
The President's Identity Theft Task Force

April 2007

Combating Identity Theft
A Strategic Plan
Table of Contents
Glossary of Acronyms
Identity Theft Task Force Members
Letter to the President
I. Executive Summary
  A. Introduction
  B. The Strategy
II. The Contours of the Identity Theft Problem
  A. Prevalence and Costs of Identity Theft
  B. Identity Thieves: Who They Are
  C. How Identity Theft Happens: The Tools of the Trade
  D. What Identity Thieves Do With the Information They Steal: The Different Forms of Identity Theft
III. A Strategy to Combat Identity Theft
  A. Prevention: Keeping Consumer Data out of the Hands of Criminals
    1. Decreasing the Unnecessary Use of Social Security Numbers
    2. Data Security in the Public Sector
      a. Safeguarding of Information in the Public Sector
      b. Responding to Data Breaches in the Public Sector
    3. Data Security in the Private Sector
      a. The Current Legal Landscape
      b. Implementation of Data Security Guidelines and Rules
      c. Responding to Data Breaches in the Private Sector
    4. Educating Consumers on Protecting Their Personal Information
  B. Prevention: Making It Harder to Misuse Consumer Data
  C. Victim Recovery: Helping Consumers Repair Their Lives
    1. Victim Assistance: Outreach and Education
    2. Making Identity Theft Victims Whole
    3. Gathering Better Information on the Effectiveness of Victim Recovery Measures
  D. Law Enforcement: Prosecuting and Punishing Identity Thieves
    1. Coordination and Intelligence/Information Sharing
      a. Sources of Identity Theft Information
      b. Format for Sharing Information and Intelligence
      c. Mechanisms for Sharing Information
    2. Coordination with Foreign Law Enforcement
    3. Prosecution Approaches and Initiatives
    4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps
      a. The Identity Theft Statutes
      b. Computer-Related Identity Theft Statutes
      c. Cyber-Extortion Statute
      d. Sentencing Guidelines Governing Identity Theft
    5. Training of Law Enforcement Officers and Prosecutors
    6. Measuring Success of Law Enforcement Efforts
IV. Conclusion: The Way Forward
APPENDICES
Appendix A: Identity Theft Task Force's Guidance Memorandum on Data Breach Protocol
Appendix B: Proposed Routine Use Language
Appendix C: Text of Amendments to 18 U.S.C. 3663(b) and 3663A(b)
Appendix D: Text of Amendments to 18 U.S.C. 2703, 2711 and 3127, and Text of New Language for 18 U.S.C. 3512
Appendix E: Text of Amendments to 18 U.S.C. 1028 and 1028A
Appendix F: Text of Amendment to 18 U.S.C. 1032(a)(2)
Appendix G: Text of Amendments to 18 U.S.C. 1030(a)(5), (c), and (g) and to 18 U.S.C. 2332b
Appendix H: Text of Amendments to 18 U.S.C. 1030(a)(7)
Appendix I: Text of Amendment to United States Sentencing Guideline 2B1.1
Appendix J (Description of Proposed Surveys)
ENDNOTES
Glossary of Acronyms
AAMVA: American Association of Motor Vehicle Administrators
AARP: American Association of Retired Persons
ABA: American Bar Association
APWG: Anti-Phishing Working Group
BBB: Better Business Bureau
BIN: Bank Identification Number
BJA: Bureau of Justice Assistance
BJS: Bureau of Justice Statistics
CCIPS: Computer Crime and Intellectual Property Section (DOJ)
CCMSI: Credit Card Mail Security Initiative
CFAA: Computer Fraud and Abuse Act
CFTC: Commodity Futures Trading Commission
CIO: Chief Information Officer
CIP: Customer Identification Program
CIRFU: Cyber Initiative and Resource Fusion Center
CMRA: Commercial Mail Receiving Agency
CMS: Centers for Medicare and Medicaid Services (HHS)
CRA: Consumer reporting agency
CVV2: Card Verification Value 2
DBFTF: Document and Benefit Fraud Task Force
DHS: Department of Homeland Security
DOJ: Department of Justice
DPPA: Driver's Privacy Protection Act of 1994
FACT Act: Fair and Accurate Credit Transactions Act of 2003
FBI: Federal Bureau of Investigation
FCD: Financial Crimes Database
FCRA: Fair Credit Reporting Act
FCU Act: Federal Credit Union Act
FDI Act: Federal Deposit Insurance Act
FDIC: Federal Deposit Insurance Corporation
FEMA: Federal Emergency Management Agency
FERPA: Family and Educational Rights and Privacy Act of 1974
FFIEC: Federal Financial Institutions Examination Council
FIMSI: Financial Industry Mail Security Initiative
FinCEN: Financial Crimes Enforcement Network (Department of Treasury)
FISMA: Federal Information Security Management Act of 2002
FRB: Federal Reserve Board of Governors
FSI: Financial Services, Inc.
FTC: Federal Trade Commission
FTC Act: Federal Trade Commission Act
GAO: Government Accountability Office
GLB Act: Gramm-Leach-Bliley Act
HHS: Department of Health and Human Services
HIPAA: Health Insurance Portability and Accountability Act of 1996
IACP: International Association of Chiefs of Police
IAFCI: International Association of Financial Crimes Investigators
IC3: Internet Crime Complaint Center
ICE: U.S. Immigration and Customs Enforcement
IRS: Internal Revenue Service
IRS CI: IRS Criminal Investigation Division
IRTPA: Intelligence Reform and Terrorism Prevention Act of 2004
ISI: Intelligence Sharing Initiative (U.S. Postal Inspection Service)
ISP: Internet service provider
ISS LOB: Information Systems Security Line of Business
ITAC: Identity Theft Assistance Center
ITCI: Information Technology Compliance Institute
ITRC: Identity Theft Resource Center
MCC: Major Cities Chiefs
NAC: National Advocacy Center
NASD: National Association of Securities Dealers, Inc.
NCFTA: National Cyber Forensic Training Alliance
NCHELP: National Council of Higher Education Loan Programs
NCUA: National Credit Union Administration
NCVS: National Crime Victimization Survey
NDAA: National District Attorneys Association
NIH: National Institutes of Health
NIST: National Institute of Standards and Technology
NYSE: New York Stock Exchange
OCC: Office of the Comptroller of the Currency
OIG: Office of the Inspector General
OJP: Office of Justice Programs (DOJ)
OMB: Office of Management and Budget
OPM: Office of Personnel Management
OTS: Office of Thrift Supervision
OVC: Office for Victims of Crime (DOJ)
PCI: Payment Card Industry
PIN: Personal Identification Number
PMA: President's Management Agenda
PRC: Privacy Rights Clearinghouse
QRP: Questionable Refund Program (IRS CI)
RELEAF: Operation Retailers & Law Enforcement Against Fraud
RISS: Regional Information Sharing Systems
RITNET: Regional Identity Theft Network
RPP: Return Preparer Program (IRS CI)
SAR: Suspicious Activity Report
SBA: Small Business Administration
SEC: Securities and Exchange Commission
SMP: Senior Medicare Patrol
SSA: Social Security Administration
SSL: Security Socket Layer
SSN: Social Security number
TIGTA: Treasury Inspector General for Tax Administration
UNCC: United Nations Crime Commission
USA PATRIOT Act: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Pub. L. No. 107-56)
USB: Universal Serial Bus
US-CERT: United States Computer Emergency Readiness Team
USPIS: United States Postal Inspection Service
USSS: United States Secret Service
VHA: Veterans Health Administration
VOIP: Voice Over Internet Protocol
VPN: Virtual private network
WEDI: Workgroup for Electronic Data Interchange
Identity Theft Task Force Members
Alberto R. Gonzales, Chairman
Attorney General
Deborah Platt Majoras, Co-Chairman
Chairman, Federal Trade Commission
Henry M. Paulson
Department of Treasury
Carlos M. Gutierrez
Department of Commerce
Michael O. Leavitt
Department of Health and Human Services
R. James Nicholson
Department of Veterans Affairs
Michael Chertoff
Department of Homeland Security
Rob Portman
Office of Management and Budget
John E. Potter
United States Postal Service
Ben S. Bernanke
Federal Reserve System
Linda M. Springer
Office of Personnel Management
Sheila C. Bair
Federal Deposit Insurance Corporation
Christopher Cox
Securities and Exchange Commission
JoAnn Johnson
National Credit Union Administration
Michael J. Astrue
Social Security Administration
John C. Dugan
Office of the Comptroller of the Currency
John M. Reich
Office of Thrift Supervision
Letter to the President
April 11, 2007
The Honorable George W. Bush
President of the United States
The White House
Washington, D.C.
Dear Mr. President:
By establishing the President's Task Force on Identity Theft by Executive
Order 13402 on May 10, 2006, you launched a new era in the fight against
identity theft. As you recognized, identity theft exacts a heavy financial and
emotional toll from its victims, and it severely burdens our economy. You
called for a coordinated approach among government agencies to vigorously
combat this crime. Your charge to us was to craft a strategic plan aiming
to make the federal government's efforts more effective and efficient in the
areas of identity theft awareness, prevention, detection, and prosecution. To
meet that charge, we examined the tools law enforcement can use to prevent,
investigate, and prosecute identity theft crimes; to recover the proceeds of
these crimes; and to ensure just and effective punishment of identity thieves.
We also surveyed current education efforts by government agencies and
the private sector on how individuals and corporate citizens can protect
personal data. And because government must help reduce, rather than
exacerbate, incidents of identity theft, we worked with many federal agencies
to determine how the government can increase safeguards to better secure the
personal data that it and private businesses hold. Like you, we spoke to many
citizens whose lives have been uprooted by identity theft, and heard their
suggestions on ways to help consumers guard against this crime and lessen the
burdens of their recovery. We conducted meetings, spoke with stakeholders,
and invited public comment on key issues.
The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, Chairman
Attorney General

