Monday, December 29, 2008

Let's Pretend May 1st is Just Another Day in the Life of a Business.

Now you will never say you didn't know........

Businesses in the U.S. have until May 1st, 2009 to initiate an Identity Theft program.

With the enactment of the 2008 FACTA Red Flags Rule comes a responsibility for all businesses, non-profits, schools and universities, utilities, and local governments to,

  • Adopt a written identity theft policy that will address the responsibilities of employees who can have access to personally identifiable information (PII), and including a response plan in the event of PII breaches,
  • Provide ongoing awareness training for all affected staff.
    It is generally understood that the training of all staff is more effective and serves to further protect the employer from loss.
  • It also requires an oversight of the security practices of all service providers and 3rd party contractors who might have access to the non-public data you hold on clients, customers, and employees alike.

The Federal Trade Commission extended the original November 1st, 2008 deadline until May 1st to give businesses more time to implement their individual programs. The FTC has oversight of the Fair and Accurate Credit Transactions Act (FACTA). The extension was granted only to non-banking businesses.

Not to be confused with a privacy policy, this legislation requires an Identity Theft specific policy to be implemented and approved by ownership or a Board of Directors as company policy. After the May 1st date breach cases involving non-compliant organizations will result in increased fines, federal audits, and will allow more victims’ lawsuits to go forward. Neither a business’ sector nor its’ size is a factor regarding this legislation.

“Have in place and implement a breach response plan.. Ask every new employee to sign an agreement to follow your company's confidentiality and security standards for handling sensitive data... Create a culture of security by implementing a regular schedule of employee training. Make sure training includes employees at satellite offices, temporary help, and seasonal workers.
Before you outsource any of your business functions – payroll, web hosting, consumer call center operations, data processing or the like- investigate the company’s data security practices and compare their standards to yours.”
From the FTC publication, Protecting Personal Information, a guide for business.

With only 5 months remaining now is the time to get your identity theft program in place. No organization can afford the fallout from litigation, fines, and the loss of business resulting from a breach and subsequent identity theft episodes.
Happy New Year!

Tuesday, December 23, 2008

Former Cedars-Sinai employee held in identity theft, fraud

This was in today's' Los Angeles Times. Can anyone see the very obvious dichotomy in the Cedars Sinai response to the crime?

  1. Did anyone steal financial information from the hospital?
  2. Did anyone try to open new credit accounts with the information?
  3. Why then did the hospital ask the victims to monitor their credit reports?
  4. Where are insurance claims reported, credit bureaus? No they are reported to MIB group, a consortium of insurance companies, and CLUE, the Comprehensive Loss Underwriting Exchange database owned by ChoicePoint.

It is amazing how little people know about identity theft even now that it has become the number one "white collar" crime in the world. It takes my breath away when I see articles like this. You know when you watch a police drama and they cops are circling the criminal holed up in a building. "You go around back". The Detective says to the uniformed officer. "I'll go in front." They knew to protect both fronts, why don't businesses? What will these victims do while they are watching their credit reports and the thief has sold the medical info to a hundred people looking to file false insurance claims, or get health care they couldn't get otherwise? It is estimated that somewhere between 250,000 and 500,000 Americans are victimized by medical information theft each year.

Read on.....

Man is accused of taking the records of more than 1,000 patients and filing workers' compensation claims through a fictitious lab.

By Alexandra Zavis December 23, 2008 Los Angeles Times

More than 1,000 patients at Cedars-Sinai Medical Center had their personal information taken by a former employee in the hospital's billing department, according to hospital officials who said prosecutors allege that the man used the identities to steal from insurance companies.The hospital's chief financial officer warned affected patients in a letter sent last week that their information had been found during a search of the former employee's home. He urged them to monitor their credit reports and to notify the district attorney's office if they noticed anything unusual.
The allegations against James Allen Wilson, 44, of Los Angeles mark the latest in a series of privacy breaches at area hospitals, where staffers have been caught peeking at the files of celebrities as well as their co-workers and friends.In this case, hospital officials said Allen -- who last worked at Cedars-Sinai in March 2007 -- had legitimate access to the patients' records for billing purposes, but did not have permission to take identifying information home.
So far, investigators have alleged that the scheme netted Wilson at least $69,000, said Jane Robison, a spokeswoman for the Los Angeles County district attorney's office. But she said the investigation is continuing, and the scope and scale of the alleged theft could grow.
Wilson was arrested Nov. 6 by the Los Angeles County Sheriff's Department. He has pleaded not guilty to multiple felony charges, including identity theft, insurance fraud and grand theft. He remains in custody on $895,000 bail and is scheduled to be in court Jan. 22. Attempts to reach his attorney Monday were not successful.Hospitals' increasing reliance on computerized record-keeping has provided new avenues for identity theft and invasions of medical privacy. As recently as May, a Glendale man was convicted of using the names of hundreds of Los Angeles County and city employees to submit fraudulent claims for diagnostic services amounting to more than a quarter-million dollars. Cedars-Sinai officials said they are serious about their responsibility to protect patients' information."In this case, it appears the privacy breach was not the result of someone accessing information they should not have accessed, but instead the privacy breach involved an individual illegally using information that he had legitimate access to as part of his job," Chief Financial Officer Edward Prunchunas wrote in the letter that the hospital provided to The Times.Prunchunas assured the recipients that there was no immediate indication that their personal information had been used for anything other than fraudulent insurance claims. He said hospital officials had no knowledge of any illegal activity until alerted recently by prosecutors.
"We are deeply concerned and troubled about any privacy breach, and expect that you will feel similarly," Prunchunas said. "I would like to personally apologize for the fact that a former employee was apparently involved in this criminal activity." Wilson worked in Cedars-Sinai's workers' compensation accounts department from January 2003 and until March 2007, when he left the hospital for reasons unrelated to the case, Cedars-Sinai spokeswoman Elise Anderson said. She declined to elaborate, citing the hospital's obligation to protect employees' privacy.Because of the ongoing investigation, district attorney's officials refused to discuss details of the case against Wilson, including the affected insurance companies. According to the hospital's letter, prosecutors told the hospital that Wilson set up a fake laboratory company. He allegedly used the names of actual workers' compensation beneficiaries to submit claims for services that were never performed at the fictitious lab, the letter said. The insurers sent payments by check to a post office box that Wilson set up, the letter said.When investigators searched Wilson's home at the time of his arrest, they found the records of legitimate workers' compensation claims belonging to 1,005 patients, Anderson said. By Monday, few of those patients had responded to the hospital's letter. Those who contacted the hospital reported that they had suffered no personal financial losses, Anderson said.When a patient's medical records are compromised, it can hurt more than their wallets, experts warn. Victims of this kind of fraud face a greater risk of injury if doctors make treatment decisions based on incorrect information contained in their records. Many employers also demand access to medical records when making hiring, promotion or benefits decisions, according to the nonprofit Patient Privacy Rights Foundation.The wife of one man who received the letter said they felt doubly victimized, first by the injury on the job and now by the theft of his personal details. She and her husband asked not to be identified because they have both suffered work-related injuries and she is still in the process of seeking compensation for care.

