The President’s Identity Theft Task Force Strategic

Plan – Privacy Implications

Jonathan J. RuschSpecial Counsel for Fraud Prevention

Fraud Section, Criminal DivisionU.S. Department of Justice

The Privacy Symposium – Harvard UniversityCambridge, MA

August 23, 2007

Background

Statistics

Federal Trade Commission Identity theft most frequently reported type of

fraud reported to FTC, 2004 – 2006 2006: 246,035 complaints

Javelin Strategy & Research, 2007 8.4 million U.S. adults victims of identity fraud in

preceding year

President’s Identity Theft Task Force Establishment May 10, 2006 by Executive Order Tasks

Submit to the President a coordinated strategic plan to further improve the effectiveness and efficiency of the federal government's activities in the areas of identity theft awareness, prevention, detection, and prosecution

Coordinate federal government efforts related to implementation of the policy to use federal resources effectively to deter, prevent, detect, investigate, proceed against, and prosecute unlawful use by persons of the identifying information of other persons

Provide advice on the establishment, execution, and efficiency of policies and activities to implement that policy

Promote enhanced cooperation by federal departments and agencies with state and local authorities responsible for the prevention, investigation, and prosecution of significant identity theft crimes

President’s Identity Theft Task Force

Composition Chair: Attorney General; Co-Chair: FTC Chairman Members: Five Cabinet departments; OMB;

Social Security Administration; bank supervisory agencies; and Postal Service

Issuance of Strategic Plan: April 23, 2007 Copies at http://www.idtheft.gov

Premise of Strategic Plan

Identity Theft Has At Least Three Stages in Its “Life Cycle” and Must Be Attacked at Each Stage

Identity thief attempts to acquire victim’s personal information

Identity thief attempts to misuse the information he has acquired

Identity thief has completed his crime and is enjoying the benefits, while victim is realizing the harm

Focus of Strategic Plan

Improvements in Four Key Areas Keeping sensitive consumer data out of the hands

of identity thieves through better data security and more accessible education;

Making it more difficult for identity thieves who obtain consumer data to use it to steal identities;

Assisting victims of identity theft in recovering from the crime; and

Deterring identity theft by more aggressive prosecution and punishment of those who commit the crime

Improvements

Prevention: Keeping Consumer Data Out Of The Hands Of Criminals

Data Security in Public Sector Decrease the Unnecessary Use of Social Security Numbers in the

Public Sector by Developing Alternative Strategies for Identity Management Survey current use of SSNs by federal government Issue guidance on appropriate use of SSNs Establish clearinghouse for “best” agency practices that minimize use of

SSNs Work with state and local governments to review use of SSNs

Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance Develop concrete guidance and best practices Monitor agency compliance with data security guidance Protect portable storage and communications devices

Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies Issue data breach guidance to agencies Publish a “routine use” allowing disclosure of information after a breach to

those entities that can assist in responding to the breach

Data Security in Private Sector Establish National Standards for Private Sector Data Protection

Requirements and Breach Notice Requirements Develop Comprehensive Record on Private Sector Use of Social

Security Numbers Better Educate the Private Sector on Safeguarding Data

Hold regional seminars for businesses on safeguarding information

Distribute improved guidance for private industry Initiate Investigations of Data Security Violations Initiate a Multi-Year Public Awareness Campaign

Develop national awareness campaign Enlist outreach partners Increase outreach to traditionally underserved communities Establish “Protect Your Identity” Days

Develop Online Clearinghouse for Current Educational Resources

Improvements

Prevention: Making It Harder to Misuse Consumer Data

Gathering and Analyzing Information

Hold Workshops on Authentication Engage academics, industry, entrepreneurs, and

government experts on developing and promoting better ways to authenticate identity

Issue report on workshop findings Develop a Comprehensive Record on Private

Sector Use of SSNs

Improvements

Victim Recovery: Helping Consumers Repair Their Lives

Training and Individual Assistance

Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims Train law enforcement officers Provide educational materials for first responders that can

be used as a reference guide for identity theft victims Create and distribute an ID Theft Victim Statement of

Rights Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Statutory and Regulatory Issues

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims Conduct assessment of FACT Act remedies under FCRA Conduct assessment of state credit freeze laws

Improvements

Law Enforcement: Prosecuting and Punishing Identity Thieves

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector Enhance ability of law enforcement to receive information

from financial institutions Initiate discussions with financial services industry on

countermeasures to identity theft Initiate discussions with credit reporting agencies on

preventing identity theft

Coordination with Foreign Law Enforcement Encourage Other Countries to Enact Suitable

