Friday, September 26, 2008

Applications and Identity Theft

In my business I spend a great deal of time orienting employees on the realities of identity theft. It's a critical step in reducing incidents of data loss and theft from businesses. I’m not talking about trade secrets but rather employee personal data and that of company customers or clients.

Major companies involved in the architecture and implementation of web applications are proposing new Internet protocol rules and passkey requirements for data access. In the web 2.0 world of cloud computing these are very important issues, and absolutely need to be addressed. Data collection becomes more ubiquitous for a variety of reasons and the trade off between our individual rights to privacy and the public right to know is under an increased scrutiny.

Beneath the radar of public discussion however, thousands of lists and databases containing yours and my personal information are ripe for the picking.
Below is an excerpt from an article in today’s New York Times.

September 25, 2008
The Fix
Applications and Identity Theft
JAY ROMANO New York Times
“CO-OP boards, condo boards and even landlords routinely ask applicants for personal data like Social Security numbers, exactly the kind of information that is used in identity theft.
According to lawyers and managing agents for co-ops, condos and rental buildings, applicants are becoming skittish about providing sensitive information. More than 14 million Americans reported being victims of identity theft in the 12 months before August 2007, according to Avivah Litan, a security analyst for the research firm Gartner.
While there is no indication that widespread theft of information has resulted from co-op and condo filings, Habitat magazine, a New York publication covering co-ops and condos, has published two articles in the last year or so dealing with identity theft.
The magazine interviewed two prospective apartment purchasers who believed that carelessness by board members led to the release of sensitive information that was used by thieves to open accounts in their names. One building worker acknowledged that he found 10 years of application packages in a board member’s trash.”

This is a classic example of the sort of database that is overlooked. Smaller local databases are extremely vulnerable to theft and loss mainly due to a lack of understanding of proper procedures and the real risks from loss. What the prevailing wisdom tends to ignore are these thousands of lists and databases that already exist with our personal information.
When someone is victimized by an identity thief in Eastern Europe who has bought his or her information for $25 in bulk and resold it to someone else who files a phony medical insurance claim, or a crack addict who sells it to someone with a criminal record who obtains employment using a stolen SSN, do you think they care which database was the source of the theft? The victim is stuck with the fallout that statistically takes from 3 to 5 years to clear up, and even then often resurfaces at a later time.

The public is essentially unaware of what identity theft is, and business has almost no clue as to their legal and moral obligation to protect and properly store and dispose of sensitive personal information. What happens for example to information kept in your dentists’ office, or your insurance agent? What are their protection and disposal procedures? How about your town and county records? Schools? American business is losing about $50B, that’s billion, in direct and indirect costs each year due to identity theft. When large databases are hacked like the Veterans’ Administration for 26.5 million records, or TJX for somewhere between 41 and 91 million records, UCLA for 800,000 records, etc, it makes the news. Complaints pile up at state and federal legislators’ mailboxes. An upward spiraling argument always follows every large breach with people demanding new laws which when enacted are ineffective in stemming the theft and sale of personal information. As long as the data has value it will continue to be a commodity for sale.

Getting back to my employee group trainings I always ask the group what they think of when they hear the terms data theft and identity theft. Almost invariably the answers are centered on credit reports, bank account and credit card misuse. While that is a significant portion of the identity theft reported to the FTC, the overwhelming majority of cases reported (70%) do not involve finances at all. Only through public awareness can the crimes of identity theft be squelched. The groups we speak with are more aware and proactive both with their own personal information and with the information they handle at work. We are all responsible for each other’s data. Creating better habits of safekeeping it will establish the “culture of security” we all seek.

Tuesday, September 23, 2008

FTC requires towns to add identity theft programs

The article was recently run in a small North Carolina newspaper. I've gone on record on the subject of identity theft policy and training more times than I can count. With all the flap about Internet privacy, discussion forums, and a lot of heady talk about personal privacy, the identity theft victims are all but forgotten. Here is an excerpt from the article by Sarah Jane Rosser.

September 15, 2008
" The Federal Trade Commission (FTC) has issued new requirements for municipalities on the adoption of identity theft programs.A release was distributed to all municipalities by the North Carolina League of Municipalities (NCLM) on Sept. 4, asking all managers, administrators, clerks, attorneys and finance officers to have written procedures in place to help protect consumer identity and fight theft of customer account information.The release stated that all municipalities with utility accounts must participate. According to the Tennessee Valley Public Power Association (TVPPA), utilities rank No. 3 as a place for identity thieves to gain information. Credit cards companies and cell phone companies are the top two.The objective of the program is to identify, detect and respond to red flags, meaning a pattern or practice of specific activity that indicates the possible existence of identity theft.Examples included in the memo were events such as the receipt of warnings from consumer reporting agencies, the presentation to the creditor of suspicious documents, the presentation to a creditor of suspicious personal identifying information and the unusual use of a covered account."

The public, that's' you and me, need to learn as much about what identity theft is, (the reality not the stuff you are fed on TV), and what we can do to prevent being a victim and minimize our risk. Education is the single most important part. That is why training on the job is critical. People who have access to personal information either as part of their job, or in the event sensitive info falls into their laps accidentally, need to know how to handle it and make certain it doesn't get lost or end up in the wrong hands.

The FTC is listening to the professionals and making policy suggestions that are extremely important for all business to follow. There is a great booklet "Protecting Personal Information, a guide for business" available at .
Everything any business entity needs to know about setting up a training and breach response plan is in the booklet. As the result of the adoption of the Red Flag Rules, sec.114 of FACTA, the entire retail banking and savings industry is compelled to comply with these practices. If local government and private industry continue to resist these steps a similar law will soon make it mandatory for all employers as is suggested in the article here.

Business has a choice, a voluntary plan to reduce risk and put training and policy in place, or a law forcing these and other steps with stiff penalties for non-compliance. As I wrote in a previous column compliance is a process. While it isn't mandatory for all, it is a matter of choosing the right course of action. Every entity that maintains personal information has an obligation and moral responsibility to protect that information from loss or theft. And when the data is no longer needed, to dispose of it responsibly. Remember, it isn't someone elses' information at stake it is yours and mine.