“I never expected it," he said. "This is one of the best hospitals I have been treated at -- the doctors, the nurses, everybody -- and it's very sad that an employee would do something like this."Cedars-Sinai has faced previous problems with breaches of patient confidentiality. Hospital spokesman Richard Elbaum told The Times earlier this year that three or four workers are terminated annually for trying to peak at celebrity patients' records. There are also suspicions that someone at the hospital tipped the celebrity news website to a story on a medication error last year that nearly killed the infant twins of actor Dennis Quaid and his wife, Kimberly, although no one has been charged. Similar problems have surfaced at one of the hospital's major competitors, UCLA Medical Center, where at least 165 staff members have been disciplined for improperly accessing the files of more than 1,000 patients, including California First Lady Maria Shriver, actress Farrah Fawcett and singer Britney Spears.The allegations in the Wilson case, however, mark a different challenge because he was permitted access to the files as part of his job, Anderson said.Cedars-Sinai officials said that although they continually reevaluate security procedures, they plan to use the latest breach as another opportunity to review the way the hospital monitors the conduct of employees who have access to patients' information. The hospital already uses passwords, security cameras and audits to monitor who has accessed the files, among other methods. Even more security is in place in the case of high-profile patients, including limits on the employees who can view their records and real-time alerts to signal inappropriate access.If someone gets past those hurdles they will see an on-screen warning: "This patient record is restricted. All accesses are logged and audited. Inappropriate accesses are grounds for disciplinary action and/or dismissal."

Friday, December 19, 2008

Ask Yourself

I'll leave you with a question over the weekend. Can you guarantee that when your personal information is stolen and sold on any one of thousands of markets that thieves will be nice enough to only use it to open new credit accounts?

Our lives are literally controlled by two numbers, our Social Security number and our Drivers License number. When those two numbers are used by identity thieves records kept on you in any number of thousands of databases are corrupted. Once corrupted they are nearly impossible to correct, if you can find out which ones need correcting. Public records are then attached to your NCIC and credit reports driving down your FICO score. There goes your chance to get a raise, find a new job, get a loan, rent an apartment, and hundreds of other things that rely on your credit score and a clean record to determine your worthiness.

In the above scenario did anyone attempt to open a new credit account? Ladies and gentlemen, this is Identity Theft. Will a credit monitoring or credit freeze and alert service help you?

Unless something pressing happens in the next week I'm taking a few days off.

Tuesday, December 16, 2008

In my Opinion

Dear Reader,

This blog is a mix of facts, predictions, and yes, my opinions. I have never been accused of a lack of opinion. All of us have opinions but few of us have the temerity to state them. Going on record with your opinion will give away your real position and in a classic debate that could amount to capitulation, but in my blog I get to say what I feel.

Identity theft. That is the reason I began this column. I chose to approach the subject from the standpoint of the effects on business. But just as importantly, how a business should look at identity theft in my opinion, from a responsible and moral standpoint as well as a practical one.

When we are entrusted with something of value it should follow that we will do everything reasonable to protect it. If your next door neighbor asks you to look after his house, water the plants, bring in the mail, and feed the dog while he is away for a two week vacation, do you decide later on that only some of that matters? Is the dog not worthy of your attention, and maybe the neighbor won't mind if the plants die. Well, I hope you don't live next to me if you do. We all know the right position. If it matters to the neighbor we should have enough respect for him to pay equal attention to everything as though it was ours. That is the right thing to do. Now, if you go away would you then ask your neighbor to do the same for you? Of course. And you would expect him to be just as responsible as you were in protecting his home.

Can you see where this is headed? What is the difference between protecting your next door neighbors' assets and those of the people who work for you? Too many businesses think of identity theft in terms of protecting the intellectual property of the business. There is an entire legal industry surrounding IP (intellectual property). That is a subject for another day, and yes I have an opinion on that too.

While a company, or county, utility, university, etc. is caught up in covering it's rear end from computer fraud and data theft some hourly employee has posted all of the employees' Social Security numbers and home addresses in an email. Did that company take care of business? Absolutely not. Oh sure, they threw the IT Dept at it with a too small budget to install the data security program du jour around the servers, but have they trained the staff to never send sensitive and personally identifiable information in emails? Have they established a written policy delineating what constitutes sensitive information and making clear what the companies' procedures are to safeguard it? Not likely. A one hour staff training might have avoided that fateful email, or a host of other far too common errors in judgement that result in fines, audits, lawsuits, and even criminal prosecution. Can any business endure the public loss in confidence that will result from losing personal information? How about the sheer cost of litigation?

What if someone on staff experiences personal identity theft? Lets' say someone working in the county records office stole a few hundred records and among others they got one of your employees' personal information. Over the weekend they trundle down to the local flea market and sell their data loot for a couple of grand. The next week the buyers begin opening cell phone accounts, using the stolen SSN to obtain health insurance, employment, maybe a traffic ticket or two using your employees' ID. Has the company considered that the average identity theft victim spends an average of 15 work/weeks to clear up the fallout on their own? That's from from the FTC, who keeps track of such things. What does 15 work/weeks mostly during business hours away from the job look like to the company? What if ten of the employees are affected? How about twenty? Lets' see, what is twenty times 15 work/weeks?
Have you provided your employees with access to a serious identity theft program for themselves as a benefit? You see identity theft happens from all fronts. Don't forget what happens to your employees away from work can affect your business too. When you protect the personal information your company keeps you are protecting someone else, get it? When another company does it they are protecting you. But, hey that server is safe!
Have a great Holiday season, and do the right thing.

Monday, November 24, 2008

Enough is Enough

In today's' post my friends at Ephemeralaw reminded us once again about something that I am keen on. Every day there is at least one more data breach to report. It's like the sports scores two days after a weekend of games, just a bunch of numbers, but those numbers are staggering. There are no shortages of articles about the latest huge server breach, records stolen from personnel files, or about some knucklehead accidentally posting a thousand names and SSNs on the Internet, or dumping reams of data into the trash. Is there anyone left to shock? By now it is safe to say that just about everyone has heard of identity theft. I think also that we have established that identity theft is here to stay, and that for as long as non-public personal information has value to someone other than the rightful owner, it will be stolen and used.

Once the number of stolen records hit 300 million, which it did this year after just 3 short years of tracking such things, the numbers begin to have little meaning. Eight years ago someone stole my identity by opening multiple accounts in my name, and had a very good time at my expense. I really didn't care how many millions of records had been stolen, or from which database mine was stolen for that matter. All I wanted was a solution to my problem. Back when it happened to me there was little help available. The laws had not yet been passed that would have given me the tools to deal with it, and certainly the proliferation of identity theft products and services did not yet exist.

Here we are at the end of 2008. Great identity theft products do exist now. The federal and state laws in place not only afford the victim with recourse, but mainly they point out directly to the companies and other data aggregators that they are responsible for the information they are entrusted with.
Ladies and gentlemen, there are no excuses. The companies should know what to do by now. And I don't mean simply throwing software at it. That never did work. All the software in the world will not affect a culture of insecurity. You have to change the habits of the individuals who handle the data. Security is a top down policy effort and education is the key to changing the way information is treated. And every individual needs a quality identity theft service. If someone decides not to opt for a good effective service and becomes a victim of identity theft, shame on them. An identity theft program is not insurance. It is the most direct way to protect the integrity of all of your records in thousands of databases throughout the country.

Happy Thanksgiving!

