s accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an “unprecedented, wide-ranging, organized criminal enterprise” that “engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers.” The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.
The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.
Common Theft and Dumpster Diving
While often considered a “high tech” crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as “dumpster diving.”13 Still others steal information using techniques no more sophisticated than purse snatching.
Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed—a measure that is intended, among other things, to reduce the ability of a “dumpster diver” to obtain a victim’s credit card number simply by looking through that victim’s discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15
Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice
A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.
Employee/Insider Theft
Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee’s access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.
Electronic Intrusions or Hacking
Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.
Second, hackers also can gain access to underlying applications—programs used to “communicate” between Internet users and a company’s internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker’s application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.
According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.
Social Engineering: Phishing, Malware/Spyware, and Pretexting
Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as “social engineering,” can take a variety of forms.
In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution’s screening practices came to light through the OCC’s review of the former employee’s activities.
In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe’s Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe’s retail store in Michigan and gained access to Lowe’s central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe’s retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.
Phishing: “Phishing” is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to “reenter” or “validate” their personal data. Such phishing schemes often mimic financial institutions’ websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed “vishing,” in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18
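The link deception described in the phishing paragraph above can be checked mechanically on the receiving side. The following Python code is an added example, not part of the Task Force report: it flags links whose visible text names one host while the underlying address points elsewhere. The sample message, the trusted-host list, and every host name in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed sample message body (not a real phishing email). All hosts use
# reserved example names or documentation IP address space.
SAMPLE_HTML = """
<p>Dear member, you must verify your personal information for your
account to remain active.</p>
<p><a href="http://203.0.113.45/login/verify.php">https://www.creditunion.example/verify</a></p>
<p><a href="http://creditunion.example.account-check.test/update">Validate your data</a></p>
<p><a href="https://www.creditunion.example/help">www.creditunion.example/help</a></p>
"""

# Hypothetical allow-list of hosts the impersonated institution really uses.
TRUSTED_HOSTS = {"creditunion.example", "www.creditunion.example"}

# Finds a host name written out in the visible link text, if there is one.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host):
    """True when the host part of a URL is a bare IP address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(href, text, trusted=TRUSTED_HOSTS):
    """Return the reasons a link looks deceptive (empty list if none)."""
    reasons = []
    host = (urlsplit(href).hostname or "").lower()
    if is_ip_literal(host):
        reasons.append("href-is-ip-literal")
    shown = HOST_IN_TEXT.search(text)
    if shown and shown.group(1).lower() != host:
        reasons.append("text-host-differs-from-href")
    # A trusted name embedded inside an unrelated host, e.g. used as its
    # left-hand labels so the address looks familiar at a glance.
    for name in trusted:
        if host != name and not host.endswith("." + name) and name in host:
            reasons.append("trusted-name-embedded-in-other-host")
            break
    return reasons


def scan_email(html):
    """Return [(href, reasons)] for every link in an HTML message body."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return [(href, assess_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_HTML):
        print(href, "->", reasons or "no findings")
```

A link with no findings is not proven safe; the checks only cover the specific mismatch between what a message shows and where it leads.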
Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users’ computers and data without the users’ permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user’s Internet sessions back to the hacker, including user names and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims’ passwords and other useful data—such as “sniffing” Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.
“Phishing” Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group
At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS’s website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.
Pretexting: Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer’s account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer’s name.20
Stolen Media
Inadditiontoinstancesof deliberatetheftof personalinformationdataalsocanbeobtainedbyidentitythievesinanldquoincidentalrdquomannerCriminalsfrequentlystealdatastoragedevicessuchaslaptopsorportablemediathatcontainpersonalinformation21AlthoughthecriminaloriginallytargetedthehardwarehemaydiscoverthestoredpersonalinformationandrealizeitsvalueandpossibilityforexploitationUnlessadequatelysafeguardedmdashsuchasthroughtheuseof technologicaltoolsforprotectingdatamdashthisinformationcanbeaccessedandusedtostealthevictimrsquosidentityIdentitythievesalsomayobtainconsumerdatawhenitislostormisplaced
Failure to “Know Your Customer”
Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.
The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.[22] For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.
Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.
In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.
“Skimming”
Because it is possible to use someone’s credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.[23] For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as “skimmers.” A skimmer is an inexpensive electronic device with a slot through which a person passes or “skims” a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer’s sight, he can skim the card through the device and then swipe it through the restaurant’s own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer’s card, as well as the consumer’s password.
D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT
Once they obtain victims’ personal information, criminals misuse it in endless ways, from opening new accounts in the victim’s name, to accessing the victim’s existing accounts, to using the victim’s name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.
Misuse of Existing Accounts
Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer’s wallet.
A “skimmer.” Source: Durham, Ontario Police
In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.
Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims’ bank accounts, including checking accounts—sometimes referred to as “account takeovers.”[24] The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims’ online brokerage accounts.[25]
Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.[26]
New Account Fraud
A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim’s name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.
Criminal’s skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer’s keystrokes. Source: University of Texas Police Department
In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor’s Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.
When criminals establish new credit card accounts in others’ names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others’ names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.
“Brokering” of Stolen Data
Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as “carding sites,” traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.
Immigration Fraud
In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.[27] Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.
Medical Identity Theft
Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim’s identifying information is used to obtain or make false claims for medical care.[28] In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.
Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney’s Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver’s licenses, credit, or even medical services because someone had improperly used their personal information before.
Other Frauds
Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS’s Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.
With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services’ Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.
Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney’s Office for the Southern District of New York obtained a criminal conviction against him in 2002.
In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant’s allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.
A STRATEGY TO COMBAT IDENTITY THEFT
III. A Strategy to Combat Identity Theft
Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its “life cycle,” it must be attacked at each of those stages, including:
when the identity thief attempts to acquire a victim’s personal information;
when the thief attempts to misuse the information he has acquired; and
after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
The federal government’s strategy to combat identity theft must address each of these stages by:
keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;
making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;
assisting victims in recovering from the crime; and
deterring identity theft by aggressively prosecuting and punishing those who commit the crime.
A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force’s recommendations, as described below, are focused on those areas.
A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as “perfect security,” some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.
The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.[29] Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.
1. Decreasing the Unnecessary Use of Social Security Numbers
The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim’s SSN and certain other information generally can open accounts or obtain other benefits in the victim’s name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.
SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers’ earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes is expressly authorized by statute.
The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.
Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students’ identification number for a range of purposes, from administering loans to tracking grades, and may place it on students’ identification cards, although usage for these purposes is declining.
In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver’s licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.
SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.[30] Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.
No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations’ disclosure of SSNs without patient authorization; and the Driver’s Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 “permissible uses.”[31] In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.[32] A number of state statutes restrict the use and display of SSNs in certain contexts.[33] Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.[34]
There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.
Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization’s internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN’s use as an authenticator.
In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA’s Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.
Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber’s identification number.[35] Additionally, the Department of Treasury’s Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.
More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.
RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR
To limit the unnecessary use of SSNs in the public sector—and to begin to develop alternative strategies for identity management—the Task Force recommends the following:
Complete Review of Use of SSNs. As recommended in the Task Force’s interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers, where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in “any system of permanent account numbers pertaining to individuals,” should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.
When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim’s name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief’s medical information was added to the victim’s medical records.
Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.
Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.[36]
Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB’s review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices—including the development of any alternative strategies for identity management—to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.
Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments—through organizations such as the National Governor’s Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems—to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders—including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.
2. Data Security in the Public Sector
While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.
a. Safeguarding of Information in the Public Sector
Two sets of laws and associated policies frame the federal government’s responsibilities in the area of data security. The first specifically governs the federal government’s information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.[37] The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a “time-out” function for remote access and mobile devices.[38] The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.[39]
Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President’s Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.[40]
Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.
Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.
b. Responding to Data Breaches in the Public Sector
Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.
The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.
RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE
To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:
Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 “mistakes” to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.
Comply With Data Security Guidance OMBalreadyhasissuedanarrayof datasecurityregulationsandstandardsaimedaturgingagenciestobetterprotecttheirdataGiventhatdatabreachescontinuetooccurhoweveritisimperativethatagenciescontinuetoreportcompliancewithitsdatasecurityguidelinesand
0
A STRATEGY TO COMBAT IDENTITY THEFT
directivestoOMBIf anyagencydoesnotcomplyfullyOMBshouldnotethatfactintheagencyrsquosquarterlyPMAScorecard
Protect Portable Storage and Communications Devices Manyof themostpublicizeddatabreachesinrecentmonthsinvolvedlossesof laptopcomputersBecausegovernmentemployeesincreasinglyrelyonlaptopsandotherportablecommunicationsdevicestoconductgovernmentbusinessnolaterthanthesecondquarterof 2007allChief InformationOfficersof federalagenciesshouldremindtheagenciesof theirresponsibilitiestoprotectlaptopsandotherportabledatastorageandcommunicationdevicesIf anyagencydoesnotfullycomplythatfailureshouldbereflectedontheagencyrsquosPMAscorecard
RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES
To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:
Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.
Publish a "Routine Use" Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.41 DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.
3. Data Security in the Private Sector
Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.
a. The Current Legal Landscape
Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;42 Section 5 of the FTC Act, which prohibits unfair or deceptive practices;43 the FCRA,44 which restricts access to consumer reports and imposes safe disposal requirements, among other things;45 HIPAA, which protects health information;46 Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,47 which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers' personal information.48 See Volume II, Part A, for a description of federal laws and regulations related to data security.
The federal bank regulatory agencies—the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)—and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation.
BJ's Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ's stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers, and led to millions of dollars in fraudulent charges.
In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.
In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,49 and some states have laws relevant to data security, including safeguards and disposal requirements.
Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.50
Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution's sensitive data to safeguard that data.51 Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor's data center, and requiring vendors to provide certification that they are in compliance with the contracting organization's privacy and data protection obligations.52
b. Implementation of Data Security Guidelines and Rules
Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.
In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company's website permitted unauthorized access to consumers' personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.
In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.
Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.53 But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.54 The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.55
Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.56 For example, of the small businesses surveyed:
• nearly 20 percent did not use virus scans for email, a basic information security safeguard;
• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;
• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and
• 74 percent reported having no information security plan in place.
Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies—sometimes pursuant to law or regulations issued by agencies—are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.
In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company's security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.
c. Responding to Data Breaches in the Private Sector
Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers' fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.57 Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.58 Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.
The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.
A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.
In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.
Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.59 Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.60 A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.61 Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.62
RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS
Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to "financial institutions," but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles:
Covered data. The national standards for data security and for breach notification should cover data that can be used to perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual's account, or to establish a new account using the individual's identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver's license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter "covered data"). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.
When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.
Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.
Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent "acquisition" of the data, and thus ordinarily would satisfy an entity's legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.
Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This "significant risk of identity theft" trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real.
Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).
Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.
Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.
Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.
Private right of action. The national standards should not provide for or create a private right of action.
Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.
RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA
Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately, is less likely to suffer a data compromise. The Task Force therefore makes the following recommendations concerning how to better educate the private sector:
When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.
Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions, about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar's leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force's online clearinghouse at www.idtheft.gov.
Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook's Information Security Booklet, issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.
RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS
Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.
A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company's cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.
4. Educating Consumers on Protecting Their Personal Information
The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.
The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of "Deter, Detect, and Defend," which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.
The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.
Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims' coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted "Consumer Action Days," with free seminars about identity theft and other consumer protection issues.
Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.64 As of this writing, more than 500 local police departments are using the FTC's "Deter, Detect, Defend" campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.
Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons—including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms—students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.65 In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.66
Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide—how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath—are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.
RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN
Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC's current "AvoID Theft: Deter, Detect, Defend" campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:
Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.
Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.
Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.
Establish "Protect Your Identity Days." The campaign should establish "Protect Your Identity Days" to promote better data security by businesses and individual commitment to security by consumers. These "Protect Your Identity Days" should also build on the popularity of community "shred-ins" by encouraging community and business organizations to shred documents containing personal information.
RECOMMENDATION: DEVELOP AN ONLINE “CLEARINGHOUSE” FOR CURRENT EDUCATIONAL RESOURCES
The Task Force recommends that in the third quarter of 2007, the Task Force member agencies develop an online “clearinghouse” for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.
B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.
An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision, and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer’s credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to “verify” the applicant’s identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.
Identity systems follow a two-fold process: first, determining (“identification”) and setting (“enrollment”) the identity of an individual at the onset of the relationship; and second, later ensuring that the individual is the same person who was initially enrolled (“authentication”). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, “financial institutions”), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.[67] The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.[68] See Volume II, Part G, for a description of recent laws relating to identification documents.
The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.[69]
Once an individual’s identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:
• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer’s monthly mortgage payment.
• Something a person has—most commonly a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.[70]
• Something a person is—most commonly a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.[71]
Some entities use a single form of authentication—most commonly a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.[72] Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.[73] Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.
SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.
RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION
Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.
As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
As noted in Section III.A.1, above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.
C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.
1. VICTIM ASSISTANCE: OUTREACH AND EDUCATION
Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.
In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.
Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.
Fair and Accurate Credit Transaction Act (FACT Act) Rights
The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.
Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:
• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.
• Contact any creditors where fraudulent accounts were opened or charges were made, to dispute these transactions, and follow up in writing.
• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.
• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.
• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.
State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General’s office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.
A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.
Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.
RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS
First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:
Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.
Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.
Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.
Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.
RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS
Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:
Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.
2. MAKING IDENTITY THEFT VICTIMS WHOLE
Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.
The many hours victims spend in attempting to recover from the harms they suffer often take a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.
“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”
Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001
In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.[74] In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.
RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED
Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.
As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.
RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES
One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or “passports,” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.
3. GATHERING BETTER INFORMATION ON THE EFFECTIVENESS OF VICTIM RECOVERY MEASURES
Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims’ experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.
RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS
The Task Force recommends the following surveys or assessments:
Conduct Assessment of FACT Act Remedies Under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.
Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policy makers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.
D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.
The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.
In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.
In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.
During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute,[75] enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.
The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.
1. COORDINATION AND INTELLIGENCE/INFORMATION SHARING
Federal law enforcement agencies have recognized the importance of coordination among agencies and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.
In “Operation Firewall,” the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar. Using the website www.shadowcrew.com, the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents, such as drivers’ licenses, passports, and Social Security cards, as well as stolen credit card, debit card, and bank account numbers. The Shadowcrew members trafficked in at least 1.7 million stolen credit card numbers and caused total losses in excess of $4 million. The Secret Service successfully shut down the website following a year-long undercover investigation, which resulted in the arrests of 21 individuals in the United States on criminal charges in October 2004. Additionally, law enforcement officers in six foreign countries arrested or searched eight individuals.
a. Sources of Identity Theft Information
Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement through a secure website the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.
Private sector entities—including the financial services industry and credit reporting agencies—also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.
One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient “stove-piping” of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.
b. Format for Sharing Information and Intelligence
A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program’s terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.
To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police’s (IACP) Private Sector Liaison Committee and the Major Cities’ Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.
c. Mechanisms for Sharing Information
Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.
Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.
Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers “connect the dots” in investigations and pool limited resources.
RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER
The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to “connect the dots” between various investigations around the country.
In a case prosecuted by the United States Attorney’s Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.
RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM
The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC—a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department’s report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.
Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint (“Complaint”) form was made available in October 2006 via the FTC’s Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC’s Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.
RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR
Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:
Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service’s current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim’s credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.
2. Coordination with Foreign Law Enforcement
Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.
Because of the international nature of many forms of identity theft, providing assistance to, and receiving assistance from, foreign law enforcement on identity theft is critical for U.S. enforcement agencies. Under current law, the United States generally is able to provide such assistance, which fulfills our obligations under various treaties and enhances our ability to obtain reciprocal assistance from foreign agencies. Indeed, there are numerous examples of collaborations between U.S. and foreign law enforcement in identity theft investigations.
Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country’s law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.
Second, certain statutes governing foreign requests for electronic and other evidence—specifically 18 U.S.C. § 2703 and 28 U.S.C. § 1782—fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.
The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.
RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT
The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.
RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE
Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention’s standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings and should continue until broad international acceptance of the Convention on Cybercrime is achieved.
RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES
Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.
RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT’S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT
The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).
RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT
Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.
3. Prosecution Approaches and Initiatives
As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney’s Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney’s Office in the District of Oregon has an identity theft “fast track” program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney’s Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.
Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney’s Offices have monetary thresholds—i.e., requirements that a certain amount of monetary loss must have been suffered by the victims—before the U.S. Attorney’s Office will open an identity theft case. When a U.S. Attorney’s Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.
RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT
The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:
Designate An Identity Theft Coordinator for Each United States Attorney’s Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney’s Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.
Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney’s Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.
Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.
Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.
RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES
Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:
Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals’ SSNs or other sensitive information to anyone who provides them with the individual’s name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.
Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries’ and providers’ identities and identification numbers, the opening of bank accounts in individuals’ names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.
Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.
RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS
By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.
4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps
Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.
a. The Identity Theft Statutes
The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.76 Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.
There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of “a person,” it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization’s name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.
b. Computer-Related Identity Theft Statutes
Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company’s internal local networks or by a thief intruding into a wireless network generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer’s wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney’s Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.
A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause “damage” to computers, i.e., that impair the “integrity or availability” of data or computer systems.77 Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals’ computers. Whether the programs succeed in obtaining the unsuspecting computer owner’s financial data, these sorts of programs harm the “integrity” of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.
c. Cyber-Extortion Statute
Another federal criminal statute that may apply in some computer-related identity theft cases is the “cyber-extortion” provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat “to cause damage to a protected computer,”78 is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first—such as by accessing a corporate computer without authority and encrypting critical data—and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly “threaten to cause damage” can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.
d. Sentencing Guidelines Governing Identity Theft
In recent years, the courts have created some uncertainty about the applicability of the “multiple victim enhancement” provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.79
RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES
The Task Force recommends that Congress take the following legislative actions:
Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.
Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases—mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A—in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.
Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.
Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant’s action must cause “damage” to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.
Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.
RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF’S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM
The Sentencing Commission should amend the definition of “victim,” as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.
5. Training of Law Enforcement Officers and Prosecutors
Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney’s Offices, for example, several federal law enforcement agencies—including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI—along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.
Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges—including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft—that warrant more specialized training at all levels of law enforcement.
RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS
Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ’s Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any “model programs”—fast track programs, etc.).
Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.
Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.
Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.
6. Measuring Success of Law Enforcement Efforts
One shortcoming in the federal government’s ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.
Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.
RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM’S RESPONSE TO IDENTITY THEFT
Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.
Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.
Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.
Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an “Identity Theft” category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.
Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.
IV. Conclusion: The Way Forward
There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.
Only a comprehensive and fully coordinated strategy to combat identity theft—one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector—will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders—consumers, business, and government—must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well being.
Appendices
APPENDIX A
Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol
APPENDIX B
Proposed Routine Use Language
Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12,990, 12,993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28,948, 28,953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.
Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows: [80]
To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.
Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.
Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.
APPENDIX C
Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)
Proposed Language
(a) Section 3663 of Title 18, United States Code, is amended by:
(1) Deleting “and” at the end of paragraph (4) of subsection (b);
(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “and”; and
(3) Adding the following after paragraph (5) of subsection (b):
“(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”
Make conforming changes to the following:
(b) Section 3663A of Title 18, United States Code, is amended by:
(1) Adding the following after Section 3663A(b)(4):
“(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”
Section Analysis
These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim’s time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim’s time spent clearing a victim’s credit report or resolving charges made by the perpetrator for which the victim has been made responsible.
New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear that restitution orders may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense. The federal courts of appeals have interpreted the existing provisions of Section 3663 in such a way that would likely preclude the recovery of such amounts, absent explicit statutory authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th Cir. 1990), the court held that restitution ordered for offenses resulting in loss of property must be limited to recovery of property which is the subject of the offenses, and may not include consequential damages. Similarly, in United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held that the list of compensable expenses in a restitution statute is exclusive, and thus the district court did not have the authority to order the defendant to pay restitution to compensate the victim for mental anguish and suffering. Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court held that restitution was not allowed for consequential damages involved in determining the amount of loss or in recovering those funds; thus, a victim of wire fraud was not entitled to restitution for accounting fees and costs to reconstruct bank statements for the time period during which the defendant perpetuated the scheme, for the cost of temporary employees to reconstruct monthly bank statements, and for the costs incurred in borrowing funds to replace stolen funds. These new subsections will provide statutory authority for inclusion of amounts equal to the value of the victim’s time reasonably spent remediating the harm incurred as a result of the identity theft offense.
APPENDIX D
Text of Amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and Text of New Language for 18 U.S.C. § 3512
The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.
Proposed Language
§ 2703. Required disclosure of customer communications or records
(a) Contents of wire or electronic communications in electronic storage.—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.
(b) Contents of wire or electronic communications in a remote computing service.—(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—
(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or
(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—
(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or
(ii) obtains a court order for such disclosure under subsection (d) of this section;
except that delayed notice may be given pursuant to section 2705 of this title.
(c) Records concerning electronic communication service or remote computing service.—(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—
(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;
§ 2711. Definitions for chapter
As used in this chapter—
(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;
(2) the term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system; and
(3) the term “court of competent jurisdiction” has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that –
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or
(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.
§ 3127. Definitions for chapter
As used in this chapter—
(1) the terms “wire communication”, “electronic communication”, “electronic communication service”, and “contents” have the meanings set forth for such terms in section 2510 of this title;
(2) the term “court of competent jurisdiction” means—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that –
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located;
(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or
(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device;
§ 3512. Foreign requests for assistance in criminal investigations and prosecutions
(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.
(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –
(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;
(2) administer any necessary oath; and
(3) take testimony or statements and receive documents or other things.
(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –
(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;
(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents, or things may be located; or
(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.
(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.
(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.
(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.
(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.
(h) As used in this section –
(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and
(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.
APPENDIX E
Text of Amendments to 18 U.S.C. §§ 1028 and 1028A
The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.
Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses
Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically, mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A—in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).
Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations
(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.
Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.
(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “or other person” after the word “individual”.
Rationale
Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized “appropriation” of legitimate companies’ names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation, sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy, and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.
One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as “phishing,” whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme—for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.
Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special “horror story” which stands above the rest. In August 2005, the “Anti-Phishing Working Group” determined in just that month alone, there were 5,259 unique phishing websites around the world. By December 2005, that number had increased to 7,197, and there were 15,244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities’ names (and even logos and web content) were “hijacked” (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., http://antiphishing.org/apwg_phishing_activity_report_august_05.pdf
In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks and companies’ names in communications with victims or in counterfeit checks.
Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code, to apply only to “natural” persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.
APPENDIX F
Text of Amendment to 18 U.S.C. § 1030(a)(2)
The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
1030(a) Whoever—
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains –
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
APPENDIX G
Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b
The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
18 U.S.C. § 1030
(a) Whoever—
(5)
(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
(c) The punishment for an offense under subsection (a) or (b) of this section is—
(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(3) (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;
(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section; and
(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and
(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.
(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety;
(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or
(vi) damage affecting ten or more protected computers during any 1-year period;
or an attempt to commit an offense punishable under this subparagraph;
(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph;
(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both;
(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both; or
(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph.
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
18 U.S.C. § 2332b(g)(5)(B)(I)
1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)
APPENDIX H
Text of Amendments to 18 U.S.C. § 1030(a)(7)
The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.
Proposed Language
18 U.S.C. § 1030(a)(7)
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any–
(a) threat to cause damage to a protected computer;
(b) threat to obtain information from a protected computer without authorization or in excess of authorization, or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion
APPENDIX I
Text of Amendment to United States Sentencing Guideline § 2B1.1
The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.
Proposed language for United States Sentencing Guidelines § 2B1.1, comment. (n.1)
“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.
APPENDIX J
Description of Proposed Surveys
In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:
• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.
• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3,000 agencies. The sample includes all agencies with 100 or more officers, and a stratified random sample of smaller agencies, as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.
• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft, as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.
• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the post conviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.
• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.
• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.
ENDNOTES
1. Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.
2. The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.
3. The public comments are available at wwwidtheftgov
4. Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”
5. See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at httpwwwusdojgovusaomiwpressJMiller_ Others10172006html
6. Javelin Strategy and Research, 2007 Identity Fraud Survey Report: Identity Fraud is Dropping, Continued Vigilance Necessary (Feb. 2007), summary available at httpwwwjavelinstrategycom; Bureau of Justice Statistics (DOJ) (2004), available at httpwwwojpusdojgovbjspubpdfit04pdf; Gartner, Inc. (2003), available at httpwwwgartnercom5_aboutpress_releasespr21july2003ajsp; FTC 2003 Survey Report (2003), available at httpwwwconsumergovidtheftpdf synovate_reportpdf
7. See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection, BSA Survey Suggests (Jan. 12, 2006), available at httpwwwbsacybersafetycomnews2005-Online-Shopping-Confidencecfm
8. See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at httpswwwcsiallianceorgpublicationssurveys_and_pollsCSIA_Internet_Security_Survey_June_2005pdf
9. See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at httpwwwusdojgovusaoflsPressReleases060719-01html
10. See, e.g., John Leland, Meth Users, Attuned to Detail, Add Another Habit: ID Theft, New York Times, July 11, 2006, available at httpwwwnytimescom20060711us11methhtmlex=1153540800ampen=7b6c7773afa880beampei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit: Online Theft, USA Today, December 14, 2005, available at httpwwwusatodaycomtechnewsinternetprivacy2005-12-14-meth-online-theft_xhtm
11. Bob Mims, Id Theft Is the No. 1 Runaway U.S. Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526.
12. Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, httpdeseretnewscomdnview0124960012971400html
13. Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at httpwwwnytimescom20031221magazine21IDENTITYhtmlex=1387342800ampen=b693eef01223bc3bampei=5007amppartner=USERLAND
14. Pub. L. No. 108-159, 117 Stat. 1952.
15. The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).
16. Overview of Attack Trends, CERT Coordination Center 2002, available at httpwwwcertorgarchivepdfattack_trendspdf
17. Lanowitz, T., Gartner Research ID Number G00127407, December 1, 2005.
18. “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at httpwwwconsumeraffairscomnews04200607scam_vishinghtml
19. Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal: Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See httpwwwftcgovopa200605phonerecordshtm
20. The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at httpwwwftcgovopa200203pretextingsettlementshtm
21. See, e.g., Computers Stolen with Data on 72,000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.
22. 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a).
23. Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.
24. See httpwwwbizjournalscomphiladelphiastories20060724daily30html See also Identity Theft Resource Center, Fact Sheet 126: Checking Account Takeover and Check Fraud, httpwwwidtheftcenterorgvg126shtml
25. For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37,000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at httpwwwsecgovlitigationlitreleases2006lr19949htm
26. For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.
27. See John Leland, Some ID Theft Is Not For Profit, But to Get a Job, N.Y. Times, Sept. 4, 2006.
28. See World Privacy Forum, Medical Identity Theft: The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforumorgpdfwpf_medicalidtheft2006pdf
29. See httpwwwidanalyticscomnews_and_events20051208htm Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.
30. Government Accounting Office, Social Security Numbers: Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004), at 2, available at httpwwwgaogovnewitemsd0559pdf
31. 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.
32. 5 U.S.C. § 552a.
33. See, e.g., Ariz. Rev. Stat. § 44-1373.
34. Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain, GAO-05-1016T, September 15, 2005.
35. See, e.g., wwwwpsiccomedicomm_sub_pshtmlmm=3 Non-SSN Member Numbers to Be Assigned for Privacy Protection.
36. Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.
37. The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”
38. See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).
39. The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.
40. See httpwwwwhitehousegovresultsagendascorecardhtml
41. The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.
42. 15 U.S.C. §§ 6801-09; 16 C.F.R. Part 313 (FTC); 12 C.F.R. Part 30, App. B (OCC, national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 C.F.R. Part 364, App. B (FDIC, state non-member banks); 12 C.F.R. Part 570, App. B (OTS, savings associations); 12 C.F.R. Part 748, App. A (NCUA, credit unions); 16 C.F.R. Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 C.F.R. Part 248.30 (SEC); 17 C.F.R. Part 160.30 (CFTC).
43. 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.
44. 15 U.S.C. §§ 1681-1681x, as amended.
45. Pub. L. No. 108-159, 117 Stat. 1952.
46. 42 U.S.C. §§ 1320d et seq.
47. 31 U.S.C. § 5318(l).
48. 18 U.S.C. §§ 2721 et seq.
49. httpwwwncslorgprogramsliscipprivbreachlawshtm
50. httpwwwbbborgsecurityandprivacySecurityPrivacyMadeSimplerpdf; wwwstaysafeonlineorgbasicscompanybasic_tipshtml; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at wwwbitsinfoorgdownloadsPublications20Pagebitsconsconpdf; wwwrealtororgrealtororgnsffilesNARInternetSecurityGuidepdf$FILENARInternetSecurityGuidepdf; wwwantiphishingorgreportsbestpracticesforispspdf; wwwuschambercomsbsecuritydefaulthtm; wwwtrusteorgpdfSecurityGuidelinespdf; wwwthe-dmaorgprivacyinformationsecurityshtml; httpwwwstaysafeonlineorgbasicscompanybasic_tipshtml
51. These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A and B, and 12 C.F.R. Part 717 (credit unions); 16 C.F.R. Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).
52. See, e.g., httpwwwtrusteorgpdfSecurityGuidelinespdf; httpwwwthe-dmaorgprivacyinformationsecurityshtml
53. Deloitte Financial Services, 2006 Global Security Survey, available at httpsingerucusnetblogarchives756-Deloitte-Security-Surveyshtml
54. Datalink, Data Storage Security Study, March 2006, available at wwwdatalinkcomsecurity
55. Id.
56. See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).
57. See, e.g., California (Cal. Civ. Code § 1798.82 (2006)); Illinois (815 Ill. Comp. Stat. 530/5 (2005)); Louisiana (La. Rev. Stat. 51:3074 (2006)); Rhode Island (R.I. Gen. Laws § 11-4923 (2006)).
58. See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)); Florida (Fla. Stat. § 817.5681 (2005)); New York (NY CLS Gen. Bus. § 889-aa (2006)); Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).
59. Ponemon Institute LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, p. 16 (Apr. 26, 2006).
60. Id.
61. Ponemon Institute LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).
62. MultiChannel Merchant, Retailers Need to Provide Greater Data Security, Survey Says (Dec. 1, 2005), available at httpmultichannelmerchantcomopsandfulfillmentadvisorretailers_data_security_1201indexhtml
63. See Information Technology Examination Handbook’s Information Security Booklet, available at httpwwwffiecgovguideshtm
64. See, e.g., httpwwwpvkansascompolicecrimeiden_theftshtml (Prairie Village, Kansas); httpphoenixgovPOLICEdcd1html (Phoenix, Arizona); wwwcoarapahoecousdepartmentsSHindexasp (Arapahoe County, Colorado).
65. Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.
66. Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.
67. See 31 C.F.R. § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 C.F.R. § 103.122 (broker-dealers); 17 C.F.R. § 270.0-11, 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers).
68. See httpwwwdhsgovxprevprotlawsgc_1172765386179shtm
69. A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.
Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages before too much harm is done. See 71 Fed. Reg. 40786 (July 18, 2006), to be codified at 12 C.F.R. Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 C.F.R. Part 681 (FTC), available at httpwwwoccgovfrfedregister71fr40786pdf
70. USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information, such as a PIN, to allow access to a computer network. This system is frequently used to allow for remote access to a workstation for a telecommuter.
71. Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at wwwbiometricsgov
72. See Authentication in an Internet Banking Environment (October 12, 2005), available at httpwwwffiecgovpdfauthentication_guidancepdf
73. See FFIEC Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at httpwwwffiecgovpdfauthentication_faqpdf
74. See Kristin Davis and Jessica Anderson, But Officer, That Isn’t Me, Kiplinger’s Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va. Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).
75. 18 U.S.C. § 1028A.
76. 18 U.S.C. § 1028(d)(7).
77. See 18 U.S.C. § 1030(e)(8).
78. 18 U.S.C. § 1030(a)(7).
79. S. Rep. No. 105-274, at 9 (1998).
80. As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.
Glossary of Acronyms
AAMVA – American Association of Motor Vehicle Administrators
AARP – American Association of Retired Persons
ABA – American Bar Association
APWG – Anti-Phishing Working Group
BBB – Better Business Bureau
BIN – Bank Identification Number
BJA – Bureau of Justice Assistance
BJS – Bureau of Justice Statistics
CCIPS – Computer Crime and Intellectual Property Section (DOJ)
CCMSI – Credit Card Mail Security Initiative
CFAA – Computer Fraud and Abuse Act
CFTC – Commodity Futures Trading Commission
CIO – Chief Information Officer
CIP – Customer Identification Program
CIRFU – Cyber Initiative and Resource Fusion Center
CMRA – Commercial Mail Receiving Agency
CMS – Centers for Medicare and Medicaid Services (HHS)
CRA – Consumer reporting agency
CVV2 – Card Verification Value 2
DBFTF – Document and Benefit Fraud Task Force
DHS – Department of Homeland Security
DOJ – Department of Justice
DPPA – Drivers Privacy Protection Act of 1994
FACT Act – Fair and Accurate Credit Transactions Act of 2003
FBI – Federal Bureau of Investigation
FCD – Financial Crimes Database
FCRA – Fair Credit Reporting Act
FCU Act – Federal Credit Union Act
FDI Act – Federal Deposit Insurance Act
FDIC – Federal Deposit Insurance Corporation
FEMA – Federal Emergency Management Agency
FERPA – Family and Educational Rights and Privacy Act of 1974
FFIEC – Federal Financial Institutions Examination Council
FIMSI – Financial Industry Mail Security Initiative
FinCEN – Financial Crimes Enforcement Network (Department of Treasury)
FISMA – Federal Information Security Management Act of 2002
FRB – Federal Reserve Board of Governors
FSI – Financial Services, Inc.
FTC – Federal Trade Commission
FTC Act – Federal Trade Commission Act
GAO – Government Accountability Office
GLB Act – Gramm-Leach-Bliley Act
HHS – Department of Health and Human Services
HIPAA – Health Insurance Portability and Accountability Act of 1996
IACP – International Association of Chiefs of Police
IAFCI – International Association of Financial Crimes Investigators
IC3 – Internet Crime Complaint Center
ICE – U.S. Immigration and Customs Enforcement
IRS – Internal Revenue Service
IRS CI – IRS Criminal Investigation Division
IRTPA – Intelligence Reform and Terrorism Prevention Act of 2004
ISI – Intelligence Sharing Initiative (U.S. Postal Inspection Service)
ISP – Internet service provider
ISS LOB – Information Systems Security Line of Business
ITAC – Identity Theft Assistance Center
ITCI – Information Technology Compliance Institute
ITRC – Identity Theft Resource Center
MCC – Major Cities Chiefs
NAC – National Advocacy Center
NASD – National Association of Securities Dealers, Inc.
NCFTA – National Cyber Forensic Training Alliance
NCHELP – National Council of Higher Education Loan Programs
NCUA – National Credit Union Administration
NCVS – National Crime Victimization Survey
NDAA – National District Attorneys Association
NIH – National Institutes of Health
NIST – National Institute of Standards and Technology
NYSE – New York Stock Exchange
OCC – Office of the Comptroller of the Currency
OIG – Office of the Inspector General
OJP – Office of Justice Programs (DOJ)
OMB – Office of Management and Budget
OPM – Office of Personnel Management
OTS – Office of Thrift Supervision
OVC – Office for Victims of Crime (DOJ)
PCI – Payment Card Industry
PIN – Personal Identification Number
PMA – President’s Management Agenda
PRC – Privacy Rights Clearinghouse
QRP – Questionable Refund Program (IRS CI)
RELEAF – Operation Retailers & Law Enforcement Against Fraud
RISS – Regional Information Sharing Systems
RITNET – Regional Identity Theft Network
RPP – Return Preparer Program (IRS CI)
SAR – Suspicious Activity Report
SBA – Small Business Administration
SEC – Securities and Exchange Commission
SMP – Senior Medicare Patrol
SSA – Social Security Administration
SSL – Security Socket Layer
SSN – Social Security number
TIGTA – Treasury Inspector General for Tax Administration
UNCC – United Nations Crime Commission
USA PATRIOT Act – Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Pub. L. No. 107-56)
USB – Universal Serial Bus
US-CERT – United States Computer Emergency Readiness Team
USPIS – United States Postal Inspection Service
USSS – United States Secret Service
VHA – Veterans Health Administration
VOIP – Voice Over Internet Protocol
VPN – Virtual private network
WEDI – Workgroup for Electronic Data Interchange
Identity Theft Task Force Members
Alberto R. Gonzales, Chairman
Attorney General
Deborah Platt Majoras, Co-Chairman
Chairman, Federal Trade Commission
Henry M. Paulson, Department of Treasury
Carlos M. Gutierrez, Department of Commerce
Michael O. Leavitt, Department of Health and Human Services
R. James Nicholson, Department of Veterans Affairs
Michael Chertoff, Department of Homeland Security
Rob Portman, Office of Management and Budget
John E. Potter, United States Postal Service
Ben S. Bernanke, Federal Reserve System
Linda M. Springer, Office of Personnel Management
Sheila C. Bair, Federal Deposit Insurance Corporation
Christopher Cox, Securities and Exchange Commission
JoAnn Johnson, National Credit Union Administration
Michael J. Astrue, Social Security Administration
John C. Dugan, Office of the Comptroller of the Currency
John M. Reich, Office of Thrift Supervision
Letter to the President
April 11, 2007
The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.
Dear Mr. President:
By establishing the President’s Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government’s efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.
Alberto R. Gonzales, Chairman, Attorney General
Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission
The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft’s damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.
There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.
Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President’s Task Force on Identity Theft.
Very truly yours,
Alberto R. Gonzales, Chairman, Attorney General
Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission
I. Executive Summary
From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.
A. INTRODUCTION
Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.
Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government—from the largest cities with major police departments to the smallest towns with one fraud detective—identity theft has placed increasingly pressing demands on law enforcement.
Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.
In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.
The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.
These communications from the public went a long way toward informing the Task Force’s recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.
B. THE STRATEGY
Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud. Identity theft has at least three stages in its “life cycle,” and it must be attacked at each of those stages:
First, the identity thief attempts to acquire a victim’s personal information.
Criminals must first gather personal information, either through low-tech methods—such as stealing mail or workplace records, or “dumpster diving”—or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.
Second, the thief attempts to misuse the information he has acquired.
In this stage, criminals have acquired the victim’s personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:
Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.
New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim’s name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.
In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.
Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.
In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation’s citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.
The Plan focuses on improvements in four key areas:
• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.
In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:
• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.
The Task Force believes that all of the recommendations in this strategic plan—from these broad policy changes to the small steps—are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President’s Task Force on Identity Theft:
PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While “perfect security” does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.
Data Security in Public Sector
Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management
• Survey current use of SSNs by federal government
• Issue guidance on appropriate use of SSNs
• Establish clearinghouse for “best” agency practices that minimize use of SSNs
• Work with state and local governments to review use of SSNs
Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance
• Develop concrete guidance and best practices
• Monitor agency compliance with data security guidance
• Protect portable storage and communications devices
Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies
• Issue data breach guidance to agencies
• Publish a “routine use” allowing disclosure of information after a breach to those entities that can assist in responding to the breach
Data Security in Private Sector
Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements
Develop Comprehensive Record on Private Sector Use of Social Security Numbers
Better Educate the Private Sector on Safeguarding Data
• Hold regional seminars for businesses on safeguarding information
• Distribute improved guidance for private industry
Initiate Investigations of Data Security Violations
Initiate a Multi-Year Public Awareness Campaign
• Develop national awareness campaign
• Enlist outreach partners
• Increase outreach to traditionally underserved communities
• Establish “Protect Your Identity” Days
Develop Online Clearinghouse for Current Educational Resources
PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.
Authentication includes determining a person’s identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.
Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factor authentication or layered security—would go a long way toward preventing criminals from profiting from identity theft.
Hold Workshops on Authentication
• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity
• Issue report on workshop findings
Develop a Comprehensive Record on Private Sector Use of SSNs
VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Identity theft can be committed despite a consumer’s best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.
Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims
• Train law enforcement officers
• Provide educational materials for first responders that can be used as a reference guide for identity theft victims
• Create and distribute an ID Theft Victim Statement of Rights
• Design nationwide training for victim assistance counselors
Develop Avenues for Individualized Assistance to Identity Theft Victims
Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered
Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes
Assess Efficacy of Tools Available to Victims
• Conduct assessment of FACT Act remedies under FCRA
• Conduct assessment of state credit freeze laws
LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.
Coordination and Information/Intelligence Sharing
Establish a National Identity Theft Law Enforcement Center
Develop and Promote the Use of a Universal Identity Theft Report Form
Enhance Information Sharing Between Law Enforcement and the Private Sector
• Enhance ability of law enforcement to receive information from financial institutions
• Initiate discussions with financial services industry on countermeasures to identity theft
• Initiate discussions with credit reporting agencies on preventing identity theft
Coordination with Foreign Law Enforcement
Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft
Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime
Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies
Enhance the United States Government’s Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft
Assist, Train, and Support Foreign Law Enforcement
Prosecution Approaches and Initiatives
Increase Prosecutions of Identity Theft
• Designate an identity theft coordinator for each United States Attorney’s Office to design a specific identity theft program for each district
• Evaluate monetary thresholds for prosecution
• Encourage state prosecution of identity theft
• Create working groups and task forces
Conduct Targeted Enforcement Initiatives
• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale
• Conduct enforcement initiatives focused on identity theft related to the health care system
• Conduct enforcement initiatives focused on identity theft by illegal aliens
Review Civil Monetary Penalty Programs
Gaps in Statutes Criminalizing Identity Theft
Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes
• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted
• Add new crimes to the list of predicate offenses for aggravated identity theft offenses
• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications
• Penalize creators and distributors of malicious spyware and keyloggers
• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion
Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim
Law Enforcement Training
Enhance Training for Law Enforcement Officers and Prosecutors
• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft
• Increase number of regional identity theft seminars
• Increase resources for law enforcement on the Internet
• Review curricula to enhance basic and advanced training on identity theft
Measuring the Success of Law Enforcement
Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft
• Gather and analyze statistically reliable data from identity theft victims
• Expand scope of national crime victimization survey
• Review U.S. Sentencing Commission data
• Track prosecutions of identity theft and resources spent
• Conduct targeted surveys
II. The Contours of the Identity Theft Problem
Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.
Identity theft—the misuse of another individual’s personal information to commit fraud—can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.
Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain’s identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain’s name and with his Social Security number. The military identification, combined with the victim’s then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim’s name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim’s name.4
In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim’s existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim’s safe-deposit boxes.5
In these ways and others, consumers’ lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.
“I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver’s license was suspended. I hold three licenses in the State of Ohio—my driver’s license, my real estate license, and my RN license. After learning my driver’s license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter.”
Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003
A. PREVALENCE AND COSTS OF IDENTITY THEFT
There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.
Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly, but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.
In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.
In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.
Consumers’ fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.
B. IDENTITY THIEVES: WHO THEY ARE
Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC’s 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.
Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.
Individuals
According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners’ mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9
A number of recent reports have focused on the connection between individual methamphetamine (“meth”) users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.
In an article entitled “Waitress Gets Own ID When Carding Patron,” the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver’s license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.
In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $18151705 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver’s license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.
Significant Criminal Groups and Organizations
Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups—including national gangs such as Hell’s Angels and MS-13—are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.
Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user’s Internet connection, without the user’s knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services—such as software templates for making counterfeit identification cards and payment card magnetic strip encoders—that make the stolen data even more valuable to those who have it.
C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE
Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim’s name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.
Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.
In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant’s accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an “unprecedented, wide-ranging, organized criminal enterprise” that “engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers.” The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.
The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.
Common Theft and Dumpster Diving
While often considered a “high tech” crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as “dumpster diving.”13 Still others steal information using techniques no more sophisticated than purse snatching.
Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice
A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.
Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed—a measure that is intended, among other things, to reduce the ability of a “dumpster diver” to obtain a victim’s credit card number simply by looking through that victim’s discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15
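The receipt truncation described above can be checked mechanically before a receipt reaches the printer. The following is an added example, not part of the Task Force report: the function names, the sample receipt, the choice to keep only the last five digits, and the suppression of expiration dates are all assumptions of this sketch.

```python
import re

# Candidate card numbers: 13-19 digits, optionally grouped with single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Card expiration dates printed as MM/YY or MM/YYYY. The lookarounds skip full
# calendar dates such as 04/12/2007 so the transaction date is left alone.
EXP_RE = re.compile(r"(?<![\d/])(?:0[1-9]|1[0-2])/(?:\d{4}|\d{2})(?![\d/])")

# Constructed sample receipt. 4111 1111 1111 1111 is a widely used test number,
# not a real account; the order number is constructed to fail the Luhn check.
RECEIPT = (
    "EXAMPLE DINER              04/12/2007 19:42\n"
    "ORDER 0000123456789012\n"
    "CARD  4111 1111 1111 1111   EXP 09/08\n"
    "TOTAL                      $42.10\n"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_receipt(text: str, keep_last: int = 5):
    """Return (safe_text, findings) for a receipt about to be printed.

    Every Luhn-valid card number is reduced to its last `keep_last` digits and
    every MM/YY expiration date is blanked. `findings` lists what had to be
    changed, so a non-empty list means the upstream receipt template still
    prints data that would be readable in discarded trash.
    """
    findings = []

    def mask_pan(match):
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # order numbers, phone numbers, and so on
        findings.append("card number")
        return "*" * (len(digits) - keep_last) + digits[-keep_last:]

    def mask_exp(match):
        findings.append("expiration date")
        return "**/**"

    safe = PAN_RE.sub(mask_pan, text)
    safe = EXP_RE.sub(mask_exp, safe)
    return safe, findings


if __name__ == "__main__":
    safe_text, problems = truncate_receipt(RECEIPT)
    print(safe_text)
    print("template problems:", problems)
```

Running the same function over the already truncated text returns it unchanged with no findings, which makes it usable as a regression check on receipt templates.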
Employee/Insider Theft
Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee’s access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.
Electronic Intrusions or Hacking
Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.
Second, hackers also can gain access to underlying applications—programs used to “communicate” between Internet users and a company’s internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker’s application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.
According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.
In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution’s screening practices came to light through the OCC’s review of the former employee’s activities.
In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe’s Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe’s retail store in Michigan and gained access to Lowe’s central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe’s retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.
Social Engineering: Phishing, Malware/Spyware, and Pretexting
Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as “social engineering,” can take a variety of forms.
Phishing: “Phishing” is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to “reenter” or “validate” their personal data. Such phishing schemes often mimic financial institutions’ websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed “vishing,” in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18
“Phishing” Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group
At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS’s website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.
Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users’ computers and data without the users’ permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user’s Internet sessions back to the hacker, including usernames and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims’ passwords and other useful data—such as “sniffing” Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.
Pretexting: Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer’s account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer’s name.20
Stolen Media
In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an “incidental” manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded—such as through the use of technological tools for protecting data—this information can be accessed and used to steal the victim’s identity. Identity thieves also may obtain consumer data when it is lost or misplaced.
Failure to “Know Your Customer”
Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.
The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.
Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.
In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.
“Skimming”
Because it is possible to use someone’s credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as “skimmers.” A skimmer is an inexpensive electronic device with a slot through which a person passes or “skims” a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer’s sight, he can skim the card through the device and then swipe it through the restaurant’s own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer’s card, as well as the consumer’s password.
D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT
Once they obtain victims’ personal information, criminals misuse it in endless ways, from opening new accounts in the victim’s name, to accessing the victim’s existing accounts, to using the victim’s name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.
Misuse of Existing Accounts
Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer’s wallet.
A “skimmer.” Source: Durham, Ontario Police
In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.
Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims’ bank accounts, including checking accounts—sometimes referred to as “account takeovers.”24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims’ online brokerage accounts.25
Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26
New Account Fraud
A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim’s name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.
When criminals establish new credit card accounts in others’ names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others’ names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.
Criminal’s skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer’s keystrokes. Source: University of Texas Police Department
In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor’s Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.
“Brokering” of Stolen Data
Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as “carding sites,” traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.
Immigration Fraud
In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.
Medical Identity Theft
Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim’s identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.
Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney’s Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver’s licenses, credit, or even medical services because someone had improperly used their personal information before.
Other Frauds
Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS’s Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.
With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services’ Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.
Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney’s Office for the Southern District of New York obtained a criminal conviction against him in 2002.
In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant’s allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.
III. A Strategy to Combat Identity Theft
Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its “life cycle,” it must be attacked at each of those stages, including:
• when the identity thief attempts to acquire a victim’s personal information;
• when the thief attempts to misuse the information he has acquired; and
• after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
The federal government’s strategy to combat identity theft must address each of these stages by:
• keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;
• making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;
• assisting victims in recovering from the crime; and
• deterring identity theft by aggressively prosecuting and punishing those who commit the crime.
A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force’s recommendations, as described below, are focused on those areas.
A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as “perfect security,” some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.
The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.29 Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.
1. Decreasing the Unnecessary Use of Social Security Numbers
The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim’s SSN and certain other information generally can open accounts or obtain other benefits in the victim’s name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.
SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers’ earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, is expressly authorized by statute.
The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.
Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students’ identification number for a range of purposes, from administering loans to tracking grades, and may place it on students’ identification cards, although usage for these purposes is declining.
In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver’s licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.
SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.30 Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.
No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations’ disclosure of SSNs without patient authorization; and the Driver’s Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 “permissible uses.”31 In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.32 A number of state statutes restrict the use and display of SSNs in certain contexts.33 Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.34
There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.
Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization’s internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN’s use as an authenticator.
In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA’s Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.
Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber’s identification number.35 Additionally, the Department of Treasury’s Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.
More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.
RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR
To limit the unnecessary use of SSNs in the public sector—and to begin to develop alternative strategies for identity management—the Task Force recommends the following:
Complete Review of Use of SSNs. As recommended in the Task Force’s interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers, where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in “any system of permanent account numbers pertaining to individuals,” should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.
When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim's name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief's medical information was added to the victim's medical records.
Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.
Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.[36]
Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB's review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices—including the development of any alternative strategies for identity management—to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.
Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments—through organizations such as the National Governor's Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems—to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders—including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.
2. Data Security in the Public Sector
While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.
a. Safeguarding of Information in the Public Sector
Two sets of laws and associated policies frame the federal government's responsibilities in the area of data security. The first specifically governs the federal government's information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.[37] The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a "time-out" function for remote access and mobile devices.[38] The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.[39]
Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President's Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.[40]
Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.
Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.
b. Responding to Data Breaches in the Public Sector
Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.
The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.
RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE
To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:
Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 "mistakes" to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.
Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency's quarterly PMA Scorecard.
Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency's PMA scorecard.
RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES
To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:
Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.
Publish a "Routine Use" Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.[41] DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.
3. Data Security in the Private Sector
Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.
a. The Current Legal Landscape
Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act, and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;[42] Section 5 of the FTC Act, which prohibits unfair or deceptive practices;[43] the FCRA,[44] which restricts access to consumer reports and imposes safe disposal requirements, among other things;[45] HIPAA, which protects health information;[46] Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,[47] which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers' personal information.[48] See Volume II, Part A, for a description of federal laws and regulations related to data security.
The federal bank regulatory agencies—the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)—and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation.
BJ's Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ's stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers, and led to millions of dollars in fraudulent charges.
In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.
In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,[49] and some states have laws relevant to data security, including safeguards and disposal requirements.
Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.[50]
Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution's sensitive data to safeguard that data.[51] Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor's data center, and requiring vendors to provide certification that they are in compliance with the contracting organization's privacy and data protection obligations.[52]
b. Implementation of Data Security Guidelines and Rules
Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.
In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company's website permitted unauthorized access to consumers' personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.
In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.
Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.[53] But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.[54] The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.[55]
Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.[56] For example, of the small businesses surveyed:
• nearly 20 percent did not use virus scans for email, a basic information security safeguard;
• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;
• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and
• 74 percent reported having no information security plan in place.
Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies—sometimes pursuant to law or regulations issued by agencies—are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.
In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company's security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.
c. Responding to Data Breaches in the Private Sector
Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers' fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.[57] Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.[58] Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.
The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.
A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.
In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.
Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.[59] Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.[60] A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.[61] Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.[62]
RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS
Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to "financial institutions," but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles:
Covered data. The national standards for data security and for breach notification should cover data that can be used to perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual's account, or to establish a new account using the individual's identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver's license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter "covered data"). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.
When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.
Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.
Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent "acquisition" of the data, and thus ordinarily would satisfy an entity's legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.
Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This "significant risk of identity theft" trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real.
Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).
Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.
Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.
Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.
Private right of action. The national standards should not provide for or create a private right of action.
Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information, protect against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.
RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA
Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately, is less likely to suffer a data compromise. The Task Force therefore makes the following recommendations concerning how to better educate the private sector:
When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.
Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar’s leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force’s online clearinghouse at www.idtheft.gov.
Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook’s Information Security Booklet, issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.
RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS
Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.
A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company’s cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.
4. Educating Consumers on Protecting Their Personal Information
The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.
The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive, one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of “Deter, Detect, and Defend,” which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.
The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.
Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims’ coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted “Consumer Action Days,” with free seminars about identity theft and other consumer protection issues.
Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.64 As of this writing, more than 500 local police departments are using the FTC’s “Deter, Detect, Defend” campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.
Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons, including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms, students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.65 In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.66
Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide (how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath) are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.
RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN
Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC’s current “AvoID Theft: Deter, Detect, Defend” campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:
Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.
Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.
Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.
Establish “Protect Your Identity Days.” The campaign should establish “Protect Your Identity Days” to promote better data security by businesses and individual commitment to security by consumers. These “Protect Your Identity Days” should also build on the popularity of community “shred-ins” by encouraging community and business organizations to shred documents containing personal information.
RECOMMENDATION: DEVELOP AN ONLINE “CLEARINGHOUSE” FOR CURRENT EDUCATIONAL RESOURCES
The Task Force recommends that, in the third quarter of 2007, the Task Force member agencies develop an online “clearinghouse” for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.
B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.
An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision, and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer’s credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to “verify” the applicant’s identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.
Identity systems follow a two-fold process: first, determining (“identification”) and setting (“enrollment”) the identity of an individual at the onset of the relationship; and second, later ensuring that the individual is the same person who was initially enrolled (“authentication”). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, “financial institutions”), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.67 The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.68 See Volume II, Part G, for a description of recent laws relating to identification documents.
The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.69
Once an individual’s identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:
• Something a person knows: most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer’s monthly mortgage payment.
• Something a person has: most commonly, a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.70
• Something a person is: most commonly, a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.71
Some entities use a single form of authentication, most commonly a password, but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.72 Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.73 Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.
SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.
RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION
Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.
As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
As noted in Section III.A.1 above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.
C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.
1. Victim Assistance: Outreach and Education
Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.
In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.
Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.
Fair and Accurate Credit Transactions Act (FACT Act) Rights. The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.
Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:
• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.
• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.
• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.
• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.
• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.
State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General’s office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.
A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.
Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.
RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS
First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:
Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars (delivered in person, online, or via video) for local law enforcement officers on available resources and providing assistance for victims.
Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.
Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers (as well as law enforcement, private businesses, and other parties involved in the recovery process) need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.
Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.
RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS
Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:
Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.
2. Making Identity Theft Victims Whole
Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.
The many hours victims spend in attempting to recover from the harms they suffer often take a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.
“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”
Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001
In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.74 In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.
RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED
Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.
As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.
RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES
One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or “passports,” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.
3. Gathering Better Information on the Effectiveness of Victim Recovery Measures
Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims’ experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.
RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS
The Task Force recommends the following surveys or assessments:
Conduct Assessment of FACT Act Remedies Under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.
Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policy makers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.
D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.
The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.
In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.
In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.
During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute,75 enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.
The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.
1. Coordination and Intelligence/Information Sharing
Federal law enforcement agencies have recognized the importance of coordination among agencies, and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.
In “Operation Firewall,” the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar. Using the website www.shadowcrew.com, the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents, such as drivers’ licenses, passports, and Social Security cards, as well as stolen credit card, debit card, and bank account numbers. The Shadowcrew members trafficked in at least 1.7 million stolen credit card numbers and caused total losses in excess of $4 million. The Secret Service successfully shut down the website following a year-long undercover investigation, which resulted in the arrests of 21 individuals in the United States on criminal charges in October 2004. Additionally, law enforcement officers in six foreign countries arrested or searched eight individuals.
a. Sources of Identity Theft Information
Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement, through a secure website, the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.
Private sector entities—including the financial services industry and credit reporting agencies—also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.
One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient “stove-piping” of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.
b. Format for Sharing Information and Intelligence
A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program’s terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.
To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police’s (IACP) Private Sector Liaison Committee and the Major Cities’ Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.
c. Mechanisms for Sharing Information
Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.
Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.
Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers “connect the dots” in investigations and pool limited resources.
RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER
The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to “connect the dots” between various investigations around the country.
In a case prosecuted by the United States Attorney’s Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.
RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM
The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC—a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department’s report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.
Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint (“Complaint”) form was made available in October 2006 via the FTC’s Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC’s Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.
RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR
Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:
Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service’s current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim’s credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.
2. Coordination With Foreign Law Enforcement
Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.
Because of the international nature of many forms of identity theft, providing assistance to, and receiving assistance from, foreign law enforcement on identity theft is critical for U.S. enforcement agencies. Under current law, the United States generally is able to provide such assistance, which fulfills our obligations under various treaties and enhances our ability to obtain reciprocal assistance from foreign agencies. Indeed, there are numerous examples of collaborations between U.S. and foreign law enforcement in identity theft investigations.
Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country’s law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.
Second, certain statutes governing foreign requests for electronic and other evidence—specifically 18 U.S.C. § 2703 and 28 U.S.C. § 1782—fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.
The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.
RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT
The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.
RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE
Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention’s standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings and should continue until broad international acceptance of the Convention on Cybercrime is achieved.
RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES
Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.
RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT’S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT
The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).
RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT
Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.
3. Prosecution Approaches and Initiatives
As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney’s Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney’s Office in the District of Oregon has an identity theft “fast track” program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney’s Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.
Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney’s Offices have monetary thresholds—i.e., requirements that a certain amount of monetary loss must have been suffered by the victims—before the U.S. Attorney’s Office will open an identity theft case. When a U.S. Attorney’s Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.
RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT
The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:
Designate An Identity Theft Coordinator for Each United States Attorney’s Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney’s Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.
Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney’s Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.
Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.
Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.
RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES
Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:
Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals’ SSNs or other sensitive information to anyone who provides them with the individual’s name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.
Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries’ and providers’ identities and identification numbers, the opening of bank accounts in individuals’ names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.
Identity Theft By Illegal AliensLawenforcementagenciesparticularlytheDepartmentof HomelandSecurityshouldconducttargetedenforcementinitiativesdirectedatillegalalienswhousestolenidentitiestoenterorstayintheUnitedStates
RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS
By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.
4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps
Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.
a. The Identity Theft Statutes
The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.76 Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.
There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of “a person,” it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization’s name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.
b. Computer-Related Identity Theft Statutes
Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company’s internal local networks or by a thief intruding into a wireless network generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer’s wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney’s Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.
A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause “damage” to computers, i.e., that impair the “integrity or availability” of data or computer systems.77 Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals’ computers. Whether the programs succeed in obtaining the unsuspecting computer owner’s financial data, these sorts of programs harm the “integrity” of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.
c. Cyber-Extortion Statute
Another federal criminal statute that may apply in some computer-related identity theft cases is the “cyber-extortion” provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat “to cause damage to a protected computer,”78 is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first—such as by accessing a corporate computer without authority and encrypting critical data—and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly “threaten to cause damage” can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.
d. Sentencing Guidelines Governing Identity Theft
In recent years, the courts have created some uncertainty about the applicability of the “multiple victim enhancement” provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.79
RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES
The Task Force recommends that Congress take the following legislative actions:
Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.
Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases—mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A—in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.
Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.
Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant’s action must cause “damage” to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.
Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.
RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF’S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM
The Sentencing Commission should amend the definition of “victim,” as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.
5. Training of Law Enforcement Officers and Prosecutors
Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney’s Offices, for example, several federal law enforcement agencies—including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI—along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.
Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges—including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft—that warrant more specialized training at all levels of law enforcement.
RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS
Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ’s Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any “model programs”—fast track programs, etc.).
Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.
Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.
Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.
6. Measuring Success of Law Enforcement Efforts
One shortcoming in the federal government’s ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.
Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.
RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM’S RESPONSE TO IDENTITY THEFT
Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.
Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.
Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.
Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an “Identity Theft” category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.
Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.
IV. Conclusion: The Way Forward
There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.
Only a comprehensive and fully coordinated strategy to combat identity theft—one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector—will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders—consumers, business, and government—must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well-being.
Appendices
APPENDIX A
Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol
APPENDIX B
Proposed Routine Use Language
Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12,990, 12,993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28,948, 28,953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.
Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:80
To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.
Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.
Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.
APPENDIX C
Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)
Proposed Language
(a) Section 3663 of Title 18, United States Code, is amended by:
(1) Deleting “and” at the end of paragraph (4) of subsection (b);
(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “and”; and
(3) Adding the following after paragraph (5) of subsection (b):
“(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”
Make conforming changes to the following:
(b) Section 3663A of Title 18, United States Code, is amended by:
(1) Adding the following after Section 3663A(b)(4):
“(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”
Section Analysis
These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim’s time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim’s time spent clearing a victim’s credit report or resolving charges made by the perpetrator for which the victim has been made responsible.
New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear that restitution orders may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense. The federal courts of appeals have interpreted the existing provisions of Section 3663 in such a way that would likely preclude the recovery of such amounts, absent explicit statutory authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th Cir. 1990), the court held that restitution ordered for offenses resulting in loss of property must be limited to recovery of property which is the subject of the offenses, and may not include consequential damages. Similarly, in United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held that the list of compensable expenses in a restitution statute is exclusive, and thus the district court did not have the authority to order the defendant to pay restitution to compensate the victim for mental anguish and suffering. Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court held that restitution was not allowed for consequential damages involved in determining the amount of loss or in recovering those funds; thus, a victim of wire fraud was not entitled to restitution for accounting fees and costs to reconstruct bank statements for the time period during which the defendant perpetuated the scheme, for the cost of temporary employees to reconstruct monthly bank statements, and for the costs incurred in borrowing funds to replace stolen funds. These new subsections will provide statutory authority for inclusion of amounts equal to the value of the victim’s time reasonably spent remediating the harm incurred as a result of the identity theft offense.
APPENDIX D
Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512
The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.
Proposed Language
§ 2703. Required disclosure of customer communications or records
(a) Contents of wire or electronic communications in electronic storage.—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.
(b) Contents of wire or electronic communications in a remote computing service.—(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—
(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or
(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—
(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or
(ii) obtains a court order for such disclosure under subsection (d) of this section;
except that delayed notice may be given pursuant to section 2705 of this title.
(c) Records concerning electronic communication service or remote computing service.—(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—
(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;
§ 2711. Definitions for chapter
As used in this chapter—
(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;
(2) the term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system; and
(3) the term “court of competent jurisdiction” has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that –
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or
(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.
§ 3127. Definitions for chapter
As used in this chapter—
(1) the terms “wire communication,” “electronic communication,” “electronic communication service,” and “contents” have the meanings set forth for such terms in section 2510 of this title;
(2) the term “court of competent jurisdiction” means—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that –
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located;
(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or
(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device.
§ 3512. Foreign requests for assistance in criminal investigations and prosecutions
(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.
(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –
(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;
(2) administer any necessary oath; and
(3) take testimony or statements and receive documents or other things.
(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –
(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;
(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents, or things may be located; or
(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.
(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.
(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.
(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.
(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.
(h) As used in this section –
(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and
(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.
APPENDIX E
Text of Amendments to 18 U.S.C. §§ 1028 and 1028A
The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.
Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses
Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically, mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A—in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).
Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations
(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.
Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.
(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “or other person” after the word “individual”.
Rationale
Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized “appropriation” of legitimate companies’ names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation, sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy, and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.
One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as “phishing,” whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme—for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.
Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special “horror story” which stands above the rest. In August 2005, the “Anti-Phishing Working Group” determined in just that month alone, there were 5,259 unique phishing websites around the world. By December 2005, that number had increased to 7,197, and there were 15,244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities’ names (and even logos and web content) were “hijacked” (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., http://antiphishing.org/apwg_phishing_activity_report_august_05.pdf.
In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks and companies’ names in communications with victims or in counterfeit checks.
Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code, to apply only to “natural” persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.
APPENDIX F
Text of Amendment to 18 U.S.C. § 1030(a)(2)
The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
1030(a) Whoever—
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains –
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
APPENDIX G
Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b
The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
18 U.S.C. § 1030
(a) Whoever—
(5)
(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
(c) The punishment for an offense under subsection (a) or (b) of this section is—
(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(3) (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;
(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section; and
(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and
(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.
(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety;
(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or
(vi) damage affecting ten or more protected computers during any 1-year period;
or an attempt to commit an offense punishable under this subparagraph;
(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph;
(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both;
(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both; or
(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph.
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
18 U.S.C. § 2332b(g)(5)(B)(I)
1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)
APPENDIX H
Text of Amendments to 18 U.S.C. § 1030(a)(7)
The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.
Proposed Language
18 U.S.C. § 1030(a)(7)
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any –
(a) threat to cause damage to a protected computer;
(b) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;
APPENDIX I
Text of Amendment to United States Sentencing Guideline § 2B1.1
The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.
Proposed language for United States Sentencing Guidelines § 2B1.1, comment. (n.1)
“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.
APPENDIX J
Description of Proposed Surveys
In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:
• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.
• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3,000 agencies. The sample includes all agencies with 100 or more officers and a stratified random sample of smaller agencies as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.
• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.
• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the post conviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.
• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.
• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.
ENDNOTES
1 Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.
2 The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.
3 The public comments are available at www.idtheft.gov.
4 Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”
5 See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at http://www.usdoj.gov/usao/miw/press/JMiller_Others10172006.html.
6 Javelin Strategy and Research, 2007 Identity Fraud Survey Report: Identity Fraud is Dropping, Continued Vigilance Necessary (Feb. 2007), summary available at http://www.javelinstrategy.com; Bureau of Justice Statistics (DOJ) (2004), available at http://www.ojp.usdoj.gov/bjs/pub/pdf/it04.pdf; Gartner, Inc. (2003), available at http://www.gartner.com/5_about/press_releases/pr21july2003a.jsp; FTC 2003 Survey Report (2003), available at http://www.consumer.gov/idtheft/pdf/synovate_report.pdf.
7 See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection, BSA Survey Suggests (Jan. 12, 2006), available at http://www.bsacybersafety.com/news/2005-Online-Shopping-Confidence.cfm.
8 See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at https://www.csialliance.org/publications/surveys_and_polls/CSIA_Internet_Security_Survey_June_2005.pdf.
9 See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at http://www.usdoj.gov/usao/fls/PressReleases/060719-01.html.
10 See, e.g., John Leland, Meth Users, Attuned to Detail, Add Another Habit: ID Theft, New York Times, July 11, 2006, available at http://www.nytimes.com/2006/07/11/us/11meth.html?ex=1153540800&en=7b6c7773afa880be&ei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit: Online Theft, USA Today, December 14, 2005, available at http://www.usatoday.com/tech/news/internetprivacy/2005-12-14-meth-online-theft_x.htm.
11 Bob Mims, Id Theft Is the No. 1 Runaway U.S. Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526.
12 Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, http://deseretnews.com/dn/view/0,1249,600129714,00.html.
13 Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at http://www.nytimes.com/2003/12/21/magazine/21IDENTITY.html?ex=1387342800&en=b693eef01223bc3b&ei=5007&partner=USERLAND.
14 Pub. L. No. 108-159, 117 Stat. 1952.
15 The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).
16 Overview of Attack Trends, CERT Coordination Center 2002, available at http://www.cert.org/archive/pdf/attack_trends.pdf.
17 Lanowitz, T., Gartner Research ID Number G00127407, December 1, 2005.
18 “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at http://www.consumeraffairs.com/news04/2006/07/scam_vishing.html.
19 Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal: Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See http://www.ftc.gov/opa/2006/05/phonerecords.htm.
20 The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at http://www.ftc.gov/opa/2002/03/pretextingsettlements.htm.
21 See, e.g., Computers Stolen with Data on 72,000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.
22 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a).
23 Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.
24 See http://www.bizjournals.com/philadelphia/stories/2006/07/24/daily30.html. See also Identity Theft Resource Center, Fact Sheet 126: Checking Account Takeover and Check Fraud, http://www.idtheftcenter.org/vg126.shtml.
25 For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37,000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at http://www.sec.gov/litigation/litreleases/2006/lr19949.htm.
26 For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.
27 See John Leland, Some ID Theft Is Not For Profit, But to Get a Job, N.Y. Times, Sept. 4, 2006.
28 See World Privacy Forum, Medical Identity Theft: The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf.
29 See http://www.idanalytics.com/news_and_events/20051208.htm. Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.
30 Government Accounting Office, Social Security Numbers: Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004), at 2, available at http://www.gao.gov/new.items/d0559.pdf.
31 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.
32 5 U.S.C. § 552a.
33 See, e.g., Ariz. Rev. Stat. § 44-1373.
34 Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain, GAO-05-1016T, September 15, 2005.
35 See, e.g., www.wpsic.com/edi/comm_sub_p.shtml?mm=3, Non-SSN Member Numbers to Be Assigned for Privacy Protection.
36 Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.
37 The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”
38 See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).
39 The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.
40 See http://www.whitehouse.gov/results/agenda/scorecard.html.
41 The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.
42 15 U.S.C. §§ 6801-09; 16 CFR Part 313 (FTC); 12 CFR Part 30, App. B (OCC, national banks); 12 CFR Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 CFR Part 364, App. B (FDIC, state non-member banks); 12 CFR Part 570, App. B (OTS, savings associations); 12 CFR Part 748, App. A (NCUA, credit unions); 16 CFR Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 CFR Part 248.30 (SEC); 17 CFR Part 160.30 (CFTC).
43 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.
44 15 U.S.C. §§ 1681-1681x, as amended.
45 Pub. L. No. 108-159, 117 Stat. 1952.
46 42 U.S.C. §§ 1320d et seq.
47 31 U.S.C. § 5318(l).
48 18 U.S.C. §§ 2721 et seq.
49 http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm.
50 http://www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf; www.staysafeonline.org/basics/company/basic_tips.html; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at www.bitsinfo.org/downloads/Publications%20Page/bitsconscon.pdf; www.realtor.org/realtororg.nsf/files/NARInternetSecurityGuide.pdf/$FILE/NARInternetSecurityGuide.pdf; www.antiphishing.org/reports/bestpracticesforisps.pdf; www.uschamber.com/sb/security/default.htm; www.truste.org/pdf/SecurityGuidelines.pdf; www.the-dma.org/privacy/informationsecurity.shtml; http://www.staysafeonline.org/basics/company/basic_tips.html.
51 These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 CFR Part 30, App. B (national banks); 12 CFR Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 CFR Part 364, App. B (state non-member banks); 12 CFR Part 570, App. B (savings associations); 12 CFR Part 748, App. A and B, and 12 CFR Part 717 (credit unions); 16 CFR Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).
52 See, e.g., http://www.truste.org/pdf/SecurityGuidelines.pdf; http://www.the-dma.org/privacy/informationsecurity.shtml.
53 Deloitte Financial Services, 2006 Global Security Survey, available at http://singe.rucus.net/blog/archives/756-Deloitte-Security-Surveys.html.
54 Datalink, Data Storage Security Study, March 2006, available at www.datalink.com/security.
55 Id.
56 See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).
57 See, e.g., California (Cal. Civ. Code § 1798.82 (2006)), Illinois (815 Ill. Comp. Stat. 530/5 (2005)), Louisiana (La. Rev. Stat. 51:3074 (2006)), Rhode Island (R.I. Gen. Laws § 11-49.2-3 (2006)).
58 See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)), Florida (Fla. Stat. § 817.5681 (2005)), New York (NY CLS Gen. Bus. § 889-aa (2006)), Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).
59 Ponemon Institute LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, p. 16 (Apr. 26, 2006).
60 Id.
61 Ponemon Institute LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).
62 MultiChannel Merchant, Retailers Need to Provide Greater Data Security, Survey Says (Dec. 1, 2005), available at http://multichannelmerchant.com/opsandfulfillment/advisor/retailers_data_security_1201/index.html.
63 See Information Technology Examination Handbook’s Information Security Booklet, available at http://www.ffiec.gov/guides.htm.
64 See, e.g., http://www.pvkansas.com/police/crime/iden_theft.shtml (Prairie Village, Kansas); http://phoenix.gov/POLICE/dcd1.html (Phoenix, Arizona); www.co.arapahoe.co.us/departments/SH/index.asp (Arapahoe County, Colorado).
65 Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.
66 Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.
67 See 31 CFR § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 CFR § 103.122 (broker-dealers); 17 CFR § 270.0-11, 31 CFR § 103.131 (mutual funds); and 31 CFR § 103.123 (futures commission merchants and introducing brokers).
68 See http://www.dhs.gov/xprevprot/laws/gc_1172765386179.shtm.
69 A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.
Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages before too much harm is done. See 71 Fed. Reg. 40786 (July 18, 2006), to be codified at 12 CFR Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 CFR Part 681 (FTC), available at http://www.occ.gov/fr/fedregister/71fr40786.pdf.
70 USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information, such as a PIN, to allow access to a computer network. This system is frequently used to allow for remote access to a workstation for a telecommuter.
71 Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at www.biometrics.gov.
72. See Authentication in an Internet Banking Environment (October 12, 2005), available at http://www.ffiec.gov/pdf/authentication_guidance.pdf.
73. See FFIEC, Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at http://www.ffiec.gov/pdf/authentication_faq.pdf.
74. See Kristin Davis and Jessica Anderson, But Officer, That Isn’t Me, Kiplinger’s Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va. Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).
75. 18 U.S.C. § 1028A.
76. 18 U.S.C. § 1028(d)(7).
77. See 18 U.S.C. § 1030(e)(8).
78. 18 U.S.C. § 1030(a)(7).
79. S. Rep. No. 105-274, at 9 (1998).
80. As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.
Glossary of Acronyms
AAMVA – American Association of Motor Vehicle Administrators
AARP – American Association of Retired Persons
ABA – American Bar Association
APWG – Anti-Phishing Working Group
BBB – Better Business Bureau
BIN – Bank Identification Number
BJA – Bureau of Justice Assistance
BJS – Bureau of Justice Statistics
CCIPS – Computer Crime and Intellectual Property Section (DOJ)
CCMSI – Credit Card Mail Security Initiative
CFAA – Computer Fraud and Abuse Act
CFTC – Commodity Futures Trading Commission
CIO – Chief Information Officer
CIP – Customer Identification Program
CIRFU – Cyber Initiative and Resource Fusion Center
CMRA – Commercial Mail Receiving Agency
CMS – Centers for Medicare and Medicaid Services (HHS)
CRA – Consumer reporting agency
CVV2 – Card Verification Value 2
DBFTF – Document and Benefit Fraud Task Force
DHS – Department of Homeland Security
DOJ – Department of Justice
DPPA – Drivers Privacy Protection Act of 1994
FACT Act – Fair and Accurate Credit Transactions Act of 2003
FBI – Federal Bureau of Investigation
FCD – Financial Crimes Database
FCRA – Fair Credit Reporting Act
FCU Act – Federal Credit Union Act
FDI Act – Federal Deposit Insurance Act
FDIC – Federal Deposit Insurance Corporation
FEMA – Federal Emergency Management Agency
FERPA – Family and Educational Rights and Privacy Act of 1974
FFIEC – Federal Financial Institutions Examination Council
FIMSI – Financial Industry Mail Security Initiative
FinCEN – Financial Crimes Enforcement Network (Department of Treasury)
FISMA – Federal Information Security Management Act of 2002
FRB – Federal Reserve Board of Governors
FSI – Financial Services, Inc.
FTC – Federal Trade Commission
FTC Act – Federal Trade Commission Act
GAO – Government Accountability Office
GLB Act – Gramm-Leach-Bliley Act
HHS – Department of Health and Human Services
HIPAA – Health Insurance Portability and Accountability Act of 1996
IACP – International Association of Chiefs of Police
IAFCI – International Association of Financial Crimes Investigators
IC3 – Internet Crime Complaint Center
ICE – U.S. Immigration and Customs Enforcement
IRS – Internal Revenue Service
IRS CI – IRS Criminal Investigation Division
IRTPA – Intelligence Reform and Terrorism Prevention Act of 2004
ISI – Intelligence Sharing Initiative (U.S. Postal Inspection Service)
ISP – Internet service provider
ISS LOB – Information Systems Security Line of Business
ITAC – Identity Theft Assistance Center
ITCI – Information Technology Compliance Institute
ITRC – Identity Theft Resource Center
MCC – Major Cities Chiefs
NAC – National Advocacy Center
NASD – National Association of Securities Dealers, Inc.
NCFTA – National Cyber Forensic Training Alliance
NCHELP – National Council of Higher Education Loan Programs
NCUA – National Credit Union Administration
NCVS – National Crime Victimization Survey
NDAA – National District Attorneys Association
NIH – National Institutes of Health
NIST – National Institute of Standards and Technology
NYSE – New York Stock Exchange
OCC – Office of the Comptroller of the Currency
OIG – Office of the Inspector General
OJP – Office of Justice Programs (DOJ)
OMB – Office of Management and Budget
OPM – Office of Personnel Management
OTS – Office of Thrift Supervision
OVC – Office for Victims of Crime (DOJ)
PCI – Payment Card Industry
PIN – Personal Identification Number
PMA – President’s Management Agenda
PRC – Privacy Rights Clearinghouse
QRP – Questionable Refund Program (IRS CI)
RELEAF – Operation Retailers & Law Enforcement Against Fraud
RISS – Regional Information Sharing Systems
RITNET – Regional Identity Theft Network
RPP – Return Preparer Program (IRS CI)
SAR – Suspicious Activity Report
SBA – Small Business Administration
SEC – Securities and Exchange Commission
SMP – Senior Medicare Patrol
SSA – Social Security Administration
SSL – Security Socket Layer
SSN – Social Security number
TIGTA – Treasury Inspector General for Tax Administration
UNCC – United Nations Crime Commission
USA PATRIOT Act – Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Pub. L. No. 107-56)
USB – Universal Serial Bus
US-CERT – United States Computer Emergency Readiness Team
USPIS – United States Postal Inspection Service
USSS – United States Secret Service
VHA – Veterans Health Administration
VOIP – Voice Over Internet Protocol
VPN – Virtual private network
WEDI – Workgroup for Electronic Data Interchange
Identity Theft Task Force Members
Alberto R. Gonzales, Chairman, Attorney General
Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission
Henry M. Paulson, Department of Treasury
Carlos M. Gutierrez, Department of Commerce
Michael O. Leavitt, Department of Health and Human Services
R. James Nicholson, Department of Veterans Affairs
Michael Chertoff, Department of Homeland Security
Rob Portman, Office of Management and Budget
John E. Potter, United States Postal Service
Ben S. Bernanke, Federal Reserve System
Linda M. Springer, Office of Personnel Management
Sheila C. Bair, Federal Deposit Insurance Corporation
Christopher Cox, Securities and Exchange Commission
JoAnn Johnson, National Credit Union Administration
Michael J. Astrue, Social Security Administration
John C. Dugan, Office of the Comptroller of the Currency
John M. Reich, Office of Thrift Supervision
Letter to the President
April 11, 2007
The Honorable George W. Bush
President of the United States
The White House
Washington, D.C.
Dear Mr. President:
By establishing the President’s Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government’s efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution.
To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.
The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft’s damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.
There is no quick solution to this problem. But we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.
Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President’s Task Force on Identity Theft.
Very truly yours,
Alberto R. Gonzales, Chairman
Attorney General
Deborah Platt Majoras, Co-Chairman
Chairman, Federal Trade Commission
I. Executive Summary
From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.
A. INTRODUCTION
Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,[1] which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies[2] have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.
Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government—from the largest cities with major police departments to the smallest towns with one fraud detective—identity theft has placed increasingly pressing demands on law enforcement.
Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.
In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.[3] The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.
The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.
These communications from the public went a long way toward informing the Task Force’s recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.
B. THE STRATEGY
Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud. Identity theft has at least three stages in its “life cycle,” and it must be attacked at each of those stages:
First, the identity thief attempts to acquire a victim’s personal information.
Criminals must first gather personal information, either through low-tech methods—such as stealing mail or workplace records, or “dumpster diving”—or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.
Second, the thief attempts to misuse the information he has acquired.
In this stage, criminals have acquired the victim’s personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:
Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.
New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim’s name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.
In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.
Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.
In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation’s citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.
The Plan focuses on improvements in four key areas:
• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.
In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:
• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.
The Task Force believes that all of the recommendations in this strategic plan—from these broad policy changes to the small steps—are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President’s Task Force on Identity Theft:
PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While “perfect security” does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.
Data Security in Public Sector
Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management
• Survey current use of SSNs by federal government
• Issue guidance on appropriate use of SSNs
• Establish clearinghouse for “best” agency practices that minimize use of SSNs
• Work with state and local governments to review use of SSNs
Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance
• Develop concrete guidance and best practices
• Monitor agency compliance with data security guidance
• Protect portable storage and communications devices
Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies
• Issue data breach guidance to agencies
• Publish a “routine use” allowing disclosure of information after a breach to those entities that can assist in responding to the breach
Data Security in Private Sector
Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements
Develop Comprehensive Record on Private Sector Use of Social Security Numbers
Better Educate the Private Sector on Safeguarding Data
• Hold regional seminars for businesses on safeguarding information
• Distribute improved guidance for private industry
Initiate Investigations of Data Security Violations
Initiate a Multi-Year Public Awareness Campaign
• Develop national awareness campaign
• Enlist outreach partners
• Increase outreach to traditionally underserved communities
• Establish “Protect Your Identity” Days
Develop Online Clearinghouse for Current Educational Resources
PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.
Authentication includes determining a person’s identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: Identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.
Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factor authentication or layered security—would go a long way toward preventing criminals from profiting from identity theft.
Hold Workshops on Authentication
• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity
• Issue report on workshop findings
Develop a Comprehensive Record on Private Sector Use of SSNs
VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Identity theft can be committed despite a consumer’s best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.
Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims
• Train law enforcement officers
• Provide educational materials for first responders that can be used as a reference guide for identity theft victims
• Create and distribute an ID Theft Victim Statement of Rights
• Design nationwide training for victim assistance counselors
Develop Avenues for Individualized Assistance to Identity Theft Victims
Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered
Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes
Assess Efficacy of Tools Available to Victims
• Conduct assessment of FACT Act remedies under FCRA
• Conduct assessment of state credit freeze laws
LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.
Coordination and Information/Intelligence Sharing
Establish a National Identity Theft Law Enforcement Center
Develop and Promote the Use of a Universal Identity Theft Report Form
Enhance Information Sharing Between Law Enforcement and the Private Sector
• Enhance ability of law enforcement to receive information from financial institutions
• Initiate discussions with financial services industry on countermeasures to identity theft
• Initiate discussions with credit reporting agencies on preventing identity theft
Coordination with Foreign Law Enforcement
Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft
Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime
Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies
Enhance the United States Government’s Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft
Assist, Train, and Support Foreign Law Enforcement
Prosecution Approaches and Initiatives
Increase Prosecutions of Identity Theft
• Designate an identity theft coordinator for each United States Attorney’s Office to design a specific identity theft program for each district
• Evaluate monetary thresholds for prosecution
• Encourage state prosecution of identity theft
• Create working groups and task forces
Conduct Targeted Enforcement Initiatives
• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale
• Conduct enforcement initiatives focused on identity theft related to the health care system
• Conduct enforcement initiatives focused on identity theft by illegal aliens
Review Civil Monetary Penalty Programs
Gaps in Statutes Criminalizing Identity Theft
Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes
• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted
• Add new crimes to the list of predicate offenses for aggravated identity theft offenses
• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications
• Penalize creators and distributors of malicious spyware and keyloggers
• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion
Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim
Law Enforcement Training
Enhance Training for Law Enforcement Officers and Prosecutors
• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft
• Increase number of regional identity theft seminars
• Increase resources for law enforcement on the Internet
• Review curricula to enhance basic and advanced training on identity theft
Measuring the Success of Law Enforcement
Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft
• Gather and analyze statistically reliable data from identity theft victims
• Expand scope of national crime victimization survey
• Review U.S. Sentencing Commission data
• Track prosecutions of identity theft and resources spent
• Conduct targeted surveys
II. The Contours of the Identity Theft Problem
Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.
Identity theft—the misuse of another individual’s personal information to commit fraud—can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.
Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain’s identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain’s name and with his Social Security number. The military identification, combined with the victim’s then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim’s name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim’s name.[4]
In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim’s existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim’s safe-deposit boxes.[5]
In these ways and others, consumers’ lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.
“I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver’s license was suspended. I hold three licenses in the State of Ohio—my driver’s license, my real estate license, and my RN license. After learning my driver’s license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter.”
Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003
A. PREVALENCE AND COSTS OF IDENTITY THEFT
There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.
Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.
In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.
In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.
Consumers' fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.
B. IDENTITY THIEVES: WHO THEY ARE
Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC's 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.
Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.
Individuals
According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners' mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9
A number of recent reports have focused on the connection between individual methamphetamine ("meth") users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.
In an article entitled "Waitress Gets Own ID When Carding Patron," the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver's license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.
In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $181,517.05 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver's license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.
Significant Criminal Groups and Organizations
Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups—including national gangs such as Hell's Angels and MS-13—are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.
Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user's Internet connection, without the user's knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services—such as software templates for making counterfeit identification cards and payment card magnetic strip encoders—that make the stolen data even more valuable to those who have it.
C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE
Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim's name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.
Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.
In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant's accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an "unprecedented, wide-ranging, organized criminal enterprise" that "engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers." The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.
The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.
Common Theft and Dumpster Diving
While often considered a "high tech" crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as "dumpster diving."13 Still others steal information using techniques no more sophisticated than purse snatching.
Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice
A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.
Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed—a measure that is intended, among other things, to reduce the ability of a "dumpster diver" to obtain a victim's credit card number simply by looking through that victim's discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15
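
The receipt truncation that the FACT Act requires can be both enforced and audited in point-of-sale software. The following Python code is an added example, not part of the Task Force report: it masks card numbers in receipt text before printing and reports any line that still shows a full number. Keeping the last four digits, the function names, and the sample receipt are assumptions of this example.

```python
import re

# A run of 13-19 digits, optionally grouped by single spaces or hyphens,
# is treated as a candidate primary account number (PAN).
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Assumption of this example: the report does not say how many digits may remain.
KEEP_LAST = 4


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:          # double every second digit from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def mask_pan(raw, keep_last=KEEP_LAST):
    """Replace every digit except the last `keep_last` with '*', keeping separators."""
    digit_total = sum(c.isdigit() for c in raw)
    masked, seen = [], 0
    for c in raw:
        if c.isdigit():
            seen += 1
            masked.append(c if seen > digit_total - keep_last else "*")
        else:
            masked.append(c)
    return "".join(masked)


def truncate_receipt(text, keep_last=KEEP_LAST):
    """Mask Luhn-valid card numbers; other long digit runs (order IDs) are left alone."""
    def replace(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(match.group(0), keep_last) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(replace, text)


def audit_receipt(text):
    """Return (line number, masked number) for each line that still prints a full PAN.

    The finding carries the masked form so the audit log never stores the number.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            if luhn_valid(re.sub(r"\D", "", match.group(0))):
                findings.append((lineno, mask_pan(match.group(0))))
    return findings


# Constructed sample receipt; the card number is a published test value, not a real account.
SAMPLE_RECEIPT = """\
CORNER CAFE          ORDER 1234567890123456
VISA 4111 1111 1111 1111
AUTH CODE 048213
TOTAL $23.50
"""

if __name__ == "__main__":
    print(audit_receipt(SAMPLE_RECEIPT))
    print(truncate_receipt(SAMPLE_RECEIPT))
```

Running `audit_receipt` over archived receipt output is a quick way to confirm that no terminal or template still prints full numbers.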
Employee/Insider Theft
Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee's access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.
Electronic Intrusions or Hacking
Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.
Second, hackers also can gain access to underlying applications—programs used to "communicate" between Internet users and a company's internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker's application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.
According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.
Social Engineering: Phishing, Malware/Spyware, and Pretexting
Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as "social engineering," can take a variety of forms.
In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution's screening practices came to light through the OCC's review of the former employee's activities.
In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe's Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe's retail store in Michigan and gained access to Lowe's central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe's retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.
Phishing: "Phishing" is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to "reenter" or "validate" their personal data. Such phishing schemes often mimic financial institutions' websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed "vishing," in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18
"Phishing" Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group
At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS's website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.
Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users' computers and data without the users' permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user's Internet sessions back to the hacker, including user names and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims' passwords and other useful data—such as "sniffing" Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.
Pretexting: Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer's account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer's name.20
Stolen Media
In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an "incidental" manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded—such as through the use of technological tools for protecting data—this information can be accessed and used to steal the victim's identity. Identity thieves also may obtain consumer data when it is lost or misplaced.
Failure to "Know Your Customer"
Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.
The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.
Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.
In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.
"Skimming"
Because it is possible to use someone's credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as "skimmers." A skimmer is an inexpensive electronic device with a slot through which a person passes or "skims" a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer's sight, he can skim the card through the device and then swipe it through the restaurant's own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer's card, as well as the consumer's password.
D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT
Once they obtain victims' personal information, criminals misuse it in endless ways, from opening new accounts in the victim's name, to accessing the victim's existing accounts, to using the victim's name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.
Misuse of Existing Accounts
Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer's wallet.
A "skimmer." Source: Durham, Ontario Police
In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.
Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims' bank accounts, including checking accounts—sometimes referred to as "account takeovers."24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims' online brokerage accounts.25
Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26
New Account Fraud
A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim's name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.
Criminal's skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer's keystrokes. Source: University of Texas Police Department
In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor's Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.
When criminals establish new credit card accounts in others' names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others' names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.
"Brokering" of Stolen Data
Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as "carding sites," traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.
Immigration Fraud
In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.
Medical Identity Theft
Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim's identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.
Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney's Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver's licenses, credit, or even medical services because someone had improperly used their personal information before.
Other Frauds
Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS's Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.
With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services' Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.
Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney's Office for the Southern District of New York obtained a criminal conviction against him in 2002.
In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant's allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.
III. A Strategy to Combat Identity Theft
Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its "lifecycle," it must be attacked at each of those stages, including:
when the identity thief attempts to acquire a victim's personal information;
when the thief attempts to misuse the information he has acquired; and
after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
The federal government's strategy to combat identity theft must address each of these stages by:
keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;
making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;
assisting victims in recovering from the crime; and
deterring identity theft by aggressively prosecuting and punishing those who commit the crime.
A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force's recommendations, as described below, are focused on those areas.
A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as “perfect security,” some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.
The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.[29] Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.
1. Decreasing the Unnecessary Use of Social Security Numbers
The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim’s SSN and certain other information generally can open accounts or obtain other benefits in the victim’s name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.
SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers’ earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, is expressly authorized by statute.
The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.
Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students’ identification number for a range of purposes, from administering loans to tracking grades, and may place it on students’ identification cards, although usage for these purposes is declining.
In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver’s licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.
SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.[30] Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.
No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations’ disclosure of SSNs without patient authorization; and the Driver’s Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 “permissible uses.”[31] In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.[32] A number of state statutes restrict the use and display of SSNs in certain contexts.[33] Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.[34]
There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.
Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization’s internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN’s use as an authenticator.
In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA’s Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.
Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber’s identification number.[35] Additionally, the Department of Treasury’s Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.
More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.
RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR
To limit the unnecessary use of SSNs in the public sector—and to begin to develop alternative strategies for identity management—the Task Force recommends the following:
Complete Review of Use of SSNs. As recommended in the Task Force’s interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in “any system of permanent account numbers pertaining to individuals,” should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.
When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim’s name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief’s medical information was added to the victim’s medical records.
Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.
Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.[36]
Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB’s review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices—including the development of any alternative strategies for identity management—to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.
Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments—through organizations such as the National Governor’s Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems—to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders—including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.
2. Data Security in the Public Sector
While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.
a. Safeguarding of Information in the Public Sector
Two sets of laws and associated policies frame the federal government’s responsibilities in the area of data security. The first specifically governs the federal government’s information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.[37] The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a “time-out” function for remote access and mobile devices.[38] The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.[39]
Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President’s Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.[40]
Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.
Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.
b. Responding to Data Breaches in the Public Sector
Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.
The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.
RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE
To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:
Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 “mistakes” to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.
Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency’s quarterly PMA Scorecard.
Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency’s PMA scorecard.
RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES
To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:
Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.
Publish a “Routine Use” Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.[41] DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.
3. Data Security in the Private Sector
Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.
a. The Current Legal Landscape
Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act, and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;[42] Section 5 of the FTC Act, which prohibits unfair or deceptive practices;[43] the FCRA,[44] which restricts access to consumer reports and imposes safe disposal requirements, among other things;[45] HIPAA, which protects health information;[46] Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,[47] which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers’ personal information.[48] See Volume II, Part A, for a description of federal laws and regulations related to data security.
The federal bank regulatory agencies—the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)—and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation.
BJ’s Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ’s stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers, and led to millions of dollars in fraudulent charges.
In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.
In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,[49] and some states have laws relevant to data security, including safeguards and disposal requirements.
Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.[50]
Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution’s sensitive data to safeguard that data.[51] Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor’s data center, and requiring vendors to provide certification that they are in compliance with the contracting organization’s privacy and data protection obligations.[52]
b. Implementation of Data Security Guidelines and Rules
Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.
In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company’s website permitted unauthorized access to consumers’ personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.
In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.
Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.[53] But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.[54] The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.[55]
Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.[56] For example, of the small businesses surveyed:
• nearly 20 percent did not use virus scans for email, a basic information security safeguard;
• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;
• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and
• 74 percent reported having no information security plan in place.
Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies—sometimes pursuant to law or regulations issued by agencies—are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.
In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company’s security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.
c responding to Data Breaches in the Private Sector
Althoughthelinkbetweendatabreachesandidentitytheftisunclearreportsof privatesectordatasecuritybreachesaddtoconsumersrsquofearof identitythievesgainingaccesstosensitiveconsumerinformationandundermineconsumerconfidencePursuanttotheGLBActthefinancialregulatoryagenciesrequirefinancialinstitutionsundertheirjurisdictiontoimplementprogramsdesignedtosafeguardcustomerinformationInadditionthefederalbankregulatoryagencies(FDICFRBNCUAOCCandOTS)haveissuedguidancewithrespecttobreachnotificationInaddition37stateshavelawsrequiringthatconsumersbenotifiedwhentheirinformationhasbeensubjecttoabreach57Someof thelawsalsorequirethattheentitythatexperiencedthebreachnotifylawenforcementconsumerreportingagenciesandotherpotentiallyaffectedparties58NoticetoconsumersmayhelpthemavoidormitigateinjurybyallowingthemtotakeappropriateprotectiveactionssuchasplacingafraudalertontheircreditfileormonitoringtheiraccountsInsomecasestheorganizationexperiencingthebreachhasofferedadditionalassistanceincludingfreecreditmonitoringservicesMoreoverpromptnotificationtolawenforcementallowsfortheinvestigationanddeterrenceof identitytheftandrelatedunlawfulconduct
The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.
A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.
In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.
Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.59 Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.60 A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.61 Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.62
RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS
Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to “financial institutions,” but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles:
Covered data. The national standards for data security and for breach notification should cover data that can be used to perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual’s account, or to establish a new account using the individual’s identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver’s license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter “covered data”). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.
When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.
Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.
Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent “acquisition” of the data, and thus ordinarily would satisfy an entity’s legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.
Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This “significant risk of identity theft” trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real.
Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).
Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.
Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.
Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.
Private right of action. The national standards should not provide for or create a private right of action.
Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information, protect against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.
RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA
Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately is less likely to suffer a data compromise. The Task Force therefore makes the following recommendations concerning how to better educate the private sector:
When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.
Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar’s leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force’s online clearinghouse at www.idtheft.gov.
Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook’s Information Security Booklet, issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.
RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS
Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.
A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company’s cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.
4. EDUCATING CONSUMERS ON PROTECTING THEIR PERSONAL INFORMATION
The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.
The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of “Deter, Detect, and Defend,” which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter), encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect), and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.
The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.
Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims’ coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted “Consumer Action Days,” with free seminars about identity theft and other consumer protection issues.
Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.64 As of this writing, more than 500 local police departments are using the FTC’s “Deter, Detect, Defend” campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.
Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons—including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms—students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.65 In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.66
Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide—how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath—are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.
RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN
Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC’s current “AvoID Theft: Deter, Detect, Defend” campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:
Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.
Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.
Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.
Establish “Protect Your Identity Days.” The campaign should establish “Protect Your Identity Days” to promote better data security by businesses and individual commitment to security by consumers. These “Protect Your Identity Days” should also build on the popularity of community “shred-ins” by encouraging community and business organizations to shred documents containing personal information.
RECOMMENDATION: DEVELOP AN ONLINE “CLEARINGHOUSE” FOR CURRENT EDUCATIONAL RESOURCES
The Task Force recommends that in the third quarter of 2007, the Task Force member agencies develop an online “clearinghouse” for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.
B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.
An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision, and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer’s credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to “verify” the applicant’s identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.
Identity systems follow a two-fold process: first, determining (“identification”) and setting (“enrollment”) the identity of an individual at the onset of the relationship, and second, later ensuring that the individual is the same person who was initially enrolled (“authentication”). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, “financial institutions”), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.67 The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.68 See Volume II, Part G, for a description of recent laws relating to identification documents.
The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.69
Once an individual’s identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:
• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer’s monthly mortgage payment.
• Something a person has—most commonly a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.70
• Something a person is—most commonly a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.71
Some entities use a single form of authentication—most commonly a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.72 Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.73 Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.
SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.
RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION
Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.
As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
As noted in Section III.A.1 above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.
C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.
1. VICTIM ASSISTANCE: OUTREACH AND EDUCATION
Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can (1) place alerts on their credit files, (2) request copies of applications and other documents used by the thief, (3) request that the credit reporting agencies block fraudulent trade lines on credit reports, and (4) obtain information on the fraudulent accounts from debt collectors.
In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.
Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.
Fair and Accurate Credit Transaction Act (FACT Act) Rights
The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.
Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:
• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.
• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.
• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.
• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.
• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.
State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General’s office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.
A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.
DespitethissubstantialeffortbythepublicandprivatesectorstoeducateandassistvictimsthereisroomforimprovementManyvictimsarenotawareordonottakeadvantageof theresourcesavailabletothemForexamplewhiletheFTCreceivesroughly250000contactsfromvictimseveryyearthatnumberisonlyasmallpercentageof allidentitytheftvictimsMoreoveralthoughfirstresponderscouldbeakeyresourceforidentitytheftvictimsthefirstrespondersoftenareoverworkedandmaynothavetheinformationthattheyneedaboutthestepsforvictimrecov-eryItisessentialthereforethatpublicandprivateoutreacheffortsbeexpandedbettercoordinatedandbetterfunded
RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS
First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:
Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.
Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.
Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.
Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.
RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS
Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:
Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.
2. Making Identity Theft Victims Whole
Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.
The many hours victims spend in attempting to recover from the harms they suffer often take a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.
“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”
Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001
In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.74 In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.
RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED
Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.
As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.
RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES
One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or “passports,” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.
3. Gathering Better Information on the Effectiveness of Victim Recovery Measures
Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims’ experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.
RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS
The Task Force recommends the following surveys or assessments:
Conduct Assessment of FACT Act Remedies Under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.
Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policymakers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.
D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.
The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.
In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.
In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.
During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute,75 enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.
The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.
1. Coordination and Intelligence/Information Sharing
Federal law enforcement agencies have recognized the importance of coordination among agencies and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.
In “Operation Firewall,” the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar. Using the website www.shadowcrew.com, the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents, such as drivers’ licenses, passports, and Social Security cards, as well as stolen credit card, debit card, and bank account numbers. The Shadowcrew members trafficked in at least 1.7 million stolen credit card numbers and caused total losses in excess of $4 million. The Secret Service successfully shut down the website following a year-long undercover investigation, which resulted in the arrests of 21 individuals in the United States on criminal charges in October 2004. Additionally, law enforcement officers in six foreign countries arrested or searched eight individuals.
a. Sources of Identity Theft Information
Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement, through a secure website, the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.
Private sector entities—including the financial services industry and credit reporting agencies—also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.
One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient “stove-piping” of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.
b. Format for Sharing Information and Intelligence
A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program’s terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.
To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police’s (IACP) Private Sector Liaison Committee and the Major Cities’ Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.
c. Mechanisms for Sharing Information
Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.
Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.
Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers “connect the dots” in investigations and pool limited resources.
RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER
The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to “connect the dots” between various investigations around the country.
In a case prosecuted by the United States Attorney’s Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.
RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM
The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC—a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department’s report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.
Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint (“Complaint”) form was made available in October 2006 via the FTC’s Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC’s Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.
RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR
Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:
Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service’s current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim’s credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.
2. Coordination With Foreign Law Enforcement
Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.
Because of the international nature of many forms of identity theft, providing assistance to, and receiving assistance from, foreign law enforcement on identity theft is critical for U.S. enforcement agencies. Under current law, the United States generally is able to provide such assistance, which fulfills our obligations under various treaties and enhances our ability to obtain reciprocal assistance from foreign agencies. Indeed, there are numerous examples of collaborations between U.S. and foreign law enforcement in identity theft investigations.
Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country’s law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.
Second, certain statutes governing foreign requests for electronic and other evidence—specifically 18 U.S.C. § 2703 and 28 U.S.C. § 1782—fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.
The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.
RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT
The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.
RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE
Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention’s standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings, and should continue until broad international acceptance of the Convention on Cybercrime is achieved.
RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES
Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.
RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT’S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT
The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).
RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT
Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.
3. Prosecution Approaches and Initiatives
As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney’s Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney’s Office in the District of Oregon has an identity theft “fast track” program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney’s Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.
Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney’s Offices have monetary thresholds—i.e., requirements that a certain amount of monetary loss must have been suffered by the victims—before the U.S. Attorney’s Office will open an identity theft case. When a U.S. Attorney’s Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.
RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT
The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:
Designate An Identity Theft Coordinator for Each United States Attorney’s Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney’s Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.
Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney’s Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.
Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.
Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.
RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES
Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:
Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals’ SSNs or other sensitive information to anyone who provides them with the individual’s name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.
Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries’ and providers’ identities and identification numbers, the opening of bank accounts in individuals’ names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.
Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.
RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS
By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.
4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps
Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.
a. The Identity Theft Statutes
The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.76 Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.
There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of “a person,” it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization’s name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.
b. Computer-Related Identity Theft Statutes
Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company’s internal local networks or by a thief intruding into a wireless network generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer’s wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney’s Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.
A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause “damage” to computers, i.e., that impair the “integrity or availability” of data or computer systems.77 Absent special circumstances, the loss caused by the criminal conduct must exceed $5000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals’ computers. Whether the programs succeed in obtaining the unsuspecting computer owner’s financial data, these sorts of programs harm the “integrity” of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5000.
c. Cyber-Extortion Statute
Another federal criminal statute that may apply in some computer-related identity theft cases is the “cyber-extortion” provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat “to cause damage to a protected computer,”78 is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first—such as by accessing a corporate computer without authority and encrypting critical data—and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly “threaten to cause damage” can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.
d. Sentencing Guidelines Governing Identity Theft
In recent years, the courts have created some uncertainty about the applicability of the “multiple victim enhancement” provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.79
RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES
The Task Force recommends that Congress take the following legislative actions:
Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.
Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases—mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A—in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.
Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.
Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant’s action must cause “damage” to computers and that the loss caused by the conduct must exceed $5000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.
Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.
RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF’S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM
The Sentencing Commission should amend the definition of “victim,” as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.
5. Training of Law Enforcement Officers and Prosecutors
Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney’s Offices, for example, several federal law enforcement agencies—including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI—along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.
Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges—including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft—that warrant more specialized training at all levels of law enforcement.
RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS
Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ’s Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any “model programs”—fast track programs, etc.).
Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.
Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.
Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.
6. Measuring Success of Law Enforcement Efforts
One shortcoming in the federal government’s ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.
Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.
RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM’S RESPONSE TO IDENTITY THEFT
Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.
Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.
Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.
Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an “Identity Theft” category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.
Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.
IV. Conclusion: The Way Forward
There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.
Only a comprehensive and fully coordinated strategy to combat identity theft—one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector—will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders—consumers, business, and government—must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well being.
Appendices
APPENDIX A: Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol
APPENDIX B: Proposed Routine Use Language
Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12990, 12993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28948, 28953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.
Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:80
To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.
Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.
Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.
APPENDIX C: Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)
Proposed Language
(a) Section 3663 of Title 18, United States Code, is amended by:
(1) Deleting “and” at the end of paragraph (4) of subsection (b);
(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “and”; and
(3) Adding the following after paragraph (5) of subsection (b):
“(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”
Make conforming changes to the following:
(b) Section 3663A of Title 18, United States Code, is amended by:
(1) Adding the following after Section 3663A(b)(4):
“(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”
Section Analysis
These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim’s time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim’s time spent clearing a victim’s credit report or resolving charges made by the perpetrator for which the victim has been made responsible.
New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear that restitution orders may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense. The federal courts of appeals have interpreted the existing provisions of Section 3663 in such a way that would likely preclude the recovery of such amounts, absent explicit statutory authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th Cir. 1990), the court held that restitution ordered for offenses resulting in loss of property must be limited to recovery of property which is the subject of the offenses, and may not include consequential damages. Similarly, in United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held that the list of compensable expenses in a restitution statute is exclusive, and thus the district court did not have the authority to order the defendant to pay restitution to compensate the victim for mental anguish and suffering. Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court held that restitution was not allowed for consequential damages involved in determining the amount of loss or in recovering those funds; thus, a victim of wire fraud was not entitled to restitution for accounting fees and costs to reconstruct bank statements for the time period during which the defendant perpetuated the scheme, for the cost of temporary employees to reconstruct monthly bank statements, and for the costs incurred in borrowing funds to replace stolen funds. These new subsections will provide statutory authority for inclusion of amounts equal to the value of the victim’s time reasonably spent remediating the harm incurred as a result of the identity theft offense.
APPENDICES
COMBATING IDENTITY THEFT A Strategic Plan
APPENDIX D
Text of Amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and Text of New Language for 18 U.S.C. § 3512
The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.
Proposed Language
§ 2703. Required disclosure of customer communications or records
(a) Contents of wire or electronic communications in electronic storage.—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.
(b) Contents of wire or electronic communications in a remote computing service.—(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—
(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or
(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—
(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or
(ii) obtains a court order for such disclosure under subsection (d) of this section;
except that delayed notice may be given pursuant to section 2705 of this title.
(c) Records concerning electronic communication service or remote computing service.—(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—
(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;
§ 2711. Definitions for chapter
As used in this chapter—
(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;
(2) the term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system; and
(3) the term “court of competent jurisdiction” has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that–
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or
(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.
§ 3127. Definitions for chapter
As used in this chapter—
(1) the terms “wire communication”, “electronic communication”, “electronic communication service”, and “contents” have the meanings set forth for such terms in section 2510 of this title;
(2) the term “court of competent jurisdiction” means—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that–
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located;
(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or
(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device.
§ 3512. Foreign requests for assistance in criminal investigations and prosecutions
(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.
(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –
(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;
(2) administer any necessary oath; and
(3) take testimony or statements and receive documents or other things.
(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –
(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;
(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents, or things may be located; or
(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.
(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.
(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.
(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.
(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.
(h) As used in this section –
(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and
(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.
APPENDIX E
Text of Amendments to 18 U.S.C. §§ 1028 and 1028A
The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.
Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses
Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically, mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A—in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).
Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations
(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.
Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.
(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “or other person” after the word “individual”.
Rationale
Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized “appropriation” of legitimate companies’ names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation, sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy, and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.
One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as “phishing,” whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme—for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.
Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special “horror story” which stands above the rest. In August 2005, the “Anti-Phishing Working Group” determined in just that month alone there were 5,259 unique phishing websites around the world. By December 2005, that number had increased to 7,197, and there were 15,244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities’ names (and even logos and web content) were “hijacked” (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., httpantiphishingorgapwg_phishing_activity_report_august_05pdf
In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks and companies’ names in communications with victims or in counterfeit checks.
Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code, to apply only to “natural” persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.
APPENDIX F
Text of Amendment to 18 U.S.C. § 1030(a)(2)
The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
1030(a) Whoever—
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains–
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
APPENDIX G
Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b
The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
18 U.S.C. § 1030
(a) Whoever—
(5)
(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
(c) The punishment for an offense under subsection (a) or (b) of this section is—
(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(3) (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;
(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section; and
(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and
(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.
(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety;
(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or
(vi) damage affecting ten or more protected computers during any 1-year period;
or an attempt to commit an offense punishable under this subparagraph;
(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph;
(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both;
(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both; or
(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph.
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
18 U.S.C. § 2332b(g)(5)(B)(I)
1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)
APPENDIX H
Text of Amendments to 18 U.S.C. § 1030(a)(7)
The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.
Proposed Language
18 U.S.C. § 1030(a)(7)
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any–
(a) threat to cause damage to a protected computer;
(b) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;
APPENDIX I
Text of Amendment to United States Sentencing Guideline § 2B1.1
The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.
Proposed language for United States Sentencing Guidelines § 2B1.1, comment. (n.1)
“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.
APPENDIX J
Description of Proposed Surveys
In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:
• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.
• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3,000 agencies. The sample includes all agencies with 100 or more officers, and a stratified random sample of smaller agencies, as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.
• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft, as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.
• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the post-conviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.
• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.
• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.
ENDNOTES
1 Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.
2 The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.
3 The public comments are available at www.idtheft.gov.
4 Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”
5 See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at httpwwwusdojgovusaomiwpressJMiller_ Others10172006html
6 Javelin Strategy and Research, 2007 Identity Fraud Survey Report Identity Fraud is Dropping Continued Vigilance Necessary (Feb. 2007), summary available at http://www.javelinstrategy.com; Bureau of Justice Statistics (DOJ) (2004), available at httpwwwojpusdojgovbjspubpdfit04pdf; Gartner, Inc. (2003), available at httpwwwgartnercom5_aboutpress_releasespr21july2003ajsp; FTC 2003 Survey Report (2003), available at httpwwwconsumergovidtheftpdf synovate_reportpdf
7 See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection BSA Survey Suggests (Jan. 12, 2006), available at httpwwwbsacybersafetycomnews2005-Online-Shopping-Confidencecfm
8 See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at httpswwwcsiallianceorgpublicationssurveys_and_pollsCSIA_Internet_Security_Survey_June_2005pdf
9 See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at httpwwwusdojgovusaoflsPressReleases060719-01html
10 See, e.g., John Leland, Meth Users Attuned to Detail Add Another Habit ID Theft, New York Times, July 11, 2006, available at httpwwwnytimescom20060711us11methhtmlex=1153540800ampen=7b6c7773afa880beampei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit Online Theft, USA Today, December 14, 2005, available at httpwwwusatodaycomtechnewsinternetprivacy2005-12-14-meth-online-theft_xhtm
11 Bob Mims, Id Theft Is the No. 1 Runaway U.S. Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526.
12 Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, httpdeseretnewscomdnview0124960012971400html
13 Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at httpwwwnytimescom20031221magazine21IDENTITYhtmlex=1387342800ampen=b693eef01223bc3bampei=5007amppartner=USERLAND
14 Pub. L. No. 108-159, 117 Stat. 1952.
15 The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).
16 Overview of Attack Trends, CERT Coordination Center 2002, available at httpwwwcertorgarchivepdfattack_trendspdf
17 Lanowitz, T., Gartner Research ID Number G00127407, December 1, 2005.
18 “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at httpwwwconsumeraffairscomnews04200607scam_vishinghtml
19 Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See httpwwwftcgovopa200605phonerecordshtm
20 The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at httpwwwftcgovopa200203pretextingsettlementshtm
21 See, e.g., Computers Stolen with Data on 72,000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.
22 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a).
23 Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.
24 See httpwwwbizjournalscomphiladelphiastories20060724daily30html. See also Identity Theft Resource Center, Fact Sheet 126, Checking Account Takeover and Check Fraud, httpwwwidtheftcenterorgvg126shtml
25 For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37,000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at httpwwwsecgovlitigationlitreleases2006lr19949htm
26 For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.
27 See John Leland, Some ID Theft Is Not For Profit But to Get a Job, NY Times, Sept. 4, 2006.
28 See World Privacy Forum, Medical Identity Theft The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforumorgpdfwpf_medicalidtheft2006pdf
29 See httpwwwidanalyticscomnews_and_events20051208htm. Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.
30 Government Accounting Office, Social Security Numbers Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004) at 2, available at httpwwwgaogovnewitemsd0559pdf
31 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.
32 5 U.S.C. § 552a.
33 See, e.g., Ariz. Rev. Stat. § 44-1373.
34 Social Security Numbers Federal and State Laws Restrict Use of SSNs Yet Gaps Remain, GAO-05-1016T, September 15, 2005.
35. See, e.g., www.wpsic.com/edi/comm_sub_p.shtml?mm=3, Non-SSN Member Numbers to Be Assigned for Privacy Protection.
36. Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.
37. The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”
38. See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).
39. The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.
40. See http://www.whitehouse.gov/results/agenda/scorecard.html.
41. The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.
42. 15 U.S.C. §§ 6801-09; 16 CFR Part 313 (FTC); 12 CFR Part 30, App. B (OCC, national banks); 12 CFR Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 CFR Part 364, App. B (FDIC, state non-member banks); 12 CFR Part 570, App. B (OTS, savings associations); 12 CFR Part 748, App. A (NCUA, credit unions); 16 CFR Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 CFR Part 248.30 (SEC); 17 CFR Part 160.30 (CFTC).
43. 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.
44. 15 U.S.C. §§ 1681-1681x, as amended.
45. Pub. L. No. 108-159, 117 Stat. 1952.
46. 42 U.S.C. §§ 1320d et seq.
47. 31 U.S.C. § 5318(l).
48. 18 U.S.C. §§ 2721 et seq.
49. http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm.
50. http://www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf; www.staysafeonline.org/basics/company/basic_tips.html; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at www.bitsinfo.org/downloads/Publications%20Page/bitsconscon.pdf; www.realtor.org/realtororg.nsf/files/NARInternetSecurityGuide.pdf/$FILE/NARInternetSecurityGuide.pdf; www.antiphishing.org/reports/bestpracticesforisps.pdf; www.uschamber.com/sb/security/default.htm; www.truste.org/pdf/SecurityGuidelines.pdf; www.the-dma.org/privacy/informationsecurity.shtml; http://www.staysafeonline.org/basics/company/basic_tips.html.
51. These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 CFR Part 30, App. B (national banks); 12 CFR Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 CFR Part 364, App. B (state non-member banks); 12 CFR Part 570, App. B (savings associations); 12 CFR Part 748, App. A and B, and 12 CFR Part 717 (credit unions); 16 CFR Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).
52. See, e.g., http://www.truste.org/pdf/SecurityGuidelines.pdf; http://www.the-dma.org/privacy/informationsecurity.shtml.
53. Deloitte Financial Services, 2006 Global Security Survey, available at http://singe.rucus.net/blog/archives/756-Deloitte-Security-Surveys.html.
54. Datalink, Data Storage Security Study, March 2006, available at www.datalink.com/security.
55. Id.
56. See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).
57. See, e.g., California (Cal. Civ. Code § 1798.82 (2006)); Illinois (815 Ill. Comp. Stat. 530/5 (2005)); Louisiana (La. Rev. Stat. 51:3074 (2006)); Rhode Island (R.I. Gen. Laws § 11-4923 (2006)).
58. See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)); Florida (Fla. Stat. § 817.5681 (2005)); New York (NY CLS Gen. Bus. § 889-aa (2006)); Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).
59. Ponemon Institute LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, p. 16 (Apr. 26, 2006).
60. Id.
61. Ponemon Institute LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).
62. MultiChannel Merchant, Retailers Need to Provide Greater Data Security, Survey Says (Dec. 1, 2005), available at http://multichannelmerchant.com/opsandfulfillment/advisor/retailers_data_security_1201/index.html.
63. See Information Technology Examination Handbook’s Information Security Booklet, available at http://www.ffiec.gov/guides.htm.
64. See, e.g., http://www.pvkansas.com/police/crime/iden_theft.shtml (Prairie Village, Kansas); http://phoenix.gov/POLICE/dcd1.html (Phoenix, Arizona); www.co.arapahoe.co.us/departments/SH/index.asp (Arapahoe County, Colorado).
65. Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.
66. Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.
67. See 31 CFR § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 CFR § 103.122 (broker-dealers); 17 CFR § 270.0-11, 31 CFR § 103.131 (mutual funds); and 31 CFR § 103.123 (futures commission merchants and introducing brokers).
68. See http://www.dhs.gov/xprevprot/laws/gc_1172765386179.shtm.
69. A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.
Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages before too much harm is done. See 71 Fed. Reg. 40786 (July 18, 2006), to be codified at 12 CFR Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 CFR Part 681 (FTC), available at http://www.occ.gov/fr/fedregister/71fr40786.pdf.
70. USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information such as a PIN to allow access to a computer network. This system is frequently used to allow for remote access to a workstation for a telecommuter.
71. Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at www.biometrics.gov.
72. See Authentication in an Internet Banking Environment (October 12, 2005), available at http://www.ffiec.gov/pdf/authentication_guidance.pdf.
73. See FFIEC, Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at http://www.ffiec.gov/pdf/authentication_faq.pdf.
74. See Kristin Davis and Jessica Anderson, But Officer, That Isn’t Me, Kiplinger’s Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va. Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).
75. 18 U.S.C. § 1028A.
76. 18 U.S.C. § 1028(d)(7).
77. See 18 U.S.C. § 1030(e)(8).
78. 18 U.S.C. § 1030(a)(7).
79. S. Rep. No. 105-274 at 9 (1998).
80. As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.
IRTPA – Intelligence Reform and Terrorism Prevention Act of 2004
ISI – Intelligence Sharing Initiative (U.S. Postal Inspection Service)
ISP – Internet service provider
ISS LOB – Information Systems Security Line of Business
ITAC – Identity Theft Assistance Center
ITCI – Information Technology Compliance Institute
ITRC – Identity Theft Resource Center
MCC – Major Cities Chiefs
NAC – National Advocacy Center
NASD – National Association of Securities Dealers, Inc.
NCFTA – National Cyber Forensic Training Alliance
NCHELP – National Council of Higher Education Loan Programs
NCUA – National Credit Union Administration
NCVS – National Crime Victimization Survey
NDAA – National District Attorneys Association
NIH – National Institutes of Health
NIST – National Institute of Standards and Technology
NYSE – New York Stock Exchange
OCC – Office of the Comptroller of the Currency
OIG – Office of the Inspector General
OJP – Office of Justice Programs (DOJ)
OMB – Office of Management and Budget
OPM – Office of Personnel Management
OTS – Office of Thrift Supervision
OVC – Office for Victims of Crime (DOJ)
PCI – Payment Card Industry
PIN – Personal Identification Number
PMA – President’s Management Agenda
PRC – Privacy Rights Clearinghouse
QRP – Questionable Refund Program (IRS CI)
RELEAF – Operation Retailers & Law Enforcement Against Fraud
RISS – Regional Information Sharing Systems
RITNET – Regional Identity Theft Network
RPP – Return Preparer Program (IRS CI)
SAR – Suspicious Activity Report
SBA – Small Business Administration
SEC – Securities and Exchange Commission
SMP – Senior Medicare Patrol
SSA – Social Security Administration
SSL – Security Socket Layer
SSN – Social Security number
TIGTA – Treasury Inspector General for Tax Administration
UNCC – United Nations Crime Commission
USA PATRIOT Act – Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Pub. L. No. 107-56)
USB – Universal Serial Bus
US-CERT – United States Computer Emergency Readiness Team
USPIS – United States Postal Inspection Service
USSS – United States Secret Service
VHA – Veterans Health Administration
VOIP – Voice Over Internet Protocol
VPN – Virtual private network
WEDI – Workgroup for Electronic Data Interchange
Identity Theft Task Force Members
Alberto R. Gonzales, Chairman, Attorney General
Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission
Henry M. Paulson, Department of Treasury
Carlos M. Gutierrez, Department of Commerce
Michael O. Leavitt, Department of Health and Human Services
R. James Nicholson, Department of Veterans Affairs
Michael Chertoff, Department of Homeland Security
Rob Portman, Office of Management and Budget
John E. Potter, United States Postal Service
Ben S. Bernanke, Federal Reserve System
Linda M. Springer, Office of Personnel Management
Sheila C. Bair, Federal Deposit Insurance Corporation
Christopher Cox, Securities and Exchange Commission
JoAnn Johnson, National Credit Union Administration
Michael J. Astrue, Social Security Administration
John C. Dugan, Office of the Comptroller of the Currency
John M. Reich, Office of Thrift Supervision
Letter to the President
April 11, 2007
The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.
Dear Mr. President:
By establishing the President’s Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government’s efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.
Alberto R. Gonzales, Chairman, Attorney General
Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission
The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft’s damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.
There is no quick solution to this problem. But we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.
Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President’s Task Force on Identity Theft.
Very truly yours,
Alberto R. Gonzales, Chairman, Attorney General
Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission
I. Executive Summary
From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.
A. INTRODUCTION
Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.
Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult and costly decisions about investments in safeguards and what more to do to protect the public. And, at every level of government—from the largest cities with major police departments to the smallest towns with one fraud detective—identity theft has placed increasingly pressing demands on law enforcement.
Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.
In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.
The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.
These communications from the public went a long way toward informing the Task Force’s recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.
B. THE STRATEGY
Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud. Identity theft has at least three stages in its “life cycle,” and it must be attacked at each of those stages:
First, the identity thief attempts to acquire a victim’s personal information.
Criminals must first gather personal information, either through low-tech methods—such as stealing mail or workplace records, or “dumpster diving”—or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.
Second, the thief attempts to misuse the information he has acquired.
In this stage, criminals have acquired the victim’s personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:
Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.
New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim’s name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.
In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.
Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.
In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation’s citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.
The Plan focuses on improvements in four key areas:
• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.
In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:
• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.
The Task Force believes that all of the recommendations in this strategic plan—from these broad policy changes to the small steps—are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President’s Task Force on Identity Theft:
PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While “perfect security” does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.
Data Security in Public Sector
Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management
• Survey current use of SSNs by federal government
• Issue guidance on appropriate use of SSNs
• Establish clearinghouse for “best” agency practices that minimize use of SSNs
• Work with state and local governments to review use of SSNs
Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance
• Develop concrete guidance and best practices
• Monitor agency compliance with data security guidance
• Protect portable storage and communications devices
Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies
• Issue data breach guidance to agencies
• Publish a “routine use” allowing disclosure of information after a breach to those entities that can assist in responding to the breach
Data Security in Private Sector
Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements
Develop Comprehensive Record on Private Sector Use of Social Security Numbers
Better Educate the Private Sector on Safeguarding Data
• Hold regional seminars for businesses on safeguarding information
• Distribute improved guidance for private industry
Initiate Investigations of Data Security Violations
Initiate a Multi-Year Public Awareness Campaign
• Develop national awareness campaign
• Enlist outreach partners
• Increase outreach to traditionally underserved communities
• Establish “Protect Your Identity” Days
Develop Online Clearinghouse for Current Educational Resources
PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.
Authentication includes determining a person’s identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.
Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factor authentication or layered security—would go a long way toward preventing criminals from profiting from identity theft.
Hold Workshops on Authentication
• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity
• Issue report on workshop findings
Develop a Comprehensive Record on Private Sector Use of SSNs
VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Identity theft can be committed despite a consumer’s best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.
Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims
• Train law enforcement officers
• Provide educational materials for first responders that can be used as a reference guide for identity theft victims
• Create and distribute an ID Theft Victim Statement of Rights
• Design nationwide training for victim assistance counselors
Develop Avenues for Individualized Assistance to Identity Theft Victims
Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered
Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes
Assess Efficacy of Tools Available to Victims
• Conduct assessment of FACT Act remedies under FCRA
• Conduct assessment of state credit freeze laws
LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.
Coordination and Information/Intelligence Sharing
Establish a National Identity Theft Law Enforcement Center
Develop and Promote the Use of a Universal Identity Theft Report Form
Enhance Information Sharing Between Law Enforcement and the Private Sector
• Enhance ability of law enforcement to receive information from financial institutions
• Initiate discussions with financial services industry on countermeasures to identity theft
• Initiate discussions with credit reporting agencies on preventing identity theft
Coordination with Foreign Law Enforcement
Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft
Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime
Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies
Enhance the United States Government’s Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft
Assist, Train, and Support Foreign Law Enforcement
Prosecution Approaches and Initiatives
Increase Prosecutions of Identity Theft
• Designate an identity theft coordinator for each United States Attorney’s Office to design a specific identity theft program for each district
• Evaluate monetary thresholds for prosecution
• Encourage state prosecution of identity theft
• Create working groups and task forces
Conduct Targeted Enforcement Initiatives
• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale
• Conduct enforcement initiatives focused on identity theft related to the health care system
• Conduct enforcement initiatives focused on identity theft by illegal aliens
Review Civil Monetary Penalty Programs
Gaps in Statutes Criminalizing Identity Theft
Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes
• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted
• Add new crimes to the list of predicate offenses for aggravated identity theft offenses
• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications
• Penalize creators and distributors of malicious spyware and keyloggers
• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion
Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim
Law Enforcement Training
Enhance Training for Law Enforcement Officers and Prosecutors
• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft
• Increase number of regional identity theft seminars
• Increase resources for law enforcement on the Internet
• Review curricula to enhance basic and advanced training on identity theft
Measuring the Success of Law Enforcement
Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft
• Gather and analyze statistically reliable data from identity theft victims
• Expand scope of national crime victimization survey
• Review U.S. Sentencing Commission data
• Track prosecutions of identity theft and resources spent
• Conduct targeted surveys
II. The Contours of the Identity Theft Problem
Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.
Identity theft—the misuse of another individual’s personal information to commit fraud—can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.
Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain’s identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain’s name and with his Social Security number. The military identification, combined with the victim’s then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim’s name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim’s name.4
In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim’s existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim’s safe-deposit boxes.5
In these ways and others, consumers’ lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.
“I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver’s license was suspended. I hold three licenses in the State of Ohio—my driver’s license, my real estate license, and my RN license. After learning my driver’s license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter.”
Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003
A. PREVALENCE AND COSTS OF IDENTITY THEFT
There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.
Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.
In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.
In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.
Consumers’ fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.
B. IDENTITY THIEVES: WHO THEY ARE
Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC’s 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.
Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.
Individuals
According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners’ mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9
A number of recent reports have focused on the connection between individual methamphetamine (“meth”) users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.
In an article entitled “Waitress Gets Own ID When Carding Patron,” the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver’s license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.
In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $181,517.05 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver’s license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.
Significant Criminal Groups and Organizations
Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups—including national gangs such as Hell’s Angels and MS-13—are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.
Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user’s Internet connection, without the user’s knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services—such as software templates for making counterfeit identification cards and payment card magnetic strip encoders—that make the stolen data even more valuable to those who have it.
C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE
Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim’s name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.
Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.
In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant’s accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an “unprecedented, wide-ranging, organized criminal enterprise” that “engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers.” The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.
The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.
Common Theft and Dumpster Diving
While often considered a “high tech” crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as “dumpster diving.”13 Still others steal information using techniques no more sophisticated than purse snatching.
Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice
A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.
Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed—a measure that is intended, among other things, to reduce the ability of a “dumpster diver” to obtain a victim’s credit card number simply by looking through that victim’s discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15
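The receipt truncation requirement described above can be checked mechanically against point-of-sale output. The following Python example is an addition to this text, not part of the Task Force report: it scans receipt text for full card numbers (confirmed with the Luhn checksum) and for masked numbers that still show more than the trailing digits, and rewrites both so that only the last four digits remain. The five-digit ceiling reflects the FACT Act receipt provision (15 U.S.C. § 1681c(g)); the sample receipt, the function names, and the choice to keep four digits are assumptions made for the example.

```python
import re

MAX_VISIBLE = 5  # statutory ceiling: at most the last five digits may be printed
KEEP = 4         # assumption for this example: keep only the last four

# A run of 13-19 digits or mask characters, with single space/hyphen separators.
CANDIDATE = re.compile(r"(?<![\d*#])[\d*#](?:[ -]?[\d*#]){12,18}(?![\d*#])")
# A compliant masked number: mask characters, then at most MAX_VISIBLE digits.
COMPLIANT_MASK = re.compile(r"[*#]+\d{0,%d}" % MAX_VISIBLE)


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_all_but_last(token, keep=KEEP):
    """Replace every digit except the last `keep` with '*', preserving separators."""
    to_mask = max(sum(c.isdigit() for c in token) - keep, 0)
    out = []
    for c in token:
        if c.isdigit() and to_mask > 0:
            out.append("*")
            to_mask -= 1
        else:
            out.append(c)
    return "".join(out)


def audit_receipt(text, keep=KEEP):
    """Return (sanitized_text, findings); findings are (line_number, issue) tuples."""
    if not 0 <= keep <= MAX_VISIBLE:
        raise ValueError("keep must be between 0 and %d" % MAX_VISIBLE)
    findings = []

    def fix(match):
        token = match.group(0)
        compact = re.sub(r"[ -]", "", token)
        if compact.isdigit():
            if not luhn_valid(compact):
                return token    # long digit run that is not a card number
            issue = "full card number"
        elif COMPLIANT_MASK.fullmatch(compact):
            return token        # already shows only trailing digits
        else:
            issue = "mask exposes more than the last %d digits" % MAX_VISIBLE
        line = text.count("\n", 0, match.start()) + 1
        findings.append((line, issue))
        return mask_all_but_last(token, keep)

    return CANDIDATE.sub(fix, text), findings


# Constructed sample receipt; the card numbers are well-known test values.
SAMPLE_RECEIPT = """\
HARBOR DINER            (constructed sample)
Order 20070411093000123
VISA 4111 1111 1111 1111
Auth 008812   Total $42.17
MC 550000******0004
AMEX ***********0005
"""

if __name__ == "__main__":
    clean, found = audit_receipt(SAMPLE_RECEIPT)
    print(clean)
    for line, issue in found:
        print("line %d: %s" % (line, issue))
```

The second finding matters in practice: a receipt that prints the leading six digits alongside the last four is masked, but it still exposes more than the trailing digits the requirement allows.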
Employee/Insider Theft
Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves, to access sensitive data at companies. The failure to disable a terminated employee’s access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.
Electronic Intrusions or Hacking
Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.
Second, hackers also can gain access to underlying applications—programs used to “communicate” between Internet users and a company’s internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker’s application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.
According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.
Social Engineering: Phishing, Malware/Spyware, and Pretexting
Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as “social engineering,” can take a variety of forms.
In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution’s screening practices came to light through the OCC’s review of the former employee’s activities.
In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe’s Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe’s retail store in Michigan and gained access to Lowe’s central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe’s retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.
Phishing: “Phishing” is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to “reenter” or “validate” their personal data. Such phishing schemes often mimic financial institutions’ websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed “vishing,” in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18
“Phishing” Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group
At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS’s website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.
Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users’ computers and data without the users’ permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user’s Internet sessions back to the hacker, including usernames and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims’ passwords and other useful data—such as “sniffing” Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.
Pretexting: Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer’s account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer’s name.20
Stolen Media
In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an “incidental” manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded—such as through the use of technological tools for protecting data—this information can be accessed and used to steal the victim’s identity. Identity thieves also may obtain consumer data when it is lost or misplaced.
Failure to “Know Your Customer”
Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.
The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.
Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.
In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.
“Skimming”
Because it is possible to use someone’s credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as “skimmers.” A skimmer is an inexpensive electronic device with a slot through which a person passes or “skims” a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer’s sight, he can skim the card through the device and then swipe it through the restaurant’s own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer’s card, as well as the consumer’s password.
D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT
Once they obtain victims’ personal information, criminals misuse it in endless ways, from opening new accounts in the victim’s name, to accessing the victim’s existing accounts, to using the victim’s name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.
Misuse of Existing Accounts
Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer’s wallet.
A “skimmer.” Source: Durham, Ontario Police
In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.
Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims’ bank accounts, including checking accounts—sometimes referred to as “account takeovers.”24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims’ online brokerage accounts.25
Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26
New Account Fraud
Amoreseriousif lessprevalentformof identitytheftoccurswhenthievesareabletoopennewcreditutilityorotheraccountsinthevictimrsquosnamemakechargesindiscriminatelyandthendisappearVictimsoftendonotlearnof thefrauduntiltheyarecontactedbyadebtcollectororareturneddownforaloanajoborotherbenefitbecauseof anegativecreditratingWhilethisisalessprevalentformof frauditcausesmorefinancialharmislesslikelytobediscoveredquicklybyitsvictimsandrequiresthemosttimeforrecovery
Criminalrsquos skimmer mounted and colored to resemble exterior of real ATM A pinhole camera is mounted inside a plastic brochure holder to capture customerrsquos keystrokes Source University of Texas Police Department
In December 2005 a highly organized ring involved in identity theft counterfeit credit and debit card fraud and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County New Jersey Prosecutorrsquos Office arrested 13 of its members The investigation which began in June 2005 uncovered more than 2000 stolen identities and at least $13 million worth of fraudulent transac-tions The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals The ac-count information came from computer hackers outside the United States who were able to penetrate corporate databases Additionally the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey New York and other states
When criminals establish new credit card accounts in others’ names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others’ names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.
“Brokering” of Stolen Data
Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as “carding sites,” traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.
Immigration Fraud
In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.
Medical Identity Theft
Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim’s identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.
Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney’s Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver’s licenses, credit, or even medical services because someone had improperly used their personal information before.
Other Frauds
Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS’s Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.
With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services’ Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.
Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney’s Office for the Southern District of New York obtained a criminal conviction against him in 2002.
In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant’s allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.
A STRATEGY TO COMBAT IDENTITY THEFT
III. A Strategy to Combat Identity Theft
Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its “life cycle,” it must be attacked at each of those stages, including:
when the identity thief attempts to acquire a victim’s personal information;
when the thief attempts to misuse the information he has acquired; and
after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
The federal government’s strategy to combat identity theft must address each of these stages by:
keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;
making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;
assisting victims in recovering from the crime; and
deterring identity theft by aggressively prosecuting and punishing those who commit the crime.
A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force’s recommendations, as described below, are focused on those areas.
A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as “perfect security,” some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.
The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.29 Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.
1. Decreasing the Unnecessary Use of Social Security Numbers
The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim’s SSN and certain other information generally can open accounts or obtain other benefits in the victim’s name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.
SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers’ earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, is expressly authorized by statute.
The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.
Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students’ identification number for a range of purposes, from administering loans to tracking grades, and may place it on students’ identification cards, although usage for these purposes is declining.
In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver’s licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.
SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.30 Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.
No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations’ disclosure of SSNs without patient authorization; and the Driver’s Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 “permissible uses.”31 In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.32 A number of state statutes restrict the use and display of SSNs in certain contexts.33 Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.34
There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.
Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization’s internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN’s use as an authenticator.
In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA’s Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.
Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber’s identification number.35 Additionally, the Department of Treasury’s Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.
More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.
RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR
To limit the unnecessary use of SSNs in the public sector—and to begin to develop alternative strategies for identity management—the Task Force recommends the following:
Complete Review of Use of SSNs. As recommended in the Task Force’s interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers, where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in “any system of permanent account numbers pertaining to individuals,” should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.
When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim’s name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief’s medical information was added to the victim’s medical records.
Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.
Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.36
Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB’s review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices—including the development of any alternative strategies for identity management—to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.
Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments—through organizations such as the National Governor’s Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems—to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders—including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.
2. Data Security in the Public Sector
While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.
a. Safeguarding of Information in the Public Sector
Two sets of laws and associated policies frame the federal government’s responsibilities in the area of data security. The first specifically governs the federal government’s information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.37 The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a “time-out” function for remote access and mobile devices.38 The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.39
Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President’s Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.40
Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.
Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.
b. Responding to Data Breaches in the Public Sector
Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.
The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.
RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE
To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:
Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 “mistakes” to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.
Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency’s quarterly PMA Scorecard.
Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency’s PMA scorecard.
RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES
To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:
Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.
Publish a “Routine Use” Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.41 DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.
3. Data Security in the Private Sector
Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.
a. The Current Legal Landscape
Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act, and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;42 Section 5 of the FTC Act, which prohibits unfair or deceptive practices;43 the FCRA,44 which restricts access to consumer reports and imposes safe disposal requirements, among other things;45 HIPAA, which protects health information;46 Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,47 which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers’ personal information.48 See Volume II, Part A, for a description of federal laws and regulations related to data security.
The federal bank regulatory agencies—the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)—and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation.
BJ’s Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ’s stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers, and led to millions of dollars in fraudulent charges.
In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.
In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,49 and some states have laws relevant to data security, including safeguards and disposal requirements.
Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.50
Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution’s sensitive data to safeguard that data.51 Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor’s data center, and requiring vendors to provide certification that they are in compliance with the contracting organization’s privacy and data protection obligations.52
b. Implementation of Data Security Guidelines and Rules
Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via
In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company’s website permitted unauthorized access to consumers’ personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.
In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.
computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.
Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.53 But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.54 The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.55
Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.56 For example, of the small businesses surveyed:
• nearly 20 percent did not use virus scans for email, a basic information security safeguard;
• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;
• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and
• 74 percent reported having no information security plan in place.
Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies—sometimes pursuant to law or regulations issued by agencies—are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The
In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company’s security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.
E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.
c. Responding to Data Breaches in the Private Sector
Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers’ fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.57 Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.58 Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.
The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.
A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress
In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.
address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.
Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.59 Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.60 A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.61 Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.62
RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS
Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to “financial institutions,” but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles.
Covered data. The national standards for data security and for breach notification should cover data that can be used to
When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.
perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual’s account, or to establish a new account using the individual’s identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver’s license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter “covered data”). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.
Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.
Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent “acquisition” of the data, and thus ordinarily would satisfy an entity’s legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.
Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This “significant risk of identity theft” trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real.
Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).
Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations,
guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.
Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.
Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.
Private right of action. The national standards should not provide for or create a private right of action.
Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.
RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA
Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the
When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.
importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately is less likely to suffer a data compromise. The Task Force therefore makes the following recommendations concerning how to better educate the private sector:
Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions, about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar’s leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force’s online clearinghouse at www.idtheft.gov.
Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook’s Information Security Booklet issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.
RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS
Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.
A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company’s cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.
4. Educating Consumers on Protecting Their Personal Information
The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.
The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of “Deter, Detect, and Defend,” which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.
The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.
Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims’ coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted “Consumer Action Days,” with free seminars about identity theft and other consumer protection issues.
Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.64 As of this writing, more than 500 local police departments are using the FTC’s “Deter, Detect, Defend” campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.
Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons—including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms—students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.65 In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.66
Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide—how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath—are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is
limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.
RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN
Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC’s current “AvoID Theft: Deter, Detect, Defend” campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:
Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.
Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.
Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.
Establish “Protect Your Identity Days.” The campaign should establish “Protect Your Identity Days” to promote better data security by businesses and individual commitment to security by consumers. These “Protect Your Identity Days” should also build on the popularity of community “shred-ins” by encouraging community and business organizations to shred documents containing personal information.
RECOMMENDATION: DEVELOP AN ONLINE “CLEARINGHOUSE” FOR CURRENT EDUCATIONAL RESOURCES
The Task Force recommends that in the third quarter of 2007, the Task Force member agencies develop an online “clearinghouse” for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.
B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.
An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision, and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer’s credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to “verify” the applicant’s identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.
Identity systems follow a two-fold process: first, determining (“identification”) and setting (“enrollment”) the identity of an individual at the onset of the relationship; and second, later ensuring that the individual is the same person who was initially enrolled (“authentication”). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, “financial institutions”), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of
Treasury, the SEC, and the CFTC under the USA PATRIOT Act.67 The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.68 See Volume II, Part G, for a description of recent laws relating to identification documents.
The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.69
Once an individual’s identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:
• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer’s monthly mortgage payment.
• Something a person has—most commonly a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.70
• Something a person is—most commonly a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.71
Some entities use a single form of authentication—most commonly a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls
reasonablycalculatedtomitigatetheexposurefromanytransactionsthatareidentifiedashigh-riskTheguidancemorebroadlyprovidesthatbankssavingsassociationsandcreditunionsconductrisk-basedassessmentsevaluatecustomerawarenessprogramsanddevelopsecuritymeasurestoreliablyauthenticatecustomersremotelyaccessingInternet-basedfinancialservices72Financialinstitutionscoveredbytheguidancewereadvisedthattheagenciesexpectedthemtohavecompletedtheriskassessmentandimplementedriskmitigationactivitiesbyyear-end200673Alongwiththefinancialservicesindustryotherindustrieshavebeguntoimplementnewauthenticationproceduresusingdifferenttypesof credentials
SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.
RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION
Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.
As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
As noted in Section III.A.1 above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.
C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.
1. Victim Assistance: Outreach and Education
Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.
In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.
Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.
Fair and Accurate Credit Transactions Act (FACT Act) Rights
The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.
Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:
• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.
• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.
• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.
• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.
• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.
State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General’s office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.
A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.
Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.
RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS
First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:
Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.
Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.
Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.
Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.
RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS
Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:
Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.
2. Making Identity Theft Victims Whole
Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.
The many hours victims spend in attempting to recover from the harms they suffer often take a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.
“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”
Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001
In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.74 In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.
RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED
Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.
As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.
RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES
One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or “passports,” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.
3. Gathering Better Information on the Effectiveness of Victim Recovery Measures
Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims’ experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.
RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS
The Task Force recommends the following surveys or assessments:
Conduct Assessment of FACT Act Remedies Under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.
Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policy makers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.
D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.
The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.
In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.
In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.
During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute75 enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.
The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.
1. Coordination and Intelligence/Information Sharing
Federal law enforcement agencies have recognized the importance of coordination among agencies and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.
In “Operation Firewall,” the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar. Using the website www.shadowcrew.com, the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents, such as drivers’ licenses, passports, and Social Security cards, as well as stolen credit card, debit card, and bank account numbers. The Shadowcrew members trafficked in at least 17 million stolen credit card numbers and caused total losses in excess of $4 million. The Secret Service successfully shut down the website following a year-long undercover investigation, which resulted in the arrests of 21 individuals in the United States on criminal charges in October 2004. Additionally, law enforcement officers in six foreign countries arrested or searched eight individuals.
a. Sources of Identity Theft Information
Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement through a secure website the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.
Private sector entities—including the financial services industry and credit reporting agencies—also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.
One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient “stove-piping” of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.
b. Format for Sharing Information and Intelligence
A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program’s terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.
To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police’s (IACP) Private Sector Liaison Committee and the Major Cities’ Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.
c. Mechanisms for Sharing Information
Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.
Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.
Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers “connect the dots” in investigations and pool limited resources.
RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER
The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to “connect the dots” between various investigations around the country.
In a case prosecuted by the United States Attorney’s Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.
RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM
The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC -- a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department's report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.
Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint ("Complaint") form was made available in October 2006 via the FTC's Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC's Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.
RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR
Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:
Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service's current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim's credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.
2. Coordination with Foreign Law Enforcement
Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.
Because of the international nature of many forms of identity theft, providing assistance to, and receiving assistance from, foreign law enforcement on identity theft is critical for U.S. enforcement agencies. Under current law, the United States generally is able to provide such assistance, which fulfills our obligations under various treaties and enhances our ability to obtain reciprocal assistance from foreign agencies. Indeed, there are numerous examples of collaborations between U.S. and foreign law enforcement in identity theft investigations.
Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country's law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.
Second, certain statutes governing foreign requests for electronic and other evidence -- specifically 18 U.S.C. § 2703 and 28 U.S.C. § 1782 -- fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.
The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.
RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT
The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.
RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE
Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention's standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings, and should continue until broad international acceptance of the Convention on Cybercrime is achieved.
RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES
Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.
RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT'S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT
The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).
RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT
Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.
3. Prosecution Approaches and Initiatives
As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney's Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney's Office in the District of Oregon has an identity theft "fast track" program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney's Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.
Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney's Offices have monetary thresholds -- i.e., requirements that a certain amount of monetary loss must have been suffered by the victims -- before the U.S. Attorney's Office will open an identity theft case. When a U.S. Attorney's Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.
RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT
The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:
Designate An Identity Theft Coordinator for Each United States Attorney's Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney's Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.
Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney's Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.
Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.
Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.
RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES
Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:
Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals' SSNs or other sensitive information to anyone who provides them with the individual's name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.
Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries' and providers' identities and identification numbers, the opening of bank accounts in individuals' names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.
Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.
RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS
By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.
4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps
Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.
a. The Identity Theft Statutes
The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.76 Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.
There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of "a person," it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization's name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.
b. Computer-Related Identity Theft Statutes
Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company's internal local networks or by a thief intruding into a wireless network generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer's wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney's Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.
A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause "damage" to computers, i.e., that impair the "integrity or availability" of data or computer systems.77 Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals' computers. Whether the programs succeed in obtaining the unsuspecting computer owner's financial data, these sorts of programs harm the "integrity" of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.
c. Cyber-Extortion Statute
Another federal criminal statute that may apply in some computer-related identity theft cases is the "cyber-extortion" provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat "to cause damage to a protected computer,"78 is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first -- such as by accessing a corporate computer without authority and encrypting critical data -- and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly "threaten to cause damage" can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.
d. Sentencing Guidelines Governing Identity Theft
In recent years, the courts have created some uncertainty about the applicability of the "multiple victim enhancement" provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.79
RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES
The Task Force recommends that Congress take the following legislative actions:
Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.
Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases -- mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A -- in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.
Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.
Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant's action must cause "damage" to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.
Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.
RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF'S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM
The Sentencing Commission should amend the definition of "victim," as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.
5. Training of Law Enforcement Officers and Prosecutors
Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney's Offices, for example, several federal law enforcement agencies -- including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI -- along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.
Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges -- including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft -- that warrant more specialized training at all levels of law enforcement.
RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS
Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ's Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any "model programs" -- fast track programs, etc.).
Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.
Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.
Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.
6. Measuring Success of Law Enforcement Efforts
One shortcoming in the federal government's ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.
Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.
RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM'S RESPONSE TO IDENTITY THEFT
Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of, and compliance with, the identity theft-related provisions of the consumer protection laws it enforces.
Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.
Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.
Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an "Identity Theft" category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.
Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.
IV. Conclusion: The Way Forward
There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.
Only a comprehensive and fully coordinated strategy to combat identity theft -- one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector -- will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders -- consumers, business, and government -- must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well being.
Appendices
APPENDIX A: Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol
APPENDIX B: Proposed Routine Use Language
Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12990, 12993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28948, 28953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.
Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:80
To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.
Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.
Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.
APPENDIX C: Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)
Proposed Language
(a) Section 3663 of Title 18, United States Code, is amended by:
(1) Deleting “and” at the end of paragraph (4) of subsection (b);
(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “and”; and
(3) Adding the following after paragraph (5) of subsection (b):
“(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”
Make conforming changes to the following:
(b) Section 3663A of Title 18, United States Code, is amended by:
(1) Adding the following after Section 3663A(b)(4):
“(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”
Section Analysis
These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim’s time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim’s time spent clearing a victim’s credit report or resolving charges made by the perpetrator for which the victim has been made responsible.
New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear that restitution orders may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense. The federal courts of appeals have interpreted the existing provisions of Section 3663 in such a way that would likely preclude the recovery of such amounts, absent explicit statutory authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th Cir. 1990), the court held that restitution ordered for offenses resulting in loss of property must be limited to recovery of property which is the subject of the offenses, and may not include consequential damages. Similarly, in United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held that the list of compensable expenses in a restitution statute is exclusive, and thus the district court did not have the authority to order the defendant to pay restitution to compensate the victim for mental anguish and suffering. Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court held that restitution was not allowed for consequential damages involved in determining the amount of loss or in recovering those funds; thus, a victim of wire fraud was not entitled to restitution for accounting fees and costs to reconstruct bank statements for the time period during which the defendant perpetuated the scheme, for the cost of temporary employees to reconstruct monthly bank statements, and for the costs incurred in borrowing funds to replace stolen funds. These new subsections will provide statutory authority for inclusion of amounts equal to the value of the victim’s time reasonably spent remediating the harm incurred as a result of the identity theft offense.
APPENDIX D: Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512
The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.
Proposed Language
§ 2703. Required disclosure of customer communications or records
(a) Contents of wire or electronic communications in electronic storage.—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.
(b) Contents of wire or electronic communications in a remote computing service.—(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—
(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or
(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—
(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or
(ii) obtains a court order for such disclosure under subsection (d) of this section;
except that delayed notice may be given pursuant to section 2705 of this title.
(c) Records concerning electronic communication service or remote computing service.—(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—
(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;
§ 2711. Definitions for chapter
As used in this chapter—
(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;
(2) the term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system; and
(3) the term “court of competent jurisdiction” has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that–
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or
(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.
§ 3127. Definitions for chapter
As used in this chapter—
(1) the terms “wire communication”, “electronic communication”, “electronic communication service”, and “contents” have the meanings set forth for such terms in section 2510 of this title;
(2) the term “court of competent jurisdiction” means—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that–
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located;
(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or
(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device.
§ 3512. Foreign requests for assistance in criminal investigations and prosecutions
(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.
(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –
(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;
(2) administer any necessary oath; and
(3) take testimony or statements and receive documents or other things.
(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –
(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;
(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents, or things may be located; or
(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.
(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.
(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.
(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.
(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.
(h) As used in this section –
(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and
(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.
APPENDIX E: Text of Amendments to 18 U.S.C. §§ 1028 and 1028A
The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.
Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses
Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A—in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).
Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations
(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.
Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.
(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “or other person” after the word “individual”.
Rationale
Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized “appropriation” of legitimate companies’ names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation, sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy, and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.
One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as “phishing,” whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme—for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.
Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special “horror story” which stands above the rest. In August 2005, the “Anti-Phishing Working Group” determined in just that month alone, there were 5259 unique phishing websites around the world. By December 2005, that number had increased to 7197, and there were 15244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities’ names (and even logos and web content) were “hijacked” (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., http://antiphishing.org/apwg_phishing_activity_report_august_05.pdf.
In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks and companies’ names in communications with victims or in counterfeit checks.
Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code, to apply only to “natural” persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.
APPENDIX F: Text of Amendment to 18 U.S.C. § 1030(a)(2)
The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
1030(a) Whoever—
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains–
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
APPENDIX G: Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b
The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
18 U.S.C. § 1030
(a) Whoever—
(5)
(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
(c) The punishment for an offense under subsection (a) or (b) of this section is—
(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(3) (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;
(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section; and
(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and
(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.
(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety;
(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or
(vi) damage affecting ten or more protected computers during any 1-year period;
or an attempt to commit an offense punishable under this subparagraph;
(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph;
(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both;
(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both; or
(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph.
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
18 U.S.C. § 2332b(g)(5)(B)(I)
1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)
APPENDIX H: Text of Amendments to 18 U.S.C. § 1030(a)(7)
The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.
Proposed Language
18 U.S.C. § 1030(a)(7)
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any–
(a) threat to cause damage to a protected computer;
(b) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;
APPENDIX I: Text of Amendment to United States Sentencing Guideline § 2B1.1
The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.
Proposed language for United States Sentencing Guidelines § 2B1.1, comment. (n.1)
“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.
APPENDIX J: Description of Proposed Surveys
In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:
• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.
• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3000 agencies. The sample includes all agencies with 100 or more officers, and a stratified random sample of smaller agencies, as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.
• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft, as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.
• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the post conviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.
• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.
• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.
ENDNOTES
1 Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.
2 The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.
3 The public comments are available at wwwidtheftgov
4 Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”
5 See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at httpwwwusdojgovusaomiwpressJMiller_ Others10172006html
6 Javelin Strategy and Research, 2007 Identity Fraud Survey Report Identity Fraud is Dropping Continued Vigilance Necessary (Feb. 2007), summary available at httpwwwjavelinstrategycom; Bureau of Justice Statistics (DOJ) (2004), available at httpwwwojpusdojgovbjspubpdfit04pdf; Gartner, Inc. (2003), available at httpwwwgartnercom5_aboutpress_releasespr21july2003ajsp; FTC 2003 Survey Report (2003), available at httpwwwconsumergovidtheftpdf synovate_reportpdf
7 See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection BSA Survey Suggests (Jan. 12, 2006), available at httpwwwbsacybersafetycomnews2005-Online-Shopping-Confidencecfm
8 See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at httpswwwcsiallianceorgpublicationssurveys_and_pollsCSIA_Internet_Security_Survey_June_2005pdf
9 See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at httpwwwusdojgovusaoflsPressReleases060719-01html
10 See, e.g., John Leland, Meth Users Attuned to Detail Add Another Habit ID Theft, New York Times, July 11, 2006, available at httpwwwnytimescom20060711us11methhtmlex=1153540800ampen=7b6c7773afa880beampei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit Online Theft, USA Today, December 14, 2005, available at httpwwwusatodaycomtechnewsinternetprivacy2005-12-14-meth-online-theft_xhtm
11 Bob Mims, Id Theft Is the No 1 Runaway US Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526
12 Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, httpdeseretnewscomdnview0124960012971400html
13 Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at httpwwwnytimescom20031221magazine21IDENTITYhtmlex=1387342800ampen=b693eef01223bc3bampei=5007amppartner=USERLAND
14 Pub. L. No. 108-159, 117 Stat. 1952
15 The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).
16 Overview of Attack Trends, CERT Coordination Center 2002, available at httpwwwcertorgarchivepdfattack_trendspdf
17 Lanowitz, T., Gartner Research ID Number G00127407, December 1, 2005
18 “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at httpwwwconsumeraffairscomnews04200607scam_vishinghtml
19 Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See httpwwwftcgovopa200605phonerecordshtm
20 The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at httpwwwftcgovopa200203pretextingsettlementshtm
21 See, e.g., Computers Stolen with Data on 72,000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006
22 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a)
23 Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.
24 See httpwwwbizjournalscomphiladelphiastories20060724daily30html. See also Identity Theft Resource Center Fact Sheet 126, Checking Account Takeover and Check Fraud, httpwwwidtheftcenterorgvg126shtml
25 For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37,000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at httpwwwsecgovlitigationlitreleases2006lr19949htm
26 For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.
27 See John Leland, Some ID Theft Is Not For Profit But to Get a Job, NY Times, Sept. 4, 2006
28 See World Privacy Forum, Medical Identity Theft The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforumorgpdfwpf_medicalidtheft2006pdf
29 See httpwwwidanalyticscomnews_and_events20051208htm. Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.
30 Government Accounting Office, Social Security Numbers Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004) at 2, available at httpwwwgaogovnewitemsd0559pdf
31 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.
32 5 U.S.C. § 552a
33 See, e.g., Ariz. Rev. Stat. § 44-1373
34 Social Security Numbers Federal and State Laws Restrict Use of SSNs Yet Gaps Remain, GAO-05-1016T, September 15, 2005
35 See, e.g., wwwwpsiccomedicomm_sub_pshtmlmm=3, Non-SSN Member Numbers to Be Assigned for Privacy Protection
36 Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.
37 The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”
38 See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).
39 The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.
40 See httpwwwwhitehousegovresultsagendascorecardhtml
41 The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.
42 15 U.S.C. §§ 6801-09; 16 C.F.R. Part 313 (FTC); 12 C.F.R. Part 30, App. B (OCC, national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 C.F.R. Part 364, App. B (FDIC, state non-member banks); 12 C.F.R. Part 570, App. B (OTS, savings associations); 12 C.F.R. Part 748, App. A (NCUA, credit unions); 16 C.F.R. Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 C.F.R. Part 248.30 (SEC); 17 C.F.R. Part 160.30 (CFTC).
43 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.
44 15 U.S.C. §§ 1681-1681x, as amended.
45 Pub. L. No. 108-159, 117 Stat. 1952.
46 42 U.S.C. §§ 1320d et seq.
47 31 U.S.C. § 5318(l)
48 18 U.S.C. §§ 2721 et seq.
49 httpwwwncslorgprogramsliscipprivbreachlawshtm
50 httpwwwbbborgsecurityandprivacySecurityPrivacyMadeSimplerpdf; wwwstaysafeonlineorgbasicscompanybasic_tipshtml; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at wwwbitsinfoorgdownloadsPublications20Pagebitsconsconpdf; wwwrealtororgrealtororgnsffilesNARInternetSecurityGuidepdf$FILENARInternetSecurityGuidepdf; wwwantiphishingorgreportsbestpracticesforispspdf; wwwuschambercomsbsecuritydefaulthtm; wwwtrusteorgpdfSecurityGuidelinespdf; wwwthe-dmaorgprivacyinformationsecurityshtml; httpwwwstaysafeonlineorgbasicscompanybasic_tipshtml
51 These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A and B, and 12 C.F.R. Part 717 (credit unions); 16 C.F.R. Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).
52 See, e.g., httpwwwtrusteorgpdfSecurityGuidelinespdf; httpwwwthe-dmaorgprivacyinformationsecurityshtml
53 Deloitte Financial Services, 2006 Global Security Survey, available at httpsingerucusnetblogarchives756-Deloitte-Security-Surveyshtml
54 Datalink, Data Storage Security Study, March 2006, available at wwwdatalinkcomsecurity
55 Id.
56 See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).
57 See, e.g., California (Cal. Civ. Code § 1798.82 (2006)), Illinois (815 Ill. Comp. Stat. 530/5 (2005)), Louisiana (La. Rev. Stat. 51:3074 (2006)), Rhode Island (R.I. Gen. Laws § 11-49.2-3 (2006)).
58 See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)), Florida (Fla. Stat. § 817.5681 (2005)), New York (NY CLS Gen. Bus. § 889-aa (2006)), Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).
59 Ponemon Institute LLC, Benchmark Study of European and US Corporate Privacy Practices, p. 16 (Apr. 26, 2006).
60 Id.
61 Ponemon Institute LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).
62 MultiChannel Merchant, Retailers Need to Provide Greater Data Security Survey Says (Dec. 1, 2005), available at httpmultichannelmerchantcomopsandfulfillmentadvisorretailers_data_security_1201indexhtml
63 See Information Technology Examination Handbook’s Information Security Booklet, available at httpwwwffiecgovguideshtm
64 See, e.g., httpwwwpvkansascompolicecrimeiden_theftshtml (Prairie Village, Kansas); httpphoenixgovPOLICEdcd1html (Phoenix, Arizona); wwwcoarapahoecousdepartmentsSHindexasp (Arapahoe County, Colorado).
65 Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.
66 Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.
67 See 31 C.F.R. § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 C.F.R. § 103.122 (broker-dealers); 17 C.F.R. § 270.0-11, 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers).
68 See httpwwwdhsgovxprevprotlawsgc_1172765386179shtm
69 A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.
Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages before too much harm is done. See 71 Fed. Reg. 40786 (July 18, 2006), to be codified at 12 C.F.R. Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 C.F.R. Part 681 (FTC), available at httpwwwoccgovfrfedregister71fr40786pdf
70 USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information, such as a PIN, to allow access to a computer network. This system is frequently used to allow for remote access to a workstation for a telecommuter.
71 Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at wwwbiometricsgov
72 See Authentication in an Internet Banking Environment (October 12, 2005), available at httpwwwffiecgovpdfauthentication_guidancepdf
73 See FFIEC Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at httpwwwffiecgovpdfauthentication_faqpdf
74 See Kristin Davis and Jessica Anderson, But Officer That Isn’t Me, Kiplinger’s Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).
75 18 U.S.C. § 1028A
76 18 U.S.C. § 1028(d)(7)
77 See 18 U.S.C. § 1030(e)(8)
78 18 U.S.C. § 1030(a)(7)
79 S. Rep. No. 105-274, at 9 (1998)
80 As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.
Identity Theft Task Force Members
Alberto R. Gonzales, Chairman, Attorney General
Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission
Henry M. Paulson, Department of Treasury
Carlos M. Gutierrez, Department of Commerce
Michael O. Leavitt, Department of Health and Human Services
R. James Nicholson, Department of Veterans Affairs
Michael Chertoff, Department of Homeland Security
Rob Portman, Office of Management and Budget
John E. Potter, United States Postal Service
Ben S. Bernanke, Federal Reserve System
Linda M. Springer, Office of Personnel Management
Sheila C. Bair, Federal Deposit Insurance Corporation
Christopher Cox, Securities and Exchange Commission
JoAnn Johnson, National Credit Union Administration
Michael J. Astrue, Social Security Administration
John C. Dugan, Office of the Comptroller of the Currency
John M. Reich, Office of Thrift Supervision
Letter to the President
April 11, 2007
The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.
Dear Mr. President:
By establishing the President’s Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government’s efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.
Alberto R. Gonzales, Chairman, Attorney General
Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission
The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft’s damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.
There is no quick solution to this problem. But we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.
Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President’s Task Force on Identity Theft.
Very truly yours,
Alberto R. Gonzales, Chairman, Attorney General
Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission
I. Executive Summary
From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.
A. INTRODUCTION
Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.
Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government—from the largest cities with major police departments to the smallest towns with one fraud detective—identity theft has placed increasingly pressing demands on law enforcement.
Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.
In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.
The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.
These communications from the public went a long way toward informing the Task Force’s recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.
B. THE STRATEGY
Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud. Identity theft has at least three stages in its “life cycle,” and it must be attacked at each of those stages:
First, the identity thief attempts to acquire a victim’s personal information.
Criminals must first gather personal information, either through low-tech methods—such as stealing mail or workplace records, or “dumpster diving”—or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.
Second, the thief attempts to misuse the information he has acquired.
In this stage, criminals have acquired the victim’s personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:
Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.
New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim’s name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.
In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.
Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.
In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation’s citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.
The Plan focuses on improvements in four key areas:
• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.
In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:
• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.
The Task Force believes that all of the recommendations in this strategic plan—from these broad policy changes to the small steps—are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President’s Task Force on Identity Theft:
PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While “perfect security” does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.
Data Security in Public Sector
Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management
bull Surveycurrentuseof SSNsbyfederalgovernment
bull Issueguidanceonappropriateuseof SSNs
bull Establishclearinghouseforldquobestrdquoagencypracticesthatminimizeuseof SSNs
bull Workwithstateandlocalgovernmentstoreviewuseof SSNs
Educate Federal Agencies on How to Protect Data Monitor Their Compliance with Existing Guidance
bull Developconcreteguidanceandbestpractices
bull Monitoragencycompliancewithdatasecurityguidance
bull Protectportablestorageandcommunicationsdevices
Ensure Effective Risk-Based Responses to Data Breaches Suffered by Federal Agencies
bull Issuedatabreachguidancetoagencies
bull Publishaldquoroutineuserdquoallowingdisclosureof informationafterabreachtothoseentitiesthatcanassistinrespondingtothebreach
Data Security in Private Sector
Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements
Develop Comprehensive Record on Private Sector Use of Social Security Numbers
Better Educate the Private Sector on Safeguarding Data
bull Holdregionalseminarsforbusinessesonsafeguardinginformation
bull Distributeimprovedguidanceforprivateindustry
Initiate Investigations of Data Security Violations
Initiate a Multi-Year Public Awareness Campaign
bull Developnationalawarenesscampaign
bull Enlistoutreachpartners
bull Increaseoutreachtotraditionallyunderservedcommunities
bull EstablishldquoProtectYourIdentityrdquoDays
Develop Online Clearinghouse for Current Educational Resources
PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.
Authentication includes determining a person’s identity at the beginning of a relationship (sometimes called verification) and later ensuring that he is the same person who was originally authenticated. But the process can fail: identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.
Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factor authentication or layered security—would go a long way toward preventing criminals from profiting from identity theft.
Hold Workshops on Authentication
• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity
• Issue report on workshop findings
Develop a Comprehensive Record on Private Sector Use of SSNs
VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Identity theft can be committed despite a consumer’s best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.
Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims
• Train law enforcement officers
• Provide educational materials for first responders that can be used as a reference guide for identity theft victims
• Create and distribute an ID Theft Victim Statement of Rights
• Design nationwide training for victim assistance counselors
Develop Avenues for Individualized Assistance to Identity Theft Victims
Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered
Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes
Assess Efficacy of Tools Available to Victims
• Conduct assessment of FACT Act remedies under FCRA
• Conduct assessment of state credit freeze laws
LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.
Coordination and Information/Intelligence Sharing
Establish a National Identity Theft Law Enforcement Center
Develop and Promote the Use of a Universal Identity Theft Report Form
Enhance Information Sharing Between Law Enforcement and the Private Sector
• Enhance ability of law enforcement to receive information from financial institutions
• Initiate discussions with financial services industry on countermeasures to identity theft
• Initiate discussions with credit reporting agencies on preventing identity theft
Coordination with Foreign Law Enforcement
Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft
Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime
Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies
Enhance the United States Government’s Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft
Assist, Train, and Support Foreign Law Enforcement
Prosecution Approaches and Initiatives
Increase Prosecutions of Identity Theft
• Designate an identity theft coordinator for each United States Attorney’s Office to design a specific identity theft program for each district
• Evaluate monetary thresholds for prosecution
• Encourage state prosecution of identity theft
• Create working groups and task forces
Conduct Targeted Enforcement Initiatives
• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale
• Conduct enforcement initiatives focused on identity theft related to the health care system
• Conduct enforcement initiatives focused on identity theft by illegal aliens
Review Civil Monetary Penalty Programs
Gaps in Statutes Criminalizing Identity Theft
Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes
• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted
• Add new crimes to the list of predicate offenses for aggravated identity theft offenses
• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications
• Penalize creators and distributors of malicious spyware and keyloggers
• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion
Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim
Law Enforcement Training
Enhance Training for Law Enforcement Officers and Prosecutors
• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft
• Increase number of regional identity theft seminars
• Increase resources for law enforcement on the Internet
• Review curricula to enhance basic and advanced training on identity theft
Measuring the Success of Law Enforcement
Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft
• Gather and analyze statistically reliable data from identity theft victims
• Expand scope of national crime victimization survey
• Review U.S. Sentencing Commission data
• Track prosecutions of identity theft and resources spent
• Conduct targeted surveys
II. The Contours of the Identity Theft Problem
Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.
Identity theft—the misuse of another individual’s personal information to commit fraud—can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.
Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain’s identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain’s name and with his Social Security number. The military identification, combined with the victim’s then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim’s name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim’s name.4
In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim’s existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim’s safe-deposit boxes.5
In these ways and others, consumers’ lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to strengthen efforts to prevent identity theft, investigate and prosecute identity theft, raise awareness, and ensure that victims receive meaningful assistance.
“I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver’s license was suspended. I hold three licenses in the State of Ohio—my driver’s license, my real estate license, and my RN license. After learning my driver’s license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter.”
Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003
A. PREVALENCE AND COSTS OF IDENTITY THEFT
There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.
Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.
In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.
In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.
Consumers’ fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.
B. IDENTITY THIEVES: WHO THEY ARE
Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC’s 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.
Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.
Individuals
According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners’ mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9
A number of recent reports have focused on the connection between individual methamphetamine (“meth”) users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.
In an article entitled “Waitress Gets Own ID When Carding Patron,” the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver’s license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.
In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $18151705 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver’s license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.
Significant Criminal Groups and Organizations
Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups—including national gangs such as Hell’s Angels and MS-13—are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.
Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user’s Internet connection, without the user’s knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services—such as software templates for making counterfeit identification cards and payment card magnetic strip encoders—that make the stolen data even more valuable to those who have it.
C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE
Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim’s name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.
Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.
In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant’s accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an “unprecedented, wide-ranging, organized criminal enterprise” that “engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers.” The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.
The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.
Common Theft and Dumpster Diving
While often considered a “high tech” crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as “dumpster diving.”13 Still others steal information using techniques no more sophisticated than purse snatching.
Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed—a measure that is intended, among other things, to reduce the ability of a “dumpster diver” to obtain a victim’s credit card number simply by looking through that victim’s discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15
Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice
A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.
Employee/Insider Theft
Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee’s access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.
Electronic Intrusions or Hacking
Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.
Second, hackers also can gain access to underlying applications—programs used to “communicate” between Internet users and a company’s internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker’s application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.
According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.
Social Engineering: Phishing, Malware/Spyware, and Pretexting
Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as “social engineering,” can take a variety of forms.
In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution’s screening practices came to light through the OCC’s review of the former employee’s activities.
In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe’s Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe’s retail store in Michigan and gained access to Lowe’s central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe’s retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.
Phishing. “Phishing” is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to “reenter” or “validate” their personal data. Such phishing schemes often mimic financial institutions’ websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed “vishing,” in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18
Malware/Spyware/Keystroke Loggers. Criminals also can use spyware to illegally gain access to Internet users’ computers and data without the users’ permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user’s Internet sessions back to the hacker, including usernames and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims’ passwords and other useful data—such as “sniffing” Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.
“Phishing” Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group
At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS’s website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.
Pretexting Pretexting19isanotherformof socialengineeringusedtoobtainsensitiveinformationInmanycasespretexterscontactafinancialinstitutionortelephonecompanyimpersonatingalegitimatecustomerandrequestthatcustomerrsquosaccountinformationInothercasesthepretextisaccomplishedbyaninsideratthefinancialinstitutionorbyfraudulentlyopeninganonlineaccountinthecustomerrsquosname20
Stolen Media
Inadditiontoinstancesof deliberatetheftof personalinformationdataalsocanbeobtainedbyidentitythievesinanldquoincidentalrdquomannerCriminalsfrequentlystealdatastoragedevicessuchaslaptopsorportablemediathatcontainpersonalinformation21AlthoughthecriminaloriginallytargetedthehardwarehemaydiscoverthestoredpersonalinformationandrealizeitsvalueandpossibilityforexploitationUnlessadequatelysafeguardedmdashsuchasthroughtheuseof technologicaltoolsforprotectingdatamdashthisinformationcanbeaccessedandusedtostealthevictimrsquosidentityIdentitythievesalsomayobtainconsumerdatawhenitislostormisplaced
Failure to ldquoKnow Your Customerrdquo
Databrokerscompileconsumerinformationfromavarietyof publicandprivatesourcesandthenofferitforsaletodifferententitiesforarangeof purposesForexamplegovernmentagenciesoftenpurchaseconsumerinformationfromdatabrokerstolocatewitnessesorbeneficiariesorforlawenforcementpurposesIdentitythieveshowevercanstealpersonalinformationfromdatabrokerswhofailtoensurethattheircustomershavealegitimateneedforthedata
TheFairCreditReportingAct(FCRA)andtheGramm-Leach-BlileyAct(GLBAct)imposespecificdutiesoncertaintypesof databrokersthatdisseminateparticulartypesof information22ForexampletheFCRArequiresdatabrokersthatareconsumerreportingagenciestomakereasonableeffortstoverifytheidentityof theircustomersandtoensurethatthosecustomershaveapermissiblepurposeforobtainingtheinformationTheGLBActlimitstheabilityof afinancialinstitutiontoresellcoveredfinancialinformation
Existinglawshoweverdonotreacheverykindof personalinformationcollectedandsoldbydatabrokersInadditionwhendatabrokersfailtocomplywiththeirstatutorydutiestheyopenthedoortocriminalswhocanaccessthepersonalinformationheldbythedatabrokersbyexploitingpoorcustomerverificationpractices
In January 2006 the FTC settled a lawsuit against data broker ChoicePoint Inc alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags Under the settlement ChoicePoint paid $10 million in civil penalties and $5 mil-lion in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes to establish a comprehensive information security pro-gram and to obtain audits by an independent security professional every other year until 2026
“Skimming”
Because it is possible to use someone’s credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as “skimmers.” A skimmer is an inexpensive electronic device with a slot through which a person passes or “skims” a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer’s sight, he can skim the card through the device and then swipe it through the restaurant’s own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer’s card, as well as the consumer’s password.
D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT
Once they obtain victims’ personal information, criminals misuse it in endless ways, from opening new accounts in the victim’s name, to accessing the victim’s existing accounts, to using the victim’s name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.
Misuse of Existing Accounts
Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer’s wallet.
A “skimmer.” Source: Durham, Ontario Police
In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.
Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims’ bank accounts, including checking accounts—sometimes referred to as “account takeovers.”24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims’ online brokerage accounts.25
Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26
New Account Fraud
A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim’s name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.
Criminal’s skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer’s keystrokes. Source: University of Texas Police Department
In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor’s Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.
When criminals establish new credit card accounts in others’ names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others’ names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.
“Brokering” of Stolen Data
Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as “carding sites,” traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.
Immigration Fraud
In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.
Medical Identity Theft
Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim’s identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.
Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney’s Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver’s licenses, credit, or even medical services because someone had improperly used their personal information before.
Other Frauds
Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS’s Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.
With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services’ Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.
Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney’s Office for the Southern District of New York obtained a criminal conviction against him in 2002.
In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant’s allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.
A STRATEGY TO COMBAT IDENTITY THEFT
III. A Strategy to Combat Identity Theft
Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its “life cycle,” it must be attacked at each of those stages, including:
when the identity thief attempts to acquire a victim’s personal information;
when the thief attempts to misuse the information he has acquired; and
after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
The federal government’s strategy to combat identity theft must address each of these stages by:
keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;
making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;
assisting victims in recovering from the crime; and
deterring identity theft by aggressively prosecuting and punishing those who commit the crime.
A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force’s recommendations, as described below, are focused on those areas.
A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as “perfect security,” some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.
The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.29 Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.
1. Decreasing the Unnecessary Use of Social Security Numbers
The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim’s SSN and certain other information generally can open accounts or obtain other benefits in the victim’s name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.
SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers’ earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes is expressly authorized by statute.
The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.
Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students’ identification number for a range of purposes, from administering loans to tracking grades, and may place it on students’ identification cards, although usage for these purposes is declining.
In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver’s licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.
SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.30 Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.
No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations’ disclosure of SSNs without patient authorization; and the Driver’s Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 “permissible uses.”31 In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.32 A number of state statutes restrict the use and display of SSNs in certain contexts.33 Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.34
There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.
Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization’s internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN’s use as an authenticator.
In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA’s Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.
Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber’s identification number.35 Additionally, the Department of Treasury’s Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.
More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.
RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR
To limit the unnecessary use of SSNs in the public sector—and to begin to develop alternative strategies for identity management—the Task Force recommends the following:
Complete Review of Use of SSNs. As recommended in the Task Force’s interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers, where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in “any system of permanent account numbers pertaining to individuals,” should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.
When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim’s name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief’s medical information was added to the victim’s medical records.
Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.
Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.36
Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB’s review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices—including the development of any alternative strategies for identity management—to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.
Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments—through organizations such as the National Governor’s Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems—to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders—including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.
2. Data Security in the Public Sector
While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.
a. Safeguarding of Information in the Public Sector
Two sets of laws and associated policies frame the federal government’s responsibilities in the area of data security. The first specifically governs the federal government’s information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.37 The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a “time-out” function for remote access and mobile devices.38 The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.39
Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President’s Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.40
Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.
Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.
b. Responding to Data Breaches in the Public Sector
Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.
The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.
RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE
To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:
Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 “mistakes” to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.
Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency’s quarterly PMA Scorecard.
Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency’s PMA scorecard.
RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES
To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:
Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.
Publish a "Routine Use" Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.41 DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.
3. Data Security in the Private Sector
Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.
a. The Current Legal Landscape
Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;42 Section 5 of the FTC Act, which prohibits unfair or deceptive practices;43 the FCRA,44 which restricts access to consumer reports and imposes safe disposal requirements, among other things;45 HIPAA, which protects health information;46 Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,47 which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers' personal information.48 See Volume II, Part A, for a description of federal laws and regulations related to data security.
The federal bank regulatory agencies (the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)) and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation. In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.
BJ's Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ's stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers and led to millions of dollars in fraudulent charges.
In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,49 and some states have laws relevant to data security, including safeguards and disposal requirements.
Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.50
Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution's sensitive data to safeguard that data.51 Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor's data center, and requiring vendors to provide certification that they are in compliance with the contracting organization's privacy and data protection obligations.52
b. Implementation of Data Security Guidelines and Rules
Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.
In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company's website permitted unauthorized access to consumers' personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.
In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.
Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.53 But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.54 The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.55
Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.56 For example, of the small businesses surveyed:
• nearly 20 percent did not use virus scans for email, a basic information security safeguard;
• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;
• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and
• 74 percent reported having no information security plan in place.
Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies, sometimes pursuant to law or regulations issued by agencies, are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.
In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company's security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.
c. Responding to Data Breaches in the Private Sector
Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers' fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.57 Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.58 Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.
The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.
A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.
In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.
Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.59 Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.60 A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.61 Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.62
RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS
Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to "financial institutions," but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles:
Covered data. The national standards for data security and for breach notification should cover data that can be used to perpetrate identity theft, in particular any data or combination of consumer data that would allow someone to use, log into, or access an individual's account, or to establish a new account using the individual's identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver's license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter "covered data"). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.
When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.
Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.
Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent "acquisition" of the data, and thus ordinarily would satisfy an entity's legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.
Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real; that is, when there is a significant risk of identity theft due to the breach. This "significant risk of identity theft" trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real.
Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).
Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.
Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.
Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.
Private right of action. The national standards should not provide for or create a private right of action.
Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses, or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.
RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA
Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately is less likely to suffer a data compromise. The Task Force therefore makes the following recommendations concerning how to better educate the private sector:
When a major consumer lending institution encountered a problem when the loss ratio on many of its loans (including mortgages and consumer loans) became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.
Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar's leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force's online clearinghouse at www.idtheft.gov.
Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook's Information Security Booklet issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.
RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS
Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.
A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company's cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.
4. Educating Consumers on Protecting Their Personal Information
The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.
The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of "Deter, Detect, and Defend," which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.
The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.
Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims' coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted "Consumer Action Days," with free seminars about identity theft and other consumer protection issues.
Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.64 As of this writing, more than 500 local police departments are using the FTC's "Deter, Detect, Defend" campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.
Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons, including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms, students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.65 In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.66
Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide (how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath) are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.
RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN
Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC's current "AvoID Theft: Deter, Detect, Defend" campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:
Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.
Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.
Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.
Establish "Protect Your Identity Days." The campaign should establish "Protect Your Identity Days" to promote better data security by businesses and individual commitment to security by consumers. These "Protect Your Identity Days" should also build on the popularity of community "shred-ins" by encouraging community and business organizations to shred documents containing personal information.
RECOMMENDATION: DEVELOP AN ONLINE "CLEARINGHOUSE" FOR CURRENT EDUCATIONAL RESOURCES
The Task Force recommends that in the third quarter of 2007, the Task Force member agencies develop an online "clearinghouse" for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.
B PrEVENTION MAKING IT HArDEr TO MISuSE CONSuMEr DATA
Keepingvaluableconsumerdataoutof thehandsof criminalsisthefirststepinreducingtheincidenceof identitytheftButbecausenosecurityisperfectandthievesareresourcefulitisessentialtoreducetheopportunitiesforcriminalstomisusethedatatheydomanagetosteal
Anidentitythief whowantstoopennewaccountsinavictimrsquosnamemustbeableto(1)provideidentifyinginformationtoenablethecreditororothergrantorof benefitstoaccessinformationonwhichtobaseaneligibilitydecisionand(2)convincethecreditororothergrantorof benefitsthatheisinfactthepersonhepurportstobeForexampleacreditcardgrantorprocessinganapplicationforacreditcardwillusetheSSNtoaccesstheconsumerrsquoscreditreporttocheckhiscreditworthinessandmayrelyonphotodocumentstheSSNandorotherproof toaccessothersourcesof informationintendedtoldquoverifyrdquotheapplicantrsquosidentityThustheSSNisacriticalpieceof informationforthethiefanditswideavailabilityincreasestheriskof identitytheft
Identity systems follow a two-fold process: first, determining (“identification”) and setting (“enrollment”) the identity of an individual at the onset of the relationship, and second, later ensuring that the individual is the same person who was initially enrolled (“authentication”). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, “financial institutions”), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.67 The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.68 See Volume II, Part G, for a description of recent laws relating to identification documents.
The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.69
Once an individual’s identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:
• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer’s monthly mortgage payment.
• Something a person has—most commonly, a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.70
• Something a person is—most commonly, a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.71
Some entities use a single form of authentication—most commonly, a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.72 Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.73 Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.
SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.
RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION
Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.
As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
As noted in Section III.A.1, above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.
C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.
1. Victim Assistance: Outreach and Education
Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.
In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.
Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.
Fair and Accurate Credit Transactions Act (FACT Act) Rights
The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.
Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:
• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.
• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.
• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.
• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.
• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.
State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General’s office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.
A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.
Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.
RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS
First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:
Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.
Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.
Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.
Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.
RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS
Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:
Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.
2. Making Identity Theft Victims Whole
Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.
The many hours victims spend in attempting to recover from the harms they suffer often take a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.
“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”
Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001
In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.74 In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.
RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED
Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.
As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.
RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES
One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or “passports,” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.
3. Gathering Better Information on the Effectiveness of Victim Recovery Measures
Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims’ experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.
RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS
The Task Force recommends the following surveys or assessments:
Conduct Assessment of FACT Act Remedies Under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.
Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policymakers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.
D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.
The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.
In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.
In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.
During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute75 enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.
The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.
1. Coordination and Intelligence/Information Sharing
Federal law enforcement agencies have recognized the importance of coordination among agencies and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.
In “Operation Firewall,” the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar. Using the website www.shadowcrew.com, the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents, such as drivers’ licenses, passports, and Social Security cards, as well as stolen credit card, debit card, and bank account numbers. The Shadowcrew members trafficked in at least 1.7 million stolen credit card numbers and caused total losses in excess of $4 million. The Secret Service successfully shut down the website following a year-long undercover investigation, which resulted in the arrests of 21 individuals in the United States on criminal charges in October 2004. Additionally, law enforcement officers in six foreign countries arrested or searched eight individuals.
a. Sources of Identity Theft Information
Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement through a secure website the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.
Private sector entities—including the financial services industry and credit reporting agencies—also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.
One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient “stove-piping” of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.
b. Format for Sharing Information and Intelligence
A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program’s terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.
To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police’s (IACP) Private Sector Liaison Committee and the Major Cities’ Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.
c. Mechanisms for Sharing Information
Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.
Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.
Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers “connect the dots” in investigations and pool limited resources.
RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER
The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to “connect the dots” between various investigations around the country.
In a case prosecuted by the United States Attorney’s Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.
RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM
The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC—a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department’s report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.
Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint (“Complaint”) form was made available in October 2006 via the FTC’s Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC’s Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.
RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR
Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:
Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service’s current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim’s credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.
2. Coordination with Foreign Law Enforcement
Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.
Because of the international nature of many forms of identity theft, providing assistance to, and receiving assistance from, foreign law enforcement on identity theft is critical for U.S. enforcement agencies. Under current law, the United States generally is able to provide such assistance, which fulfills our obligations under various treaties and enhances our ability to obtain reciprocal assistance from foreign agencies. Indeed, there are numerous examples of collaborations between U.S. and foreign law enforcement in identity theft investigations.
Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country’s law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.
Second, certain statutes governing foreign requests for electronic and other evidence—specifically 18 U.S.C. § 2703 and 28 U.S.C. § 1782—fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.
The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.
RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT
The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.
RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE
Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention’s standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings, and should continue until broad international acceptance of the Convention on Cybercrime is achieved.
RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES
Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.
RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT’S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT
The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).
RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT
Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.
3. Prosecution Approaches and Initiatives
As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney’s Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney’s Office in the District of Oregon has an identity theft “fast track” program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney’s Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.
Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney’s Offices have monetary thresholds—i.e., requirements that a certain amount of monetary loss must have been suffered by the victims—before the U.S. Attorney’s Office will open an identity theft case. When a U.S. Attorney’s Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.
RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT
The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:
Designate An Identity Theft Coordinator for Each United States Attorney’s Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney’s Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.
Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney’s Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.
Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.
Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.
RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES
Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:
Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals’ SSNs or other sensitive information to anyone who provides them with the individual’s name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.
Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries’ and providers’ identities and identification numbers, the opening of bank accounts in individuals’ names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.
Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.
RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS
By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.
4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps
Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.
a. The Identity Theft Statutes
The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.76 Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.
There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of “a person,” it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization’s name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.
b. Computer-Related Identity Theft Statutes
Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company’s internal local networks or by a thief intruding into a wireless network generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer’s wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney’s Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.
A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause “damage” to computers, i.e., that impair the “integrity or availability” of data or computer systems.77 Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals’ computers. Whether the programs succeed in obtaining the unsuspecting computer owner’s financial data, these sorts of programs harm the “integrity” of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.
c. Cyber-Extortion Statute
Another federal criminal statute that may apply in some computer-related identity theft cases is the “cyber-extortion” provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat “to cause damage to a protected computer,”78 is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first—such as by accessing a corporate computer without authority and encrypting critical data—and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly “threaten to cause damage” can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.
d. Sentencing Guidelines Governing Identity Theft
In recent years, the courts have created some uncertainty about the applicability of the “multiple victim enhancement” provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.79
RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES
The Task Force recommends that Congress take the following legislative actions:
Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.
Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases—mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A—in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.
Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.
Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant’s action must cause “damage” to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.
Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.
RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF’S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM
The Sentencing Commission should amend the definition of “victim,” as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.
5. Training of Law Enforcement Officers and Prosecutors
Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney’s Offices, for example, several federal law enforcement agencies—including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI—along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.
Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges—including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft—that warrant more specialized training at all levels of law enforcement.
RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS
Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ’s Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any “model programs”—fast track programs, etc.).
Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.
Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.
Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.
6. Measuring Success of Law Enforcement Efforts
One shortcoming in the federal government’s ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.
Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.
RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM’S RESPONSE TO IDENTITY THEFT
Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.
Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.
Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.
Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an “Identity Theft” category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.
Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.
IV. Conclusion: The Way Forward
There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.
Only a comprehensive and fully coordinated strategy to combat identity theft—one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector—will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders—consumers, business, and government—must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well being.
Appendices
APPENDIX A
Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol
APPENDIX B
Proposed Routine Use Language
Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12,990, 12,993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28,948, 28,953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.
Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:80
To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.
Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.
Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.
APPENDIX C
Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)
Proposed Language
(a) Section 3663 of Title 18, United States Code, is amended by:
(1) Deleting “and” at the end of paragraph (4) of subsection (b);
(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “and”; and
(3) Adding the following after paragraph (5) of subsection (b):
“(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”
Make conforming changes to the following:
(b) Section 3663A of Title 18, United States Code, is amended by:
(1) Adding the following after Section 3663A(b)(4):
“(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”
Section Analysis
These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim’s time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim’s time spent clearing a victim’s credit report or resolving charges made by the perpetrator for which the victim has been made responsible.
New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear that restitution orders may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense. The federal courts of appeals have interpreted the existing provisions of Section 3663 in such a way that would likely preclude the recovery of such amounts, absent explicit statutory authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th Cir. 1990), the court held that restitution ordered for offenses resulting in loss of property must be limited to recovery of property which is the subject of the offenses, and may not include consequential damages. Similarly, in United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held that the list of compensable expenses in a restitution statute is exclusive, and thus the district court did not have the authority to order the defendant to pay restitution to compensate the victim for mental anguish and suffering. Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court held that restitution was not allowed for consequential damages involved in determining the amount of loss or in recovering those funds; thus, a victim of wire fraud was not entitled to restitution for accounting fees and costs to reconstruct bank statements for the time period during which the defendant perpetuated the scheme, for the cost of temporary employees to reconstruct monthly bank statements, and for the costs incurred in borrowing funds to replace stolen funds. These new subsections will provide statutory authority for inclusion of amounts equal to the value of the victim’s time reasonably spent remediating the harm incurred as a result of the identity theft offense.
APPENDIX D
Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512
The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.
Proposed Language
§ 2703. Required disclosure of customer communications or records
(a) Contents of wire or electronic communications in electronic storage.—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.
(b) Contents of wire or electronic communications in a remote computing service.—(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—
(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or
(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—
(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or
(ii) obtains a court order for such disclosure under subsection (d) of this section;
except that delayed notice may be given pursuant to section 2705 of this title.
(c) Records concerning electronic communication service or remote computing service.—(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—
(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;
§ 2711. Definitions for chapter
As used in this chapter—
(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;
(2) the term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system; and
(3) the term “court of competent jurisdiction” has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that–
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or
(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.
§ 3127. Definitions for chapter
As used in this chapter—
(1) the terms “wire communication”, “electronic communication”, “electronic communication service”, and “contents” have the meanings set forth for such terms in section 2510 of this title;
(2) the term “court of competent jurisdiction” means—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that–
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located;
(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or
(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device.
§ 3512. Foreign requests for assistance in criminal investigations and prosecutions
(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.
(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –
(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;
(2) administer any necessary oath; and
(3) take testimony or statements and receive documents or other things.
(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –
(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;
(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents, or things may be located; or
(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.
(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.
(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.
(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.
(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.
(h) As used in this section –
(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and
(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.
APPENDIX E
Text of Amendments to 18 U.S.C. §§ 1028 and 1028A
The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.
Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses
Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically, mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A—in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).
Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations
(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.
Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.
(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “or other person” after the word “individual”.
Rationale
Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized “appropriation” of legitimate companies’ names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation, sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy, and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.
One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as “phishing,” whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme—for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.
Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special “horror story” which stands above the rest. In August 2005, the “Anti-Phishing Working Group” determined in just that month alone, there were 5,259 unique phishing websites around the world. By December 2005, that number had increased to 7,197, and there were 15,244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities’ names (and even logos and web content) were “hijacked” (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., http://antiphishing.org/apwg_phishing_activity_report_august_05.pdf.
In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks and companies’ names in communications with victims or in counterfeit checks.
Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code, to apply only to “natural” persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.
APPENDIX F
Text of Amendment to 18 U.S.C. § 1030(a)(2)
The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
1030(a) Whoever—
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains–
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
APPENDIX G
Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b
The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
18 U.S.C. § 1030
(a) Whoever—
(5)
(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
(c) The punishment for an offense under subsection (a) or (b) of this section is—
(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(3) (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;
(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section; and
(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and
(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.
(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety;
(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or
(vi) damage affecting ten or more protected computers during any 1-year period;
or an attempt to commit an offense punishable under this subparagraph;
(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph;
(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both;
(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both; or
(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph.
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
18 U.S.C. § 2332b(g)(5)(B)(I)
1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)
APPENDIX H
Text of Amendments to 18 U.S.C. § 1030(a)(7)
The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.
Proposed Language
18 U.S.C. § 1030(a)(7)
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any –
(a) threat to cause damage to a protected computer;
(b) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion
APPENDIX I
Text of Amendment to United States Sentencing Guideline § 2B1.1
The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.
Proposed language for United States Sentencing Guidelines § 2B1.1, comment. (n.1)
“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.
APPENDIX J
Description of Proposed Surveys
In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:
• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.
• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3,000 agencies. The sample includes all agencies with 100 or more officers, and a stratified random sample of smaller agencies, as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.
• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft, as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.
• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the post conviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.
• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.
• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.
ENDNOTES
1. Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.
2. The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.
3. The public comments are available at www.idtheft.gov.
4. Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”
5. See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at httpwwwusdojgovusaomiwpressJMiller_ Others10172006html
6. Javelin Strategy and Research, 2007 Identity Fraud Survey Report: Identity Fraud is Dropping, Continued Vigilance Necessary (Feb. 2007), summary available at http://www.javelinstrategy.com; Bureau of Justice Statistics (DOJ) (2004), available at httpwwwojpusdojgovbjspubpdfit04pdf; Gartner, Inc. (2003), available at httpwwwgartnercom5_aboutpress_releasespr21july2003ajsp; FTC 2003 Survey Report (2003), available at httpwwwconsumergovidtheftpdf synovate_reportpdf
7. See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection, BSA Survey Suggests (Jan. 12, 2006), available at httpwwwbsacybersafetycomnews2005-Online-Shopping-Confidencecfm
8. See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at httpswwwcsiallianceorgpublicationssurveys_and_pollsCSIA_Internet_Security_Survey_June_2005pdf
9. See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at httpwwwusdojgovusaoflsPressReleases060719-01html
10. See, e.g., John Leland, Meth Users, Attuned to Detail, Add Another Habit: ID Theft, New York Times, July 11, 2006, available at httpwwwnytimescom20060711us11methhtmlex=1153540800ampen=7b6c7773afa880beampei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit: Online Theft, USA Today, December 14, 2005, available at httpwwwusatodaycomtechnewsinternetprivacy2005-12-14-meth-online-theft_xhtm
11. Bob Mims, Id Theft Is the No. 1 Runaway U.S. Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526.
12. Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, httpdeseretnewscomdnview0124960012971400html
13. Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at httpwwwnytimescom20031221magazine21IDENTITYhtmlex=1387342800ampen=b693eef01223bc3bampei=5007amppartner=USERLAND
14. Pub. L. No. 108-159, 117 Stat. 1952.
15. The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).
16. Overview of Attack Trends, CERT Coordination Center 2002, available at httpwwwcertorgarchivepdfattack_trendspdf
17. Lanowitz, T., Gartner Research ID Number G00127407, December 1, 2005.
18. “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at httpwwwconsumeraffairscomnews04200607scam_vishinghtml
19. Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal: Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See httpwwwftcgovopa200605phonerecordshtm
20. The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at httpwwwftcgovopa200203pretextingsettlementshtm
21. See, e.g., Computers Stolen with Data on 72,000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.
22. 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a).
23. Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.
24. See httpwwwbizjournalscomphiladelphiastories20060724daily30html. See also Identity Theft Resource Center, Fact Sheet 126: Checking Account Takeover and Check Fraud, httpwwwidtheftcenterorgvg126shtml
25. For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37,000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at httpwwwsecgovlitigationlitreleases2006lr19949htm
26. For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.
27. See John Leland, Some ID Theft Is Not For Profit, But to Get a Job, N.Y. Times, Sept. 4, 2006.
28. See World Privacy Forum, Medical Identity Theft: The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforumorgpdfwpf_medicalidtheft2006pdf
29. See httpwwwidanalyticscomnews_and_events20051208htm. Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.
30. Government Accounting Office, Social Security Numbers: Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004), at 2, available at httpwwwgaogovnewitemsd0559pdf
31. 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.
32. 5 U.S.C. § 552a.
33. See, e.g., Ariz. Rev. Stat. § 44-1373.
34. Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain, GAO-05-1016T, September 15, 2005.
35. See, e.g., wwwwpsiccomedicomm_sub_pshtmlmm=3, Non-SSN Member Numbers to Be Assigned for Privacy Protection.
36. Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.
37. The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”
38. See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).
39. The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.
40. See httpwwwwhitehousegovresultsagendascorecardhtml
41. The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.
42. 15 U.S.C. §§ 6801-09; 16 C.F.R. Part 313 (FTC); 12 C.F.R. Part 30, App. B (OCC, national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 C.F.R. Part 364, App. B (FDIC, state non-member banks); 12 C.F.R. Part 570, App. B (OTS, savings associations); 12 C.F.R. Part 748, App. A (NCUA, credit unions); 16 C.F.R. Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 C.F.R. Part 248.30 (SEC); 17 C.F.R. Part 160.30 (CFTC).
43. 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.
44. 15 U.S.C. §§ 1681-1681x, as amended.
45. Pub. L. No. 108-159, 117 Stat. 1952.
46. 42 U.S.C. §§ 1320d et seq.
47. 31 U.S.C. § 5318(l).
48. 18 U.S.C. §§ 2721 et seq.
49. httpwwwncslorgprogramsliscipprivbreachlawshtm
50. httpwwwbbborgsecurityandprivacySecurityPrivacyMadeSimplerpdf; wwwstaysafeonlineorgbasicscompanybasic_tipshtml; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at wwwbitsinfoorgdownloadsPublications20Pagebitsconsconpdf; wwwrealtororgrealtororgnsffilesNARInternetSecurityGuidepdf$FILENARInternetSecurityGuidepdf; wwwantiphishingorgreportsbestpracticesforispspdf; wwwuschambercomsbsecuritydefaulthtm; wwwtrusteorgpdfSecurityGuidelinespdf; wwwthe-dmaorgprivacyinformationsecurityshtml; httpwwwstaysafeonlineorgbasicscompanybasic_tipshtml
51. These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A and B, and 12 C.F.R. Part 717 (credit unions); 16 C.F.R. Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).
52. See, e.g., httpwwwtrusteorgpdfSecurityGuidelinespdf; httpwwwthe-dmaorgprivacyinformationsecurityshtml
53. Deloitte Financial Services, 2006 Global Security Survey, available at httpsingerucusnetblogarchives756-Deloitte-Security-Surveyshtml
54. Datalink, Data Storage Security Study, March 2006, available at wwwdatalinkcomsecurity
55. Id.
56. See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).
57. See, e.g., California (Cal. Civ. Code § 1798.82 (2006)); Illinois (815 Ill. Comp. Stat. 530/5 (2005)); Louisiana (La. Rev. Stat. 51:3074 (2006)); Rhode Island (R.I. Gen. Laws § 11-49.2-3 (2006)).
58. See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)); Florida (Fla. Stat. § 817.5681 (2005)); New York (NY CLS Gen. Bus. § 889-aa (2006)); Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).
59. Ponemon Institute LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, p. 16 (Apr. 26, 2006).
60. Id.
61. Ponemon Institute LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).
62. MultiChannel Merchant, Retailers Need to Provide Greater Data Security, Survey Says (Dec. 1, 2005), available at httpmultichannelmerchantcomopsandfulfillmentadvisorretailers_data_security_1201indexhtml
63. See Information Technology Examination Handbook’s Information Security Booklet, available at httpwwwffiecgovguideshtm
64. See, e.g., httpwwwpvkansascompolicecrimeiden_theftshtml (Prairie Village, Kansas); httpphoenixgovPOLICEdcd1html (Phoenix, Arizona); wwwcoarapahoecousdepartmentsSHindexasp (Arapahoe County, Colorado).
65. Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.
66. Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.
67. See 31 C.F.R. § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 C.F.R. § 103.122 (broker-dealers); 17 C.F.R. § 270.0-11, 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers).
68. See httpwwwdhsgovxprevprotlawsgc_1172765386179shtm
69. A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.
Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages before too much harm is done. See 71 Fed. Reg. 40786 (July 18, 2006), to be codified at 12 C.F.R. Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 C.F.R. Part 681 (FTC), available at httpwwwoccgovfrfedregister71fr40786pdf
70. USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information, such as a PIN, to allow access to a computer network. This system is frequently used to allow for remote access to a workstation for a telecommuter.
71. Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at www.biometrics.gov.
72. See Authentication in an Internet Banking Environment (October 12, 2005), available at httpwwwffiecgovpdfauthentication_guidancepdf
73. See FFIEC Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at httpwwwffiecgovpdfauthentication_faqpdf
74. See Kristin Davis and Jessica Anderson, But Officer, That Isn’t Me, Kiplinger’s Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va. Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).
75. 18 U.S.C. § 1028A.
76. 18 U.S.C. § 1028(d)(7).
77. See 18 U.S.C. § 1030(e)(8).
78. 18 U.S.C. § 1030(a)(7).
79. S. Rep. No. 105-274, at 9 (1998).
80. As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.
Letter to the President
April 11, 2007
The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.
Dear Mr. President:
By establishing the President’s Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government’s efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.
Alberto R. Gonzales, Chairman, Attorney General
Deborah Platt Majoras, Co-Chairman, Chairman, Federal Trade Commission
The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft’s damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.
There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.
Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President’s Task Force on Identity Theft.
Very truly yours,
Alberto R. Gonzales, Chairman; Attorney General
Deborah Platt Majoras, Co-Chairman; Chairman, Federal Trade Commission
I. Executive Summary
From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.
A. INTRODUCTION
Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.
Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government—from the largest cities with major police departments to the smallest towns with one fraud detective—identity theft has placed increasingly pressing demands on law enforcement.
Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.
In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.
The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.
These communications from the public went a long way toward informing the Task Force’s recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.
B. THE STRATEGY
Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud. Identity theft has at least three stages in its “life cycle,” and it must be attacked at each of those stages:
First, the identity thief attempts to acquire a victim’s personal information.
Criminals must first gather personal information, either through low-tech methods—such as stealing mail or workplace records, or “dumpster diving”—or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.
Second, the thief attempts to misuse the information he has acquired.
In this stage, criminals have acquired the victim's personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:
Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.
New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim's name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.
In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.
Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.
In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation's citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.
The Plan focuses on improvements in four key areas:
• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.
In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:
• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.
The Task Force believes that all of the recommendations in this strategic plan—from these broad policy changes to the small steps—are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President's Task Force on Identity Theft:
PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While "perfect security" does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.
Data Security in Public Sector
Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management
• Survey current use of SSNs by federal government
• Issue guidance on appropriate use of SSNs
• Establish clearinghouse for "best" agency practices that minimize use of SSNs
• Work with state and local governments to review use of SSNs
Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance
• Develop concrete guidance and best practices
• Monitor agency compliance with data security guidance
• Protect portable storage and communications devices
Ensure Effective Risk-Based Responses to Data Breaches Suffered by Federal Agencies
• Issue data breach guidance to agencies
• Publish a "routine use" allowing disclosure of information after a breach to those entities that can assist in responding to the breach
Data Security in Private Sector
Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements
Develop Comprehensive Record on Private Sector Use of Social Security Numbers
Better Educate the Private Sector on Safeguarding Data
• Hold regional seminars for businesses on safeguarding information
• Distribute improved guidance for private industry
Initiate Investigations of Data Security Violations
Initiate a Multi-Year Public Awareness Campaign
• Develop national awareness campaign
• Enlist outreach partners
• Increase outreach to traditionally underserved communities
• Establish "Protect Your Identity" Days
Develop Online Clearinghouse for Current Educational Resources
PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim's name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.
Authentication includes determining a person's identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: Identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.
Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factor authentication or layered security—would go a long way toward preventing criminals from profiting from identity theft.
Hold Workshops on Authentication
• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity
• Issue report on workshop findings
Develop a Comprehensive Record on Private Sector Use of SSNs
VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Identity theft can be committed despite a consumer's best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.
Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims
• Train law enforcement officers
• Provide educational materials for first responders that can be used as a reference guide for identity theft victims
• Create and distribute an ID Theft Victim Statement of Rights
• Design nationwide training for victim assistance counselors
Develop Avenues for Individualized Assistance to Identity Theft Victims
Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered
Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes
Assess Efficacy of Tools Available to Victims
• Conduct assessment of FACT Act remedies under FCRA
• Conduct assessment of state credit freeze laws
LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.
Coordination and Information/Intelligence Sharing
Establish a National Identity Theft Law Enforcement Center
Develop and Promote the Use of a Universal Identity Theft Report Form
Enhance Information Sharing Between Law Enforcement and the Private Sector
• Enhance ability of law enforcement to receive information from financial institutions
• Initiate discussions with financial services industry on countermeasures to identity theft
• Initiate discussions with credit reporting agencies on preventing identity theft
Coordination with Foreign Law Enforcement
Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft
Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime
Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies
Enhance the United States Government's Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft
Assist, Train, and Support Foreign Law Enforcement
Prosecution Approaches and Initiatives
Increase Prosecutions of Identity Theft
• Designate an identity theft coordinator for each United States Attorney's Office to design a specific identity theft program for each district
• Evaluate monetary thresholds for prosecution
• Encourage state prosecution of identity theft
• Create working groups and task forces
Conduct Targeted Enforcement Initiatives
• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale
• Conduct enforcement initiatives focused on identity theft related to the health care system
• Conduct enforcement initiatives focused on identity theft by illegal aliens
Review Civil Monetary Penalty Programs
Gaps in Statutes Criminalizing Identity Theft
Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes
• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted
• Add new crimes to the list of predicate offenses for aggravated identity theft offenses
• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications
• Penalize creators and distributors of malicious spyware and keyloggers
• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion
Ensure That an Identity Thief's Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim
Law Enforcement Training
Enhance Training for Law Enforcement Officers and Prosecutors
• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft
• Increase number of regional identity theft seminars
• Increase resources for law enforcement on the Internet
• Review curricula to enhance basic and advanced training on identity theft
Measuring the Success of Law Enforcement
Enhance the Gathering of Statistical Data Impacting the Criminal Justice System's Response to Identity Theft
• Gather and analyze statistically reliable data from identity theft victims
• Expand scope of national crime victimization survey
• Review U.S. Sentencing Commission data
• Track prosecutions of identity theft and resources spent
• Conduct targeted surveys
II The Contours of the Identity Theft Problem
Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.
Identity theft—the misuse of another individual's personal information to commit fraud—can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or "dumpster diving," or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.
Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain's identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain's name and with his Social Security number. The military identification, combined with the victim's then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim's name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim's name.4
In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim's existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim's safe-deposit boxes.5
In these ways and others, consumers' lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.
"I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver's license was suspended. I hold three licenses in the State of Ohio—my driver's license, my real estate license, and my RN license. After learning my driver's license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter."
Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003
A. PREVALENCE AND COSTS OF IDENTITY THEFT
There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.
Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.
In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.
In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.
Consumers' fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.
B. IDENTITY THIEVES: WHO THEY ARE
Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC's 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.
Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.
Individuals
According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners' mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9
A number of recent reports have focused on the connection between individual methamphetamine ("meth") users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.
In an article entitled "Waitress Gets Own ID When Carding Patron," the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver's license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.
In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $18151705 in restitution after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver's license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.
Significant Criminal Groups and Organizations
Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups—including national gangs such as Hell's Angels and MS-13—are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.
Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user's Internet connection, without the user's knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services—such as software templates for making counterfeit identification cards and payment card magnetic strip encoders—that make the stolen data even more valuable to those who have it.
C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE
Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim's name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.
Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.
In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant's accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an "unprecedented, wide-ranging, organized criminal enterprise" that "engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers." The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.
The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.
Common Theft and Dumpster Diving
While often considered a "high tech" crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as "dumpster diving."13 Still others steal information using techniques no more sophisticated than purse snatching.
Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed—a measure that is intended, among other things, to reduce the ability of a "dumpster diver" to obtain a victim's credit card number simply by looking through that victim's discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15
Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice
A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.
Employee/Insider Theft
Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee's access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.
Electronic Intrusions or Hacking
Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.
Second, hackers also can gain access to underlying applications—programs used to "communicate" between Internet users and a company's internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker's application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.
According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.
Social Engineering: Phishing, Malware/Spyware, and Pretexting
Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as "social engineering," can take a variety of forms.
In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution's screening practices came to light through the OCC's review of the former employee's activities.
In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe's Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe's retail store in Michigan and gained access to Lowe's central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe's retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.
Phishing: "Phishing" is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to "reenter" or "validate" their personal data. Such phishing schemes often mimic financial institutions' websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed "vishing," in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18
Malware/Spyware/Keystroke Loggers
Criminals also can use spyware to illegally gain access to Internet users’ computers and data without the users’ permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user’s Internet sessions back to the hacker, including usernames and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims’ passwords and other useful data—such as “sniffing” Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.
“Phishing” Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group
At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS’s website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.
Pretexting
Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer’s account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer’s name.20
Stolen Media
In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an “incidental” manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded—such as through the use of technological tools for protecting data—this information can be accessed and used to steal the victim’s identity. Identity thieves also may obtain consumer data when it is lost or misplaced.
Failure to “Know Your Customer”
Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.
The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.
Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.
In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.
“Skimming”
Because it is possible to use someone’s credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as “skimmers.” A skimmer is an inexpensive electronic device with a slot through which a person passes or “skims” a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer’s sight, he can skim the card through the device and then swipe it through the restaurant’s own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer’s card, as well as the consumer’s password.
D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT
Once they obtain victims’ personal information, criminals misuse it in endless ways, from opening new accounts in the victim’s name, to accessing the victim’s existing accounts, to using the victim’s name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.
Misuse of Existing Accounts
Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer’s wallet.
A “skimmer.” Source: Durham, Ontario Police
In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.
Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims’ bank accounts, including checking accounts—sometimes referred to as “account takeovers.”24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims’ online brokerage accounts.25
Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26
New Account Fraud
A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim’s name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.
Criminal’s skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer’s keystrokes. Source: University of Texas Police Department
In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor’s Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.
When criminals establish new credit card accounts in others’ names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others’ names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.
“Brokering” of Stolen Data
Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as “carding sites,” traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.
Immigration Fraud
In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.
Medical Identity Theft
Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim’s identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.
Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney’s Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver’s licenses, credit, or even medical services because someone had improperly used their personal information before.
Other Frauds
Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS’s Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.
With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services’ Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.
Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney’s Office for the Southern District of New York obtained a criminal conviction against him in 2002.
In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant’s allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.
III. A Strategy to Combat Identity Theft
Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its “life cycle,” it must be attacked at each of those stages, including:
when the identity thief attempts to acquire a victim’s personal information;
when the thief attempts to misuse the information he has acquired; and
after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
The federal government’s strategy to combat identity theft must address each of these stages by:
keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;
making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;
assisting victims in recovering from the crime; and
deterring identity theft by aggressively prosecuting and punishing those who commit the crime.
A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force’s recommendations, as described below, are focused on those areas.
A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as “perfect security,” some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.
The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.29 Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.
1. Decreasing the Unnecessary Use of Social Security Numbers
The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim’s SSN and certain other information generally can open accounts or obtain other benefits in the victim’s name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.
SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers’ earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes is expressly authorized by statute.
The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.
Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students’ identification number for a range of purposes, from administering loans to tracking grades, and may place it on students’ identification cards, although usage for these purposes is declining.
In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver’s licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.
SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.30 Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.
No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations’ disclosure of SSNs without patient authorization; and the Driver’s Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 “permissible uses.”31 In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.32 A number of state statutes restrict the use and display of SSNs in certain contexts.33 Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.34
There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.
Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization’s internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN’s use as an authenticator.
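The substitution described above, sketched as an added example that is not part of the Task Force report: records keyed by SSN are re-keyed to a randomly generated internal number, the SSN moves to a separate restricted store for the uses that legally require it, and any SSN left in free-text fields is masked. The field names, the "E" plus eight digits identifier format, and the sample records are assumptions constructed for illustration.

```python
import re
import secrets

# Matches 9-digit SSN layouts with or without hyphens. Any other 9-digit
# number in free text will also match, so redaction errs on the side of masking.
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")


def normalize_ssn(raw):
    """Return the nine digits of an SSN, or raise ValueError if malformed."""
    match = SSN_RE.fullmatch(raw.strip())
    if not match:
        raise ValueError("malformed SSN")
    return "".join(match.groups())


def mask_ssn(raw):
    """Display form for screens, cards and printouts: last four digits only."""
    return "XXX-XX-" + normalize_ssn(raw)[-4:]


def redact_free_text(text):
    """Mask SSN-shaped values that were typed into notes or comment fields."""
    return SSN_RE.sub(lambda m: "XXX-XX-" + m.group(3), text)


def new_employee_id(taken):
    """Random identifier with no mathematical relation to the SSN.

    It is drawn from a CSPRNG rather than hashed from the SSN, because a hash
    of a nine-digit number can be reversed by trying every possible value.
    """
    while True:
        candidate = "E" + "".join(secrets.choice("0123456789") for _ in range(8))
        if candidate not in taken:
            return candidate


def migrate(records):
    """Re-key SSN-keyed records.

    Returns (working, vault): `working` rows carry an employee_id and no SSN;
    `vault` maps employee_id -> SSN and is meant to live in a separate,
    access-controlled store used only where the SSN is legally required.
    """
    working, vault, id_for_ssn = [], {}, {}
    for rec in records:
        ssn = normalize_ssn(rec["ssn"])
        emp_id = id_for_ssn.get(ssn)
        if emp_id is None:  # first time this person is seen
            emp_id = new_employee_id(vault)
            id_for_ssn[ssn] = emp_id
            vault[emp_id] = ssn
        row = {k: v for k, v in rec.items() if k != "ssn"}
        row["notes"] = redact_free_text(row.get("notes", ""))
        row["employee_id"] = emp_id
        working.append(row)
    return working, vault


# Constructed sample data. Area number 000 is never issued, so these are not
# real SSNs. The first and third rows are the same person in two formats.
SAMPLE_RECORDS = [
    {"ssn": "000-12-3456", "name": "A. Example",
     "notes": "Badge reissued; card printed with 000-12-3456."},
    {"ssn": "000-98-7654", "name": "B. Sample", "notes": "No issues."},
    {"ssn": "000123456", "name": "A. Example",
     "notes": "Duplicate entry from payroll import."},
]

if __name__ == "__main__":
    rows, vault = migrate(SAMPLE_RECORDS)
    for row in rows:
        print(row)
    print(len(vault), "SSNs held in the restricted store")
```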
In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA’s Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.
Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber’s identification number.35 Additionally, the Department of Treasury’s Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.
More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.
RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR
To limit the unnecessary use of SSNs in the public sector—and to begin to develop alternative strategies for identity management—the Task Force recommends the following:
Complete Review of Use of SSNs. As recommended in the Task Force’s interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers, where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in “any system of permanent account numbers pertaining to individuals,” should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.
When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim’s name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief’s medical information was added to the victim’s medical records.
Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.
Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.36
Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB’s review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices—including the development of any alternative strategies for identity management—to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.
Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments—through organizations such as the National Governor’s Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems—to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders—including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.
2. Data Security in the Public Sector
While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.
a. Safeguarding of Information in the Public Sector
Two sets of laws and associated policies frame the federal government’s responsibilities in the area of data security. The first specifically governs the federal government’s information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.37 The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a “time-out” function for remote access and mobile devices.38 The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.39
Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President's Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.40
Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.
Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.
b. Responding to Data Breaches in the Public Sector
Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.
The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.
RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE
To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:
Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 "mistakes" to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.
Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency's quarterly PMA Scorecard.
Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency's PMA scorecard.
RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES
To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:
Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.
Publish a "Routine Use" Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.41 DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.
3. Data Security in the Private Sector
Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.
a. The Current Legal Landscape
Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act, and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;42 Section 5 of the FTC Act, which prohibits unfair or deceptive practices;43 the FCRA,44 which restricts access to consumer reports and imposes safe disposal requirements, among other things;45 HIPAA, which protects health information;46 Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,47 which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers' personal information.48 See Volume II, Part A, for a description of federal laws and regulations related to data security.
The federal bank regulatory agencies—the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)—and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation.
BJ's Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ's stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers, and led to millions of dollars in fraudulent charges.
In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.
In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,49 and some states have laws relevant to data security, including safeguards and disposal requirements.
Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.50
Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution's sensitive data to safeguard that data.51 Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor's data center, and requiring vendors to provide certification that they are in compliance with the contracting organization's privacy and data protection obligations.52
b. Implementation of Data Security Guidelines and Rules
Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.
In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company's website permitted unauthorized access to consumers' personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.
In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.
Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.53 But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.54 The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.55
Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.56 For example, of the small businesses surveyed:
• nearly 20 percent did not use virus scans for email, a basic information security safeguard;
• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;
• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and
• 74 percent reported having no information security plan in place.
Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies—sometimes pursuant to law or regulations issued by agencies—are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.
In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company's security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.
c. Responding to Data Breaches in the Private Sector
Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers' fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.57 Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.58 Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.
The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.
A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.
In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.
Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.59 Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.60 A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.61 Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.62
RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS
Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to "financial institutions," but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles.
Covered data. The national standards for data security and for breach notification should cover data that can be used to perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual's account, or to establish a new account using the individual's identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver's license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter "covered data"). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.
When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.
Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.
Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent "acquisition" of the data, and thus ordinarily would satisfy an entity's legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.
Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This "significant risk of identity theft" trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real.
Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).
Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.
Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.
Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.
Private right of action. The national standards should not provide for or create a private right of action.
Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.
RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA
Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately, is less likely to suffer a data compromise. The Task Force therefore makes the following recommendations concerning how to better educate the private sector:
When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.
Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions, about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar's leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force's online clearinghouse at www.idtheft.gov.
Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook's Information Security Booklet, issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.
RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS
Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.
A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company's cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.
4. Educating Consumers on Protecting Their Personal Information
The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.
The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of "Deter, Detect, and Defend," which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.
The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.
Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims' coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted "Consumer Action Days," with free seminars about identity theft and other consumer protection issues.
Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.64 As of this writing, more than 500 local police departments are using the FTC's "Deter, Detect, Defend" campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.
Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons—including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms—students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.65 In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.66
Federalstateandlocalgovernmentagenciesprovideagreatdealof iden-titytheft-relatedinformationtothepublicthroughtheInternetprintedmaterialsDVDsandin-personpresentationsThemessagestheagenciesprovidemdashhowtoprotectpersonalinformationhowtorecognizeapoten-tialproblemwheretoreportatheftandhowtodealwiththeaftermathmdashareechoedbyindustrylawenforcementadvocatesandthemediaSeeVolumeIIPartFforadescriptionof privatesectorconsumereducationeffortsButthereislittlecoordinationamongtheagenciesoncurrentedu-cationprogramsDisseminationinsomecasesisrandominformationis
COMBATING IDENTITY THEFT A Strategic Plan
limitedandevaluationof effectivenessisalmostnonexistentAlthoughagreatdealof usefulinformationisbeingdisseminatedtheextenttowhichthemessagesarereachingengagingormotivatingconsumersisunclear
RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN
Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC's current "AvoID Theft: Deter, Detect, Defend" campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:
Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.
Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.
Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.
Establish "Protect Your Identity Days." The campaign should establish "Protect Your Identity Days" to promote better data security by businesses and individual commitment to security by consumers. These "Protect Your Identity Days" should also build on the popularity of community "shred-ins" by encouraging community and business organizations to shred documents containing personal information.
RECOMMENDATION: DEVELOP AN ONLINE "CLEARINGHOUSE" FOR CURRENT EDUCATIONAL RESOURCES
The Task Force recommends that, in the third quarter of 2007, the Task Force member agencies develop an online "clearinghouse" for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.
B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.
An identity thief who wants to open new accounts in a victim's name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision, and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer's credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to "verify" the applicant's identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.
Identity systems follow a two-fold process: first, determining ("identification") and setting ("enrollment") the identity of an individual at the onset of the relationship; and second, later ensuring that the individual is the same person who was initially enrolled ("authentication"). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, "financial institutions"), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.67 The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.68 See Volume II, Part G, for a description of recent laws relating to identification documents.
The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.69
Once an individual's identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:
• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer's monthly mortgage payment.
• Something a person has—most commonly, a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.70
• Something a person is—most commonly a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.71
Some entities use a single form of authentication—most commonly a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.72 Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.73 Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.
SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.
RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION
Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals' information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.
As noted in the Task Force's interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
As noted in Section III.A.1 above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.
C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.
1. Victim Assistance: Outreach and Education
Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.
In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.
Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC's website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.
Fair and Accurate Credit Transactions Act (FACT Act) Rights
The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim's name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.
Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:
• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer's SSN is compromised, creating the risk of new account fraud.
• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.
• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.
• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.
• Some states provide additional protections to identity theft victims by allowing them to request a "credit freeze," which prevents consumers' credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer's name without the consumer's express permission.
State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General's office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.
A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.
Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.
RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS
First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:
Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.
Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.
Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.
Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney's Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ's Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney's Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim's recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.
RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS
Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ's Office for Victims of Crime. Specifically, the Task Force also recommends the following:
Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.
2. Making Identity Theft Victims Whole
Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim's credit report can continue for years.
The many hours victims spend in attempting to recover from the harms they suffer often take a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.
"I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman."
Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001
In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.74 In one case, a victim's driver's license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.
RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED
Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.
As stated in the Task Force's interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim's time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.
RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES
One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or "passports," that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim's name in the criminal justice system when, for example, an identity thief uses his victim's name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an "Identity File." This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.
3. Gathering Better Information on the Effectiveness of Victim Recovery Measures
Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims' experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.
RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS
The Task Force recommends the following surveys or assessments:
Conduct Assessment of FACT Act Remedies Under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.
Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer's credit report inaccessible when, for example, an identity thief attempts to open an account in the victim's name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no "track record" to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policy makers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.
D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.
The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.
In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.
In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state's homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.
During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute75 enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.
The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney's Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, "Operation Cyber Sweep," a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.
1. Coordination and Intelligence/Information Sharing
Federal law enforcement agencies have recognized the importance of coordination among agencies and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.
In a ldquoOperation Firewallrdquo the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar Using the website wwwshadowcrewcom the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents such as driversrsquo licenses passports and Social Security cards as well as stolen credit card debit card and bank account numbers The Shadowcrew members trafficked in at least 17 million stolen credit card numbers and caused total losses in excess of $4 million The Secret Service successfully shut down the website following a year-long undercover investigation which resulted in the arrests of 21 individu-als in the United States on criminal charges in October 2004 Additionally law enforcement officers in six foreign countries arrested or searched eight individuals
a. Sources of Identity Theft Information
Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement, through a secure website, the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.
Private sector entities, including the financial services industry and credit reporting agencies, also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders, in some cases absent legal process, such as subpoenas, to obtain information.
One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient “stove-piping” of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.
b. Format for Sharing Information and Intelligence
A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program’s terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.
To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police’s (IACP) Private Sector Liaison Committee and the Major Cities’ Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.
c. Mechanisms for Sharing Information
Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.
Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.
Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers “connect the dots” in investigations and pool limited resources.
RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER
The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to “connect the dots” between various investigations around the country.
In a case prosecuted by the United States Attorney’s Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.
RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM
The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC: a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department’s report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.
Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint (“Complaint”) form was made available in October 2006 via the FTC’s Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC’s Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.
RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR
Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:
Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service’s current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim’s credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.
2. Coordination With Foreign Law Enforcement
Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.
Because of the international nature of many forms of identity theft, providing assistance to, and receiving assistance from, foreign law enforcement on identity theft is critical for U.S. enforcement agencies. Under current law, the United States generally is able to provide such assistance, which fulfills our obligations under various treaties and enhances our ability to obtain reciprocal assistance from foreign agencies. Indeed, there are numerous examples of collaborations between U.S. and foreign law enforcement in identity theft investigations.
Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country’s law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.
Second, certain statutes governing foreign requests for electronic and other evidence, specifically 18 U.S.C. § 2703 and 28 U.S.C. § 1782, fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.
The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.
RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT
The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.
RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE
Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention’s standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings and should continue until broad international acceptance of the Convention on Cybercrime is achieved.
RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES
Safe havens for perpetrators of identity theft, and individuals who aid and abet such illegal activities, should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.
RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT’S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT
The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).
RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT
Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.
3. Prosecution Approaches and Initiatives
As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney’s Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney’s Office in the District of Oregon has an identity theft “fast track” program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney’s Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.
Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney’s Offices have monetary thresholds (i.e., requirements that a certain amount of monetary loss must have been suffered by the victims) before the U.S. Attorney’s Office will open an identity theft case. When a U.S. Attorney’s Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.
RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT
The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:
Designate An Identity Theft Coordinator for Each United States Attorney’s Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney’s Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.
Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney’s Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.
Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.
Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.
RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES
Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:
Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals’ SSNs or other sensitive information to anyone who provides them with the individual’s name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.
Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries’ and providers’ identities and identification numbers, the opening of bank accounts in individuals’ names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.
Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.
RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS
By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.
4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps
Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.
a. The Identity Theft Statutes
The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.⁷⁶ Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.
There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of “a person,” it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization’s name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.
b. Computer-Related Identity Theft Statutes
Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company’s internal local networks, or by a thief intruding into a wireless network, generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer’s wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney’s Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.
A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause “damage” to computers, i.e., that impair the “integrity or availability” of data or computer systems.⁷⁷ Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals’ computers. Whether the programs succeed in obtaining the unsuspecting computer owner’s financial data, these sorts of programs harm the “integrity” of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.
c. Cyber-Extortion Statute
Another federal criminal statute that may apply in some computer-related identity theft cases is the “cyber-extortion” provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat “to cause damage to a protected computer,”⁷⁸ is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first, such as by accessing a corporate computer without authority and encrypting critical data, and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly “threaten to cause damage” can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.
d Sentencing Guidelines Governing Identity Theft
Inrecentyearsthecourtshavecreatedsomeuncertaintyabouttheapplicabilityof theldquomultiplevictimenhancementrdquoprovisionof theUSSentencingGuidelinesinidentitytheftcasesThisprovisionallowscourtstoincreasethesentenceforanidentitythief whovictimizesmorethanonepersonItisunclearhoweverwhetherthissentencingenhancementapplieswhenthevictimshavenotsustainedactualmonetarylossForexampleinsomejurisdictionswhenafinancialinstitutionindemnifies20victimsof unauthorizedchargestotheircreditcardsthecourtsconsiderthefinancialinstitutiontobetheonlyvictimInsuchcasestheidentitythief thereforemaynotbepenalizedforhavingengagedinconductthatharmed20peoplesimplybecausethose20peoplewerelaterindemnifiedThisinterpretationof theSentencingGuidelinesconflictswithaprimarypurposeof theIdentityTheftandAssumptionDeterrenceActof 1998tovindicatetheinterestsof individualidentitytheftvictims79
RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES
The Task Force recommends that Congress take the following legislative actions:
Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.
Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases—mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A—in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.
Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.
Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant's action must cause "damage" to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.
Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.
RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF'S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM
The Sentencing Commission should amend the definition of "victim," as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.
5. Training of Law Enforcement Officers and Prosecutors
Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney's Offices, for example, several federal law enforcement agencies—including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI—along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.
Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges—including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft—that warrant more specialized training at all levels of law enforcement.
RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS
Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ's Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any "model programs"—fast track programs, etc.).
Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.
Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.
Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.
6. Measuring Success of Law Enforcement Efforts
One shortcoming in the federal government's ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.
Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.
RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM'S RESPONSE TO IDENTITY THEFT
Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.
Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.
Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.
Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an "Identity Theft" category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.
Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.
IV. Conclusion: The Way Forward
There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.
Only a comprehensive and fully coordinated strategy to combat identity theft—one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector—will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders—consumers, business, and government—must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer wellbeing.
Appendices
APPENDIX A: Identity Theft Task Force's Guidance Memorandum on Data Breach Protocol
APPENDIX B: Proposed Routine Use Language
Subsection (b)(3) of the Privacy Act provides that information from an agency's system of records may be disclosed without a subject individual's consent if the disclosure is "for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section." 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that "the term 'routine use' means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected." 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12,990, 12,993 (Apr. 20, 1987). In recognition of and in accordance with the Act's legislative history, OMB in its initial Privacy Act guidance stated that "[t]he term routine use recognizes that there are corollary purposes 'compatible with the purpose for which [the information] was collected' that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public." 40 Fed. Reg. 28,948, 28,953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.
Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of "each routine use of the records contained in the system, including the categories of users and the purpose of such use." 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:80
To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.
Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency's existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.
Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and "provide an opportunity for interested persons to submit written data, views, or arguments to the agency." 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with "adequate advance notice" of any proposal to make a "significant change in a system of records." 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.
APPENDIX C: Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)
Proposed Language
(a) Section 3663 of Title 18, United States Code, is amended by:
(1) Deleting "and" at the end of paragraph (4) of subsection (b);
(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof "; and"; and
(3) Adding the following after paragraph (5) of subsection (b):
"(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim's time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense."
Make conforming changes to the following:
(b) Section 3663A of Title 18, United States Code, is amended by:
(1) Adding the following after Section 3663A(b)(4):
"(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim's time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense."
Section Analysis
These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim's time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim's time spent clearing a victim's credit report or resolving charges made by the perpetrator for which the victim has been made responsible.
New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear that restitution orders may include an amount equal to the value of the victim's time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense. The federal courts of appeals have interpreted the existing provisions of Section 3663 in such a way that would likely preclude the recovery of such amounts, absent explicit statutory authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th Cir. 1990), the court held that restitution ordered for offenses resulting in loss of property must be limited to recovery of property which is the subject of the offenses, and may not include consequential damages. Similarly, in United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held that the list of compensable expenses in a restitution statute is exclusive, and thus the district court did not have the authority to order the defendant to pay restitution to compensate the victim for mental anguish and suffering. Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court held that restitution was not allowed for consequential damages involved in determining the amount of loss or in recovering those funds; thus, a victim of wire fraud was not entitled to restitution for accounting fees and costs to reconstruct bank statements for the time period during which the defendant perpetuated the scheme, for the cost of temporary employees to reconstruct monthly bank statements, and for the costs incurred in borrowing funds to replace stolen funds. These new subsections will provide statutory authority for inclusion of amounts equal to the value of the victim's time reasonably spent remediating the harm incurred as a result of the identity theft offense.
APPENDIX D: Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512
The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.
Proposed Language
§ 2703. Required disclosure of customer communications or records
(a) Contents of wire or electronic communications in electronic storage.—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.
(b) Contents of wire or electronic communications in a remote computing service.—(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—
(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or
(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—
(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or
(ii) obtains a court order for such disclosure under subsection (d) of this section;
except that delayed notice may be given pursuant to section 2705 of this title.
(c) Records concerning electronic communication service or remote computing service.—(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—
(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;
§ 2711. Definitions for chapter
As used in this chapter—
(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;
(2) the term "remote computing service" means the provision to the public of computer storage or processing services by means of an electronic communications system; and
(3) the term "court of competent jurisdiction" has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that –
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or
(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.
§ 3127. Definitions for chapter
As used in this chapter—
(1) the terms "wire communication", "electronic communication", "electronic communication service", and "contents" have the meanings set forth for such terms in section 2510 of this title;
(2) the term "court of competent jurisdiction" means—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that –
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located;
(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or
(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device;
§ 3512. Foreign requests for assistance in criminal investigations and prosecutions
(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.
(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –
(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;
(2) administer any necessary oath; and
(3) take testimony or statements and receive documents or other things.
(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –
(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;
(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents, or things may be located; or
(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.
(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.
(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.
(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.
(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.
(h) As used in this section –
(1) the term "foreign authority" means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and
(2) the terms "Federal judge" and "attorney for the Government" have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.
APPENDIX E: Text of Amendments to 18 U.S.C. §§ 1028 and 1028A
The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.
Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses
Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically, mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A—in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).
Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations
(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase "(including an organization as defined in Section 18 of this Title)" after the word "person".
Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase "(including an organization as defined in Section 18 of this Title)" after the word "person".
(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase "or other person" after the word "individual".
Rationale
Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized "appropriation" of legitimate companies' names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation, sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy, and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.
One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as "phishing," whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme—for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.
Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special "horror story" which stands above the rest. In August 2005, the "Anti-Phishing Working Group" determined in just that month alone, there were 5,259 unique phishing websites around the world. By December 2005, that number had increased to 7,197, and there were 15,244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities' names (and even logos and web content) were "hijacked" (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., http://antiphishing.org/apwg_phishing_activity_report_august_05.pdf.
In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks and companies' names in communications with victims or in counterfeit checks.
Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code, to apply only to "natural" persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.
APPENDIX F: Text of Amendment to 18 U.S.C. § 1030(a)(2)
The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
1030(a) Whoever—
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains –
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
APPENDIX G: Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b
The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
18 U.S.C. § 1030
(a) Whoever—
(5)
(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
(c) The punishment for an offense under subsection (a) or (b) of this section is—
(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(3) (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;
(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section; and
(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and
(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.
(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety;
(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or
(vi) damage affecting ten or more protected computers during any 1-year period;
or an attempt to commit an offense punishable under this subparagraph;
(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph;
(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both;
(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both; or
(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph.
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
18 U.S.C. § 2332b(g)(5)(B)(I)
1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)
APPENDIX H
Text of Amendments to 18 U.S.C. § 1030(a)(7)
The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.
Proposed Language
18 U.S.C. § 1030(a)(7)
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any –
(a) threat to cause damage to a protected computer;
(b) threat to obtain information from a protected computer without authorization or in excess of authorization, or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion.
APPENDIX I
Text of Amendment to United States Sentencing Guideline § 2B1.1
The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.
Proposed language for United States Sentencing Guidelines § 2B1.1, comment. (n.1)
“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.
APPENDIX J
Description of Proposed Surveys
In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:
• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.
• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3,000 agencies. The sample includes all agencies with 100 or more officers, and a stratified random sample of smaller agencies as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.
• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft, as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.
• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the post conviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.
• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.
• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.
ENDNOTES
1 Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.
2 The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.
3 The public comments are available at www.idtheft.gov.
4 Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”
5 See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at http://www.usdoj.gov/usao/miw/press/JMiller_Others10172006.html.
6 Javelin Strategy and Research, 2007 Identity Fraud Survey Report: Identity Fraud is Dropping, Continued Vigilance Necessary (Feb. 2007), summary available at http://www.javelinstrategy.com; Bureau of Justice Statistics (DOJ) (2004), available at http://www.ojp.usdoj.gov/bjs/pub/pdf/it04.pdf; Gartner, Inc. (2003), available at http://www.gartner.com/5_about/press_releases/pr21july2003a.jsp; FTC 2003 Survey Report (2003), available at http://www.consumer.gov/idtheft/pdf/synovate_report.pdf.
7 See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection, BSA Survey Suggests (Jan. 12, 2006), available at http://www.bsacybersafety.com/news/2005-Online-Shopping-Confidence.cfm.
8 See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at https://www.csialliance.org/publications/surveys_and_polls/CSIA_Internet_Security_Survey_June_2005.pdf.
9 See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at http://www.usdoj.gov/usao/fls/PressReleases/060719-01.html.
10 See, e.g., John Leland, Meth Users, Attuned to Detail, Add Another Habit: ID Theft, New York Times, July 11, 2006, available at http://www.nytimes.com/2006/07/11/us/11meth.html?ex=1153540800&en=7b6c7773afa880be&ei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit: Online Theft, USA Today, December 14, 2005, available at http://www.usatoday.com/tech/news/internetprivacy/2005-12-14-meth-online-theft_x.htm.
11 Bob Mims, Id Theft Is the No. 1 Runaway U.S. Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526.
12 Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, http://deseretnews.com/dn/view/0,1249,600129714,00.html.
13 Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at http://www.nytimes.com/2003/12/21/magazine/21IDENTITY.html?ex=1387342800&en=b693eef01223bc3b&ei=5007&partner=USERLAND.
14 Pub. L. No. 108-159, 117 Stat. 1952.
15 The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).
16 Overview of Attack Trends, CERT Coordination Center 2002, available at http://www.cert.org/archive/pdf/attack_trends.pdf.
17 Lanowitz, T., Gartner Research ID Number G00127407, December 1, 2005.
18 “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at http://www.consumeraffairs.com/news04/2006/07/scam_vishing.html.
19 Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal: Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See http://www.ftc.gov/opa/2006/05/phonerecords.htm.
20 The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at http://www.ftc.gov/opa/2002/03/pretextingsettlements.htm.
21 See, e.g., Computers Stolen with Data on 72,000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.
22 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a).
23 Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.
24 See http://www.bizjournals.com/philadelphia/stories/2006/07/24/daily30.html. See also Identity Theft Resource Center, Fact Sheet 126: Checking Account Takeover and Check Fraud, http://www.idtheftcenter.org/vg126.shtml.
25 For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37,000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at http://www.sec.gov/litigation/litreleases/2006/lr19949.htm.
26 For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.
27 See John Leland, Some ID Theft Is Not For Profit, But to Get a Job, N.Y. Times, Sept. 4, 2006.
28 See World Privacy Forum, Medical Identity Theft: The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf.
29 See http://www.idanalytics.com/news_and_events/20051208.htm. Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.
30 Government Accounting Office, Social Security Numbers: Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004), at 2, available at http://www.gao.gov/new.items/d0559.pdf.
31 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.
32 5 U.S.C. § 552a.
33 See, e.g., Ariz. Rev. Stat. § 44-1373.
34 Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain, GAO-05-1016T, September 15, 2005.
35 See, e.g., www.wpsic.com/edi/comm_sub_p.shtml?mm=3, Non-SSN Member Numbers to Be Assigned for Privacy Protection.
36 Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.
37 The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”
38 See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).
39 The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.
40 See http://www.whitehouse.gov/results/agenda/scorecard.html.
41 The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.
42 15 U.S.C. §§ 6801-09; 16 C.F.R. Part 313 (FTC); 12 C.F.R. Part 30, App. B (OCC, national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 C.F.R. Part 364, App. B (FDIC, state non-member banks); 12 C.F.R. Part 570, App. B (OTS, savings associations); 12 C.F.R. Part 748, App. A (NCUA, credit unions); 16 C.F.R. Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 C.F.R. Part 248.30 (SEC); 17 C.F.R. Part 160.30 (CFTC).
43 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.
44 15 U.S.C. §§ 1681-1681x, as amended.
45 Pub. L. No. 108-159, 117 Stat. 1952.
46 42 U.S.C. §§ 1320d et seq.
47 31 U.S.C. § 5318(l).
48 18 U.S.C. §§ 2721 et seq.
49 http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm.
50 http://www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf; www.staysafeonline.org/basics/company/basic_tips.html; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at www.bitsinfo.org/downloads/Publications%20Page/bitsconscon.pdf; www.realtor.org/realtororg.nsf/files/NARInternetSecurityGuide.pdf/$FILE/NARInternetSecurityGuide.pdf; www.antiphishing.org/reports/bestpracticesforisps.pdf; www.uschamber.com/sb/security/default.htm; www.truste.org/pdf/SecurityGuidelines.pdf; www.the-dma.org/privacy/informationsecurity.shtml; http://www.staysafeonline.org/basics/company/basic_tips.html.
51 These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A and B, and 12 C.F.R. Part 717 (credit unions); 16 C.F.R. Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).
52 See, e.g., http://www.truste.org/pdf/SecurityGuidelines.pdf; http://www.the-dma.org/privacy/informationsecurity.shtml.
53 Deloitte Financial Services, 2006 Global Security Survey, available at http://singe.rucus.net/blog/archives/756-Deloitte-Security-Surveys.html.
54 Datalink, Data Storage Security Study, March 2006, available at www.datalink.com/security.
55 Id.
56 See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).
57 See, e.g., California (Cal. Civ. Code § 1798.82 (2006)); Illinois (815 Ill. Comp. Stat. 530/5 (2005)); Louisiana (La. Rev. Stat. 51:3074 (2006)); Rhode Island (R.I. Gen. Laws § 11-4923 (2006)).
58 See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)); Florida (Fla. Stat. § 817.5681 (2005)); New York (N.Y. CLS Gen. Bus. § 889-aa (2006)); Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).
59 Ponemon Institute LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, p. 16 (Apr. 26, 2006).
60 Id.
61 Ponemon Institute LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).
62 MultiChannel Merchant, Retailers Need to Provide Greater Data Security, Survey Says (Dec. 1, 2005), available at http://multichannelmerchant.com/opsandfulfillment/advisor/retailers_data_security_1201/index.html.
63 See Information Technology Examination Handbook’s Information Security Booklet, available at http://www.ffiec.gov/guides.htm.
64 See, e.g., http://www.pvkansas.com/police/crime/iden_theft.shtml (Prairie Village, Kansas); http://phoenix.gov/POLICE/dcd1.html (Phoenix, Arizona); www.co.arapahoe.co.us/departments/SH/index.asp (Arapahoe County, Colorado).
65 Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.
66 Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.
67 See 31 C.F.R. § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 C.F.R. § 103.122 (broker-dealers); 17 C.F.R. § 270.0-11, 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers).
68 See http://www.dhs.gov/xprevprot/laws/gc_1172765386179.shtm.
69 A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.
Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages before too much harm is done. See 71 Fed. Reg. 40,786 (July 18, 2006), to be codified at 12 C.F.R. Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 C.F.R. Part 681 (FTC), available at http://www.occ.gov/fr/fedregister/71fr40786.pdf.
70 USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information such as a PIN to allow access to a computer network. This system is frequently used to allow for remote access to a work station for a telecommuter.
71 Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at www.biometrics.gov.
72 See Authentication in an Internet Banking Environment (October 12, 2005), available at http://www.ffiec.gov/pdf/authentication_guidance.pdf.
73 See FFIEC, Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at http://www.ffiec.gov/pdf/authentication_faq.pdf.
74 See Kristin Davis and Jessica Anderson, But Officer, That Isn’t Me, Kiplinger’s Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va. Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).
75 18 U.S.C. § 1028A.
76 18 U.S.C. § 1028(d)(7).
77 See 18 U.S.C. § 1030(e)(8).
78 18 U.S.C. § 1030(a)(7).
79 S. Rep. No. 105-274, at 9 (1998).
80 As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.
The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft’s damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.
There is no quick solution to this problem. But we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.
Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President’s Task Force on Identity Theft.
Very truly yours,
Alberto R. Gonzales, Chairman
Attorney General
Deborah Platt Majoras, Co-Chairman
Chairman, Federal Trade Commission
I. Executive Summary
From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.
A. INTRODUCTION
Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.
Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government—from the largest cities with major police departments to the smallest towns with one fraud detective—identity theft has placed increasingly pressing demands on law enforcement.
Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.
In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.
The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.
These communications from the public went a long way toward informing the Task Force’s recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.
B. THE STRATEGY
Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual’s personal information to commit fraud. Identity theft has at least three stages in its “life cycle,” and it must be attacked at each of those stages:
First, the identity thief attempts to acquire a victim’s personal information.
Criminals must first gather personal information, either through low-tech methods—such as stealing mail or workplace records, or “dumpster diving”—or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.
Second, the thief attempts to misuse the information he has acquired.
In this stage, criminals have acquired the victim’s personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:
Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.
New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim’s name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.
In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.
Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.
In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation’s citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.
The Plan focuses on improvements in four key areas:
• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.
In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:
• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.
The Task Force believes that all of the recommendations in this strategic plan—from these broad policy changes to the small steps—are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President’s Task Force on Identity Theft:
PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While “perfect security” does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.
Data Security in Public Sector
Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management
• Survey current use of SSNs by federal government
• Issue guidance on appropriate use of SSNs
• Establish clearinghouse for “best” agency practices that minimize use of SSNs
• Work with state and local governments to review use of SSNs
Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance
• Develop concrete guidance and best practices
• Monitor agency compliance with data security guidance
• Protect portable storage and communications devices
Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies
• Issue data breach guidance to agencies
• Publish a “routine use” allowing disclosure of information after a breach to those entities that can assist in responding to the breach
Data Security in Private Sector
Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements
Develop Comprehensive Record on Private Sector Use of Social Security Numbers
Better Educate the Private Sector on Safeguarding Data
• Hold regional seminars for businesses on safeguarding information
• Distribute improved guidance for private industry
Initiate Investigations of Data Security Violations
Initiate a Multi-Year Public Awareness Campaign
• Develop national awareness campaign
• Enlist outreach partners
• Increase outreach to traditionally underserved communities
• Establish “Protect Your Identity” Days
Develop Online Clearinghouse for Current Educational Resources
PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.
Authentication includes determining a person’s identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.
Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factor authentication or layered security—would go a long way toward preventing criminals from profiting from identity theft.
Hold Workshops on Authentication
• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity
• Issue report on workshop findings
Develop a Comprehensive Record on Private Sector Use of SSNs
VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Identity theft can be committed despite a consumer’s best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.
Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims
• Train law enforcement officers
• Provide educational materials for first responders that can be used as a reference guide for identity theft victims
• Create and distribute an ID Theft Victim Statement of Rights
• Design nationwide training for victim assistance counselors
Develop Avenues for Individualized Assistance to Identity Theft Victims
Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered
Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes
Assess Efficacy of Tools Available to Victims
• Conduct assessment of FACT Act remedies under FCRA
• Conduct assessment of state credit freeze laws
LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.
Coordination and Information/Intelligence Sharing
Establish a National Identity Theft Law Enforcement Center
Develop and Promote the Use of a Universal Identity Theft Report Form
Enhance Information Sharing Between Law Enforcement and the Private Sector
• Enhance ability of law enforcement to receive information from financial institutions
• Initiate discussions with financial services industry on countermeasures to identity theft
• Initiate discussions with credit reporting agencies on preventing identity theft
Coordination with Foreign Law Enforcement
Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft
Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime
Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies
Enhance the United States Government’s Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft
Assist, Train, and Support Foreign Law Enforcement
Prosecution Approaches and Initiatives
Increase Prosecutions of Identity Theft
• Designate an identity theft coordinator for each United States Attorney’s Office to design a specific identity theft program for each district
• Evaluate monetary thresholds for prosecution
• Encourage state prosecution of identity theft
• Create working groups and task forces
Conduct Targeted Enforcement Initiatives
• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale
• Conduct enforcement initiatives focused on identity theft related to the health care system
• Conduct enforcement initiatives focused on identity theft by illegal aliens
Review Civil Monetary Penalty Programs
Gaps in Statutes Criminalizing Identity Theft
Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes
• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted
• Add new crimes to the list of predicate offenses for aggravated identity theft offenses
• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications
• Penalize creators and distributors of malicious spyware and keyloggers
• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion
Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim
Law Enforcement Training
Enhance Training for Law Enforcement Officers and Prosecutors
• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft
• Increase number of regional identity theft seminars
• Increase resources for law enforcement on the Internet
• Review curricula to enhance basic and advanced training on identity theft
Measuring the Success of Law Enforcement
Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft
• Gather and analyze statistically reliable data from identity theft victims
• Expand scope of national crime victimization survey
• Review U.S. Sentencing Commission data
• Track prosecutions of identity theft and resources spent
• Conduct targeted surveys
II The Contours of the Identity Theft Problem
Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.
Identity theft—the misuse of another individual’s personal information to commit fraud—can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or “dumpster diving,” or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.
Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain’s identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain’s name and with his Social Security number. The military identification, combined with the victim’s then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim’s name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim’s name.4
In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim’s existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim’s safe-deposit boxes.5
In these ways and others, consumers’ lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.
“I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver’s license was suspended. I hold three licenses in the State of Ohio—my driver’s license, my real estate license, and my RN license. After learning my driver’s license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter.”
Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003
A. PREVALENCE AND COSTS OF IDENTITY THEFT
There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.
Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly, but less prevalent, form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.
In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.
In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.
Consumers’ fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.
B. IDENTITY THIEVES: WHO THEY ARE
Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC’s 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.
Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.
Individuals
According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners’ mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9
A number of recent reports have focused on the connection between individual methamphetamine (“meth”) users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.
In an article entitled “Waitress Gets Own ID When Carding Patron,” the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver’s license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.
In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $18151705 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver’s license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.
Significant Criminal Groups and Organizations
Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups—including national gangs such as Hell’s Angels and MS-13—are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.
Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user’s Internet connection, without the user’s knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services—such as software templates for making counterfeit identification cards and payment card magnetic strip encoders—that make the stolen data even more valuable to those who have it.
C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE
Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim’s name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.
Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.
In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network, as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant’s accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an “unprecedented, wide-ranging, organized criminal enterprise” that “engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers.” The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.
The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.
Common Theft and Dumpster Diving
While often considered a “high tech” crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as “dumpster diving.”13 Still others steal information using techniques no more sophisticated than purse snatching.
Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed—a measure that is intended, among other things, to reduce the ability of a “dumpster diver” to obtain a victim’s credit card number simply by looking through that victim’s discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15
Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice
A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.
Employee/Insider Theft
Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee’s access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.
Electronic Intrusions or Hacking
Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.
Second, hackers also can gain access to underlying applications—programs used to “communicate” between Internet users and a company’s internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker’s application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.
According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.
Social Engineering: Phishing, Malware/Spyware, and Pretexting
Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as “social engineering,” can take a variety of forms.
In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution’s screening practices came to light through the OCC’s review of the former employee’s activities.
In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe’s Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe’s retail store in Michigan and gained access to Lowe’s central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe’s retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.
Phishing: “Phishing” is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to “reenter” or “validate” their personal data. Such phishing schemes often mimic financial institutions’ websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed “vishing,” in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18
MalwareSpywareKeystroke Loggers CriminalsalsocanusespywaretoillegallygainaccesstoInternetusersrsquocomputersanddatawithouttheusersrsquopermissionOneemail-basedformof socialengineeringistheuseof enticingemailsofferingfreepornographicimagestoagroupof victimsbyopeningtheemailthevictimlaunchestheinstallationof malwaresuchasspywareorkeystrokeloggersontohiscomputerThekeystrokeloggersgatherandsendinformationontheuserrsquosInternetsessionsbacktothehackerincludingusernamesandpasswordsforfinancialaccountsandotherpersonalinformationThesesophisticatedmethodsof accessingpersonalinformationthrough
“Phishing” Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group
At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS’s website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.
malware have supplemented other long-established methods by which criminals obtain victims’ passwords and other useful data—such as “sniffing” Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.
Pretexting: Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer’s account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer’s name.20
Stolen Media
In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an “incidental” manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded—such as through the use of technological tools for protecting data—this information can be accessed and used to steal the victim’s identity. Identity thieves also may obtain consumer data when it is lost or misplaced.
Failure to “Know Your Customer”
Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.
The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.
Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.
In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.
“Skimming”
Because it is possible to use someone’s credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as “skimmers.” A skimmer is an inexpensive electronic device with a slot through which a person passes or “skims” a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer’s sight, he can skim the card through the device and then swipe it through the restaurant’s own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer’s card, as well as the consumer’s password.
D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT
Once they obtain victims’ personal information, criminals misuse it in endless ways, from opening new accounts in the victim’s name, to accessing the victim’s existing accounts, to using the victim’s name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.
Misuse of Existing Accounts
Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer’s wallet.
A “skimmer.” Source: Durham, Ontario Police
In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.
Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims’ bank accounts, including checking accounts—sometimes referred to as “account takeovers.”24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims’ online brokerage accounts.25
Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26
New Account Fraud
A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim’s name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.
Criminal’s skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer’s keystrokes. Source: University of Texas Police Department
In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor’s Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.
When criminals establish new credit card accounts in others’ names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others’ names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.
“Brokering” of Stolen Data
Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as “carding sites,” traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.
Immigration Fraud
In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.
Medical Identity Theft
Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim’s identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.
Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney’s Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver’s licenses, credit, or even medical services because someone had improperly used their personal information before.
Other Frauds
Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS’s Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.
With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services’ Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.
Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney’s Office for the Southern District of New York obtained a criminal conviction against him in 2002.
In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant’s allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.
A STRATEGY TO COMBAT IDENTITY THEFT
III. A Strategy to Combat Identity Theft
Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its “life cycle,” it must be attacked at each of those stages, including:
• when the identity thief attempts to acquire a victim’s personal information;
• when the thief attempts to misuse the information he has acquired; and
• after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
The federal government’s strategy to combat identity theft must address each of these stages by:
• keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;
• making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;
• assisting victims in recovering from the crime; and
• deterring identity theft by aggressively prosecuting and punishing those who commit the crime.
A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force’s recommendations, as described below, are focused on those areas.
A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as “perfect security,” some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.
The link between a data breach and identity theft often is unclear.
Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.29 Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.
1. Decreasing the Unnecessary Use of Social Security Numbers
The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim’s SSN and certain other information generally can open accounts or obtain other benefits in the victim’s name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.
SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers’ earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes is expressly authorized by statute.
The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.
Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs,
In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver’s licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.
the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students’ identification number for a range of purposes, from administering loans to tracking grades, and may place it on students’ identification cards, although usage for these purposes is declining.
SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.30 Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.
No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations’ disclosure of SSNs without patient authorization; and the Driver’s Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 “permissible uses.”31 In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.32 A number of state statutes restrict the use and display of SSNs in certain contexts.33 Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.34
There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.
Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization’s internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN’s use as an authenticator.
In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA’s Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.
Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber’s identification number.35 Additionally, the Department of Treasury’s Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.
More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.
RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR
To limit the unnecessary use of SSNs in the public sector—and to begin to develop alternative strategies for identity management—the Task Force recommends the following:
Complete Review of Use of SSNs. As recommended in the Task Force’s interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers, where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in “any system of permanent account numbers pertaining to individuals,” should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.
When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim’s name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief’s medical information was added to the victim’s medical records.
Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.
Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.36
Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB’s review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices—including the development of any alternative strategies for identity management—to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.
Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments—through organizations such as the National Governor’s Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems—to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.
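The substitution of an organization-generated identifier for the SSN, and the masking of SSNs in employee records, both discussed above, can be sketched as follows. This is an added example, not part of the Task Force report: the class and function names are hypothetical, the keyed-HMAC lookup is one assumed design, the in-memory dictionaries stand in for real data stores, and the sample SSNs are constructed.

```python
import hashlib
import hmac
import re
import secrets

# The uses of the full SSN that the report says are expressly authorized by statute.
AUTHORIZED_PURPOSES = {"taxation", "employment_verification", "law_enforcement"}

_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def normalize_ssn(raw):
    """Return the nine digits of an SSN; raise ValueError on malformed input."""
    m = _SSN_RE.match(raw.strip())
    if m is None:
        raise ValueError("malformed SSN")
    return "".join(m.groups())


def mask_ssn(raw):
    """Display form for screens, cards and reports: last four digits only."""
    return "XXX-XX-" + normalize_ssn(raw)[-4:]


def blind_index(ssn, key):
    """Keyed HMAC-SHA256 of the SSN, used only to match a person to a record.

    An unkeyed hash would not protect anything: there are fewer than 10**9
    possible SSNs, so a plain digest can be reversed by enumeration. The key
    is assumed to be held outside the record store.
    """
    return hmac.new(key, normalize_ssn(ssn).encode("ascii"), hashlib.sha256).hexdigest()


class EmployeeDirectory:
    """Hypothetical HR store keyed by a random employee ID instead of the SSN."""

    def __init__(self, index_key):
        self._key = index_key
        self.records = {}     # employee_id -> fields safe for routine use
        self._by_index = {}   # blind index -> employee_id
        self._vault = {}      # employee_id -> full SSN (stand-in for a restricted store)

    def enroll(self, name, ssn):
        idx = blind_index(ssn, self._key)
        existing = self._by_index.get(idx)
        if existing is not None:          # same person, already enrolled
            return existing
        employee_id = "E" + secrets.token_hex(8)   # random, derived from nothing
        self.records[employee_id] = {"name": name, "ssn_display": mask_ssn(ssn)}
        self._by_index[idx] = employee_id
        self._vault[employee_id] = normalize_ssn(ssn)
        return employee_id

    def find_by_ssn(self, ssn):
        """Match an incoming SSN to a record without storing the SSN as a key."""
        return self._by_index.get(blind_index(ssn, self._key))

    def full_ssn(self, employee_id, purpose):
        """Release the full SSN only for a statutorily authorized purpose."""
        if purpose not in AUTHORIZED_PURPOSES:
            raise PermissionError(f"full SSN not released for {purpose!r}")
        return self._vault[employee_id]


def migrate(legacy_by_ssn, directory):
    """Re-key a legacy table {ssn: name}; returns {employee_id: name}."""
    return {directory.enroll(name, ssn): name for ssn, name in legacy_by_ssn.items()}


if __name__ == "__main__":
    # Constructed sample data; 900-series area numbers are not issued as SSNs.
    directory = EmployeeDirectory(secrets.token_bytes(32))
    rekeyed = migrate({"900-12-3456": "A. Example", "900-65-4321": "B. Sample"}, directory)
    for employee_id, name in rekeyed.items():
        print(employee_id, name, directory.records[employee_id]["ssn_display"])
```
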
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm
toconsumersBeginningin2007theTaskForceshoulddevelopacomprehensiverecordontheusesof theSSNintheprivatesectorandevaluatetheirnecessitySpecificallytheTaskForcememberagenciesthathavedirectexperiencewiththeprivatesectoruseof SSNssuchasDOJFTCSSAandthefinancialregulatoryagenciesshouldgatherinformationfromstakeholdersmdashincludingthefinancialservicesindustrylawenforcementagenciestheconsumerreportingagenciesacademicsandconsumeradvocatesTheTaskForceshouldthenmakerecommendationstothePresidentastowhetheradditionalspecificstepsshouldbetakenwithrespecttotheuseof SSNsAnysuchrecommendationsshouldbemadetothePresidentbythefirstquarterof 2008
2. Data Security in the Public Sector
While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.
a. Safeguarding of Information in the Public Sector
Two sets of laws and associated policies frame the federal government’s responsibilities in the area of data security. The first specifically governs the federal government’s information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.37 The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a “time-out” function for remote access and mobile devices.38 The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.39
Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President’s Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.40
Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.
Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.
b. Responding to Data Breaches in the Public Sector
Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.
The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.
RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE
To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:
Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 “mistakes” to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.
Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency’s quarterly PMA Scorecard.
Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency’s PMA scorecard.
RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES
To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:
Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.
Publish a “Routine Use” Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.41 DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.
3. Data Security in the Private Sector
Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.
a. The Current Legal Landscape
Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act, and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;42 Section 5 of the FTC Act, which prohibits unfair or deceptive practices;43 the FCRA,44 which restricts access to consumer reports and imposes safe disposal requirements, among other things;45 HIPAA, which protects health information;46 Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,47 which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers’ personal information.48 See Volume II, Part A, for a description of federal laws and regulations related to data security.
The federal bank regulatory agencies—the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)—and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation.
BJ’s Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ’s stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers, and led to millions of dollars in fraudulent charges.
In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.
In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,49 and some states have laws relevant to data security, including safeguards and disposal requirements.
Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.50
Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution’s sensitive data to safeguard that data.51 Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor’s data center, and requiring vendors to provide certification that they are in compliance with the contracting organization’s privacy and data protection obligations.52
b. Implementation of Data Security Guidelines and Rules
Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.
In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company’s website permitted unauthorized access to consumers’ personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.
In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.
Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.53 But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.54 The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.55
Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.56 For example, of the small businesses surveyed:
• nearly 20 percent did not use virus scans for email, a basic information security safeguard;
• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;
• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and
• 74 percent reported having no information security plan in place.
Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies—sometimes pursuant to law or regulations issued by agencies—are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.
In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company’s security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.
c. Responding to Data Breaches in the Private Sector
Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers’ fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.57 Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.58 Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.
The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.
A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.
In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.
Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.59 Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.60 A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.61 Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.62
RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS
Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to “financial institutions,” but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles:
Covered data. The national standards for data security and for breach notification should cover data that can be used to perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual’s account, or to establish a new account using the individual’s identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver’s license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter “covered data”). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.
When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.
Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.
Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent “acquisition” of the data, and thus ordinarily would satisfy an entity’s legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.
Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This “significant risk of identity theft” trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real.
Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).
Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.
Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.
Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.
Private right of action. The national standards should not provide for or create a private right of action.
Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information, protect against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.
RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA
Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately, is less likely to suffer a data compromise. The Task Force therefore makes the following recommendations concerning how to better educate the private sector:
When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.
Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions, about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar’s leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force’s online clearinghouse at www.idtheft.gov.
Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook’s Information Security Booklet, issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.
RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS
Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.
A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company’s cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.
4 eDUcating consUmers on Protecting their Personal informationThefirstlineof defenseagainstidentitytheftoftenisanawareandmoti-vatedconsumerwhotakesreasonableprecautionstoprotecthisinforma-tionEverydayunwittingconsumerscreateriskstothesecurityof theirpersonalinformationFromfailingtoinstallfirewallprotectiononacom-puterharddrivetoleavingpaidbillsinamailslotconsumersleavethedooropentoidentitythievesConsumereducationisacriticalcomponentof anyplantoreducetheincidenceof identitytheft
The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of “Deter, Detect, and Defend,” which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.
The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.
Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims’ coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted “Consumer Action Days,” with free seminars about identity theft and other consumer protection issues.
Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.64 As of this writing, more than 500 local police departments are using the FTC’s “Deter, Detect, Defend” campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.
Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons—including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms—students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.65 In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.66
Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide—how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath—are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.
RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN
Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC’s current “AvoID Theft: Deter, Detect, Defend” campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:
Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.
Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.
Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.
Establish “Protect Your Identity Days.” The campaign should establish “Protect Your Identity Days” to promote better data security by businesses and individual commitment to security by consumers. These “Protect Your Identity Days” should also build on the popularity of community “shred-ins” by encouraging community and business organizations to shred documents containing personal information.
RECOMMENDATION: DEVELOP AN ONLINE “CLEARINGHOUSE” FOR CURRENT EDUCATIONAL RESOURCES
The Task Force recommends that in the third quarter of 2007, the Task Force member agencies develop an online “clearinghouse” for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.
B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.
An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision, and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer’s credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to “verify” the applicant’s identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.
Identity systems follow a two-fold process: first, determining (“identification”) and setting (“enrollment”) the identity of an individual at the onset of the relationship; and second, later ensuring that the individual is the same person who was initially enrolled (“authentication”). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, “financial institutions”), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.67 The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.68 See Volume II, Part G, for a description of recent laws relating to identification documents.
The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.69
Once an individual’s identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:
• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer’s monthly mortgage payment.
• Something a person has—most commonly a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.70
• Something a person is—most commonly a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.71
Some entities use a single form of authentication—most commonly a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.72 Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.73 Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.
SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.
RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION
Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.
As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
As noted in Section III.A.1 above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.
C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.
1. Victim Assistance: Outreach and Education
Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.
In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.
Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.
Fair and Accurate Credit Transaction Act (FACT Act) Rights. The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.
Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:
• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.
• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.
• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.
• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.
• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.
State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General’s office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.
A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.
Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.
RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS
First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:
Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.
Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.
Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.
Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.
RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS
Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:
Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.
2. Making Identity Theft Victims Whole
Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.
The many hours victims spend in attempting to recover from the harms they suffer often take a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.
“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”
Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001
In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.74 In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.
RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED
Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.
As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.
RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES
One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or “passports,” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.
3. Gathering Better Information on the Effectiveness of Victim Recovery Measures
Identity theft victims have been granted many new rights in recent years. Gathering reliable information about the utility of these new rights is critical to evaluating whether they are working well or need to be modified. Additionally, because some states have measures in place to assist identity theft victims that have no federal counterpart, it is important to assess the success of those measures to determine whether they should be adopted more widely. Building a record of victims’ experiences in exercising their rights is therefore crucial to ensuring that any strategy to fight identity theft is well-supported.
RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS
The Task Force recommends the following surveys or assessments:
Conduct Assessment of FACT Act Remedies Under FCRA. The FCRA is among the federal laws that enable victims to restore their good name. The FACT Act amendments to the FCRA provide several new rights and tools for actual or potential identity theft victims, including the availability of credit file fraud alerts; the blocking of fraudulent trade lines on credit reports; the right to have creditors cease furnishing information relating to fraudulent accounts to credit reporting agencies; and the right to obtain business records relating to fraudulent accounts. Many of these rights have been in effect for a short time. Accordingly, the Task Force recommends that the agencies with enforcement authority for these statutory provisions assess their impact and effectiveness through appropriate surveys. Agencies should report on the results in calendar year 2008.
Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policymakers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.
D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.
The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.
In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.
In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.
During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute[75] enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.
The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.
1. Coordination and Intelligence/Information Sharing
Federal law enforcement agencies have recognized the importance of coordination among agencies, and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.
In “Operation Firewall,” the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar. Using the website www.shadowcrew.com, the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents, such as drivers’ licenses, passports, and Social Security cards, as well as stolen credit card, debit card, and bank account numbers. The Shadowcrew members trafficked in at least 17 million stolen credit card numbers and caused total losses in excess of $4 million. The Secret Service successfully shut down the website following a year-long undercover investigation, which resulted in the arrests of 21 individuals in the United States on criminal charges in October 2004. Additionally, law enforcement officers in six foreign countries arrested or searched eight individuals.
a. Sources of Identity Theft Information
Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement, through a secure website, the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.
Private sector entities—including the financial services industry and credit reporting agencies—also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.
One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient “stove-piping” of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.
b. Format for Sharing Information and Intelligence
A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program’s terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.
To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police’s (IACP) Private Sector Liaison Committee and the Major Cities’ Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.
c. Mechanisms for Sharing Information
Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.
Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.
Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers “connect the dots” in investigations and pool limited resources.
RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER
The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to “connect the dots” between various investigations around the country.
In a case prosecuted by the United States Attorney’s Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.
RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM
The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC—a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department’s report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.
Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint (“Complaint”) form was made available in October 2006 via the FTC’s Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC’s Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.
RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR
Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:
Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service’s current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim’s credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.
2. Coordination With Foreign Law Enforcement
Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.
Because of the international nature of many forms of identity theft, providing assistance to, and receiving assistance from, foreign law enforcement on identity theft is critical for U.S. enforcement agencies. Under current law, the United States generally is able to provide such assistance, which fulfills our obligations under various treaties and enhances our ability to obtain reciprocal assistance from foreign agencies. Indeed, there are numerous examples of collaborations between U.S. and foreign law enforcement in identity theft investigations.
Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country’s law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.
Second, certain statutes governing foreign requests for electronic and other evidence—specifically 18 U.S.C. § 2703 and 28 U.S.C. § 1782—fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.
The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.
RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT
The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.
RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE
Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention’s standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings and should continue until broad international acceptance of the Convention on Cybercrime is achieved.
RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES
Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.
RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT’S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT
The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).
RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT
Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.
3. Prosecution Approaches and Initiatives
As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney’s Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney’s Office in the District of Oregon has an identity theft “fast track” program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney’s Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.
Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney’s Offices have monetary thresholds—i.e., requirements that a certain amount of monetary loss must have been suffered by the victims—before the U.S. Attorney’s Office will open an identity theft case. When a U.S. Attorney’s Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.
RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT
The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:
Designate An Identity Theft Coordinator for Each United States Attorney’s Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney’s Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.
Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney’s Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.
Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.
Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.
RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES
Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:
Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals’ SSNs or other sensitive information to anyone who provides them with the individual’s name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.
Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries’ and providers’ identities and identification numbers, the opening of bank accounts in individuals’ names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers, can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.
Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.
RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS
By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.
4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps
Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.
a. The Identity Theft Statutes
The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.[76] Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.
There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of “a person,” it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization’s name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.
b. Computer-Related Identity Theft Statutes
Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company’s internal local networks or by a thief intruding into a wireless network generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer’s wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney’s Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.
A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause “damage” to computers, i.e., that impair the “integrity or availability” of data or computer systems.[77] Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals’ computers. Whether the programs succeed in obtaining the unsuspecting computer owner’s financial data, these sorts of programs harm the “integrity” of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.
c. Cyber-Extortion Statute
Another federal criminal statute that may apply in some computer-related identity theft cases is the “cyber-extortion” provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat “to cause damage to a protected computer,”[78] is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first—such as by accessing a corporate computer without authority and encrypting critical data—and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly “threaten to cause damage” can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.
d. Sentencing Guidelines Governing Identity Theft
In recent years, the courts have created some uncertainty about the applicability of the “multiple victim enhancement” provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.[79]
RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES
The Task Force recommends that Congress take the following legislative actions:
Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.
Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases—mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A—in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.
Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.
Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant’s action must cause “damage” to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.
Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.
RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF’S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM
The Sentencing Commission should amend the definition of “victim,” as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.
5. Training of Law Enforcement Officers and Prosecutors
Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney’s Offices, for example, several federal law enforcement agencies—including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI—along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.
Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges—including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft—that warrant more specialized training at all levels of law enforcement.
RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS
Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ’s Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any “model programs”—fast track programs, etc.).
Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.
Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.
Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.
6. Measuring Success of Law Enforcement Efforts
One shortcoming in the federal government’s ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.
Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.
RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM’S RESPONSE TO IDENTITY THEFT
Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.
Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.
Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.
Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an “Identity Theft” category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.
Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.
IV. Conclusion: The Way Forward
There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.
Only a comprehensive and fully coordinated strategy to combat identity theft—one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector—will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders—consumers, business, and government—must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well being.
Appendices
APPENDIX A
Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol
APPENDIX B
Proposed Routine Use Language
Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12,990, 12,993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected,’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28,948, 28,953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.
Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:[80]
To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.
Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.
Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.
APPENDIX C
Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)
Proposed Language
(a) Section 3663 of Title 18, United States Code, is amended by:
(1) Deleting “and” at the end of paragraph (4) of subsection (b);
(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “; and”; and
(3) Adding the following after paragraph (5) of subsection (b):
“(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”
Make conforming changes to the following:
(b) Section 3663A of Title 18, United States Code, is amended by:
(1) Adding the following after Section 3663A(b)(4):
“(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”
Section Analysis
These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim’s time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim’s time spent clearing a victim’s credit report or resolving charges made by the perpetrator for which the victim has been made responsible.
New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear that restitution orders may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense. The federal courts of appeals have interpreted the existing provisions of Section 3663 in such a way that would likely preclude the recovery of such amounts, absent explicit statutory authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th Cir. 1990), the court held that restitution ordered for offenses resulting in loss of property must be limited to recovery of property which is the subject of the offenses, and may not include consequential damages. Similarly, in United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held that the list of compensable expenses in a restitution statute is exclusive, and thus the district court did not have the authority to order the defendant to pay restitution to compensate the victim for mental anguish and suffering. Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court held that restitution was not allowed for consequential damages involved in determining the amount of loss or in recovering those funds; thus, a victim of wire fraud was not entitled to restitution for accounting fees and costs to reconstruct bank statements for the time period during which the defendant perpetuated the scheme, for the cost of temporary employees to reconstruct monthly bank statements, and for the costs incurred in borrowing funds to replace stolen funds. These new subsections will provide statutory authority for inclusion of amounts equal to the value of the victim’s time reasonably spent remediating the harm incurred as a result of the identity theft offense.
APPENDIX D
Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. § 3512
The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.
Proposed Language
§ 2703. Required disclosure of customer communications or records
(a) Contents of wire or electronic communications in electronic storage—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.
(b) Contents of wire or electronic communications in a remote computing service—(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—
(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or
(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—
(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or
(ii) obtains a court order for such disclosure under subsection (d) of this section;
except that delayed notice may be given pursuant to section 2705 of this title.
(c) Records concerning electronic communication service or remote computing service—(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—
(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;
§ 2711. Definitions for chapter
As used in this chapter—
(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;
(2) the term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system; and
(3) the term “court of competent jurisdiction” has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that–
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or
(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.
§ 3127. Definitions for chapter
As used in this chapter—
(1) the terms “wire communication,” “electronic communication,” “electronic communication service,” and “contents” have the meanings set forth for such terms in section 2510 of this title;
(2) the term “court of competent jurisdiction” means—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that–
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located;
(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or
(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device;
§ 3512. Foreign requests for assistance in criminal investigations and prosecutions
(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.
(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –
(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;
(2) administer any necessary oath; and
(3) take testimony or statements and receive documents or other things.
(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –
(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;
(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents, or things may be located; or
(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.
(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.
(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.
(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.
(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.
(h) As used in this section –
(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and
(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.
APPENDIX E
Text of Amendments to 18 U.S.C. §§ 1028 and 1028A
The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.
Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses
Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically, mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A—in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).
Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations
(a) Section 1028(a) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.
Section 1028A(a) of Title 18, United States Code, is amended by inserting in paragraph (1) the phrase “(including an organization as defined in Section 18 of this Title)” after the word “person”.
(b) Section 1028(d)(7) of Title 18, United States Code, is amended by inserting in paragraph (7) the phrase “or other person” after the word “individual”.
Rationale
Corporate identity theft, whereby criminals assume the identity of corporate entities to cloak fraudulent schemes in a misleading and deceptive air of legitimacy, has become rampant. Criminals routinely engage in unauthorized “appropriation” of legitimate companies’ names and logos in a variety of contexts: misrepresenting themselves as officers or employees of a corporation, sending forged or counterfeit documents or financial instruments to victims to improve their aura of legitimacy, and offering nonexistent benefits (e.g., loans and credit cards) in the names of companies.
One egregious example of corporate identity theft is represented on the Internet by the practice commonly known as “phishing,” whereby criminals electronically assume the identity of a corporation in order to defraud unsuspecting recipients of email solicitations to voluntarily disclose identifying and financial account information. This personal information is then used to further the underlying criminal scheme—for example, to scavenge the bank and credit card accounts of these unwitting consumer victims. Phishing is just one example of how criminals in mass-marketing fraud schemes incorporate corporate identity theft into their schemes, though phishing also is designed with individual identity theft in mind.
Phishing has become so routine in many major fraud schemes that no particular corporation can be easily singled out as having suffered a special “horror story” which stands above the rest. In August 2005, the “Anti-Phishing Working Group” determined in just that month alone, there were 5,259 unique phishing websites around the world. By December 2005, that number had increased to 7,197, and there were 15,244 unique phishing reports. It was also reported in August 2005 that 84 corporate entities’ names (and even logos and web content) were “hijacked” (i.e., misused) in phishing attacks, though only 3 of these corporate brands accounted for 80 percent of phishing campaigns. By December 2005, the number of victimized corporate entities had increased to 120. The financial sector is and has been the most heavily targeted industry sector in phishing schemes, accounting for nearly 85 percent of all phishing attacks. See, e.g., http://antiphishing.org/apwg_phishing_activity_report_august_05.pdf
In addition, major companies have reported to the Department of Justice that their corporate names, logos, and marks are often being misused in other types of fraud schemes. These include telemarketing fraud schemes in which communications purport to come from legitimate banks or companies or offer products or services from legitimate banks and companies, and West African fraud schemes that misuse legitimate banks and companies’ names in communications with victims or in counterfeit checks.
Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7) and 1028A(a) of Title 18, United States Code, to apply only to “natural” persons or to also protect corporate entities. These two amendments would clarify that Congress intended that these statutes apply broadly and may be used against phishing directed against victim corporate entities.
APPENDIX F
Text of Amendment to 18 U.S.C. § 1030(a)(2)
The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
1030(a) Whoever—
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains–
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
APPENDIX G
Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b
The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
18 U.S.C. § 1030
(a) Whoever—
(5)
(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
(c) The punishment for an offense under subsection (a) or (b) of this section is—
(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(3) (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;
(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section; and
(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and
(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.
(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety;
(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or
(vi) damage affecting ten or more protected computers during any 1-year period;
or an attempt to commit an offense punishable under this subparagraph;
(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph;
(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both;
(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both; or
(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph.
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
18 U.S.C. § 2332b(g)(5)(B)(I)
1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)
APPENDIX H
Text of Amendments to 18 U.S.C. § 1030(a)(7)
The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.
Proposed Language
18 U.S.C. § 1030(a)(7)
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any–
(a) threat to cause damage to a protected computer;
(b) threat to obtain information from a protected computer without authorization or in excess of authorization or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;
APPENDIX I
Text of Amendment to United States Sentencing Guideline § 2B1.1
The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.
Proposed language for United States Sentencing Guidelines § 2B1.1, comment. (n.1)
“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.
APPENDIX J
Description of Proposed Surveys
In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:
• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.
• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3,000 agencies. The sample includes all agencies with 100 or more officers, and a stratified random sample of smaller agencies, as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.
• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft, as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.
• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the postconviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.
• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.
• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.
ENDNOTES
1. Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.
2. The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.
3. The public comments are available at www.idtheft.gov.
4. Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”
5. See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at httpwwwusdojgovusaomiwpressJMiller_ Others10172006html.
6. Javelin Strategy and Research, 2007 Identity Fraud Survey Report Identity Fraud is Dropping Continued Vigilance Necessary (Feb. 2007), summary available at http://www.javelinstrategy.com; Bureau of Justice Statistics (DOJ) (2004), available at httpwwwojpusdojgovbjspubpdfit04pdf; Gartner, Inc. (2003), available at httpwwwgartnercom5_aboutpress_releasespr21july2003ajsp; FTC 2003 Survey Report (2003), available at httpwwwconsumergovidtheftpdf synovate_reportpdf.
7. See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection BSA Survey Suggests (Jan. 12, 2006), available at httpwwwbsacybersafetycomnews2005-Online-Shopping-Confidencecfm.
8. See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at httpswwwcsiallianceorgpublicationssurveys_and_pollsCSIA_Internet_Security_Survey_June_2005pdf.
9. See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at httpwwwusdojgovusaoflsPressReleases060719-01html.
10. See, e.g., John Leland, Meth Users Attuned to Detail Add Another Habit ID Theft, New York Times, July 11, 2006, available at httpwwwnytimescom20060711us11methhtmlex=1153540800ampen=7b6c7773afa880beampei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit Online Theft, USA Today, December 14, 2005, available at httpwwwusatodaycomtechnewsinternetprivacy2005-12-14-meth-online-theft_xhtm.
11. Bob Mims, Id Theft Is the No 1 Runaway US Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526.
12. Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, httpdeseretnewscomdnview0124960012971400html.
13. Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at httpwwwnytimescom20031221magazine21IDENTITYhtmlex=1387342800ampen=b693eef01223bc3bampei=5007amppartner=USERLAND.
14. Pub. L. No. 108-159, 117 Stat. 1952.
15. The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).
16. Overview of Attack Trends, CERT Coordination Center, 2002, available at httpwwwcertorgarchivepdfattack_trendspdf.
17. Lanowitz, T., Gartner Research ID Number G00127407, December 1, 2005.
18. “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at httpwwwconsumeraffairscomnews04200607scam_vishinghtml.
19. Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See httpwwwftcgovopa200605phonerecordshtm.
20. The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at httpwwwftcgovopa200203pretextingsettlementshtm.
21. See, e.g., Computers Stolen with Data on 72000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.
22. 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a).
23. Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.
24. See httpwwwbizjournalscomphiladelphiastories20060724daily30html. See also Identity Theft Resource Center, Fact Sheet 126, Checking Account Takeover and Check Fraud, httpwwwidtheftcenterorgvg126shtml.
25. For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37,000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at httpwwwsecgovlitigationlitreleases2006lr19949htm.
26. For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.
27. See John Leland, Some ID Theft Is Not For Profit But to Get a Job, NY Times, Sept. 4, 2006.
28. See World Privacy Forum, Medical Identity Theft The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforumorgpdfwpf_medicalidtheft2006pdf.
29. See httpwwwidanalyticscomnews_and_events20051208htm. Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.
30. Government Accounting Office, Social Security Numbers Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004) at 2, available at httpwwwgaogovnewitemsd0559pdf.
31. 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.
32. 5 U.S.C. § 552a.
33. See, e.g., Ariz. Rev. Stat. § 44-1373.
34. Social Security Numbers Federal and State Laws Restrict Use of SSNs Yet Gaps Remain, GAO-05-1016T, September 15, 2005.
35. See, e.g., wwwwpsiccomedicomm_sub_pshtmlmm=3, Non-SSN Member Numbers to Be Assigned for Privacy Protection.
36. Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.
37. The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act; 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”
38. See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).
39. The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.
40. See httpwwwwhitehousegovresultsagendascorecardhtml.
41. The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.
42. 15 U.S.C. §§ 6801-09; 16 C.F.R. Part 313 (FTC); 12 C.F.R. Part 30, App. B (OCC, national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 C.F.R. Part 364, App. B (FDIC, state non-member banks); 12 C.F.R. Part 570, App. B (OTS, savings associations); 12 C.F.R. Part 748, App. A (NCUA, credit unions); 16 C.F.R. Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 C.F.R. Part 248.30 (SEC); 17 C.F.R. Part 160.30 (CFTC).
43. 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.
44. 15 U.S.C. §§ 1681-1681x, as amended.
45. Pub. L. No. 108-159, 117 Stat. 1952.
46. 42 U.S.C. §§ 1320d et seq.
47. 31 U.S.C. § 5318(l).
48. 18 U.S.C. §§ 2721 et seq.
49. httpwwwncslorgprogramsliscipprivbreachlawshtm.
50. httpwwwbbborgsecurityandprivacySecurityPrivacyMadeSimplerpdf; wwwstaysafeonlineorgbasicscompanybasic_tipshtml; The Financial Services Roundtable Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at wwwbitsinfoorgdownloadsPublications20Pagebitsconsconpdf; wwwrealtororgrealtororgnsffilesNARInternetSecurityGuidepdf$FILENARInternetSecurityGuidepdf; wwwantiphishingorgreportsbestpracticesforispspdf; wwwuschambercomsbsecuritydefaulthtm; wwwtrusteorgpdfSecurityGuidelinespdf; wwwthe-dmaorgprivacyinformationsecurityshtml; httpwwwstaysafeonlineorgbasicscompanybasic_tipshtml.
51. These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A and B, and 12 C.F.R. Part 717 (credit unions); 16 C.F.R. Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).
52. See, e.g., httpwwwtrusteorgpdfSecurityGuidelinespdf; httpwwwthe-dmaorgprivacyinformationsecurityshtml.
53. Deloitte Financial Services, 2006 Global Security Survey, available at httpsingerucusnetblogarchives756-Deloitte-Security-Surveyshtml.
54. Datalink, Data Storage Security Study, March 2006, available at wwwdatalinkcomsecurity.
55. Id.
56. See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).
57. See, e.g., California (Cal. Civ. Code § 1798.82 (2006)); Illinois (815 Ill. Comp. Stat. 530/5 (2005)); Louisiana (La. Rev. Stat. 51:3074 (2006)); Rhode Island (R.I. Gen. Laws § 11-49.2-3 (2006)).
58. See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)); Florida (Fla. Stat. § 817.5681 (2005)); New York (NY CLS Gen. Bus. § 889-aa (2006)); Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).
59. Ponemon Institute, LLC, Benchmark Study of European and US Corporate Privacy Practices, p. 16 (Apr. 26, 2006).
60. Id.
61. Ponemon Institute, LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).
62. MultiChannel Merchant, Retailers Need to Provide Greater Data Security Survey Says (Dec. 1, 2005), available at httpmultichannelmerchantcomopsandfulfillmentadvisorretailers_data_security_1201indexhtml.
63. See Information Technology Examination Handbook’s Information Security Booklet, available at httpwwwffiecgovguideshtm.
64. See, e.g., httpwwwpvkansascompolicecrimeiden_theftshtml (Prairie Village, Kansas); httpphoenixgovPOLICEdcd1html (Phoenix, Arizona); wwwcoarapahoecousdepartmentsSHindexasp (Arapahoe County, Colorado).
65. Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.
66. Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.
67. See 31 C.F.R. § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 C.F.R. § 103.122 (broker-dealers); 17 C.F.R. § 270.0-11, 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers).
68. See httpwwwdhsgovxprevprotlawsgc_1172765386179shtm.
69. A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.
Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages before too much harm is done. See 71 Fed. Reg. 40786 (July 18, 2006), to be codified at 12 C.F.R. Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 C.F.R. Part 681 (FTC), available at httpwwwoccgovfrfedregister71fr40786pdf.
70. USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information, such as a PIN, to allow access to a computer network. This system is frequently used to allow for remote access to a workstation for a telecommuter.
71. Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at www.biometrics.gov.
72. See Authentication in an Internet Banking Environment (October 12, 2005), available at httpwwwffiecgovpdfauthentication_guidancepdf.
73. See FFIEC Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at httpwwwffiecgovpdfauthentication_faqpdf.
74. See Kristin Davis and Jessica Anderson, But Officer That Isn’t Me, Kiplinger’s Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).
75. 18 U.S.C. § 1028A.
76. 18 U.S.C. § 1028(d)(7).
77. See 18 U.S.C. § 1030(e)(8).
78. 18 U.S.C. § 1030(a)(7).
79. S. Rep. No. 105-274, at 9 (1998).
80. As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.
I. Executive Summary
From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.
A. INTRODUCTION
Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.
Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government--from the largest cities with major police departments to the smallest towns with one fraud detective--identity theft has placed increasingly pressing demands on law enforcement.
Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.
In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.
The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.
These communications from the public went a long way toward informing the Task Force's recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.
B. THE STRATEGY
Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual's personal information to commit fraud. Identity theft has at least three stages in its "life cycle," and it must be attacked at each of those stages:
First, the identity thief attempts to acquire a victim's personal information.
Criminals must first gather personal information, either through low-tech methods--such as stealing mail or workplace records, or "dumpster diving"--or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.
Second, the thief attempts to misuse the information he has acquired.
In this stage, criminals have acquired the victim's personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:
Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.
New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim's name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.
In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.
Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.
In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation's citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.
The Plan focuses on improvements in four key areas:
• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.
In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:
• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.
The Task Force believes that all of the recommendations in this strategic plan--from these broad policy changes to the small steps--are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President's Task Force on Identity Theft:
PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While "perfect security" does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.
Data Security in Public Sector
Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management
• Survey current use of SSNs by federal government
• Issue guidance on appropriate use of SSNs
• Establish clearinghouse for "best" agency practices that minimize use of SSNs
• Work with state and local governments to review use of SSNs
Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance
• Develop concrete guidance and best practices
• Monitor agency compliance with data security guidance
• Protect portable storage and communications devices
Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies
• Issue data breach guidance to agencies
• Publish a "routine use" allowing disclosure of information after a breach to those entities that can assist in responding to the breach
Data Security in Private Sector
Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements
Develop Comprehensive Record on Private Sector Use of Social Security Numbers
Better Educate the Private Sector on Safeguarding Data
• Hold regional seminars for businesses on safeguarding information
• Distribute improved guidance for private industry
Initiate Investigations of Data Security Violations
Initiate a Multi-Year Public Awareness Campaign
• Develop national awareness campaign
• Enlist outreach partners
• Increase outreach to traditionally underserved communities
• Establish "Protect Your Identity" Days
Develop Online Clearinghouse for Current Educational Resources
PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim's name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.
Authentication includes determining a person's identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.
Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses--for example, multi-factor authentication or layered security--would go a long way toward preventing criminals from profiting from identity theft.
Hold Workshops on Authentication
• Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity
• Issue report on workshop findings
Develop a Comprehensive Record on Private Sector Use of SSNs
VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Identity theft can be committed despite a consumer's best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.
Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims
• Train law enforcement officers
• Provide educational materials for first responders that can be used as a reference guide for identity theft victims
• Create and distribute an ID Theft Victim Statement of Rights
• Design nationwide training for victim assistance counselors
Develop Avenues for Individualized Assistance to Identity Theft Victims
Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered
Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes
Assess Efficacy of Tools Available to Victims
• Conduct assessment of FACT Act remedies under FCRA
• Conduct assessment of state credit freeze laws
LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.
Coordination and Information/Intelligence Sharing
Establish a National Identity Theft Law Enforcement Center
Develop and Promote the Use of a Universal Identity Theft Report Form
Enhance Information Sharing Between Law Enforcement and the Private Sector
• Enhance ability of law enforcement to receive information from financial institutions
• Initiate discussions with financial services industry on countermeasures to identity theft
• Initiate discussions with credit reporting agencies on preventing identity theft
Coordination with Foreign Law Enforcement
Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft
Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime
Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies
Enhance the United States Government's Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft
Assist, Train, and Support Foreign Law Enforcement
Prosecution Approaches and Initiatives
Increase Prosecutions of Identity Theft
• Designate an identity theft coordinator for each United States Attorney's Office to design a specific identity theft program for each district
• Evaluate monetary thresholds for prosecution
• Encourage state prosecution of identity theft
• Create working groups and task forces
Conduct Targeted Enforcement Initiatives
• Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale
• Conduct enforcement initiatives focused on identity theft related to the health care system
• Conduct enforcement initiatives focused on identity theft by illegal aliens
Review Civil Monetary Penalty Programs
Gaps in Statutes Criminalizing Identity Theft
Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes
• Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted
• Add new crimes to the list of predicate offenses for aggravated identity theft offenses
• Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications
• Penalize creators and distributors of malicious spyware and keyloggers
• Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion
Ensure That an Identity Thief's Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim
Law Enforcement Training
Enhance Training for Law Enforcement Officers and Prosecutors
• Develop course at National Advocacy Center focused on investigation and prosecution of identity theft
• Increase number of regional identity theft seminars
• Increase resources for law enforcement on the Internet
• Review curricula to enhance basic and advanced training on identity theft
Measuring the Success of Law Enforcement
Enhance the Gathering of Statistical Data Impacting the Criminal Justice System's Response to Identity Theft
• Gather and analyze statistically reliable data from identity theft victims
• Expand scope of national crime victimization survey
• Review U.S. Sentencing Commission data
• Track prosecutions of identity theft and resources spent
• Conduct targeted surveys
II. The Contours of the Identity Theft Problem
THE CONTOURS OF THE IDENTITY THEFT PROBLEM
Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.
Identity theft--the misuse of another individual's personal information to commit fraud--can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or "dumpster diving," or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.
Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain's identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain's name and with his Social Security number. The military identification, combined with the victim's then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim's name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim's name.4
In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim's existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim's safe-deposit boxes.5
In these ways and others, consumers' lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.
"I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver's license was suspended. I hold three licenses in the State of Ohio--my driver's license, my real estate license, and my RN license. After learning my driver's license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter."
Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003
A. PREVALENCE AND COSTS OF IDENTITY THEFT
There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.
Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly, but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.
In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.
In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.
Consumers' fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.
B. IDENTITY THIEVES: WHO THEY ARE
Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC's 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.
Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.
Individuals
According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners' mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9
A number of recent reports have focused on the connection between individual methamphetamine ("meth") users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.
In an article entitled "Waitress Gets Own ID When Carding Patron," the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver's license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.
In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $18151705 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver's license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.
Significant Criminal Groups and Organizations
Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups--including national gangs such as Hell's Angels and MS-13--are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.
Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user's Internet connection, without the user's knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services--such as software templates for making counterfeit identification cards and payment card magnetic strip encoders--that make the stolen data even more valuable to those who have it.
C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE
Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim's name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.
Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.
In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant's accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an "unprecedented, wide-ranging, organized criminal enterprise" that "engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers." The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.
The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.
Common Theft and Dumpster Diving
While often considered a "high tech" crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as "dumpster diving."13 Still others steal information using techniques no more sophisticated than purse snatching.
Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed--a measure that is intended, among other things, to reduce the ability of a "dumpster diver" to obtain a victim's credit card number simply by looking through that victim's discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15
Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice
A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.
Employee/Insider Theft
Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves, to access sensitive data at companies. The failure to disable a terminated employee’s access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.
Electronic Intrusions or Hacking
Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.
Second, hackers also can gain access to underlying applications—programs used to “communicate” between Internet users and a company’s internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker’s application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.
According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.
Social Engineering: Phishing, Malware/Spyware, and Pretexting
Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as “social engineering,” can take a variety of forms.
In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution’s screening practices came to light through the OCC’s review of the former employee’s activities.
In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe’s Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe’s retail store in Michigan and gained access to Lowe’s central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe’s retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.
Phishing: “Phishing” is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources—often, financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to “reenter” or “validate” their personal data. Such phishing schemes often mimic financial institutions’ websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed “vishing,” in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18
Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users’ computers and data without the users’ permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user’s Internet sessions back to the hacker, including usernames and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims’ passwords and other useful data—such as “sniffing” Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.
“Phishing” Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group
At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS’s website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information – such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things – the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.
Pretexting: Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer’s account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer’s name.20
Stolen Media
In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an “incidental” manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded—such as through the use of technological tools for protecting data—this information can be accessed and used to steal the victim’s identity. Identity thieves also may obtain consumer data when it is lost or misplaced.
Failure to “Know Your Customer”
Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.
The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.
Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.
In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.
“Skimming”
Because it is possible to use someone’s credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as “skimmers.” A skimmer is an inexpensive electronic device with a slot through which a person passes or “skims” a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer’s sight, he can skim the card through the device and then swipe it through the restaurant’s own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer’s card, as well as the consumer’s password.
D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT
Once they obtain victims’ personal information, criminals misuse it in endless ways, from opening new accounts in the victim’s name, to accessing the victim’s existing accounts, to using the victim’s name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.
Misuse of Existing Accounts
Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer’s wallet.
A “skimmer.” Source: Durham, Ontario Police
In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.
Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims’ bank accounts, including checking accounts—sometimes referred to as “account takeovers.”24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims’ online brokerage accounts.25
Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26
New Account Fraud
A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim’s name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.
Criminal’s skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customer’s keystrokes. Source: University of Texas Police Department
In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor’s Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $13 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.
When criminals establish new credit card accounts in others’ names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others’ names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.
“Brokering” of Stolen Data
Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as “carding sites,” traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.
Immigration Fraud
In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.
Medical Identity Theft
Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim’s identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.
Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney’s Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver’s licenses, credit, or even medical services because someone had improperly used their personal information before.
Other Frauds
Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS’s Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.
With the advent of the prescription drug benefit of Medicare Part D, the Department of Health and Human Services’ Office of the Inspector General (HHS OIG) has noted a growing incidence of health care frauds involving identity theft. These frauds include telemarketers who fraudulently solicit potential Medicare Part D beneficiaries to disclose information such as their Health Insurance Claim Number (which includes the SSN) and bank account information, as well as marketers who obtain identities from nursing homes and other adult care facilities (including deceased beneficiaries and severely cognitively impaired persons) and use them fraudulently to enroll unwilling beneficiaries in alternate Part D plans in order to increase their sales commissions. The types of fraud that can be perpetrated by an identity thief are limited only by the ingenuity and resources of the criminal.
Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney’s Office for the Southern District of New York obtained a criminal conviction against him in 2002.
In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant’s allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.
A STRATEGY TO COMBAT IDENTITY THEFT
III. A Strategy to Combat Identity Theft
Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its “lifecycle,” it must be attacked at each of those stages, including:
• when the identity thief attempts to acquire a victim’s personal information;
• when the thief attempts to misuse the information he has acquired; and
• after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
The federal government’s strategy to combat identity theft must address each of these stages by:
• keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;
• making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;
• assisting victims in recovering from the crime; and
• deterring identity theft by aggressively prosecuting and punishing those who commit the crime.
A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force’s recommendations, as described below, are focused on those areas.
A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as “perfect security,” some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.
The link between a data breach and identity theft often is unclear. Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.29 Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.
1. Decreasing the Unnecessary Use of Social Security Numbers
The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim’s SSN and certain other information generally can open accounts or obtain other benefits in the victim’s name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.
SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers’ earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes is expressly authorized by statute.
The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.
Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the students’ identification number for a range of purposes, from administering loans to tracking grades, and may place it on students’ identification cards, although usage for these purposes is declining.
In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver’s licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.
SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.30 Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.
No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations’ disclosure of SSNs without patient authorization; and the Driver’s Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 “permissible uses.”31 In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.32 A number of state statutes restrict the use and display of SSNs in certain contexts.33 Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.34
There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.
Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization’s internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN’s use as an authenticator.
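The substitution described above can be sketched in a few lines. The following is an added example, not code from the Task Force report: it replaces the SSN in a record with an organization-generated identifier, masks any SSN left in free text, and reports fields that still expose a full SSN. All class, function, and field names are hypothetical, and the sample SSNs are constructed values in the never-issued 000 area.

```python
import re
import secrets

# Nine digits, optionally written AAA-GG-SSSS, not embedded in a longer number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-?(\d{2})-?(\d{4})(?!\d)")

# Letters only, so a generated identifier can never look like an SSN itself.
ID_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ"


def normalize_ssn(value):
    """Return the nine digits of an SSN-shaped string, or None."""
    match = SSN_RE.fullmatch(value.strip())
    return "".join(match.groups()) if match else None


def mask_ssns(text):
    """Mask every SSN-shaped number in free text down to its last four digits."""
    return SSN_RE.sub(lambda m: "XXX-XX-" + m.group(3), text)


def fields_exposing_ssn(record):
    """Names of fields whose value still contains a full SSN-shaped number."""
    return sorted(k for k, v in record.items() if SSN_RE.search(str(v)))


class IdentifierDirectory:
    """Maps SSNs to organization-generated identifiers (hypothetical design).

    The identifier is random, not derived from the SSN (for example by
    hashing): there are fewer than 10**9 possible SSNs, so an unkeyed
    derivation can be reversed by enumeration. This map is the only place the
    SSN is kept and is assumed to sit behind separate access controls.
    """

    def __init__(self):
        self._id_by_ssn = {}

    def _new_id(self):
        return "EMP-" + "".join(secrets.choice(ID_ALPHABET) for _ in range(12))

    def identifier_for(self, ssn):
        """Return the stable identifier for this SSN, creating it if needed."""
        digits = normalize_ssn(ssn)
        if digits is None:
            raise ValueError("not an SSN-shaped value")
        if digits not in self._id_by_ssn:
            new_id = self._new_id()
            while new_id in self._id_by_ssn.values():  # guard against reuse
                new_id = self._new_id()
            self._id_by_ssn[digits] = new_id
        return self._id_by_ssn[digits]

    def migrate(self, record, ssn_field="ssn"):
        """Copy a record with the SSN field replaced by the new identifier
        and any SSN remaining in other text fields masked."""
        out = {"employee_id": self.identifier_for(record[ssn_field])}
        for key, value in record.items():
            if key == ssn_field:
                continue
            out[key] = mask_ssns(value) if isinstance(value, str) else value
        return out


# Constructed sample records; 000-xx-xxxx numbers are never issued.
SAMPLE_RECORDS = [
    {"ssn": "000-12-3456", "name": "A. Example",
     "notes": "Payroll query, caller quoted 000-12-3456"},
    {"ssn": "000987654", "name": "B. Example",
     "notes": "No SSN in this note; ticket 1234567890"},
]

if __name__ == "__main__":
    directory = IdentifierDirectory()
    for rec in SAMPLE_RECORDS:
        print("before:", fields_exposing_ssn(rec))
        migrated = directory.migrate(rec)
        print("after: ", fields_exposing_ssn(migrated), migrated)
```

Systems that do need the SSN, such as tax reporting, would look it up through the directory rather than carrying it in every record.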
In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA’s Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.
Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber’s identification number.35 Additionally, the Department of Treasury’s Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.
More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.
rECOMMENDATION DECrEASE THE uNNECESSArY uSE OF SOCIAL SECurITY NuMBErS IN THE PuBLIC SECTOr
Tolimittheunnecessaryuseof SSNsinthepublicsectormdashandtobegintodevelopalternativestrategiesforidentitymanagementmdashtheTaskForcerecommendsthefollowing
Complete review of use of SSNsAsrecommendedintheTaskForcersquosinterimrecommendationsOPMundertookareviewof theuseof SSNsinitscollectionof humanresourcedatafromagenciesandonOPM-basedpapersandelectronicformsBasedonthatreviewwhichOPMcompletedin2006OPMshouldtakestepstoeliminaterestrictorconcealtheuseof SSNs(includingassigningemployeeidentificationnumberswherepracticable)incalendaryear2007If necessarytoimplementthisrecommendationExecutiveOrder9397effectiveNovember231943whichrequiresfederalagenciestouseSSNsinldquoanysystemof permanentaccountnumberspertainingtoindividualsrdquoshouldbepartiallyrescindedTheusebyfederalagenciesof SSNsforthepurposesof employmentandtaxationemploymentverificationandsharingof dataforlawenforcementpurposeshoweverisexpresslyauthorizedbystatuteandshouldcontinuetobepermitted
When purchasing advertising space in a trade magazine in 2002 a Colorado man wrote his birth date and Social Security number on the payment check The salesman who received the check then used this information to obtain surgery in the victimrsquos name Two years later the victim received a collection notice demanding payment of over $40000 for the surgery performed on the identity thief In addition to the damage this caused to his credit rating the thiefrsquos medical information was added to the victimrsquos medical records
Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.
Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.[36]
Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB’s review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices—including the development of any alternative strategies for identity management—to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.
Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments—through organizations such as the National Governor’s Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems—to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders—including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.
2. Data Security in the Public Sector
While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.
a. Safeguarding of Information in the Public Sector
Two sets of laws and associated policies frame the federal government’s responsibilities in the area of data security. The first specifically governs the federal government’s information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.[37] The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, and which provided a checklist developed by NIST concerning protection of remotely accessed information, and that recommended that agencies, among other things, encrypt all data on mobile devices and use a “time-out” function for remote access and mobile devices.[38] The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.[39]
Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President’s Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.[40]
Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISS LOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.
Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.
b. Responding to Data Breaches in the Public Sector
Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.
The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.
RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE
To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:
Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISS LOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 “mistakes” to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.
Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency’s quarterly PMA Scorecard.
Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of laptop computers. Because government employees increasingly rely on laptops and other portable communications devices to conduct government business, no later than the second quarter of 2007, all Chief Information Officers of federal agencies should remind the agencies of their responsibilities to protect laptops and other portable data storage and communication devices. If any agency does not fully comply, that failure should be reflected on the agency’s PMA scorecard.
RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL AGENCIES
To assist agencies in responding to the difficult questions that arise following a data breach, the Task Force recommends the following:
Issue Data Breach Guidance to Agencies. The Task Force developed and formally approved a set of guidelines, reproduced in Appendix A, that sets forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected. In the interim recommendations, the Task Force recommended that OMB issue that guidance to all agencies and departments. OMB issued the guidance on September 20, 2006.
Publish a “Routine Use” Allowing Disclosure of Information Following a Breach. To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, federal agencies should, in accordance with the Privacy Act exceptions, publish a routine use that specifically permits the disclosure of information in connection with response and remediation efforts in the event of a data breach. Such a routine use would serve to protect the interests of the people whose information is at risk by allowing agencies to take appropriate steps to facilitate a timely and effective response, thereby improving their ability to prevent, minimize, or remedy any harms that may result from a compromise of data maintained in their systems of records. This routine use should not affect the existing ability of agencies to properly disclose and share information for law enforcement purposes. The Task Force offers the routine use that is reproduced in Appendix B as a model for other federal agencies to use in developing and publishing their own routine uses.[41] DOJ has now published such a routine use, which became effective as of January 24, 2007. The proposed routine use language reproduced in Appendix B should be reviewed and adapted by agencies to fit their individual systems of records.
3. Data Security in the Private Sector
Data protection in the private sector is the subject of numerous legal requirements, industry standards and guidelines, private contractual arrangements, and consumer and business education initiatives. But no system is perfect, and data breaches can occur even when entities have implemented appropriate data safeguards.
a. The Current Legal Landscape
Although there is no generally applicable federal law or regulation that protects all consumer information or requires that such information be secured, a variety of specific statutes and regulations impose data security requirements for particular entities in certain contexts. These include Title V of the GLB Act and its implementing rules and guidance, which require financial institutions to maintain reasonable protections for the personal information they collect from customers;[42] Section 5 of the FTC Act, which prohibits unfair or deceptive practices;[43] the FCRA,[44] which restricts access to consumer reports and imposes safe disposal requirements, among other things;[45] HIPAA, which protects health information;[46] Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act,[47] which requires verification of the identity of persons opening accounts with financial institutions; and the Drivers Privacy Protection Act of 1994 (DPPA), which prohibits most disclosures of drivers’ personal information.[48] See Volume II, Part A, for a description of federal laws and regulations related to data security.
The federal bank regulatory agencies—the Federal Deposit Insurance Corporation (FDIC), Federal Reserve Board (FRB), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS)—and the FTC and SEC, among others, have pursued active regulatory and enforcement programs to address the data security practices of those entities within their respective jurisdictions. Depending on the severity of a violation, the financial regulatory agencies have cited institutions for violations, without taking formal action when management quickly remedied the situation. In circumstances where the situation was not quickly remedied, the financial regulatory agencies have taken formal, public actions and sought civil penalties, restitution, and cease and desist orders. The FDIC has taken 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions since 2001; the OCC has taken 18 formal actions since 2002; and the OTS has taken eight formal enforcement actions in the past five years. Remedies in these cases have included substantial penalties and restitution, consumer notification, and restrictions on the use of customer information. Additionally, the FTC has obtained orders against 14 companies that allegedly failed to implement reasonable procedures to safeguard the sensitive consumer information they maintained. Most of these cases have been brought in the last two years. The SEC also has brought data security cases. See Volume II, Part B, for a description of enforcement actions relating to data security.
BJ’s Wholesale Club, Inc. suffered a data breach that led to the loss of thousands of credit card numbers and millions of dollars in unauthorized charges. Following the breach, the FTC charged the company with engaging in an unfair practice by failing to provide reasonable security for credit card information. The FTC charged that BJ’s stored the information in unencrypted clear text without a business need to do so, failed to defend its wireless systems against unauthorized access, failed to use strong credentials to limit access to the information, and failed to use adequate procedures for detecting and investigating intrusions. The FTC also charged that these failures were easy to exploit by hackers and led to millions of dollars in fraudulent charges.
In addition to federal law, every state and the District of Columbia has its own laws to protect consumers from unfair or deceptive practices. Moreover, 37 states have data breach notice laws,[49] and some states have laws relevant to data security, including safeguards and disposal requirements.
Trade associations, industry collaborations, independent organizations with expertise in data security, and nonprofits have developed guidance and standards for businesses. Topics include: incorporating basic security and privacy practices into everyday business operations; developing privacy and security plans; employee screening, training, and management; implementing electronic and physical safeguards; employing threat recognition techniques; safeguarding international transactions; and credit and debit card security.[50]
Some entities that use service providers also have begun using contractual provisions that require third-party service vendors with access to the institution’s sensitive data to safeguard that data.[51] Generally, these provisions also address specific practices for contracting organizations, including conducting initial and follow-up security audits of a vendor’s data center, and requiring vendors to provide certification that they are in compliance with the contracting organization’s privacy and data protection obligations.[52]
b. Implementation of Data Security Guidelines and Rules
Many private sector organizations understand their vulnerabilities and have made significant strides in incorporating data security into their operations or improving existing security programs. See Volume II, Part C, for a description of education efforts for businesses on safeguarding data. For example, many companies and financial institutions now regularly require two-factor authentication for business conducted via computer or telephone; send dual confirmations when customers submit a change of address; limit access to non-public personal information to necessary personnel; regularly monitor websites for phishing and firewalls for hacking; perform assessments of network security to determine the adequacy of protection from intrusion, viruses, and other data security breaches; and post identity theft education materials on company websites. Additionally, many firms within the consumer data industry offer services that provide companies with comprehensive background checks on prospective employees and tenants as permitted by law under the FCRA, and help companies verify the identity of customers.
In April 2004, the New York Attorney General settled a case with Barnes&Noble.com, fining the company $60,000 and requiring it to implement a data security program after an investigation revealed that an alleged design vulnerability in the company’s website permitted unauthorized access to consumers’ personal information and enabled thieves to make fraudulent purchases. In addition, California, Vermont, and New York settled a joint action with Ziff Davis Media, Inc. involving security shortcomings that exposed the credit card numbers and other personal information of about 12,000 consumers.
In 2006, the Federal Reserve Board issued a Cease and Desist Order against an Alabama-based financial institution for, among other things, failing to comply with an existing Board regulation that required implementation of an information security program.
Yet, as the reports of data breach incidents continue to show, further improvements are necessary. In a survey of financial institutions, 95 percent of respondents reported growth in their information security budget in 2005, with 71 percent reporting that they have a defined information security governance framework.[53] But many organizations also report that they are in the early stages of implementing comprehensive security procedures. For instance, in a survey of technology decision makers released in 2006, 85 percent of respondents indicated that their stored data was either somewhat or extremely vulnerable, while only 22 percent had implemented a storage security solution to prevent unauthorized access.[54] The same survey revealed that 58 percent of data managers responding believed their networks were not as secure as they could be.[55]
Small businesses face particular challenges in implementing effective data security policies for reasons of cost and lack of expertise. A 2005 survey found that while many small businesses are accelerating their adoption and use of information technology and the Internet, many do not have basic security measures in place.[56] For example, of the small businesses surveyed:
• nearly 20 percent did not use virus scans for email, a basic information security safeguard;
• over 60 percent did not protect their wireless networks with even the simplest of encryption solutions;
• over 70 percent reported expectations of a more challenging environment for detecting security threats, but only 30 percent reported increasing information security spending in 2005; and
• 74 percent reported having no information security plan in place.
Further complicating matters is the fact that some federal agencies are unable to receive data from private sector entities in an encrypted form. Therefore, some private sector entities that have to transmit sensitive data to federal agencies—sometimes pursuant to law or regulations issued by agencies—are unable to fully safeguard the transmitted data because they must decrypt the data before they can send it to the agencies. The E-Authentication Presidential Initiative is currently addressing how agencies can more uniformly adopt appropriate technical solutions to this problem based on the level of risk involved, including, but not limited to, encryption.
In 2005, the FTC settled a law enforcement action with Superior Mortgage, a mortgage company, alleging that the company failed to comply with the GLB Safeguards Rule. The FTC alleged that the company’s security procedures were deficient in the areas of risk assessment, access controls, document protection, and oversight of service providers. The FTC also charged Superior with misrepresenting how it applied encryption to sensitive consumer information. Superior agreed to undertake a comprehensive data security program and retain an independent auditor to assess and certify its security procedures every two years for the next 10 years.
c. Responding to Data Breaches in the Private Sector
Although the link between data breaches and identity theft is unclear, reports of private sector data security breaches add to consumers’ fear of identity thieves gaining access to sensitive consumer information and undermine consumer confidence. Pursuant to the GLB Act, the financial regulatory agencies require financial institutions under their jurisdiction to implement programs designed to safeguard customer information. In addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC, and OTS) have issued guidance with respect to breach notification. In addition, 37 states have laws requiring that consumers be notified when their information has been subject to a breach.[57] Some of the laws also require that the entity that experienced the breach notify law enforcement, consumer reporting agencies, and other potentially affected parties.[58] Notice to consumers may help them avoid or mitigate injury by allowing them to take appropriate protective actions, such as placing a fraud alert on their credit file or monitoring their accounts. In some cases, the organization experiencing the breach has offered additional assistance, including free credit monitoring services. Moreover, prompt notification to law enforcement allows for the investigation and deterrence of identity theft and related unlawful conduct.
The states have taken a variety of approaches regarding when notice to consumers is required. Some states require notice to consumers whenever there is unauthorized access to sensitive data. Other states require notification only when the breach of information poses a risk to consumers. Notice is not required, for example, when the data cannot be used to commit identity theft, or when technological protections prevent fraudsters from accessing data. This approach recognizes that excessive breach notification can overwhelm consumers, causing them to ignore more significant incidents, and can impose unnecessary costs on consumers, the organization that suffered the breach, and others. Under this approach, however, organizations struggle to assess whether the risks are sufficient to warrant consumer notification. Factors relevant to that assessment often include the sensitivity of the breached information, the extent to which it is protected from access (e.g., by using technological tools for protecting data), how the breach occurred (e.g., whether the information was deliberately stolen as opposed to accidentally misplaced), and any evidence that the data actually have been misused.
A number of bills establishing a federal notice requirement have been introduced in Congress. Many of the state laws and the bills in Congress address who should be notified, when notice should be given, what information should be provided in the notice, how notice should be effected, and the circumstances under which consumer notice should be delayed for law enforcement purposes.
In 2004, an FDIC examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The FDIC issued an order directing the bank to develop and implement an information security program, and specifically ordered the bank, among other things, to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information. The bank also was ordered to review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the information.
Despite the substantial effort undertaken by the public and private sectors to educate businesses on how to respond to data breaches (see Volume II, Part D, for a description of education for businesses on responding to data breaches), there is room for improvement by businesses in planning for and responding to data breaches. Surveys of large corporations and retailers indicate that fewer than half of them have formal breach response plans. For example, an April 2006 cross-industry survey revealed that only 45 percent of large multinational corporations headquartered in the U.S. had a formal process for handling security violations and data breaches.[59] Fourteen percent of the companies surveyed had experienced a significant privacy breach in the past three years.[60] A July 2005 survey of large North American corporations found that although 80 percent of responding companies reported having privacy or data-protection strategies, only 31 percent had a formal notification procedure in the event of a data breach.[61] Moreover, one survey found that only 43 percent of retailers had formal incident response plans, and even fewer had tested their plans.[62]
RECOMMENDATION: ESTABLISH NATIONAL STANDARDS EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS AND BREACH NOTIFICATION REQUIREMENTS
Several existing laws mandate protection for sensitive consumer information, but a number of private entities are not subject to those laws. The GLB Act, for example, applies to “financial institutions,” but generally not to other entities that collect and maintain sensitive information. Similarly, existing federal breach notification standards do not extend to all entities that hold sensitive consumer information, and the various state laws that contain breach notification requirements differ in various respects, complicating compliance. Accordingly, the Task Force recommends the development of (1) a national standard imposing safeguards requirements on all private entities that maintain sensitive consumer information; and (2) a national standard requiring entities that maintain sensitive consumer information to provide notice to consumers and law enforcement in the event of a breach. Such national standards should provide clarity and predictability for businesses and consumers, and should incorporate the following important principles:
Covered data. The national standards for data security and for breach notification should cover data that can be used to perpetrate identity theft—in particular, any data or combination of consumer data that would allow someone to use, log into, or access an individual’s account, or to establish a new account using the individual’s identifying information. This identifying information includes a name, address, or telephone number paired with a unique identifier such as a Social Security number, a driver’s license number, a biometric record, or a financial account number (together with a PIN or security code, if such PIN or code is required to access an account) (hereinafter “covered data”). The standards should not cover data, such as a name and address alone, that by itself typically would not cause harm. The definitions of covered data for data security and data breach notification requirements should be consistent.
When an online retailer became the target of an elaborate fraud ring, the company looked to one of the major credit reporting agencies for assistance. By using shared data maintained by that agency, the retailer was able to identify applications with common data elements and flag them for further scrutiny. By using the shared application data in connection with the activities of this fraud ring, the company avoided $26,000 in fraud losses.
Covered entities. The national standards for data security and breach notification should cover any private entity that collects, maintains, sells, transfers, disposes of, or otherwise handles covered data in any medium, including electronic and paper formats.
Unusable data. National standards should recognize that rendering data unusable to outside parties likely would prevent “acquisition” of the data, and thus ordinarily would satisfy an entity’s legal obligations to protect the data and would not trigger notification of a breach. The standards should not endorse a specific technology because unusability is not a static concept and the effectiveness of particular technologies may change over time.
Risk-based standard for breach notification. The national breach notification standard should require that covered entities provide notice to consumers in the event of a data breach, but only when the risks to consumers are real—that is, when there is a significant risk of identity theft due to the breach. This “significant risk of identity theft” trigger for notification recognizes that excessive breach notification can overwhelm consumers, causing them to take costly actions when there is little risk, or conversely, to ignore the notices when the risks are real.
Notification to law enforcement. The national breach notification standard should provide for timely notification to law enforcement and expressly allow law enforcement to authorize a delay in required consumer notice, either for law enforcement or national security reasons (and either on its own behalf or on behalf of state or local law enforcement).
Relationship to current federal standards. The national standards for data security and breach notification should be drafted to be consistent with and so as not to displace any rules, regulations, guidelines, standards, or guidance issued under the GLB Act by the FTC, the federal bank regulatory agencies, the SEC, or the Commodity Futures Trading Commission (CFTC), unless those agencies so determine.
Preemption of state laws. To ensure comprehensive national requirements that provide clarity and predictability, while maintaining an effective enforcement role for the states, the national data security and breach notification standards should preempt state data security and breach notification laws, but authorize enforcement by the state Attorneys General for entities not subject to the jurisdiction of the federal bank regulatory agencies, the SEC, or the CFTC.
Rulemaking and enforcement authority. Coordinated rulemaking authority under the Administrative Procedure Act should be given to the FTC, the federal bank regulatory agencies, the SEC, and the CFTC to implement the national standards. Those agencies should be authorized to enforce the standards against entities under their respective jurisdictions, and should specifically be authorized to seek civil penalties in federal district court.
Private right of action. The national standards should not provide for or create a private right of action.
Standards incorporating such principles will prompt covered entities to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of sensitive consumer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any consumer. Because the costs associated with implementing safeguards or providing breach notice may be different for small businesses and larger businesses or may differ based on the type of information held by a business, the national standard should expressly call for actions that are reasonable for the particular covered entity and should not adopt a one-size-fits-all approach to the implementation of safeguards.
RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR ON SAFEGUARDING DATA
Although much has been done to educate the private sector on how to safeguard data, the continued proliferation of data breaches suggests that more needs to be done. While there is no perfect data security system, a company that is sensitized to the importance of data security, understands its legal obligations, and has the information it needs to secure its data adequately, is less likely to suffer a data compromise. The Task Force therefore makes the following recommendations concerning how to better educate the private sector:
When a major consumer lending institution encountered a problem when the loss ratio on many of its loans—including mortgages and consumer loans—became excessively high due to fraud, the bank hired a leading provider of fraud prevention products to authenticate potential customers during the application process prior to extending credit. The result was immediate: two million dollars of confirmed fraud losses were averted within the first six months of implementation.
Hold Regional Seminars for Businesses on Safeguarding Information. By the fourth quarter of 2007, the federal financial regulatory agencies and the FTC, with support from other Task Force member agencies, should hold regional seminars and develop self-guided and online tutorials for businesses and financial institutions about safeguarding information, preventing and reporting breaches, and assisting identity theft victims. The seminar’s leaders should make efforts to include small businesses in these sessions and address their particular needs. These seminars could be co-sponsored by local bar associations, the Better Business Bureaus (BBBs), and other similar organizations. Self-guided tutorials should be made available through the Task Force’s online clearinghouse at www.idtheft.gov.
Distribute Improved Guidance for Private Industry. In the second quarter of 2007, the FTC should expand written guidance to private sector entities that are not regulated by the federal bank regulatory agencies or the SEC on steps they should take to safeguard information. The guidance should be designed to give a more detailed explanation of the broad principles encompassed in existing laws. Like the Information Technology Examination Handbook’s Information Security Booklet, issued under the auspices of the Federal Financial Institutions Examination Council,63 the guidance should be risk-based and flexible, in recognition of the fact that different private sector entities will warrant different solutions.
RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA SECURITY VIOLATIONS
Beginning immediately, appropriate government agencies should initiate investigations of and, if appropriate, take enforcement actions against entities that violate the laws governing data security. The FTC, SEC, and federal bank regulatory agencies have used regulatory and enforcement efforts to require companies to maintain appropriate information safeguards under the law. Federal agencies should continue and expand these efforts to ensure that such entities use reasonable data security measures. Where appropriate, the agencies should share information about those enforcement actions on www.idtheft.gov.
A leading payment processing and bill payment company recently deployed an automated fraud detection and case management system to more than 40 financial institutions. The system helps ensure that receiving and paying bills online remains a safe practice for consumers. To mitigate risk and reduce fraud for banks and consumers before it happens, the system combines the company’s cumulative knowledge of payment patterns and a sophisticated analytics engine to help financial services organizations detect and stop unauthorized payments.
4. Educating Consumers on Protecting Their Personal Information
The first line of defense against identity theft often is an aware and motivated consumer who takes reasonable precautions to protect his information. Every day, unwitting consumers create risks to the security of their personal information. From failing to install firewall protection on a computer hard drive to leaving paid bills in a mail slot, consumers leave the door open to identity thieves. Consumer education is a critical component of any plan to reduce the incidence of identity theft.
The federal government has been a leading provider of consumer information about identity theft. Numerous departments and agencies target identity theft-related messages to relevant populations. See Volume II, Part E, for a description of federal consumer education efforts. The FTC, through its Identity Theft Clearinghouse and ongoing outreach, plays a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. The FTC also recently implemented a national public awareness campaign centered around the themes of “Deter, Detect, and Defend,” which seeks to drive behavioral changes in consumers that will reduce their risk of identity theft (Deter); encourage them to monitor their credit reports and accounts to alert them of identity theft as soon as possible after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of direct messaging to consumers as well as material written for organizations, community leaders, and local law enforcement. The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private.
The SSA and the federal regulatory agencies are among the many other government bodies that also play a significant role in educating consumers on how to protect themselves. For example, the SSA added a message to its SSN verification printout warning the public not to share their SSNs with others. This warning was especially timely in the aftermath of Hurricane Katrina, which necessitated the issuance of a large number of those printouts. Similarly, the Senior Medicare Patrol (SMP) program, funded by U.S. Administration on Aging in the Department of Health and Human Services, uses senior volunteers to educate their peers about protecting their personal information and preventing and identifying consumer and health care fraud. The SMP program also has worked closely with the Centers for Medicare and Medicaid Services to protect seniors from new scams aimed at defrauding them of their Medicare numbers and other personal information. And the U.S. Postal Inspection Service has produced a number of consumer education materials, including several videos, alerting the public to the problems associated with identity theft.
Significant consumer education efforts also are taking place at the state level. Nearly all of the state Attorneys General offer information on the prevention and remediation of identity theft on their websites, and several states have conducted conferences and workshops focused on education and training in privacy protection and identity theft prevention. Over the past year, the Attorney General of Illinois and the Governors of New Mexico and California have hosted summit meetings, bringing together law enforcement, educators, victims’ coordinators, consumer advocates, and the business community to develop better strategies for educating the public and fighting identity theft. The National Governors Association convened the National Strategic Policy Council on Cyber and Electronic Crime in September 2006 to trigger a coordinated education and prevention effort by federal, state, and local policymakers. The New York State Consumer Protection Board has conducted “Consumer Action Days,” with free seminars about identity theft and other consumer protection issues.
Police departments also provide consumer education to their communities. Many departments have developed materials and make them available in police stations, in city government buildings, and on websites.64 As of this writing, more than 500 local police departments are using the FTC’s “Deter, Detect, Defend” campaign materials to teach their communities about identity theft. Other groups, including the National Apartment Association and the National Association of Realtors, also have promoted this campaign by distributing the materials to their membership.
Although most educational material is directed at consumers in general, some is aimed at and tailored to specific target groups. One such group is college students. For several reasons—including the vast amounts of personal data that colleges maintain about them and their tendency to keep personal data unguarded in shared dormitory rooms—students are frequent targets of identity thieves. According to one report, one-third to one-half of all reported personal information breaches in 2006 have occurred at colleges and universities.65 In recognition of the increased vulnerability of this population, many universities are providing information to their students about the risks of identity theft through websites, orientation campaigns, and seminars.66
Federal, state, and local government agencies provide a great deal of identity theft-related information to the public through the Internet, printed materials, DVDs, and in-person presentations. The messages the agencies provide—how to protect personal information, how to recognize a potential problem, where to report a theft, and how to deal with the aftermath—are echoed by industry, law enforcement, advocates, and the media. See Volume II, Part F, for a description of private sector consumer education efforts. But there is little coordination among the agencies on current education programs. Dissemination in some cases is random, information is limited, and evaluation of effectiveness is almost nonexistent. Although a great deal of useful information is being disseminated, the extent to which the messages are reaching, engaging, or motivating consumers is unclear.
RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC AWARENESS CAMPAIGN
Because consumer education is a critical component of any plan to reduce the incidence of identity theft, the Task Force recommends that member agencies, in the third quarter of 2007, initiate a multi-year national public awareness campaign that builds on the FTC’s current “AvoID Theft: Deter, Detect, Defend” campaign, developed pursuant to direction in the FACT Act. This campaign should include the following elements:
Develop a Broad Awareness Campaign. By broadening the current FTC campaign into a multi-year awareness campaign, and by engaging the Ad Council or similar entities as partners, important and empowering messages should be disseminated more widely and by more partners. The campaign should include public service announcements on the Internet, radio, and television, and in newspapers and magazines, and should address the issue from a variety of perspectives, from prevention through mitigation and remediation, and reach a variety of audiences.
Enlist Outreach Partners. The agencies conducting the campaign should enlist as outreach partners national organizations either that have been active in helping consumers protect themselves against identity theft, such as the AARP, the Identity Theft Resource Center (ITRC), and the Privacy Rights Clearinghouse (PRC), or that may be well-situated to help in this area, such as the White House Office of Faith-Based and Community Initiatives.
Increase Outreach to Traditionally Underserved Communities. Outreach to underserved communities should include encouraging language translations of existing materials and involving community-based organizations as partners.
Establish “Protect Your Identity Days.” The campaign should establish “Protect Your Identity Days” to promote better data security by businesses and individual commitment to security by consumers. These “Protect Your Identity Days” should also build on the popularity of community “shred-ins” by encouraging community and business organizations to shred documents containing personal information.
RECOMMENDATION: DEVELOP AN ONLINE “CLEARINGHOUSE” FOR CURRENT EDUCATIONAL RESOURCES
The Task Force recommends that, in the third quarter of 2007, the Task Force member agencies develop an online “clearinghouse” for current identity theft educational resources for consumers, businesses, and law enforcement from a variety of sources at www.idtheft.gov. This would make the materials immediately available in one place to any public or private entity willing to launch an education program, and to any citizen interested in accessing the information. Rather than recreate content, entities could link directly to the clearinghouse for timely and accurate information. Educational materials should be added to the website on an ongoing basis.
B. PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA
Keeping valuable consumer data out of the hands of criminals is the first step in reducing the incidence of identity theft. But, because no security is perfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they do manage to steal.
An identity thief who wants to open new accounts in a victim’s name must be able to (1) provide identifying information to enable the creditor or other grantor of benefits to access information on which to base an eligibility decision, and (2) convince the creditor or other grantor of benefits that he is, in fact, the person he purports to be. For example, a credit card grantor processing an application for a credit card will use the SSN to access the consumer’s credit report to check his creditworthiness, and may rely on photo documents, the SSN, and/or other proof to access other sources of information intended to “verify” the applicant’s identity. Thus, the SSN is a critical piece of information for the thief, and its wide availability increases the risk of identity theft.
Identity systems follow a two-fold process: first, determining (“identification”) and setting (“enrollment”) the identity of an individual at the onset of the relationship; and second, later ensuring that the individual is the same person who was initially enrolled (“authentication”). With the exception of banks, savings associations, credit unions, some broker-dealers, mutual funds, futures commission merchants, and introducing brokers (collectively, “financial institutions”), there is no generally-applicable legal obligation on private sector entities to use any particular means of identification. Financial institutions are required to follow certain verification procedures pursuant to regulations promulgated by the federal bank regulatory agencies, the Department of Treasury, the SEC, and the CFTC under the USA PATRIOT Act.67 The regulations require these financial institutions to establish a Customer Identification Program (CIP) specifying identifying information that will be obtained from each customer when accounts are opened (which must include, at a minimum, name, date of birth, address, and an identification number such as an SSN). The CIP requirement is intended to ensure that financial institutions form a reasonable belief that they know the true identity of each customer who opens an account. The government, too, is making efforts to implement new identification mechanisms. For example, REAL ID is a nationwide effort intended to prevent terrorism, reduce fraud, and improve the reliability and accuracy of identification documents that state governments issue.68 See Volume II, Part G, for a description of recent laws relating to identification documents.
The verification process can fail, however, in a number of ways. First, identity documents may be falsified. Second, checking the identifying information against other verifying sources of information can produce varying results, depending on the accuracy of the initial information presented and the accuracy or quality of the verifying sources. The process also can fail because employees are trained improperly or fail to follow proper procedures. Identity thieves exploit each of these opportunities to circumvent the verification process.69
Once an individual’s identity has been verified, it must be authenticated each time he wants the access for which he was initially verified, such as access to a bank account. Generally, businesses authenticate an individual by requiring him to present some sort of credential to prove that he is the same individual whose identity was originally verified. A credential is generally one or more of the following:
• Something a person knows—most commonly a password, but also may be a query that requires specific knowledge only the customer is likely to have, such as the exact amount of the customer’s monthly mortgage payment.
• Something a person has—most commonly a physical device, such as a Universal Serial Bus (USB) token, a smart card, or a password-generating device.70
• Something a person is—most commonly a physical characteristic, such as a fingerprint, iris, face, and hand geometry. This type of authentication is referred to as biometrics.71
Some entities use a single form of authentication—most commonly a password—but if it is compromised, there are no other fail-safes in the system. To address this problem, the federal bank regulatory agencies issued guidance promoting stronger customer authentication methods for certain high-risk transactions. Such methods are to include the use of multi-factor authentication, layered security, or other similar controls reasonably calculated to mitigate the exposure from any transactions that are identified as high-risk. The guidance more broadly provides that banks, savings associations, and credit unions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing Internet-based financial services.72 Financial institutions covered by the guidance were advised that the agencies expected them to have completed the risk assessment and implemented risk mitigation activities by year-end 2006.73 Along with the financial services industry, other industries have begun to implement new authentication procedures using different types of credentials.
SSNs have many advantages and are widely used in our current marketplace to match consumers with their records (including their credit files) and as part of the authentication process. Keeping the authentication process convenient for consumers and credit grantors without making it too easy for criminals to impersonate consumers requires a fine balance. Notwithstanding improvements in certain industries and companies, efforts to facilitate the development of better ways to authenticate consumers without undue burden would help prevent criminals from profiting from their crime.
RECOMMENDATION: HOLD WORKSHOPS ON AUTHENTICATION
Because developing more reliable methods of authenticating the identities of individuals would make it harder for identity thieves to open new accounts or access existing accounts using other individuals’ information, the Task Force will hold a workshop or series of workshops, involving academics, industry, and entrepreneurs, focused on developing and promoting improved means of authenticating the identities of individuals. These experts will discuss the existing problem and examine the limitations of current processes of authentication. With that information, the Task Force will probe viable technological and other solutions that will reduce identity fraud, and identify needs for future research. Such workshops have been successful in developing creative and timely responses to consumer protection issues, and the workshops are expected to be useful for both the private and public sectors. For example, the federal government has an interest as a facilitator of the development of new technologies and in implementing technologies that better protect the data it handles in providing benefits and services, and as an employer.
As noted in the Task Force’s interim recommendations to the President, the FTC and other Task Force member agencies will host the first such workshop in the second quarter of 2007. The Task Force also recommends that a report be issued or subsequent workshops be held to report on any proposals or best practices identified during the workshop series.
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
As noted in Section III.A.1 above, the Task Force recommends developing a comprehensive record on the uses of the SSN in the private sector and evaluating their necessity.
C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES
Because identity theft can be committed despite the best of precautions, an essential step in the fight against this crime is ensuring that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process. Currently, consumers have a number of rights and available resources, but they may not be aware of them.
1. Victim Assistance: Outreach and Education
Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the harms they suffer. For example, under the FACT Act, victims can: (1) place alerts on their credit files; (2) request copies of applications and other documents used by the thief; (3) request that the credit reporting agencies block fraudulent trade lines on credit reports; and (4) obtain information on the fraudulent accounts from debt collectors.
In some cases, the recovery process is relatively straightforward. Consumers whose credit card numbers have been used to make unauthorized purchases, for example, typically can get the charges removed without undue burden. In other cases, however, such as those involving new-account fraud, recovery can be an ordeal.
Widely-available guidance advises consumers of steps to take if they have become victims of identity theft, or if their personal information has been breached. For example, the FTC’s website, www.ftc.gov/idtheft, contains step-by-step recovery information for victims, as well as for those who may be at risk following a compromise of their data. Many other agencies and organizations link directly to the FTC site and themselves provide education and assistance to victims.
Fair and Accurate Credit Transaction Act (FACT Act) Rights
The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair Credit Reporting Act that provide a number of new tools for victims to recover from identity theft. These include the right to place a fraud alert with the credit reporting agencies and receive a free copy of the credit report. An initial alert lasts for 90 days. A victim with an identity theft report documenting actual misuse of the consumer information is entitled to place a 7-year alert on his file. In addition, under the FACT Act, victims can request copies of documents relating to fraudulent transactions, and can obtain information from a debt collector regarding a debt fraudulently incurred in the victim’s name. Victims who have a police report also can ask that fraudulent accounts be blocked from their credit report, and can prevent businesses from reporting information that resulted from identity theft to the credit reporting agencies.
Identity theft victims, and consumers who suspect that they may become victims because of lost data, are advised to act quickly to prevent or minimize harm. The steps are straightforward:
• Contact one of the three major credit reporting agencies to place a fraud alert on their credit file. The agencies are required to transmit this information to the other two companies. Consumers who place this 90-day alert are entitled to a free copy of their credit report. Fraud alerts are most useful when a consumer’s SSN is compromised, creating the risk of new account fraud.
• Contact any creditors where fraudulent accounts were opened or charges were made to dispute these transactions, and follow up in writing.
• Report actual incidents of identity theft to the local police department and obtain a copy of the police report. This document will be essential to exercising other remedies.
• Report the identity theft incident to the ID Theft Data Clearinghouse by filing a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The complaint will be entered into the Clearinghouse and shared with the law enforcement agencies who use the database to investigate and prosecute identity crimes.
• Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report from a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.
State governments also provide assistance to victims. State consumer protection agencies, privacy agencies, and state Attorneys General provide victim information and guidance on their websites, and some provide personal assistance as well. A number of states have established hotlines, counseling, and other assistance for victims of identity theft. For example, the Illinois Attorney General’s office has implemented an Identity Theft Hotline; each caller is assigned a consumer advocate to assist with the recovery process and to help prevent further victimization.
A number of private sector organizations also provide critical victim assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse (PRC) and the Identity Theft Resource Center (ITRC) offer counseling and assistance for identity theft victims who need help in going through the recovery process. The Identity Theft Assistance Center (ITAC), a victim assistance program established by the financial services industry, has helped approximately 13,000 victims resolve problems with disputed accounts and other fraud related to identity theft since its founding in 2004. Finally, many individual companies have established hotlines, distributed materials, and provided special services for customers whose information has been misused. Indeed, some companies rely on their identity theft services as marketing tools.
Despite this substantial effort by the public and private sectors to educate and assist victims, there is room for improvement. Many victims are not aware, or do not take advantage, of the resources available to them. For example, while the FTC receives roughly 250,000 contacts from victims every year, that number is only a small percentage of all identity theft victims. Moreover, although first responders could be a key resource for identity theft victims, the first responders often are overworked and may not have the information that they need about the steps for victim recovery. It is essential, therefore, that public and private outreach efforts be expanded, better coordinated, and better funded.
RECOMMENDATION: PROVIDE SPECIALIZED TRAINING ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY THEFT VICTIMS
First responders and others who provide direct assistance and support to identity theft victims must be adequately trained. Accordingly, the Task Force recommends the following:
Train Local Law Enforcement Officers. By the third quarter of 2007, federal law enforcement agencies, which could include the U.S. Postal Inspection Service, the FBI, the Secret Service, and the FTC, should conduct training seminars—delivered in person, online, or via video—for local law enforcement officers on available resources and providing assistance for victims.
Provide Educational Materials for First Responders That Can Be Readily Used as a Reference Guide for Identity Theft Victims. During the third quarter of 2007, the FTC and DOJ should develop a reference guide, which should include contact information for resources and information on first steps to recovery, and should make that guide available to law enforcement officers through the online clearinghouse at www.idtheft.gov. Such guidance would assist first responders in directing victims on their way to recovery.
Distribute an Identity Theft Victim Statement of Rights. Federal law provides substantial assistance to victims of identity theft. From obtaining a police report to blocking fraudulent accounts in a credit report, consumers—as well as law enforcement, private businesses, and other parties involved in the recovery process—need to know what remedies are available. Accordingly, the Task Force recommends that, during the third quarter of 2007, the FTC draft an ID Theft Victim Statement of Rights, a short and simple statement of the basic rights victims possess under current law. This document should then be disseminated to victims through law enforcement, the financial sector, and advocacy groups, and posted at www.idtheft.gov.
Develop Nationwide Training for Victim Assistance Counselors. Crime victims receive assistance through a wide array of federal and state-sponsored programs, as well as nonprofit organizations. Additionally, every United States Attorney’s Office in the country has a victim-witness coordinator who is responsible for referring crime victims to the appropriate resources to resolve harms that resulted from the misuse of their information. All of these counselors should be trained to respond to the specific needs of identity theft victims, including assisting them in coping with the financial and emotional impact of identity crime. Therefore, the Task Force recommends that a standardized training curriculum for victim assistance be developed and promoted through a nationwide training campaign, including through DOJ’s Office for Victims of Crime (OVC). Already, OVC has begun organizing training workshops, the first of which was held in December 2006. These workshops are intended to train not only victim-witness coordinators from U.S. Attorney’s Offices, but also state, tribal, and local victim service providers. The program will help advocates learn how to assist victims in self-advocacy and how and when to intervene in a victim’s recovery process. Training topics will include helping victims deal with the economic and emotional ramifications of identity theft, assisting victims with understanding how an identity theft case proceeds through the criminal justice system, and identity theft laws. Additional workshops should be held in 2007.
RECOMMENDATION: DEVELOP AVENUES FOR INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS
Although many victims are able to resolve their identity theft-related issues without assistance, some individuals would benefit from individualized counseling. The availability of personalized assistance should be increased through national service organizations, such as those using retired seniors or similar groups, and pro bono activities by lawyers, such as those organized by the American Bar Association (ABA). In offering individualized assistance to identity theft victims, these organizations and programs should use the victim resource guides that are already available through the FTC and DOJ’s Office for Victims of Crime. Specifically, the Task Force also recommends the following:
Engage the American Bar Association to Develop a Program Focusing on Assisting Identity Theft Victims with Recovery. The ABA has expertise in coordinating legal representation in specific areas of practice through law firm volunteers. Moreover, law firms have the resources and expertise to staff an effort to assist victims of identity theft. Accordingly, the Task Force recommends that, beginning in 2007, the ABA, with assistance from the Department of Justice, develop a pro bono referral program focusing on assisting identity theft victims with recovery.
2. Making Identity Theft Victims Whole
Identity theft inflicts many kinds of harm upon its victims, making it difficult for them to feel that they ever will recover fully. Beyond tangible forms of harm, statistics cannot adequately convey the emotional toll that identity theft often exacts on its victims, who frequently report feelings of violation, anger, anxiety, betrayal of trust, and even self-blame or hopelessness. These feelings may continue, or even increase, as victims work through the credit recovery and criminal justice processes. Embarrassment, cultural factors, or personal or family circumstances (e.g., if the victim has a relationship to the identity thief) may keep the victims from reporting the problem to law enforcement, in turn making them ineligible to take advantage of certain remedies. Often, these reactions are intensified by the ongoing, long-term nature of the crime. Criminals may not stop committing identity theft after having been caught; they simply use information against the same individual in a new way, or they sell the information so that multiple identity thieves can use it. Even when the fraudulent activity ceases, the effects of negative information on the victim’s credit report can continue for years.
The many hours victims spend in attempting to recover from the harms they suffer often take a toll on victims that is not reflected in their monetary losses. One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to recover from the offense, including having to correct credit reports, dispute charges with individual creditors, close and reopen bank accounts, and monitor credit reports for future problems arising from the theft.
“I received delinquent bills for purchases she [the suspect] made. I spent countless hours on calls with creditors in Texas who were reluctant to believe that the accounts that had been opened were fraudulent. I spent days talking to police in Texas in an effort to convince them that I was allowed by Texas law to file a report and have her [the suspect] charged with the theft of my identity. I had to send more than 50 letters to the creditors to have them remove the more than 60 inquiries that were made by this woman.”
Nicole Robinson, Testimony before House Ways and Means Committee, Subcommittee on Social Security, May 22, 2001
In addition to losing time and money, some identity theft victims suffer the indignity of being mistaken for the criminal who stole their identities, and have been wrongfully arrested.74 In one case, a victim’s driver’s license was stolen, and the information from the license was used to open a fraudulent bank account and to write more than $10,000 in bad checks. The victim herself was arrested when local authorities thought she was the criminal. In addition to the resulting feelings of trauma, this type of harm is a particularly difficult one for an identity theft victim to resolve.
RECOMMENDATION: AMEND CRIMINAL RESTITUTION STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE HARMS THEY SUFFERED
Restitution to victims from convicted thieves is available for the direct financial costs of identity theft offenses. However, there is no specific provision in the federal restitution statutes for compensation for the time spent by victims recovering from the crime, and court decisions interpreting the statutes suggest that such recovery would be precluded.
As stated in the Task Force’s interim recommendations to the President, the Task Force recommends that Congress amend the federal criminal restitution statutes to allow for restitution from a criminal defendant to an identity theft victim, in an amount equal to the value of the victim’s time reasonably spent attempting to remediate the intended or actual harm incurred from the identity theft offense. The language of the proposed amendment is in Appendix C. DOJ transmitted the proposed amendment to Congress on October 4, 2006.
RECOMMENDATION: EXPLORE THE DEVELOPMENT OF A NATIONAL PROGRAM ALLOWING IDENTITY THEFT VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR AUTHENTICATION PURPOSES
One of the problems faced by identity theft victims is proving that they are who they say they are. Indeed, some identity theft victims have been mistaken for the criminal who stole their identity, and have been arrested based on warrants issued for the thief who stole their personal data. To give identity theft victims a means to authenticate their identities in such a situation, several states have developed identification documents, or “passports,” that authenticate identity theft victims. These voluntary mechanisms are designed to prevent the misuse of the victim’s name in the criminal justice system when, for example, an identity thief uses his victim’s name when arrested. These documents often use multiple factors for authentication, such as biometric data and a password. The FBI has established a similar system through the National Crime Information Center, allowing identity theft victims to place their name in an “Identity File.” This program, too, is limited in scope. Beginning in 2007, the Task Force member agencies should lead an effort to study the feasibility of developing a nationwide system allowing identity theft victims to obtain a document that they can use to avoid being mistaken for the suspect who has misused their identity. The system should build on the programs already used by several states and the FBI.
3 gathering better information on the effectiveness of victim recovery measUres IdentitytheftvictimshavebeengrantedmanynewrightsinrecentyearsGatheringreliableinformationabouttheutilityof thesenewrightsiscriticaltoevaluatingwhethertheyareworkingwellorneedtobemodifiedAdditionallybecausesomestateshavemeasuresinplacetoassistidentitytheftvictimsthathavenofederalcounterpartitisimportanttoassessthesuccessof thosemeasurestodeterminewhethertheyshouldbeadoptedmorewidelyBuildingarecordof victimsrsquoexperiencesinexercisingtheirrightsisthereforecrucialtoensuringthatanystrategytofightidentitytheftiswell-supported
rECOMMENDATION ASSESS EFFICACY OF TOOLS AVAILABLE TO VICTIMS
TheTaskForcerecommendsthefollowingsurveysorassess-ments
Conduct Assessment of FACT Act remedies under FCrA TheFCRAisamongthefederallawsthatenablevictimstorestoretheirgoodnameTheFACTActamendmentstotheFCRAprovideseveralnewrightsandtoolsforactualorpotentialidentitytheftvictimsincludingtheavailabilityof creditfilefraudalertstheblockingof fraudulenttradelinesoncreditreportstherighttohavecreditorsceasefurnishinginformationrelatingtofraudulentaccountstocreditreportingagenciesandtherighttoobtainbusinessrecordsrelatingtofraudulentaccountsManyof theserightshavebeenineffectforashorttimeAccordinglytheTaskForcerecommendsthattheagencieswithenforcementauthorityforthesestatutoryprovisionsassesstheirimpactandeffectivenessthroughappropriatesurveysAgenciesshouldreportontheresultsincalendaryear2008
Conduct Assessment of State Credit Freeze Laws. Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no “track record” to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policymakers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.
D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES
The two keys to preventing identity theft are (1) preventing access to sensitive consumer information through better data security and increased education, and (2) preventing the misuse of information that may be obtained by would-be identity thieves. Should those mechanisms fail, strong criminal law enforcement is necessary to both punish and deter identity thieves.
The increased awareness about identity theft in recent years has made it necessary for many law enforcement agencies at all levels of government to devote additional resources to investigating identity theft-related crimes. The principal federal law enforcement agencies that investigate identity theft are the FBI, the United States Secret Service, the United States Postal Inspection Service, SSA OIG, and ICE. Other agencies, as well as other federal Inspectors General, also may become involved in identity theft investigations.
In investigating identity theft, law enforcement agencies use a wide range of techniques, from physical surveillance to financial analysis to computer forensics. Identity theft investigations are labor-intensive, and because no single investigator can possess all of the skill sets needed to handle each of these functions, the investigations often require multiple detectives, analysts, and agents. In addition, when a suspected identity theft involves large numbers of potential victims, investigative agencies may need additional personnel to handle victim-witness coordination and information issues.
In September 2006, the Michigan Attorney General won the conviction of a prison inmate who had orchestrated an elaborate scheme to claim tax refunds owed to low income renters through the state’s homestead property tax program. Using thousands of identities, the defendant and his cohorts were detected by alert U.S. Postal carriers who were suspicious of the large number of Treasury checks mailed to certain addresses.
During the last several years, federal and state agencies have aggressively enforced the laws that prohibit the theft of identities. All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all those jurisdictions, except Maine, identity theft can be a felony. See Volume II, Part H, for a description of state criminal law enforcement efforts. In the federal system, a wide range of statutory provisions is used to investigate and prosecute identity theft including, most notably, the aggravated identity theft statute⁷⁵ enacted in 2004, which carries a mandatory two-year prison sentence. Since then, DOJ has made increasing use of the aggravated identity theft statute: in Fiscal Year 2006, DOJ charged 507 defendants with aggravated identity theft, up from 226 defendants charged with aggravated identity theft in Fiscal Year 2005. In many of these cases, the courts have imposed substantial sentences. See Volume II, Part I, for a description of sentencing in federal identity theft prosecutions.
The Department of Justice also has initiated many special identity theft initiatives in recent years. The first of these, in May 2002, involved 73 criminal prosecutions by U.S. Attorney’s Offices against 135 individuals in 24 federal districts. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative targeting Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. See Volume II, Part J, for a description of special enforcement and prosecution initiatives.
1. Coordination and Intelligence/Information Sharing
Federal law enforcement agencies have recognized the importance of coordination among agencies, and of information sharing between law enforcement and the private sector. Coordination has been challenging, however, for several reasons: identity theft data currently reside in numerous databases; there is no standard reporting form for all identity theft complaints; and many law enforcement agencies have limited resources. Given these challenges, law enforcement has responded to the need for greater cooperation by, among other things, forming interagency task forces and developing formal intelligence-sharing mechanisms. Law enforcement also has worked to develop methods of facilitating the timely receipt and analysis of identity theft complaint data and other intelligence.
In “Operation Firewall,” the Secret Service was responsible for the first-ever takedown of a large illegal online bazaar. Using the website www.shadowcrew.com, the Shadowcrew organization had thousands of members engaged in the online trafficking of stolen identity information and documents, such as drivers’ licenses, passports, and Social Security cards, as well as stolen credit card, debit card, and bank account numbers. The Shadowcrew members trafficked in at least 17 million stolen credit card numbers and caused total losses in excess of $4 million. The Secret Service successfully shut down the website following a year-long undercover investigation, which resulted in the arrests of 21 individuals in the United States on criminal charges in October 2004. Additionally, law enforcement officers in six foreign countries arrested or searched eight individuals.
a. Sources of Identity Theft Information
Currently, federal law enforcement has a number of sources of information about identity theft. The primary source of direct consumer complaint data is the FTC, which, through its Identity Theft Clearinghouse, makes available to law enforcement through a secure website the complaints it receives. Internet-related identity theft complaints also are received by the Internet Crime Complaint Center (IC3), a joint venture of the FBI and National White Collar Crime Center. The IC3 develops case leads from the complaints it receives and sends them to law enforcement throughout the country. Additionally, a special component of the FBI that works closely with the IC3 is the Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based in Pittsburgh, facilitates the operation of the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center, by maximizing intelligence development and analytical resources from law enforcement and critical industry partners. The U.S. Postal Inspection Service also hosts its Financial Crimes Database, a web-based national database available to U.S. Postal Service inspectors for use in analyzing mail theft and identity theft complaints received from various sources. These are but a few of the sources of identity theft data for law enforcement. See Volume II, Part K, for a description of how law enforcement obtains and analyzes identity theft data.
Private sector entities—including the financial services industry and credit reporting agencies—also are important sources of identity theft information for law enforcement agencies. They often are best positioned to identify early anomalies in various components of the e-commerce environment in which their businesses interact, which may represent the earliest indicators of an identity theft scenario. For this reason and others, federal law enforcement has undertaken numerous public- and private-sector collaborations in recent years to improve information sharing. For example, corporations have placed analysts and investigators with IC3 in support of initiatives and investigations. In addition, ITAC, the cooperative initiative of the financial services industry, shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. See Volume II, Part K, for a description of other private sector sources of identity theft data. Such alliances enable critical industry experts and law enforcement agencies to work together to more expeditiously receive and process information and intelligence vital both to early identification of identity theft schemes and rapid development of aggressive investigations and mitigation strategies, such as public service advisories. At the same time, however, law enforcement agencies report that they have encountered obstacles in obtaining support and assistance from key private-sector stakeholders in some cases, absent legal process, such as subpoenas, to obtain information.
One barrier to more complete coordination is that identity theft information resides in multiple databases, even within individual law enforcement agencies. A single instance of identity theft may result in information being posted at federal, state, and local law enforcement agencies, credit reporting agencies, credit issuers, financial institutions, telecommunications companies, and regulatory agencies. This, in turn, leads to the inefficient “stove-piping” of relevant data and intelligence. Additionally, in many cases, agencies do not or cannot share information with other agencies, making it difficult to determine whether an identity theft complaint is related to a single incident or a series of incidents. This problem may be even more pronounced at the state and local levels.
b. Format for Sharing Information and Intelligence
A related issue is the inability of the primary law enforcement agencies to communicate electronically using a standard format, which greatly impedes the sharing of criminal law enforcement information. When data collection systems use different formats to describe the same event or fact, at least one of the systems must be reprogrammed to fit the other program’s terms. Where several hundred variables are involved, the programming resources required to connect the two databases can be an insurmountable barrier to data exchange.
To address that concern, several law enforcement organizations, including the International Association of Chiefs of Police’s (IACP) Private Sector Liaison Committee and the Major Cities’ Chiefs (MCC), have recommended developing a standard electronic identity theft police report form. Reports that use a standard format could be shared among law enforcement agencies and stored in a national repository for investigatory purposes.
c. Mechanisms for Sharing Information
Law enforcement uses a variety of mechanisms to facilitate information sharing and intelligence analysis in identity-theft investigations. See Volume II, Part L, for a description of federal law enforcement outreach efforts. As just one example, the Regional Information Sharing Systems (RISS) Program is a long-standing, federally-funded program to support regional law enforcement efforts to combat identity theft and other crimes. Within that program, law enforcement has established intelligence-sharing systems. These include, for example, the Regional Identity Theft Network (RITNET), created to provide Internet-accessible identity theft information for federal, state, and local law enforcement agencies within the Eastern District of Pennsylvania. RITNET is designed to include data from the FTC, law enforcement agencies, and the banking industry, and allow investigators to connect crimes committed in various jurisdictions and link investigators. It also will collect information on all reported frauds, regardless of size, thereby eliminating the advantage identity thieves have in keeping theft amounts low.
Multi-agency working groups and task forces are another successful investigative approach, allowing different agencies to marshal resources, share intelligence, and coordinate activities. Federal authorities lead or co-lead over 90 task forces and working groups devoted (in whole or in part) to identity theft. See Volume II, Part M, for a description of interagency working groups and task forces.
Despite these efforts, coordination among agencies can be improved. Better coordination would help law enforcement officers “connect the dots” in investigations and pool limited resources.
RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY THEFT LAW ENFORCEMENT CENTER
The Task Force recommends that the federal government establish, as resources permit, an interagency National Identity Theft Law Enforcement Center to better consolidate, analyze, and share identity theft information among law enforcement agencies, regulatory agencies, and the private sector. This effort should be led by the Department of Justice and include representatives of federal law enforcement agencies, including the FBI, the Secret Service, the U.S. Postal Inspection Service, the SSA OIG, and the FTC. Leveraging existing resources, increased emphasis should be placed on the analysis of identity theft complaint data and other information and intelligence related to identity theft from public and private sources, including from identity theft investigations. This information should be made available to appropriate law enforcement at all levels to aid in the investigation, prosecution, and prevention of identity theft crimes, including to target organized groups of identity thieves and the most serious offenders operating both in the United States and abroad. Effective mechanisms that enable law enforcement officers from around the country to share, access, and search appropriate law enforcement information around-the-clock, including through remote access, should also be developed. As an example, intelligence from documents seized during investigations could help facilitate the ability of agents and officers to “connect the dots” between various investigations around the country.
In a case prosecuted by the United States Attorney’s Office for the Eastern District of Pennsylvania, a gang purchased 180 properties using false or stolen names. The thieves colluded to procure inflated appraisals for the properties, obtained financing, and drained the excess profits for their own benefit, resulting in harm to the identity theft victims and to the neighborhood when most of the properties went into foreclosure.
RECOMMENDATION: DEVELOP AND PROMOTE THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT REPORT FORM
The Task Force recommended in its interim recommendations that the federal government, led by the FTC, develop and promote a universal police report like that recommended by the IACP and MCC—a standard document that an identity theft victim could complete, print, and take to any local law enforcement agency for verification and incorporation into the police department’s report system. This would make it easier for victims to obtain these reports, facilitate entry of the information into a central database that could be used by law enforcement to analyze patterns and trends, and initiate more investigations of identity theft.
Criminal law enforcers, the FTC, and representatives of financial institutions, the consumer data industry, and consumer advocacy groups have worked together to develop a standard form that meets this need and captures essential information. The resulting Identity Theft Complaint (“Complaint”) form was made available in October 2006 via the FTC’s Identity Theft website, www.ftc.gov/idtheft. Consumers can print copies of their completed Complaint and take it to their police station, where it can be used as the basis for a police report. The Complaint provides much greater specificity about the details of the crime than would a typical police report, so consumers will be able to submit it to credit reporting agencies and creditors to assist in resolving their identity theft-related problems. Further, the information they enter into the Complaint will be collected in the FTC’s Identity Theft Data Clearinghouse, thus enriching this source of consumer complaints for law enforcement. This system also relieves the burden on local law enforcement because consumers are completing the detailed Complaint before filing their police report.
RECOMMENDATION: ENHANCE INFORMATION SHARING BETWEEN LAW ENFORCEMENT AND THE PRIVATE SECTOR
Because the private sector in general, and financial institutions in particular, are an important source of identity theft-related information for law enforcement, the Task Force recommends the following steps to enhance information sharing between law enforcement and the private sector:
Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service’s current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.
Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim’s credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.
2. Coordination with Foreign Law Enforcement
Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.
Because of the international nature of many forms of identity theft, providing assistance to, and receiving assistance from, foreign law enforcement on identity theft is critical for U.S. enforcement agencies. Under current law, the United States generally is able to provide such assistance, which fulfills our obligations under various treaties and enhances our ability to obtain reciprocal assistance from foreign agencies. Indeed, there are numerous examples of collaborations between U.S. and foreign law enforcement in identity theft investigations.
Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country’s law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.
Second, certain statutes governing foreign requests for electronic and other evidence—specifically 18 U.S.C. § 2703 and 28 U.S.C. § 1782—fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.
The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.
RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT
The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.
RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE
Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention’s standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings and should continue until broad international acceptance of the Convention on Cybercrime is achieved.
RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES
Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.
RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT’S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT
The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).
RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT
Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.
3. Prosecution Approaches and Initiatives
As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney’s Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney’s Office in the District of Oregon has an identity theft “fast track” program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney’s Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.
Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney’s Offices have monetary thresholds—i.e., requirements that a certain amount of monetary loss must have been suffered by the victims—before the U.S. Attorney’s Office will open an identity theft case. When a U.S. Attorney’s Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.
RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT
The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:
Designate An Identity Theft Coordinator for Each United States Attorney’s Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney’s Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.
Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney’s Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.
Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.
Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.
RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES
Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:
Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals’ SSNs or other sensitive information to anyone who provides them with the individual’s name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.
Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries’ and providers’ identities and identification numbers, the opening of bank accounts in individuals’ names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners, and suppliers, can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.
Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.
RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS
By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.
4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps
Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.
a. The Identity Theft Statutes
The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.[76] Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.
There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of “a person,” it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization’s name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.
b. Computer-Related Identity Theft Statutes
Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company’s internal local networks or by a thief intruding into a wireless network generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer’s wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney’s Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.
A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause “damage” to computers, i.e., that impair the “integrity or availability” of data or computer systems.[77] Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals’ computers. Whether the programs succeed in obtaining the unsuspecting computer owner’s financial data, these sorts of programs harm the “integrity” of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.
c. Cyber-Extortion Statute
Another federal criminal statute that may apply in some computer-related identity theft cases is the “cyber-extortion” provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat “to cause damage to a protected computer,”[78] is used to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first—such as by accessing a corporate computer without authority and encrypting critical data—and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly “threaten to cause damage” can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.
d. Sentencing Guidelines Governing Identity Theft
In recent years, the courts have created some uncertainty about the applicability of the “multiple victim enhancement” provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.[79]
RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES
The Task Force recommends that Congress take the following legislative actions:
Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted: Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.
Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses: The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases—mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A—in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.
Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications: The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.
Penalize Malicious Spyware and Keyloggers: The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant’s action must cause “damage” to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.
Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion: The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.
RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF’S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM
The Sentencing Commission should amend the definition of “victim,” as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.
5. Training of Law Enforcement Officers and Prosecutors
Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney’s Offices, for example, several federal law enforcement agencies—including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI—along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.
Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges—including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft—that warrant more specialized training at all levels of law enforcement.
RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS
Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft: By the third quarter of 2007, DOJ’s Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any “model programs”—fast track programs, etc.).
Increase Number of Regional Identity Theft Seminars: In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.
Increase Resources for Law Enforcement Available on the Internet: The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.
Review Curricula to Enhance Basic and Advanced Training on Identity Theft: By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.
6. Measuring Success of Law Enforcement Efforts
One shortcoming in the federal government’s ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.
Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.
RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM’S RESPONSE TO IDENTITY THEFT
Gather and Analyze Statistically Reliable Data from Identity Theft Victims: The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.
Expand Scope of National Crime Victimization Survey (NCVS): The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.
Review of Sentencing Commission Data: DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.
Track Prosecutions of Identity Theft and the Amount of Resources Spent: In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an “Identity Theft” category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.
Conduct Targeted Surveys: In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.
IV. Conclusion: The Way Forward
There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.
Only a comprehensive and fully coordinated strategy to combat identity theft—one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector—will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders—consumers, business, and government—must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well being.
Appendices
APPENDIX A: Identity Theft Task Force’s Guidance Memorandum on Data Breach Protocol
APPENDIX B: Proposed Routine Use Language
Subsection (b)(3) of the Privacy Act provides that information from an agency’s system of records may be disclosed without a subject individual’s consent if the disclosure is “for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section.” 5 U.S.C. § 552a(b)(3). Subsection (a)(7) of the Act states that “the term ‘routine use’ means, with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). The Office of Management and Budget, which pursuant to subsection (v) of the Privacy Act has guidance and oversight responsibility for the implementation of the Act by federal agencies, has advised that the compatibility concept encompasses (1) functionally equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg. 12,990, 12,993 (Apr. 20, 1987). In recognition of and in accordance with the Act’s legislative history, OMB in its initial Privacy Act guidance stated that “[t]he term routine use recognizes that there are corollary purposes ‘compatible with the purpose for which [the information] was collected’ that are appropriate and necessary for the efficient conduct of government and in the best interest of both the individual and the public.” 40 Fed. Reg. 28,948, 28,953 (July 9, 1975). A routine use to provide for disclosure in connection with response and remedial efforts in the event of a breach of federal data would certainly qualify as such a necessary and proper use of information—a use that is in the best interest of both the individual and the public.
Subsection (e)(4)(D) of the Privacy Act requires that agencies publish notification in the Federal Register of “each routine use of the records contained in the system, including the categories of users and the purpose of such use.” 5 U.S.C. § 552a(e)(4)(D). The Department of Justice has developed the following routine use that it plans to apply to its Privacy Act systems of records, and which allows for disclosure as follows:[80]
To appropriate agencies, entities, and persons when (1) the Department suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Department has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by the Department or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.
Agencies should already have a published system of records notice for each of their Privacy Act systems of records. To add a new routine use to an agency’s existing systems of records, an agency must simply publish a notice in the Federal Register amending its existing systems of records to include the new routine use.
Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal Register notice of any new routine use at least 30 days prior to its use and “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.” 5 U.S.C. § 552a(e)(11). Additionally, subsection (r) of the Act requires that an agency provide Congress and OMB with “adequate advance notice” of any proposal to make a “significant change in a system of records.” 5 U.S.C. § 552a(r). OMB has stated that the addition of a routine use qualifies as a significant change that must be reported to Congress and OMB, and that such notice is to be provided at least 40 days prior to the alteration. See Appendix I to OMB Circular No. A-130—Federal Agency Responsibilities for Maintaining Records About Individuals, 61 Fed. Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication, the agency would send it to the Federal Register, OMB, and Congress, usually simultaneously, and the proposed change to the system (i.e., the new routine use) would become effective 40 days thereafter. See id. at 6438 (regarding timing of systems of records reports and noting that notice and comment period for routine uses and period for OMB and congressional review may run concurrently). Recognizing that each agency likely will receive different types of comments in response to its notice, the Task Force recommends that OMB work to ensure accuracy and consistency across the range of agency responses to public comments.
APPENDIX C: Text of Amendments to 18 U.S.C. §§ 3663(b) and 3663A(b)
Proposed Language
(a) Section 3663 of Title 18, United States Code, is amended by:
(1) Deleting “and” at the end of paragraph (4) of subsection (b);
(2) Deleting the period at the end of paragraph (5) of subsection (b) and inserting in lieu thereof “; and”; and
(3) Adding the following after paragraph (5) of subsection (b):
“(6) in the case of an offense under sections 1028(a)(7) or 1028A(a) of this title, pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”
Make conforming changes to the following:
(b) Section 3663A of Title 18, United States Code, is amended by:
(1) Adding the following after Section 3663A(b)(4):
“(5) in the case of an offense under this title, section 1028(a)(7) or 1028A(a), pay an amount equal to the value of the victim’s time reasonably spent in an attempt to remediate intended or actual harm incurred from the offense.”
Section Analysis
These new subsections provide that defendants may be ordered to pay restitution to victims of identity theft and aggravated identity theft for the value of the victim’s time spent remediating the actual or intended harm of the offense. Restitution could therefore include an amount equal to the value of the victim’s time spent clearing a victim’s credit report or resolving charges made by the perpetrator for which the victim has been made responsible.
New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear that restitution orders may include an amount equal to the value of the victim’s time spent remediating the actual or intended harm of the identity theft or aggravated identity theft offense. The federal courts of appeals have interpreted the existing provisions of Section 3663 in such a way that would likely preclude the recovery of such amounts, absent explicit statutory authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th Cir. 1990), the court held that restitution ordered for offenses resulting in loss of property must be limited to recovery of property which is the subject of the offenses, and may not include consequential damages. Similarly, in United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held that the list of compensable expenses in a restitution statute is exclusive, and thus the district court did not have the authority to order the defendant to pay restitution to compensate the victim for mental anguish and suffering. Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court held that restitution was not allowed for consequential damages involved in determining the amount of loss or in recovering those funds; thus, a victim of wire fraud was not entitled to restitution for accounting fees and costs to reconstruct bank statements for the time period during which the defendant perpetuated the scheme, for the cost of temporary employees to reconstruct monthly bank statements, and for the costs incurred in borrowing funds to replace stolen funds. These new subsections will provide statutory authority for inclusion of amounts equal to the value of the victim’s time reasonably spent remediating the harm incurred as a result of the identity theft offense.
APPENDIX D: Text of Amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and Text of New Language for 18 U.S.C. § 3512
The basis for these proposals is set forth in Section III.2 of the strategic plan, which describes coordination with foreign law enforcement.
Proposed Language
§ 2703. Required disclosure of customer communications or records
(a) Contents of wire or electronic communications in electronic storage.—A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or an equivalent State warrant. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.
(b) Contents of wire or electronic communications in a remote computing service.—(1) A governmental entity may require a provider of remote computing service to disclose the contents of any wire or electronic communication to which this paragraph is made applicable by paragraph (2) of this subsection—
(A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant; or
(B) with prior notice from the governmental entity to the subscriber or customer if the governmental entity—
(i) uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or
(ii) obtains a court order for such disclosure under subsection (d) of this section;
except that delayed notice may be given pursuant to section 2705 of this title.
(c) Records concerning electronic communication service or remote computing service.—(1) A governmental entity may require a provider of electronic communication service or remote computing service to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity—
(A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation by a court of competent jurisdiction or equivalent State warrant;
§ 2711. Definitions for chapter
As used in this chapter—
(1) the terms defined in section 2510 of this title have, respectively, the definitions given such terms in that section;
(2) the term “remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system; and
(3) the term “court of competent jurisdiction” has the meaning assigned by section 3127, and includes any Federal court within that definition, without geographic limitation means—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals that –
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located or in which the wire or electronic communications, records, or other information are stored; or
(iii) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to issue search warrants.
§ 3127. Definitions for chapter
As used in this chapter—
(1) the terms “wire communication,” “electronic communication,” “electronic communication service,” and “contents” have the meanings set forth for such terms in section 2510 of this title;
(2) the term “court of competent jurisdiction” means—
(A) any district court of the United States (including a magistrate judge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated that –
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic communication service is located;
(iii) is in or for a district in which a landlord, custodian, or other person subject to 3124(a) or (b) is located; or
(iv) is acting on a request for foreign assistance pursuant to section 3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trap and trace device.
§ 3512. Foreign requests for assistance in criminal investigations and prosecutions
(a) Upon application of an attorney for the government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including but not limited to proceedings regarding forfeiture, sentencing, and restitution. Such orders may include the issuance of a search warrant as provided under Rule 41 of the Federal Rules of Criminal Procedure, a warrant or order for contents of stored wire or electronic communications or for records related thereto as provided under 18 U.S.C. § 2703, an order for a pen register or trap and trace device as provided under 18 U.S.C. § 3123, or an order requiring the appearance of a person for the purpose of providing testimony or a statement, or requiring the production of documents or other things, or both.
(b) In response to an application for execution of a request from a foreign authority as described in subsection (a), a Federal judge may also issue an order appointing a person to direct the taking of testimony or statements or of the production of documents or other things, or both. A person so appointed may be authorized to –
(1) issue orders requiring the appearance of a person, or the production of documents or other things, or both;
(2) administer any necessary oath; and
(3) take testimony or statements and receive documents or other things.
(c) Except as provided in subsection (d), an application for execution of a request from a foreign authority under this section may be filed –
(1) in the district in which a person who may be required to appear resides or is located or in which the documents or things to be produced are located;
(2) in cases in which the request seeks the appearance of persons or production of documents or things that may be located in multiple districts, in any one of the districts in which such a person, documents, or things may be located; or
(3) in any case, the district in which a related Federal criminal investigation or prosecution is being conducted, or in the District of Columbia.
(d) An application for a search warrant under this section, other than an application for a warrant issued as provided under 18 U.S.C. § 2703, must be filed in the district in which the place or person to be searched is located.
(e) A search warrant may be issued under this section only if the foreign offense for which the evidence is sought involves conduct that, if committed in the United States, would be considered an offense punishable by imprisonment for more than one year under federal or state law.
(f) Except as provided in subsection (d), an order or warrant issued pursuant to this section may be served or executed in any place in the United States.
(g) This section does not preclude any foreign authority or an interested person from obtaining assistance in a criminal investigation or prosecution pursuant to 28 U.S.C. § 1782.
(h) As used in this section –
(1) the term “foreign authority” means a foreign judicial authority, a foreign authority responsible for the investigation or prosecution of criminal offenses or for proceedings related to the prosecution of criminal offenses, or an authority designated as a competent authority or central authority for the purpose of making requests for assistance pursuant to an agreement or treaty with the United States regarding assistance in criminal matters; and
(2) the terms “Federal judge” and “attorney for the Government” have the meaning given such terms for the purposes of the Federal Rules of Criminal Procedure.
APPENDIX E: Text of Amendments to 18 U.S.C. §§ 1028 and 1028A
The basis for these proposed amendments is set forth in Section III.D.4.a of the strategic plan, which describes gaps in the identity theft statutes.
Proposed Amendment to Aggravated Identity Theft Statute to Add Predicate Offenses
Congress should amend the aggravated identity theft offense (18 U.S.C. § 1028A) to include other federal offenses that recur in various identity-theft and fraud cases, specifically, mail theft (18 U.S.C. § 1708), uttering counterfeit securities (18 U.S.C. § 513), and tax fraud (26 U.S.C. §§ 7201, 7206, and 7207), as well as conspiracy to commit specified felonies already listed in section 1028A—in the statutory list of predicate offenses for that offense (18 U.S.C. § 1028A(c)).
Proposed Additions to Both Statutes to Include Misuse of Identifying Information of Organizations
(a) Section1028(a)of Title18UnitedStatesCodeisamendedbyinsertinginparagraph(7)thephraseldquo(includinganorganizationasdefinedinSection18of thisTitle)rdquoafterthewordldquopersonrdquo
Section1028A(a)of Title18UnitedStatesCodeisamendedbyinsertinginparagraph(1)thephraseldquo(includinganorganizationasdefinedinSection18of thisTitle)rdquoafterthewordldquopersonrdquo
(b) Section1028(d)(7)of Title18UnitedStatesCodeisamendedbyinsertinginparagraph(7)thephraseldquoorotherpersonrdquoafterthewordldquoindividualrdquo
rationale
Corporateidentitytheftwherebycriminalsassumetheidentityof corporateentitiestocloakfraudulentschemesinamisleadinganddeceptiveairof legitimacyhavebecomerampantCriminalsroutinelyengageinunauthorizedldquoappropriationrdquoof legitimatecompaniesrsquonamesandlogosinavarietyof contextsmisrepresentingthemselvesasofficersoremployeesof acorporationsendingforgedorcounterfeitdocumentsorfinancialinstrumentstovictimstoimprovetheirauraof legitimacyandofferingnonexistentbenefits(egloansandcreditcards)inthenamesof companies
Oneegregiousexampleof corporateidentitytheftisrepresentedontheInternetbythepracticecommonlyknownasldquophishingrdquowherebycriminalselectronicallyassumetheidentityof acorporationinordertodefraudunsuspectingrecipientsof emailsolicitationstovoluntarilydiscloseidentifyingandfinancialaccountinformationThispersonalinformationisthenusedtofurthertheunderlyingcriminalschememdashforexampleto
scavengethebankandcreditcardaccountsof theseunwittingconsumervictimsPhishingisjustoneexampleof howcriminalsinmass-marketingfraudschemesincorporatecorporateidentitytheftintotheirschemesthoughphishingalsoisdesignedwithindividualidentitytheftinmind
PhishinghasbecomesoroutineinmanymajorfraudschemesthatnoparticularcorporationcanbeeasilysingledoutashavingsufferedaspecialldquohorrorstoryrdquowhichstandsabovetherestInAugust2005theldquoAnti-PhishingWorkingGrouprdquodeterminedinjustthatmonthalonetherewere5259uniquephishingwebsitesaroundtheworldByDecember2005thatnumberhadincreasedto7197andtherewere15244uniquephishingreportsItwasalsoreportedinAugust2005that84corporateentitiesrsquonames(andevenlogosandwebcontent)wereldquohijackedrdquo(iemisused)inphishingattacksthoughonly3of thesecorporatebrandsaccountedfor80percentof phishingcampaignsByDecember2005thenumberof victimizedcorporateentitieshadincreasedto120Thefinancialsectorisandhasbeenthemostheavilytargetedindustrysectorinphishingschemesaccountingfornearly85percentof allphishingattacksSee eg httpantiphishingorgapwg_phishing_activity_report_august_05pdf
InadditionmajorcompanieshavereportedtotheDepartmentof Justicethattheircorporatenameslogosandmarksareoftenbeingmisusedinothertypesof fraudschemesTheseincludetelemarketingfraudschemesinwhichcommunicationspurporttocomefromlegitimatebanksorcompaniesorofferproductsorservicesfromlegitimatebanksandcompaniesandWestAfricanfraudschemesthatmisuselegitimatebanksandcompaniesrsquonamesincommu-nicationswithvictimsorincounterfeitchecks
UncertaintyhasarisenastowhetherCongressintendedSections1028(a)(7)and1028A(a)of Title18UnitedStatesCodetoapplyonlytoldquonaturalrdquopersonsortoalsoprotectcorporateentitiesThesetwoamendmentswouldclarifythatCongressintendedthatthesestatuteapplybroadlyandmaybeusedagainstphishingdirectedagainstvictimcorporateentities
APPENDIX F
Text of Amendment to 18 U.S.C. § 1030(a)(2)
The basis for this proposed amendment is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
1030(a) Whoever—
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains –
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
APPENDIX G
Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g) and to 18 U.S.C. § 2332b
The basis for these proposed amendments is set forth in Section III.D.4.b of the strategic plan, which describes gaps in the computer-related identity theft statutes.
Proposed Language
18 U.S.C. § 1030
(a) Whoever—
(5)
(A) (i) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(B) (ii) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(C) (iii) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
(c) The punishment for an offense under subsection (a) or (b) of this section is—
(2) (A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(3) (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(4) (A) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A)(i), or an attempt to commit an offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(A)(ii), or an attempt to commit an offense punishable under that subsection;
(C) except as provided in paragraph (5), a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offense punishable under either subsection, that occurs after a conviction for another offense under this section; and
(5) (A) if the offender knowingly or recklessly causes or attempts to cause serious bodily injury from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for not more than 20 years, or both; and
(B) if the offender knowingly or recklessly causes or attempts to cause death from conduct in violation of subsection (a)(5)(A)(i), a fine under this title or imprisonment for any term of years or for life, or both.
(4) (A) a fine under this title, imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(5)(B), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused)—
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety;
(v) damage affecting a computer used by or for a government entity in furtherance of the administration of justice, national defense, or national security; or
(vi) damage affecting ten or more protected computers during any 1-year period;
or an attempt to commit an offense punishable under this subparagraph;
(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection (a)(5)(A), which does not occur after a conviction for another offense under this section, if the offense caused (or, in the case of an attempted offense, would, if completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i) through (vi), or an attempt to commit an offense punishable under this subparagraph;
(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection (a)(5) that occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(D) if the offender attempts to cause or knowingly or recklessly causes serious bodily injury from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for not more than 20 years, or both;
(E) if the offender attempts to cause or knowingly or recklessly causes death from conduct in violation of subsection (a)(5)(A), a fine under this title or imprisonment for any term of years or for life, or both; or
(F) a fine under this title, imprisonment for not more than one year, or both, for any other offense under subsection (a)(5), or an attempt to commit an offense punishable under this subparagraph.
(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. A civil action for a violation of this section may be brought only if the conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv), or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) subparagraph (c)(4)(A)(i) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage. No action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.
18 U.S.C. § 2332b(g)(5)(B)(I)
1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through (v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers)
APPENDIX H
Text of Amendments to 18 U.S.C. § 1030(a)(7)
The basis for this proposed amendment is set forth in Section III.D.4.c of the strategic plan, which describes gaps in the cyber-extortion statute.
Proposed Language
18 U.S.C. § 1030(a)(7)
(7) with intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any –
(a) threat to cause damage to a protected computer;
(b) threat to obtain information from a protected computer without authorization or in excess of authorization, or to impair the confidentiality of information obtained from a protected computer without authorization or by exceeding authorized access; or
(c) demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion;
APPENDIX I
Text of Amendment to United States Sentencing Guideline § 2B1.1
The basis for this proposed amendment is set forth in Section III.D.4.d of the strategic plan, which describes the Sentencing Guidelines provision governing identity theft.
Proposed language for United States Sentencing Guidelines § 2B1.1, comment.(n.1)
“Victim” means (A) any person who sustained any harm, whether monetary or non-monetary, as a result of the offense. Harm is intended to be an inclusive term, and includes bodily injury, non-monetary loss such as the theft of a means of identification, invasion of privacy, reputational damage, and inconvenience. “Person” includes individuals, corporations, companies, associations, firms, partnerships, societies, and joint stock companies.
APPENDIX J
Description of Proposed Surveys
In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, the Bureau of Justice Statistics (BJS) should undertake new data collections in three areas: (1) a survey of law enforcement agencies focused on the response to identity theft; (2) enhancements to the existing Law Enforcement Management and Administrative Statistics (LEMAS) survey platform; and (3) enhancements to the existing training academy survey platform. Specifically, BJS should undertake to do the following:
• New survey of state and local law enforcement agencies. A new study focused on state and local law enforcement responses to identity theft should seek to document agency personnel, operations, workload, and policies and programs related to the handling of this crime. Detail on the organizational structure, if any, associated with identity theft response should be included (for example, the use of special units devoted to identity theft). The study should inquire about participation in regional identity theft task forces, community outreach and education efforts, as well as identity theft prevention programs. Information collected should also include several summary measures of identity theft in the agencies’ jurisdictions (offenses known, arrests, referrals, outcomes), with the goal of producing some standardized metrics with which to compare jurisdictions.
• Enhancement to existing LEMAS survey. BJS should develop a special battery of questions for the existing LEMAS survey platform. The LEMAS survey, conducted roughly every three years since 1987, collects detailed administrative information from a nationally representative sample of about 3,000 agencies. The sample includes all agencies with 100 or more officers, and a stratified random sample of smaller agencies, as well as campus law enforcement agencies. Information collected should include whether agencies presently enforce identity theft laws, utilize special units, have designated personnel, participate in regional identity theft task forces, and have policies and procedures in place related to the processing of identity theft incidents. The survey should also inquire whether agencies collect summary measures of identity theft in their jurisdictions, including offenses known, arrests, referrals, and any outcome measures. Finally, this study should also collect information on whether agencies are engaged in community outreach, education, and prevention activities related to identity theft.
• Enhancement to existing law enforcement training academy survey. BJS should develop a special battery of questions for the existing law enforcement training academy survey platform. A section of the data collection instrument should be devoted to the types of training, if any, being provided by basic academies across the country in the area of identity theft. BJS should subsequently provide statistics on the number of recruits who receive training on identity theft, as well as the nature and content of the training. In-service training provided to active-duty officers should also be covered.
• The Bureau of Justice Statistics should revise both the State Court Processing Statistics (SCPS) and National Judicial Reporting Program (NJRP) programs so that they are capable of distinguishing identity theft from other felony offenses. In addition, the scope of these surveys should be expanded to include misdemeanor identity theft offenders. If SCPS and NJRP were able to follow identity theft offenders, then a variety of different types of court-specific information could be collected. These include how many offenders are charged with identity theft in the Nation’s courts, what percentage of these offenders are released at pretrial, and how are the courts adjudicating (e.g., convicting or dismissing) identity theft offenders. Among those convicted identity theft offenders, data should be collected on how many are being sentenced to prison, jail, or probation. These projects should also illuminate the prior criminal histories or rap sheets of identity theft offenders. Both projects should also allow for the post-conviction tracking of identity theft offenders for the purposes of examining their overall recidivism rates.
• BJS should ensure that other state court studies that it funds are reconfigured to analyze the problem of identity theft. For example, State Court Organization (SCO) currently surveys the organizational structure of the Nation’s state courts. This survey could be supplemented with additional questionnaires that measure whether special courts similar to gun, drug, or domestic violence courts are being created for identity theft offenders. Also, SCO should examine whether courts are training or funding staff equipped to handle identity theft offenders.
• BJS should ensure that the Civil Justice Survey of State Courts, which examines civil trial litigation in a sample of the Nation’s state courts, is broadened to identify and track various civil enforcement procedures and their utilization against identity thieves.
ENDNOTES
1 Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft Assumption and Deterrence Act provides an expansive definition of identity theft. It includes the misuse of any identifying information, which could include name, SSN, account number, password, or other information linked to an individual, to commit a violation of federal or state law. The definition thus covers misuse of existing accounts as well as creation of new accounts.
2 The federal financial regulatory agencies include the banking and securities regulators, namely, the Federal Deposit Insurance Corporation, the Federal Reserve Board, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the Commodity Futures Trading Commission, and the Securities and Exchange Commission.
3 The public comments are available at wwwidtheftgov
4 Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee, “The Growing Problem of Identity Theft and its Relationship to the Fair Credit Reporting Act.”
5 See U.S. Attorney’s Office, Western District of Michigan, Press Release (July 5, 2006), available at httpwwwusdojgovusaomiwpressJMiller_ Others10172006html
6 Javelin Strategy and Research, 2007 Identity Fraud Survey Report: Identity Fraud is Dropping, Continued Vigilance Necessary (Feb. 2007), summary available at httpwwwjavelinstrategycom; Bureau of Justice Statistics (DOJ) (2004), available at httpwwwojpusdojgovbjspubpdfit04pdf; Gartner, Inc. (2003), available at httpwwwgartnercom5_aboutpress_releasespr21july2003ajsp; FTC 2003 Survey Report (2003), available at httpwwwconsumergovidtheftpdf synovate_reportpdf
7 See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by Security Software Protection, BSA Survey Suggests (Jan. 12, 2006), available at httpwwwbsacybersafetycomnews2005-Online-Shopping-Confidencecfm
8 See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at 9, available at httpswwwcsiallianceorgpublicationssurveys_and_pollsCSIA_Internet_Security_Survey_June_2005pdf
9 See U.S. Attorney’s Office, Southern District of Florida, Press Release (July 19, 2006), available at httpwwwusdojgovusaoflsPressReleases060719-01html
10 See, e.g., John Leland, Meth Users, Attuned to Detail, Add Another Habit: ID Theft, New York Times, July 11, 2006, available at httpwwwnytimescom20060711us11methhtmlex=1153540800ampen=7b6c7773afa880beampei=5070; Byron Acohido and Jon Swartz, Meth addicts’ other habit: Online Theft, USA Today, December 14, 2005, available at httpwwwusatodaycomtechnewsinternetprivacy2005-12-14-meth-online-theft_xhtm
11 Bob Mims, Id Theft Is the No. 1 Runaway U.S. Crime, The Salt Lake Tribune, May 3, 2006, available at 2006 WLNR 7592526.
12 Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28, 2005, httpdeseretnewscomdnview0124960012971400html
13 Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine, December 21, 2003, available at httpwwwnytimescom20031221magazine21IDENTITYhtmlex=1387342800ampen=b693eef01223bc3bampei=5007amppartner=USERLAND
14 Pub. L. No. 108-159, 117 Stat. 1952.
15 The FACT Act required merchants to comply with this truncation provision within three years of the Act’s passage with respect to any cash register or device that was in use before January 1, 2005, and within one year of the Act’s passage with respect to any cash register or device that was first put into use on or after January 1, 2005. 15 U.S.C. § 1681c(g)(3).
16 Overview of Attack Trends, CERT Coordination Center 2002, available at httpwwwcertorgarchivepdfattack_trendspdf
17 Lanowitz, T., Gartner Research ID Number G00127407, December 1, 2005.
18 “Vishing” Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006, available at httpwwwconsumeraffairscomnews04200607scam_vishinghtml
19 Fraudsters have recently used pretexting techniques to obtain phone records, see, e.g., Jonathan Krim, Online Data Gets Personal: Cell Phone Records For Sale, Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the FTC is pursuing enforcement actions against them. See httpwwwftcgovopa200605phonerecordshtm
20 The FTC brought three cases after sting operations against financial pretexters. Information on the settlement of those cases is available at httpwwwftcgovopa200203pretextingsettlementshtm
21 See, e.g., Computers Stolen with Data on 72,000 Medicaid Recipients, Cincinnati Enquirer, June 3, 2006.
22 15 U.S.C. § 1681e; 15 U.S.C. § 6802(a).
23 Although the FACT Act amendments to the Fair Credit Reporting Act require merchants to truncate credit account numbers, allowing only the final five digits to appear on an electronically generated receipt, 15 U.S.C. § 1618c(g), manually created receipts might still contain the full account number.
24 See httpwwwbizjournalscomphiladelphiastories20060724daily30html. See also Identity Theft Resource Center, Fact Sheet 126: Checking Account Takeover and Check Fraud, httpwwwidtheftcenterorgvg126shtml
25 For example, the Securities and Exchange Commission instituted proceedings against a 19-year-old internet hacker after the hacker illicitly accessed an investor’s online brokerage account. His bogus transactions saved the hacker approximately $37,000 in trading losses. The SEC also obtained an emergency asset freeze to halt an Estonia-based “account intrusion” scheme that targeted online brokerage accounts in the U.S. to manipulate the markets. See Litigation Release No. 19949 (Dec. 19, 2006), available at httpwwwsecgovlitigationlitreleases2006lr19949htm
26 For unauthorized credit card charges, the Fair Credit Billing Act limits consumer liability to a maximum of $50 per account. 15 U.S.C. § 1643. For bank account fraud, different laws determine consumers’ legal remedies based on the type of fraud that occurred. For example, applicable state laws protect consumers against fraud committed by a thief using paper documents, like stolen or counterfeit checks. If, however, the thief used an electronic fund transfer, federal law applies. The Electronic Fund Transfer Act limits consumer liability for unauthorized transactions involving an ATM or debit card, depending on how quickly the consumer reports the loss or theft of his card: (1) if reported within two business days of discovery, the consumer’s losses are limited to a maximum of $50; (2) if reported more than two business days after discovery, but within 60 days of the transmittal date of the account statement containing unauthorized transactions, he could lose up to $500; and (3) if reported more than 60 days after the transmittal date of the account statement containing unauthorized transactions, he could face unlimited liability. 15 U.S.C. § 1693g. As a matter of policy, some credit and debit card companies waive liability under some circumstances, freeing the consumer from fraudulent use of his credit or debit card.
27 See John Leland, Some ID Theft Is Not For Profit, But to Get a Job, N.Y. Times, Sept. 4, 2006.
28 See World Privacy Forum, Medical Identity Theft: The Information Crime That Can Kill You (May 3, 2006), available at worldprivacyforumorgpdfwpf_medicalidtheft2006pdf
29 See httpwwwidanalyticscomnews_and_events20051208htm. Some other organizations have begun conducting statistical analyses to determine the link between data breaches and identity theft. These efforts are still in their early stages, however.
30 Government Accounting Office, Social Security Numbers: Government Could Do More to Reduce Display in Public Records and On Identity Cards (November 2004), at 2, available at httpwwwgaogovnewitemsd0559pdf
31 15 U.S.C. §§ 6801 et seq.; 42 U.S.C. §§ 1320d et seq.; 18 U.S.C. §§ 2721 et seq.
32 5 U.S.C. § 552a.
33 See, e.g., Ariz. Rev. Stat. § 44-1373.
34 Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps Remain, GAO-05-1016T, September 15, 2005.
35 See, e.g., wwwwpsiccomedicomm_sub_pshtmlmm=3, Non-SSN Member Numbers to Be Assigned for Privacy Protection.
36 Except where expressly noted, all references to years in this strategic plan are intended to refer to calendar years, rather than fiscal years.
37 The federal government’s overall information privacy program derives primarily from five statutes that assign OMB policy and oversight responsibilities, and agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C. § 552a) sets collection, maintenance, and disclosure conditions; access and amendment rights; and notice and record-keeping requirements with respect to personally identifiable information retrieved by name or personal identifier. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. § 552a note) amended the Privacy Act to provide a framework for the electronic comparison of personnel and benefits-related information systems. The Paperwork Reduction Act of 1995 (44 U.S.C. § 3501 et seq.) and the Information Technology Management Reform Act of 1996 (also known as Clinger-Cohen Act, 41 U.S.C. § 251 note) linked agency privacy activities to information technology and information resources management, and assigned to agency Chief Information Officers (CIO) the responsibility to ensure implementation of privacy programs within their respective agencies. Finally, Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) included provisions requiring agencies to conduct privacy impact assessments on new or substantially altered information technology systems and electronic information collections, and post web privacy policies at major entry points to their Internet sites. These provisions are discussed in OMB memorandum 03-22, “OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.”
38 See Protection of Sensitive Agency Information, Memorandum from Clay Johnson III, Deputy Director for Management, OMB, to Heads of Departments and Agencies, M-06-16 (June 23, 2006).
39 The United States Computer Emergency Readiness Team (US-CERT) has played an important role in public sector data security. US-CERT is a partnership between DHS and the public and private sectors. Established in 2003 to protect the nation’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. The organization interacts with federal agencies, state and local governments, industry professionals, and others to improve information sharing and incident response coordination and to reduce cyber threats and vulnerabilities. US-CERT provides the following support: (1) cyber security event monitoring; (2) advanced warning on emerging threats; (3) incident response capabilities for federal and state agencies; (4) malware analysis and recovery support; (5) trends and analysis reporting tools; and (6) other support services in the area of cyber security. US-CERT also provides consumer and business education on Internet and information security.
40 See httpwwwwhitehousegovresultsagendascorecardhtml
41 The proposed routine use language set forth in Appendix B differs slightly from that included in the Task Force’s interim recommendations in that it further clarifies, among other things, the categories of users and the circumstances under which disclosure would be “necessary and proper” in accordance with the OMB’s guidance on this issue.
42 15 U.S.C. §§ 6801-09; 16 C.F.R. Part 313 (FTC); 12 C.F.R. Part 30, App. B (OCC, national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (FRB, state member banks and holding companies); 12 C.F.R. Part 364, App. B (FDIC, state non-member banks); 12 C.F.R. Part 570, App. B (OTS, savings associations); 12 C.F.R. Part 748, App. A (NCUA, credit unions); 16 C.F.R. Part 314 (FTC, financial institutions that are not regulated by the FRB, FDIC, OCC, OTS, NCUA, CFTC, or SEC); 17 C.F.R. Part 248.30 (SEC); 17 C.F.R. Part 160.30 (CFTC).
43 15 U.S.C. § 45(a). Further, the federal bank regulatory agencies have authority to enforce Section 5 of the FTC Act against entities over which they have jurisdiction. See 15 U.S.C. §§ 6801-09.
44 15 U.S.C. §§ 1681-1681x, as amended.
45 Pub. L. No. 108-159, 117 Stat. 1952.
46 42 U.S.C. §§ 1320d et seq.
47 31 U.S.C. § 5318(l).
48 18 U.S.C. §§ 2721 et seq.
49 httpwwwncslorgprogramsliscipprivbreachlawshtm
50 httpwwwbbborgsecurityandprivacySecurityPrivacyMadeSimplerpdf; wwwstaysafeonlineorgbasicscompanybasic_tipshtml; The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, available at wwwbitsinfoorgdownloadsPublications20Pagebitsconsconpdf; wwwrealtororgrealtororgnsffilesNARInternetSecurityGuidepdf$FILENARInternetSecurityGuidepdf; wwwantiphishingorgreportsbestpracticesforispspdf; wwwuschambercomsbsecuritydefaulthtm; wwwtrusteorgpdfSecurityGuidelinespdf; wwwthe-dmaorgprivacyinformationsecurityshtml; httpwwwstaysafeonlineorgbasicscompanybasic_tipshtml
51 These changes may be attributable to requirements contained in the regulations implementing Title V of the GLB Act. See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. 5 (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A and B, and 12 C.F.R. Part 717 (credit unions); 16 C.F.R. Part 314 (financial institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).
52 See, e.g., httpwwwtrusteorgpdfSecurityGuidelinespdf; httpwwwthe-dmaorgprivacyinformationsecurityshtml
53 Deloitte Financial Services, 2006 Global Security Survey, available at httpsingerucusnetblogarchives756-Deloitte-Security-Surveyshtml
54 Datalink, Data Storage Security Study, March 2006, available at wwwdatalinkcomsecurity
55 Id.
56 See Small Business Technology Institute, Small Business Information Security Readiness (July 2005).
57 See, e.g., California (Cal. Civ. Code § 1798.82 (2006)); Illinois (815 Ill. Comp. Stat. 530/5 (2005)); Louisiana (La. Rev. Stat. 51:3074 (2006)); Rhode Island (R.I. Gen. Laws § 11-49.2-3 (2006)).
58 See, e.g., Colorado (Colo. Rev. Stat. § 6-1-716 (2006)); Florida (Fla. Stat. § 817.5681 (2005)); New York (NY CLS Gen. Bus. § 889-aa (2006)); Ohio (Ohio Rev. Code Ann. § 1349.19 (2006)).
59 Ponemon Institute, LLC, Benchmark Study of European and U.S. Corporate Privacy Practices, p. 16 (Apr. 26, 2006).
60 Id.
61 Ponemon Institute, LLC, 2005 Benchmark Study of Corporate Privacy Practices (July 11, 2005).
62 MultiChannel Merchant, Retailers Need to Provide Greater Data Security, Survey Says (Dec. 1, 2005), available at httpmultichannelmerchantcomopsandfulfillmentadvisorretailers_data_security_1201indexhtml
63 See Information Technology Examination Handbook’s Information Security Booklet, available at httpwwwffiecgovguideshtm
64 See, e.g., httpwwwpvkansascompolicecrimeiden_theftshtml (Prairie Village, Kansas); httpphoenixgovPOLICEdcd1html (Phoenix, Arizona); wwwcoarapahoecousdepartmentsSHindexasp (Arapahoe County, Colorado).
65 Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.
66 Examples of this outreach include a wide-scale effort at the University of Michigan, which launched Identity Web, a comprehensive site based on the recommendations of a graduate class in fall of 2003. The State University of New York’s Orange County Community College offers identity theft seminars, the result of a student who fell victim to a scam. A video at student orientation sessions at Drexel University in Philadelphia warns students of the dangers of identity theft on social networking sites. Bowling Green State University in Kentucky emails campus-wide “fraud alerts” when it suspects that a scam is being targeted to its students. In recent years, more colleges and universities have hired chief privacy officers, focusing greater attention on the harms that can result from the misuse of students’ information.
67 See 31 C.F.R. § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 C.F.R. § 103.122 (broker-dealers); 17 C.F.R. § 270.0-11, 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers).
68 See httpwwwdhsgovxprevprotlawsgc_1172765386179shtm
69 A primary reason criminals use other people’s identities to commit identity theft is to enable them to operate with anonymity. However, in committing identity theft, the suspects often leave telltale signs that should trigger concern for alert businesses. Section 114 of the FACT Act seeks to take advantage of businesses’ awareness of these patterns, and requires the federal bank regulatory agencies and the FTC to develop regulations and guidelines for financial institutions and creditors addressing identity theft. In developing the guidelines, the agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. 15 U.S.C. § 1681m.
Those agencies have issued a set of proposed regulations that would require each financial institution and creditor to develop and implement an identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a “red flag” signaling a possible risk of identity theft. Recognizing these “red flags” can enable businesses to detect identity theft at its early stages, before too much harm is done. See 71 Fed. Reg. 40786 (July 18, 2006), to be codified at 12 C.F.R. Parts 41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16 C.F.R. Part 681 (FTC), available at httpwwwoccgovfrfedregister71fr40786pdf
70 USB token devices are typically small vehicles for storing data. They are difficult to duplicate and are tamper-resistant. The USB token is plugged directly into the USB port of a computer, avoiding the need for any special hardware on the user’s computer. However, a login and password are still required to access the information contained on the device. Smart cards resemble a credit card and contain a microprocessor that allows them to store and retain information. Smart cards are inserted into a compatible reader and, if recognized, may require a password to perform a transaction. Finally, the common token system involves a device that generates a one-time password at predetermined intervals. Typically, this password would be used in conjunction with other login information, such as a PIN, to allow access to a computer network. This system is frequently used to allow for remote access to a workstation for a telecommuter.
71 Biometrics are automated methods of recognizing an individual based on measurable biological (anatomical and physiological) and behavioral characteristics. Biometrics commonly implemented or studied include fingerprint, face, iris, voice, signature, and hand geometry. Many other modalities are in various stages of development and assessment. Additional information on biometric technologies, federal biometric programs, and associated privacy considerations can be found at wwwbiometricsgov
72. See Authentication in an Internet Banking Environment (October 12, 2005), available at http://www.ffiec.gov/pdf/authentication_guidance.pdf.
73. See FFIEC Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment (August 15, 2006), available at http://www.ffiec.gov/pdf/authentication_faq.pdf.
74. See Kristin Davis and Jessica Anderson, But Officer, That Isn't Me, Kiplinger's Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft, MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va. Creates Special Cards for Crime Victims, The American Banker (Nov. 18, 2003).
75. 18 U.S.C. § 1028A.
76. 18 U.S.C. § 1028(d)(7).
77. See 18 U.S.C. § 1030(e)(8).
78. 18 U.S.C. § 1030(a)(7).
79. S. Rep. No. 105-274, at 9 (1998).
80. As this Task Force has been charged with considering the federal response to identity theft, this routine use notice does not include all possible triggers, such as embarrassment or harm to reputation. However, after consideration of the Strategic Plan and the work of other groups charged with assessing Privacy Act considerations, OMB may determine that a routine use that takes into account other possible triggers may be preferable.