The President's Identity Theft Task Force
April 2007
Combating Identity Theft: A Strategic Plan
Table of Contents

Glossary of Acronyms
Identity Theft Task Force Members
Letter to the President
I. Executive Summary
  A. Introduction
  B. The Strategy
II. The Contours of the Identity Theft Problem
  A. Prevalence and Costs of Identity Theft
  B. Identity Thieves: Who They Are
  C. How Identity Theft Happens: The Tools of the Trade
  D. What Identity Thieves Do With the Information They Steal: The Different Forms of Identity Theft
III. A Strategy to Combat Identity Theft
  A. Prevention: Keeping Consumer Data out of the Hands of Criminals
    1. Decreasing the Unnecessary Use of Social Security Numbers
    2. Data Security in the Public Sector
      a. Safeguarding of Information in the Public Sector
      b. Responding to Data Breaches in the Public Sector
    3. Data Security in the Private Sector
      a. The Current Legal Landscape
      b. Implementation of Data Security Guidelines and Rules
      c. Responding to Data Breaches in the Private Sector
    4. Educating Consumers on Protecting Their Personal Information
  B. Prevention: Making It Harder to Misuse Consumer Data
  C. Victim Recovery: Helping Consumers Repair Their Lives
    1. Victim Assistance: Outreach and Education
    2. Making Identity Theft Victims Whole
    3. Gathering Better Information on the Effectiveness of Victim Recovery Measures
  D. Law Enforcement: Prosecuting and Punishing Identity Thieves
    1. Coordination and Intelligence/Information Sharing
      a. Sources of Identity Theft Information
      b. Format for Sharing Information and Intelligence
      c. Mechanisms for Sharing Information
    2. Coordination with Foreign Law Enforcement
    3. Prosecution Approaches and Initiatives
    4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps
      a. The Identity Theft Statutes
      b. Computer-Related Identity Theft Statutes
      c. Cyber-Extortion Statute
      d. Sentencing Guidelines Governing Identity Theft
    5. Training of Law Enforcement Officers and Prosecutors
    6. Measuring Success of Law Enforcement Efforts
IV. Conclusion: The Way Forward
APPENDICES
  Appendix A: Identity Theft Task Force's Guidance Memorandum on Data Breach Protocol
  Appendix B: Proposed Routine Use Language
  Appendix C: Text of Amendments to 18 U.S.C. 3663(b) and 3663A(b)
  Appendix D: Text of Amendments to 18 U.S.C. 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. 3512
  Appendix E: Text of Amendments to 18 U.S.C. 1028 and 1028A
  Appendix F: Text of Amendment to 18 U.S.C. 1032(a)(2)
  Appendix G: Text of Amendments to 18 U.S.C. 1030(a)(5), (c), and (g) and to 18 U.S.C. 2332b
  Appendix H: Text of Amendments to 18 U.S.C. 1030(a)(7)
  Appendix I: Text of Amendment to United States Sentencing Guideline 2B1.1
  Appendix J: Description of Proposed Surveys
ENDNOTES
Glossary of Acronyms

AAMVA: American Association of Motor Vehicle Administrators
AARP: American Association of Retired Persons
ABA: American Bar Association
APWG: Anti-Phishing Working Group
BBB: Better Business Bureau
BIN: Bank Identification Number
BJA: Bureau of Justice Assistance
BJS: Bureau of Justice Statistics
CCIPS: Computer Crime and Intellectual Property Section (DOJ)
CCMSI: Credit Card Mail Security Initiative
CFAA: Computer Fraud and Abuse Act
CFTC: Commodity Futures Trading Commission
CIO: Chief Information Officer
CIP: Customer Identification Program
CIRFU: Cyber Initiative and Resource Fusion Center
CMRA: Commercial Mail Receiving Agency
CMS: Centers for Medicare and Medicaid Services (HHS)
CRA: Consumer reporting agency
CVV2: Card Verification Value 2
DBFTF: Document and Benefit Fraud Task Force
DHS: Department of Homeland Security
DOJ: Department of Justice
DPPA: Driver's Privacy Protection Act of 1994
FACT Act: Fair and Accurate Credit Transactions Act of 2003
FBI: Federal Bureau of Investigation
FCD: Financial Crimes Database
FCRA: Fair Credit Reporting Act
FCU Act: Federal Credit Union Act
FDI Act: Federal Deposit Insurance Act
FDIC: Federal Deposit Insurance Corporation
FEMA: Federal Emergency Management Agency
FERPA: Family Educational Rights and Privacy Act of 1974
FFIEC: Federal Financial Institutions Examination Council
FIMSI: Financial Industry Mail Security Initiative
FinCEN: Financial Crimes Enforcement Network (Department of Treasury)
FISMA: Federal Information Security Management Act of 2002
FRB: Federal Reserve Board of Governors
FSI: Financial Services, Inc.
FTC: Federal Trade Commission
FTC Act: Federal Trade Commission Act
GAO: Government Accountability Office
GLB Act: Gramm-Leach-Bliley Act
HHS: Department of Health and Human Services
HIPAA: Health Insurance Portability and Accountability Act of 1996
IACP: International Association of Chiefs of Police
IAFCI: International Association of Financial Crimes Investigators
IC3: Internet Crime Complaint Center
ICE: U.S. Immigration and Customs Enforcement
IRS: Internal Revenue Service
IRS CI: IRS Criminal Investigation Division
IRTPA: Intelligence Reform and Terrorism Prevention Act of 2004
ISI: Intelligence Sharing Initiative (U.S. Postal Inspection Service)
ISP: Internet service provider
ISS LOB: Information Systems Security Line of Business
ITAC: Identity Theft Assistance Center
ITCI: Information Technology Compliance Institute
ITRC: Identity Theft Resource Center
MCC: Major Cities Chiefs
NAC: National Advocacy Center
NASD: National Association of Securities Dealers, Inc.
NCFTA: National Cyber Forensic Training Alliance
NCHELP: National Council of Higher Education Loan Programs
NCUA: National Credit Union Administration
NCVS: National Crime Victimization Survey
NDAA: National District Attorneys Association
NIH: National Institutes of Health
NIST: National Institute of Standards and Technology
NYSE: New York Stock Exchange
OCC: Office of the Comptroller of the Currency
OIG: Office of the Inspector General
OJP: Office of Justice Programs (DOJ)
OMB: Office of Management and Budget
OPM: Office of Personnel Management
OTS: Office of Thrift Supervision
OVC: Office for Victims of Crime (DOJ)
PCI: Payment Card Industry
PIN: Personal Identification Number
PMA: President's Management Agenda
PRC: Privacy Rights Clearinghouse
QRP: Questionable Refund Program (IRS CI)
RELEAF: Operation Retailers & Law Enforcement Against Fraud
RISS: Regional Information Sharing Systems
RITNET: Regional Identity Theft Network
RPP: Return Preparer Program (IRS CI)
SAR: Suspicious Activity Report
SBA: Small Business Administration
SEC: Securities and Exchange Commission
SMP: Senior Medicare Patrol
SSA: Social Security Administration
SSL: Secure Sockets Layer
SSN: Social Security number
TIGTA: Treasury Inspector General for Tax Administration
UNCC: United Nations Crime Commission
USA PATRIOT Act: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Pub. L. No. 107-56)
USB: Universal Serial Bus
US-CERT: United States Computer Emergency Readiness Team
USPIS: United States Postal Inspection Service
USSS: United States Secret Service
VHA: Veterans Health Administration
VOIP: Voice Over Internet Protocol
VPN: Virtual private network
WEDI: Workgroup for Electronic Data Interchange
Identity Theft Task Force Members

Alberto R. Gonzales, Chairman (Attorney General)
Deborah Platt Majoras, Co-Chairman (Chairman, Federal Trade Commission)
Henry M. Paulson, Department of Treasury
Carlos M. Gutierrez, Department of Commerce
Michael O. Leavitt, Department of Health and Human Services
R. James Nicholson, Department of Veterans Affairs
Michael Chertoff, Department of Homeland Security
Rob Portman, Office of Management and Budget
John E. Potter, United States Postal Service
Ben S. Bernanke, Federal Reserve System
Linda M. Springer, Office of Personnel Management
Sheila C. Bair, Federal Deposit Insurance Corporation
Christopher Cox, Securities and Exchange Commission
JoAnn Johnson, National Credit Union Administration
Michael J. Astrue, Social Security Administration
John C. Dugan, Office of the Comptroller of the Currency
John M. Reich, Office of Thrift Supervision
Letter to the President
April 11, 2007

The Honorable George W. Bush
President of the United States
The White House
Washington, D.C.

Dear Mr. President:

By establishing the President's Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution.

To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold.

Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.
The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, Chairman
Attorney General

Deborah Platt Majoras, Co-Chairman
Chairman, Federal Trade Commission
I. Executive Summary

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

A. INTRODUCTION

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,[1] which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies[2] have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government, from the largest cities with major police departments to the smallest towns with one fraud detective, identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public. In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.[3] The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force's recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.
B. THE STRATEGY

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual's personal information to commit fraud. Identity theft has at least three stages in its life cycle, and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim's personal information.

Criminals must first gather personal information, either through low-tech methods such as stealing mail or workplace records, or dumpster diving, or through complex and high-tech frauds, such as hacking and the use of malicious computer code. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.
Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim's personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim's name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation's citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

  keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
  making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
  assisting the victims of identity theft in recovering from the crime; and
  deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

  that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
  that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
  that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
  that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan, from these broad policy changes to the small steps, are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President's Task Force on Identity Theft:
PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While perfect security does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Data Security in Public Sector

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management
  Survey current use of SSNs by federal government
  Issue guidance on appropriate use of SSNs
  Establish clearinghouse for best agency practices that minimize use of SSNs
  Work with state and local governments to review use of SSNs

Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance
  Develop concrete guidance and best practices
  Monitor agency compliance with data security guidance
  Protect portable storage and communications devices

Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies
  Issue data breach guidance to agencies
  Publish a routine use allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data
  Hold regional seminars for businesses on safeguarding information
  Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations

Initiate a Multi-Year Public Awareness Campaign
  Develop national awareness campaign
  Enlist outreach partners
  Increase outreach to traditionally underserved communities
  Establish Protect Your Identity Days

Develop Online Clearinghouse for Current Educational Resources
PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim's name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person's identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: Identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses (for example, multi-factor authentication or layered security) would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication
  Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity
  Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs

VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Identity theft can be committed despite a consumer's best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.
Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims
  Train law enforcement officers
  Provide educational materials for first responders that can be used as a reference guide for identity theft victims
  Create and distribute an ID Theft Victim Statement of Rights
  Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims
  Conduct assessment of FACT Act remedies under FCRA
  Conduct assessment of state credit freeze laws
LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector
  Enhance ability of law enforcement to receive information from financial institutions
  Initiate discussions with financial services industry on countermeasures to identity theft
  Initiate discussions with credit reporting agencies on preventing identity theft

Coordination with Foreign Law Enforcement

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government's Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist, Train, and Support Foreign Law Enforcement

Prosecution Approaches and Initiatives

Increase Prosecutions of Identity Theft
  Designate an identity theft coordinator for each United States Attorney's Office to design a specific identity theft program for each district
  Evaluate monetary thresholds for prosecution
  Encourage state prosecution of identity theft
  Create working groups and task forces

Conduct Targeted Enforcement Initiatives
  Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale
  Conduct enforcement initiatives focused on identity theft related to the health care system
  Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs
Gaps in Statutes Criminalizing Identity Theft

Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes
  Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted
  Add new crimes to the list of predicate offenses for aggravated identity theft offenses
  Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications
  Penalize creators and distributors of malicious spyware and keyloggers
  Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief's Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Law Enforcement Training

Enhance Training for Law Enforcement Officers and Prosecutors
  Develop course at National Advocacy Center focused on investigation and prosecution of identity theft
  Increase number of regional identity theft seminars
  Increase resources for law enforcement on the Internet
  Review curricula to enhance basic and advanced training on identity theft

Measuring the Success of Law Enforcement

Enhance the Gathering of Statistical Data Impacting the Criminal Justice System's Response to Identity Theft
  Gather and analyze statistically reliable data from identity theft victims
  Expand scope of national crime victimization survey
  Review U.S. Sentencing Commission data
  Track prosecutions of identity theft and resources spent
  Conduct targeted surveys
II. The Contours of the Identity Theft Problem

Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.

Identity theft, the misuse of another individual's personal information to commit fraud, can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or dumpster diving, or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.

Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain's identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain's name and with his Social Security number. The military identification, combined with the victim's then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim's name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim's name.[4]

In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim's existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim's safe-deposit boxes.[5]
In these ways and others, consumers' lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.
"I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver's license was suspended. I hold three licenses in the State of Ohio: my driver's license, my real estate license, and my R.N. license. After learning my driver's license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter."
Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003
A. PREVALENCE AND COSTS OF IDENTITY THEFT
There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.6 While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.
Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.
In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.
In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.
Consumers' fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.7 Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.8 Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.
B. IDENTITY THIEVES: WHO THEY ARE
Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC's 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.
Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.
Individuals
According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners' mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.9
A number of recent reports have focused on the connection between individual methamphetamine (meth) users and identity theft.10 Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.11 Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.
In an article entitled "Waitress Gets Own ID When Carding Patron," the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver's license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.
In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $181,517.05 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver's license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.
Significant Criminal Groups and Organizations
Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups, including national gangs such as Hells Angels and MS-13, are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.
Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user's Internet connection, without the user's knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services, such as software templates for making counterfeit identification cards and payment card magnetic strip encoders, that make the stolen data even more valuable to those who have it.
C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE
Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim's name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.
Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.
In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant's accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000. In sentencing the defendant, the federal judge described the scheme as an "unprecedented, wide-ranging, organized criminal enterprise" that engaged in "numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers." The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.
The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.
Common Theft and Dumpster Diving
While often considered a high tech crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.12 Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as "dumpster diving."13 Still others steal information using techniques no more sophisticated than purse snatching.
Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005. Source: U.S. Department of Justice
A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.
Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)14 requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed, a measure that is intended, among other things, to reduce the ability of a dumpster diver to obtain a victim's credit card number simply by looking through that victim's discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.15
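As an added illustration, not part of the Task Force report, the Python below shows what receipt truncation looks like in practice and gives a check a merchant could run over the text its point-of-sale terminal prints. The limit of five visible digits and the ban on printing the expiration date come from the statute itself (15 U.S.C. 1681c(g)), not from this page; the sample receipt and all names are constructed.

```python
import re

# Assumption (from the FACT Act, not from the report): an electronically printed
# receipt may show at most the last five digits of the card number and no
# expiration date.
MAX_VISIBLE_DIGITS = 5


def truncate_pan(pan: str, visible: int = MAX_VISIBLE_DIGITS) -> str:
    """Return the card number with every digit but the last `visible` masked."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "*" * (len(digits) - visible) + digits[-visible:]


# Any run of 13-19 digits, optionally grouped by spaces or dashes, is treated as
# a possible full card number; this deliberately errs toward false positives
# (a long reference number would be flagged too), which is the right bias for
# an audit of what a receipt printer emits.
_FULL_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# An "EXP"/"Expires"/"Exp." label followed by MM/YY or MM/YYYY.
_EXPIRY = re.compile(r"(?i)\bexp[a-z.]*:?\s*(0[1-9]|1[0-2])/(\d{2}|\d{4})\b")


def receipt_violations(receipt: str) -> list:
    """List truncation-rule problems found in an electronically printed receipt."""
    problems = []
    for m in _FULL_PAN.finditer(receipt):
        problems.append("full card number printed: " + m.group(0))
    if _EXPIRY.search(receipt):
        problems.append("expiration date printed")
    return problems


def sanitize_receipt(receipt: str) -> str:
    """Rewrite a legacy receipt so it satisfies the truncation rule."""
    masked = _FULL_PAN.sub(lambda m: truncate_pan(m.group(0)), receipt)
    return _EXPIRY.sub("", masked)


# Constructed sample from an (imaginary) legacy terminal; 4111... is a well-known
# test card number, not a real account.
LEGACY_RECEIPT = (
    "ACME DINER\n"
    "VISA 4111 1111 1111 1111 EXP: 12/09\n"
    "TOTAL $42.17\n"
    "AUTH 123456\n"
)

if __name__ == "__main__":
    for problem in receipt_violations(LEGACY_RECEIPT):
        print("before:", problem)
    print(sanitize_receipt(LEGACY_RECEIPT))
```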
Employee/Insider Theft
Dishonest insiders can steal sensitive consumer data by removing paper documents from a worksite or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee's access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.
Electronic Intrusions or Hacking
Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.16 Several recent government enforcement actions have targeted this type of data theft.
Second, hackers also can gain access to underlying applications programs used to communicate between Internet users and a company's internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.17 It is often difficult to detect the hacker's application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.
According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.
Social Engineering: Phishing, Malware/Spyware, and Pretexting
Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as "social engineering," can take a variety of forms.
In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution's screening practices came to light through the OCC's review of the former employee's activities.
In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe's Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe's retail store in Michigan and gained access to Lowe's central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe's retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.
Phishing: Phishing is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources, often financial institutions or government agencies. In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to "reenter" or "validate" their personal data. Such phishing schemes often mimic financial institutions' websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed "vishing," in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.18
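The tell the paragraph describes, a message that claims to come from a bank while its links lead somewhere else, can be checked mechanically before a message reaches an inbox. The Python below is an added example, not from the report or any vendor; the claimed sender domain, the sample message and every helper name are constructed placeholders, and the "registrable domain" heuristic assumes a one-label top-level domain.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for each <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host: str) -> str:
    """Last two labels of a hostname (assumption: no multi-part TLDs like co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def _host_of(url_or_text: str) -> str:
    """Hostname of a URL, or of bare URL-like text such as 'www.bank.example/login'."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return urlparse(url_or_text).hostname or ""


def phishing_indicators(html_body: str, claimed_sender_domain: str) -> list:
    """Return (href, reason) pairs for links inconsistent with the claimed sender."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = _host_of(href)
        if not host:
            continue  # named anchor or relative link; nothing to compare
        try:
            ipaddress.ip_address(host)
            findings.append((href, "link host is a bare IP address"))
            continue
        except ValueError:
            pass
        if _registrable(host) != _registrable(claimed_sender_domain):
            findings.append((href, f"link host {host!r} does not belong to {claimed_sender_domain}"))
        # Visible text that looks like a URL but points at a different host is the
        # classic look-alike trick the report describes.
        looks_like_url = "." in text and " " not in text
        text_host = _host_of(text) if looks_like_url else ""
        if text_host and _registrable(text_host) != _registrable(host):
            findings.append((href, f"visible text shows {text_host!r} but link goes to {host!r}"))
    return findings


# Constructed sample: a message purporting to come from bank.example.
SAMPLE_PHISH = """<p>Dear customer, your account will be suspended unless you
<a href="http://bank.example.login-verify.test/secure">verify your information</a>
at <a href="http://203.0.113.7/bank">www.bank.example</a>.</p>"""

# Constructed sample of a message whose links really do stay on the sender's domain.
SAMPLE_LEGIT = '<p>See <a href="https://www.bank.example/help">our help pages</a>.</p>'

if __name__ == "__main__":
    for href, reason in phishing_indicators(SAMPLE_PHISH, "bank.example"):
        print(f"{reason}: {href}")
```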
Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users' computers and data without the users' permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user's Internet sessions back to the hacker, including usernames and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims' passwords and other useful data, such as sniffing Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.
Phishing Email and Associated Website Impersonating National Credit Union Administration Email and Website. Source: Anti-Phishing Working Group
At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS's website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information (such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things), the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.
Pretexting: Pretexting19 is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer's account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer's name.20
Stolen Media
In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an incidental manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.21 Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded, such as through the use of technological tools for protecting data, this information can be accessed and used to steal the victim's identity. Identity thieves also may obtain consumer data when it is lost or misplaced.
Failure to Know Your Customer
Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.
The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.22 For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.
Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.
In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.
Skimming
Because it is possible to use someone's credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.23 For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as skimmers. A skimmer is an inexpensive electronic device with a slot through which a person passes, or "skims," a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer's sight, he can skim the card through the device, and then swipe it through the restaurant's own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer's card, as well as the consumer's password.
D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT
Once they obtain victims' personal information, criminals misuse it in endless ways, from opening new accounts in the victim's name, to accessing the victim's existing accounts, to using the victim's name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.
Misuse of Existing Accounts
Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer's wallet.
A skimmer. Source: Durham, Ontario Police
In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.
Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims' bank accounts, including checking accounts, sometimes referred to as "account takeovers."24 The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims' online brokerage accounts.25
Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.26
New Account Fraud
A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim's name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.
Criminals' skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customers' keystrokes. Source: University of Texas Police Department
In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor's Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $1.3 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.
When criminals establish new credit card accounts in others' names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others' names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.
Brokering of Stolen Data
Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as "carding sites," traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.
Immigration Fraud
In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.27 Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.
Medical Identity Theft
Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim's identifying information is used to obtain or make false claims for medical care.28 In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.
Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorneys' Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver's licenses, credit, or even medical services because someone had improperly used their personal information before.
Other Frauds
Identitytheftisinherentinnumerousotherfraudsperpetratedbycriminals,includingmortgagefraudandfraudschemesdirectedatobtaininggovernmentbenefits,includingdisasterrelief funds.TheIRSsCriminalInvestigationDivision,forexample,hasseenanincreaseintheuseof stolenSSNstofiletaxreturns.Insomecases,thethief filesafraudulentreturnseekingarefundbeforethetaxpayerfiles.Whentherealtaxpayerfiles,theIRSmaynotaccepthisreturnbecauseitisconsideredaduplicatereturn.Evenif thetaxpayerultimatelyismadewhole,thegovernmentsuffersthelossfrompayingmultiplerefunds.
Withtheadventof theprescriptiondrugbenefitof MedicarePartD,theDepartmentof HealthandHumanServicesOfficeof theInspectorGeneral(HHSOIG)hasnotedagrowingincidenceof healthcarefraudsinvolvingidentitytheft.ThesefraudsincludetelemarketerswhofraudulentlysolicitpotentialMedicarePartDbeneficiariestodiscloseinformationsuchastheirHealthInsuranceClaimNumber(whichincludestheSSN)andbankaccountinformation,aswellasmarketerswhoobtainidentitiesfromnursinghomesandotheradultcarefacilities(includingdeceasedbeneficiariesandseverelycognitivelyimpairedpersons)andusethemfraudulentlytoenrollunwillingbeneficiariesinalternatePartDplansinordertoincreasetheirsalescommissions.Thetypesof fraudthatcanbeperpetratedbyanidentitythief arelimitedonlybytheingenuityandresourcesof thecriminal.
Robert C. Ingardia, a registered representative who had been associated with several broker-dealers, assumed the identity of his customers. Without authorization, Mr. Ingardia changed the address information for their accounts, sold stock in the accounts worth more than $800,000, and, in an effort to manipulate the market for two thinly-traded penny stock companies, used the cash proceeds of the sales to buy more than $230,000 worth of stock in the companies. The SEC obtained a temporary restraining order against Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the United States Attorney's Office for the Southern District of New York obtained a criminal conviction against him in 2002.
In July 2006, DOJ charged a defendant with 66 counts of false claims to the government, mail fraud, wire fraud, and aggravated identity theft, relating to the defendant's allegedly fraudulent applications for disaster assistance from the Federal Emergency Management Agency (FEMA) following Hurricane Katrina. Using fictitious SSNs and variations of her name, the defendant allegedly received $277,377 from FEMA.
III. A Strategy to Combat Identity Theft
Identity theft is a multi-faceted problem for which there is no simple solution. Because identity theft has several stages in its life cycle, it must be attacked at each of those stages, including:
when the identity thief attempts to acquire a victim's personal information;
when the thief attempts to misuse the information he has acquired; and
after an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.
The federal government's strategy to combat identity theft must address each of these stages by:
keeping sensitive consumer data out of the hands of identity thieves in the first place through better data security and by educating consumers on how to protect it;
making it more difficult for identity thieves, when they are able to obtain consumer data, to use the information to steal identities;
assisting victims in recovering from the crime; and
deterring identity theft by aggressively prosecuting and punishing those who commit the crime.
A great deal already is being done to combat identity theft, but there are several areas in which we can improve. The Task Force's recommendations, as described below, are focused on those areas.
A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS
Identity thieves can ply their trade only if they get access to consumer data. Reducing the opportunities for identity thieves to obtain the data in the first place is the first step to reducing identity theft. Government, the business community, and consumers all play a role in protecting data.
Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and impose the risk of substantial costs for all parties involved. Although there is no such thing as perfect security, some entities fail to adopt even basic security measures, including many that are inexpensive and readily available.
The link between a data breach and identity theft often is unclear.
Depending on the nature of the breach, the kinds of information breached, and other factors, a particular breach may or may not pose a significant risk of identity theft. Little empirical evidence exists on the extent to which, and under what circumstances, data breaches lead to identity theft, and some studies indicate that data breaches and identity theft may not be strongly linked.29 Nonetheless, because data thieves search for rich targets of consumer data, it is critical that organizations that collect and maintain sensitive consumer information take reasonable steps to protect it and explore new technologies to prevent data compromises.
1. Decreasing the Unnecessary Use of Social Security Numbers
The SSN is especially valuable to identity thieves, because often it is the key piece of information used in authenticating the identities of consumers. An identity thief with a victim's SSN and certain other information generally can open accounts or obtain other benefits in the victim's name. As long as SSNs continue to be used for authentication purposes, it is important to prevent thieves from obtaining them.
SSNs are readily available to criminals because they are widely used as consumer identifiers throughout the private and public sectors. Although originally created in 1936 to track workers' earnings for social benefits purposes, use of SSNs has proliferated over ensuing decades. In 1961, the Federal Civil Service Commission established a numerical identification system for all federal employees using the SSN as the identification number. The next year, the IRS decided to begin using the SSN as its taxpayer identification number (TIN) for individuals. Indeed, the use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, is expressly authorized by statute.
The simplicity and efficiency of using a seemingly unique number that most people already possessed encouraged widespread use of the SSN as an identifier by both government agencies and private enterprises, especially as they adapted their record-keeping and business systems to automated data processing. The use of SSNs is now common in our society.
Employers must collect SSNs for tax reporting purposes. Doctors or hospitals may need them to facilitate Medicare reimbursement. SSNs also are used in internal systems to sort and track information about individuals, and in some cases are displayed on identification cards. In 2004, an estimated 42 million Medicare cards displayed the entire SSN, as did approximately 8 million Department of Defense insurance cards. In addition, although the Veterans Health Administration (VHA) discontinued the issuance of Veterans Identification Cards that display SSNs in March 2004, and has issued new cards that do not display SSNs, the VHA estimates that between 3 million and 4 million previously issued cards containing SSNs remain in circulation with veterans receiving VA health care services. Some universities still use the SSN as the student's identification number for a range of purposes, from administering loans to tracking grades, and may place it on students' identification cards, although usage for these purposes is declining.
In June 2006, a federal judge in Massachusetts sentenced a defendant to five years in prison after a jury convicted him of passport fraud, SSN fraud, aggravated identity theft, identification document fraud, and furnishing false information to the SSA. The defendant had assumed the identity of a deceased individual and then used fraudulent documents to have the name of the deceased legally changed to a third name. He then used this new name and SSN to obtain a new SSN card, driver's licenses, and United States passport. The case was initiated based on information from the Joint Terrorism Task Force in Springfield, Massachusetts. The agencies involved in the investigation included SSA OIG, Department of State, Massachusetts State Police, and the Springfield and Boston police departments.
SSNs also are widely available in public records held by federal agencies, states, local jurisdictions, and courts. As of 2004, 41 states and the District of Columbia, as well as 75 percent of U.S. counties, displayed SSNs in public records.30 Although the number and type of records in which SSNs are displayed vary greatly across states and counties, SSNs are most often found in court and property records.
No single federal law regulates comprehensively the private sector or government use, display, or disclosure of SSNs; instead, there are a variety of laws governing SSN use in certain sectors or in specific situations. With respect to the private sector, for example, the GLB Act restricts the redisclosure to third parties of non-public personal information, such as SSNs, that was originally obtained from customers of a financial institution; the Health Insurance Portability and Accountability Act (HIPAA) limits covered health care organizations' disclosure of SSNs without patient authorization; and the Drivers Privacy Protection Act prohibits state motor vehicle departments from disclosing SSNs, subject to 14 permissible uses.31 In the public sector, the Privacy Act of 1974 requires federal agencies to provide notice to, and obtain consent from, individuals before disclosing their SSNs to third parties, except for an established routine use or pursuant to another Privacy Act exception.32 A number of state statutes restrict the use and display of SSNs in certain contexts.33 Even so, a report by the Government Accountability Office (GAO) concluded that, despite these laws, there were gaps in how the use and transfer of SSNs are regulated, and that these gaps create a risk that SSNs will be misused.34
There are many necessary or beneficial uses of the SSN. SSNs often are used to match consumers with their records and databases, including their credit files, to provide benefits and detect fraud. Federal, state, and local governments rely extensively on SSNs when administering programs that deliver services and benefits to the public.
Although SSNs sometimes are necessary for legal compliance or to enable disparate organizations to communicate about individuals, other uses are more a matter of convenience or habit. In many cases, for example, it may be unnecessary to use an SSN as an organization's internal identifier or to display it on an identification card. In these cases, a different unique identifier generated by the organization could be equally suitable, but without the risk inherent in the SSN's use as an authenticator.
In September 2006, a defendant was sentenced by a federal judge in Pennsylvania to six months in prison after pleading guilty to Social Security card misuse and possession of a false immigration document. The defendant provided a fraudulent Permanent Resident Alien card and a fraudulent Social Security card to a state trooper as evidence of authorized stay and employment in the United States. The case was investigated by the SSA's Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.
Some private sector entities and federal agencies have taken steps to reduce unnecessary use of the SSN. For example, with guidance from the SSA OIG, the International Association of Chiefs of Police (IACP) adopted a resolution in September 2005 to end the practice of displaying SSNs in posters and other written materials relating to missing persons. Some health insurance providers also have stopped using SSNs as the subscriber's identification number.35 Additionally, the Department of Treasury's Financial Management Service no longer includes personal identification numbers on the checks that it issues for benefit payments, federal income tax refund payments, and payments to businesses for goods and services provided to the federal government.
More must be done to eliminate unnecessary uses of SSNs. In particular, it would be optimal to have a unified and effective approach or standard for use or display of SSNs by federal agencies. The Office of Personnel Management (OPM), which issues and uses many of the federal forms and procedures using the SSN, and the Office of Management and Budget (OMB), which oversees the management and administrative practices of federal agencies, can play pivotal roles in restricting the unnecessary use of SSNs, offering guidance on better substitutes that are less valuable to identity thieves, and establishing greater consistency when the use of SSNs is necessary or unavoidable.
RECOMMENDATION: DECREASE THE UNNECESSARY USE OF SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR
To limit the unnecessary use of SSNs in the public sector and to begin to develop alternative strategies for identity management, the Task Force recommends the following:
Complete Review of Use of SSNs. As recommended in the Task Force's interim recommendations, OPM undertook a review of the use of SSNs in its collection of human resource data from agencies and on OPM-based papers and electronic forms. Based on that review, which OPM completed in 2006, OPM should take steps to eliminate, restrict, or conceal the use of SSNs (including assigning employee identification numbers where practicable), in calendar year 2007. If necessary to implement this recommendation, Executive Order 9397, effective November 23, 1943, which requires federal agencies to use SSNs in any system of permanent account numbers pertaining to individuals, should be partially rescinded. The use by federal agencies of SSNs for the purposes of employment and taxation, employment verification, and sharing of data for law enforcement purposes, however, is expressly authorized by statute and should continue to be permitted.
When purchasing advertising space in a trade magazine in 2002, a Colorado man wrote his birth date and Social Security number on the payment check. The salesman who received the check then used this information to obtain surgery in the victim's name. Two years later, the victim received a collection notice demanding payment of over $40,000 for the surgery performed on the identity thief. In addition to the damage this caused to his credit rating, the thief's medical information was added to the victim's medical records.
Issue Guidance on Appropriate Use of SSNs. Based on its inventory, OPM should issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of SSNs in employee records, including the appropriate way to restrict, conceal, or mask SSNs in employee records and human resource management information systems. OPM should issue this policy in calendar year 2007.
Require Agencies to Review Use of SSNs. OMB has surveyed all federal agencies regarding their use of SSNs to determine the circumstances under which such use can be eliminated, restricted, or concealed in agency business processes, systems, and paper and electronic forms, other than those authorized or approved by OPM. OMB should complete the analysis of these surveys in the second quarter of 2007.36
Establish a Clearinghouse for Agency Practices that Minimize Use of SSNs. Based on results from OMB's review of agency practices on the use of SSNs, the SSA should develop a clearinghouse for agency practices and initiatives that minimize use and display of SSNs to facilitate sharing of best practices, including the development of any alternative strategies for identity management, to avoid duplication of effort, and to promote interagency collaboration in the development of more effective measures. This should be accomplished by the fourth quarter of 2007.
Work with State and Local Governments to Review Use of SSNs. In the second quarter of 2007, the Task Force should begin to work with state and local governments through organizations such as the National Governors Association, the National Association of Attorneys General, the National League of Cities, the National Association of Counties, the U.S. Conference of Mayors, the National District Attorneys Association, and the National Association for Public Health Statistics and Information Systems to highlight and discuss the vulnerabilities created by the use of SSNs and to explore ways to eliminate unnecessary use and display of SSNs.
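The two ideas above, replacing the SSN as an organization's internal identifier with a generated employee number and restricting, concealing, or masking the SSN in employee records, can be shown in code. The following is an added illustration and not part of the Task Force report; the EmployeeDirectory class, the index key, and the sample SSN are all constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

SSN_PATTERN = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Purposes for which the full SSN may leave the restricted store. These follow
# the uses the report describes as authorized by statute (employment and
# taxation, employment verification); everything else sees only a masked value.
PERMITTED_FULL_SSN_USES = frozenset({"tax_reporting", "employment_verification"})


def mask_ssn(ssn: str) -> str:
    """Return the SSN with all but the last four digits concealed."""
    if not SSN_PATTERN.match(ssn):
        raise ValueError("SSN must be formatted NNN-NN-NNNN")
    return "***-**-" + ssn[-4:]


class EmployeeDirectory:
    """Hypothetical employee records keyed by a generated ID, never by SSN."""

    def __init__(self, index_key: bytes) -> None:
        # index_key is a constructed secret for this example; a real deployment
        # would draw it from a key management service. It keys the HMAC used to
        # detect duplicate enrollments without keeping raw SSNs in the index.
        self._index_key = index_key
        self._records: dict[str, dict] = {}   # employee_id -> record (no SSN)
        self._vault: dict[str, str] = {}      # employee_id -> full SSN (restricted)
        self._ssn_index: dict[str, str] = {}  # HMAC(SSN) -> employee_id

    def _ssn_tag(self, ssn: str) -> str:
        return hmac.new(self._index_key, ssn.encode(), hashlib.sha256).hexdigest()

    def enroll(self, name: str, ssn: str) -> str:
        """Create a record and return the organization-generated employee ID."""
        masked = mask_ssn(ssn)  # also validates the format
        tag = self._ssn_tag(ssn)
        if tag in self._ssn_index:
            raise ValueError("an employee with this SSN is already enrolled")
        # A random identifier is unique and carries no personal data, so it can
        # appear on badges and in HR systems without exposing the SSN.
        employee_id = "EMP-" + secrets.token_hex(4).upper()
        self._records[employee_id] = {"name": name, "ssn_masked": masked}
        self._vault[employee_id] = ssn
        self._ssn_index[tag] = employee_id
        return employee_id

    def record(self, employee_id: str) -> dict:
        """Everyday view: identity by employee ID, SSN only in masked form."""
        return dict(self._records[employee_id])

    def full_ssn(self, employee_id: str, purpose: str) -> str:
        """Release the full SSN only for an explicitly permitted purpose."""
        if purpose not in PERMITTED_FULL_SSN_USES:
            raise PermissionError(f"full SSN not released for purpose {purpose!r}")
        return self._vault[employee_id]
```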
RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON PRIVATE SECTOR USE OF SSNs
SSNs are an integral part of our financial system. They are essential in matching consumers to their credit file, and thus essential in granting credit and detecting fraud, but their availability to identity thieves creates a possibility of harm to consumers. Beginning in 2007, the Task Force should develop a comprehensive record on the uses of the SSN in the private sector and evaluate their necessity. Specifically, the Task Force member agencies that have direct experience with the private sector use of SSNs, such as DOJ, FTC, SSA, and the financial regulatory agencies, should gather information from stakeholders including the financial services industry, law enforcement agencies, the consumer reporting agencies, academics, and consumer advocates. The Task Force should then make recommendations to the President as to whether additional specific steps should be taken with respect to the use of SSNs. Any such recommendations should be made to the President by the first quarter of 2008.
2. Data Security in the Public Sector
While private organizations maintain consumer information for commercial purposes, public entities, including federal agencies, collect personal information about individuals for a variety of purposes, such as determining program eligibility and delivering efficient and effective services. Because this information often can be used to commit identity theft, agencies must guard against unauthorized disclosure or misuse of personal information.
a. Safeguarding of Information in the Public Sector
Two sets of laws and associated policies frame the federal government's responsibilities in the area of data security. The first specifically governs the federal government's information privacy program, and includes such laws as the Privacy Act, the Computer Matching and Privacy Protection Act, and provisions of the E-Government Act.37 The other concerns the information and information technology security program. The Federal Information Security Management Act (FISMA), the primary governing statute for this program, establishes a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets, and provides for development and maintenance of minimum controls required to protect federal information and information systems. FISMA assigns specific policy and oversight responsibilities to OMB, technical guidance responsibilities to the National Institute of Standards and Technology (NIST), implementation responsibilities to all agencies, and an operational assistance role to the Department of Homeland Security (DHS). FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. It further requires agency operational program officials, Chief Information Officers (CIOs), and Inspectors General (IGs) to conduct annual reviews of the agency information security program and report the results to OMB. Additionally, as part of its oversight role, OMB issued several guidance memoranda last year on how agencies should safeguard sensitive information, including a memorandum addressing FISMA oversight and reporting, which provided a checklist developed by NIST concerning protection of remotely accessed information, and which recommended that agencies, among other things, encrypt all data on mobile devices and use a time-out function for remote access and mobile devices.38 The United States Computer Emergency Readiness Team (US-CERT) has also played an important role in public sector data security.39
Federal law also requires that agencies prepare extensive data collection analyses and report periodically to OMB and Congress. The President's Management Agenda (PMA) requires agencies to report quarterly to OMB on selected performance criteria for both privacy and security. Agency performance levels for both status and progress are graded on a PMA Scorecard.40
Federal agency performance on information security has been uneven. As a result, OMB and the agencies have undertaken a number of initiatives to improve the government security programs. OMB and DHS are leading an interagency Information Systems Security Line of Business (ISSLOB) working group, exploring ways to improve government data security practices. This effort already has identified a number of key areas for improving government-wide security programs and making them more cost-effective.
Employee training is essential to the effectiveness of agency security programs. Existing training programs must be reviewed continuously and updated to reflect the most recent changes, issues, and trends. This effort includes the development of annual general security awareness training for all government employees using a common curriculum; recommended security training curricula for all employees with significant security responsibilities; an information-sharing repository/portal of training programs; and opportunities for knowledge-sharing (e.g., conferences and seminars). Each of these components builds elements of agency security awareness and practices, leading to enhanced protection of sensitive data.
b. Responding to Data Breaches in the Public Sector
Several federal government agencies suffered high-profile security breaches involving sensitive personal information in 2006. As is true with private sector breaches, the loss or compromise of sensitive personal information by the government has made affected individuals feel exposed and vulnerable and may increase the risk of identity theft. Until this Task Force issued guidance on this topic in September 2006, government agencies had no comprehensive formal guidance on how to respond to data breaches, and in particular, had no guidance on what factors to consider in deciding (1) whether a particular breach warrants notice to consumers, (2) the content of the notice, (3) which third parties, if any, should be notified, and (4) whether to offer affected individuals credit monitoring or other services.
The experience of the last year also has made one thing apparent: an agency that suffers a breach sometimes faces impediments in its ability to effectively respond to the breach by notifying persons and entities in a position to cooperate (either by assisting in informing affected individuals or by actively preventing or minimizing harms from the breach). For example, an agency that has lost data such as bank account numbers might want to share that information with the appropriate financial institutions, which could assist in monitoring for bank fraud and in identifying the account holders for possible notification. The very information that may be most necessary to disclose to such persons and entities, however, often will be information maintained by federal agencies that is subject to the Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in a system of records unless the subject individual has given written consent or unless the disclosure falls within one of 12 statutory exceptions.
RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH EXISTING GUIDANCE
To ensure that government agencies receive specific guidance on concrete steps that they can take to improve their data security measures, the Task Force recommends the following:
Develop Concrete Guidance and Best Practices. OMB and DHS, through the current interagency Information Systems Security Line of Business (ISSLOB) task force, should (a) outline best practices in the area of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the most common 10 or 20 mistakes to avoid in protecting information held by the government. The Task Force made this recommendation as part of its interim recommendations to the President, and it should be implemented and completed in the second quarter of 2007.
Comply With Data Security Guidance. OMB already has issued an array of data security regulations and standards aimed at urging agencies to better protect their data. Given that data breaches continue to occur, however, it is imperative that agencies continue to report compliance with its data security guidelines and directives to OMB. If any agency does not comply fully, OMB should note that fact in the agency's quarterly PMA Scorecard.
Protect Portable Storage and Communications Devices. Many of the most publicized data breaches in recent months involved losses of lap