Wednesday, November 19, 2008

Employee Data More Vulnerable Than Constituent Data

Nov 14, 2008, By Hilton Collins in Government Technology

Personal information about employees is more than twice as likely to be compromised in government security breaches than is constituent data, according to an online survey released by consulting firm PricewaterhouseCoopers (PwC). The survey also found that most governments don't keep accurate inventories of where their data is stored in their organization.
PwC, in partnership with CIO and CSO magazines, conducted the Global State of Information Security 2008 survey from March 25 to June 26, 2008. It included more than 7,000 CEOs, chief financial officers, CIOs, chief security officers and other high-level respondents from 119 countries via e-mail. Five hundred fifty-three came from the public sector, but PwC would not disclose how many came from U.S. government.
Forty-two percent of the public-sector respondents reported that employee data was more likely to be impacted by security breaches than constituent data. Only 19 percent reported otherwise.
"My sense is that businesses, first and foremost, place priority on protecting their business information, which is the lifeblood of their organization," said Jack Johnson, a partner in the Washington federal practice at PwC. Johnson has previously been the chief security officer for the U.S. Department of Homeland Security, a position he held from 2003 until 2005. He was appointed by then-Homeland Security Secretary Tom Ridge. "It's not because they don't place a level of importance on employee data, but I think their priority is focused on their business information."
In his experience, more security controls are usually placed around business data than around employee data, so it's possible the path to employee data may be the one of least resistance for malicious hackers.

Other data from public-sector respondents indicates:
• 65 percent reported that their organizations didn't have accurate inventories of where personal data was collected, transmitted and stored;
• 76 percent reported that they didn't keep an inventory of third parties who handle constituent data when data sharing occurred, and 47 percent had established security baselines for external parties when handling such data;
• 70 percent believed that their users complied with privacy and information security policies, but 50 percent didn't audit or monitor the compliance, and 46 percent required employees to complete training on privacy practices.
"The organization, first and foremost, needs to perform a risk assessment around this data to determine which data is considered sensitive, or, in some cases, personally identifiable information," Johnson said. Once sensitivity and importance of data is assessed, organizations can proceed more coherently with protection in mind.
The report recommends that organizations take the following security actions:
1. Prioritize data and information assets according to risk level continuously - 27 percent of respondents said they did, 40 percent said periodically and 31 percent not at all.
2. Extend privacy protections to employee data, not just constituent data.
3. Establish a "culture of compliance" to ensure that employees adhere to organizational security protocols.
4. Develop an incident response plan to determine how to handle data breaches when they occur - 53 percent of respondents said their security policies didn't address incident response.
The report also had some good news - governments have improved in their information security efforts from two years ago.
• 65 percent of respondents had an overall information security strategy versus 42 percent in 2006.
• 75 percent employed a chief information security officer or a chief security officer, versus 56 percent in 2006.
• 72 percent leveraged secure remote access (VPN) vs. 61 percent in 2006. In a VPN, or virtual private network, security measures like encryption ensure that only authorized users can access the network

Monday, November 17, 2008

Encrypted Data

I want to pass along a link to a story posted by fellow bloggers "Ephemaralaw."

The reason for this is to point out that data stored on servers should be encrypted going forward. This breach is a classic example of exactly why. By May 1st of next year every covered business, non-profit, school district, utility, college, and local government needs to have in place a policy to address data security and identity theft prevention and response. Within that written policy there needs to be language that effectively states "All sensitive information must be encrypted when it is stored in an electronic format." Since federal legislation leaves the door open by not mandating encryption it is incumbent on business to make encryption a standard practice.
It should be noted that new Massachusetts legislation requires all businesses to encrypt data stored on servers. Other states are sure to follow. The blog article points out also that HIPAA sees encryption as an addressable standard. There are rules for addressable standards that require risk management assessments. They then require reports showing why such steps were not taken.

What is regrettable in my opinion is that a lot of businesses seem to look at this as a chore and an expense, but encryption, along with other steps, will prevent data loss, identity theft and thereby offset risk from law suits. Isn't an estimated $48 Billion loss to business and individuals an expense? That is an FTC estimate of direct and indirect cost to American business from identity theft in 2007. In a time of economic crisis is the hemorrhaging of unnecessary expenses acceptable?

Aren't we supposed to be looking for ways to prevent identity theft? If so how are we going to stem the tide of data breaches and subsequent identity theft episodes if the business community ignores the obvious? A business must do everything that the resources of the business will allow. Is encryption such a chore that initiating an encryption program is not worth the effort? Consider the possible outcome from a data breach. The loss of one valued customer or a single law suit could be enough to shut down a small business, and would likely result in many times the cost of basic encryption procedures. Anyone who is following the stories of the Southern California wildfires can see what an out of control fire can do in a very few minutes. Data breach is no different. Besides a public loss in confidence the net effect of data breach is the out of control rampant growth of data theft and misuse. After all, it isn't someone elses' information at stake. It is ours, yours and mine.


Wednesday, October 22, 2008

FTC Announces a Forbearance of the Red Flags Enforcement

Red Flags Rule Compliance Deadline Extended to
May 1, 2009

FTC Grants Six-Month Delay of Enforcement of 'Red Flags' Rule Requiring Creditors and Financial Institutions to Have Identity Theft Prevention Programs

The Federal Trade Commission will suspend enforcement of the new "Red Flags Rule" until May 1, 2009, to give creditors and financial institutions additional time in which to develop and implement written identity theft prevention programs.
NOTE: Today's announcement and the release of an Enforcement Policy Statement do not affect other federal agencies' enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance.Read the announcement:

This applies to all entities with oversight from the FTC only. All financial institutions with oversight from the federal banking and financial regulatory authorities still must be compliant by November 1st of 2008.

The FTC currently estimates that approximately 11 million entities from private business to municipalities, schools and universities, and non-profits are considered to have covered accounts and need to address the "red Flags" and initiate compliance steps relevant to each organization.

Tuesday, October 7, 2008

Shell fingers IT contractor in theft of employee data

I want to remind everyone that believes a credit monitoring service will solve their identity theft issues that they are sadly misinformed. The net result of all of the identity theft TV and radio advertising is to completely confuse the public for the sake of a profit. Sound familiar? If someone misappropriates your bank account, and you report the crime within 30 days of your account statement being mailed to you, your bank will work with you and likely absorb any losses as theirs. When someone files false insurance claims in your name your Casualty and Loss database (CLUE) is altered and you may never get insurance or perhaps a job, again. Without professionals to help you with the real identity theft issues you are fighting a very difficult uphill battle filled with legal pitfalls and a complex network of red tape.

Oil company says outside IT worker used info from database to file fake unemployment claims
Robert McMillan Computerworld
October 6, 2008
(IDG News Service) Shell Oil Co. is warning its employees that an IT contractor used the personal data of four Shell workers as part of an unemployment insurance claims scam in Texas.
Shell Oil, the U.S. subsidiary of Royal Dutch Shell PLC, began notifying employees of the
data breach on Friday, via a written notice that was posted on the Houston-based company's Web site.
Shell spokeswoman
Robin Lebovitz said company officials noticed early last month that someone had used Shell employee data to file fake unemployment compensation claims with the Texas Workforce Commission (TWC). After investigating, Shell determined that an employee of a third-party contractor had misused information stored in a corporate database, Lebovitz said.
The database
includes records for a majority of current and former Shell employees in the U.S., according to Lebovitz. The notice about the breach indicated that the misused data included names, dates of birth, Social Security numbers and some financial information.
The suspected scammer filed four false claims, Lebovitz said, adding that Shell has yet to uncover any evidence that other information from the database was compromised as part of the alleged claims scheme.
Shell didn't identify the company that employed the suspect, saying only that it had been hired to work on a data indexing project involving the database. The notice to employees said that after the fraudulent claims were discovered, Shell escorted the suspect from its premises and terminated its contract with the IT company.
The alleged crime continues to be investigated by Shell, the Houston police and the TWC, Lebovitz said

Monday, October 6, 2008

New Federal Law Targets ID Theft, Cybercrime

By Brian Krebs October 1, 2008 Washington Post

"President Bush last week signed into law a bill that seeks to make it easier for prosecutors to go after cybercrooks, while ensuring that identity theft victims are compensated for their time and trouble when convicted identity thieves are forced to cough up ill-gotten gains.

