The President’s Identity Theft Task ForceCombating IDENTITY THEFTA Strategic PlanApril 2007

COMBATING IDENTITY THEFT A Strategic PlanTable of ContentsGlossary of Acronyms. vIdentity Theft Task Force Members. viiLetter to the President. viiiI.Executive Summary. 1A. Introduction. 1B. The Strategy. 2II.The Contours of the Identity Theft Problem. 10A. Prevalence and Costs of Identity Theft. 11B. Identity Thieves: Who They Are. 12C. How Identity Theft Happens: The Tools of the Trade. 13D. What Identity Thieves Do With the InformationThey Steal: The Different Forms of Identity Theft. 18III. A Strategy to Combat Identity Theft. 22A. Prevention: Keeping Consumer Data out of theHands of Criminals. 221. Decreasing the Unnecessary Use ofSocial Security Numbers . . 232. Data Security in the Public Sector . 27a. Safeguarding of Information in the Public Sector. 27b. Responding to Data Breaches in the Public Sector. 283. Data Security in the Private Sector. 31a. The Current Legal Landscape. 31b. Implementation of Data Security Guidelines and Rules. 32c. Responding to Data Breaches in the Private Sector. 344. Educating Consumers on ProtectingTheir Personal Information. 39B. Prevention: Making It Harder to Misuse Consumer Data. 42C. Victim Recovery: Helping Consumers Repair Their Lives. 451. Victim Assistance: Outreach and Education . 452. Making Identity Theft Victims Whole. 493. Gathering Better Information on the Effectiveness of VictimRecovery Measures. 51iii

TABLE OF CONTENTSD.Law Enforcement: Prosecuting and Punishing Identity Thieves. 521. Coordination and Intelligence/Information Sharing. 53a. Sources of Identity Theft Information. 54b. Format for Sharing Information and Intelligence. 55c. Mechanisms for Sharing Information. 552. Coordination with Foreign Law Enforcement. 583. Prosecution Approaches and Initiatives. 624. Statutes Criminalizing Identity-Theft RelatedOffenses: The Gaps. 65a. The Identity Theft Statutes. 65b. Computer-Related Identity Theft Statutes . 66c. Cyber-Extortion Statute. 66d. Sentencing Guidelines Governing Identity Theft. 675. Training of Law Enforcement Officers and Prosecutors. 696. Measuring Success of Law Enforcement Efforts. 70IV. Conclusion: The Way Forward . 72APPENDICESAppendix A: Identity Theft Task Force’s Guidance Memorandumon Data Breach Protocol. 73Appendix B: Proposed Routine Use Language. 83Appendix C: Text of Amendments to18 U.S.C. §§ 3663(b) and 3663A(b) . 85Appendix D: Text of Amendments to 18 U.S.C. §§ 2703, 2711 and 3127,and Text of New Language for 18 U.S.C. § 3512. 87Appendix E: Text of Amendments to 18 U.S.C. §§ 1028 and 1028A . 91Appendix F: Text of Amendment to 18 U.S.C. § 1032(a)(2) . 93Appendix G: Text of Amendments to 18 U.S.C. §§ 1030(a)(5), (c),and (g) and to 18 U.S.C. 2332b . 94Appendix H: Text of Amendments to 18 U.S.C. § 1030(a)(7) . 97Appendix I: Text of Amendment to United States SentencingGuideline § 2B1.1 . 98Appendix J (Description of Proposed Surveys) . 99ENDNOTESiv. 101

