mopdf.com

COMBATING IDENTITY THEFT A Strategic PlanThe views you expressed in the Executive Order are widely shared. Thereis a consensus that identity theft’s damage is widespread, that it targets alldemographic groups, that it harms both consumers and businesses, and thatits effects can range far beyond financial harm. We were pleased to learn thatmany federal departments and agencies, private businesses, and universitiesare trying to create a culture of security, although some have been faster thanothers to construct systems to protect personal information.There is no quick solution to this problem. But, we believe that a coordinatedstrategic plan can go a long way toward stemming the injuries caused byidentity theft and, we hope, putting identity thieves out of business. Taken asa whole, the recommendations that comprise this strategic plan are designedto strengthen the efforts of federal, state, and local law enforcement officers;to educate consumers and businesses on deterring, detecting, and defendingagainst identity theft; to assist law enforcement officers in apprehending andprosecuting identity thieves; and to increase the safeguards employed byfederal agencies and the private sector with respect to the personal data withwhich they are entrusted.Thank you for the privilege of serving on this Task Force. Our work isongoing, but we now have the honor, under the provisions of your ExecutiveOrder, of transmitting the report and recommendations of the President’sTask Force on Identity Theft.Very truly yours,Alberto R. Gonzales, ChairmanAttorney GeneralDeborah Platt Majoras, Co-ChairmanChairman, Federal Trade Commissionix

COMBATING IDENTITY THEFT A Strategic PlanI.Executive SummaryFrom Main Street to Wall Street, from the back porch to the front office, fromthe kitchen table to the conference room, Americans are talking about identitytheft. The reason: millions of Americans each year suffer the financial andemotional trauma it causes. This crime takes many forms, but it invariablyleaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.A. IntroductionEight years ago, Congress enacted the Identity Theft and AssumptionDeterrence Act,1 which created the federal crime of identity theft andcharged the Federal Trade Commission (FTC) with taking complaints fromidentity theft victims, sharing these complaints with federal, state, and locallaw enforcement, and providing the victims with information to help themrestore their good name. Since then, federal, state, and local agencies havetaken strong action to combat identity theft. The FTC has developed theIdentity Theft Data Clearinghouse into a vital resource for consumers andlaw enforcement agencies; the Department of Justice (DOJ) has prosecutedvigorously a wide range of identity theft schemes under the identity theftstatutes and other laws; the federal financial regulatory agencies2 haveadopted and enforced robust data security standards for entities under theirjurisdiction; Congress passed, and the Department of Homeland Securityissued draft regulations on, the REAL ID Act of 2005; and numerous otherfederal agencies, such as the Social Security Administration (SSA), haveeducated consumers on avoiding and recovering from identity theft. Manyprivate sector entities, too, have taken proactive and significant steps to protectdata from identity thieves, educate consumers about how to prevent identitytheft, assist law enforcement in apprehending identity thieves, and assistidentity theft victims who suffer losses.Over those same eight years, however, the problem of identity thefthas become more complex and challenging for the general public, thegovernment, and the private sector. Consumers, overwhelmed with weeklymedia reports of data breaches, feel vulnerable and uncertain of how toprotect their identities. At the same time, both the private and public sectorshave had to grapple with difficult, and costly, decisions about investmentsin safeguards and what more to do to protect the public. And, at every levelof government—from the largest cities with major police departments to thesmallest towns with one fraud detective—identity theft has placed increasinglypressing demands on law enforcement.Public comments helped the Task Force define the issues and challengesposed by identity theft and develop its strategic responses. To ensure that theTask Force heard from all stakeholders, it solicited comments from the public.

EXECUTIVE SUMMARYIn addition to consumer advocacy groups, law enforcement, business, andindustry, the Task Force also received comments from identity theft victimsthemselves.3 The victims wrote of the burdens and frustrations associatedwith their recovery from this crime. Their stories reaffirmed the need for thegovernment to act quickly to address this problem.The overwhelming majority of the comments received by the Task Forcestrongly affirmed the need for a fully coordinated approach to fighting theproblem through prevention, awareness, enforcement, training, and victimassistance. Consumers wrote to the Task Force exhorting the public andprivate sectors to do a better job of protecting their Social Security numbers(SSNs), and many of those who submitted comments discussed the challengesraised by the overuse of Social Security numbers as identifiers. Others,representing certain business sectors, pointed to the beneficial uses of SSNsin fraud detection. The Task Force was mindful of both considerations, andits recommendations seek to strike the appropriate balance in addressing SSNuse. Local law enforcement officers, regardless of where they work, wroteof the challenges of multi-jurisdictional investigations, and called for greatercoordination and resources to support the investigation and prosecution ofidentity thieves. Various business groups described the steps they have takento minimize the occurrence and impact of the crime, and many expressedsupport for risk-based, national data security and breach notificationrequirements.These communications from the public went a long way toward informingthe Task Force’s recommendation for a fully coordinated strategy. Only anapproach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engagesfederal, state, and local authorities will be successful in protecting citizens andprivate entities from the crime.B. The StrategyAlthough identity theft is defined in many different ways, it is, fundamentally,the misuse of another individual’s personal information to commit fraud.Identity theft has at least three stages in its “life cycle,” and it must be attackedat each of those stages:First, the identity thief attempts to acquire a victim’s personalinformation.Criminals must first gather personal information, either through low-techmethods—such as stealing mail or workplace records, or “dumpster diving”—or through complex and high-tech frauds, such as hacking and the useof malicious computer codes. The loss or theft of personal information byitself, however, does not immediately lead to identity theft. In some cases,thieves who steal personal items inadvertently steal personal information