Deborah Platt Majoras, Co-Chairman
Chairman, Federal Trade Commission
I. Executive Summary
From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

A. INTRODUCTION

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,[1] which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies[2] have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.
Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government, from the largest cities with major police departments to the smallest towns with one fraud detective, identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public. In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.[3] The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.
The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force's recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.
B. THE STRATEGY

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual's personal information to commit fraud. Identity theft has at least three stages in its life cycle, and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim's personal information.

Criminals must first gather personal information, either through low-tech methods, such as stealing mail or workplace records, or dumpster diving, or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim's personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

- Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.
- New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim's name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation's citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.
The Plan focuses on improvements in four key areas:
- keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
- making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
- assisting the victims of identity theft in recovering from the crime; and
- deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:
- that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
- that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
- that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
- that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan, from these broad policy changes to the small steps, are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President's Task Force on Identity Theft:
PREVENTION: KEEPING CONSUMER DATA OUT OF THE HANDS OF CRIMINALS

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data. Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While perfect security does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Data Security in Public Sector

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management
- Survey current use of SSNs by federal government
- Issue guidance on appropriate use of SSNs
- Establish clearinghouse for best agency practices that minimize use of SSNs
- Work with state and local governments to review use of SSNs

Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance
- Develop concrete guidance and best practices
- Monitor agency compliance with data security guidance
- Protect portable storage and communications devices

Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies
- Issue data breach guidance to agencies
- Publish a routine use allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data
- Hold regional seminars for businesses on safeguarding information
- Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations
Initiate a Multi-Year Public Awareness Campaign
- Develop national awareness campaign
- Enlist outreach partners
- Increase outreach to traditionally underserved communities
- Establish Protect Your Identity Days

Develop Online Clearinghouse for Current Educational Resources

PREVENTION: MAKING IT HARDER TO MISUSE CONSUMER DATA

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim's name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person's identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: Identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses (for example, multi-factor authentication or layered security) would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication
- Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity
- Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs
VICTIM RECOVERY: HELPING CONSUMERS REPAIR THEIR LIVES

Identity theft can be committed despite a consumer's best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.

Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims
- Train law enforcement officers
- Provide educational materials for first responders that can be used as a reference guide for identity theft victims
- Create and distribute an ID Theft Victim Statement of Rights
- Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims
- Conduct assessment of FACT Act remedies under FCRA
- Conduct assessment of state credit freeze laws
LAW ENFORCEMENT: PROSECUTING AND PUNISHING IDENTITY THIEVES

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector
- Enhance ability of law enforcement to receive information from financial institutions
- Initiate discussions with financial services industry on countermeasures to identity theft
- Initiate discussions with credit reporting agencies on preventing identity theft
Coordination with Foreign Law Enforcement

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government's Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist, Train, and Support Foreign Law Enforcement

Prosecution Approaches and Initiatives

Increase Prosecutions of Identity Theft
- Designate an identity theft coordinator for each United States Attorney's Office to design a specific identity theft program for each district
- Evaluate monetary thresholds for prosecution
- Encourage state prosecution of identity theft
- Create working groups and task forces

Conduct Targeted Enforcement Initiatives
- Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale
- Conduct enforcement initiatives focused on identity theft related to the health care system
- Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs
Gaps in Statutes Criminalizing Identity Theft

Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes
- Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted
- Add new crimes to the list of predicate offenses for aggravated identity theft offenses
- Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications
- Penalize creators and distributors of malicious spyware and keyloggers
- Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief's Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Law Enforcement Training

Enhance Training for Law Enforcement Officers and Prosecutors
- Develop course at National Advocacy Center focused on investigation and prosecution of identity theft
- Increase number of regional identity theft seminars
- Increase resources for law enforcement on the Internet
- Review curricula to enhance basic and advanced training on identity theft