The Identity Theft Enforcement and Restitution Act of 2008 lowers the bar prosecutors need to clear before bringing hacking and other cybercrime charges against an individual. Under current federal cybercrime laws, prosecutors must show that the illegal activity caused at least $5,000 in damages before they can bring charges for unauthorized access to a computer. The new law eliminates that requirement. "

Provided of course that the thief is caught and brought to justice. With less than 5% of identity thieves being nabbed this law will only help a small minority of the victims. It is a step in the right direction however.

Just as important as this new law is, actually another portion of the article really caught my eye.

"Some ID theft victims can spend thousands of dollars and months or years dealing with credit bureaus and debtors from accounts fraudulently opened in their names, but the law doesn't appear to take into account lost opportunities associated with identity theft. According to the Federal Trade Commission, some consumers victimized by identity theft may lose out on job opportunities or be denied loans for education, housing or cars because of negative information on their credit reports. In rare cases, they may even be arrested for crimes they did not commit.

It is just as important to understand that victims of identity theft are faced with the massive task of fighting nearly overwhelming obstacles in clearing up identity theft episodes. The banking system has certain measures in place to deal with fraud on bank and credit accounts. Once you leave the banking realm however, the bureaucracy of databases and information repositories can prevent a maze of challenges to clearing up false entries and records inaccuracies.

Wednesday, October 1, 2008

October 1st 2008

On January 1st 2008 the federal financial institution regulatory agencies and the Federal Trade Commission have sent to the Federal Register for publication final rules on identity theft “red flags” and address discrepancies. The final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003.

“The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program”. Institute of Fraud Risk Management report. January, 2008

There has been a good deal of conversation about what is a covered account, financial institution, and consumer account as defined by the federal authorities. The link above leads to the actual “Final Rules”. As it is currently understood and without quoting the legislation a financial institution or creditor is defined as;

  • A bank, savings institution, or personal account lender of any type.
  • Also a real estate agency, mortgage broker, auto dealership, financial planner, investment broker, or any business that sets up, initiates, or maintains a payment account of any kind with an individual for personal or household purposes.
  • Any utility company that establishes an individual payment account with its’ customers.
  • Any municipality or county that provides utilities or services and arranges for regular payment from the users of the services provided.
  • Any business that extends ongoing credit or arranges for payment accounts for its’ customers or clients. Single payments or intermittent payment arrangements do not qualify as covered accounts.

As the rules went into effect as of January 1st of 2008 all covered entities have until November 1st 2008 to initiate such a breach response and prevention plan.

Compliance is a process, and the intention of these rules is to put procedures in place that will stem the tide of identity theft. Identity theft currently costs American business over $48 billion each year directly or indirectly. It is in the interest of every business entity to address this runaway cost and the risk of litigation and fines. While not all businesses are considered to be covered under the “rules”, all business should adopt the practices and procedures.
With only 30 days to go until compliance, every business and governmental entity in the U.S. whether subject to this legislation or not, should take stock of the risk they are willing to take on this issue. I see a good deal of apathy about this from people who have not yet become victims of identity theft. When a business owner or officer takes an apathetic position they are not just gambling with their own identity issues but those of their employees, customers, vendors, constituents, etc. They are also taking a huge risk for the business. Fines and lawsuits resulting from data breaches without a breach response and identity theft prevention plan can devastate a business both financially and from a public relations perspective. Add to that, federal audits and for retailers the loss of credit card processing accounts, and you have an untenable position that can be entirely avoided with a small investment in time. While we cannot entirely eliminate identity theft we can mitigate the risk with a few simple steps.

Friday, September 26, 2008

Applications and Identity Theft

In my business I spend a great deal of time orienting employees on the realities of identity theft. It's a critical step in reducing incidents of data loss and theft from businesses. I’m not talking about trade secrets but rather employee personal data and that of company customers or clients.

Major companies involved in the architecture and implementation of web applications are proposing new Internet protocol rules and passkey requirements for data access. In the web 2.0 world of cloud computing these are very important issues, and absolutely need to be addressed. Data collection becomes more ubiquitous for a variety of reasons and the trade off between our individual rights to privacy and the public right to know is under an increased scrutiny.

Beneath the radar of public discussion however, thousands of lists and databases containing yours and my personal information are ripe for the picking.
Below is an excerpt from an article in today’s New York Times.

September 25, 2008
The Fix
Applications and Identity Theft
JAY ROMANO New York Times
“CO-OP boards, condo boards and even landlords routinely ask applicants for personal data like Social Security numbers, exactly the kind of information that is used in identity theft.
According to lawyers and managing agents for co-ops, condos and rental buildings, applicants are becoming skittish about providing sensitive information. More than 14 million Americans reported being victims of identity theft in the 12 months before August 2007, according to Avivah Litan, a security analyst for the research firm Gartner.
While there is no indication that widespread theft of information has resulted from co-op and condo filings, Habitat magazine, a New York publication covering co-ops and condos, has published two articles in the last year or so dealing with identity theft.
The magazine interviewed two prospective apartment purchasers who believed that carelessness by board members led to the release of sensitive information that was used by thieves to open accounts in their names. One building worker acknowledged that he found 10 years of application packages in a board member’s trash.”

This is a classic example of the sort of database that is overlooked. Smaller local databases are extremely vulnerable to theft and loss mainly due to a lack of understanding of proper procedures and the real risks from loss. What the prevailing wisdom tends to ignore are these thousands of lists and databases that already exist with our personal information.
When someone is victimized by an identity thief in Eastern Europe who has bought his or her information for $25 in bulk and resold it to someone else who files a phony medical insurance claim, or a crack addict who sells it to someone with a criminal record who obtains employment using a stolen SSN, do you think they care which database was the source of the theft? The victim is stuck with the fallout that statistically takes from 3 to 5 years to clear up, and even then often resurfaces at a later time.

The public is essentially unaware of what identity theft is, and business has almost no clue as to their legal and moral obligation to protect and properly store and dispose of sensitive personal information. What happens for example to information kept in your dentists’ office, or your insurance agent? What are their protection and disposal procedures? How about your town and county records? Schools? American business is losing about $50B, that’s billion, in direct and indirect costs each year due to identity theft. When large databases are hacked like the Veterans’ Administration for 26.5 million records, or TJX for somewhere between 41 and 91 million records, UCLA for 800,000 records, etc, it makes the news. Complaints pile up at state and federal legislators’ mailboxes. An upward spiraling argument always follows every large breach with people demanding new laws which when enacted are ineffective in stemming the theft and sale of personal information. As long as the data has value it will continue to be a commodity for sale.

Getting back to my employee group trainings I always ask the group what they think of when they hear the terms data theft and identity theft. Almost invariably the answers are centered on credit reports, bank account and credit card misuse. While that is a significant portion of the identity theft reported to the FTC, the overwhelming majority of cases reported (70%) do not involve finances at all. Only through public awareness can the crimes of identity theft be squelched. The groups we speak with are more aware and proactive both with their own personal information and with the information they handle at work. We are all responsible for each other’s data. Creating better habits of safekeeping it will establish the “culture of security” we all seek.

Tuesday, September 23, 2008

FTC requires towns to add identity theft programs

The article was recently run in a small North Carolina newspaper. I've gone on record on the subject of identity theft policy and training more times than I can count. With all the flap about Internet privacy, discussion forums, and a lot of heady talk about personal privacy, the identity theft victims are all but forgotten. Here is an excerpt from the article by Sarah Jane Rosser.