COMBATING IDENTITY THEFT A Strategic Planthat is stored in or with the stolen personal items, yet never make use of thepersonal information. It has recently been reported that, during the past year,the personal records of nearly 73 million people have been lost or stolen, butthat there is no evidence of a surge in identity theft or financial fraud as aresult. Still, because any loss or theft of personal information is troubling andpotentially devastating for the persons involved, a strategy to keep consumerdata out of the hands of criminals is essential.Second, the thief attempts to misuse the information he has acquired.In this stage, criminals have acquired the victim’s personal information andnow attempt to sell the information or use it themselves. The misuse of stolenpersonal information can be classified in the following broad categories:Existing account fraud: This occurs when thieves obtain accountinformation involving credit, brokerage, banking, or utility accountsthat are already open. Existing account fraud is typically a less costly,but more prevalent, form of identity theft. For example, a stolen creditcard may lead to thousands of dollars in fraudulent charges, but thecard generally would not provide the thief with enough information toestablish a false identity. Moreover, most credit card companies, as amatter of policy, do not hold consumers liable for fraudulent charges,and federal law caps liability of victims of credit card theft at 50.New account fraud: Thieves use personal information, such as SocialSecurity numbers, birth dates, and home addresses, to open newaccounts in the victim’s name, make charges indiscriminately, and thendisappear. While this type of identity theft is less likely to occur, itimposes much greater costs and hardships on victims.In addition, identity thieves sometimes use stolen personal information toobtain government, medical, or other benefits to which the criminal is notentitled.Third, an identity thief has completed his crime and is enjoying thebenefits, while the victim is realizing the harm.At this point in the life cycle of the theft, victims are first learning of thecrime, often after being denied credit or employment, or being contacted by adebt collector seeking payment for a debt the victim did not incur.In light of the complexity of the problem at each of the stages of this lifecycle, the Identity Theft Task Force is recommending a plan that marshalsgovernment resources to crack down on the criminals who traffic in stolenidentities, strengthens efforts to protect the personal information of ournation’s citizens, helps law enforcement officials investigate and prosecuteidentity thieves, helps educate consumers and businesses about protectingthemselves, and increases the safeguards on personal data entrusted to federalagencies and private entities.

EXECUTIVE SUMMARYThe Plan focuses on improvements in four key areas:keeping sensitive consumer data out of the hands of identity thievesthrough better data security and more accessible education;making it more difficult for identity thieves who obtain consumer data touse it to steal identities;assisting the victims of identity theft in recovering from the crime; anddeterring identity theft by more aggressive prosecution and punishmentof those who commit the crime.In these four areas, the Task Force makes a number of recommendationssummarized in greater detail below. Among those recommendations are thefollowing broad policy changes:that federal agencies should reduce the unnecessary use of SocialSecurity numbers (SSNs), the most valuable commodity for an identitythief;that national standards should be established to require private sectorentities to safeguard the personal data they compile and maintain andto provide notice to consumers when a breach occurs that poses asignificant risk of identity theft;that federal agencies should implement a broad, sustained awarenesscampaign to educate consumers, the private sector, and the public sectoron deterring, detecting, and defending against identity theft; andthat a National Identity Theft Law Enforcement Center should becreated to allow law enforcement agencies to coordinate their effortsand information more efficiently, and investigate and prosecute identitythieves more effectively.The Task Force believes that all of the recommendations in this strategicplan—from these broad policy changes to the small steps—are necessary towage a more effective fight against identity theft and reduce its incidence anddamage. Some recommendations can be implemented relatively quickly;others will take time and the sustained cooperation of government entitiesand the private sector. Following are the recommendations of the President’sTask Force on Identity Theft:PREVENTION: Keeping Consumer Data Out of theHands of CriminalsIdentity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government,the business community, and consumers have roles to play in protecting data.