Measuring the Success of Law Enforcement

Enhance the Gathering of Statistical Data Impacting the Criminal Justice System's Response to Identity Theft
- Gather and analyze statistically reliable data from identity theft victims
- Expand scope of national crime victimization survey
- Review U.S. Sentencing Commission data
- Track prosecutions of identity theft and resources spent
- Conduct targeted surveys
II. The Contours of the Identity Theft Problem
Everyday,toomanyAmericanslearnthattheiridentitieshavebeen
compromised,ofteninwaysandtoanextenttheycouldnothaveimagined.
Identitytheftvictimsexperienceasenseof hopelessnesswhensomeonesteals
theirgoodnameandgoodcredittocommitfraud.Thesevictimsalsospeak
of theirfrustrationinfightingagainstanunknownopponent.
Identitytheftthemisuseof anotherindividualspersonalinformationto
commitfraudcanhappeninavarietyof ways,butthebasicelementsare
thesame.Criminalsfirstgatherpersonalinformation,eitherthroughlow-tech
methodssuchasstealingmailorworkplacerecords,ordumpsterdiving,
orthroughcomplexandhigh-techfraudssuchashackingandtheuseof
maliciouscomputercode.Thesedatathievesthenselltheinformationor
useitthemselvestoopennewcreditaccounts,takeoverexistingaccounts,
obtaingovernmentbenefitsandservices,orevenevadelawenforcementby
usinganewidentity.Often,individualslearnthattheyhavebecomevictims
of identitytheftonlyafterbeingdeniedcreditoremployment,orwhenadebt
collectorseekspaymentforadebtthevictimdidnotincur.
Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain's identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain's name and with his Social Security number. The military identification, combined with the victim's then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim's name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim's name.[4]
In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim's existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim's safe-deposit boxes.[5]
In these ways and others, consumers' lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great deal to address the causes and impact of identity theft, much work remains to be done. The following strategic plan focuses on a coordinated government response to: strengthen efforts to prevent identity theft; investigate and prosecute identity theft; raise awareness; and ensure that victims receive meaningful assistance.
"I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver's license was suspended. I hold three licenses in the State of Ohio: my driver's license, my real estate license, and my R.N. license. After learning my driver's license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter."
Maureen Mitchell, Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit, June 24, 2003
A. PREVALENCE AND COSTS OF IDENTITY THEFT
There is considerable debate about the prevalence and cost of identity theft in the United States. Numerous studies have attempted to measure the extent of this crime. DOJ, FTC, the Gartner Group, and Javelin Research are just some of the organizations that have published reports of their identity theft surveys.[6] While some of the data from these surveys differ, there is agreement that identity theft exacts a serious toll on the American public.
Although greater empirical research is needed, the data show that annual monetary losses are in the billions of dollars. This includes losses associated with new account fraud, a more costly, but less prevalent form of identity theft, and misuse of existing accounts, a more prevalent but less costly form of identity theft. Businesses suffer most of the direct losses from both forms of identity theft because individual victims generally are not held responsible for fraudulent charges. Individual victims, however, also collectively spend billions of dollars recovering from the effects of the crime.
In addition to the losses that result when identity thieves fraudulently open accounts or misuse existing accounts, monetary costs of identity theft include indirect costs to businesses for fraud prevention and mitigation of the harm once it has occurred (e.g., for mailing notices to consumers and upgrading systems). Similarly, individual victims often suffer indirect financial costs, including the costs incurred in both civil litigation initiated by creditors and in overcoming the many obstacles they face in obtaining or retaining credit. Victims of non-financial identity theft, for example, health-related or criminal record fraud, face other types of harm and frustration.
In addition to out-of-pocket expenses that can reach thousands of dollars for the victims of new account identity theft, and the emotional toll identity theft can take, some victims have to spend what can be a considerable amount of time to repair the damage caused by the identity thieves. Victims of new account identity theft, for example, must correct fraudulent information in their credit reports and monitor their reports for future inaccuracies, close existing bank accounts and open new ones, and dispute charges with individual creditors.
Consumers' fears of becoming identity theft victims also may harm our digital economy. In a 2006 online survey conducted by the Business Software Alliance and Harris Interactive, nearly one in three adults (30 percent) said that security fears compelled them to shop online less or not at all during the 2005/2006 holiday season.[7] Similarly, a Cyber Security Industry Alliance survey in June 2005 found that 48 percent of consumers avoided making purchases on the Internet because they feared that their financial information might be stolen.[8] Although no studies have correlated these attitudes with actual online buying habits, these surveys indicate that security concerns likely inhibit some commercial use of the Internet.
B. IDENTITY THIEVES: WHO THEY ARE
Unlike some groups of criminals, identity thieves cannot be readily classified. No surveys provide comprehensive data on their primary personal or demographic characteristics. For the most part, victims are not in a good position to know who stole their information or who misused it. According to the FTC's 2003 survey of identity theft, about 14 percent of victims claim to know the perpetrator, who may be a family member, friend, or in-home employee.
Identity thieves can act alone or as part of a criminal enterprise. Each poses unique threats to the public.
Individuals
According to law enforcement agencies, identity thieves often have no prior criminal background and sometimes have pre-existing relationships with the victims. Indeed, identity thieves have been known to prey on people they know, including coworkers, senior citizens for whom they are serving as caretakers, and even family members. Some identity thieves rely on techniques of minimal sophistication, such as stealing mail from homeowners' mailboxes or trash containing financial documents. In some jurisdictions, identity theft by illegal immigrants has resulted in passport, employment, and Social Security fraud. Occasionally, small clusters of individuals with no significant criminal records work together in a loosely knit fashion to obtain personal information and even to create false or fraudulent documents.[9]
A number of recent reports have focused on the connection between individual methamphetamine (meth) users and identity theft.[10] Law enforcement agencies in Albuquerque, Honolulu, Phoenix, Sacramento, Seattle, and other cities have reported that meth addicts are engaging in identity and data theft through burglaries, mail theft, and theft of wallets and purses. In Salt Lake City, meth users reportedly are organized by white-supremacist gangs to commit identity theft.[11] Tellingly, as meth use has risen sharply in recent years, especially in the western United States, some of the same jurisdictions reporting the highest levels of meth use also suffer from the highest incidence of identity theft. Some state law enforcement officials believe that the two increases might be related, and that identity theft may serve as a major funding mechanism for meth labs and purchases.
In an article entitled "Waitress Gets Own ID When Carding Patron," the Associated Press reported that a bar waitress checking to see whether a patron was old enough to legally drink alcohol was handed her own stolen driver's license, which she reported missing weeks earlier in Lakewood, Ohio. The patron was later charged with identity theft and receiving stolen property.
In September 2005, a defendant was sentenced by a federal judge in Colorado to a year and one day in prison, and ordered to pay $181,517.05 in restitution, after pleading guilty to the misuse of a Social Security number. The defendant had obtained the identifying information of two individuals, including their SSNs, and used one such identity to obtain a false Missouri driver's license, to cash counterfeit checks, and to open fraudulent credit accounts. The defendant used the second identity to open a fraudulent credit account and to cash fraudulent checks. The case was investigated by the SSA OIG, FBI, U.S. Postal Inspection Service, and the St. Charles, Missouri, Police Department.
Significant Criminal Groups and Organizations
Law enforcement agencies around the country have observed a steady increase in the involvement of groups and organizations of repeat offenders or career criminals in identity theft. Some of these groups, including national gangs such as Hells Angels and MS-13, are formally organized, have a hierarchical structure, and are well-known to law enforcement because of their longstanding involvement in other major crimes such as drug trafficking. Other groups are more loosely-organized and, in some cases, have taken advantage of the Internet to organize, contact each other, and coordinate their identity theft activities more efficiently. Members of these groups often are located in different countries and communicate primarily via the Internet. Other groups have a real-world connection with one another and share a nationality or ethnic group.
Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in computer- or Internet-related identity theft schemes. In Asia and Eastern Europe, for example, organized groups are increasingly sophisticated both in the techniques they use to deceive Internet users into disclosing personal data, and in the complexity of tools they use, such as keyloggers (programs that record every keystroke as an Internet user logs onto his computer or a banking website), spyware (software that covertly gathers user information through the user's Internet connection, without the user's knowledge), and botnets (networks of computers that criminals have compromised and taken control of for some other purpose, ranging from distribution of spam and malicious computer code to attacks on other computers). According to law enforcement agencies, such groups also are demonstrating increasing levels of sophistication and specialization in their online crime, even selling goods and services, such as software templates for making counterfeit identification cards and payment card magnetic strip encoders, that make the stolen data even more valuable to those who have it.
C. HOW IDENTITY THEFT HAPPENS: THE TOOLS OF THE TRADE
Consumer information is the currency of identity theft, and perhaps the most valuable piece of information for the thief is the SSN. The SSN and a name can be used in many cases to open an account and obtain credit or other benefits in the victim's name. Other data, such as personal identification numbers (PINs), account numbers, and passwords, also are valuable because they enable thieves to access existing consumer accounts.
Identity theft is prevalent in part because criminals are able to obtain personal consumer information everywhere such data are located or stored. Homes and businesses, cars and health-club lockers, electronic networks, and even trash baskets and dumpsters have been targets for identity thieves. Some thieves use more technologically-advanced means to extract information from computers, including malicious-code programs that secretly log information or give criminals access to it.