COMBATING IDENTITY THEFT A Strategic PlanGlossary of AcronymsAAMVA–American Association ofMotor Vehicle AdministratorsFCU Act–Federal Credit Union ActAARP–American Association ofRetired PersonsFDIC–Federal Deposit InsuranceCorporationABA–American Bar AssociationFEMA–Federal EmergencyManagement AgencyAPWG–Anti-Phishing Working GroupBBB–Better Business BureauBIN–Bank Identification NumberBJA–Bureau of Justice AssistanceBJS–Bureau of Justice StatisticsCCIPS–Computer Crime andIntellectual Property Section (DOJ)CCMSI–Credit Card Mail SecurityInitiativeFDI Act–Federal Deposit Insurance ActFERPA–Family and Educational Rightsand Privacy Act of 1974FFIEC–Federal Financial InstitutionsExamination CouncilFIMSI–Financial Industry Mail SecurityInitiativeFinCEN–Financial Crimes EnforcementNetwork (Department of Treasury)CFAA–Computer Fraud and Abuse ActFISMA–Federal Information SecurityManagement Act of 2002CFTC–Commodity Futures TradingCommissionFRB–Federal Reserve Board ofGovernorsCIO–Chief Information OfficerFSI–Financial Services, Inc.CIP–Customer Identification ProgramFTC–Federal Trade CommissionCIRFU–Cyber Initiative and ResourceFusion CenterFTC Act–Federal Trade CommissionActCMRA–Commercial Mail ReceivingAgencyGAO–Government AccountabilityOfficeCMS–Centers for Medicare andMedicaid Services (HHS)GLB Act–Gramm-Leach-Bliley ActCRA–Consumer reporting agencyCVV2–Card Verification Value 2DBFTF–Document and Benefit FraudTask ForceDHS–Department of Homeland SecurityDOJ–Department of JusticeDPPA–Drivers Privacy ProtectionAct of 1994HHS–Department of Health and HumanServicesHIPAA–Health Insurance Portabilityand Accountability Act of 1996IACP–International Association ofChiefs of PoliceIAFCI–International Association ofFinancial Crimes InvestigatorsIC3–Internet Crime Complaint CenterFACT Act–Fair and Accurate CreditTransactions Act of 2003ICE–U.S. Immigration and CustomsEnforcementFBI–Federal Bureau of InvestigationIRS–Internal Revenue ServiceFCD–Financial Crimes DatabaseIRS CI–IRS Criminal InvestigationDivisionFCRA–Fair Credit Reporting Act

GLOSSARY OF ACRONYMSIRTPA–Intelligence Reform andTerrorism Prevention Act of 2004PIN–Personal Identification NumberISI–Intelligence Sharing Initiative (U.S.Postal Inspection Service)PRC–Privacy Rights ClearinghouseISP–Internet service providerQRP–Questionable Refund Program(IRS CI)ISS LOB–Information Systems SecurityLine of BusinessRELEAF–Operation Retailers & LawEnforcement Against FraudITAC–Identity Theft Assistance CenterRISS–Regional Information SharingSystemsITCI–Information TechnologyCompliance InstituteITRC–Identity Theft Resource CenterRITNET–Regional Identity TheftNetworkMCC–Major Cities ChiefsRPP–Return Preparer Program (IRS CI)NAC–National Advocacy CenterSAR–Suspicious Activity ReportNASD–National Association ofSecurities Dealers, Inc.SBA–Small Business AdministrationNCFTA–National Cyber ForensicTraining AllianceSEC–Securities and ExchangeCommissionSMP–Senior Medicare PatrolNCHELP–National Council of HigherEducation Loan ProgramsSSA–Social Security AdministrationNCUA–National Credit UnionAdministrationSSN–Social Security numberSSL–Security Socket LayerNCVS–National Crime VictimizationSurveyTIGTA–Treasury Inspector General forTax AdministrationNDAA–National District AttorneysAssociationUNCC–United Nations CrimeCommissionNIH–National Institutes of HealthUSA PATRIOT Act–Uniting andStrengthening America by ProvidingAppropriate Tools Required to Interceptand Obstruct Terrorism Act of 2001(Pub. L. No. 107-56)NIST–National Institute of Standardsand TechnologyNYSE–New York Stock ExchangeOCC–Office of the Comptroller of theCurrencyOIG–Office of the Inspector GeneralOJP–Office of Justice Programs (DOJ)OMB–Office of Management andBudgetviPMA–President’s Management AgendaUSB–Universal Serial BusUS-CERT–United States ComputerEmergency Readiness TeamUSPIS–United States Postal InspectionServiceUSSS–United States Secret ServiceOPM–Office of Personnel ManagementVHA–Veterans Health AdministrationOTS–Office of Thrift SupervisionVOIP–Voice Over Internet ProtocolOVC–Office for Victims of Crime (DOJ)VPN–Virtual private networkPCI–Payment Card IndustryWEDI–Workgroup for Electronic DataInterchange

