The President’s Identity Theft Task Force Strategic Plan – Privacy Implications
-
Upload
aladdin-reed -
Category
Documents
-
view
47 -
download
0
description
Transcript of The President’s Identity Theft Task Force Strategic Plan – Privacy Implications
The President’s Identity Theft Task Force Strategic
Plan – Privacy Implications
Jonathan J. RuschSpecial Counsel for Fraud Prevention
Fraud Section, Criminal DivisionU.S. Department of Justice
The Privacy Symposium – Harvard UniversityCambridge, MA
August 23, 2007
Background
Statistics
Federal Trade Commission Identity theft most frequently reported type of
fraud reported to FTC, 2004 – 2006 2006: 246,035 complaints
Javelin Strategy & Research, 2007 8.4 million U.S. adults victims of identity fraud in
preceding year
President’s Identity Theft Task Force Establishment May 10, 2006 by Executive Order Tasks
Submit to the President a coordinated strategic plan to further improve the effectiveness and efficiency of the federal government's activities in the areas of identity theft awareness, prevention, detection, and prosecution
Coordinate federal government efforts related to implementation of the policy to use federal resources effectively to deter, prevent, detect, investigate, proceed against, and prosecute unlawful use by persons of the identifying information of other persons
Provide advice on the establishment, execution, and efficiency of policies and activities to implement that policy
Promote enhanced cooperation by federal departments and agencies with state and local authorities responsible for the prevention, investigation, and prosecution of significant identity theft crimes
President’s Identity Theft Task Force
Composition Chair: Attorney General; Co-Chair: FTC Chairman Members: Five Cabinet departments; OMB;
Social Security Administration; bank supervisory agencies; and Postal Service
Issuance of Strategic Plan: April 23, 2007 Copies at http://www.idtheft.gov
Premise of Strategic Plan
Identity Theft Has At Least Three Stages in Its “Life Cycle” and Must Be Attacked at Each Stage
Identity thief attempts to acquire victim’s personal information
Identity thief attempts to misuse the information he has acquired
Identity thief has completed his crime and is enjoying the benefits, while victim is realizing the harm
Focus of Strategic Plan
Improvements in Four Key Areas Keeping sensitive consumer data out of the hands
of identity thieves through better data security and more accessible education;
Making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
Assisting victims of identity theft in recovering from the crime; and
Deterring identity theft by more aggressive prosecution and punishment of those who commit the crime
Improvements
Prevention: Keeping Consumer Data Out Of The Hands Of Criminals
Data Security in Public Sector Decrease the Unnecessary Use of Social Security Numbers in the
Public Sector by Developing Alternative Strategies for Identity Management Survey current use of SSNs by federal government Issue guidance on appropriate use of SSNs Establish clearinghouse for “best” agency practices that minimize use of
SSNs Work with state and local governments to review use of SSNs
Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance Develop concrete guidance and best practices Monitor agency compliance with data security guidance Protect portable storage and communications devices
Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies Issue data breach guidance to agencies Publish a “routine use” allowing disclosure of information after a breach to
those entities that can assist in responding to the breach
Data Security in Private Sector Establish National Standards for Private Sector Data Protection
Requirements and Breach Notice Requirements Develop Comprehensive Record on Private Sector Use of Social
Security Numbers Better Educate the Private Sector on Safeguarding Data
Hold regional seminars for businesses on safeguarding information
Distribute improved guidance for private industry Initiate Investigations of Data Security Violations Initiate a Multi-Year Public Awareness Campaign
Develop national awareness campaign Enlist outreach partners Increase outreach to traditionally underserved communities Establish “Protect Your Identity” Days
Develop Online Clearinghouse for Current Educational Resources
Improvements
Prevention: Making It Harder to Misuse Consumer Data
Gathering and Analyzing Information
Hold Workshops on Authentication Engage academics, industry, entrepreneurs, and
government experts on developing and promoting better ways to authenticate identity
Issue report on workshop findings Develop a Comprehensive Record on Private
Sector Use of SSNs
Improvements
Victim Recovery: Helping Consumers Repair Their Lives
Training and Individual Assistance
Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims Train law enforcement officers Provide educational materials for first responders that can
be used as a reference guide for identity theft victims Create and distribute an ID Theft Victim Statement of
Rights Design nationwide training for victim assistance counselors
Develop Avenues for Individualized Assistance to Identity Theft Victims
Statutory and Regulatory Issues
Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered
Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes
Assess Efficacy of Tools Available to Victims Conduct assessment of FACT Act remedies under FCRA Conduct assessment of state credit freeze laws
Improvements
Law Enforcement: Prosecuting and Punishing Identity Thieves
Coordination and Information/Intelligence Sharing
Establish a National Identity Theft Law Enforcement Center
Develop and Promote the Use of a Universal Identity Theft Report Form
Enhance Information Sharing Between Law Enforcement and the Private Sector Enhance ability of law enforcement to receive information
from financial institutions Initiate discussions with financial services industry on
countermeasures to identity theft Initiate discussions with credit reporting agencies on
preventing identity theft