In July 2003, a Russian computer hacker was sentenced in federal court to a prison term of four years for supervising a criminal enterprise in Russia dedicated to computer hacking, fraud, and extortion. The defendant hacked into the computer system of Financial Services, Inc. (FSI), an internet web hosting and electronic banking processing company located in Glen Rock, New Jersey, and stole 11 passwords used by FSI employees to access the FSI computer network as well as a text file containing approximately 3,500 credit card numbers and associated card holder information for FSI customers. One of the defendant's accomplices then threatened FSI that the hacker group would publicly release this stolen credit card information and hack into and further damage the FSI computer system unless FSI paid $6,000. After a period of negotiation, FSI eventually agreed to pay $5,000.
In sentencing the defendant, the federal judge described the scheme as an unprecedented, wide-ranging, organized criminal enterprise that engaged in numerous acts of fraud, extortion, and intentional damage to the property of others, involving the sophisticated manipulation of computer data, financial information, and credit card numbers. The court found that the defendant was responsible for an aggregate loss to his victims of approximately $25 million.
The following are among the techniques most frequently used by identity thieves to steal the personal information of their victims.
Common Theft and Dumpster Diving
While often considered a high tech crime, data theft often is no more sophisticated than stealing paper documents. Some criminals steal documents containing personal information from mailboxes; indeed, mail theft appears to be a common way that meth users and producers obtain consumer data.[12] Other identity thieves simply take documents thrown into unprotected trash receptacles, a practice known as dumpster diving.[13] Still others steal information using techniques no more sophisticated than purse snatching.
Progress is being made in reducing the opportunities that identity thieves have to obtain personal information in these ways. The Fair and Accurate Credit Transactions Act of 2003 (FACT Act)[14] requires merchants that accept credit or debit cards to truncate the numbers on receipts that are electronically printed, a measure that is intended, among other things, to reduce the ability of a dumpster diver to obtain a victim's credit card number simply by looking through that victim's discarded trash. Merchants had a period of time to comply with that requirement, which now is in full effect.[15]
Partial display of credit cards, checks, and identifying documents seized in federal investigation of identity theft ring in Maryland, 2005.
Source: U.S. Department of Justice
A ramp agent for a major airline participated in a scheme to steal financial documents, including checks and credit cards, from the U.S. mail at Thurgood Marshall Baltimore-Washington International Airport and transfer those financial documents to his co-conspirators for processing. The conspirators used the documents to obtain cash advances and withdrawals from lines of credit. In September 2005, a federal judge sentenced the ramp agent to 14 years in prison and ordered him to pay $7 million in restitution.
Employee/Insider Theft
Dishonest insiders can steal sensitive consumer data by removing paper documents from a work site or accessing electronic records. Criminals also may bribe insiders, or become employees themselves to access sensitive data at companies. The failure to disable a terminated employee's access to a computer system or confidential databases contained within the system also could lead to the compromise of sensitive consumer data. Many federal agencies have taken enforcement actions to punish and deter such insider compromise.
Electronic Intrusions or Hacking
Hackers steal information from public and private institutions, including large corporate databases and residential wireless networks. First, they can intercept data during transmission, such as when a retailer sends payment card information to a card processor. Hackers have developed tools to penetrate firewalls, use automated processes to search for account data or other personal information, export the data, and hide their tracks.[16] Several recent government enforcement actions have targeted this type of data theft.
Second, hackers also can gain access to underlying applications: programs used to communicate between Internet users and a company's internal databases, such as programs to retrieve product information. One research firm estimates that nearly 75 percent of hacker attacks are targeted at the application, rather than the network.[17] It is often difficult to detect the hacker's application-level activities, because the hacker connects to the website through the same legitimate route any customer would use, and the communication is thus seen as permissible activity.
According to the Secret Service, many major breaches in the credit card system in 2006 originated in the Russian Federation and the Ukraine, and criminals operating in those two countries have been directly involved in some of the largest breaches of U.S. financial systems for the past five years.
Social Engineering: Phishing, Malware/Spyware, and Pretexting
Identity thieves also use trickery to obtain personal information from unwitting sources, including from the victim himself. This type of deception, known as social engineering, can take a variety of forms.
In December 2003, the Office of the Comptroller of the Currency (OCC) directed a large financial institution to improve its employee screening policies, procedures, systems, and controls after finding that the institution had inadvertently hired a convicted felon who used his new post to engage in identity theft-related crimes. Deficiencies in the institution's screening practices came to light through the OCC's review of the former employee's activities.
In December 2004, a federal district judge in North Carolina sentenced a defendant to 108 months in prison after he pleaded guilty to crimes stemming from his unauthorized access to the nationwide computer system used by the Lowe's Corporation to process credit card transactions. To carry out this scheme, the defendant and at least one other person secretly compromised the wireless network at a Lowe's retail store in Michigan and gained access to Lowe's central computer system. The defendant then installed a computer program designed to capture customer credit card information on the computer system of several Lowe's retail stores. After an FBI investigation of the intrusion, the defendant and a confederate were charged.
Phishing: Phishing is one of the most prevalent forms of social engineering. Phishers send emails that appear to be coming from legitimate, well-known sources (often, financial institutions or government agencies). In one example, these email messages tell the recipient that he must verify his personal information for an account or other service to remain active. The emails provide a link, which goes to a website that appears legitimate. After following the link, the web user is instructed to enter personal identifying information, such as his name, address, account number, PIN, and SSN. This information is then harvested by the phishers. In a variant of this practice, victims receive emails warning them that to avoid losing something of value (e.g., Internet service or access to a bank account) or to get something of value, they must click on a link in the body of the email to reenter or validate their personal data. Such phishing schemes often mimic financial institutions' websites and emails, and a number of them have even mimicked federal government agencies to add credibility to their demands for information. Additionally, phishing recently has taken on a new form, dubbed vishing, in which the thieves use Voice Over Internet Protocol (VOIP) technology to spoof the telephone call systems of financial institutions and request callers provide their account information.[18]
Malware/Spyware/Keystroke Loggers: Criminals also can use spyware to illegally gain access to Internet users' computers and data without the users' permission. One email-based form of social engineering is the use of enticing emails offering free pornographic images to a group of victims; by opening the email, the victim launches the installation of malware, such as spyware or keystroke loggers, onto his computer. The keystroke loggers gather and send information on the user's Internet sessions back to the hacker, including user names and passwords for financial accounts and other personal information. These sophisticated methods of accessing personal information through malware have supplemented other long-established methods by which criminals obtain victims' passwords and other useful data, such as sniffing Internet traffic, for example, by listening to network traffic on a shared physical network, or on unencrypted or weakly encrypted wireless networks.
Phishing Email and Associated Website Impersonating National Credit Union Administration Email and Website
Source: Anti-Phishing Working Group
At the beginning of the 2006 tax filing season, identity thieves sent emails that purported to originate from the IRS's website to taxpayers, falsely informing them that there was a problem with their tax refunds. The emails requested that the taxpayers provide their SSNs so that the IRS could match their identities to the proper tax accounts. In fact, when the users entered their personal information (such as their SSNs, website usernames and passwords, bank or credit-card account numbers and expiration dates, among other things), the phishers simply harvested the data at another location on the Internet. Many of these schemes originated abroad, particularly in Eastern Europe. Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) and the IRS have received over 17,500 complaints about phishing scams, and TIGTA has identified and shut down over 230 phishing host sites targeting the IRS.
Pretexting: Pretexting[19] is another form of social engineering used to obtain sensitive information. In many cases, pretexters contact a financial institution or telephone company, impersonating a legitimate customer, and request that customer's account information. In other cases, the pretext is accomplished by an insider at the financial institution, or by fraudulently opening an online account in the customer's name.[20]
Stolen Media
In addition to instances of deliberate theft of personal information, data also can be obtained by identity thieves in an incidental manner. Criminals frequently steal data storage devices, such as laptops or portable media, that contain personal information.[21] Although the criminal originally targeted the hardware, he may discover the stored personal information and realize its value and possibility for exploitation. Unless adequately safeguarded, such as through the use of technological tools for protecting data, this information can be accessed and used to steal the victim's identity. Identity thieves also may obtain consumer data when it is lost or misplaced.
Failure to Know Your Customer
Data brokers compile consumer information from a variety of public and private sources and then offer it for sale to different entities for a range of purposes. For example, government agencies often purchase consumer information from data brokers to locate witnesses or beneficiaries, or for law enforcement purposes. Identity thieves, however, can steal personal information from data brokers who fail to ensure that their customers have a legitimate need for the data.