Identity Theft Task Force MembersAlberto R. Gonzales, ChairmanAttorney GeneralDeborah Platt Majoras, Co-ChairmanChairman, Federal Trade CommissionHenry M. PaulsonDepartment of TreasuryCarlos M. GutierrezDepartment of CommerceMichael O. LeavittDepartment of Health and Human ServicesR. James NicholsonDepartment of Veterans AffairsMichael ChertoffDepartment of Homeland SecurityRob PortmanOffice of Management and BudgetJohn E. PotterUnited States Postal ServiceBen S. BernankeFederal Reserve SystemLinda M. SpringerOffice of Personnel ManagementSheila C. BairFederal Deposit Insurance CorporationChristopher CoxSecurities and Exchange CommissionJoAnn JohnsonNational Credit Union AdministrationMichael J. AstrueSocial Security AdministrationJohn C. DuganOffice of the Comptroller of the CurrencyJohn M. ReichOffice of Thrift Supervisionvii

LETTER TO THE PRESIDENTAlberto R. Gonzales, ChairmanAttorney GeneralDeborah Platt Majoras, Co-ChairmanChairman, Federal Trade CommissionLetter to the PresidentApril 11, 2007The Honorable George W. BushPresident of the United StatesThe White HouseWashington, D.C.Dear Mr. President:By establishing the President’s Task Force on Identity Theft by ExecutiveOrder 13402 on May 10, 2006, you launched a new era in the fight againstidentity theft. As you recognized, identity theft exacts a heavy financial andemotional toll from its victims, and it severely burdens our economy. Youcalled for a coordinated approach among government agencies to vigorouslycombat this crime. Your charge to us was to craft a strategic plan aimingto make the federal government’s efforts more effective and efficient in theareas of identity theft awareness, prevention, detection, and prosecution. Tomeet that charge, we examined the tools law enforcement can use to prevent,investigate, and prosecute identity theft crimes; to recover the proceeds ofthese crimes; and to ensure just and effective punishment of identity thieves.We also surveyed current education efforts by government agencies andthe private sector on how individuals and corporate citizens can protectpersonal data. And because government must help reduce, rather thanexacerbate, incidents of identity theft, we worked with many federal agenciesto determine how the government can increase safeguards to better secure thepersonal data that it and private businesses hold. Like you, we spoke to manycitizens whose lives have been uprooted by identity theft, and heard theirsuggestions on ways to help consumers guard against this crime and lessen theburdens of their recovery. We conducted meetings, spoke with stakeholders,and invited public comment on key issues.viii

COMBATING IDENTITY THEFT A Strategic PlanThe views you expressed in the Executive Order are widely shared. Thereis a consensus that identity theft’s damage is widespread, that it targets alldemographic groups, that it harms both consumers and businesses, and thatits effects can range far beyond financial harm. We were pleased to learn thatmany federal departments and agencies, private businesses, and universitiesare trying to create a culture of security, although some have been faster thanothers to construct systems to protect personal information.There is no quick solution to this problem. But, we believe that a coordinatedstrategic plan can go a long way toward stemming the injuries caused byidentity theft and, we hope, putting identity thieves out of business. Taken asa whole, the recommendations that comprise this strategic plan are designedto strengthen the efforts of federal, state, and local law enforcement officers;to educate consumers and businesses on deterring, detecting, and defendingagainst identity theft; to assist law enforcement officers in apprehending andprosecuting identity thieves; and to increase the safeguards employed byfederal agencies and the private sector with respect to the personal data withwhich they are entrusted.Thank you for the privilege of serving on this Task Force. Our work isongoing, but we now have the honor, under the provisions of your ExecutiveOrder, of transmitting the report and recommendations of the President’sTask Force on Identity Theft.Very truly yours,Alberto R. Gonzales, ChairmanAttorney GeneralDeborah Platt Majoras, Co-ChairmanChairman, Federal Trade Commissionix