September 15, 2008
" The Federal Trade Commission (FTC) has issued new requirements for municipalities on the adoption of identity theft programs.A release was distributed to all municipalities by the North Carolina League of Municipalities (NCLM) on Sept. 4, asking all managers, administrators, clerks, attorneys and finance officers to have written procedures in place to help protect consumer identity and fight theft of customer account information.The release stated that all municipalities with utility accounts must participate. According to the Tennessee Valley Public Power Association (TVPPA), utilities rank No. 3 as a place for identity thieves to gain information. Credit cards companies and cell phone companies are the top two.The objective of the program is to identify, detect and respond to red flags, meaning a pattern or practice of specific activity that indicates the possible existence of identity theft.Examples included in the memo were events such as the receipt of warnings from consumer reporting agencies, the presentation to the creditor of suspicious documents, the presentation to a creditor of suspicious personal identifying information and the unusual use of a covered account."

The public, that's' you and me, need to learn as much about what identity theft is, (the reality not the stuff you are fed on TV), and what we can do to prevent being a victim and minimize our risk. Education is the single most important part. That is why training on the job is critical. People who have access to personal information either as part of their job, or in the event sensitive info falls into their laps accidentally, need to know how to handle it and make certain it doesn't get lost or end up in the wrong hands.

The FTC is listening to the professionals and making policy suggestions that are extremely important for all business to follow. There is a great booklet "Protecting Personal Information, a guide for business" available at .
Everything any business entity needs to know about setting up a training and breach response plan is in the booklet. As the result of the adoption of the Red Flag Rules, sec.114 of FACTA, the entire retail banking and savings industry is compelled to comply with these practices. If local government and private industry continue to resist these steps a similar law will soon make it mandatory for all employers as is suggested in the article here.

Business has a choice, a voluntary plan to reduce risk and put training and policy in place, or a law forcing these and other steps with stiff penalties for non-compliance. As I wrote in a previous column compliance is a process. While it isn't mandatory for all, it is a matter of choosing the right course of action. Every entity that maintains personal information has an obligation and moral responsibility to protect that information from loss or theft. And when the data is no longer needed, to dispose of it responsibly. Remember, it isn't someone elses' information at stake it is yours and mine.

Tuesday, September 16, 2008

Microsoft Seeks End To Identity Theft

I couldn't have thought this up on my own. And thanks to Microsoft and Mr. Claburn, the author of the article, my point has been driven home with no effort on my part. That point being of course that they couldn't care less about your identity theft issues, and furthermore if they actually believe this stuff then they also don't know anything about identity theft. Read this. Honestly I'm not making it up.
This was in yesterdays' InformationWeek magazine.

Microsoft is calling for the adoption of an Information Card system that provides end users with direct control of their digital identities.
By Thomas Claburn,
InformationWeek Sept. 15, 2008

"In a bid to curtail online identity-theft fraud and to broaden adoption of its digital identity system, Microsoft is urging individuals, companies, and governments to work together to implement technology, initiatives, and policy that support the secure management of online identities.
a white paper to be released on Monday, Microsoft calls for the adoption of an Information Card system that uses an interoperable vendor-neutral framework for identity management and provides end users with direct control of their digital identities.
"Personal information is becoming the new currency of crime," said Brendon Lynch, director of
privacy strategy for Microsoft's Trustworthy Computing Group. "We need to look at the root causes of identity theft and see what we can do to change the game."
Key to this vision is the
Information Card Foundation (ICF), an industry group that includes Equifax, Google, Deutsche Telecom, Intel, Microsoft, Novell, Oracle, and PayPal. The ICF, which debuted in June, aims to promote the adoption of Information Cards, a form of digital identification designed for secure, real-time e-commerce transactions. Information Cards bring a third-party ID provider into two-party transactions. This allows authentication to be done without the transmission of user names and passwords, and it allows the ID provider to present only the necessary personal information.
The group's goal is to develop open, trusted, vendor-neutral identity
infrastructure for the Internet. "Information Cards are designed to prevent data that is shared in one context from being reused in a different context," the paper explains. "This is accomplished through creating a unique set of keys for each combination of Information Card and relaying party." Microsoft already has already implemented its version of Information Cards, CardSpace, in its Windows Vista operating system. CardSpace can also be downloaded for Windows XP. Lynch estimates that there are already about 200 million CardSpace clients installed ."

Does anyone need any more proof that the corporations responsible for safekeeping your personal information are so not interested in your identity theft issues? This consortium of companies has found yet another way to create a product to trade in identity theft without ever addressing the issue of identity theft itself.

While it is important to look at the future of database security one cannot ignore the existing tens of thousands of such bases that are vulnerable to theft and misuse. One cannot ignore the current and potential victims of identity theft resulting from theft from these existing databases.

Making a broad statement like "Microsoft Seeks To End Identity Theft" is a bit over the top. Microsoft cannot end identity theft. When we see that a lawyer in Texas has tossed into a dumpster dozens of bankers boxes containing hundreds of files of personal client information, reading about Microsofts' latest security product loses something in the reading. It is up to the public to protect itself from the ravages of identity theft.

Friday, September 12, 2008

Personal Point of View

The world of professional and academic privacy specialists and practitioners is populated by persons much more qualified than I. During the last three and a half years I have read and met some remarkable people that I hold in the highest regard. I've learned a great deal from each of them as they have helped to shape my position and opinions about data safety and the trade-off between public access and personal protection. As we move into a new paradigm of computing, the so-called Web 2.0 new ideas about privacy are emerging. Some great ideas including single internet log on IDs, and anonymous IP addresses are being seriously considered. These are good proposals for the future of the online "Uber Databases" that Google and other companies are proposing to establish. The problem is that this doesn't begin to touch the problem of identity theft.

The opinions in this column are just that, my opinions. As my work takes me into the field of speaking with employee groups I see what most people perceive as identity theft based on the information they get mostly from the media. The perspective I have come away with stems largely from what I learn from the experts, but also from what I see and hear in those employee meetings. You see identity theft is a personal crime with individual victims. In preparing to speak with these groups my research often involves a lot of statistics. There are huge losses to business ranging in the billions of dollars each year, staggering figures of information loss & theft in the hundreds of millions of records, and the millions of cases of victims and their nightmarish experiences. I don't think I have met anyone in the past three years or so that doesn't know about identity theft or has a personal story about it. I am also a victim of identity theft.

One thing I have observed since I began my interest in identity theft. The companies and organizations that are entrusted to safeguard the data they have simply do not care about the persons who could become victims. I can say with certainty that almost without exception this is true. There is a mentality of separation where a company takes it for granted that the "victims" are someone else, nameless and anonymous. Company officers don't think in terms of themselves being victims or their families or employees. It is always in the abstract. The businesses that are involved in privacy and who market "solutions" for data loss are only concerned with the bottom line of the company, its' corporate data, and the public image of the business. No one seems to be interested in talking about the thousands of places where existing data lists are ripe for the taking. As I have tried to point out in previous columns the information is in lots of places, not just in big repositories. Doctors offices, personnel files, accountancys, points of sale, county records are examples of the smaller and much easier to steal records. I have not met among the professional privacy community one single person whose primary concern is with the crime of identity theft. Businesses are engaged in protecting themselves and some make money by providing protection services for other companies, but not tackling the question of identity theft. I also have never met any individual identity theft victim who really cared which database was the source of their identity theft.

