The President’s Identity Theft Task Force
April 2007
Combating Identity Theft, Volume II: Supplemental Information
COMBATING IDENTITY THEFT A Strategic Plan
Table of Contents
Glossary of Acronyms
Identity Theft Task Force Members
A. Federal Laws and Regulations Related to Data Security
B. Enforcement Actions Relating to Data Security
C. Guidance for Businesses on Safeguarding Data
D. Guidance for Businesses on Data Breaches
E. Federal Consumer Education Efforts
F. Private Sector Consumer Education Efforts
G. Recent Laws Relating to Identification Documents
H. State Criminal Law Enforcement Efforts
I. Sentencing in Federal Identity Theft Prosecutions
J. Investigative Approaches to Identity Theft: Special Enforcement and Prosecution Initiatives
K. How Law Enforcement Obtains and Analyzes Identity Theft Data
L. Federal Law Enforcement Outreach Efforts
M. Investigative Approaches to Identity Theft: Interagency Working Groups and Task Forces
N. Federal Criminal Statutes Used to Prosecute Identity Theft
O. Training For and By Investigators and Prosecutors
P. Current Remediation Tools Available to Victims
Endnotes
Glossary of Acronyms
AAMVA – American Association of Motor Vehicle Administrators
AARP – American Association of Retired Persons
ABA – American Bar Association
APWG – Anti-Phishing Working Group
BBB – Better Business Bureau
BIN – Bank Identification Number
BJA – Bureau of Justice Assistance
BJS – Bureau of Justice Statistics
CCIPS – Computer Crime and Intellectual Property Section (DOJ)
CCMSI – Credit Card Mail Security Initiative
CFAA – Computer Fraud and Abuse Act
CFTC – Commodity Futures Trading Commission
CIO – Chief Information Officer
CIP – Customer Identification Program
CIRFU – Cyber Initiative and Resource Fusion Center
CMRA – Commercial Mail Receiving Agency
CMS – Centers for Medicare and Medicaid Services (HHS)
CRA – Consumer reporting agency
CVV2 – Card Verification Value 2
DBFTF – Document and Benefit Fraud Task Force
DHS – Department of Homeland Security
DOJ – Department of Justice
DPPA – Drivers Privacy Protection Act of 1994
FACT Act – Fair and Accurate Credit Transactions Act of 2003
FBI – Federal Bureau of Investigation
FCD – Financial Crimes Database
FCRA – Fair Credit Reporting Act
FCU Act – Federal Credit Union Act
FDI Act – Federal Deposit Insurance Act
FDIC – Federal Deposit Insurance Corporation
FEMA – Federal Emergency Management Agency
FERPA – Family and Educational Rights and Privacy Act of 1974
FFIEC – Federal Financial Institutions Examination Council
FIMSI – Financial Industry Mail Security Initiative
FinCEN – Financial Crimes Enforcement Network (Department of Treasury)
FISMA – Federal Information Security Management Act of 2002
FRB – Federal Reserve Board of Governors
FSI – Financial Services, Inc.
FTC – Federal Trade Commission
FTC Act – Federal Trade Commission Act
GAO – Government Accountability Office
GLB Act – Gramm-Leach-Bliley Act
HHS – Department of Health and Human Services
HIPAA – Health Insurance Portability and Accountability Act of 1996
IACP – International Association of Chiefs of Police
IAFCI – International Association of Financial Crimes Investigators
IC3 – Internet Crime Complaint Center
ICE – U.S. Immigration and Customs Enforcement
IRS – Internal Revenue Service
IRS CI – IRS Criminal Investigation Division
IRTPA – Intelligence Reform and Terrorism Prevention Act of 2004
ISI – Intelligence Sharing Initiative (U.S. Postal Inspection Service)
ISP – Internet service provider
ISS LOB – Information Systems Security Line of Business
ITAC – Identity Theft Assistance Center
ITCI – Information Technology Compliance Institute
ITRC – Identity Theft Resource Center
MCC – Major Cities Chiefs
NAC – National Advocacy Center
NASD – National Association of Securities Dealers, Inc.
NCFTA – National Cyber Forensic Training Alliance
NCHELP – National Council of Higher Education Loan Programs
NCUA – National Credit Union Administration
NCVS – National Crime Victimization Survey
NDAA – National District Attorneys Association
NIH – National Institutes of Health
NIST – National Institute of Standards and Technology
NYSE – New York Stock Exchange
OCC – Office of the Comptroller of the Currency
OIG – Office of the Inspector General
OJP – Office of Justice Programs (DOJ)
OMB – Office of Management and Budget
OPM – Office of Personnel Management
OTS – Office of Thrift Supervision
OVC – Office for Victims of Crime (DOJ)
PCI – Payment Card Industry
PIN – Personal Identification Number
PMA – President’s Management Agenda
PRC – Privacy Rights Clearinghouse
QRP – Questionable Refund Program (IRS CI)
RELEAF – Operation Retailers & Law Enforcement Against Fraud
RISS – Regional Information Sharing Systems
RITNET – Regional Identity Theft Network
RPP – Return Preparer Program (IRS CI)
SAR – Suspicious Activity Report
SBA – Small Business Administration
SEC – Securities and Exchange Commission
SMP – Senior Medicare Patrol
SSA – Social Security Administration
SSL – Security Socket Layer
SSN – Social Security number
TIGTA – Treasury Inspector General for Tax Administration
UNCC – United Nations Crime Commission
USA PATRIOT Act – Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Pub. L. No. 107-56)
USB – Universal Serial Bus
US-CERT – United States Computer Emergency Readiness Team
USPIS – United States Postal Inspection Service
USSS – United States Secret Service
VHA – Veterans Health Administration
VOIP – Voice Over Internet Protocol
VPN – Virtual private network
WEDI – Workgroup for Electronic Data Interchange
Identity Theft Task Force Members
Alberto R. Gonzales, Chairman – Attorney General
Deborah Platt Majoras, Co-Chairman – Chairman, Federal Trade Commission
Henry M. Paulson – Department of Treasury
Carlos M. Gutierrez – Department of Commerce
Michael O. Leavitt – Department of Health and Human Services
R. James Nicholson – Department of Veterans Affairs
Michael Chertoff – Department of Homeland Security
Rob Portman – Office of Management and Budget
John E. Potter – United States Postal Service
Ben S. Bernanke – Federal Reserve System
Linda M. Springer – Office of Personnel Management
Sheila C. Bair – Federal Deposit Insurance Corporation
Christopher Cox – Securities and Exchange Commission
JoAnn Johnson – National Credit Union Administration
Michael J. Astrue – Social Security Administration
John C. Dugan – Office of the Comptroller of the Currency
John M. Reich – Office of Thrift Supervision

PART A
FEDERAL LAWS AND REGULATIONS RELATED TO DATA SECURITY
Although there is no single comprehensive federal data security law, a number of federal laws, regulations, and guidelines relate to and protect consumer information. Each of these laws and regulations provides specific remedies that can be sought by the agencies with enforcement authority. Significant examples include:
TITLE V OF THE GRAMM-LEACH-BLILEY ACT (GLB Act), 15 U.S.C. §§ 6801-09
The GLB Act addresses privacy and security obligations of “financial institutions.” Financial institutions are defined broadly as those entities engaged in “financial activities” such as banking, lending, insurance, loan brokering, and credit reporting. 12 C.F.R. §§ 225.28, 225.86. The GLB Act addresses two distinct types of protection for personal information: protection of security and protection of privacy. Various federal agencies, including the federal bank regulatory agencies, the Federal Trade Commission (FTC), and the Securities and Exchange Commission (SEC), have issued regulations or guidelines addressing both the security and privacy provisions of the GLB Act. The security provisions require the agencies to write standards for financial institutions regarding appropriate physical, technical, and procedural safeguards to ensure the security and confidentiality of customer records and information, and to protect against anticipated threats and unauthorized access to such information. The privacy provisions require financial institutions to give notice to their customers of their information-sharing practices and provide customers with an opportunity to opt out of information-sharing with certain unaffiliated third parties in certain circumstances.
REMEDIES: The specific remedies available to each agency are listed below.
Interagency Guidelines Establishing Information Security Standards (“Interagency Security Guidelines”)
The Interagency Security Guidelines, jointly issued by the federal bank regulatory agencies in 2001, require each financial institution under their jurisdiction to have a written information security program designed to meet the statutory objectives of Title V of the GLB Act and Section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) regarding disposal of consumer information derived from consumer reports.[1] See 12 C.F.R. Part 30, App. B (national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (state member banks and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks); 12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A (credit unions). Under the guidelines, the institution’s board of directors must approve the program and oversee its development, implementation, and maintenance. The institution also must assess the risks to its customer information, identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure or misuse of its customer information, and assess the likelihood and potential damage of these threats, taking into account the institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. Each of the requirements in the guidelines regarding proper disposal of customer information also applies to the disposal of consumer information.
The institution must then design its information security program to control the identified risks. The guidelines stipulate certain minimum specific security measures that should be considered and adopted if appropriate to the institution’s risk profile. These measures include access controls on customer information systems, encryption of electronic customer information, monitoring systems to detect actual and attempted attacks on customer information systems, and response programs that specify actions to be taken when an institution suspects or detects unauthorized access to customer information.
Each institution must also train staff to implement the program and oversee its arrangements with service providers that have access to its customer information. This includes using due diligence in selecting service providers, requiring by contract that service providers implement appropriate safeguard measures that satisfy the guidelines, and monitoring the activities of service providers, where necessary, to control the risks the institution has identified that may be posed by the service provider’s access to the institution’s customer information.
An institution’s information security program must be dynamic. Institutions must routinely test their systems and address any weaknesses they discover. Institutions must adjust their programs to address new threats to customer information, changes in technology, and new business arrangements.
REMEDIES: The federal bank regulatory agencies have comprehensive supervision and examination authority over banks, savings associations, and credit unions, and are well positioned to detect violations of law, ensure compliance, and apply sanctions appropriate to the nature and severity of any violation of law or regulation. The bank regulatory agencies have a well-established arsenal of enforcement tools under sections 8 and 39 of the Federal Deposit Insurance Act (FDI Act) and sections 206 and 216 of the Federal Credit Union Act (FCU Act), ranging from informal to formal actions. Depending on the level of severity of a violation, an agency may choose to cite an institution for a violation, but forego formal action where management quickly remedies the situation. In other circumstances, formal, public actions are warranted and the regulators may seek civil penalties, restitution, and cease and desist orders.
Interagency Guidance on Authentication in an Internet Banking Environment (“Interagency Authentication Guidance”)
The Interagency Authentication Guidance, jointly issued by the federal bank regulatory agencies in 2005, states that financial institutions regulated by the agencies should conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing their Internet-based financial services. In the guidance, the federal bank regulatory agencies state that financial institutions should use effective risk-based methods to authenticate the identity of customers using their products and services. Single-factor authentication, as the only control mechanism, is considered inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions are encouraged to implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
REMEDIES: The guidance describes practices that the federal bank regulatory agencies consider to be safe and sound. The agencies may take enforcement action under section 8 of the FDI Act and section 206 of the FCU Act against an institution that engages in unsafe and unsound conduct.
FTC Standards for Safeguarding Customer Information (“Safeguards Rule”), 16 C.F.R. Part 314
The FTC’s Safeguards Rule applies to a wide variety of “financial institutions” that are not subject to the jurisdiction of other federal or state authorities under the GLB Act. Among the institutions that fall under the Safeguards Rule are non-bank mortgage lenders, loan brokers, some state-regulated financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors. The FTC’s regulation applies only to companies that are “significantly engaged” in such financial activities.
Like the Interagency Security Guidelines, the Safeguards Rule requires financial institutions to develop a written information security plan that describes their procedures to protect customer information. Further, the Rule requires covered entities to take certain procedural steps, including: (1) assigning employees to oversee the program; (2) conducting a risk assessment; (3) designing and implementing an information safeguards program; (4) contractually requiring service providers to protect customers’ information; and (5) evaluating and adjusting the program in light of relevant circumstances. However, given the wide variety of entities (large and small) that are covered, the Rule mandates a data security plan that accounts for each entity’s particular circumstances, including its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.
REMEDIES: The FTC can seek injunctive relief and other equitable remedies, including consumer redress or disgorgement in appropriate cases.
SEC Regulation S-P, 17 C.F.R. Part 248
In June 2000, the SEC adopted Regulation S-P, which implements the GLB Act’s Title V information privacy and safeguarding requirements for securities brokers and dealers, investment companies, and SEC-registered investment advisers. See 65 Fed. Reg. 40334 (June 29, 2000). Regulation S-P contains rules of general applicability that are substantively similar to the financial privacy rules adopted by the FTC and the federal bank regulatory agencies. In addition to providing general guidance, Regulation S-P contains numerous examples specific to the securities industry to provide more meaningful guidance to help firms implement its requirements. It also includes a section regarding procedures to safeguard information, including the disposal of consumer report information. See 17 C.F.R. § 248.30. This section requires securities firms to adopt written policies and procedures that address administrative, technical, and physical safeguards that are reasonably designed to: (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security and integrity of such records; and (3) protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
In a public statement released in September 2004, the SEC stated that in large and complex organizations, with thousands of employees and multiple offices, written policies and procedures to safeguard customers’ records and information generally address procedures at several levels, going from an organization-wide policy statement down to detailed procedures addressing particular controls. See Disposal of Consumer Report Information, Release Nos. 34-50361, IA-2293, IC-26596 (Sept. 14, 2004). More specifically, the SEC stated that at one level, the highest levels of management approve an organization-wide policy statement. At another level, more specific policies and procedures address separate areas of safeguarding risk. At a final level, detailed procedures set out the controls, management checks and balances, audit trail functions, and other actions needed to ensure that the firm’s safeguarding program is reasonably effective and verifiable by senior management. These written policies and procedures also generally designate a specialized staff of information security professionals to manage the organization’s day-to-day safeguarding operations, and an information security governance framework, to ensure that the information security policy is adequately supported throughout the enterprise. Finally, these written policies and procedures generally make provision for measures to verify the safeguarding program’s effectiveness, including risk assessments, independent audits and penetration tests, as well as active monitoring, surveillance, and detection programs. The SEC stated that this comprehensive approach to safeguarding is consistent with widely accepted standards adopted by government and private sector standard-setting bodies and professional literature and generally leads to reasonable written policies and procedures.
REMEDIES: A violation of Regulation S-P can result in supervisory action, such as a deficiency letter. In addition, the Commission has authority to initiate enforcement proceedings for violations of Regulation S-P under the Securities Exchange Act of 1934, the Investment Company Act of 1940, and the Investment Advisers Act of 1940. Violations of regulations under these acts can result in injunctive relief, civil penalties, or in some cases, imprisonment. Failure to honor a commitment to a customer also may constitute a violation of a rule of a self-regulatory organization, such as National Association of Securities Dealers (NASD) Rule 2110, which requires adherence to “high standards of commercial honor and just and equitable principles of trade.”
Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (“Incident Response Guidance”)
In 2005, the federal bank regulatory agencies also issued guidance for banks, savings associations, and credit unions, relating to breach notification. See 12 C.F.R. Part 30, Supp. A to App. B (national banks); 12 C.F.R. Part 208, Supp. A to App. D-2 and Part 225, Supp. A to App. F (state member banks and holding companies); 12 C.F.R. Part 364, Supp. A to App. B (state non-member banks); 12 C.F.R. Part 570, Supp. A to App. B (savings associations); 12 C.F.R. 748, App. B (credit unions). The guidance states that each of these financial institutions should develop and implement a response program to address incidents of unauthorized access to or use of customer information maintained by or on behalf of the institution as part of the information security program required by the Interagency Security Guidelines. The program must contain procedures for: (1) assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused; (2) notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information; (3) notifying appropriate law enforcement authorities, in addition to filing a timely Suspicious Activities Report, in situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing; (4) taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; and (5) notifying customers when warranted.
The Incident Response Guidance also describes when and how a financial institution should provide notice to customers affected by unauthorized access or misuse of sensitive customer information. In particular, it indicates that once the institution becomes aware of an incident of unauthorized access to “sensitive customer information” as defined in the guidance, it should conduct a reasonable investigation to determine promptly the likelihood that the information has been or will be misused. If the institution determines that misuse of customer information has occurred or is reasonably possible, it should notify any affected customer as soon as possible.
Such notice should be given in a clear and conspicuous manner, and it should include a description of the incident, the type of customer information affected, the steps taken to protect the customers’ information from further unauthorized access, a telephone number that customers can call for further information and assistance, and other information as appropriate to the situation. The guidance also makes clear that an institution remains responsible for protecting customer information in the hands of a service provider and that it, by contract, should require the service provider to take appropriate actions to address incidents of unauthorized access to the institution’s customer information, including notifying the institution of security breaches involving the institution’s customer information.
REMEDIES: The guidance represents the federal bank regulatory agencies’ interpretation of the standards set out in the Interagency Security Guidelines described above. Remedies for breaches are discussed in that section. In addition, the guidance describes practices that the federal bank regulatory agencies consider to be safe and sound. The agencies may take enforcement action under section 8 of the FDI Act and section 206 of the FCU Act against an institution that engages in unsafe and unsound conduct.
Privacy of Consumer Financial Information (“Privacy Rule”)
The Privacy Rule, issued by the federal bank regulatory agencies and the FTC, implements the privacy provisions of the GLB Act with respect to financial institutions under their respective jurisdictions. 16 C.F.R. Part 313 (FTC); 12 C.F.R. Parts 40 (OCC), 216 (FRB), 332 (FDIC), 573 (OTS), and 716 (NCUA). Subject to certain exceptions, it prohibits financial institutions from disclosing nonpublic personal information to non-affiliated third parties without first providing consumers with notice and the opportunity to opt out of the disclosure. The notice and opt out must be provided no later than when a customer relationship arises and annually for the duration of that relationship, or at a reasonable time before the disclosure in the case of non-customers. The notice must be “a clear and conspicuous notice that accurately reflects [the financial institution’s] privacy policies and practices” including policies and practices related to security.
REMEDIES: Pursuant to the FTC Act, the FTC can seek injunctive relief, as well as consumer redress or disgorgement in appropriate cases. The GLB Act provides that the regulations may be enforced by the federal bank regulatory agencies under section 8 of the FDI Act and section 206 of the FCU Act, which are discussed in detail above under “Interagency Security Guidelines.”
FAIR CREDIT REPORTING ACT (FCRA), 15 U.S.C. §§ 1681-1681x, as amended by the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”), Pub. L. No. 108-159, 117 Stat. 1952
The FCRA contains requirements designed to protect the privacy of consumer report information, which includes account, credit history, and employment information. Under the FCRA, consumer reporting agencies are prohibited from distributing consumer reports except for specified “permissible purposes.” These entities must maintain reasonable procedures to ensure that they provide consumer reports only for such purposes, such as by verifying the identities of persons obtaining consumer reports and their intended use of the information. The FACT Act amendments to the FCRA added a number of new requirements, many of which have been or are being implemented through rulemaking. Several of these new requirements are intended to prevent identity theft or assist victims in the recovery process. The rules most relevant to data security are discussed below.[2]
REMEDIES: The FCRA allows for both monetary relief, including civil penalties, and injunctive relief for violations of the Act, 15 U.S.C. § 1681s, and provides for criminal sanctions against those who infringe on consumer privacy by unlawfully obtaining consumer reports. The FCRA and its implementing regulations may be enforced by the federal bank regulatory agencies under section 8 of the FDI Act and section 206 of the FCU Act, which are discussed in detail above under “Interagency Security Guidelines.”
Disposal of Consumer Report Information and Record Rule (“Disposal Rule”)
The FACT Act amended the FCRA to include a number of provisions designed to increase the protection of sensitive consumer information. One such provision required the financial regulatory agencies and the FTC to promulgate a coordinated rule designed to prevent unauthorized access to consumer report information by requiring all users of such information to have reasonable procedures to dispose of it properly. This Disposal Rule took effect on June 1, 2005.
The Rule applies to any entity that maintains consumer reports or information derived from consumer reports. The Rule does not address when entities must dispose of such information, but rather how they must dispose of it: by using disposal practices that are reasonable and appropriate to prevent the unauthorized access to or use of information in a consumer report. The standard is flexible and allows the organizations and individuals covered by the Rule to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology. For the federal bank regulatory agencies, these requirements are included in their Interagency Security Guidelines. The SEC’s disposal rule requirements are included in the SEC’s Regulation S-P (17 C.F.R. § 248.30(b)).
REMEDIES: All remedies available under the FCRA (see above) and remedies available for violation of the SEC’s Regulation S-P (see above).
Identity Theft Red Flags and Address Discrepancies Rule under the FACT Act (“Red Flags Rule”), Pub. L. No. 108-159, 117 Stat. 1952, Sections 114 and 315. (Proposed)
On July 18, 2006, the financial regulatory agencies and the FTC issued a notice of proposed rulemaking for the Red Flags Rule, a new regulation designed to reduce identity theft. The regulations would require every financial institution and creditor to develop and implement a written identity theft prevention program that includes policies and procedures for detecting, preventing, and mitigating identity theft in connection with account openings and existing accounts. The program must be risk-based and tailored to the size and complexity of each financial institution or creditor and the nature and scope of its activities. Credit card and debit card issuers must develop policies and procedures to assess the validity of a request for a change of address that is followed closely by a request for an additional or replacement card.
In addition, as required by statute, the proposed regulations require users of consumer reports to develop reasonable policies and procedures regarding notices of address discrepancies they receive from a consumer reporting agency (CRA). If a user of a consumer report receives notice from a CRA that the address a consumer has provided to obtain the report “substantially differs” from the consumer’s address in the CRA’s file, the user must reasonably confirm as accurate an address for the consumer and provide it to the CRA.
REMEDIES: All remedies available under the FCRA. (See above.)
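The card-issuer control described above (a change of address followed closely by a request for an additional or replacement card), as an added illustration that is not part of the report: a small detector that scans a constructed account-activity log and flags card requests that arrive within a chosen window after an address change on the same account, so that the issuer can verify the request before shipping a card. The 30-day window and the log format are assumptions; the proposed rule says only "followed closely" and fixes no number.

```python
"""Red Flags Rule style check: additional/replacement card requested shortly after an
address change on the same account. Added example with constructed data (not from the report)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed account-activity log, CSV fields: timestamp,account,event,detail.
# Lines are deliberately not in time order to show that the detector sorts per account.
SAMPLE_LOG = """\
2007-03-01T09:12:00,A-1001,address_change,12 Elm St
2007-03-04T14:05:00,A-1001,card_request,replacement
2007-01-10T10:00:00,A-1002,address_change,9 Oak Ave
2007-03-15T11:30:00,A-1002,card_request,replacement
2007-03-02T08:45:00,A-1003,card_request,replacement
2007-03-05T16:20:00,A-1004,card_request,additional
2007-03-05T09:00:00,A-1004,address_change,77 Pine Rd
2007-03-01T12:00:00,A-1005,card_request,replacement
2007-03-10T12:00:00,A-1005,address_change,3 Birch Ln
"""

# Only these card request types trigger the rule; a PIN reminder, for instance, would not.
CARD_REQUEST_TYPES = ("replacement", "additional")


@dataclass(frozen=True)
class AccountEvent:
    account_id: str
    timestamp: datetime
    kind: str      # "address_change" or "card_request"
    detail: str    # new address, or the card request type


@dataclass(frozen=True)
class RedFlag:
    account_id: str
    address_change_at: datetime
    card_request_at: datetime
    days_between: int
    new_address: str


def parse_log(text: str) -> List[AccountEvent]:
    """Parse the constructed CSV log into events; blank lines are skipped."""
    events: List[AccountEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, kind, detail = line.split(",", 3)
        events.append(AccountEvent(account, datetime.fromisoformat(ts), kind, detail))
    return events


def find_address_change_red_flags(events: Iterable[AccountEvent],
                                  window_days: int = 30) -> List[RedFlag]:
    """Flag every additional/replacement card request that follows an address change
    on the same account within window_days. A card request that precedes the change,
    or one with no prior change on record, is not flagged. The window is an assumption."""
    by_account: Dict[str, List[AccountEvent]] = {}
    for ev in events:
        by_account.setdefault(ev.account_id, []).append(ev)

    flags: List[RedFlag] = []
    for account_id, account_events in by_account.items():
        last_change: Optional[AccountEvent] = None
        for ev in sorted(account_events, key=lambda e: e.timestamp):
            if ev.kind == "address_change":
                last_change = ev
            elif (ev.kind == "card_request" and ev.detail in CARD_REQUEST_TYPES
                  and last_change is not None):
                delta = ev.timestamp - last_change.timestamp
                if delta <= timedelta(days=window_days):
                    flags.append(RedFlag(account_id, last_change.timestamp,
                                         ev.timestamp, delta.days, last_change.detail))
    return flags


if __name__ == "__main__":
    for flag in find_address_change_red_flags(parse_log(SAMPLE_LOG)):
        print(f"{flag.account_id}: {flag.detail if False else 'card request'} "
              f"{flag.days_between} day(s) after address change to {flag.new_address!r}; "
              f"verify with the customer before issuing the card")
```

A real program would route each flag to a verification step (for example, confirming the request through the contact details on file before the change) rather than merely printing it.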
FEDERAL TRADE COMMISSION ACT (FTC Act), 15 U.S.C. § 45(a)
The FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce” and gives the FTC broad jurisdiction over a wide variety of entities and individuals operating in commerce. Prohibited deceptive practices include making false or misleading claims about the privacy and security provided for consumer information. The FTC Act also prohibits unfair practices, including unfair practices affecting consumer data. Practices are unfair if they cause or are likely to cause consumers substantial injury that is neither reasonably avoidable by consumers nor offset by countervailing benefits to consumers or competition. The FTC has used this authority to challenge a variety of injurious practices, including companies’ failure to provide reasonable and appropriate security for sensitive consumer data such as Social Security numbers (SSNs) and financial account information. (See discussion of enforcement actions below.) The federal bank regulatory agencies have also enforced Section 5 of the FTC Act against financial institutions under their jurisdiction.
REMEDIES: Injunctive relief, affirmative conduct requirements, and consumer redress or disgorgement of ill-gotten gains in appropriate cases. The FTC Act may be enforced by the federal bank regulatory agencies under section 8 of the FDI Act and section 206 of the FCU Act, which are discussed in detail above under “Interagency Security Guidelines.”
CUSTOMER IDENTIFICATION PROGRAM RULES Implementing Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act), 31 U.S.C. § 5318(l)
Banks, savings associations, credit unions, broker-dealers, mutual funds, and futures commission merchants are required to follow verification procedures under rules issued by the federal bank regulatory agencies, the Department of Treasury, the CFTC, and the SEC under section 326 of the USA PATRIOT Act. The implementing rules require every covered entity to design and implement a customer identification program (CIP) that includes policies and procedures for verifying the identity of a person opening a new account. While the primary purpose of the regulations implementing the USA PATRIOT Act was to deter terrorist financing and money laundering, the CIP regulations also play a role in preventing identity theft.
REMEDIES: The Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) has authority to assess penalties against financial institutions that violate this regulation. The regulation also is enforced by the federal bank regulatory agencies under section 8 of the FDI Act and section 206 of the FCU Act, which are discussed in detail above under “Interagency Security Guidelines.” The SEC examines mutual funds, and the SEC and relevant self-regulatory organizations examine broker-dealers, for compliance with the regulation and may also bring enforcement actions depending on the circumstances. The CFTC has similar authority for futures commission merchants.
THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA), 42 U.S.C. § 1320d et seq.
HIPAA and the implementing Privacy Rule prohibit covered entities (including health plans, health care clearinghouses, and certain health care providers) from disclosing to third parties an individual’s protected health information without prior authorization, subject to some exceptions, such as the disclosure of patient records by covered entities for purposes of routine treatment, insurance, payment or, in limited circumstances, credit reporting relating to account information. 45 C.F.R. Part 160 and Subparts A and E of Part 164 (“HIPAA Privacy Rule”). Like the GLB Act Safeguards Rule, the HIPAA Privacy Rule requires covered entities under its jurisdiction to have in place “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.” 45 C.F.R. § 164.530(c). The HIPAA Security Rule similarly seeks to protect the confidentiality, integrity, and availability of electronic protected health information by specifying a series of administrative, technical, and physical security procedures for covered entities to use to assure the security and confidentiality of electronic protected health information. 45 C.F.R. Part 160 and Subparts A and C of Part 164 (“HIPAA Security Rule”).
REMEDIES: HIPAA allows for civil monetary penalties and criminal sanctions for violations under some circumstances.
THE DRIVERS PRIVACY PROTECTION ACT OF 1994 (DPPA), 18 U.S.C. §§ 2721-2725
The DPPA prohibits the disclosure of a driver’s personal information (i.e., individual photograph, SSN, and driver identification number) obtained in connection with a motor vehicle record. The DPPA contains exceptions that allow for certain disclosures of such information, such as for use by an insurer or to provide notice to the owners of towed or impounded vehicles. The DPPA also prohibits an individual from knowingly obtaining a driver’s personal information for a use not permitted under the Act, and from making a false representation to obtain any such information.
REMEDIES: For violations of the Act, the DPPA provides for criminal fines against individuals and/or State Departments of Motor Vehicles, civil penalties for violations by State Departments of Motor Vehicles, and a private right of action for individuals.
THE FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA), 20 U.S.C. § 1232g; 34 C.F.R. Part 99
FERPA protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights with respect to their children’s education records; these rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Under FERPA, a parent or an eligible student has the right to inspect and review the student’s education records maintained by the school and to request that a school correct records that the parent or eligible student believes to be inaccurate or misleading. Furthermore, schools generally must have written permission from the parent or eligible student to release any information from a student’s education record, subject to certain exceptions, such as disclosures to appropriate parties in connection with financial aid to a student. Schools may disclose “directory” release information – including a student’s name, address, telephone number, and date and place of birth – but must provide advance notice to parents and eligible students and allow them a reasonable amount of time to opt out of the disclosure.
REMEDIES: Institutions in violation of FERPA can be denied federal educational funding.
DEPARTMENT OF VETERANS AFFAIRS INFORMATION SECURITY ACT OF 2006, 38 U.S.C. §§ 5721-28
The Department of Veterans Affairs Information Security Enhancement Act of 2006 establishes a comprehensive information security program for the Department of Veterans Affairs (VA) and outlines requirements for the VA's response to data breaches. The Act provides that if it appears that VA sensitive information may have been compromised, and an independent data breach analysis determines that a reasonable risk of potential misuse exists, then the VA must offer credit protection services to the record subjects. The following credit protection services must be prescribed in VA regulations: notification of the record subjects, data mining, fraud alerts, data breach analyses, credit monitoring, identity theft insurance, and credit protection services. In addition, the VA must comply with Congressional notification requirements regarding data breaches. The Act requires all VA contracts in which the contractor will have access to VA sensitive information to contain provisions prohibiting the contractor from sharing the information with other entities except to perform the contract, requiring the contractor to report any data breaches to the agency, and requiring the contractor to pay liquidated damages to the VA for any data breach involving sensitive VA information.

PART B: ENFORCEMENT ACTIONS RELATING TO DATA SECURITY
Many federal agencies have taken aggressive enforcement actions in response to data security failures. Some of those actions are listed below.

Federal Bank Regulatory Agencies

The federal bank regulatory agencies have taken numerous enforcement actions against institutions for failure to have adequate programs to safeguard customer information. The FDIC took 17 formal enforcement actions between the beginning of 2002 and the end of 2006; the FRB has taken 14 formal enforcement actions in the past five years; the OCC has taken 18 formal actions since 2002; and the OTS has taken 8 formal enforcement actions in the past five years.

The following are just a few examples of the formal and informal actions taken by those agencies in recent years:

A federal bank regulatory agency assessed civil money penalties against a subsidiary of a bank for improperly disposing of customer records.

A federal bank regulatory agency issued a cease and desist order against a California-based financial institution, requiring, among other things, that the institution notify customers of security breaches, after the federal regulator's investigation revealed that the institution's service provider improperly disposed of hundreds of customer loan files. The regulator also issued a cease and desist order against the financial institution's service provider, and assessed hundreds of thousands of dollars in civil penalties against the financial institution and its service provider.

A federal bank regulatory agency, after investigating allegations of a data compromise by a financial institution employee, directed a retail credit card bank to notify customers whose accounts or information may have been compromised. The regulator was able to determine that the information was used for nefarious purposes, after working collaboratively with the FTC to review complaints of identity theft made to the FTC through its Identity Theft Data Clearinghouse, with which the regulator is an information-sharing member. The financial regulator imposed on the employee a lifetime prohibition order from the banking industry and ordered him to pay a $25,000 civil penalty.
A federal bank regulatory agency directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after the regulator determined that the financial institution's employee screening practices had inadvertently permitted a convicted felon, who engaged in identity theft-related crimes, to gain employment at the financial institution. Deficiencies in the institution's screening practices came to light through the regulator's review of the former employee's activities.

In 2004, a federal bank regulatory agency's examination of a state-chartered bank disclosed significant computer system deficiencies and inadequate controls to prevent unauthorized access to customer information. The financial institution regulator issued an order directing the bank to develop and implement an information security program meeting the requirements of the Guidelines Establishing Information Security Standards. More specifically, the order required the bank to perform a formal risk assessment of internal and external threats that could result in unauthorized access to customer information, review computer user access levels to ensure that access was restricted to only those individuals with a legitimate business need to access the customer information, and review all other security controls to manage and control the risks to customer information.

The federal bank regulatory agencies also have taken dozens of enforcement actions against financial institution insiders who breached their duty of trust to customers, were engaged in identity theft-related activities, or were otherwise involved in serious breaches, compromises, or the misuse of customer information. These enforcement actions have included, for example, prohibiting individuals from working in the financial services industry, personal cease and desist orders restricting the use of customer information, the assessment of significant civil money penalties, and orders requiring restitution.

Securities and Exchange Commission (SEC)

Pursuant to the Regulation S-P standards, the SEC's staff has actively examined securities firms to determine whether they have policies and procedures reasonably designed to protect their customers from identity theft. Specifically, the SEC, along with the NASD and the New York Stock Exchange (NYSE), examines registered firms for Regulation S-P compliance by examining their operations and reviewing customer complaints, and the SEC is the primary regulator of investment companies and investment advisers registered with the SEC. The SEC also evaluates the quality of NASD and NYSE oversight in enforcing their members' compliance with federal securities laws, including compliance with Regulation S-P. The most common Regulation S-P deficiencies have been failure to provide privacy notices, lack of or inadequate privacy policies, and lack of or inadequate policies and procedures for safeguarding customer information. The SEC has not yet found any deficiencies during its examinations that warranted formal enforcement actions; instead, the SEC thus far has dealt with Regulation S-P compliance as a supervisory matter and has required registrants to resolve deficiencies without taking formal action.
The SEC has conducted two separate examination sweep programs reviewing securities firms' policies and procedures to protect their customers from identity theft. The first was conducted in 2002 and 2003, and the second is ongoing. In the first program, the SEC focused on large firms where a significant security breach could implicate large numbers of customers. The program included broker-dealers with more than half of all brokerage accounts and fund complexes with approximately a third of all mutual fund assets. In the second program, the SEC selected firms for review based on a number of factors including the extent to which their business model is dependent on the Internet, recent complaints, and certain affiliations. In both sweep programs, the overall goal has been to assess the reasonableness of securities firms' policies and procedures to protect their customers from identity theft. These sweep programs supplement the SEC's regular examination program, which includes examining securities firms' compliance with the SEC's requirements for safeguarding customer records and information.

At the SEC, consideration is being given to the possibility of adding provisions to the SEC's financial privacy rules to provide more detailed guidance.

Federal Trade Commission

The FTC has brought 14 cases against firms that allegedly failed to maintain reasonable procedures to protect the sensitive consumer data they collected.

In the Matter of Guidance Software, Inc., FTC File No. 062-3057 (November 16, 2006) (consent order), http://www.ftc.gov/opa/2006/11/guidance.htm

The FTC charged that Guidance, a seller of software for use in responding to computer breaches and other security incidents, failed to take reasonable security measures to protect sensitive customer data despite promises made on its website. The complaint alleged that Guidance's failure to protect the sensitive data as promised constituted a deceptive practice under Section 5 of the FTC Act. The matter was settled through a consent agreement in which Guidance agreed to implement a comprehensive information-security program and obtain audits by an independent third-party security professional every other year for 10 years.

In the Matter of Card Systems Solutions, Inc. and Solidus Networks, Inc., d/b/a Pay by Touch Solutions, FTC File No. 052-3148 (Sept. 8, 2006) (consent order), http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html
The FTC charged that CardSystems, a processor of transactions for major credit cards, failed to provide reasonable security for sensitive consumer information, resulting in the breach of credit card information for tens of millions of cardholders. The complaint alleged that this failure caused or was likely to cause substantial consumer injury and constituted an unfair practice under Section 5 of the FTC Act. The matter was resolved through a settlement whereby CardSystems and its successor company agreed to implement a comprehensive information security program that must be certified by a qualified, independent, third-party professional every other year for 20 years.

In the Matter of Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens, FTC Docket No. C-4161 (June 19, 2006) (consent order), http://www.ftc.gov/os/caselist/0523117/0523117.htm

In the Matter of Superior Mortgage Corp., FTC Docket No. C-4153 (Dec. 14, 2005) (consent order), http://www.ftc.gov/os/caselist/0523136/0523136.htm

In the Matter of Nationwide Mortgage Group, Inc., and John D. Eubank, FTC Docket No. 9319 (April 12, 2005) (consent order), http://www.ftc.gov/os/adjpro/d9319/index.htm

In the Matter of Sunbelt Lending Services, FTC Docket No. C-4129 (Jan. 3, 2005) (consent order), http://www.ftc.gov/os/caselist/0423153/04231513.htm

In these cases, the FTC charged four companies in the real estate business with violating the GLB Safeguards Rule by failing to provide reasonable security to protect consumers' confidential financial information, including SSNs, bank and credit card account numbers, and credit histories. In the Nationwide and Sunbelt cases, the FTC charged that the companies violated the GLB Privacy Rule by failing to provide required privacy notices to consumers, and in the Nationwide and Superior cases, that the companies allegedly misrepresented their security procedures. In settling these cases, the companies agreed to comply with the various laws and regulations they allegedly violated and to implement a comprehensive security program and obtain periodic audits from an independent professional.

In the Matter of DSW, Inc., FTC Docket No. C-4157 (March 14, 2006) (consent order), http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html

Following a breach involving account information for 1.5 million credit card, debit card, and checking accounts, the FTC charged that shoe discounter DSW engaged in an unfair practice by failing to provide reasonable security for sensitive consumer information. In settling the case, as in other FTC data security orders, DSW agreed to implement a comprehensive information security program and obtain periodic audits.

United States v. ChoicePoint, Inc., 106-CV-0198 (N.D. Ga. February 15, 2006), http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html
Following a breach involving the sensitive information, including thousands of credit reports, of over 160,000 consumers, the FTC charged data broker ChoicePoint with failing to have reasonable procedures to screen prospective purchasers of their data products. According to the FTC complaint, ChoicePoint failed to detect obvious signs that certain purchasers were lying about their credentials, and as a result, ChoicePoint sold information to identity thieves posing as legitimate businesses. The FTC charged that ChoicePoint violated the FCRA by furnishing consumer reports to purchasers who did not have a permissible purpose to obtain them, and by failing to maintain reasonable procedures to verify purchasers' identities and purposes for obtaining the information. The agency also charged that ChoicePoint violated the FTC Act by engaging in unfair practices and by making false and misleading statements in its privacy policies about its credentialing procedures. The FTC alleged that ChoicePoint's practices led to at least 800 cases of identity theft at the time the complaint was filed. In its settlement with the FTC, ChoicePoint agreed to pay $10 million in civil penalties for its violations of the FCRA, and $5 million in redress to identity theft victims. The settlement also requires ChoicePoint to maintain reasonable procedures to prevent the provision of a consumer report to a party without a permissible purpose, including specific types of investigation and certification procedures.

In the Matter of BJ's Wholesale Club, Inc., FTC Docket No. C-4148 (Sept. 20, 2005) (consent order), http://www.ftc.gov/opa/2005/06/bjswholesale.htm

Following a security breach involving account information for thousands of credit and debit cards, BJ's settled FTC charges that its failure to take appropriate security measures to protect the sensitive account information of its customers was an unfair practice. The FTC had alleged that an unauthorized person or persons made millions of dollars in fraudulent purchases using counterfeit copies of credit and debit cards that had been used at BJ's stores. In settling the case, as in other FTC data security orders, BJ's agreed to implement a comprehensive information security program and obtain periodic audits.

In the Matter of Petco Animal Supplies, Inc., FTC Docket No. C-4133 (March 4, 2005) (consent order), http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html
Petco settled FTC charges that security flaws in its www.petco.com website violated privacy promises it made to its customers and therefore was a deceptive practice in violation of the FTC Act. According to the FTC complaint, Petco made security claims on its website, for example, that customers' personal data was encrypted and "strictly shielded from unauthorized access." The FTC alleged that, in fact, Petco did not encrypt the data and failed to implement reasonable measures to protect sensitive consumer information from common attacks. As a result, a hacker allegedly was able to penetrate the website and access credit card numbers stored in unencrypted clear text. The settlement prohibits Petco from misrepresenting the extent to which it maintains and protects sensitive consumer information and, as in other FTC data security orders, requires the company to implement a comprehensive information security program and obtain periodic audits.

In the Matter of MTS Inc., d/b/a Tower Records/Books/Video, FTC Docket No. C-4110 (May 28, 2004) (consent order), http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html

Tower settled FTC charges that a security flaw in the Tower website exposed customers' personal information to other Internet users, in violation of Tower's claims in its privacy policy that it used "state-of-the-art" security technology. The settlement bars Tower from misrepresenting the extent to which it maintains and protects the privacy, confidentiality, or security of personal information collected from or about consumers. As in other FTC data security cases, Tower also agreed to implement a comprehensive information security program and obtain periodic audits.

In the Matter of Guess?, Inc., FTC Docket No. C-4091 (July 30, 2003) (consent order), http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html

Guess settled FTC charges that it exposed consumers' personal information, including credit card numbers, to commonly known attacks by hackers, contrary to the company's claims that it would keep the information secure and protected. The complaint also alleged that Guess falsely claimed that the personal information was stored in an encrypted format. According to the complaint, a visitor to the website, using a common attack, was able to read, in clear text, credit card numbers stored in Guess' databases. The settlement, like those in the Tower and Petco cases, prohibits future misrepresentations and requires Guess to implement a comprehensive information security program and obtain periodic audits.

In the Matter of Microsoft Corp., FTC Docket No. C-4069 (Dec. 20, 2002) (consent order), http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html

Microsoft settled FTC charges that it made false representations about the security, confidentiality, and features of its "Passport" services, including claims that purchases made using the service were generally safer or more secure than purchases made without it. According to the FTC complaint, Microsoft failed to implement sufficient security procedures to maintain the high level of security it represented. The settlement, like those in Tower, Petco, and Guess, prohibits future misrepresentations and requires Microsoft to implement a comprehensive information security program and obtain periodic audits.
In the Matter of Eli Lilly & Co., FTC Docket No. C-4047 (May 8, 2002) (consent order), http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html

Lilly settled FTC charges that it engaged in a deceptive practice when it made claims about the confidentiality of personal information it gathered on its websites, while failing to maintain measures to protect that information. These alleged failures led to the company's disclosure of the email addresses of 669 subscribers, which essentially revealed that they were users of Lilly's prescription drug Prozac. The settlement, like those in Tower, Petco, Guess, and Microsoft, prohibits future misrepresentations and requires Lilly to implement a comprehensive information security program and obtain periodic audits.
PART C: GUIDANCE FOR BUSINESSES ON SAFEGUARDING DATA

Federal Agency Guidance

While the enforcement efforts by the government are key to sending a message about the importance of securing data and preventing identity theft, education and outreach also can help to ensure that companies are aware of their legal obligations to protect the data they hold. Numerous federal agencies – including the FTC, the federal bank regulatory agencies, the National Institute of Standards and Technology (NIST), the Small Business Administration (SBA), and the Department of Health and Human Services (HHS) – provide guidance to the industries they regulate on the subject of data protection. This guidance is accessible through agency websites, written brochures, speeches, workshops, and conferences. These efforts include the following:

Federal Trade Commission. The FTC's emphasis is on preventing breaches before they happen by encouraging businesses to make data security part of their regular operations and corporate culture. The agency recognizes that there is no one-size-fits-all data security "fix," and offers companies realistic advice about adapting old-school business practices to meet new-style threats. Its recommendations deal with employee management and training, appropriate information systems security, and detecting and managing system failures through constant monitoring and system updates. The FTC has numerous programs to inform organizations about their legal responsibilities to strengthen data security:

Publications. Among the publications the FTC has produced for businesses are Security Check: Reducing Risks to Your Computer Systems, available at www.ftc.gov/bcp/conline/pubs/buspubs/security.htm; Financial Institutions and Customer Information: Complying with the Safeguards Rule, available at www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm; Disposing of Consumer Report Information? New Rule Tells How, available at www.ftc.gov/bcp/conline/pubs/alerts/disposalalrt.htm; and Securing Your Wireless Network, available at www.ftc.gov/bcp/conline/pubs/online/wireless.pdf. The FTC has recently issued a new brochure on how entities can safeguard sensitive consumer information at www.ftc.gov/infosecurity.

OnGuardOnline website, available at www.onguardonline.gov. This website offers practical tips on guarding against Internet fraud, securing computers, and protecting personal information, as well as resources for companies in the event of a data breach, such as law enforcement and credit reporting agency contacts. The site has daily updates from the Department of Homeland Security (DHS), as well as content developed by IT companies, industry associations, and other federal agencies.
Workshop on "Technologies for Protecting Personal Information: The Consumer and Business Experiences." The FTC's efforts on data security took root in this workshop, which explored the challenges consumers and industry face in securing their computers. The workshop featured industry leaders, technologists, researchers on human behavior, and representatives from consumer and privacy groups to both identify challenges in safeguarding information and propose solutions, both technical and human. Information about this workshop is available at www.ftc.gov/bcp/workshops/technology and www.ftc.gov/bcp/workshops/technology/finalreport.pdf.

The Division of Privacy and Identity Protection. Recognizing the need to protect sensitive consumer information and fight against identity theft, in January 2006, the FTC created a new Division of Privacy and Identity Protection within its Bureau of Consumer Protection. This division addresses consumer privacy and data security matters through aggressive enforcement, rulemaking, policy development, and creative outreach to consumers and businesses.

Federal Bank Regulatory Agencies. The federal bank regulatory agencies also have been extremely active in issuing guidance for financial institutions relating to information security and identity theft, including the Federal Financial Institutions Examination Council ("FFIEC") Information Technology Examination Handbook's Information Security Booklet, available at http://www.ffiec.gov/guides.htm; the FFIEC's guidance entitled Authentication in an Internet Banking Environment, available at http://www.fdic.gov/consumers/consumer/fighttheft/index.html; the Interagency Informational Brochure on Internet Phishing Scams, available at www.fdic.gov/consumers/consumer/fighttheft/index.html; and the bank regulatory agencies' letter entitled Identity Theft and Pretext Calling, available at http://www.federalreserve.gov/boarddocs/srletters/2001/sr0111.htm.[3]
Securities and Exchange Commission. In June 2000, SEC adopted Regulation S-P, which implements the GLB Act's Title V information privacy and safeguarding requirements for securities brokers and dealers, investment companies, and SEC-registered investment advisers. In addition to providing general guidance, Regulation S-P contains numerous examples specific to the securities industry to provide more meaningful guidance to help firms implement its requirements. It also includes a section regarding procedures to safeguard information, including the disposal of consumer report information. In September 2004 the SEC released a public statement on Regulation S-P's safeguarding requirements. See Disposal of Consumer Report Information, Release Nos. 34-50361, IA-2293, IC-26596 (Sept. 14, 2004).

National Credit Union Administration. The NCUA offers advice to credit unions on issues related to data security. It has issued numerous letters to credit unions that provide guidance on these issues (available at www.ncua.gov/letters/letters.html), and representatives from the NCUA regularly speak on information security issues at credit union conferences.

Small Business Administration. The SBA offers information and data security guidance targeted towards small businesses. The SBA's website, www.sba.gov/beawareandprepare/cyber.html, serves as a portal to private sector sites that offer information for safeguarding computers against cyber attacks, and directs users to NIST's Computer Security Division's Small Business Corner, which provides "Cyber Security Tips" on subjects including spyware, email hoaxes, employee awareness, and firewalls (available at sbc.nist.gov/cyber-security-tips/). The SBA also offers workshops on small business computer security around the country, co-sponsored by the SBA and the Federal Bureau of Investigation (FBI), that allow participants to explore practical tools to assess and improve the security of their information.

Department of Health and Human Services. The Department of Health and Human Services provides entities with information to help their compliance with the Privacy and Security Rules of HIPAA. The Office for Civil Rights provides guidance and educational materials for entities required to comply with the Privacy Rule, and the Office of e-Health Standards and Services in the Centers for Medicare and Medicaid Services provides guidance and educational materials for entities required to comply with the Security Rule. The Privacy Rule sets standards that protect the privacy of health information, and the associated Security Rule sets standards to assure the confidentiality, integrity, and availability of electronic protected health information.

Private Sector Guidance

Private sector entities also provide guidance to businesses that addresses safeguarding sensitive data, usually targeted to entities based on their industry sector or size. A few examples include:
Financial Services Industry. The Financial Services Roundtable has developed voluntary guidelines to address data security concerns in the financial services industry, such as incorporating security awareness and education into corporate-wide training programs, encrypting some types of financial data and customer data when it is transported on unprotected networks or stored for aggregation-related processes, and using Secure Socket Layers (SSL) when obtaining data feeds for aggregation-related processes.[4] The financial services industry also has produced white papers and reports, which include advice about new account/application review, "Know Your Employee" practices that are designed to screen criminals out of financial institutions, and using technology to identify and manage fraud and identity theft.[5]

The payment card segment of the financial services industry has adopted a single set of data security standards, the Payment Card Industry Data Security Standards (PCI Standards), for all merchants and service providers that store, process, or transmit cardholder data. These standards, which card companies have adopted voluntarily, resulted from a collaboration between Visa and MasterCard, and have been endorsed by other major U.S. card companies.[6] The PCI Standards are designed to ensure the proper handling and protection of cardholder account and transaction information. Major card companies have their own programs to ensure data security compliance in accordance with PCI standards, and each company enforces the standards via their individual programs. Visa, for example, instituted a program called Cardholder Information Security Program for this purpose; information about this program is available at http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html. Under individual company programs, failure to comply with the standards may subject merchants and service providers to fines levied by the card company and possible revocation of the right to participate in the card company's network.

Real Estate Industry. Real estate associations also have issued information security guidelines that address how the industry collects, shares, and protects the consumer information it uses and receives. One set of guidelines issued by the National Association of Realtors (available at http://www.realtor.org/realtororg.nsf/files/NARInternetSecurityGuide.pdf/$FILE/NARInternetSecurityGuide.pdf), consolidates best practices for real estate agents, multiple listing services, and associations to improve their security safeguards. The guidelines recommend setting policies for the acceptable use of information; creating management oversight, including setting up an information security management committee; setting up access controls on a "need to know" basis; implementing appropriate personnel screening and regular training; instituting physical controls including locks and appropriate disposal tactics; and using technology applications to secure data and detect problems (e.g., cryptographic controls, network intrusion detection).
Health Care Industry. The health care industry has applied significant resources towards improving the privacy and security of its business practices. Major industry organizations such as the American Hospital Association and the American Medical Association produce handbooks and toolkits, and partner with vendors to provide security and privacy guidance to their members. WEDI (Workgroup for Electronic Data Interchange), an industry nonprofit dedicated to improving health care through electronic commerce, has produced a series of white papers that provide guidance on topics that include encryption, disaster recovery, policies and procedures, and evaluation, available at www.wedi.org. Industry-sponsored conferences and seminars focused on implementing privacy and security protections for health information are commonplace. Providing the tools to enable compliance with the HIPAA Security and Privacy Rules has been the common goal of these efforts.

Internet Service and Electronic Mailbox Providers. Because of their unique position in the internet community, internet service providers (ISPs) and electronic mailbox providers pay particular attention to data security issues. Guidelines from the Anti-Phishing Working Group (APWG), available at www.antiphishing.org/reports/bestpracticesforisps.pdf, focus on how ISPs and mailbox providers can prevent and mitigate the damage caused by phishing attacks. They recommend a number of practices, including using inbound and outbound filtration technology to prevent spam, monitoring bounced email messages to help determine when a phishing attack is underway, disabling hyperlinks in emails from sources that are not trusted, and providing customers relevant, accurate information about phishing and what to do following an attack.
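The bounce-monitoring practice recommended above can be illustrated with a small detector. The following Go program is an added example and is not code from the Task Force report or from the APWG; it assumes a constructed, simplified log of delivery-status notifications (one bounce per line, with the local address the bounce was returned to and the DSN status code), which is not any vendor's real format. It counts bounces per mailbox per hour and flags hours in which a mailbox attracts an unusual number of them, which is the signal an ISP watches for when a customer-facing address is being forged in a phishing run.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of inbound bounces (delivery-status notifications) as a
// mailbox provider might log them. Not a real log format. Fields:
// timestamp, the word "bounce", the local address the bounce came back to,
// and the DSN status code. One malformed line is included to exercise the parser.
const sampleBounceLog = `2007-04-02T08:05:11 bounce to=newsletter@mailhost.example status=5.1.1
2007-04-02T08:41:52 bounce to=newsletter@mailhost.example status=5.1.1
2007-04-02T09:02:07 bounce to=alerts@bank.example status=5.1.1
2007-04-02T09:02:09 bounce to=alerts@bank.example status=5.1.1
2007-04-02T09:02:15 bounce to=alerts@bank.example status=5.7.1
2007-04-02T09:02:31 bounce to=alerts@bank.example status=5.1.1
2007-04-02T09:03:04 bounce to=alerts@bank.example status=5.1.1
2007-04-02T09:03:40 bounce to=alerts@bank.example status=5.1.1
2007-04-02T09:15:22 bounce to=newsletter@mailhost.example status=4.2.2
2007-04-02T10:20:00 bounce to=alerts@bank.example status=5.1.1
this line is deliberately malformed and must be skipped`

type bounce struct {
	hour   string // timestamp truncated to the hour, e.g. "2007-04-02T09"
	to     string // local address the bounce was returned to
	status string // DSN status code
}

// parseBounce accepts one log line and reports whether it was well formed.
func parseBounce(line string) (bounce, bool) {
	f := strings.Fields(line)
	if len(f) != 4 || f[1] != "bounce" || len(f[0]) < 13 {
		return bounce{}, false
	}
	to := strings.TrimPrefix(f[2], "to=")
	status := strings.TrimPrefix(f[3], "status=")
	if to == f[2] || status == f[3] { // prefix missing: not our format
		return bounce{}, false
	}
	return bounce{hour: f[0][:13], to: to, status: status}, true
}

// bounceSpikes counts bounces per (mailbox, hour) and returns, sorted, every
// bucket that reached the threshold. A flood of bounces returned to an address
// that sent little or nothing itself means someone else is sending as that
// address in bulk; the threshold is a constructed tuning value, not a standard.
func bounceSpikes(log string, threshold int) []string {
	counts := map[string]int{}
	for _, line := range strings.Split(log, "\n") {
		b, ok := parseBounce(strings.TrimSpace(line))
		if !ok {
			continue
		}
		counts[b.to+" "+b.hour]++
	}
	var hits []string
	for key, n := range counts {
		if n >= threshold {
			hits = append(hits, fmt.Sprintf("%s count=%d", key, n))
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	for _, h := range bounceSpikes(sampleBounceLog, 5) {
		fmt.Println("ALERT possible forged-sender campaign:", h)
	}
}
```

On the sample data only the alerts@bank.example mailbox in the 09:00 hour crosses the threshold; the newsletter address, which bounces a little all day, does not. A production version would compare each hour against that mailbox's own historical baseline rather than a fixed number, and would feed the hit to the abuse desk together with the original recipients so customers can be warned, as the APWG guidance also recommends.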
Small Businesses. Organizations also have made available information on how to recognize and address identity theft and fraud directed toward small businesses. The U.S. Chamber of Commerce, for instance, offers a "Security Toolkit" for small businesses, available at www.uschamber.com/sb/security/default.htm, that includes information about compliance with PCI standards, technology tips, a Microsoft Interactive Security Video, a sample security plan, and technical tools. The Chamber is conducting a series of seminars in 12 cities, featuring experts from Visa, that should help businesses that accept credit or debit card payments understand the basic requirements for handling sensitive customer data. Information about these seminars is available at www.uschamber.com/events/visatour.

Other organizations, such as the Council of Better Business Bureaus and the National Cyber Security Alliance, provide guidelines that serve as primers for incorporating basic security and privacy practices into everyday business operations that are appropriately tailored for smaller companies. These guidelines, available at www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf and www.staysafeonline.org/basics/company/basic_tips.html, emphasize the importance of employee screening and training and the use of physical safeguards beyond electronic measures to prevent identity theft. They include tips on: recognizing attempts at theft and fraud; understanding the importance of offline and online security and privacy safeguards; developing security and privacy policies and communicating them to customers; training employees; handling and managing sensitive information; managing employees as they interact with customers and their personal data; credit card/debit card security safeguards; physically safeguarding systems and accessories; using the latest technologies; instituting controls to prevent phishing; and conducting international transactions securely.

Nonprofit Organizations. Nonprofit organizations also have issued guidance to businesses. For example, one nonprofit organization focused on online privacy has guidelines available for companies drafting internal data security at www.truste.org/pdf/SecurityGuidelines.pdf. The guidelines stress that reasonable security standards are not "one size fits all," and offer companies a non-technical high level overview of recommended security practices for consideration.

Some private sector entities also have developed standards and guidelines regarding specific issues that raise security concerns:

Contractual Arrangements with Service Providers. The guidance from the private sector generally recognizes that entities have a responsibility to ensure that their security and privacy policies are implemented and enforced. Typically, private sector guidelines recognize the importance of contractually requiring all third party service vendors with access to an organization's sensitive data, such as outsourced IT or data management operations, to adhere to the contracting entity's security requirements.[7] These guidelines also address specific practices for contracting organizations, including conducting a site audit of a vendor's data center to determine the adequacy of the security infrastructure; requiring vendors to provide certification that they are in compliance with the contracting organization's privacy and data protection obligations; and performing periodic or random audits of vendors or outsourcers.[8]

Encryption. Encryption is the process of converting plaintext into ciphertext to ensure that data can be read only by the intended recipient. Categories of information for encryption commonly include access passwords, email, files on laptops, stored data, and virtual private networks (VPNs), which use a public telecommunication infrastructure like the Internet to provide remote users with secure access to their organization's network. A number of industry groups are developing new policies that recommend the use of encryption to enhance internal data storage security.[9] In the wake of several highly publicized security breaches, encryption is being viewed as a tool for providing enhanced security for portable devices (laptops) and for media (backup tapes).[10]
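The stored-data case from the paragraph above (a record on a laptop or a backup medium) is shown below in working form. This is an added example written for this page, not code from the report or from any of the industry groups it cites; it uses the Go standard library's AES-256-GCM, generates a key in memory purely so the program runs stand-alone (a real deployment keeps the key in a key manager or derives it from a passphrase), and seals a constructed sample record. It demonstrates the property the paragraph's definition leaves implicit: with an authenticated mode, a stored blob that has been altered, or that is opened with the wrong key, is rejected rather than decrypted to garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey returns a fresh random 256-bit AES key (assumption: in-memory key
// generation stands in for a key manager so the example runs stand-alone).
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// label is additional authenticated data (e.g. a record id): not hidden, but bound
// to the ciphertext, so a blob copied onto a different record id no longer opens.
func sealRecord(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	// Fresh random nonce per record: repeating a nonce under one key breaks GCM.
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// openRecord reverses sealRecord. It fails if the key, the label, or any byte
// of the stored blob differs from what was sealed.
func openRecord(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob shorter than a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// demo seals a constructed record and reports three outcomes: the round trip
// restores the plaintext, a one-bit change to the stored blob is rejected,
// and opening with a different key is rejected.
func demo() (roundTrip, tamperRejected, wrongKeyRejected bool, err error) {
	key, err := newKey()
	if err != nil {
		return
	}
	record := []byte("customer=Jane Example;account=0000-0000 (constructed sample)")
	label := []byte("record-id:42")

	blob, err := sealRecord(key, record, label)
	if err != nil {
		return
	}
	got, err := openRecord(key, blob, label)
	if err != nil {
		return
	}
	roundTrip = bytes.Equal(got, record)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, tErr := openRecord(key, tampered, label)
	tamperRejected = tErr != nil

	otherKey, err := newKey()
	if err != nil {
		return
	}
	_, kErr := openRecord(otherKey, blob, label)
	wrongKeyRejected = kErr != nil
	return
}

func main() {
	rt, tr, wk, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("round trip ok=%v, tampering rejected=%v, wrong key rejected=%v\n", rt, tr, wk)
}
```

The choice of an authenticated mode is the design point: plain encryption alone protects a stolen laptop or tape against reading, but only authentication lets the owner detect that a backup was altered before it is restored.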
Preventing Malware.Malwareisconsideredagrowingthreattodataprivacyandsecurity.11 Spyware,atypeof malwareintendedtoviolateauser’sprivacy,isbecomingmorewidespread,andisleadingorganizationsandcomputeruserstotakenewprecautions.12 Some
PART C
��
COMBATING IDENTITY THEFT A Strategic Plan
businesseshaveadoptedindustryandgovernmentguidelinesonhowtodetectandavoidmalware,includingguidelinesdevelopedbyNIST.Althoughdevelopedforusebyfederalagencies,theNISTguidelineshavebeenadoptedvoluntarilybymanybusinessesaswell.13 NIST’srecommendationsforimprovinganorganization’smalwareincidentpreventionmeasuresinclude:planningandimplementinganapproachtomalwareincidentpreventionbasedonthemostlikelyattackpoints;ensuringthatpoliciessupportthepreventionof malwareincidentsandincludingprovisionsrelatedtoremoteworkers;andusingappropriatetechniquestopreventmalwareincidents(e.g.,patchmanagement,applicationof securityconfigurationguides).14
Employee Data. While some guidance to businesses is exclusively or primarily focused on providing advice about securing customer data, some organizations concentrate their efforts on guidelines and best practices for protecting the data of employees. For instance, the Society for Human Resource Management offers its members reports and toolkits related to identity theft, data security, and HIPAA privacy, including advice about compliance with federal and state privacy laws, on its website at www.shrm.org.
State Guidance
Many state consumer protection agencies and Attorneys General have information and guidance for businesses to help them protect consumers’ sensitive information. A few examples of states providing this type of guidance include:
California. California has created an Office of Privacy Protection to promote and protect consumers’ rights. This office makes available numerous publications to assist businesses in complying with federal and state safeguards requirements as well as improving their general information security practices. In its publication, A California Business Privacy Handbook (available at www.privacyprotection.ca.gov/recommendations/ca_business_privacy_hb.pdf), the state’s Office of Privacy Protection describes basic techniques that companies can use to protect personal information and prevent identity theft, such as controlling access to personal information and securely disposing of materials containing sensitive consumer information. Likewise, in its Recommended Practices for Protecting the Confidentiality of Social Security Numbers (available at www.privacyprotection.ca.gov/recommendations/ssnrecommendations.pdf), the state provides businesses with information on federal and state laws regarding the collection, use, and confidentiality of SSNs, as well as recommended practices like reducing the unnecessary collection of SSNs and eliminating the public display of SSNs.
New York. The New York State Office of Cyber Security and Critical Infrastructure Coordination has published Best Practices and Assessment Tools to Promote Cyber Security Awareness. This guide includes advice specifically directed at corporations and small businesses.
Wisconsin. Like California, Wisconsin has created an agency to address consumers’ privacy rights, the Office of Privacy Protection within the Wisconsin Department of Agriculture, Trade and Consumer Protection division. This office provides guidance for small businesses through its website, available at www.privacy.wi.gov/business/business.jsp, which recommends actions like limiting the collection of sensitive information, and screening and training employees.
PART D
GUIDANCE FOR BUSINESSES ON DATA BREACHES
Federal Guidance
In addition to providing guidance on safeguarding sensitive information, the federal government offers businesses guidance on what to do in the event of a data breach. The federal bank regulatory agencies (the FRB, FDIC, NCUA, OCC, and OTS), for example, have issued detailed guidance on financial institutions’ response programs and customer notice, which is discussed in detail in Part A, above. The FTC offers businesses guidance on breach notifications in a booklet entitled Information Compromise and the Risk of Identity Theft: Guidance for Your Business, available at http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus59.htm. The FTC recommends that when a data compromise could result in harm to a person or business, private entities should contact appropriate local law enforcement as soon as possible. The FTC also recommends that companies consider contacting other businesses that may be impacted by a data breach, such as banks or credit issuers, and if names and SSNs have been stolen, the major credit bureaus. Finally, when deciding if or when individual consumer notification is warranted, the FTC recommends that businesses consider the nature of the compromise, the type of information taken, the likelihood of misuse, and the potential damage arising from misuse. The FTC’s booklet also contains a model letter for businesses notifying people whose names and SSNs have been stolen.
Private Sector Guidance
In light of recent high-profile data breaches, a number of private sector organizations also have developed guidance regarding how to respond to breaches and when to provide notice to consumers. Some of this guidance is designed to facilitate compliance with applicable laws, regulations, or industry standards. Examples of entities providing this guidance include:
The American Bankers Association (ABA). The ABA sponsors conferences on regulatory compliance that address responding to information breaches; information about these conferences is available at www.aba.com/Events/NCS.htm. The ABA also provides online information about establishing a response program and notifying customers on its website at www.aba.com/About+ABA/datasecuritynotification.htm.
The Financial Services Roundtable. The Financial Services Roundtable has developed guidelines to address breach response issues, available at www.bitsinfo.org/downloads/Publications%20Page/bitscons2005.pdf.
The Payment Card Industry (PCI). Members of the payment card industry also have issued guidance for businesses to respond to security incidents in order to comply with the PCI standards. For instance, individual card companies have issued step-by-step instructions and workbooks for businesses responding to a security incident.15 Businesses are encouraged to create an internal response plan that, among other things, confirms, analyzes, and documents events, and allows for a quick response to maintain and restore business continuity.16 In the event of a suspected or confirmed security breach, merchants and service providers are advised to immediately contain the breach and limit possible exposure of consumer information while preserving logs and electronic evidence.17 Affected companies are advised to contact their internal information security group and incident response team, merchant bank, card company, and the local office of the United States Secret Service (USSS).18 Moreover, businesses are advised to conduct a forensic analysis of the event and maintain logs and evidence to assist law enforcement authorities in investigations.19
Nonprofit Organizations. Nonprofit organizations that specialize in data security and privacy issues also have distributed guidance for businesses in the event of a data security breach. For instance, the National Cyber Security Alliance offers a guide on Small Business Incident Recovery and Reporting, available at www.staysafeonline.org/basics/recovery/recoveryandreporting.html. This guide includes information about establishing an internal incident response team to respond to security incidents, and a formal written breach response plan and process for reporting and escalating incidents. The Identity Theft Resource Center (ITRC) provides similar guidance on its website at www.idtheftcenter.org/index.shtml. In addition, the Council of Better Business Bureaus has created guidelines specifically targeted to small businesses, available at www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf. Although not all states require customer notification in the event of a breach, the guidance urges companies to consider the advantages of notifying those whose information has been compromised.
Other organizations, including higher education associations,20 professional associations,21 and firms that offer consulting or policy development services related to data security,22 have provided advice and guidance to businesses in the event of a data breach. The guidance relates to policies, procedures, technical tools, and notice to consumers for businesses responding to a security incident.
State Guidance
State consumer protection agencies and Attorneys General also offer guidance on responding to data breaches. Among states offering such guidance are:
California. California’s Recommended Practices on Notice of Security Breach Involving Personal Information, available at www.privacyprotection.ca.gov/recommendations/secbreach.pdf, has information about the state’s breach notification law, as well as recommended practices for protection and prevention, preparation for notification, and notification itself. This document offers guidance on developing an incident response plan, with instructions for developing written procedures for internal notification processes, designating an individual responsible for coordinating internal notification procedures, and responding to the breach by providing notice to consumers and law enforcement. The document also provides sample breach notice letters.
Wisconsin. The Wisconsin Department of Agriculture, Trade and Consumer Protection, Office of Privacy Protection, publishes a fact sheet entitled How Small Business Can Help in the Fight Against ID Theft (available at www.privacy.wi.gov/business/business.jsp), which recommends that businesses create an action plan in advance for responding to data breaches. In the event of a breach, businesses are encouraged to investigate internally while devising a plan for notifying people that a breach has occurred.
Colorado. The Colorado Attorney General’s office provides information about data breach response plans to businesses on its website at www.ago.state.co.us/idtheft/clients.cfm. It recommends that businesses have policies and procedures in place to isolate the information that has been compromised, promptly notify all affected customers of the breach, and promptly notify the appropriate law enforcement office of the breach.
PART E
FEDERAL CONSUMER EDUCATION EFFORTS
The federal government has produced, promoted, and distributed an extensive library of consumer education materials in print and electronic formats to help consumers learn about various aspects of identity theft. Listed below are titles and locations of each agency’s identity theft consumer education materials.
FEDERAL TRADE COMMISSION (FTC): www.ftc.gov
The FTC has played a primary role in consumer awareness and education, developing information that has been co-branded by a variety of groups and agencies. Its website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource in both English and Spanish for consumers. (Spanish: www.consumer.gov/idtheft/espanol.htm.)
The FTC also recently implemented a national public awareness campaign centered around the themes of “Deter, Detect, and Defend.” This campaign seeks to drive behavioral change in consumers that will reduce their risk of identity theft (Deter); encourage consumer monitoring of their credit reports and accounts to alert them of identity theft soon after it occurs (Detect); and mitigate the damage caused by identity theft should it occur (Defend). This campaign, mandated in the FACT Act, consists of material written for consumers about identity theft and material written for organizations, community leaders, and local law enforcement on how to communicate and educate their constituencies about identity theft. www.consumer.gov/idtheft/ddd/index.html. (Spanish: www.consumer.gov/idtheft/ddd/espanol.html.)
The Deter, Detect, and Defend materials have been adopted and distributed by hundreds of entities, both public and private, involved in the fight against identity theft. The National Council of Higher Education Loan Program, the Direct Marketing Association, the National Association of Realtors, the Internal Revenue Service (IRS), neighborhood associations, and over 500 local law enforcement agencies, among others, are using the materials as part of their own consumer education efforts. The U.S. Department of Justice’s Office for Victims of Crimes disseminated 4,600 Deter, Detect, Defend kits to the victim services field offices.
Other FTC publications include:
Fighting Back Against Identity Theft, at www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt01.htm
ID Theft: What It’s All About, at www.ftc.gov/bcp/conline/pubs/credit/idtheftmini.htm; in Spanish at www.ftc.gov/bcp/conline/spanish/credit/s-idtheftmini.htm
Take Charge: Fighting Back Against Identity Theft, at www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm; in Spanish at www.ftc.gov/bcp/conline/spanish/credit/s-idtheft.htm
“Active Duty” Alerts Help Protect Military Personnel from Identity Theft, at www.ftc.gov/bcp/conline/pubs/alerts/dutyalrt.htm
What To Do If Your Personal Information Has Been Compromised, at www.ftc.gov/bcp/conline/pubs/alerts/infocompalrt.htm
Remedying the Effects of Identity Theft, at www.ftc.gov/bcp/conline/pubs/credit/idtsummary.pdf; in Spanish at www.ftc.gov/bcp/conline/spanish/credit/s-idtsummary.pdf
Your Access to Free Credit Reports, at www.ftc.gov/bcp/conline/pubs/credit/freereports.htm; in Spanish at www.ftc.gov/bcp/conline/spanish/credit/s-freereports.htm
How Not to Get Hooked by a Phishing Scam, at www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.htm; in Spanish at www.ftc.gov/bcp/conline/spanish/alerts/s-phishingalrt.htm
Privacy Choices for Your Personal Financial Information, at www.ftc.gov/bcp/conline/pubs/credit/privchoices.htm
Medicare Part D Solicitations: Words to the Wise About Fraud, at www.ftc.gov/bcp/conline/pubs/alerts/meddalrt.htm
ID Theft Audio File (Audio 1, Audio 2), at www.consumer.gov/idtheft/con_pubs.htm
ID Theft Video News Release (Dial Up Version—56k), Video 1 and Video 2, at www.consumer.gov/idtheft/con_pubs.htm
ID Theft Video News Release (Broadband Version), Video 1 and Video 2, at www.consumer.gov/idtheft/con_pubs.htm
U.S. DEPARTMENT OF JUSTICE (DOJ): www.usdoj.gov
Bureau of Justice Assistance (BJA). The Justice Department’s BJA, together with the National Crime Prevention Council, created an identity theft booklet, Preventing Identity Theft: a Guide for Consumers,23 and produced radio and television public service announcements about identity theft, featuring McGruff® the Crime Dog. Other publications include Identity Theft and Fraud, at www.usdoj.gov/criminal/fraud/idtheft.html.
Office for Victims of Crime (OVC). The Department of Justice’s OVC has several web pages on identity theft,24 and has provided funding to several identity theft-related initiatives, such as the Ohio Identity Theft Verification Passport program. Other publications include Identity Theft, at www.ojp.gov/ovc/help/it.htm.
Office of Justice Programs (OJP). The Department of Justice’s OJP also has developed some identity theft resources, including the following publications:
Justice Resource Update, at www.ncjrs.gov/jru/spring_2006/featured.html
Preventing Identity Theft: A Guide for Consumers, at www.ncpc.org/cms/cms-upload/prevent/files/idtheftrev.pdf
Executive Office for United States Trustees. The Executive Office for the United States Trustees, a component of DOJ, has developed the following publication on identity theft: Fraud/Identity Theft, at www.usdoj.gov/ust/r16/fraud.htm.
United States Attorney’s Offices (www.usdoj.gov/usao). Some United States Attorney’s Offices also have their own identity theft web pages, for example: www.usdoj.gov/usao/gan/citizen/idtheft.html and www.usdoj.gov/usao/cac/idtheft/idtheft.html.
U.S. DEPARTMENT OF THE TREASURY: www.treas.gov
Over 120,000 copies of the Department of the Treasury’s DVD about identity theft, Identity Theft: Outsmarting the Crooks, have been distributed to the public. See www.treasury.gov/press/releases/js3083.htm. In addition, the Department of the Treasury has developed an Identity Theft Resource Page, which can be found at www.treas.gov/offices/domestic-finance/financial-institution/cip/identity-theft.shtml.
The FACT Act established the Financial Literacy and Education Commission (the Commission), and appointed the Secretary of the Treasury as head. The Commission, composed of 19 other federal agencies and bureaus, launched a website and toll-free hotline for financial literacy in 2004, www.MyMoney.gov and 1–888–MY–MONEY, along with a free toolkit. These resources include consumer information (available in English and Spanish) about how to defend oneself against identity theft and what victims should do to set their records straight.
Separately, the Department of Treasury’s Financial Management Service and the Federal Reserve Banks sponsor Go Direct, a campaign to motivate people who receive federal benefit checks to use direct deposit. Direct deposit is the best way for people to get their Social Security and SSI payments because it eliminates the risk of stolen checks, reduces fraud, and gives them more control over their money. A simple action like enrolling in direct deposit can offer much-needed peace of mind to people who rely on federal benefits, most of whom are seniors and people with disabilities.
Office of the Comptroller of the Currency (www.occ.treas.gov). The OCC has issued a number of publications on identity theft. Those include the following:
Fight Back: What You Can Do about Identity Theft, at www.occ.gov/consumer/idtheft.htm
How to Avoid Becoming a Victim of Identity Theft, at www.occ.treas.gov/idtheft.pdf
Internet Pirates Are Trying to Steal Your Personal Financial Information, at www.occ.gov/consumer/phishing.htm
Check Fraud: A Guide to Avoiding Losses, at www.occ.treas.gov/chckfrd/chckfrd.pdf
Office of Thrift Supervision (www.ots.treas.gov). The OTS has issued a number of publications related to identity theft. These publications deal with topics including pretext calling, phishing and email scams, and customer/consumer education, and can be found on the OTS website.
Internal Revenue Service (www.irs.gov). The IRS, another arm of the Treasury Department, has issued the following publication on identity theft:
Identity Theft and Your Tax Records, at www.irs.gov/individuals/article/0,,id=136324,00.html
Treasury Inspector General for Tax Administration (www.treas.gov/tigta). TIGTA has issued the following publication for taxpayers relating to identity theft:
Computer Security Bulletin—Phishing Scams, at www.treas.gov/tigta/docs/phishing_alert_2006.pdf
U.S. SECRET SERVICE (USSS): www.secretservice.gov
The USSS, a component of DHS, is active in the investigation of identity theft. In that role, it also has issued the following guidance on identity theft:
Financial Crimes Division, at www.treas.gov/usss/financial_crimes.shtml
Frequently Asked Questions (FAQ): Protecting Yourself, at www.treas.gov/usss/faq.shtml#identity
FEDERAL DEPOSIT INSURANCE CORPORATION (FDIC): www.fdic.gov
The FDIC’s December 2004 Identity Theft Study recommended the development of an educational initiative targeted to online banking customers on how to avoid common scams. That initiative, entitled Don’t Be an On-Line Victim, is comprised of three parts: how consumers can secure their computer; how consumers can protect themselves from electronic scams that can lead to identity theft; and what consumers should do if they become the victim of identity theft. The educational tool is being distributed through the FDIC website and via CD-ROM. Additionally, in 2005, the FDIC sponsored four identity theft symposia entitled Fighting Back Against Phishing and Account-Hijacking. Each symposium included presentations by panels of experts from federal and state government, the banking industry, consumer organizations, and law enforcement. Total attendance at the symposia exceeded 575. The FDIC’s 2006 symposia series, Building Consumer Confidence in an E-Commerce World, was a continuation of the FDIC’s efforts to facilitate dialogue on the risks and solutions for e-commerce and payment system fraud. The FDIC is also working on an educational campaign, scheduled for rollout in 2007, to educate consumers about online banking and the protections available to them that make it safe.
The FDIC’s other publications on identity theft include the following:
Classic Cons... And How to Counter Them, at www.fdic.gov/consumers/consumer/news/cnsprg98/cons.html
A Crook Has Drained Your Account. Who Pays?, at www.fdic.gov/consumers/consumer/news/cnsprg98/crook.html
When a Criminal’s Cover Is Your Identity, at www.fdic.gov/consumers/privacy/criminalscover/index.html
Your Wallet: A Loser’s Manual, at www.fdic.gov/consumers/consumer/news/cnfall97/wallet.html
Identity Theft, at www.fdic.gov/consumers/consumer/alerts/theft.html
NATIONAL CREDIT UNION ADMINISTRATION (NCUA): www.ncua.gov
The NCUA’s primary publication on identity theft, entitled You Can Fight Identity Theft, can be found at www.ncua.gov/publications/brochures/identitytheft/phishbrochure-web.pdf.
FEDERAL RESERVE SYSTEM: www.federalreserve.gov
The Federal Reserve Bank of Boston has published a consumer brochure entitled Identity Theft, which can be found at www.bos.frb.org/consumer/identity/idtheft.htm.
U.S. SOCIAL SECURITY ADMINISTRATION (SSA): www.socialsecurity.gov
The SSA has a hotline for reporting fraud, which can be found at www.socialsecurity.gov/oig/guidelin.htm. In addition, the SSA’s website, www.socialsecurity.gov/pubs/idtheft.htm, provides links to various resources to assist victims of identity theft. SSA has several printed publications (in English and Spanish) on safeguarding the use of SSNs and cards to help prevent identity theft. These include the following:
Identity Theft and Your Social Security Number (SSA Publication No. 05-10064), at www.socialsecurity.gov/pubs/10064.html
Your Social Security Number and Card (SSA Pub. No. 05-10002), at www.socialsecurity.gov/pubs/10002.html
New Rules for Getting a Social Security Number and Card (SSA Publication No. 05-10120), at www.socialsecurity.gov/pubs/10120.html
Frequently Asked Questions on SSA’s Internet website, at www.socialsecurity.gov
SSA OIG (Office of Inspector General): When Someone Else Uses Your Social Security Number Fact Sheet, at www.socialsecurity.gov/oig/hotline/when.htm
SSA OIG—Identity Theft Links, at www.socialsecurity.gov/oig/investigations/links.htm
U.S. POSTAL INSPECTION SERVICE (USPIS): www.usps.com
The USPIS has been active in engaging in outreach activities related to identity theft. For example, the USPIS, together with the FTC and the Better Business Bureau (BBB), developed the “Shred It & Forget It” campaign, which encourages consumers to shred discarded documents containing personal information. The USPIS also maintains an identity theft website and has conducted national campaigns about Internet fraud and identity theft, and produced two DVDs on these subjects – “Identity Crisis” and “Web of Deceit” – and Publication 248, “Safeguard Your Personal Information.” Other publications include:
ID Theft Poster, at www.usps.com/websites/depart/inspect/idposter.pdf
Identity Theft Is America’s Fastest-Growing Crime, at www.usps.com/websites/depart/inspect/idthft_ncpw.htm
Read These Tips to Protect Yourself from Identity Theft, at www.usps.com/websites/depart/inspect/idtheftips.htm
Safeguard Your Personal Information, at www.usps.com/cpim/ftp/pubs/pub280/welcome.htm
Identity Theft: Stealing Your Name and Your Money, at www.usps.com/websites/depart/inspect/IDtheft2.htm
Identity Crisis—DVD, at www.usps.com/websites/depart/inspect/idthft_ncpw.htm
LooksTooGoodToBeTrue.com, at http://www.lookstoogoodtobetrue.com/fraud.aspx
U.S. DEPARTMENT OF EDUCATION: www.ed.gov
The Department of Education offers materials aimed at increasing students’ and college administrators’ awareness of identity theft and steps to reducing students’ chances of falling victim. The Department also has included identity theft prevention tips in the billing statements that are sent to student borrowers. Its Federal Student Aid website, www.federalstudentaid.ed.gov, contains information on safeguarding student aid information and reducing the risk of identity theft.25 The Department’s OIG’s website, www.ed.gov/misused, both offers and collects information on identity theft. The OIG also conducts presentations at conferences of financial aid professionals, and has developed a DVD, FSA Identity Theft—We Need Your Help, to alert the financial aid community to the problem.
DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS): www.hhs.gov
Office of Disease Prevention and Health Promotion. HHS’s Office of Disease Prevention and Health Promotion has circulated the following publication relating to identity theft: Healthfinder—Protecting Your Identity, which can be found at www.healthfinder.gov/docs/doc09195.htm.
Centers for Medicare and Medicaid Services (www.cms.gov). HHS’s Centers for Medicare and Medicaid Services has released the following publications relating to identity theft:
Medicare and You 2006, at www.medicare.gov/publications/pubs/pdf/10050.pdf
Holding Ourselves to a Higher Standard, at www.cms.hhs.gov/InformationSecurity/
The National Women’s Health Information Center: Protecting Yourself from Cybercrime, at www.girlshealth.gov/safety/internet.cybercrime.htm
Food and Drug Administration (www.fda.gov). The FDA’s publications relating to identity theft include the FDA Consumer magazine (July-August 2005 Issue), and Be Aware and Beware of Identity Theft, which can be found at www.fda.gov/fdac/departs/2005/405_fda.html#theft.
National Institutes of Health (NIH): National Institute on Aging. The NIH’s National Institute on Aging provides guidance to the elderly on matters related to identity theft in a publication entitled Age Page—Crime and Older People, which can be found at www.niapublications.org/agepages/PDFs/Crime_and_Older_People.pdf.
Administration on Aging. HHS’s Administration on Aging has supported the development of the following materials related to identity theft:
Protect Yourself from Identity Theft, at www.consumerlaw.org/action_agenda/seniors_initiative/identity_theft.shtml
What You Should Know About Your Credit Report, at www.consumerlaw.org/action_agenda/seniors_initiative/content/CFactsCreditReport.pdf
Protecting Older Americans from Telemarketing Scams: A Quick Guide for Advocates, at www.consumerlaw.org/initiatives/seniors_initiative/concerns_telemarket.shtml
What To Do If You’ve Become The Victim of Telemarketing Fraud, at www.consumerlaw.org/initiatives/seniors_initiative/telemarketing_fraud.shtml
Neremberg, L. (June 2003). Daily Money Management Programs—A Protection Against Elder Abuse, at www.elderabusecenter.org/pdf/publication/DailyMoneyManagement.pdf
In addition, the Administration on Aging’s Senior Medicare Patrol (SMP) program utilizes the skills and expertise of volunteers that educate and empower beneficiaries to take an active role in the detection and prevention of health care fraud and abuse, with a focus on the Medicare and Medicaid programs. The National Consumer Protection Technical Resource Center (www.smpresource.org) provides further information on the SMP program and a variety of consumer protection materials.
SECURITIES AND EXCHANGE COMMISSION (SEC): www.sec.gov
The SEC’s guidance to consumers on identity theft includes a publication entitled Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information, which can be found at www.sec.gov/investor/pubs/onlinebrokerage.htm.
PART F
PRIVATE SECTOR CONSUMER EDUCATION EFFORTS
The private sector has produced, promoted, and distributed an extensive library of consumer education materials in print and electronic formats to help consumers learn about various aspects of identity theft. Listed below are titles and links to a sample of individual organizations’ identity theft consumer education materials, presented by sector.
Information Technology (IT)
Material produced by the information technology industry, most often delivered through the Internet, focuses largely on secure and safe computing, urging consumers to install anti-spyware, anti-virus, and firewall software on their computers, and educating them about the harm that can result from phishing, malware, and spyware. The information generally warns consumers against responding to spam and divulging personal information in email or on unsecured websites, and provides tips on creating strong passwords. For example, the National Cyber Security Alliance maintains StaySafeOnline, a website with tips on safe computing for adults and children.26 In addition, much of the material is directed to warning consumers about the existence of phishing attacks and assisting consumers in spotting suspect emails and websites. Microsoft and Best Buy, along with several other private and public partners, sponsor the Get Net Safe Tour, in which experts visit schools, hold assemblies, parents nights, local community and senior events, and Internet fairs to discuss general Internet safety, including topics related to identity theft. Similarly, Americans for Technology Leadership, a coalition of technology professionals, consumers, and organizations, conducts Take Back The Net cybersecurity workshops, which include discussions of phishing and other identity theft-related topics, for consumers throughout the country.
AOL: Money & Finance—Identity Theft, at money.aol.com/creditdebt/identity/
Microsoft: Security at Home: Protect Yourself, at www.microsoft.com/athome/security/privacy/default.mspx
Earthlink: Earthlink Identity Protection Center, at www.earthlink.net/mysecurity/identity/
E-bay: Tutorial: Spoof (fake) E-mails, at www.pages.ebay.com/education/spooftutorial/
The National Cyber Security Alliance: Don’t Take the Bait! Avoid Getting Hooked By “Phishers” Trying to Steal Your Personal Information, at www.staysafeonline.org/basics/pharming_tips.html
The Anti-Phishing Working Group, at www.antiphishing.org/phishing_archive.html
Consumer Advice: What To Do If You’ve Given Out Your Personal Financial Information, at www.antiphishing.org/consumer_recs2.html
GetNetWise, at www.getnetwise.org
The Business Software Alliance / Cybersafety: Phishing: Do you know if someone is trying to steal your identity?, at www.bsacybersafety.com/index.cfm
Financial Institutions and Credit Providers
The financial services sector provides a great deal of information about common frauds related to identity theft, such as phishing, pharming, spoofing, pretext calling, and dumpster diving. Many institutions and credit card service providers also offer their customers information about identity theft prevention and remediation through statement stuffers, mailers, and websites. The information often includes explanations of common terminology and definitions related to these frauds, as well as explanations about how they work. The Texas Bankers Association, for example, produces inserts, posters, and wallet cards about identity theft for distribution to customers by Texas banks.27 The Securities Industry Association publishes a booklet that informs investors of how to avoid identity theft and what to do if they are the victim of identity theft.28 Securities self-regulatory organizations (SROs), such as the NASD and the NYSE, also publish guidance relating to identity theft. For example, NASD has published “Phishing and Other Online Identity Theft Scams: Don’t Take the Bait.”29
MasterCard: Identity Theft, at www.mastercard.com/us/personal/en/securityandbasics/identitytheft/index.html
Visa USA: Protect Yourself, at www.usa.visa.com/personal/security/protect_yourself/index.html
Bank of America: Identity Theft and Your Rights, at www.bankofamerica.com/privacy/Control.do?body=privacy secur_idprotect
Capital One: Find Out How To Protect Yourself From Fraud And Identity Theft, at www.capitalone.com/fraud/
Chase: Identity Theft, at www.chase.com/ccp/index.jsp?pg_name=ccpmapp/shared/assets/page/Identity_Theft
Citi: Protect Yourself, at www.citibank.com/us/cards/cm/theft01.htm
Columbia Credit Union: Security and Identity Theft, at www.columbiacu.org/identity/identity_tips.html
Commerce Bank: Identity Theft and Fraud, at www.commercebank.com/about/privacy/identity.asp
U.S. Bank: Online Security, at www.usbank.com/cgi_w/cfm/about/online_security/index.cfm
Virginia Credit Union: Security and Identity Theft, at www.vacu.org/education/security.asp
Wells Fargo: Identity Theft, at www.wellsfargo.com/privacy_security/fraud/operate/idtheft
Health Care Industry
The health care industry also provides information specifically about “medical identity theft,” which occurs when an unauthorized individual uses someone’s personal information either to obtain medical treatment, prescription medications, or other medical goods or to make false claims for medical services. While this type of identity theft is detrimental to the victim’s financial status, it also can result in the exhaustion of health insurance coverage and the addition of false entries to the victim’s medical record, incorrect medical treatment, or even the loss of a job if employers require physical exams and medical history checks.30 Minneapolis-based health system Allina Hospitals and Clinics, targeted by an identity theft ring, produced a booklet to alert physicians and their staff on how to prevent patient identity theft, and to provide tips for medical professionals to protect themselves from becoming identity theft victims.
“MedicalIdentityTheft:theinformationcrimethatcankillyou,”Dixon,Pam.WorldPrivacyForum,Spring2006.www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf
ECRI—OperatingRoomRiskManagement,HealthcareIdentitytheft:PreventionandResponse.Mar.2006.www.ecri.org/MarketingDocs/0306news.pdf
Educational InstitutionsForavarietyof reasons,collegestudentsarefrequenttargetsof identitythieves.Collegesanduniversitiesstorevastamountsof personalinformationaboutstudents.Accordingtoonereport,one-half toone-thirdof allreportedpersonalinformationbreachesin2006occurredatcollegesanduniversities.31 Thestudentlifestylealsomaycontributetothehighrateof identitytheftinthisagegroup.Collegestudentstendtokeeppersonalinformationunguardedinshareddormrooms.Inrecognitionof theincreasedvulnerabilityof thecollegepopulation,manyuniversitiesareprovidinginformationtotheirstudentsabouttherisksof identitytheftthroughwebsites,orientationcampaigns,andseminars.TheUniversityof Michiganundertookawide-scaleeffort,launchingIdentityWeb,acomprehensivesitebasedontherecommendationsof agraduateclassinthefallof 2003.32 TheStateUniversityof NewYork’sOrangeCountyCommunityCollegeoffersidentitytheftseminars,theresultof astudentwhofellvictimtoascam.AvideoatstudentorientationsessionsatDrexelUniversityinPhiladelphiawarnsstudentsof thedangersof identitytheftonsocialnetworkingsites.BowlingGreenStateUniversityinOhioemailscampus-wide“fraudalerts”whenitsuspectsthatascamisbeingtargetedtoitsstudents.Inrecentyears,morecollegesanduniversitieshavehiredchief privacyofficers,focusinggreaterattentionontheharmsthatcanresultfromthemisuseof students’information.
Thehighereducationcommunity,includingassociationsandfinancialinstitutions,alsohasconductedoutreachtofinancialaidcounselors,students,parents,andborrowers.Forinstance,theNationalCouncilof HigherEducationLoanPrograms(NCHELP)reachedouttoitsconstituentsandencouragedthemtotakeadvantageof identitytheftresourcesproducedbytheFTCandsharethemwithstudents.Manycollegebookstoresnowprovidetheseeducationalmaterialstostudentspurchasingtextbooks.Thefollowinglinksprovideexamplesof universities’educationalinformationonidentitytheft.
Harvard: www.hupd.harvard.edu/id_theft.php
Northwestern University: www.it.northwestern.edu/security/protectingprivacy/index.html
Pennsylvania State University: consumerissues.cas.psu.edu/PDFs/CreditPrivacyIdentity.pdf
Tulane University: www.tuhscpd.tulane.edu/Safety/idtheft.htm
University of California—Los Angeles: www.ucpd.ucla.edu/ucpd/programs_persafe.html
University of Kansas: www.privacy.ku.edu/idtheft/
University of Michigan: identityweb.umich.edu/
University of Minnesota: safecomputing.umn.edu/safepractices/idtheft.html
University of Missouri—Kansas City: www.umkc.edu/adminfinance/police/tips/Identity.asp
University of Oklahoma: www.ou.edu/oupd/idtheft.htm
University of Utah: www.it.utah.edu/leadership/security/identity.html
Yale: www.yale.edu/security/goodmeasures/ProtectingYourIdentity.html
PART G
RECENT LAWS RELATING TO IDENTIFICATION DOCUMENTS

Since 2004, two major federal laws have imposed significant new requirements relating to identification documents. First, the Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004³³ improves identification information security and requires a national strategy for combating international terrorist travel. As part of this plan, the law contains provisions for robust travel document screening and authentication and for improved training for a variety of federal officials who come into contact with fraudulent identification documents. The law also requires that part of the strategic plan will be to disrupt terrorists’ production and use of false travel documents. It also requires that the President lead international efforts to provide for the detection of counterfeit or stolen foreign travel documents and to criminally punish those involved in such crimes.

One section of the law focuses on biometrics. The law requires that biometric identifier technology be studied, included in airport access controls, and incorporated into a new, uniform law enforcement officer credential. The law also requires that a plan be developed to accelerate the full implementation of an automated biometric entry and exit system.

The law also focuses on improving identification documents, from requiring that improved pilots’ licenses be developed to providing for the creation of federal standards for birth certificates, drivers’ licenses, and personal identification cards. The law included security enhancements for Social Security cards, such as restricting the issuance of multiple replacement cards and establishing minimum standards for verification of documents. Additionally, the law prohibits the use of SSNs on drivers’ licenses.

In addition, the Real ID Act of 2005³⁴ supplements the requirements of state drivers’ licenses and identification cards for use by federal agencies. The law requires a number of verification measures before such an identification is issued, including that the state verify the validity of supporting documents. The law also mandates that identification cards used for federal purposes expire every eight years and be produced in secure environments by personnel with appropriate clearances. It further requires that state identification cards that do not meet the federal security requirements state so on their face, and that all states provide electronic access to other states of their motor vehicle databases.

Numerous government initiatives relating to authentication methods are described at www.biometrics.gov.
PART H
STATE CRIMINAL LAW ENFORCEMENT EFFORTS

All 50 states and the District of Columbia have some form of legislation that prohibits identity theft, and in all of those jurisdictions, except for Maine, identity theft can be a felony. In general, 11 states appear to use a narrower approach to criminalizing identity theft by focusing on the use of personal identifying information with intent to defraud. Other states use a broader approach to criminalization that often includes not only unauthorized use, but also possession, creation, recording, obtaining, selling, giving, or transmitting of personally identifiable information.

State law concerning identity theft is changing rapidly. As one indication, several states have amended their criminal identity theft provisions within the last year. One of the trends has been to make criminal law more specific, for example, making it a separate crime to traffic in stolen identities or to engage in phishing.

Data from the 2005 National Survey of State Court Prosecutors indicate that state and local prosecutors are actively engaged in prosecuting identity theft. According to the survey, 69 percent of all prosecutors surveyed, and 97 percent of prosecutors surveyed from areas with populations of 1 million or more, had litigated at least one computer-related identity theft case. In addition, 80 percent of all prosecutors surveyed, and 91 percent of prosecutors surveyed from areas with populations of 1 million or more, had litigated a computer-related credit-card fraud case.³⁵

These are just a few examples of state and local identity theft prosecutions:

The Arizona Attorney General announced the arrest of a Phoenix resident on suspicion of using Green Bay Packers quarterback Brett Favre’s credit card more than 40 times. The defendant was charged with four felonies, and two other men were charged with forgery. The unauthorized charges to the credit card totaled more than $10,000, and the use of Favre’s card is suspected to be part of a larger identity theft scheme run by the other two men.

The Florida Attorney General announced that two defendants pleaded guilty to identity theft for manufacturing counterfeit Florida drivers’ licenses and checks in names that belonged to real and fictitious individuals.

The Michigan Attorney General filed charges against two former nursing home employees who allegedly obtained a resident’s personal information and used the information to obtain a Comcast account.
The Missouri Attorney General and the Jefferson County Prosecuting Attorney charged an individual with two counts of identity theft. The defendant allegedly stole the identities of Missourians online to purchase and obtain thousands of dollars worth of merchandise and gift cards.

The New York Attorney General announced the indictment of an individual for his role in an identity theft scheme that defrauded financial institutions of more than $1.5 million. The defendant allegedly obtained the personal identifying information of two Staten Island residents and, using their home as collateral, applied for and obtained home equity loans and lines of credit.
PART I
SENTENCING IN FEDERAL IDENTITY THEFT PROSECUTIONS

The United States Sentencing Commission has treated the problem of identity theft seriously. Among other things, the Sentencing Commission implemented a two-part sentencing guideline amendment in response to the Identity Theft Penalty Enhancement Act of 2004.³⁶ First, the Sentencing Commission promulgated a new guideline at Guidelines Section 2B1.6 for aggravated identity theft, effective November 1, 2005. The guideline provides that offenders convicted under the aggravated identity theft statute are to be sentenced to the term required by statute. In Fiscal Years 2005 and 2006, the Sentencing Commission received 55 and 163 cases respectively, with at least one conviction under the aggravated identity theft statute.³⁷ The aggravated identity theft cases in Fiscal Years 2005 and 2006 had average sentences imposed of 33 and 44 months, respectively.³⁸

Second, the Sentencing Commission expanded the applicability of a Sentencing Guidelines provision that is aimed at enhancing the sentences of those defendants who abuse a position of trust or use a special skill to commit the crime. Specifically, the Sentencing Commission expanded the enhancement to apply to any defendant who “...exceeds or abuses the authority of his or her position in order to obtain unlawfully, or use without authority, any means of identification.”³⁹ In Fiscal Year 2006, 0.6 percent of 18 U.S.C. § 1028(a)(7) offenders received offense level increases under this provision.

The U.S. Sentencing Commission maintains a comprehensive, computerized data collection system that forms the basis for its clearinghouse of federal sentencing information. Sentencing Commission data show that more than 1,000 offenders have been sentenced for convictions under the identity theft statute, 18 U.S.C. § 1028(a)(7), since it was enacted in October 1998. There has been a substantial increase in the number of sentenced cases with at least one count of conviction under 18 U.S.C. § 1028(a)(7) each year, from 12 cases in Fiscal Year 1999 to 195 cases in Fiscal Year 2006. Average sentences for these identity theft cases have increased steadily from an average of 16 months of confinement in Fiscal Year 1999 to an average of 25 months of confinement in Fiscal Year 2006.⁴⁰
The following are some examples of identity theft cases prosecuted by DOJ in which federal courts have imposed substantial terms of imprisonment:

On May 12, 2006, the U.S. District Court for the Western District of Missouri sentenced a man to 10 years imprisonment and ordered him to pay $126,180 in restitution, for participating in an identity theft-related wire fraud conspiracy that involved more than 50 victims in 17 states. The conspiracy involved stealing the identities of victims and using their credit card information to receive money wired by Western Union. Both the defendant and a codefendant targeted Citibank credit card holders and Western Union agents. When targeting individual cardholders, the defendant would call Western Union, posing as the credit card holder, and request a money transfer. Prior to making this call, he used his extensive knowledge of how the telecommunications network operated to have the victim’s home telephone line forwarded to a location where he could pose as the victim cardholder when Western Union called back to verify the wire transfer. When targeting businesses that served as Western Union agents, the defendant would call Western Union posing as an employee of a Western Union agent, to initiate a fraudulent and fictitious wire transfer that would be picked up by either of the defendants. To facilitate the scheme, the defendant sometimes posed as a “fraud early warning” employee of the Citibank credit card company in order to obtain information on true Citibank credit card holders.⁴¹

In December 2004, three defendants were sentenced for installing a computer program on the nationwide computer system used by Lowe’s in order to steal credit card account numbers. To carry out this scheme, the defendants secretly compromised the wireless network at a Lowe’s retail store in Southfield, Michigan, and thereby gained unauthorized access to Lowe’s Companies, Inc.’s central computer system in North Wilkesboro, North Carolina and, ultimately, to computer systems located in Lowe’s retail stores around the United States. Having gained this unauthorized access, the defendants then installed a computer program on the computer system of several Lowe’s retail stores, which was designed to capture the credit card information of customers conducting transactions with those stores. The lead defendant in the case received a sentence of 108 months imprisonment.
On June 23, 2006, in the U.S. District Court for the Eastern District of Missouri, the leader and organizer of an identity theft ring and her two daughters were sentenced (respectively) to 70 months imprisonment; 2 years and 1 day imprisonment; and 4 years probation (with home confinement) on aggravated identity theft, identity theft, and related fraud charges, in a scheme to use stolen identities to open credit accounts and purchase merchandise. Some of the documents seized during the investigation came from patient records through one daughter’s employment at a St. Louis area dental office. The entire scheme resulted in losses exceeding $47,000 as a result of more than 252 fraudulent credit applications. More than 67 individuals had their identities compromised as a result of the fraud.
In October 2004, the Secret Service arrested 21 individuals on charges relating to their involvement in “Shadowcrew.” “Shadowcrew” was an international criminal organization with numerous members that promoted and facilitated various criminal activities including the electronic theft of personal identifying information, credit-card and debit-card fraud, and the production and sale of false identification documents. The organization operated a website with approximately 4,000 members that was dedicated to facilitating malicious computer hacking and disseminating stolen credit card, debit card, and bank account numbers, and counterfeit identification documents, such as driver’s licenses, passports, and Social Security cards. In July 2006, one of the participants in Shadowcrew was sentenced to 90 months imprisonment.⁴²

In December 2005, a California man convicted of orchestrating a credit-card fraud scheme that involved skimming was sentenced to 87 months imprisonment and ordered to pay $140,000 in restitution to more than 50 identified victims of his scheme. In this case, which the Secret Service investigated, the defendant employed a waitress who worked at two restaurants to use a “skimmer” device and other means to obtain credit-card information. When federal agents searched the defendant’s home, they found more than 1,500 stolen credit-card account numbers and software and hardware to download the account information onto blank credit card stock.⁴³

The IRS has pursued a number of identity theft prosecutions. For Fiscal Year 2005, in 25 identity theft cases where defendants were convicted and sentenced, the average prison sentence imposed was 41 months. For Fiscal Year 2006 (through June 30, 2006), 18 persons were convicted and sentenced in cases involving identity theft, and the average prison sentence received was 38 months.

PART J
INVESTIGATIVE APPROACHES TO IDENTITY THEFT: SPECIAL ENFORCEMENT AND PROSECUTION INITIATIVES

Each agency responsible for the investigation of identity theft tracks its identity theft cases independently. By any measure, however, it is clear that the federal investigative agencies have been aggressively pursuing identity theft. The FBI reports that as of September 30, 2006, it had 1,274 pending identity theft-related cases, and that it opened 493 identity theft-related cases in Fiscal Year 2006. The USPIS reports that it opened 1,269 identity theft cases and made 1,647 arrests in Fiscal Year 2006. The USSS reports that it made 3,402 identity theft arrests in Fiscal Year 2006. The Social Security Administration (SSA) Office of the Inspector General’s (OIG) Office of Investigations reports that it opened 1,482 cases involving SSN misuse⁴⁴ in Fiscal Year 2006, and 412 cases involving SSN misuse from October 1, 2006 through January 31, 2007 in FY 2007.
SPECIAL ENFORCEMENT INITIATIVES

Many agencies involved in the investigation of identity theft have also undertaken special enforcement initiatives in recent years, including the following:

FBI

The FBI Cyber Division has conducted a number of investigative initiatives into various types of online crime that involve identity theft:

Operation “Retailers & Law Enforcement Against Fraud” (RELEAF): RELEAF is an international investigative initiative directed at the related problems of “reshipping” (i.e., the use of one or more people to receive merchandise that criminals have fraudulently ordered from retailers, often using others’ credit cards, and ship that merchandise to other participants in the fraud scheme to evade detection by retailers and law enforcement) and money laundering. This initiative involves more than 100 private sector participants and numerous law enforcement agencies and has produced more than 150 investigations.

Digital Phishnet: Digital Phishnet is a phishing and identity theft initiative involving more than 60 organizations (banks, ISPs, and ecommerce companies) that assisted in the development of more than 100 investigations.
Operation Slam Spam: Operation Slam Spam is a criminal spam and malicious code investigative initiative that is supported daily by more than 20 small and medium enterprises. An anti-spam email list provided intelligence on current cybercrimes, which involved over 95 industry members. In addition, 12 industries provided analysts who are co-located with the Internet Crime Complaint Center (IC3) and Cyber Initiative and Resource Fusion Unit (CIRFU) to support this project, which resulted in more than 100 investigations.
In addition, as identity theft becomes more global in scope and impact, the FBI has provided some foreign law enforcement agencies with identity theft-related assistance and training in the execution of specific enforcement initiatives. Initial efforts in this context have already proved highly productive, and include the following:

The FBI Legal Attaché in Bucharest contributed to the development and launching of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attaché with complaints received from U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attaché assisted the Romanian police and Ministry of Justice to prosecute Romanian subjects.

Following up on the success of IC3’s Operation RELEAF, IC3 and FBI Cyber Units developed and presented a “Cyber 101” course to law enforcement officials in Ghana and Nigeria. This course had immediate results, in the form of aggressive foreign law enforcement action to support FBI investigations, including the seizure of millions of dollars in stolen merchandise and fraudulent cashier’s checks.
United States Secret Service

The USSS has approximately 15 online undercover investigations targeting suspects who are trafficking in government-issued documents (driver’s licenses, Social Security cards, U.S. and foreign passports and visas). These suspects reside both within the United States and abroad. In the next year, the Secret Service intends to continue its undercover operations targeting these groups, increase its arrests of these suspects, and disrupt the online sale and distribution of stolen personal and financial information.

Internal Revenue Service—Criminal Investigation

IRS-CI’s Questionable Refund Program (QRP) and Return Preparer Program (RPP) are focused on identifying and stopping fraudulent tax refund claim schemes. These schemes often involve hundreds of returns, with refunds totaling hundreds of thousands or even millions of dollars of revenue at stake. These schemes can create significant problems for legitimate taxpayers by denying them refunds to which they would be entitled. Investigating and prosecuting those responsible for these ambitious schemes ranks among these programs’ highest priorities. Although identity theft is not a component of all fraudulent refund schemes, the rise of identity theft has helped fuel an increase in fraudulent refund schemes and other tax frauds, specifically employment tax fraud. In Fiscal Year 2006, IRS-CI had 77 cases involving identity theft under active investigation. The IRS is also developing improved screening and detection processes to more effectively identify future fraudulent refund schemes.
Treasury Inspector General for Tax Administration

TIGTA’s role in combating identity theft is protecting the privacy and security of confidential taxpayer data entrusted to the IRS. The integrity of IRS’s information systems is fundamental to federal tax administration. A breach of IRS computer databases leading to identity theft would be devastating to the nation’s voluntary tax system and the government’s ability to collect taxes. TIGTA’s Strategic Enforcement Division (SED) utilizes both proactive and reactive investigative methods to detect and deter unauthorized accesses (UNAX) to taxpayer information by IRS employees and by those who try to hack into IRS computer databases. SED administers a variety of audit trail and computer matching tools to proactively identify UNAX violations that could lead to identity theft. TIGTA’s System Intrusion Network Attack Response Team (SINART) was formed to detect and investigate intrusions into IRS systems and information technology equipment. In fiscal year 2006, TIGTA initiated 488 investigations into suspected UNAX violations, and its investigations in fiscal year 2006 resulted in 385 referrals to DOJ for criminal prosecution and 409 administrative disciplinary actions.
Department of State—Bureau of Diplomatic Security

Since 2005, the State Department’s Bureau of Diplomatic Security (DS) has been working on an initiative to address the use of identities of deceased people to obtain U.S. passports. As part of this initiative, some of the DS field offices have had several arrests and successful prosecutions, including some asset forfeiture cases. Some of these investigations resulted in the arrests of fugitives who had assumed the identities of others many years earlier to flee justice. DS plans to expand this initiative to all of its field offices.

One example of the value of this initiative involves the prosecution of Christopher J. Clarkson. On March 15, 2006, Clarkson pleaded guilty in Florida to bank fraud and was required to forfeit $500,000 in assets. Clarkson was a member of a widely known gang of bank robbers who reportedly robbed more than 100 banks and armored cars in the 1970s and 1980s in both Canada and the United States. For nearly 30 years, Clarkson used the identity of Stephen Duffy, a boy who lived in California and died there at age 4 in 1948. Using Duffy’s identity, which he apparently had stolen in the late 1970s, Clarkson lived in Hollywood, Florida, and worked as a successful real estate broker. DS investigators found irregularities in “Duffy’s” California driver’s license because of the year of the true Duffy’s death. Further investigation, including the discovery that Clarkson had applied for a passport in Duffy’s name, led DS agents and Florida law enforcement to arrest Clarkson in October 2005.
SPECIAL PROSECUTION INITIATIVES

Since 2002, DOJ has conducted a number of enforcement initiatives targeting identity theft. The first of these initiatives, in May 2002, involved 73 criminal prosecutions by United States Attorney’s Offices against 135 individuals in 24 districts. The cases in that initiative covered a broad range of fraud schemes such as mortgage fraud and securities fraud. Since then, identity theft has played an integral part in several initiatives that DOJ and other agencies have directed at online economic crime. For example, “Operation Cyber Sweep,” a November 2003 initiative on Internet-related economic crime, resulted in the arrest or conviction of more than 125 individuals and the return of indictments against more than 70 people involved in various types of Internet-related fraud and economic crime. The cases in Cyber Sweep included phishing schemes and other efforts to use stolen credit cards to buy computer equipment online.⁴⁵
In addition to these general enforcement initiatives, various United States Attorney’s Offices have established their own identity theft initiatives:

“Fast Track” Program. The District of Oregon has an identity theft fast track program that requires eligible defendants both to plead guilty to aggravated identity theft under 18 U.S.C. § 1028A(a)(1) and to agree, without litigation, to a 24 month minimum mandatory sentence. In exchange for their pleas of guilty, defendants are not charged with the predicate offense which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. The program is intended to capture cases that are smaller than the typical federal identity theft cases, but larger than typical state-level cases. Generally, in order for a defendant to be eligible for the program, the actual or intended loss, whichever is higher, must be more than $5,000 and less than $70,000. If the loss is less than $5,000, the defendant must be a manufacturer of fraudulent identification documents or the defendant’s criminal activity must create a disproportionately adverse impact in the community. The offense must have 10 or more victims, but less than 50 victims, from multiple jurisdictions. Finally, there must be no applicable organizer, leader, manager, or supervisor adjustments under section 3B1.1 of the federal Sentencing Guidelines. The program relies upon a network of local investigators and prosecutors to identify eligible defendants, referring them to agents of the FBI, USSS, and the USPIS for follow-up work, and ultimately to designated Assistant U.S. Attorneys for federal prosecution.

“Operation Checkmate.” Two United States Attorney’s Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. Because approximately one-quarter of the 8.8 million passports issued by the State Department in 2004 were issued at the National Passport Center in Portsmouth, New Hampshire, the United States Attorney’s Office for the District of New Hampshire initiated Operation Checkmate in collaboration with the State Department’s Bureau of Diplomatic Security, ICE, and SSA OIG. Operation Checkmate aims to deter passport fraud by improving fraud detection efforts and dedicating resources to prosecuting these crimes.

Most evidence and witnesses are located where the fraudulent passport applications are detected by State Department passport adjudicators. Districts that are home to adjudication centers therefore are logical choices for prosecuting passport fraud cases, in addition to the districts where the perpetrators temporarily, and often illegally, reside. For these reasons, the United States Attorney’s Offices in New Hampshire and South Carolina, where the largest passport centers are located, agreed to supply the additional prosecutorial resources necessary to support increased enforcement efforts.
PART K
HOW LAW ENFORCEMENT OBTAINS AND ANALYZES IDENTITY THEFT DATA

With the increased attention given to identity theft in recent years, federal law enforcement agencies have recognized the importance of the timely receipt, analysis, and referral of identity theft information, including complaints by identity theft victims. Currently, there are many different sources of identity theft data, and several different ways in which that data is being analyzed.

THE GENERAL PUBLIC AS A SOURCE OF INFORMATION

Identity Theft Data Clearinghouse (FTC)

The Identity Theft and Assumption Deterrence Act of 1998 directed the FTC to develop the federal government’s centralized education and assistance program. Now, the FTC provides a federal “one-stop shop” for consumers and victims.

As a result, a wide variety of entities refer consumers to the FTC through its identity theft website and toll-free helpline. The credit reporting agencies, credit card issuers, financial institutions, several federal agencies, several states’ Attorneys General, and numerous local law enforcement agencies all refer consumers to the FTC. In 2006, the FTC recorded more than 4.2 million visits to its Identity Theft website (www.ftc.gov/idtheft) and more than 590,000 visits to the web version of its victim recovery guide, Take Charge: Fighting Back Against Identity Theft, as well as 113,000 visits to its Spanish-language website (www.consumer.gov/idthet/espanol.htm), and 55,000 visits to the Spanish-language version of its victim recovery guide.

The number of identity theft victims filing complaints with the FTC is similarly substantial. In 2006, the FTC logged in 246,035 new identity theft complaints. The complaints are promptly added to the Clearinghouse, which currently contains more than one million consumer complaints. Analysts from the FBI and the USPIS routinely work on site at the FTC to mine the Clearinghouse data to identify new leads or expand upon existing leads.

The FTC also provides remote access to the Clearinghouse data, and actively encourages law enforcement at all levels to use its complaints for their investigations and analysis. Local, state, and federal law enforcement officers can remotely access the Clearinghouse by a secure online connection. Officers and agents can query the data to identify significant clusters, leading to suspected perpetrators and targets, as well as to detect patterns and trends for further investigation. In addition, users can set the Clearinghouse’s “Autoquery” program to notify them any time new data is entered that matches their specified parameters. The Clearinghouse also has a deconfliction tool: the officer can place an “Alert” on information relating to their investigations to notify other users that the officer is working with this information and would like to be contacted.
The FTC continues to work to simplify the victim’s recovery process. One example is the Identity Theft Affidavit, which is posted on its website. The Identity Theft Affidavit was the result of the FTC working with industry and consumer advocates to create a standard form for victims to use in disputing identity theft accounts. Since its inception in 2001, more than 1.5 million hits to the English version and more than 62,000 hits to the Spanish version have been recorded.

Internet Crime Complaint Center (IC3) (FBI/National White Collar Crime Center) and Cyber Initiative and Resource Fusion Unit (CIRFU)

Another conduit for complaints about internet-related fraud and identity theft is the IC3. IC3 is a joint venture between the FBI and the National White Collar Crime Center (a nonprofit organization, funded by the DOJ’s BJA, that, among other things, disseminates information on cybercrime and actionable cyber-related investigative leads to state and local law enforcement). The IC3 provides an important means of collecting, analyzing, and disseminating to law enforcement information about crimes committed over the Internet. The IC3 receives more than 20,000 complaints per month from Internet users. For Internet victims, the IC3 provides a convenient and easy means of alerting authorities to a suspected criminal violation, including online identity theft. For law enforcement and regulatory agencies, it offers a central repository for complaints related to Internet crimes and allows them to use the information to obtain timely statistical data and current crime trends.

A special component of the FBI that works closely with the IC3 is the CIRFU. The CIRFU, based in Pittsburgh, is housed within the National Cyber Forensic Training Alliance (NCFTA), a public/private alliance and fusion center. The CIRFU and NCFTA maximize intelligence development and analytical capabilities by combining resources from law enforcement with those of critical industry partners. Such resources are utilized to substantially enhance the development and support of joint initiatives aimed at new and/or high-profile cybercrime problems. It also fosters the development of public/private alliances and joint training in support of these investigative initiatives.

Other Government Agencies

Other federal law enforcement agencies also have processes to receive and analyze complaints from the public. For example, the USPIS uses the Financial Crimes Database (FCD), a web-based national database that is available to all inspectors for use in analyzing mail theft and identity theft complaints received from various sources, including, but not limited to, the financial industry (American Express, Discover, MasterCard, Visa); major mailers (Netflix, Blockbuster, GameFly); the Identity Theft Assistance Center (ITAC) complaints; on-line mail theft complaints, USPIS field offices, Corporate Customer Contact (1-800-ASK-USPS) telephone complaints; and U.S. Treasury Checks. The USPIS receives approximately 1,000 identity theft complaints per month that are entered into the FCD. Additionally, the SEC’s Enforcement Complaint Center receives approximately 5,000 to 7,000 complaints per day on all types of securities law violations, including those that involve account intrusion and identity theft.
When HHS receives complaints that involve allegations of telemarketing fraud and misuse of Part D beneficiaries’ personal information for unauthorized bank transactions, it refers many of them to the FBI because the HHS OIG does not have primary jurisdiction over the identity theft offense (18 U.S.C. § 1028) or the wire fraud offense (18 U.S.C. § 1343). Even though beneficiaries may voluntarily disclose their personal information in connection with a transaction they believe they are authorizing, any unauthorized and fraudulent use by the telemarketers of the beneficiaries’ information may constitute identity theft. HHS also refers to the Criminal Division of DOJ and to the FBI complaints that raise the possibility of identity theft from sources other than Medicare or its other payment programs. These complaints are received by HHS pursuant to its administrative enforcement of the HIPAA Privacy and Security Rules.

Public and Private Sector Collaborations

To improve information sharing and cooperation between law enforcement and private sector entities on online identity theft and fraud matters, IC3 and CIRFU representatives have been meeting with representatives from a number of industry coalitions combating online fraud, including the Merchants Risk Council and the Business Software Alliance, as well as numerous financial services and other e-commerce stakeholders, regarding co-location of analysts at both locations. Target Corporation (which in addition to being a merchant is also a bank and credit card issuer) and the USPIS have assigned full-time fraud investigators to work at both IC3 and/or CIRFU, with eBay and other organizations agreeing to rotate personnel through IC3 and/or CIRFU. Other law enforcement agencies have been invited to place personnel in both locations to further enhance cooperation among such agencies.
The Secret Service hosts a portal called the e-Information system for members of the law enforcement and banking communities. This system provides a forum for members to post the latest information on scams, counterfeit checks, frauds and swindles, and updated Bank Identification Numbers (BINs). It is widely used and receives a tremendous amount of positive comments from users.

In 2005, the USPIS created the Intelligence Sharing Initiative (ISI), a website that allows the Inspection Service and fraud investigators representing retail and financial institutions, as well as major mailers, to openly share information pertaining to mail theft, identity theft, financial crimes, investigations, and prevention methods. ISI interacts with the Financial Crimes Database and generates Alert Reports. These reports are posted to assist the industry in identifying “high risk” areas, closing suspect accounts, and saving thousands of dollars in potential fraud.

ISI also gives the users access to the “Hot Addresses List,” i.e., a list of addresses located throughout the United States and Canada linked to a variety of fraud schemes, including fraudulent application schemes, account takeover schemes, mail order schemes, and reshipping schemes. The “Hot Addresses List” is published monthly and distributed by postal inspectors to the retail and financial industry, federal law enforcement, and government agencies and is also posted on the FTC’s Identity Theft Data Clearinghouse for law enforcement use. This intelligence sharing has resulted in a reduction in fraud schemes and significant savings to the retail and financial industries.
PRIVATE SECTOR AS A SOURCE OF INFORMATION
Financial Services Industry

The financial services industry is an important source of identity theft data for law enforcement agencies. The financial services industry provides that information in a number of different ways, some of which are detailed below.
Suspicious Activity Reports

A significant source of identity theft information is already available to federal law enforcement through Suspicious Activity Reports (SARs). In general, a federally regulated financial institution is required to file SARs with the Department of the Treasury’s FinCEN for certain suspected violations of the law, including identity theft, and for suspicious transactions involving funds or assets of at least $5,000 (e.g., transactions that involve potential money laundering or Bank Secrecy Act violations).
To make more effective use of SAR data, the FBI has begun a SAR Exploitation Project. The Project is designed to identify financial patterns and criminal groups associated with identity theft, financial institution fraud, and other aberrant financial activities. Using SAR data from FinCEN, the Project analyzes financial information that is available but not readily exploitable for FBI investigators to generate leads for the field investigators. Analytical software enables analysts to visualize financial patterns, link discrete criminal activities, and display the activities on link charts. Leads developed from analysis of SAR activity may be instrumental in “connecting the dots” for cross-program investigations of criminal, terrorist and intelligence networks, all of which rely on financial transactions to operate. The Secret Service is also using SAR data to investigate identity theft crimes.
Identity Theft Assistance Center (ITAC)
The ITAC is a nationwide cooperative initiative of the financial services industry that provides a free victim assistance service for customers of member companies. ITAC is run by the Identity Theft Assistance Corporation, a not-for-profit membership corporation sponsored by two other private-sector organizations, The Financial Services Roundtable and BITS. Currently, 48 financial services industry companies participate in ITAC. ITAC helps victims of identity theft by facilitating the recovery process. First, the identity theft victim and the ITAC member company resolve any issues at that company. An ITAC counselor walks the consumer through his or her credit report to find suspicious activity, notifies the affected creditors, and places fraud alerts with the credit bureaus. In addition, ITAC shares information with law enforcement and the FTC to help catch and convict the criminals responsible for identity theft. Since opening its doors in August 2004, ITAC has helped approximately 13,000 consumers restore their financial identities.
ITAC has data sharing agreements with the USPIS and the FTC under which it provides those agencies, on a weekly basis, with information about victims and the circumstances of their identity theft incidents. The USPIS has loaded information into its Financial Crime Database, and the FTC adds the ITAC data to its Identity Theft Data Clearinghouse.46
Credit Reporting Agencies
Section 621(f)(3) of the Fair Credit Reporting Act (FCRA) requires that the nationwide consumer reporting agencies (CRAs) submit an annual summary report to the FTC “on consumer complaints received by the agency on identity theft or fraud alerts.” The three nationwide CRAs—Experian, Equifax, and TransUnion—have recently submitted their first set of annual reports to the Commission covering the 13-month period from December 1, 2004, the effective date of the FACT Act provision, through December 31, 2005. Review of the data by FTC staff is underway. Section 621(f)(3) of the FCRA does not require the FTC to report on the data submitted to it by the CRAs.
The first set of reports includes five categories of information: (1) the number of initial fraud alerts placed; (2) the number of extended fraud alerts placed; (3) the number of active duty alerts placed; (4) the number of inaccurate tradelines or items blocked from consumers’ credit reports as a result of the consumer providing an “Identity Theft Report”; and (5) the number of accounts or items disputed as inaccurate as a result of identity theft or fraud.
Reports of Database Intrusions Mandated by Federal and State Law
Another potential source of reports on identity theft is the reports that various state laws mandate for database intrusions. In addition, under federal securities and financial reporting laws, such as the Sarbanes-Oxley Act of 2002, publicly traded companies may be obligated to report any known instances of breaches, intrusions, or compromises of personal data that they control. As an example of how a similar regulatory regime may operate in other countries, in January 2006, the corporate owner of the Bahamian hotel resort Atlantis filed a document with the Bahamas SEC, reporting that data on approximately 55,000 customers of Atlantis were missing from Atlantis’s computer database. The data, which included names, addresses, credit card and bank account information, SSNs, and driver’s license numbers, were reportedly obtained by a hacker.47
PART L  FEDERAL LAW ENFORCEMENT OUTREACH EFFORTS
Federal law enforcement agencies have been supportive of the need to involve state and local law enforcement and the private sector in combating identity theft. The FBI, the USSS, the USPIS, and ICE, for example, all conduct outreach to and work with state and local law enforcement agencies on identity-theft matters, whether through interagency task forces or direct contacts from field offices. Additionally, several agencies have partnered with private sector entities to do outreach to consumers and others. Those efforts include the following:
“Operation: Identity Crisis.” In 2003, the USPIS partnered with the FTC and the USSS (with support from various other agencies) to educate American consumers about the ease with which identity theft occurs and how to prevent it. A multi-media effort included advertisements in 17 newspapers; a 3 million piece educational mailing; public service announcements; posters displayed in 38,000 Post Office lobbies as well as in lobbies of police departments, banks, and other financial institutions throughout the country; and release of a USPIS prevention DVD entitled “Identity Crisis.”
“Operation Identity Shield.” In 2005, the FBI, the USPIS, IC3, the National White Collar Crime Center, the FTC, Merchants’ Risk Council, Monster.com, and Target began an initiative to educate U.S. consumers about how to protect themselves and their personal information from the reach of online scam artists. A multi-media effort included the release of a free USPIS prevention DVD, “Web of Deceit,” to update and inform consumers about new and evolving identity theft schemes that they may encounter; a posting of a joint law enforcement/industry website, www.LooksTooGoodToBeTrue.com, to provide educational and prevention information; magazine ads with a combined circulation of over 22 million; newspaper and radio spots; banner ads on each magazine’s website with links to the USPIS website; message inserts in stamp fulfillment orders; and a full-page ad placed in the October issue of the Police Chief magazine. This initiative also allows consumers to provide law enforcement authorities with valuable intelligence to assist in combating the problem.
Identity Theft Enterprise Strategy. The IRS Identity Theft Program Office has adopted the Identity Theft Enterprise Strategy as a comprehensive approach to combating identity theft by focusing on outreach, prevention, and victim assistance. The outreach component seeks to alert and inform tax professionals, taxpayers, and other interested parties of the threat that identity theft poses to tax administration. The prevention component’s objective is to proactively address identity theft within the context of tax administration. An example of these activities is the IRS’s efforts to identify and deter “phishing” schemes before taxpayers are victimized. The third component of the strategy is victim assistance, the important task of mitigating and correcting the harm suffered by taxpayers who are victims of identity theft.
To address identity theft relating to health care, HHS Centers for Medicare and Medicaid Services (CMS) uses Consumer Alerts, press releases, speeches to beneficiary, provider, and health care industry associations, and cable television programs to educate the beneficiary and provider communities and alert them to emerging problems. CMS Alerts publicize the telephone number for victims to call to report Medicare scams (1-800-HHS-TIPS) and prescription drug fraud (1-877-7SAFERX or 1-877-772-3379), and contain specific tips for people with Medicare to protect themselves against scams. CMS also issues reminders to its contractors, providers, and beneficiaries, similar to internal departmental reminders to HHS employees, to inform them of their responsibility to protect private information and of actions they should take to keep data secure. CMS recently issued prescription drug compliance guidance similar to that previously issued by HHS OIG for other health care providers (e.g., hospitals, nursing homes, home health agencies, physicians in private practice, laboratories, and durable medical equipment suppliers) that includes safeguarding of beneficiary and provider information. Finally, CMS staff speak at national and local provider, beneficiary, and prescription drug plan associations and partner with the U.S. Administration on Aging, Area Agencies on Aging, and community outreach agencies to spread the word about scams and how to report complaints. CMS regularly participates in conferences sponsored by the National Health Care Anti-Fraud Association with federal, public, and private sector representatives involved in health care fraud and abuse.
In addition, federal law enforcement agencies have frequently established direct lines of communications on fraud and identity theft issues with various companies and financial institutions in various cities throughout the United States:
The FBI, for example, has established InfraGard, a national information sharing network between the FBI, an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to increasing the security of United States infrastructures. InfraGard has more than 11,800 members in 79 chapters throughout the United States. InfraGard’s goals, at both the national and local levels, include increasing the level of information and reporting between InfraGard members and the FBI on matters related to counterterrorism, cybercrime, and other major crime programs, and increasing interaction and information sharing among InfraGard members and the FBI regarding threats to the critical infrastructures, vulnerabilities, and interdependencies.
U.S. Immigration and Customs Enforcement (ICE) conducts outreach programs to employers to provide them with training in identifying fraudulent documents.
One of the most productive approaches that the public and commercial sectors have been using to deal with identity theft and identity fraud issues is the creation of multi-sectoral working groups, organized by private companies, that provide a common forum for discussion of technological and other solutions to identity fraud with each other and with government agencies. The following descriptions of two multi-sectoral working groups interested in identity theft indicate the types of approaches that such groups can develop to address various aspects of identity fraud:
Anti-Phishing Working Group. The APWG is an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and email spoofing. The APWG has more than 2,300 members and more than 1,500 companies and government agencies participating in the APWG’s activities. It provides a forum to discuss phishing issues, define the scope of the phishing problem in terms of hard and soft costs, and share information and best practices for eliminating the problem. Where appropriate, the APWG will also look to share this information with law enforcement. Membership is open to qualified financial institutions, online retailers, ISPs, the law enforcement community, and solutions providers. Certain members of the APWG have worked closely with federal law enforcement on other initiatives, such as Digital PhishNet.
Liberty Alliance. Formed in September 2001, the Liberty Alliance is a global consortium of more than 150 leading merchants, service providers, technology vendors, and government organizations that work together to address the technical and business issues associated with developing an open standard for federated network identity. The Alliance is engaged in the ongoing release of open technical specifications as well as business and policy guidelines to help companies deploy federated identity services across a broad range of products, services, and devices.48 Recently, the Alliance has held workshops on identity theft prevention in Chicago, Illinois, and Tysons Corner, Virginia. These workshops brought together law enforcement and private sector representatives to explore potential technological and procedural solutions to the problem of identity fraud.
Other groups and initiatives that facilitate productive discussions between law enforcement and the private sector include:
International Association of Financial Crimes Investigators. The International Association of Financial Crimes Investigators (IAFCI) is a non-profit international organization that engages in training and information-sharing about financial fraud, fraud investigation, and fraud prevention methods. Its members are drawn from law enforcement, the banking and credit-card sectors, and other companies. IAFCI members have access to the IAFCI Network, a secure international electronic fraud information network that allows them to broadcast warnings to all participating members and request investigative assistance; a complete International Membership Directory listing invaluable investigative contacts worldwide; quarterly newsletters that alert IAFCI members to the latest schemes of fraud criminals; and the IAFCI International Annual Training Seminar, where members can learn a variety of fraud prevention techniques, as well as the latest technological advances and in-the-field instructions to stop fraud.
Financial Industry Mail Security Initiative. In 1992, the USPIS started a Credit Card Mail Security Initiative (CCMSI) in an effort to work more effectively with the credit card industry. A coordinated crime prevention effort was needed to reduce fraud losses and allow law enforcement to concentrate investigative attention on organized criminals. Results were immediate; non-receipt fraud losses were reduced 35 percent in 1993 when compared with 1992. This reduction in loss trend has continued into 2006. In 2003, the USPIS broadened the scope of the meetings and included other significant trends that were taking place, such as counterfeit check schemes, internet fraud, and bank fraud schemes. Since the focus expanded, the name of the group was changed from the Credit Card Mail Security Initiative to the Financial Industry Mail Security Initiative (FIMSI). This group meets three times annually and provides a forum in which agency representatives can identify and share trend data. Representatives from the retail/financial industry, and federal, state, and local law enforcement agencies participate in these meetings. Timely presentations on current trends are given at these meetings by experts in their respective fields.
Working groups are created from these meetings to address specific problems and share best business practices. Examples of these working groups include Non-Receipt, Plant Security, Identity Theft, Convenience Checks, Nigerian Crimes, Skimming, Internet Fraud, and Address Validation. Through these working groups, the USPIS has been responsible for several preventive initiatives. Some of those initiatives are Card Activation, where the consumer must call to activate a credit card that he receives through the mail; and the Inspection Service’s full use of the National Change of Address service and Address Change Service to the Credit Card Industry, which prevents the fraudulent use of changes of address. It also identified addresses belonging to Commercial Mail Receiving Agencies and other mail drops. These services reduced the risk of sending credit cards and other access devices to fraudulent addresses and vacant properties.
Working groups were also responsible for the development and publication of the Identity Theft Brochure, Publication 280, Identity Theft: Safeguard Your Personal Information, and the publication of the best practices guide, Fighting Identity Theft, Best Practices for the Financial Industry, Law Enforcement Agencies, Prosecutors, and Consumer Awareness Groups. In addition, the USPIS publishes a FIMSI newsletter three times annually for law enforcement and the financial services and retail industries. It contains information of relevance to financial crimes investigators, significant investigations, upcoming training, identity-theft articles, and a nationwide list of USPIS coordinators. These meetings have identified a number of new prevention strategies. Many of these strategies were implemented by the financial industry and have resulted in reduced fraud losses for them.
Finally, various agencies have had some success in sharing identity theft information with state and local law enforcement authorities through forums other than multiagency task forces. HHS OIG, for example, participates in an information sharing national teleconference that has produced a number of helpful tips to state Attorneys General by providing them with 800 numbers, names used and the names of organizations behind telemarketing fraud schemes directed at Part D beneficiaries, as well as processors of the electronic transfers through which those schemes were conducted.
PART M  INVESTIGATIVE APPROACHES TO IDENTITY THEFT: INTERAGENCY WORKING GROUPS AND TASK FORCES
A number of federal, state, and local law enforcement authorities have found multi-agency task forces or working groups especially valuable in investigating identity theft. Task forces typically share intelligence and investigative information about leading identity theft activities, groups, and offenders in their region, facilitate coordination among law enforcement agencies in the same area, and enable participating agencies to make the most efficient use of their respective resources to pursue significant identity theft cases. In addition, a few of these task forces have dedicated office space, where agents from different agencies can meet to exchange information and work together, and a prosecutor who is regularly assigned to handle task force cases.
Federal authorities lead or co-lead more than 90 task forces and working groups devoted (in whole or in part) to identity theft:
United States Attorney’s Offices: U.S. Attorneys lead approximately 17 identity theft task forces and working groups in cities such as Philadelphia, St. Louis, and Eugene, Oregon. Approximately 27 U.S. Attorney’s Offices participate in identity theft task forces or working groups, one U.S. Attorney’s Office participates on a task force that investigates identity theft, but also other white collar crime, and other U.S. Attorney’s Offices are in the process of forming an identity theft task force or working group.
FBI: The FBI leads four identity theft task forces, and participates in 21 identity theft/financial crimes task forces or working groups in most of the major metropolitan areas. In addition, the FBI’s Cyber Division has more than 90 task forces and more than 80 working groups, consisting of federal, state, and local law enforcement personnel, that investigate all cyber crime violations, including identity theft and Internet fraud.
U.S. Secret Service: The Secret Service has 29 Financial Crimes Task Forces and 24 Electronic Crimes Task Forces that focus, to varying degrees, on identity theft-related crimes. The Financial Crimes Task Forces are controlled through Secret Service offices in Atlanta, Austin, Baltimore, Charlotte, Chicago, Cleveland, Dallas, Ft. Myers, Houston, Jacksonville, Kansas City, Las Vegas, Little Rock, Memphis, Miami, New Orleans, Newark, Norfolk, Oklahoma City, Omaha, Orlando, Riverside, San Antonio, San Diego, St. Louis, Springfield, Tampa, Tulsa, and Washington, D.C. The Electronic Crimes Task Forces are located in Atlanta, Baltimore, Birmingham, Boston, Buffalo, Charlotte, Chicago, Cleveland, Columbia (South Carolina), Dallas, Houston, Las Vegas, Los Angeles, Louisville, Miami, Minneapolis, New York City, Oklahoma City, Orlando, Philadelphia, Pittsburgh, San Francisco, Seattle, and Washington, D.C.49
U.S. Postal Inspection Service: The Postal Inspection Service actively leads 14 Financial Crimes Task Forces/Working Groups in the following places: Atlanta, Birmingham, Boston, Hawaii, Los Angeles, Memphis, New York, Northern Kentucky, Philadelphia, Phoenix, Pittsburgh, Richmond, Springfield, and St. Louis. The Postal Inspection Service is also the co-leader of task forces in Chicago, Salt Lake City, St. Paul/Minneapolis, and Oklahoma City.
U.S. Immigration and Customs Enforcement (ICE): ICE has established Document and Benefit Fraud Task Forces (DBFTFs) in 11 cities across the country to enhance interagency communications and improve each agency’s effectiveness in fraud investigations. The DBFTFs consist of federal, state, and local agencies, and are co-located at ICE facilities. The DBFTFs combine the resources, authorities, and expertise of each of their partners to disrupt and dismantle organizations that commit various types of fraud and to deter the perpetration of fraud. The DBFTFs aggressively pursue many types of fraud that, by their nature, encompass identity theft. Additionally, ICE is aggressively focusing its anti-identity theft efforts in the area of worksite enforcement, and ICE is working with other departments and agencies to establish a comprehensive approach for employers to identify and employ authorized workers and reduce the use of counterfeit identification.
Other agencies do not lead, but actively participate in identity theft task forces. Examples include:
SSA OIG. SSA OIG’s Office of Investigations special agents participate in more than 100 various task forces, many devoted specifically to identity theft.
IRS Criminal Investigation Division (IRS CI). Approximately one-quarter of IRS CI’s 30 field offices have representatives on identity theft task forces. Some field offices have representatives in multiple judicial districts.
State Department Diplomatic Security. The State Department’s Bureau of Diplomatic Security is establishing an identity fraud task force with the Puerto Rican Police Department. The Bureau’s 31 field and resident offices participate in multi-agency identity theft task forces in their regions.
The following are some examples of interagency working groups and task forces:
In two areas of the country where the use of compromised identities is common, the HHS OIG has teamed with the FBI, the DOJ, the Medicaid Fraud Control Unit, the SSA OIG, and representatives of the CMS to target the perpetrators. This is an effective program to identify those who commit fraud against the government.
The Regional Identity Theft Working Group (the RIT Group) in the Eastern District of Pennsylvania has the following purposes: (1) information sharing and deconfliction of investigations; (2) identification of new identity theft schemes and key identity theft targets; and (3) hosting of discussions about identity theft prevention. In order to increase federal prosecutions for identity theft, monetary thresholds are reduced for cases involving organizations, and for individuals who serve in certain leadership roles. In order to increase sanctions for such cases, Assistant United States Attorneys regularly seek upward departures in criminal defendants’ sentences when the defendants disrupted victims’ lives. The RIT Group is also developing an online database to foster better communication between law enforcement agencies about identity theft investigations.
The Identity Theft Crimes Working Group in the District of New Hampshire is highly inclusive of both federal and state agencies, including a number of regulatory agencies for banking, insurance, and securities. It also monitors and uses information from the FTC Consumer Sentinel website to identify identity theft complaints over which it may have jurisdiction for the purpose of generating new cases.
The Los Angeles Identity Theft and Economic Crimes Task Force, led by the USPIS, includes the USSS, the FBI, the Los Angeles Police Department, and the Los Angeles County Probation Department. This task force also has a working relationship with other federal law enforcement components, including ICE, IRS-CI, and the SSA OIG.
Numerous success stories reflect the impact of these task force efforts. For example, beginning in February 2005, the USPIS-led Identity Theft Economic Crimes Task Force (ITEC) in Los Angeles received information from Sears/Citibank regarding the fraudulent account takeovers of more than 300 linked Sears credit cards totaling more than $1 million in fraud losses. All of the account addresses were fraudulently changed through Sears/Citibank to various Commercial Mail Receiving Agencies (CMRAs) located throughout Southern California. Subsequent investigation by ITEC revealed that two Nigerian nationals obtained the credit cards from the various CMRAs. These individuals then used the credit cards and corresponding fraudulent identification to conduct fraudulent balance transfers and cash advances. They also used data search engines such as ChoicePoint and Merlin to obtain the necessary information on the victims to facilitate the account takeovers.
On July 19, 2005, members of ITEC executed federal search warrants at the suspects’ residences, vehicles, and storage units. Fraudulent California identification cards and Nigerian passports bearing the individuals’ photographs but issued in various names were recovered during the search of the residences. The names on the identification cards corresponded with the account holder information on more than 30 recovered credit cards. Also recovered during the search were a number of printouts bearing corresponding victim information issued from Merlin and Intelius. Recovered from the storage unit were several hundred credit cards and more than 3,000 ChoicePoint search printouts, many of which bore handwritten notations indicating credit cards issued in those identities that were shipped to CMRAs under their control. The suspects were taken into custody pursuant to federal arrest warrants for violations of conspiracy to commit access device fraud. Both defendants pleaded guilty in United States District Court to conspiracy and access device fraud, and one defendant pleaded guilty to an additional count of computer intrusion.
PART N  FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY THEFT
Federal law enforcement officers rely on a wide range of federal criminal statutes to investigate and prosecute identity theft. The two federal statutes that most directly prohibit identity theft are the identity theft (18 U.S.C. § 1028(a)(7)) and aggravated identity theft (18 U.S.C. § 1028A(a)) statutes. The identity theft statute generally prohibits knowingly transferring, possessing, or using a means of identification of another person in connection with any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law.50 Similarly, the aggravated identity theft statute (18 U.S.C. § 1028A(a)(1)) prohibits knowingly transferring, possessing, or using a means of identification of another person, during and in relation to any of numerous specified federal felonies listed in that section. Federal prosecutors have been making substantial use of the identity theft and aggravated identity theft statutes in pursuing identity theft cases.
In addition to using the identity theft and aggravated identity theft statutes, DOJ often charges other offenses that may be committed in the course of identity theft and fraud. Some of the most frequently used statutes in this regard are mail fraud (18 U.S.C. § 1341); wire fraud (18 U.S.C. § 1343); financial institution fraud (18 U.S.C. § 1344); access device fraud (18 U.S.C. § 1029); and SSN fraud (42 U.S.C. § 408(a)(7)(B)). In cases involving false documents, such as visas, passports, or other documents relating to identification, federal prosecutors also can charge a variety of identification document offenses. These include identification document fraud (18 U.S.C. § 1028(a)(1)-(6)); false statement in application and use of passport (18 U.S.C. § 1542); forgery or false use of passport (18 U.S.C. § 1543); misuse of passport (18 U.S.C. § 1544); and fraud and misuse of visas, permits, and other documents (18 U.S.C. § 1546). In some cases involving “pretexting” (i.e., fraudulent misrepresentations to obtain customer data) directed at or affecting financial institutions, the GLB Act51 may apply.
Three other federal statutes may also apply to computer-related identity theft. First, the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030(a)(4), generally prohibits the unauthorized accessing of a computer with intent to defraud and thus furthering the fraud and obtaining anything of value. This statute has been used effectively to charge defendants engaging in identity theft by unlawful accessing of computers where the evidence shows that the data was taken as part of a fraud scheme. Second, 18 U.S.C. § 1030(a)(2) generally prohibits the theft of information from a computer, but limits a federal court’s jurisdiction to instances in which the thief uses an interstate communication to access that computer (unless the computer belongs to the federal government or a financial institution). Third, 18 U.S.C. § 1030(a)(5) prohibits actions that cause “damage” to computers—that is, actions that impair the “integrity or availability” of data or computer systems.52 Absent special circumstances, however, the loss caused by the conduct must exceed $5,000 in order for it to constitute a federal crime.
Another federal criminal offense that may apply in some computer-related identity theft cases is the “cyber-extortion” provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This subsection prohibits the transmission of a threat “to cause damage to a protected computer.”53 Subsection 1030(a)(7) is used, for example, to prosecute criminals who threaten to delete data, crash computers, or knock computers off of the Internet using a denial of service attack. This provision provides the electronic counterpart to traditional extortion statutes that generally require a threat to cause bodily harm or the destruction of physical property.
In addition, prosecutors often utilize statutes related to the programs and operations of the SSA, which are located in title 42 of the United States Code, to prosecute identity theft-related crimes. One of these statutes, 42 U.S.C. § 408, specifically addresses fraud relating to a SSN and Social Security card. It provides criminal penalties for an individual who fraudulently obtains, uses, or represents a SSN to be theirs. This statute also provides for criminal penalties for an individual who fraudulently buys, sells, or possesses a Social Security card with intent to sell or alter. It is also a violation of this statute to disclose, use, or compel the disclosure of the SSN of any person in violation of the laws of the United States.
Finally, HIPAA can be used to prosecute identity theft-related offenses. HIPAA provides for criminal sanctions against a health plan, health care clearinghouse, or health care provider subject to its provisions that wrongfully uses or causes to be used a unique health identifier, or that wrongfully obtains individually identifiable health information relating to an individual, or which wrongfully discloses such individually identifiable information to another party. 42 U.S.C. § 1320d-6(a). Violators may be fined not more than $50,000 and imprisoned not more than one year; or, if the offense is committed under false pretenses, be fined up to $100,000 and/or imprisoned not more than five years; or, if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000 and be imprisoned up to ten years.
PART O  TRAINING FOR AND BY INVESTIGATORS AND PROSECUTORS
At the National Advocacy Center (NAC) in Columbia, South Carolina, the DOJ offers training on identity fraud as part of other courses, including cybercrime and white-collar crime courses. The National District Attorneys Association (NDAA) also has a training program at the NAC, where it conducts courses on identity theft and cybercrime.
A number of other law enforcement entities also provide training, not only to their own investigators, but also to the private sector:
United States Attorney’s Offices
The U.S. Attorney’s Office for the Eastern District of Pennsylvania organized a conference for hospitals, utilities, universities, banks, and corporations on data security. In addition to technical data management and employee screening sessions, the conference addressed the pitfalls of poor information security, such as civil liability.
The U.S. Attorney’s Office for the Southern District of West Virginia has implemented the Identity Theft/Document Fraud Initiative to train prosecutors, law enforcement officers, Department of Motor Vehicle employees, other state and federal agencies, and the banking industry about the prevention and detection of document fraud. The Initiative involves an extensive training plan for each member agency, and includes the IRS-CI, SSA’s OIG, USSS, FBI-Joint Terrorism Task Force, ICE, West Virginia State Police, West Virginia Department of Motor Vehicles, Bureau of Prisons, West Virginia Bankers Association, and the Southern District of West Virginia’s Anti-Terrorism Advisory Council.
The U.S. Attorney’s Office for the District of Oregon sponsors an annual financial crimes conference that serves law enforcement, financial fraud investigators for financial institutions, and internal auditors for public agencies. It provides investigators and prosecutors who handle financial crimes, and private-sector personnel who assist them, tools to assist in the prevention, detection, investigation, and prosecution of fraud and identity theft. It regularly includes sections on asset tracing, investigative techniques involving digital technology, basic data recovery, search and seizure laws, pertinent financial privacy and regulatory provisions, and trends associated with economic fraud.
FBI
The FBI has provided in-service training on identity theft to its agents, and also includes identity theft information in other training sessions for FBI personnel. With respect to identity theft and health care, the FBI and the CMS are presenting Part D law enforcement training in several cities, which focuses on identity theft and scams that facilitate prescription drug fraud.
United States Secret Service
The Secret Service provides a substantial amount of training to local and state law enforcement counterparts, as well as providing support in a variety of ways—such as forensic analysis and expert testimony in support of local cases. In connection with an interagency working group on identity theft, the Secret Service, the Postal Inspection Service, and the FTC, in conjunction with the International Association of Chiefs of Police, developed a roll-call video on identity theft for police departments to show to their officers. This video was provided to police departments throughout the country. In addition, the Secret Service’s Electronic Crimes Section has trained over 150 state and local officers from across the United States to conduct computer investigations as well as computer forensic analysis. The Secret Service has also partnered with the National District Attorneys Association’s National Center for the Prosecution of Identity Crime to provide training for local prosecutors focused primarily on identity crimes.
The Secret Service provides six training seminars annually for U.S. Attorneys from across the United States. These seminars are hosted and coordinated by Secret Service personnel, and have included a block of instruction from the Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS) in some of the seminars. The topics covered in this training included: Counterfeit Currency, Eurasian Hacking, Identity Theft, Electronic Crimes Task Forces and Private Sector Partnerships, Cyber Law, and Cyber Prosecutions. The seminars are intended to provide an education on the Secret Service’s core violations and current trends observed in its daily investigations and investigations involving the Internet.
National White Collar Crime Center
The National White Collar Crime Center (NW3C), a nonprofit organization that provides training programs and other assistance to state and local law enforcement in partnership with the Bureau of Justice Assistance, has completed the development of a three-day identity theft course. The curriculum includes topics such as investigative tools, techniques, and resources for investigating identity theft crimes; “criminal tools of the trade”; the basics of identity theft for financial gain or concealment (e.g., for terrorism or avoidance of prosecution); and proactive and reactive approaches to identity theft that provide students with practical investigative experience. NW3C has also included modules on identity theft in other courses it conducts, which include methods of following the financial trail of these types of crimes.
American Prosecutors Research Institute
A nonprofit affiliate of the NDAA, the American Prosecutors Research Institute, has an established White Collar Crime Unit. With start-up funding from the BJA, the unit provides training to local prosecutors and law enforcement on a variety of issues including cybercrime, telemarketing fraud, and financial exploitation of the elderly. Trainings occur at specific sites across the country and as part of NDAA’s training program at the NAC.
NDAA recently established the National Center for the Prosecution of Identity Crimes to train local prosecutors, law enforcement, and members of the financial industry in the investigation and prosecution of identity crimes. The Center has conducted a Financial Identity Fraud training in Las Vegas and presented an Identity Theft Fall Conference at the NAC. The Center contemplates conducting several more conferences and providing clearinghouse services in the future.
Regional Information Sharing Systems (RISS)
Through the RISS program, in partnership with BJA, several additional classes including identity theft have been taught for state and local law enforcement. For example, the Mid-States Organized Crime Information Center co-sponsored a Financial Records Examination and Analysis course (presented by NW3C) that included identity theft as one of the topics.
National Consortium for Justice Information and Statistics (SEARCH)
Through a partnership with BJA, SEARCH trains state and local law enforcement on “Core Skills for the Investigation of Computer Crime,” which covers the basics of investigating the misuse of identities online.
Other Multi-Agency Training
Since 2002, several federal law enforcement agencies (the DOJ, the USPIS, the USSS, the FTC, and the FBI) and the American Association of Motor Vehicle Administrators (AAMVA) have jointly sponsored a series of more than 20 regional training seminars on identity fraud for state and local law enforcement agencies in numerous states across the United States. These one-day seminars, which are provided free of charge to state and local law enforcement, provide basic information, tools, and guidance with investigators’ and prosecutors’ perspectives on pursuing identity theft cases.
P. Current Remediation Tools Available to Victims

Federal and state laws offer victims of identity theft an array of tools to avoid or mitigate the damage they incur. Numerous resources and websites advise consumers of the steps to take if they have become victims of identity theft, or if their personal information has been breached. Consumers should take specific actions as soon as they suspect that they have been or are about to become a victim of identity theft. The following options are available to identity theft victims:
Place Fraud Alerts
Once a consumer suspects that he or she has been or may become a victim of identity theft (for instance, because a wallet was stolen or the consumer is notified that personal information was compromised by a data breach), the consumer may place, at no cost, an “initial fraud alert” on his or her credit report by making a request to any one of the three national CRAs (Experian, Equifax, or TransUnion).54 Fraud alerts can help prevent an identity thief from opening any accounts in the consumer’s name. The presence of a fraud alert requires creditors to confirm the consumer’s identity before opening new accounts or making changes to existing accounts.55 An initial fraud alert remains in place for 90 days, but may be renewed.56 If an identity theft occurs, the victim may place an extended seven-year alert.57
File a Police Report
Victims of identity theft should file a report with law enforcement officials as soon as they learn of the crime. This is a necessary step in obtaining an extended fraud alert or blocking fraudulent trade lines on a credit report, and can help with creditors who may want proof of a crime. Because many police departments, as a matter of policy and/or practice, do not routinely take identity theft reports, consumers often must be persistent in their requests for police reports. Victims can print a copy of the FTC’s online identity theft complaint form and provide it to their local police department. The police can use the completed form as the foundation of a police report.
Report the Theft to the FTC’s Identity Theft Data Clearinghouse
Consumers who experience identity theft should report the event to the FTC either through the online complaint form (www.ftc.gov/idtheft) or the toll-free hotline (877-IDTHEFT). The FTC maintains the federal clearinghouse for complaints by victims of identity theft. Identity theft reports are available through the FTC’s Consumer Sentinel Network to law enforcement officials across the country for use in their investigations.
As noted above, victims of identity theft should file a report with law enforcement officials as soon as they learn of the crime.
Obtain Documents Related to Fraudulent Transactions
Under section 609(e) of the FCRA,58 victims, or law enforcement officers acting on their behalf, can obtain records and application information from financial institutions that have handled transactions that identity thieves conducted in the victims’ names. (Some law enforcement officials, however, report that their agents have had difficulty in doing so because certain financial institution personnel are not familiar with the relevant provisions of the FCRA.)
Close Fraudulently Opened or Compromised Accounts
Consumers should close any accounts, such as bank accounts and/or credit cards, that were established fraudulently or appear to have been compromised. A consumer may be required to provide evidence, including a police report and other supporting documents, before a creditor closes the account or forgives the fraudulent debt.
Order a Credit Report
All consumers are entitled to receive a free copy of their consumer report from each of the three national CRAs (Experian, Equifax, and TransUnion), as well as from various other nationwide specialty CRAs, every twelve months.59 Additionally, placing a fraud alert entitles consumers to immediately request free copies of their credit reports regardless of the timing of their previous requests.60 Consumers who have had an extended fraud alert placed on their credit reports are entitled to request two free copies of their credit report from each of the CRAs in the twelve months following the date the extended alert was placed.61
Block Fraudulent Information on Credit Reports
When a credit report contains fraudulent information as a result of identity theft, the consumer can ask that the information be blocked from the credit report. CRAs block fraudulent information from a credit report when the consumer provides certain information, including a copy of a police report and a statement that the information does not relate to any transaction made or authorized by the consumer.62
Seek Assistance from Information Furnishers
An “information furnisher” is any entity that provides information to the CRAs. For example, a department store that opens a store account for a consumer would furnish information about that credit account to the three CRAs. When a CRA notifies an information furnisher that it has blocked fraudulent information about a credit transaction by that furnisher, the information furnisher may not continue to report that information to the CRAs, and may not hire someone to collect the debt that relates to the fraudulent account, or sell the debt to someone else who would try to collect it.63
Receive an Accounting of Disclosures Made By Health Care Providers and Health Plans
All consumers can protect themselves against a form of identity theft, medical identity theft, by requesting from their health care providers or health plans accountings of any disclosure made of their protected health information during the preceding six years, other than those that relate, among other exceptions, to treatment, payment, and health care operations. 45 C.F.R. § 164.528. The HIPAA Privacy Rule requires health plans, health care clearinghouses, and covered health care providers to provide one free accounting per year upon the request of the consumer.
Seek Assistance from the IRS
In some cases of identity theft, the suspect either obtains a refund or incurs tax liability in the victim’s name. In such cases, the victim may need to obtain assistance from the IRS. The IRS is updating procedures to provide notices and assistance to taxpayers whose name and SSN were used by an identity thief for employment purposes. The IRS’s Identity Theft Program Office can provide further information regarding this comprehensive effort.
Dispute Fraudulent Debts with Debt Collectors
Consumers also have rights if they are contacted by debt collectors about debts incurred in their name by identity thieves. The consumer can stop contacts by a debt collector by sending a letter within 30 days of being contacted, informing the collector that the debt is not theirs. The debt collector may not contact the consumer again until it sends proof of the debt to the consumer. After a debt collector is notified that a debt is the result of identity theft, it is required to inform the creditor for whom it is collecting that the consumer disputes the debt.
Pursue State Remedies
Some states provide additional protections to identity theft victims by allowing them to request a “credit freeze,” which prevents consumers’ credit reports from being released without their express consent. Because most companies obtain a credit report on a consumer before extending credit, a credit freeze will likely prevent the extension of credit in a consumer’s name without the consumer’s express permission.
Contact Identity Theft Victim File Programs
Identity thieves have sometimes committed crimes using another’s name. Victims who experience this form of identity theft often must establish that they are not the person who, in their name, committed the crime. Several states and the FTC have programs that address this serious situation. For example, California maintains a registry of individuals whose identities have been used in the commission of a crime. The registry is used to help consumers establish that they were not responsible for crimes committed in their name.64 Similarly, Ohio’s PASSPORT system for identity theft victims issues a card to identity theft victims that can be used to verify their identities to law enforcement officers and creditors. Several other states, too, have begun to use “passport” programs like these. The FBI has a similar program, which is managed through its Criminal Justice Information Services Division.
Consider Private Sector Assistance
The private sector and not-for-profit entities also provide tools for victims to repair the damage caused by identity theft. For example, both the ITRC and the Privacy Rights Clearinghouse (PRC) provide direct consumer assistance under certain circumstances. Other organizations offer recovery programs for a fee that promise to repair the damage caused by the identity thief.65 CRAs and other companies offer credit monitoring services that claim to provide early warning of identity theft.66
In addition, a consortium of dozens of large financial institutions created the not-for-profit ITAC in 2004 to provide free, one-on-one assistance to consumers who experience identity theft through one of the member entities. Identity theft victims who contact an ITAC member company first try to resolve their dispute with that company, and then can choose to refer their identity theft case to the ITAC.
Consider Whether to Seek a New Social Security Number
In limited circumstances, the SSA may assign a new SSN to a victim who provides evidence of SSN misuse and, despite efforts to resolve the problem, continues to be disadvantaged by the misuse. A major drawback to getting a new SSN is that an individual may have a difficult time re-establishing an identity under the new SSN, including a credit, educational, and medical history. (SSA will cross-refer the old and new SSNs in SSA records to ensure proper crediting of earnings.)
ENDNOTES

1. Gramm-Leach-Bliley Act § 501(b), 15 U.S.C. § 6801; Fair Credit Reporting Act § 628, 15 U.S.C. § 1681w.
2. The FACT Act also includes restrictions on the circumstances under which consumer reporting agencies may furnish consumer reports that contain medical information about consumers. In particular, a consumer reporting agency may not furnish a consumer report that contains medical information about a consumer except under certain delineated circumstances involving consumer consent to the furnishing of the report, or if the information is limited to account status and is reported in a manner that does not reveal the nature of the medical treatment.
3. See also Identity Theft and Pretext Calling, Board SR Letter 01-11 (Supp) (Apr. 26, 2001), OCC AL 2001-4 (April 30, 2001), OTS CEO Memorandum #139 (May 4, 2001), FDIC FIL-39-2001; Threats from Fraudulent Bank Web Sites: Risk Mitigation and Response Guidance for Web Site Spoofing Incidents, OCC Bulletin 2005-24 (July 1, 2005); Phishing and E-mail Scams, OTS CEO Memorandum #193 (Mar. 8, 2004); Phishing, OTS CEO Memorandum #205 (Sep. 8, 2004); Phishing, FDIC FIL-103-2004; Bank Use of Foreign-Based Third-Party Service Providers, OCC Bulletin 2002-16 (May 15, 2002); Third Party Arrangements, OTS Thrift Bulletin 82a (September 2, 2004); Infrastructure Threats—Intrusion Risks, OCC Bulletin 2000-14 (May 15, 2000); Voice Over Internet Protocol, FDIC FIL-69-2005; Spyware, FDIC FIL-66-2005; FDIC Identity Theft Study Supplement, FDIC FIL-59-2005; FDIC Identity Theft Study, FDIC FIL-132-2004; Software Due Diligence, FDIC FIL-121-2004; Instant Messaging, FDIC FIL-84-2004; Virus Protection, FDIC FIL-62-2004; Internet Fraud, FDIC FIL-27-2004; Patch Management, FDIC FIL-43-2003; Wireless, FDIC FIL-8-2002. The financial institution regulators also issue alerts from time to time, such as Customer Identity Theft: E-Mail Related Fraud Threats, OCC Alert 2003-11 (September 12, 2003), and Network Security Vulnerabilities, OCC Alert 2001-4 (April 24, 2001).
4. See, e.g., The Financial Services Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services, www.bitsinfo.org/downloads/Publications%20Page/bitsconscon.pdf; BITS Voluntary Guidelines for Aggregation Services, www.bitsinfo.org/downloads/Publications%20Page/bitsaggguide2004.pdf.
5. See “BITS,” the Technology Group of the Financial Services Roundtable, Financial Identity Theft: Prevention and Consumer Assistance, June 2003, www.bitsinfo.org/downloads/Publications%20Page/bitsidtheftwhitepaper.pdf.
6. See http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html.
7. See the data security guidelines of Truste.org, at www.truste.org/pdf/SecurityGuidelines.pdf.
8. See id.
9. See id.
10. See id.
11. See Peter Mell et al., Guide to Malware Incident Prevention and Handling: Recommendations of the National Institute of Standards and Technology, at ES-1 (Nov. 2005), http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf.
12. Id.
13. Id.
14. Id.
15. See, e.g., Visa USA Cardholder Information Security Program, What To Do If Compromised (Nov. 14, 2005), http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf; American Express, Data Compromise Workbook (2006).
16. American Express, Data Compromise Workbook (2006), at 6-8.
17. Visa USA Cardholder Information Security Program, What To Do If Compromised (Nov. 14, 2005), at 3.
18. Id.
19. American Express, Data Compromise Workbook (2006), at 10.
20. For instance, Educause, a nonprofit that emphasizes technology and information security for institutions of higher education, has created a Data Incident Notification Toolkit, which provides users with information about legal obligations, policies and procedures, thresholds for notification, and notification templates. See Educause, Data Incident Notification Toolkit, available at http://www.educause.edu/DataIncidentNotificationToolkit/9320.
21. The IT Compliance Institute (ITCI) has provided some key recommendations for companies to consider in the event of a security incident. See http://www.itcinstitute.com/display.aspx?id=1731. First, ITCI recommends that companies develop a good communications strategy and ensure that only pre-approved public relations personnel speak about any incident. Also, regardless of state laws, it advises that companies should provide nationwide notice to consumers of a potential data breach using multiple consumer notification techniques, such as a combination of telephone and letter. Any notification provided by a business should quickly, clearly, and thoroughly communicate to its customers what happened, the potential harm for the customer, what the company is doing to help, and how it plans to prevent future breaches. Finally, ITCI recommends providing essential information and steps that customers should take to protect themselves. IT Compliance Institute, Data Breach Damage Control (May 16, 2006), available at www.itcinstitute.com/display.aspx?id=1731.
22. Some companies have provided technical advice, such as the use of specific backup and encryption technologies, in the event of lost or stolen media, as well as specific types of data collection and analysis software that companies should use for forensic investigations. Others assist members and others in developing and implementing information security as well as breach response programs.
23. Available at www.ncpc.org/cms/cms-upload/prevent/files/idtheftrev.pdf.
24. See http://www.ojp.gov/ovc/help/it.htm.
25. Available at http://studentaid.ed.gov/PORTALSWebApp/students/english/idtheft.jsp.
26. See http://www.staysafeonline.org/basics/consumers.html.
27. See http://www.texasbankers.com/pdfs/StopIDtheft.pdf.
28. See “Identity Theft: How To Avoid Theft And What To Do If It Happens To You,” available at www.sia.com/publications/pdf/Identity_Theft.pdf.
29. Available at www.nasd.com/InvestorInformation/InvestorAlerts/FraudsandScams/PhishingandOtherOnlineIdentityTheftScamsDontTaketheBait/index.htm.
30. Pam Dixon, “Medical Identity Theft: The Information Crime That Can Kill You,” World Privacy Forum, Spring 2006, www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf, at 6.
31. “Colleges are textbook cases of cybersecurity breaches,” USA TODAY, August 1, 2006, available at www.usatoday.com/tech/news/computersecurity/hacking/2006-08-01-college-hack_x.htm?POE=TECISVA.
32. See http://identityweb.umich.edu/.
33. Pub. L. 108-458.
34. Pub. L. 109-13.
35. See Bureau of Justice Statistics Bulletin, Prosecutors in State Courts, 2005 (July 2006), available at http://www.ojp.usdoj.gov/bjs/pub/pdf/psc05.pdf.
36. Pub. L. 108-275, July 15, 2004, 118 Stat. 831.
37. No cases with a conviction under 18 U.S.C. § 1028A were received by the Commission in Fiscal Year 2004. Cases with incomplete information on statutory subsection and/or applicable statutory minimum were excluded.
38. Average sentences include prison and alternative confinement as defined in USSG § 5C1.1. Cases with sentences of 470 months (or more, including life) or probation were included in the average sentence calculations as 470 months and zero months, respectively.
39. See Guidelines Manual, USSG § 3B1.3, App. Note 2(B), for full text including examples.
40. Average sentences include prison and alternative confinement as defined in USSG § 5C1.1. Cases with sentences of 470 months (or more, including life) or probation were included in the average sentence calculations as 470 months and zero months, respectively.
41. See kansascity.fbi.gov/dojpressrel/pressrel06/identitytheft051006.htm.
42. See U.S. Department of Justice, Press Release (July 11, 2006), available at www.usdoj.gov/opa/pr/2006/July/06_crm_424.html.
43. See United States Attorney’s Office, Central District of California, Press Release (December 15, 2005), available at http://www.usdoj.gov/usao/cac/pr2005/170.html.
44. SSN misuse includes both identity theft and identity fraud not involving another real person’s identity, e.g., when an individual fraudulently obtains a second SSN.
45. See Department of Justice, Press Release (November 20, 2003), available at http://www.fbi.gov/dojpressrel/pressrel03/cyber112003.htm.
46. See Prepared Statement of Anne Wallace, Executive Director, Identity Theft Assistance Corporation, Before the Subcommittee on Crime, Terrorism and Homeland Security of the House of Representatives Committee on the Judiciary, June 11, 2006, available at http://www.identitytheftassistance.org/resources/Wallace.ITAC.pdf.
47. See Reuters, IDs of 50,000 Bahamas resort guests stolen, New Zealand Herald, January 9, 2006, available at http://www.nzherald.co.nz/location/story.cfm?l_id=520&ObjectID=10362953.
48. See Liberty Alliance, http://www.projectliberty.org/.
49. See U.S. Secret Service, Press Release (May 23, 2006), available at http://www.secretservice.gov/press/gpa0613.pdf.
50. 18 U.S.C. § 1028(d)(7).
51. 15 U.S.C. §§ 6821 and 6823.
52. See 18 U.S.C. § 1030(e)(8).
53. 18 U.S.C. § 1030(a)(7).
54. Fair Credit Reporting Act § 605A, 15 U.S.C. § 1681c-1.
55. FCRA § 605A(h)(1)(B), 15 U.S.C. § 1681c-1(h)(1)(B).
56. FCRA § 605A(a)(1)(A), 15 U.S.C. § 1681c-1(a)(1)(A).
57. FCRA § 605A(h)(2)(B), 15 U.S.C. § 1681c-1(h)(2)(B).
58. FCRA § 609(e), 15 U.S.C. § 1681g(e).
59. FCRA § 612(a), 15 U.S.C. § 1681j(a).
60. FCRA § 605A(a)(2), 15 U.S.C. § 1681c-1(a)(2).
61. FCRA § 605A(b)(2)(A), 15 U.S.C. § 1681c-1(b)(2)(A).
62. FCRA § 605B(a), 15 U.S.C. § 1681c-2(a).
63. FCRA § 623(a)(6)(A), 15 U.S.C. § 1681s-2(a)(6)(A).
64. See http://ag.ca.gov/idtheft/general.htm.
65. See, e.g., http://inova.org/inovapublic.srt/eap/idtheft.jsp?tStatus=5; www.identitytheft911.com/home.htm.
66. See http://www.fightidentitytheft.com/credit-monitoring.html.