Friday, May 2, 2008

Compliance with Identity Theft Laws is no longer an option for Business

John Taylor CITRMS
April 2008

We haven’t come close to over-informing the public on the subject of identity theft, if that were even possible. In the training seminars I give on identity theft my biggest emphasis is on the true scope of the set of crimes called identity theft. If we were to believe the ads on TV and the offers of free services by the banks, we could easily conclude that this is one crime on the run that will soon be eradicated. After all, they say it’s only a financial crime, right? If that were the case, why is identity theft still the fastest growing crime in the world? Upwards of 300 million records have gone missing or been stolen in the past three years in the U.S. alone, and only a fraction of the reported victim cases relate to our finances. Our medical records, driver’s license numbers, public records in our county offices, and literally hundreds of databases hold sensitive information on us that, if aggregated, can enable many different forms of identity theft. Thieves and data sellers are finding new and easier ways to data mine all forms of our personal information for a wide variety of reasons. Where does the majority of this theft occur? Companies and aggregators of personal non-public information are the source of nearly all identity theft. I read in the April 25th NY Times that the newest trend in debt collection is outsourcing to companies in India. That adds another layer where data theft will most likely occur.
This brings me to the topic of this article. There have been several laws on the books for years now that are designed to protect individuals from having their personal information compromised by an organization entrusted with it. Federal legislation such as HIPAA, FACTA, the FCRA, the GLB Act’s Safeguards Rule, even SOX, and various state-level whistle-blower laws spell out for organizations how data should be safeguarded. Regular seminars put on by corporate Privacy Chiefs, IT Managers, Risk Managers and software developers across the country develop consortium and industry practices. The U.S. Secret Service, charged with investigating identity fraud, provides mountains of data to the FTC so that patterns and methods can be established in order to catch the thieves in action. In 2006 a Task Force was created by the President to codify and identify identity theft crimes and their impact on government record keeping. The Office of Management and Budget (OMB) issued a memo last year setting stringent requirements for all federal agencies to comply with the findings of the Task Force. The FTC has issued guidelines for business with clear recommendations on how to implement an identity theft prevention and response program. Business has largely ignored these recommendations, and generally seems reluctant to admit there is a problem despite the massive press coverage of identity theft. This is evident in the number of breaches that occur on an almost daily basis. Even with 39 individual state breach reporting laws in place, incidents of data loss go unreported because of loopholes in those rules. Why is that?
What could possibly stop a company from notifying its clients or employees that their information might have been compromised?
There are several reasons I can draw from that phenomenon. First, and I think foremost, if a breach is made public the fear of a bad public perception of the company and its practices dominates, and not without reason. A study commissioned by CIO Magazine shows that when a breach occurs, on average 40% of the client base will end their relationship and take their business elsewhere, and 10% will engage counsel in actions against the company. The second reason, I believe, is that a lot of businesses would rather accept the risk than take a proactive position; in other words, do nothing. Inaction of that kind is a leading cause of business failure.
You can’t leave out that insurance rates and creditworthiness are also at stake, but that relates to reason number one above. No business wants rising costs. Thirdly, there is still a significant number of business owners who don’t believe this is a serious issue, believing instead that a lot of hyperbole is given to a subject that has little chance of actually happening. Those I would invite to speak with the roughly 10 million annual U.S. ID theft victims for their opinions. And of course there are the tens of millions of dollars in business fines, mandatory risk assessment audits, actual damage suffered by victims and other related costs. The figure for 2007 in total losses suffered by American business related to identity theft was over $48 billion.
Because of this “lack of enthusiasm” on the part of business in taking the FTC guidelines seriously, the government has done what in my opinion should have been done long before. As with HIPAA, it is now mandatory for nearly every organization in the country to comply with the laws that protect personal identifying and non-public information. The liability for loss is placed squarely on the shoulders of the organizations that maintain the data. Precedents have already been established in fines, criminal prosecutions and class actions allowed to go forward. The new regulations also address the sharing of information with third-party service providers: the liability follows the data. A business cannot absolve itself of responsibility simply by outsourcing functions such as HR or payroll, or even cleaning services that have access to offices during off hours. Compliance cannot be addressed with software alone, or contract language, or simply with firewalls, encryption, or any other single-pronged approach. This is not simply an IT problem. Compliance is a multi-faceted procedure that must be designed to meet the needs of the particular organization and the data it keeps and uses. In other words, there is no single compliance fix. As of January 1st of 2008 the so-called Red Flags Rule went into effect, and it requires compliance by November 1st of this year. These regulations implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. This single rule affects as many as 80% of all organizations in the U.S., regardless of the size or nature of the organization. In short, it requires all organizations that maintain “covered accounts” to take steps to detect and flag account discrepancies, and to follow up on those discrepancies. What is a covered account?
The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (the “Program”) for combating identity theft in connection with new and existing accounts. The Program is aimed at detecting fraud while protecting both the institution from losses and the account holders who may be victims of fraud. Financial institutions such as banks, credit unions and savings organizations are currently focusing on the data-mismatch mechanisms they need to deploy, but the other requirements, adopting a sensitive-information policy, hands-on training on that policy, full documentation of the training process, and compliance oversight of contractors and service providers, are not generally given the same attention. Still, as I go about my business of speaking with executives about these laws, I see a great deal of resistance and denial. Some business owners do not think they are liable or even affected, mainly, I believe, because they have not heard of these laws; others resist rather than learn, again, in my opinion, out of that same unfamiliarity.
What do we do? How can we inform business and public sector employers not only that these laws exist but also that the penalties of non-compliance can be devastating, both financially and in public relations terms? As with anything, education is the key. First, educate the business community on the responsibilities they share and the risks involved in not facing them. It is important for them to understand why it is in their best interest to take proactive steps. For the business owner this should really boil down to a question of economics: the price of doing it compared to the price of not doing it. With only 6% of all businesses reporting that they can be reasonably certain they have not had breach issues, the odds are against those who opt for the latter. In fact, as more surveys and studies go forward, it is becoming clear that incidents of data breach have been greatly underreported in the past several years. Secondly, and returning to my opening statement, educate the public, for it is their information that is at risk. Every compliance program, whether for sexual harassment, safety, or any number of industry-specific reasons, has an education component at its center. There is little point in enacting policies and procedures if the staff charged with implementing them are untrained and unaware of the implications. Identity theft is no different. An inadvertent email attachment containing sensitive information carries the same liability as an intentional breach or criminal theft. Loss or misuse of information is the issue, and the liabilities and risks are identical regardless of the nature of the loss. It is worth noting here that I advocate an inclusive approach to this issue. Simple “checklist compliance” is not an adequate substitute for a holistic protection philosophy. The Federal Trade Commission calls this approach a “culture of security”. Well put. The employee is the person handling the information.
Empowering the employee with knowledge of the risk and of the importance of following guidelines is essential to any prevention program.
Next is assistance for the victim. Every company needs a plan in place detailing its response to a breach of information. Containment, forensics, and notification of potential victims are steps that need to take place immediately. This affirmative response can turn a rather nasty event into a public relations victory if handled properly. Just recently Harvard University found that a breach of faculty and student records had occurred. Harvard had a breach response plan in effect. The plan was triggered within 30 minutes, resulting in quick containment of the hacked servers and immediate notification of all potentially affected individuals.
The very next thing to consider is providing victims with a reputable restoration service that will truly work on their behalf, advocating for them and representing them in getting their data integrity restored. It is in the best interest of any company to have such a service in place for all staff and employees before a breach occurs. This serves the company in two distinct ways. First, if an employee suffers ID theft from an external source, the service will assist them with the restoration process so they stay on task at work rather than dealing with outside personal issues during business hours. The average time a victim spends restoring their good name is 600 hours, or 15 working weeks! Secondly, a business that does encounter an internal breach of employee data will be able to show it offered a mitigating service prior to the breach. We have all seen the news articles about companies that, after experiencing a breach, offer a “year of credit monitoring”. That can be very expensive and ineffective, considering the time lag before identity theft crimes show up. Making such services available as an employee option before a breach can cost the employer nothing and provide the employee with ongoing protection. This kind of benefit can also be very effective in attracting key personnel.