Domestic Legislation Criminalizing Identity Theft Facilitate Investigation and Prosecution of

International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Assist, Train, and Support Foreign Law Enforcement

Prosecution Approaches and Initiatives

Increase Prosecutions of Identity Theft Designate an identity theft coordinator for each

United States Attorney’s Office to design a specific identity theft program for each district

Evaluate monetary thresholds for prosecution Encourage state prosecution of identity theft Create/expand working groups and task forces

Prosecution Approaches and Initiatives

Conduct Targeted Enforcement Initiatives Conduct enforcement initiatives focused on using

unfair or deceptive means to make SSNs available for sale

Conduct enforcement initiatives focused on identity theft related to the health care system

Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs

Gaps in Statutes Criminalizing Identity Theft Close Gaps in Criminal Statutes

Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted

Add new crimes to the list of predicate offenses for aggravated identity theft offenses

Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications

Penalize creators and distributors of malicious spyware and keyloggers

Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Law Enforcement Training

Enhance Training for Law Enforcement Officers and Prosecutors Develop course at National Advocacy Center

focused on investigation and prosecution of identity theft

Increase number of regional identity theft seminars

Increase resources for law enforcement on the Internet

Review curricula to enhance basic and advanced training on identity theft

Measuring the Success of Law Enforcement

Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft Gather and analyze statistically reliable data from

identity theft victims Expand scope of National Crime Victimization

Survey Review U.S. Sentencing Commission data Track prosecutions of identity theft and resources

spent Conduct targeted surveys

Privacy Implications of Strategic Plan

Key Privacy Interests Privacy: How do the recommendations affect

individuals’ ability to control how personal information about them is collected, used, or shared? Recommendations are designed to provide greater control

over personal data, through keeping data out of criminals’ hands and increasing the difficulty of successful use by criminals Decreasing unnecessary use of SSNs in public sector Education on data security for public and private sectors

But recommendations also are intended to facilitate information-sharing among affected agencies in event of data breach or other theft “Routine” use notices to allow disclosure to agencies that

can assist in responding to data breach

Key Privacy Interests

Confidentiality: How do the recommendations affect rules and practices that protect the confidentiality of personal information once it has been collected?

Recommendations do not seek to gather new information from consumers, other than in context of investigation involving abuse of personal data

Existing rules that constrain law enforcement (e.g., grand jury secrecy rule) continue to apply

Other information-gathering from consumers is designed to better measure incidence of identity theft and obtain more data on victimization (e.g., BJS surveys)

Key Privacy Interests

Seclusion: Does the program use or foster surveillance? Recommendations neither use nor foster surveillance

Key Privacy Interests Fairness: How do the recommendations affect fair

treatment of individuals at every step? Data Quality:

How do recommendations address – Data collection directly from the subject of the information? The use of accurate, timely, and relevant data? Individuals’ access and correction rights? Propagation of corrections throughout the system?

Recommendations are intended to provide fairer treatment of identity-theft victims Recommendations do not seek to collect data directly from

consumers other than victims They do seek to expedite information-sharing between private

sector and law enforcement in context of criminal investigation Recommendations include individualized assistance (e.g., pro

bono representation) for victims that would improve their ability to use existing measures for access and correction and to seek systematic corrections

Key Privacy Interests

Notice: How do the recommendations affect provision of adequate notice to individuals of data collection, use, disclosure, and redress policies? In general, recommendations are not geared to

gathering new data (other than victim- and crime-related data)

On data breaches, recommendations are intended to foster improved notice to consumers

Key Privacy Interests

Individual Participation and Accountability: Does the program provide due process through redress mechanisms wherever a person may suffer an adverse action or determination? Recommendations include provisions to assist victims

in recovery

Key Privacy Interests

Transparency: Do the recommendations involve proposals that are open to public scrutiny, understanding, and participation? Recommendations, and process leading to them,

involve transparency By their nature, most elements of recommendations (other

than law enforcement-sensitive programs and techniques) are transparent

Opportunity for public to comment before issuance of Strategic Plan

Key Privacy Interests

Liberty: Does the program limit individual freedom in some dimension? None of recommendations seek to limit individual or

organizational freedom Number of recommendations are geared to improving

protection of consumer data and protection of consumers

Contact Data

Email: Jonathan.Rusch2@usdoj.gov Phone: 202-514-0631 Fax: 202-514-7021 Mail: 10th Street and Constitution Avenue,

N.W., Bond Building, Room 4300, Washington, DC 20530