Nearly every U.S. state has enacted breach reporting laws designed in part to notify potential victims that their information may have been compromised. In the vast majority of data breach cases the potential victims are not notified due to loopholes in the statutes, and when they are notified the letters are often misleading, promising that no real danger exists but to check their bank statements anyway. On occasion they will offer simple credit monitoring, again misleading the public that monitoring alone is a safeguard.

Laws will not prevent identity theft any more than any other crime. Federal legislation and now state legislation have completely failed to stem the tide, and most predictions are for a sharp upswing in identity theft activity. The solution can only be found in arming the public with the correct information about the crimes we call identity theft and giving each one the tools to protect themselves. There cannot be any other solution. As long as there is value in the data thieves will continue to steal it, sell it, and profit from it.

Tuesday, September 2, 2008

Why Train Employees?

Below is an article I came across today. If any employer wants a good reason the train staff on identity theft, read this. Privacy professionals across the board agree that staff training should be mandatory for every company regardless of compliance mandates. This illustrates the point very well.

September 02, 2008
Mandatory Training, Fines for ID Theft Exposure
In the wake of identity theft scandals, two Texas employers, a health care provider and a retailer, have now entered agreements with Texas Attorney General Greg Abbott which require them to undertake mandatory employee training annually for the next 5 years.
Employees of Radio Shack and Select Medical Texas L.P. will learn about identity theft, its costs to patients/customers, and the importance of complying with new document disposal procedures, which were implemented as part of the agreements. To further ensure compliance with the new procedures, the two employers must post, at each of their locations, signs describing the record storage and disposal requirements and maintain certification records showing each employee's compliance with the training requirements. Additionally, Radio Shack has also agreed to conduct unannounced compliance audits at all of its Texas stores at least twice a year.
Select Medical came to the attorney general's attention after the Levelland Police Department reported that more than 4,000 documents containing customers' sensitive information were found in garbage containers behind the Levelland office of Select Physical Therapy Texas Limited Partnership. The state's enforcement action against Radio Shack began when state investigators learned that the retailer's Portland location exposed thousands of customers' personal identifying information by dumping sensitive records into a publicly accessible trash can.
Abbott's office prosecuted the two employers under the state's Identity Theft Enforcement and Protection Act. As a result of the prosecution, in addition to the mandatory training, Select Medical agreed to pay the state $990,000 and Radio Shack, $630,000. After the deduction of attorney's fees, the remaining sums will be appropriated for the investigation and prosecution of future identity theft cases.

Training is the single most basic and effective step any organization can take to stem the loss or theft of sensitive materials. Had these two employers initiated pro-active employee identity theft training these cases resulting in over $1.5 million in fines might have been avoided.

Friday, August 29, 2008

"Because the computer said so."

In the last couple of posts I made reference to the Data-Based You graphic on this blog. This wasn't my invention but rather a friend and colleague, Mr. john Gardner, a trial lawyer and author from South Carolina. John has an uncanny ability to grasp the big picture often when a lot of us are struggling with the information in front of us.

In the Data-Based You John shows by way of a simple graphic that the world sees all of us as a series of reports and scores. No matter how we dress, change our hair color, try to distinguish ourselves in any number of ways, we are judged, thats' right judged by our data when we deal with the world at large.

  • Want a loan? Credit history.
  • Rent an apartment? Credit score.
  • Get on an airplane? TSA checks your drivers' license against federal watchlists and for warrants.
  • Open a new bank account or purchase a car? Credit reports, SSA, IRS. Your records are compared to those and other databases for inconsistancies.
  • Get some health insurance? MIB, doctor health records.
  • Home, income loss, medical, or auto insurance claims? C.L.U.E. MIB, etc.
  • Want a new job? How about the credit bureaus, your credit score, social networking sites, college records, criminal records, and more. You say you don't have a criminal record? Prove it.

    That's just a sketch. The reality is that no matter what we do our records are checked to verify and to validate what we say and claim to be. We all rely on the record keepers to not let the information they have fall into the wrong hands. Let someone get hold of your info and commit crimes. They give your identifying info to the police and your records are altered. If you think it is easy to correct that, I hope you're sitting down. Often it takes 5 to 10 years to correct criminal record mistakes, sometimes never. What does the victim do in the meantime? Getting or maintaining a good job is not going to be easy. There are literally thousands of cases where wrongful criminal activity is tied to completely innocent people who were victims of identity theft. When the computer says you're guilty try explaining that to authorities. You can't limit a discussion on identity theft to illegal credit card use and credit reports. When personal records are altered by identity theft it can actually require an act of Congress to correct them. Refer to the bottom of this blog page for the Data-Based You graphic.

    The Data-Based You shows us a window into how we are percieved, real or not.

Thursday, August 28, 2008

More data breaches so far than in all '07

Wednesday, August 27, 2008 (SF Chronicle)
article by; Brian Krebs, Washington Post

In a previous post titled "Where does all that stolen information come from?" I wrote that data breaches are on the rise. In spite of the federal regulations and state laws enacted over the last 5 years data breach is on a steep rise. And it should be no surprize that the reported cases of identity theft in all its many forms is also increasing.

According to the article, More data breaches so far than in all '07 "The Identity Theft Resource Center of San Diego found that 449 U.S. businesses, government agencies and universities have reported a loss or theft of consumer data this year. Last year, the center tallied 446 breaches involving 127 million consumer records. About 90 million of those records were attributed to a single retail chain, TJX, which operates T.J. Maxx, Marshalls and HomeGoods stores.

It is unclear how accurate a gauge these numbers are "Officials said they do not know whether there have been more breaches this year or there is better reporting of the incidents.

What is not in dispute is the inescapable fact that the frequency of these events has been increasing for the past several years.

Again, back to the article "So far this year, at least 22 million consumer records have been the
target of data breaches, according to the report. But resource center founder Linda Foley cautioned that the true number of records affected is probably far higher, noting that in 41 percent of the cases, the number of consumer records affected was not disclosed. What's more, Foley said, many businesses are not reporting data breaches or are not aware of them.
In addition, she said, a single breach report often involves data belonging to multiple businesses."

In order for me to make my case for lowering data value it is important to establish certain facts.
So far we have established that;

  • Every statistic and bit of information about us is in databases.
  • Wherever data is held there is a significant risk of loss or theft that can and often does result in identity theft.
  • There are over 10 million domestic victims of identity theft per year.
  • Identity theft complaints that relate to our credit card and banking accounts comprise only about 30% of all identity theft cases. The other 70% involves our Social Security, drivers license, medical, criminal, and other records.
  • In everything we do from seeking employment, loans, insurance, renting or buying a home, our very freedom, etc., our database information plays a huge role in determining the outcome. Often we are seen by others as a sum of our reports and records.
  • The incidents of data theft are increasing steadily each year, with no end in sight.

Wednesday, August 20, 2008

Chapter Two, data use

In my last post I attempted to point out some of the sources of data that identity thieves can use to gain access to personal and sensitive information. As I mentioned in closing there are as many sources for stolen data as there are sources of data. Now I would like to take a moment to sketch out some of the things they do with it after they get it.

Sadly, another form of identity theft is at home, or more specifically by family members. Family passions can run high sometimes and retribution can take many forms. One of those forms is stealing personal information of someone in the family and using it as a weapon to cash in on their bank accounts, medical insurance, or to commit criminal acts. This is happening at an alarming rate, and often goes unreported since people are usually reluctant to prosecute family members. Once again, for as long as the data has value it will be stolen for a number of reasons. Now, on to the subject of this column.

In contrast to all the overwhelming statistics on the subject the majority still believes that this is a financial crime and that somehow identity theft is inextricably tied to their credit report. Although this is not true it is a good place to start.