COMBATING IDENTITY THEFT A Strategic PlanI.Executive SummaryFrom Main Street to Wall Street, from the back porch to the front office, fromthe kitchen table to the conference room, Americans are talking about identitytheft. The reason: millions of Americans each year suffer the financial andemotional trauma it causes. This crime takes many forms, but it invariablyleaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.A. IntroductionEight years ago, Congress enacted the Identity Theft and AssumptionDeterrence Act,1 which created the federal crime of identity theft andcharged the Federal Trade Commission (FTC) with taking complaints fromidentity theft victims, sharing these complaints with federal, state, and locallaw enforcement, and providing the victims with information to help themrestore their good name. Since then, federal, state, and local agencies havetaken strong action to combat identity theft. The FTC has developed theIdentity Theft Data Clearinghouse into a vital resource for consumers andlaw enforcement agencies; the Department of Justice (DOJ) has prosecutedvigorously a wide range of identity theft schemes under the identity theftstatutes and other laws; the federal financial regulatory agencies2 haveadopted and enforced robust data security standards for entities under theirjurisdiction; Congress passed, and the Department of Homeland Securityissued draft regulations on, the REAL ID Act of 2005; and numerous otherfederal agencies, such as the Social Security Administration (SSA), haveeducated consumers on avoiding and recovering from identity theft. Manyprivate sector entities, too, have taken proactive and significant steps to protectdata from identity thieves, educate consumers about how to prevent identitytheft, assist law enforcement in apprehending identity thieves, and assistidentity theft victims who suffer losses.Over those same eight years, however, the problem of identity thefthas become more complex and challenging for the general public, thegovernment, and the private sector. Consumers, overwhelmed with weeklymedia reports of data breaches, feel vulnerable and uncertain of how toprotect their identities. At the same time, both the private and public sectorshave had to grapple with difficult, and costly, decisions about investmentsin safeguards and what more to do to protect the public. And, at every levelof government—from the largest cities with major police departments to thesmallest towns with one fraud detective—identity theft has placed increasinglypressing demands on law enforcement.Public comments helped the Task Force define the issues and challengesposed by identity theft and develop its strategic responses. To ensure that theTask Force heard from all stakeholders, it solicited comments from the public.

EXECUTIVE SUMMARYIn addition to consumer advocacy groups, law enforcement, business, andindustry, the Task Force also received comments from identity theft victimsthemselves.3 The victims wrote of the burdens and frustrations associatedwith their recovery from this crime. Their stories reaffirmed the need for thegovernment to act quickly to address this problem.The overwhelming majority of the comments received by the Task Forcestrongly affirmed the need for a fully coordinated approach to fighting theproblem through prevention, awareness, enforcement, training, and victimassistance. Consumers wrote to the Task Force exhorting the public andprivate sectors to do a better job of protecting their Social Security numbers(SSNs), and many of those who submitted comments discussed the challengesraised by the overuse of Social Security numbers as identifiers. Others,representing certain business sectors, pointed to the beneficial uses of SSNsin fraud detection. The Task Force was mindful of both considerations, andits recommendations seek to strike the appropriate balance in addressing SSNuse. Local law enforcement officers, regardless of where they work, wroteof the challenges of multi-jurisdictional investigations, and called for greatercoordination and resources to support the investigation and prosecution ofidentity thieves. Various business groups described the steps they have takento minimize the occurrence and impact of the crime, and many expressedsupport for risk-based, national data security and breach notificationrequirements.These communications from the public went a long way toward informingthe Task Force’s recommendation for a fully coordinated strategy. Only anapproach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engagesfederal, state, and local authorities will be successful in protecting citizens andprivate entities from the crime.B. The StrategyAlthough identity theft is defined in many different ways, it is, fundamentally,the misuse of another individual’s personal information to commit fraud.Identity theft has at least three stages in its “life cycle,” and it must be attackedat each of those stages:First, the identity thief attempts to acquire a victim’s personalinformation.Criminals must first gather personal information, either through low-techmethods—such as stealing mail or workplace records, or “dumpster diving”—or through complex and high-tech frauds, such as hacking and the useof malicious computer codes. The loss or theft of personal information byitself, however, does not immediately lead to identity theft. In some cases,thieves who steal personal items inadvertently steal personal information