COMBATING IDENTITY THEFT A Strategic PlanData compromises can expose consumers to the threat of identity theft orrelated fraud, damage the reputation of the entity that experienced the breach,and carry financial costs for everyone involved. While “perfect security” doesnot exist, all entities that collect and maintain sensitive consumer informationmust take reasonable and appropriate steps to protect it.Data Security in Public SectorDecrease the Unnecessary Use of Social Security Numbers in thePublic Sector by Developing Alternative Strategies for IdentityManagement Survey current use of SSNs by federal government Issue guidance on appropriate use of SSNs Establish clearinghouse for “best” agency practices that minimizeuse of SSNs Work with state and local governments to review use of SSNsEducate Federal Agencies on How to Protect Data; Monitor TheirCompliance with Existing Guidance Develop concrete guidance and best practices Monitor agency compliance with data security guidance Protect portable storage and communications devicesEnsure Effective, Risk-Based Responses to Data Breaches Suffered byFederal Agencies Issue data breach guidance to agencies Publish a “routine use” allowing disclosure of information after abreach to those entities that can assist in responding to the breachData Security in Private SectorEstablish National Standards for Private Sector Data ProtectionRequirements and Breach Notice RequirementsDevelop Comprehensive Record on Private Sector Use of SocialSecurity NumbersBetter Educate the Private Sector on Safeguarding Data Hold regional seminars for businesses on safeguarding information Distribute improved guidance for private industryInitiate Investigations of Data Security Violations

EXECUTIVE SUMMARYInitiate a Multi-Year Public Awareness Campaign Develop national awareness campaign Enlist outreach partners Increase outreach to traditionally underserved communities Establish “Protect Your Identity” DaysDevelop Online Clearinghouse for Current Educational ResourcesPREVENTION: Making It Harder To MisuseConsumer DataBecause security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal.An identity thief who wants to open new accounts in a victim’s name mustbe able to (1) provide identifying information to allow the creditor or othergrantor of benefits to access information on which to base a decision abouteligibility; and (2) convince the creditor that he is the person he purports to be.Authentication includes determining a person’s identity at the beginning ofa relationship (sometimes called verification), and later ensuring that he isthe same person who was originally authenticated. But the process can fail:Identity documents can be falsified; the accuracy of the initial informationand the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses—for example, multi-factorauthentication or layered security—would go a long way toward preventingcriminals from profiting from identity theft.Hold Workshops on Authentication Engage academics, industry, entrepreneurs, and governmentexperts on developing and promoting better ways to authenticateidentity Issue report on workshop findingsDevelop a Comprehensive Record on Private Sector Use of SSNsVICTIM RECOVERY: Helping Consumers RepairTheir LivesIdentity theft can be committed despite a consumer’s best efforts at securinginformation. Consumers have a number of rights and resources available,but some surveys indicate that they are not as well-informed as they couldbe. Government agencies must work together to ensure that victims have theknowledge, tools, and assistance necessary to minimize the damage and beginthe recovery process.

COMBATING IDENTITY THEFT A Strategic PlanProvide Specialized Training About Victim Recovery to FirstResponders and Others Offering Direct Assistance to Identity TheftVictims Train law enforcement officers Provide educational materials for first responders that can be usedas a reference guide for identity theft victims Create and distribute an ID Theft Victim Statement of Rights Design nationwide training for victim assistance counselorsDevelop Avenues for Individualized Assistance to Identity TheftVictimsAmend Criminal Restitution Statutes to Ensure That Victims Recoverthe Value of Time Spent in Trying to Remediate the Harms SufferedAssess Whether to Implement a National System That Allows Victimsto Obtain an Identification Document for Authentication PurposesAssess Efficacy of Tools Available to Victims Conduct assessment of FACT Act remedies under FCRA Conduct assessment of state credit freeze lawsLAW ENFORCEMENT: Prosecuting and PunishingIdentity ThievesStrong criminal law enforcement is necessary to punish and deter identitythieves. The increasing sophistication of identity thieves in recent years hasmeant that law enforcement agencies at all levels of government have had toincrease the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents,and analysts with multiple skill sets. When a suspected theft involves a largenumber of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.Coordination and Information/Intelligence SharingEstablish a National Identity Theft Law Enforcement CenterDevelop and Promote the Use of a Universal Identity Theft

SSA–Social Security Administration SSL–Security Socket Layer SSN–Social Security number TIGTA–Treasury Inspector General for Tax Administration UNCC–United Nations Crime Commission USA PATRIOT Act–Uniting and Strengthening America by Providing Appropriate Tools Required to Int