Often thieves are a local ring, petty opportunists, and increasingly drug users who need a constant supply of cash. They figure that they can get away with raiding a victims' bank accounts and credit accounts rapidly and moving on to other victims before they are caught. Far less than 10% of them are ever caught making it a pretty safe bet that they will get away with it. About half of those criminals also use the information they steal to perpetrate other acts such as filing false insurance claims for example, or receiving medical treatments using the victim's insurance information. As to the financial side of this type of theft you can see just how important it is to look closely at bank statements immediately and to report anything that looks out of place or unknown charges to the bank or credit card companies. Consumer protections in place can limit your liability.

There are approximately 10 million victims of identity theft in this country each year and according to FTC complaint records less then 30% of them are related to banking or credit issues. The vast majority relate to all the other forms of illegal data use I mentioned previously.
This brings me to the ubiquitous international crime rings that work in various ways to traffic in data theft and resale. Most often they are not the end users but mostly broker data for profit. The end users run the gamut from immigrants to terrorists and scam artists. Once your information is in their hands it is sold and resold and re aggregated so that your social security number might be used by hundreds of immigrants while your drivers license might be forged by 20 different criminals. There can be an exponential spread of your information that once it is out there and used, will no longer be recognizable as yours until you discover that you are wanted by police or that the IRS is receiving notices from a hundred companies that you have applied for work. I should point out that the lack of international agreements on the trade of stolen personal information makes the capture and prosecution of these identity thieves nearly impossible. There was a story very recently of a soldier who upon returning from the war zone in the Middle East found that he had been victimized criminally, financially, was wanted by police to pay child support, and a myriad of cell phone contracts that had been opened in his name, all while he was away on assignment. All of this was the result of identity theft.

Another group are the data miners who, after quietly depositing routines in your computer, can record your computer usage from anywhere in the world. From that information not only can they monitor what you do but also gather enough information to scam you into giving them more by posing as legitimate online businesses. Once that information is gathered up it is sold on another black market that deals in "cyber crime". A classic example of that are the infamous Nigerian scams who solicited capitol by posing as attorneys who ask your help to regain fortunes lost in a civil war or some other similar story.

Also, as I wrote in my last column a lot of theft happens in the workplace. Employees who have access to information can be solicited by thieves to trade data for cash. This is especially lucrative for drug addicts who can quickly convert information into cash by draining credit and bank accounts, and opening new accounts in the name of their victim. There have also been many cases of people who get (mostly temp) jobs specifically to steal data from their employers. Others simply steal for their own use.

As you can see not only can your information be stolen from almost any source, it can also be used for any number of reasons. My mantra has become, "As long as your information has value it will be stolen". Again the graphic Data Based You at the bottom of this column will give you an idea of how many sources there are for getting to our personal information.

Tuesday, August 12, 2008

Chapter One, where does all that stolen info come from?

As we begin to close in on a discussion of lowering the value of data to identity thieves and illegal data brokers it is important to look at the sources of data loss and theft. Remember also that the term Identity Theft means that someone has stolen your identity, not simply your credit card numbers. A person who has sublimated their own identity and assumed your information to pose as you is an identity thief. Now, let’s look at some of the major sources of data theft and breaches as I have attempted to define them.

First and the most familiar to most consumers is personal theft. The theft of wallets, and purses can result in a thief getting your credit cards, your Social Security card, Drivers License, checkbook, and so forth. Perhaps you have an unpaid bill or other document that has banking information, SSN, or other useful information in your car that can be stolen in an instant. Another easy place for this kind of theft is outgoing mail left unattended, or at the receptionists desk at work.
This kind of theft often results in quick attacks on your bank accounts, and new accounts being opened. The long-term effect is having the stuff sold on the open data market, which results in many forms of ID theft, often over the course of several years.

The next most familiar but least understood forms of identity theft take place over the internet. What generally comes to mind is scams like "phishing" and "pretexting" which take the form of legitimate websites but in reality are simply gathering your personal information for illegal use. Internet ID theft however is a much larger subject and involves your very right to privacy.

Workplace theft. That’s’ right, another big source of data is company records of employee and customer data. There was a statistic out last year that said that over 65% of all lost personal data from businesses was the result of an employee spiriting the data out for profit or even for retribution. Nearly every day errors in judgment occur that compromise your personal information at work. Mistakes such as E-mails, internet postings, and un-shredded trash containing employee and customer sensitive info happen daily due to lack of training. Another source of workplace theft is the loss of laptop computers or flash drives containing important information.

Your college or university and local school districts. This has become a major issue within the past several years. About once a week in the U.S. there are notices of schools being hacked of tens of thousands of student, former student, and faculty records containing personal and financial information, or losing the information altogether.

Hospitals and clinics. Medical records and especially health insurance information are a goldmine for thieves. One source is underpaid medical clerks that establish a source of revenue from stealing records for profit. Medical and insurance records can be used to create a new identity, file false insurance claims, and receive medical services, for example.

Public records (city, county, and state). We have seen in the first six months of 2008 alone the loss of nearly 100,000 data records by way of theft and the wrongful posting of personal information by local governments across the country.

Retail databases. TJX, need I say more about that. The single biggest known theft of personal information in U.S. history. Just recently an international ring of thieves were charged in that case for stealing over 41 million identities. And that is only one of hundreds of similar cases since these records have been tracked starting in 2005.

Public databases like ChoicePoint, Lexis Nexis, the credit bureaus, etc. Called Specialty Databases these comprise the largest databases in the world and to date in total have been compromised to the tune of 50 to 60 million records in the past 3 years. In 2005 ChoicePoint accidentally sold personal data to thieves posing as a legitimate business.

Tax and financial planners. I heard a story recently of a financial planner who had the server containing all of his clients’ records literally stolen from the rack in his office. I believe he had just installed anti-hacking software prior to the server theft. A lot of good that does when the thieves have the hardware.

War driving is a provocative scheme where ID thieves drive by businesses, hospitals, and other sources of data and simply log onto unsecured networks from the comfort of their car. I am amazed at the number of unsecured networks in industrial parks and office buildings everywhere. Thieves can pull into a parking lot, and in just a few minutes find an unsecured network, and download personal and company data.

This list is far from complete and could go on. Look at the Data Based You graphic at the bottom of this column for more sources. The point I’m trying to make here is that everywhere records are kept, from our desk at home to our workplace to everything we have ever done that leaves a record is a potential source for stolen data. It is important for each of us to fully understand this fundamental and inescapable fact, and that this is the real price of data convenience. Nothing about the above is theoretical. I am talking about losses that have already occurred. Where is the trend going? One thing is certain, it is on the increase. Just how much is the subject of speculation. On the low side some say as little as 10% per year nationally. On the high side estimates are as much as a 20 fold increase within the next 24 months! No matter how you look at it there is no end in sight to data theft. As long as there is a market, there will be data theft.

Wednesday, August 6, 2008

11 Charged in Theft of 41 Million Card Numbers

  • New York Times Aug 5, 2008 "Federal prosecutors have charged 11 people with stealing more than 41 million credit and debit card numbers, cracking what officials said on Tuesday appeared to be the largest hacking and identity theft ring ever exposed."

    There seems to be a disparity between the estimated 90+ million records reported stolen in the case originally and the 41 million records these 11 are being charged with. Perhaps there were other perpetrators still on the loose, or possibly the original estimates were way off. Only time will tell.
    Some facts bear noting:
  • These breaches were discovered in 2006.
  • The perpetrators are from several countries.
  • The data they accessed has been re-aggregated and sold many times all over the world.

