Friday, February 20, 2009

Documentation

This is the fourth post in a series of five. A program such as a risk-averse compliance program has dual purposes.

First, a business wants to protect its clients and employees from identity theft. It's the responsible thing to do. The program I outlined in my previous column will greatly reduce the incidents of data loss. While nothing is foolproof, a holistic approach is far more effective than a patchwork of compliance steps. For example, the Northern California “district” of the Kaiser hospital group had a large breach of personal information very recently. Kaiser takes its HIPAA responsibilities seriously. Part of that responsibility is to protect the privacy of the patient files in the Kaiser system. This breach, however, was of employee HR file information, and is not covered under the HIPAA compliance requirements. Had the employer included the entire administrative team (payroll, HR, accounting, etc.) in a company-wide data security culture, they might have prevented that breach.

The other reason to initiate a personal information security program is to lessen exposure to risk and mitigate the company liability.
That is why documentation is so important. When an organization experiences a breach, either forensic investigators from the Secret Service, or agents representing the FTC or law enforcement, will want to see what the business has done to protect the information prior to the incident. Just as proof of insurance affects the outcome of a traffic accident, proof of an identity theft program will affect the outcome of a breach case. A carefully documented program is key. You need to document that you have enacted the policy, that everyone on staff has been exposed to the policy and has agreed to uphold the policy. Documentation naming the person(s) responsible for administering the program needs to be in the file, along with notification to all contractors and service providers that the plan is in place and the business expects a similar policy to be in place with all contractors.

In the next post I will tie all of this together and show how Pre-Paid Legal Services Inc has developed a program that connects the dots and covers each aspect of what I’ve described in the last few posts. I’m proud to say that no other service exists that provides the uniquely comprehensive and "holistic" approach as the Pre-Paid program.

Thursday, February 19, 2009

The Company

In my previous post I outlined who the victims of identity theft are, and what they might expect to encounter in resolving the fallout from being a victim. In this post let’s take a look at the companies responsible for protecting databases and files. The reason for this is to illustrate that the majority of the information that is stolen and used by identity thieves comes from data files. Either by way of insider theft or by accidental exposure of personal information, the end result is the same. I'm not forgetting that there are also a number of incidents of personal theft, “dumpster diving”, computer data theft, mailbox theft, and so forth. There are steps that everyone can take to reduce that kind of risk. I will address that later. Again, for the victim it is less important where the theft occurred, and more important how to recover.

Every business, college, state and county, hospital, non-profit, utility, frankly everyone keeps records. If not on clients then on personnel, and usually both. Names and addresses along with employee numbers, bank account numbers, SSNs, credit report files, health information, are typical and are considered non-public information. The information in those records by law needs to be protected. Over a number of years dozens of federal and state laws have been enacted that rightfully place the security responsibility on those that keep the records. When they lose that information no matter how it happens scenarios like the ones described in my Victim post can occur.

The fallout affects both the individual victim, their families, and of course the business. Several things can happen when a database is breached. First, the company will need to make a public notice to all potential victims that their information is at risk of identity theft. Statistics show that when that happens 40% of all clients will cease doing business with them, 20% will seriously consider it, and 5 to 10% will sue. I know I said I would refrain from stats but those numbers are staggering. That is just the beginning. The laws all have civil or criminal penalties, and individual and class actions could be likely.

What is a business to do?
There are a number of steps any business can take. Large and high tech companies have vast resources, and can take such steps as hiring permanent privacy and security officers to manage a data security program. Banks, S&Ls and lenders have certain extra responsibilities to ensure the accounts they have are genuine and are not the result of stolen or falsified information.
Also, encryption programs and procedures are required of insurance and financial organizations such as financial advisors and accountancies. All businesses, however, can take other reasonable steps given their individual resources.

These remaining reasonable steps revolve around awareness. Regardless of the size and nature of a business these are crucial in a "culture of security." Developing a written plan and strategy is the first step in any identity theft program. This policy, once approved, becomes the engine that drives the program. Next is naming the individuals responsible to implement the plan. Next, and perhaps most importantly, is to discuss the plan with all employees in general safety meetings, and make them aware of their responsibilities under the plan. This is also a good opportunity for feedback from the staff as to how the company might tighten security around record keeping and office procedures. Another important step needs to be taken in order for the plan to be effective. That is working with any contractor or service provider business to ensure that the security practices of that company are of similar caliber. Lastly, make some sort of notification system available to clients and employees if possible identity theft episodes have occurred from any source, not just from the company. Any business that has performed these steps will be considered to have taken the reasonable steps required by the FTC to comply with the spirit and intention of the privacy legislation.

Wednesday, February 18, 2009

The Victim

In my last post I said that at Pre-Paid Legal Services we take into account the employee of a business, the customers of the business, the business itself, and other companies that have a business relationship with them. In this post I want to focus on the individual victim. Victims can be employees, customers or simply someone unfortunate enough to have their information stolen as the result of a breach of records, like from a county or former university for example.

I want to write this series without relying on statistics to make my point. I wade through mountains of identity theft statistics almost every day. Some are so contradictory as to negate their conclusions, and a lot of data and surveys you see from companies are simply skewed to validate preconceived ideas of the company and their product. One fact is irrefutable however. No victim of identity theft cares about statistics, only what resources they need to try and solve their problem. The effectiveness of a service to aid the client is the only statistic that matters.

First, let’s recognize identity theft as the crime that it is. It is most assuredly not victimless, as I can personally attest to. You become one of about 10 million North American victims each year. Your local police and County attorney can’t help you. The Attorney General of your state can’t help you. With very rare exceptions these agencies simply do not have the resources to help individual identity theft victims. Every victim is on their own to plow through the maze of issues they need to resolve in order to try and put the episode behind them. That bears repeating. Every victim of identity theft needs to be actively engaged in dealing with their own identity theft rescue. So, when you become the victim of identity theft you want help, plain and simple. As it is with anything, every victim wants to be able to pick up the phone and know that the person on the other end will help them.