The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLB Act) impose specific duties on certain types of data brokers that disseminate particular types of information.[22] For example, the FCRA requires data brokers that are consumer reporting agencies to make reasonable efforts to verify the identity of their customers and to ensure that those customers have a permissible purpose for obtaining the information. The GLB Act limits the ability of a financial institution to resell covered financial information.
Existing laws, however, do not reach every kind of personal information collected and sold by data brokers. In addition, when data brokers fail to comply with their statutory duties, they open the door to criminals who can access the personal information held by the data brokers by exploiting poor customer verification practices.
In January 2006, the FTC settled a lawsuit against data broker ChoicePoint, Inc., alleging that it violated the FCRA when it failed to perform due diligence in evaluating and approving new customers. The FTC alleged that ChoicePoint approved as customers for its consumer reports identity thieves who lied about their credentials and whose applications should have raised obvious red flags. Under the settlement, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress and agreed to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish a comprehensive information security program, and to obtain audits by an independent security professional every other year until 2026.
Skimming
Because it is possible to use someone's credit account without having physical access to the card, identity theft is easily accomplished when a criminal obtains a receipt with the credit account number, or uses other technology to collect that account information.[23] For example, over the past several years, law enforcement authorities have witnessed a substantial increase in the use of devices known as skimmers. A skimmer is an inexpensive electronic device with a slot through which a person passes or skims a credit or debit card. Similar to the device legitimate businesses use in processing customer card payments, the skimmer reads and records the magnetically encoded data on the magnetic stripe on the back of the card. That data then can be downloaded either to make fraudulent copies of real cards, or to make purchases when the card is not required, such as online. A retail employee, such as a waiter, can easily conceal a skimmer until a customer hands him a credit card. Once he is out of the customer's sight, he can skim the card through the device, and then swipe it through the restaurant's own card reader to generate a receipt for the customer to sign. The waiter then can pass the recorded data to an accomplice, who can encode the data on blank cards with magnetic stripes. A variation of skimming involves an ATM-mounted device that is able to capture the magnetic information on the consumer's card, as well as the consumer's password.
D. WHAT IDENTITY THIEVES DO WITH THE INFORMATION THEY STEAL: THE DIFFERENT FORMS OF IDENTITY THEFT
Once they obtain victims' personal information, criminals misuse it in endless ways, from opening new accounts in the victim's name, to accessing the victim's existing accounts, to using the victim's name when arrested. Recent survey data show that misuse of existing credit accounts, however, represents the single largest category of fraud.
Misuse of Existing Accounts
Misuse of existing accounts can involve credit, brokerage, banking, or utility accounts, among others. The most common form, however, involves credit accounts. This occurs when an identity thief obtains either the actual credit card, the numbers associated with the account, or the information derived from the magnetic strip on the back of the card. Because it is possible to make charges through remote purchases, such as online sales or by telephone, identity thieves are often able to commit fraud even as the card remains in the consumer's wallet.
A skimmer
Source: Durham, Ontario Police
In March 2006, a former candidate for the presidency of Peru pleaded guilty in a federal district court to charges relating to a large-scale credit card fraud and money laundering conspiracy. The defendant collected stolen credit card numbers from people in Florida who had used skimmers to obtain the information from customers of retail businesses where they worked, such as restaurants and rental car companies. He used some of the credit card fraud proceeds to finance various trips to Peru during his candidacy.
Recent complaint data suggest an increasing number of incidents involving unauthorized access to funds in victims' bank accounts, including checking accounts, sometimes referred to as account takeovers.[24] The Postal Inspection Service reports that it has seen an increase in account takeovers originating outside the United States. Criminals also have attempted to access funds in victims' online brokerage accounts.[25]
Federal law limits the liability consumers face from existing account misuse, generally shielding victims from direct losses due to fraudulent charges to their accounts. Nevertheless, consumers can spend many hours disputing the charges and making other corrections to their financial records.[26]
New Account Fraud
A more serious, if less prevalent, form of identity theft occurs when thieves are able to open new credit, utility, or other accounts in the victim's name, make charges indiscriminately, and then disappear. Victims often do not learn of the fraud until they are contacted by a debt collector or are turned down for a loan, a job, or other benefit because of a negative credit rating. While this is a less prevalent form of fraud, it causes more financial harm, is less likely to be discovered quickly by its victims, and requires the most time for recovery.
Criminals' skimmer, mounted and colored to resemble exterior of real ATM. A pinhole camera is mounted inside a plastic brochure holder to capture customers' keystrokes.
Source: University of Texas Police Department
In December 2005, a highly organized ring involved in identity theft, counterfeit credit and debit card fraud, and fencing of stolen products was shut down when Postal Inspectors and detectives from the Hudson County, New Jersey, Prosecutor's Office arrested 13 of its members. The investigation, which began in June 2005, uncovered more than 2,000 stolen identities and at least $1.3 million worth of fraudulent transactions. The investigation revealed an additional $1 million in fraudulent credit card purchases in more than 30 states and fraudulent ATM withdrawals. The account information came from computer hackers outside the United States who were able to penetrate corporate databases. Additionally, the ring used counterfeit bank debit cards encoded with legitimate account numbers belonging to unsuspecting victims to make fraudulent withdrawals of hundreds of thousands of dollars from ATMs in New Jersey, New York, and other states.
When criminals establish new credit card accounts in others' names, the sole purpose is to make the maximum use of the available credit from those accounts, whether in a short time or over a longer period. By contrast, when criminals establish new bank or loan accounts in others' names, the fraud often is designed to obtain a single disbursement of funds from a financial institution. In some cases, the criminal deposits a check drawn on an account with insufficient funds, or stolen or counterfeit checks, and then withdraws cash.
Brokering of Stolen Data
Law enforcement has also witnessed an increase in the marketing of personal identification data from compromised accounts by criminal data brokers. For example, certain websites, known as carding sites, traffic in large quantities of stolen credit-card data. Numerous individuals, often located in different countries, participate in these carding sites to acquire and review newly acquired card numbers and supervise the receipt and distribution of those numbers. The Secret Service calculated that the two largest current carding sites collectively have nearly 20,000 member accounts.
Immigration Fraud
In various parts of the country, illegal immigrants use fraudulently obtained SSNs or passports to obtain employment and assimilate into society. In extreme cases, an individual SSN may be passed on to and used by many illegal immigrants.[27] Although victims of this type of identity theft may not necessarily suffer financial harm, they still must spend hour upon hour attempting to correct their personal records to ensure that they are not mistaken for an illegal immigrant or cheated out of a government benefit.
Medical Identity Theft
Recent reports have brought attention to the problem of medical identity theft, a crime in which the victim's identifying information is used to obtain or make false claims for medical care.[28] In addition to the financial harm associated with other types of identity theft, victims of medical identity theft may have their health endangered by inaccurate entries in their medical records. This inaccurate information can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs. Victims may not even be aware that a theft has occurred because medical identity theft can be difficult to discover, as few consumers regularly review their medical records, and victims may not realize that they have been victimized until they receive collection notices, or they attempt to seek medical care themselves, only to discover that they have reached their coverage limits.
Federal identity theft charges were brought against 148 illegal aliens accused of stealing the identities of lawful U.S. citizens in order to gain employment. The aliens being criminally prosecuted were identified as a result of Operation Wagon Train, an investigation led by agents from U.S. Immigration and Customs Enforcement (ICE), working in conjunction with six U.S. Attorney's Offices. Agents executed civil search warrants at six meat processing plants. Numerous alien workers were arrested, and many were charged with aggravated identity theft, state identity theft, or forgery. Many of the names and Social Security numbers being used at the meat processing plants were reported stolen by identity theft victims to the FTC. In many cases, victims indicated that they received letters from the Internal Revenue Service demanding back taxes for income they had not reported because it was earned by someone working under their name. Other victims were denied driver's licenses, credit, or even medical services because someone had improperly used their personal information before.
Other Frauds
Identity theft is inherent in numerous other frauds perpetrated by criminals, including mortgage fraud and fraud schemes directed at obtaining government benefits, including disaster relief funds. The IRS's Criminal Investigation Division, for example, has seen an increase in the use of stolen SSNs to file tax returns. In some cases, the thief files a fraudulent return seeking a refund before the taxpayer files. When the real taxpayer files, the IRS may not accept his return because it is considered a duplicate return. Even if the taxpayer ultimately is made whole, the government suffers the loss from paying multiple refunds.
Withtheadventof theprescriptiondrugbenefitof MedicarePartD,the
Departmentof HealthandHumanServicesOfficeof theInspectorGeneral
(HHSOIG)hasnotedagrowingincidenceof healthcarefraudsinvolving
identitytheft.Thesefraudsincludetelemarketerswhofraudulentlysolicit
potentialMedicarePartDbeneficiariestodiscloseinformationsuchas
theirHealthInsuranceClaimNumber(whichincludestheSSN)andbank
accountinformation,aswellasmarketerswhoobtainidentitiesfromnursing
homesandotheradultcarefacilities(includingdeceasedbeneficiariesand
severelycognitivelyimpairedpersons)andusethemfraudulentlytoenroll
unwillingbeneficiariesinalternatePartDplansinordertoincreasetheirsales
commissions.Thetypesof fraudthatcanbeperpetratedbyanidentitythief
arelimitedonlybytheingenuityandresourcesof thecriminal.