    Did anyone see this one by E. Scott Reckard and Joseph Menn, Los Angeles Times Staff Writers August 2, 2008?
    "The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers, of as many as 2 million mortgage applicants.The breach in security, which occurred over a two-year period though July, was one of the largest in years, experts said."
    Look at the Dataloss link on this page for a more comprehensive list of breaches of data.

    No top down fix is going to stop the intentional theft of valuable data. Companies and governments cannot protect you from identity theft. The public needs to be fully aware that the only way to protect each individual is to obtain the services of a reputable company to provide them with an early warning of the illicit use of their data, not only for outright financial theft but the use of personally identifiable information to obtain employment, health insurance, file false medical claims, obtain passports, create new identities for a variety of reasons, and much more. This company must also provide professional representation and restoration services.
    I can tell you from personal experience that with identity theft you must prove yourself innocent beyond a doubt. That can take years. No one wants to endure that mentally and physically draining nightmare on their own. By being pro-active and having such a service in place before the fact can save inestimable time, money, and anguish. Your states' Attorney General cannot help you. In most states the AGs office is inundated with ID theft claims that taken one at a time would simply overwhelm their offices' ability to react. Local authorities are equally unable to help. It is up to each and every one of us to take the pro-active steps on our own. Remember "cheap insurance" in a previous post in this column? This is a classic example. Look at the worst case. Remember, it is possible no matter how remote you feel it might be to you. Ask your employer if they offer identity theft services as a benefit. Seek everything you can find on the subject before signing on to yearly contracts. Most of the services available are very ineffective and only address a small segment of ID theft, and can tie you into contracts.
    I firmly believe that the services that I represent are by far the best and most comprehensive available in the world. I represent them because they are good. There is no hidden language, no offer of reimbursement insurance, no claims that they can prevent ID theft, only the reputation of the worlds' foremost forensic accounting and fraud risk management company. They promise only one thing, to fully represent you and take you through the steps of restoration for all forms of identity theft. As a victim of identity theft I can tell you without reservation that no other company could have helped me with my case. I only wish it had been available then.

    I urge everyone reading this column to find a service that is real and solid, and will truly help you in the event this happens to you. Look at them all of you wish, but please read between the lines of their claims before you sign.


Thursday, July 31, 2008

DV>DR = Success

DV>DR= Success. Where D=Data, V= value, and R=risk. An interesting formula. One of the nations' most respected privacy professionals and fortunately for me a friend is now using this as a part of her blog signature. It's a great way to remind us all that it is our job as privacy professionals to strive to lower the risk of data misuse while at the same time using technological channels for their intended purpose, communication.

I have added another factor to the formula called the mitigating Factor (mF) and reworked the formula as below;
mF/DR < DV = success
Where we never want to actually devalue the data I think it is imperative to lower the resale value in order to reduce the risk. The mitigating factor is the N value or unknown. I'm working on that one.

In my opinion it has been demonstrated time and again that we cannot prevent data theft as long as there is a resale value. No amount of technological roadblocks in the form of red flag (mismatch) protocols, encryption algorithms, or any other plug-in solution can prevent the clever thief from accessing data if the value is high enough. So we need to think in terms of removing the financial motive from thieves.

mF/DR< DV= success

Friday, July 25, 2008

Pardon me

I'd like to get off subject for a bit. This is a column about identity theft but I would like to think that it is also a column about common sense. When we are confronted with a new situation or a new set of problems what is the most productive way to solve it? Well, the most common way to look at new problems is through the lens of history. A response like "history tells us" or "conventional wisdom is" and so forth is pretty common. That means comparing new situations to previous ones. Quite impossible to do. A healthier way to tackle a new problem is to consider the results you want and think "What if history doesn't repeat itself?"
In the turmoil of our current economic crisis we seem to be applying old remedies to new problems. Look at the lending institutions as an example. Not every bank is going to fail. The institutions that will most likely fail are the ones that did not concern themselves with the probabilities that the lending economy might not be able to sustain itself without some dramatic changes. There are plenty of organizations both small and global that saw this likelihood however. JP Morgan, for example divested from loans to the government bond market. As the mortgage crisis grew they found themselves, as predicted, doing better rather than worse. What does this tell us about conventional thinking? In the simplest terms it means that we need to look at the worst case scenario and weigh that against the likelihood of it occurring. One will mitigate the other every time. The worst case is always possible and the likelihood will raise or lower the possibility, but the possibility always exists. This means one thing must be done. Get cheap insurance. Always hedge your liability with a tool. History will not repeat itself. If you don't count on the past to predict the future but instead guard against the worst case you cannot fail.

As most of you know I represent Pre-Paid Legal Service plans for small businesses and families. I speak with HR managers who due to the economy are increasingly concerned that their constituents can't afford or most likely won't want to participate in a Pre-Paid Legal plan for their families due to the cost. I understand the concerns they have. The real cost is obvious. So is the investment value, and it is that value I feel we must stress.
What do you think would have happened if the majority of the homeowners with an ARM who are faced with foreclosure had used an attorney to look over their loan documents before they signed? Do you think that at least some of them might have listened to counsel and not signed on to something they could not afford? That is just one example that in times such as these using an attorney is even more critical than ever. This amounts to cheap insurance. History will not repeat itself. Every situation we encounter is new and requires a new solution. Contrary to conventional belief there is no longer a correlation between a persons' assets and using lawyers. The risk of making mistakes is the same, and the downside is relative. Scale is merely that, a scale. There is no difference between JP Morgan and operating a family of four living on a tight budget except scale. When Morgan saw the coming crisis they sought the counsel of experts and made a prudent decision. That one decision effectively separated them from Bear Stearns, which Morgan eventually bought at a few cents on the dollar. When a family seeks counsel before making a major decision they are doing exactly the same thing. We ought to be preparing for the future not relying on the past. Now more than ever a good understanding of the law and individual rights and options is crucial. Over the last few years my family has saved several thousands simply by utilizing the counsel and help of our attorneys not to chase law suits but to seek counsel and be aware of our rights and exercise them when it became necessary.
This also relates to identity theft. In case you haven't noticed you have no privacy. Everything there is to know about a person is readily available for a price. From the day we were born to the present most every thing we have done is in a database somewhere. those databases have proved over the years to be sieves, leaking their contents to anyone who wants them. Do you know anyone foolish enough to try to plug up a sieve? We cannot apply old solutions to new issues.

Thursday, July 24, 2008

Before I go on

I know in my last post I said I would talk about the value of our data to thieves but I wanted to weigh in on one other subject first.
When it comes to a company initiating a policy regarding sensitive information and employee responsibilities I repeatedly run into the issue of corporate or management participation.
It is absolutely essential for management, whether a board of directors, company president, or owner, to totally commit to the implementation of the policy. The policy must be a part of the business' commitment to excellence and be an integral part of daily procedure. The policy needs to be understood by everyone in the company in order for the "culture of security" to work.

I like to rant on about training but there is a reason. When it comes to data security the human factor is the most critical link. Staff needs to understand both the what and the why of the procedures they are supposed to follow. Management will set the tone by their participation. If management is ambivalent then the employees will take the same attitude. If management is engaged then so will the employees. Fortunately more executives are seeing the benefit of a non-public information policy and training. It will greatly enhance the business' confidence that everything that can be done is being done to avoid data loss and theft.
With all of the national press about identity theft the public is very wary of business losing important information. The savvy business owner can actually benefit in the market place by showing the attention they are giving to this issue in ads and press releases.