COMBATING IDENTITY THEFT A Strategic Planthat is stored in or with the stolen personal items, yet never make use of thepersonal information. It has recently been reported that, during the past year,the personal records of nearly 73 million people have been lost or stolen, butthat there is no evidence of a surge in identity theft or financial fraud as aresult. Still, because any loss or theft of personal information is troubling andpotentially devastating for the persons involved, a strategy to keep consumerdata out of the hands of criminals is essential.Second, the thief attempts to misuse the information he has acquired.In this stage, criminals have acquired the victim’s personal information andnow attempt to sell the information or use it themselves. The misuse of stolenpersonal information can be classified in the following broad categories:Existing account fraud: This occurs when thieves obtain accountinformation involving credit, brokerage, banking, or utility accountsthat are already open. Existing account fraud is typically a less costly,but more prevalent, form of identity theft. For example, a stolen creditcard may lead to thousands of dollars in fraudulent charges, but thecard generally would not provide the thief with enough information toestablish a false identity. Moreover, most credit card companies, as amatter of policy, do not hold consumers liable for fraudulent charges,and federal law caps liability of victims of credit card theft at 50.New account fraud: Thieves use personal information, such as SocialSecurity numbers, birth dates, and home addresses, to open newaccounts in the victim’s name, make charges indiscriminately, and thendisappear. While this type of identity theft is less likely to occur, itimposes much greater costs and hardships on victims.In addition, identity thieves sometimes use stolen personal information toobtain government, medical, or other benefits to which the criminal is notentitled.Third, an identity thief has completed his crime and is enjoying thebenefits, while the victim is realizing the harm.At this point in the life cycle of the theft, victims are first learning of thecrime, often after being denied credit or employment, or being contacted by adebt collector seeking payment for a debt the victim did not incur.In light of the complexity of the problem at each of the stages of this lifecycle, the Identity Theft Task Force is recommending a plan that marshalsgovernment resources to crack down on the criminals who traffic in stolenidentities, strengthens efforts to protect the personal information of ournation’s citizens, helps law enforcement officials investigate and prosecuteidentity thieves, helps educate consumers and businesses about protectingthemselves, and increases the safeguards on personal data entrusted to federalagencies and private entities.

EXECUTIVE SUMMARYThe Plan focuses on improvements in four key areas:keeping sensitive consumer data out of the hands of identity thievesthrough better data security and more accessible education;making it more difficult for identity thieves who obtain consumer data touse it to steal identities;assisting the victims of identity theft in recovering from the crime; anddeterring identity theft by more aggressive prosecution and punishmentof those who commit the crime.In these four areas, the Task Force makes a number of recommendationssummarized in greater detail below. Among those recommendations are thefollowing broad policy changes:that federal agencies should reduce the unnecessary use of SocialSecurity numbers (SSNs), the most valuable commodity for an identitythief;that national standards should be established to require private sectorentities to safeguard the personal data they compile and maintain andto provide notice to consumers when a breach occurs that poses asignificant risk of identity theft;that federal agencies should implement a broad, sustained awarenesscampaign to educate consumers, the private sector, and the public sectoron deterring, detecting, and defending against identity theft; andthat a National Identity Theft Law Enforcement Center should becreated to allow law enforcement agencies to coordinate their effortsand information more efficiently, and investigate and prosecute identitythieves more effectively.The Task Force believes that all of the recommendations in this strategicplan—from these broad policy changes to the small steps—are necessary towage a more effective fight against identity theft and reduce its incidence anddamage. Some recommendations can be implemented relatively quickly;others will take time and the sustained cooperation of government entitiesand the private sector. Following are the recommendations of the President’sTask Force on Identity Theft:PREVENTION: Keeping Consumer Data Out of theHands of CriminalsIdentity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government,the business community, and consumers have roles to play in protecting data.