Robert C. Ingardia, a registered representative who had been associated with
several broker-dealers, assumed the identity of his customers. Without
authorization, Mr. Ingardia changed the address information for their accounts,
sold stock in the accounts worth more than $800,000, and, in an effort to
manipulate the market for two thinly-traded penny stock companies, used the
cash proceeds of the sales to buy more than $230,000 worth of stock in the
companies. The SEC obtained a temporary restraining order against
Mr. Ingardia in 2001, and a civil injunction against him in 2003 after the
United States Attorney's Office for the Southern District of New York obtained
a criminal conviction against him in 2002.

In July 2006, DOJ charged a defendant with 66 counts of false claims to the
government, mail fraud, wire fraud, and aggravated identity theft, relating to
the defendant's allegedly fraudulent applications for disaster assistance from
the Federal Emergency Management Agency (FEMA) following Hurricane Katrina.
Using fictitious SSNs and variations of her name, the defendant allegedly
received $277,377 from FEMA.

A STRATEGY TO COMBAT
IDENTITY THEFT
III. A Strategy to Combat Identity Theft
Identity theft is a multi-faceted problem for which there is no simple solution.
Because identity theft has several stages in its life cycle, it must be attacked
at each of those stages, including:

• when the identity thief attempts to acquire a victim's personal
  information;
• when the thief attempts to misuse the information he has
  acquired; and
• after an identity thief has completed his crime and is enjoying the
  benefits, while the victim is realizing the harm.

The federal government's strategy to combat identity theft must address each
of these stages by:

• keeping sensitive consumer data out of the hands of identity
  thieves in the first place through better data security and by
  educating consumers on how to protect it;
• making it more difficult for identity thieves, when they are able to
  obtain consumer data, to use the information to steal identities;
• assisting victims in recovering from the crime; and
• deterring identity theft by aggressively prosecuting and punishing
  those who commit the crime.

A great deal already is being done to combat identity theft, but there are
several areas in which we can improve. The Task Force's recommendations,
as described below, are focused on those areas.
A. PREVENTION: KEEPING CONSUMER DATA OUT OF THE
HANDS OF CRIMINALS

Identity thieves can ply their trade only if they get access to consumer
data. Reducing the opportunities for identity thieves to obtain the data in
the first place is the first step to reducing identity theft. Government, the
business community, and consumers all play a role in protecting data.

Data compromises can expose consumers to the threat of identity theft
or related fraud, damage the reputation of the entity that experienced the
breach, and impose the risk of substantial costs for all parties involved.
Although there is no such thing as perfect security, some entities fail to
adopt even basic security measures, including many that are inexpensive
and readily available.

The link between a data breach and identity theft often is unclear.
Depending on the nature of the breach, the kinds of information
breached, and other factors, a particular breach may or may not pose a
significant risk of identity theft. Little empirical evidence exists on the extent
to which, and under what circumstances, data breaches lead to identity
theft, and some studies indicate that data breaches and identity theft may
not be strongly linked.29 Nonetheless, because data thieves search for rich
targets of consumer data, it is critical that organizations that collect and
maintain sensitive consumer information take reasonable steps to protect
it and explore new technologies to prevent data compromises.
1. Decreasing the Unnecessary Use of Social Security Numbers

The SSN is especially valuable to identity thieves, because often it is
the key piece of information used in authenticating the identities of
consumers. An identity thief with a victim's SSN and certain other
information generally can open accounts or obtain other benefits in the
victim's name. As long as SSNs continue to be used for authentication
purposes, it is important to prevent thieves from obtaining them.

SSNs are readily available to criminals because they are widely used as
consumer identifiers throughout the private and public sectors. Although
originally created in 1936 to track workers' earnings for social benefits
purposes, use of SSNs has proliferated over ensuing decades. In 1961, the
Federal Civil Service Commission established a numerical identification
system for all federal employees using the SSN as the identification
number. The next year, the IRS decided to begin using the SSN as its
taxpayer identification number (TIN) for individuals. Indeed, the use by
federal agencies of SSNs for the purposes of employment and taxation,
employment verification, and sharing of data for law enforcement
purposes, is expressly authorized by statute.