Coordination with Foreign Law Enforcement Encourage Other Countries to Enact Suitable
Domestic Legislation Criminalizing Identity Theft Facilitate Investigation and Prosecution of
International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime
Identify Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies
Assist, Train, and Support Foreign Law Enforcement
Prosecution Approaches and Initiatives
Increase Prosecutions of Identity Theft Designate an identity theft coordinator for each
United States Attorney’s Office to design a specific identity theft program for each district
Evaluate monetary thresholds for prosecution Encourage state prosecution of identity theft Create/expand working groups and task forces
Prosecution Approaches and Initiatives
Conduct Targeted Enforcement Initiatives Conduct enforcement initiatives focused on using
unfair or deceptive means to make SSNs available for sale
Conduct enforcement initiatives focused on identity theft related to the health care system
Conduct enforcement initiatives focused on identity theft by illegal aliens
Review Civil Monetary Penalty Programs
Gaps in Statutes Criminalizing Identity Theft Close Gaps in Criminal Statutes
Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted
Add new crimes to the list of predicate offenses for aggravated identity theft offenses
Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications
Penalize creators and distributors of malicious spyware and keyloggers
Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion
Ensure That an Identity Thief’s Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim
Law Enforcement Training
Enhance Training for Law Enforcement Officers and Prosecutors Develop course at National Advocacy Center
focused on investigation and prosecution of identity theft
Increase number of regional identity theft seminars
Increase resources for law enforcement on the Internet
Review curricula to enhance basic and advanced training on identity theft
Measuring the Success of Law Enforcement
Enhance the Gathering of Statistical Data Impacting the Criminal Justice System’s Response to Identity Theft Gather and analyze statistically reliable data from
identity theft victims Expand scope of National Crime Victimization
Survey Review U.S. Sentencing Commission data Track prosecutions of identity theft and resources
spent Conduct targeted surveys
Privacy Implications of Strategic Plan
Key Privacy Interests Privacy: How do the recommendations affect
individuals’ ability to control how personal information about them is collected, used, or shared? Recommendations are designed to provide greater control
over personal data, through keeping data out of criminals’ hands and increasing the difficulty of successful use by criminals Decreasing unnecessary use of SSNs in public sector Education on data security for public and private sectors
But recommendations also are intended to facilitate information-sharing among affected agencies in event of data breach or other theft “Routine” use notices to allow disclosure to agencies that
can assist in responding to data breach
Key Privacy Interests
Confidentiality: How do the recommendations affect rules and practices that protect the confidentiality of personal information once it has been collected?
Recommendations do not seek to gather new information from consumers, other than in context of investigation involving abuse of personal data
Existing rules that constrain law enforcement (e.g., grand jury secrecy rule) continue to apply
Other information-gathering from consumers is designed to better measure incidence of identity theft and obtain more data on victimization (e.g., BJS surveys)
Key Privacy Interests
Seclusion: Does the program use or foster surveillance? Recommendations neither use nor foster surveillance
Key Privacy Interests Fairness: How do the recommendations affect fair
treatment of individuals at every step? Data Quality:
How do recommendations address – Data collection directly from the subject of the information? The use of accurate, timely, and relevant data? Individuals’ access and correction rights? Propagation of corrections throughout the system?
Recommendations are intended to provide fairer treatment of identity-theft victims Recommendations do not seek to collect data directly from
consumers other than victims They do seek to expedite information-sharing between private
sector and law enforcement in context of criminal investigation Recommendations include individualized assistance (e.g., pro
bono representation) for victims that would improve their ability to use existing measures for access and correction and to seek systematic corrections
Key Privacy Interests
Notice: How do the recommendations affect provision of adequate notice to individuals of data collection, use, disclosure, and redress policies? In general, recommendations are not geared to
gathering new data (other than victim- and crime-related data)
On data breaches, recommendations are intended to foster improved notice to consumers
Key Privacy Interests
Individual Participation and Accountability: Does the program provide due process through redress mechanisms wherever a person may suffer an adverse action or determination? Recommendations include provisions to assist victims
in recovery
Key Privacy Interests
Transparency: Do the recommendations involve proposals that are open to public scrutiny, understanding, and participation? Recommendations, and process leading to them,
involve transparency By their nature, most elements of recommendations (other
than law enforcement-sensitive programs and techniques) are transparent
Opportunity for public to comment before issuance of Strategic Plan
Key Privacy Interests
Liberty: Does the program limit individual freedom in some dimension? None of recommendations seek to limit individual or
organizational freedom Number of recommendations are geared to improving
protection of consumer data and protection of consumers
Contact Data
Email: [email protected] Phone: 202-514-0631 Fax: 202-514-7021 Mail: 10th Street and Constitution Avenue,
N.W., Bond Building, Room 4300, Washington, DC 20530