This is a lot more than working with your bank to get your account straight, although that can be difficult enough. I've often said that victims of financial (bank account) identity theft are fortunate! It is the easiest type of the crime to resolve. However, identity theft might involve representation with the IRS in the event your SSN has been used to obtain employment, or to make false tax filings to get refunds, or not paying taxes at all. Your situation might involve the use of your medical insurance to file false claims, or receive medical services, leaving you stuck with the bill and incorrect medical records. It might be one of using your identity in the commission of a crime, or a number of circumstances where an attorney will be your best advocate. Remember, identity theft is a crime, and crime is a legal issue.

You will also need your records scrubbed of false entries after the fact. It will likely involve the credit bureaus, but also many other local, federal and private databases that can contain untrue entries and documents depending on the nature of the crime. You will need to have those records restored to their pre-theft status. That can take years.

In my next post we will look at those databases and the businesses that keep them.

Tuesday, February 17, 2009

What do I do?

After writing this column for over a year it seemed a good idea to share exactly what it is that I do in the field of identity theft. Over the next few posts I hope to lay out what it is that makes our suite of products and services uniquely better suited to deal with identity theft. And then how I fit into it.

The company that I represent is Pre-Paid Legal Services Inc. A couple of years after being victimized by identity theft in 2000 I found this company. When I saw what they offer to customers I realized right away that they had the best answer to identity theft.
There are a lot of products flooding the market that say they can “stop identity theft in its tracks”, or “track down the perpetrator”, “prevent the crime from happening”, “insure your losses”, and all sorts of claims. The truth is all of them are simply selling you a product. The good news is that most all of them have at least some merit, and a few are very good. I am not going to comment on the claims you see in their ads, nor will I go into any kind of comparison here; I’ll leave that up to you.

What I want to accomplish in the next few posts is to explain how the products and services of Pre-Paid can be the most elegant, solution-oriented products that take into account the company that might have data to protect, the employees of that company, the clients or customers of that company and the other businesses that do business with that company. And also the future of identity theft no matter what direction it takes.

FAA Employee Database Hacked

And the beat goes on....

The Associated Press reported last week that hackers broke into a Federal Aviation Administration employee database accessing the personally identifiable information of 45,000 employees and retirees. The break-in was disclosed by the FAA in an announcement to union representatives. An FAA representative confirmed that the event took place last week.

Tom Waters, president of American Federation of State, County and Municipal Employees Local 3290, said union leaders were told hackers gained access to two files. One file had the names and Social Security numbers of 45,000 employees and retirees on the FAA's rolls as of February 2006. Social Security numbers can be used to steal identities for illicit purposes.
Waters said the other file contained medical information that was encrypted.

An FAA contracts attorney complained that federal computer systems "should be the best in the world" and not vulnerable to hackers; the FAA said this was the first incident of its kind to affect the agency.

Monday, February 16, 2009

And Now Another Perspective

Every so often I manage to shake my head out of its identity theft mode and think about other things. I suppose one of the advantages of having your own soapbox is using it for whatever comes to mind. Thus the following thoughts from long ago...

Feb 2005
" It’s no wonder that a lot of writers live in Northern California. We have that long period of cold, dark, rainy weather that makes us go inside ourselves. The mix is just exactly perfect to grow writers in. It’s not like it is like that all the time either. At about the time when the gloom of rain and chills seem to be permanent it all shifts. The long warmish, May to November days make the whole thing new again allowing us once again to pursue the outside, and feel the sun on our faces.


I lived in central Belgium where the names of places drip with double vowels betraying the guttural sound of the words. Rain is a way of life in Belgium, hardly noticed, it’s only the way the air is. House painters go about their daily rituals, scaffolding goes up, beers open, and at the end of the day there is a new coat of paint. I don’t know how they do it but the rain somehow has no effect on Belgian housepaint.


Belgian people with short legs and a low center of gravity live in low buildings, sit for hours in bars staring at the gray gloom and declaring it a nice day. There’s something about a country that you can drive through in less than three hours and claims to make over three hundred kinds of beer with names like “Sudden Death” and pictures of grinning Trappist Monks on the labels. It tells me that these people have adapted to their climate. Their cities like their stature are low and firm, no frills.


I lived in Sint (Saint) Giles in a Brussels townhouse, its blue stone façade carved in crisp Nouveau shapes. On one side lived an English antique dealer who specialized in ancient documents. Our relationship consisted of getting each other’s mail. We were, after all, both native English speakers; the mix up in the mail was easy to understand. The routine went something like standing on his doorstep both of us silently sorting through the mail and performing a perfect handoff, “one for you, one for me”, like that. On the other side was a legally blind movie critic. We never actually met, for if we had surely I would have put that claim to a test. Maybe it was a special gift, or maybe she would go to her screenings with a group of trusted friends and debrief them afterwards in lavish “après-cinema” parties at the local brasserie. More likely someone in her family owned the paper. Funny how reality isn’t quite so romantic.

Belgium is the country that gave us Communism; bred in small apartments over roaring fires to keep that damned cold at bay. What else can one do in a place that has rain on average 260 days a year but to sit around plotting new schemes to offset the dreary reality just outside the window? Funny how Belgium never actually became a communist country. As I write this on a mid-February Northern California morning the wet has left us temporarily giving rise to the possibility of better days ahead. We have that balance of wet and dry days, all clumped together long enough to forget that the other really exists. "


Thanks for indulging me.

John