COMBATING IDENTITY THEFT A Strategic PlanData compromises can expose consumers to the threat of identity theft orrelated fraud, damage the reputation of the entity that experienced the breach,and carry financial costs for everyone involved. While “perfect security” doesnot exist, all entities that collect and maintain sensitive consumer informationmust take reasonable and appropriate steps to protect it.Data Security in Public SectorDecrease the Unnecessary Use of Social Security Numbers in thePublic Sector by Developing Alternative Strategies for IdentityManagement Survey current use of SSNs by federal government Issue guidance on appropriate use of SSNs Establish clearinghouse for “best” agency practices that minimizeuse of SSNs Work with state and local governments to review use of SSNsEducate Federal Agencies on How to Protect Data; Monitor TheirCompliance with Existing Guidance Develop concrete guidance and best practices Monitor agency compliance with data security guidance Protect portable storage and communications devicesEnsure Effective, Risk-Based Responses to Data Breaches Suffered byFederal Agencies Issue data breach guidance to agencies Publish a “routine use” allowing disclosure of information after abreach to those entities that can assist in responding to the breachData Security in Private SectorEstablish National Standards for Private Sector Data ProtectionRequirements and Breach Notice RequirementsDevelop Comprehensive Record on Private Sector Use of SocialSecurity NumbersBetter Educate the Private Sector on Safeguarding Data Hold regional seminars for businesses on safeguarding information Distribute improved guidance for private industryInitiate Investigations of Data Security Violations

EXECUTIVE SUMMARYInitiate a Multi-Year Public Awareness Campaign Develop national awareness campaign Enlist outreach partners Increase outreach to traditionally underserved communities Establish “Protect Your Identity” DaysDevelop Online Clearinghouse for Current Educational ResourcesPREVENTION: Making It Harder To MisuseConsumer DataBecause security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal.An identity thief who wants to open new accounts in a victim’s name mustbe able to (1) provide identifying information to allow the creditor or othergrantor of benefits to access information on which to base a decision abouteligibility; and (2) convince the creditor that he is the person he purports to be.Authentication includes determining a person’s identity at the beginning ofa relationship (sometimes called verification), and later ensuring that he isthe same person who was originally authenticated. But the process can fail:Identity documents can be falsified; the accuracy of the initial informationand the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factorauthentication or layered security—would go a long way toward preventingcriminals from profiting from identity theft.Hold Workshops on Authentication Engage academics, industry, entrepreneurs, and governmentexperts on developing and promoting better ways to authenticateidentity Issue report on workshop findingsDevelop a Comprehensive Record on Private Sector Use of SSNsVICTIM RECOVERY: Helping Consumers RepairTheir LivesIdentity theft can be committed despite a consumer’s best efforts at securinginformation. Consumers have a number of rights and resources available,but some surveys indicate that they are not as well-informed as they couldbe. Government agencies must work together to ensure that victims have theknowledge, tools, and assistance necessary to minimize the damage and beginthe recovery process.

COMBATING IDENTITY THEFT A Strategic PlanProvide Specialized Training About Victim Recovery to FirstResponders and Others Offering Direct Assistance to Identity TheftVictims Train law enforcement officers Provide educational materials for first responders that can be usedas a reference guide for identity theft victims Create and distribute an ID Theft Victim Statement of Rights Design nationwide training for victim assistance counselorsDevelop Avenues for Individualized Assistance to Identity TheftVictimsAmend Criminal Restitution Statutes to Ensure That Victims Recoverthe Value of Time Spent in Trying to Remediate the Harms SufferedAssess Whether to Implement a National System That Allows Victimsto Obtain an Identification Document for Authentication PurposesAssess Efficacy of Tools Available to Victims Conduct assessment of FACT Act remedies under FCRA Conduct assessment of state credit freeze lawsLAW ENFORCEMENT: Prosecuting and PunishingIdentity ThievesStrong criminal law enforcement is necessary to punish and deter identitythieves. The increasing sophistication of identity thieves in recent years hasmeant that law enforcement agencies at all levels of government have had toincrease the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents,and analysts with multiple skill sets. When a suspected theft involves a largenumber of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.Coordination and Information/Intelligence SharingEstablish a National Identity Theft Law Enforcement CenterDevelop and Promote the Use of a Universal Identity Theft

SSA–Social Security Administration SSL–Security Socket Layer SSN–Social Security number TIGTA–Treasury Inspector General for Tax Administration UNCC–United Nations Crime Commission USA PATRIOT Act–Uniting and Strengthening America by Providing Appropriate Tools Required to Int