I feel it is imperative to find as many ways as possible to raise employer and business owner awareness of this, so that it cannot escape their radar. Again, the liability is there regardless of a business’ decision to be compliant or not; the laws are very clear on that point. And a business that has done an effective job can greatly reduce the chance of having a breach in the first place. While nothing will eliminate the liability all companies face, compliance will greatly reduce the risk of damages and lawsuits. I should also mention the competitive edge that can be gained in attracting new business by publicly demonstrating the steps the company has taken to protect the information it uses.

At this writing, near the first of May, every business in the country has almost exactly six months to be in compliance. That is not much time. At this point the legal community is mostly in the dark as well, so that when a client seeks counsel on this issue the attorney is not up to speed on the regulations. It is just as important to bring the legal community into this as it is to bring in the private and public business sectors. What if every employer signed on to the awareness concept regardless of compliance? Could that result in a culture of security within the business community? I’ve often heard it said that knowledge is power. I would rephrase that to say that putting knowledge into action is the power. Here’s to a well-informed business community!

The author is a Certified Identity Theft Risk Management Specialist engaged in assisting businesses to comply with identity theft and consumer protection laws and in bringing identity theft training to employee groups. He is an Independent Associate with Pre-Paid Legal Services Inc. of Ada, Oklahoma and has written numerous articles on identity theft and the business liabilities and risks associated with data loss. © 2008 John Taylor