The simplicity and efficiency of using a seemingly unique number that
most people already possessed encouraged widespread use of the SSN as
an identifier by both government agencies and private enterprises,
especially as they adapted their record-keeping and business systems to
automated data processing. The use of SSNs is now common in our society.

Employers must collect SSNs for tax reporting purposes. Doctors or
hospitals may need them to facilitate Medicare reimbursement. SSNs
also are used in internal systems to sort and track information about
individuals, and in some cases are displayed on identification cards.
In 2004, an estimated 42 million Medicare cards displayed the entire
SSN, as did approximately 8 million Department of Defense insurance
cards. In addition, although the Veterans Health Administration (VHA)
discontinued the issuance of Veterans Identification Cards that display
SSNs in March 2004, and has issued new cards that do not display SSNs,
the VHA estimates that between 3 million and 4 million previously issued
cards containing SSNs remain in circulation with veterans receiving VA
health care services. Some universities still use the SSN as the students'
identification number for a range of purposes, from administering loans
to tracking grades, and may place it on students' identification cards,
although usage for these purposes is declining.

In June 2006, a federal judge in Massachusetts sentenced a defendant to five
years in prison after a jury convicted him of passport fraud, SSN fraud,
aggravated identity theft, identification document fraud, and furnishing false
information to the SSA. The defendant had assumed the identity of a deceased
individual and then used fraudulent documents to have the name of the
deceased legally changed to a third name. He then used this new name and
SSN to obtain a new SSN card, driver's licenses, and United States passport.
The case was initiated based on information from the Joint Terrorism Task
Force in Springfield, Massachusetts. The agencies involved in the
investigation included SSA OIG, Department of State, Massachusetts State
Police, and the Springfield and Boston police departments.

SSNs also are widely available in public records held by federal agencies,
states, local jurisdictions, and courts. As of 2004, 41 states and the
District of Columbia, as well as 75 percent of U.S. counties, displayed
SSNs in public records.30 Although the number and type of records in
which SSNs are displayed vary greatly across states and counties, SSNs
are most often found in court and property records.

No single federal law regulates comprehensively the private sector or
government use, display, or disclosure of SSNs; instead, there are a variety
of laws governing SSN use in certain sectors or in specific situations.
With respect to the private sector, for example, the GLB Act restricts the
redisclosure to third parties of non-public personal information, such
as SSNs, that was originally obtained from customers of a financial
institution; the Health Insurance Portability and Accountability Act
(HIPAA) limits covered health care organizations' disclosure of SSNs
without patient authorization; and the Driver's Privacy Protection Act
prohibits state motor vehicle departments from disclosing SSNs, subject
to 14 permissible uses.31 In the public sector, the Privacy Act of 1974
requires federal agencies to provide notice to, and obtain consent from,
individuals before disclosing their SSNs to third parties, except for an
established routine use or pursuant to another Privacy Act exception.32
A number of state statutes restrict the use and display of SSNs in certain
contexts.33 Even so, a report by the Government Accountability Office
(GAO) concluded that, despite these laws, there were gaps in how the use
and transfer of SSNs are regulated, and that these gaps create a risk that
SSNs will be misused.34

There are many necessary or beneficial uses of the SSN. SSNs often are
used to match consumers with their records and databases, including their
credit files, to provide benefits and detect fraud. Federal, state, and local
governments rely extensively on SSNs when administering programs that
deliver services and benefits to the public.

Although SSNs sometimes are necessary for legal compliance or to enable
disparate organizations to communicate about individuals, other uses are
more a matter of convenience or habit. In many cases, for example, it
may be unnecessary to use an SSN as an organization's internal identifier
or to display it on an identification card. In these cases, a different unique
identifier generated by the organization could be equally suitable, but
without the risk inherent in the SSN's use as an authenticator.

In September 2006, a defendant was sentenced by a federal judge in
Pennsylvania to six months in prison after pleading guilty to Social Security
card misuse and possession of a false immigration document. The defendant
provided a fraudulent Permanent Resident Alien card and a fraudulent Social
Security card to a state trooper as evidence of authorized stay and
employment in the United States. The case was investigated by the SSA's
Office of Inspector General (OIG), ICE, and the Pennsylvania State Police.

Some private sector entities and federal agencies have taken steps to
reduce unnecessary use of the SSN. For example, with guidance from the
SSA OIG, the International Association of Chiefs of Police (IACP)
adopted a resolution in September 2005 to end the practice of displaying SSNs
in posters and other written materials relating to missing persons. Some
health insurance providers also have stopped using SSNs as the
subscriber's identification number.35 Additionally, the Department of Treasury's
Financial Management Service no longer includes personal identification
numbers on the checks that it issues for benefit payments, federal income
tax refund payments, and payments to businesses for goods and services
provided to the federal government.

More must be done to eliminate unnecessary uses of SSNs. In particular,
it would be optimal to have a unified and effective approach or standard
for use or display of SSNs by federal agencies. The Office of Personnel
Management (OPM), which issues and uses many of the federal forms
and procedures using the SSN, and the Office of Management and Budget
(OMB), which oversees the management and administrative practices of
federal agencies, can play pivotal roles in restricting the unnecessary use
of SSNs, offering guidance on better substitutes that are less valuable to
identity thieves, and establishing greater consistency when the use of SSNs
is necessary or unavoidable.

RECOMMENDATION: DECREASE THE UNNECESSARY USE OF
SOCIAL SECURITY NUMBERS IN THE PUBLIC SECTOR

To limit the unnecessary use of SSNs in the public sector, and to begin
to develop alternative strategies for identity management, the Task
Force recommends the following:

Complete Review of Use of SSNs. As recommended in the Task
Force's interim recommendations, OPM undertook a review of
the use of SSNs in its collection of human resource data from
agencies and on OPM-based papers and electronic forms. Based
on that review, which OPM completed in 2006, OPM should
take steps to eliminate, restrict, or conceal the use of SSNs
(including assigning employee identification numbers where
practicable), in calendar year 2007. If necessary to implement
this recommendation, Executive Order 9397, effective November
23, 1943, which requires federal agencies to use SSNs in any
system of permanent account numbers pertaining to individuals,
should be partially rescinded. The use by federal agencies of
SSNs for the purposes of employment and taxation, employment
verification, and sharing of data for law enforcement purposes,
however, is expressly authorized by statute and should continue
to be permitted.

When purchasing advertising space in a trade magazine in 2002, a Colorado
man wrote his birth date and Social Security number on the payment check.
The salesman who received the check then used this information to obtain
surgery in the victim's name. Two years later, the victim received a
collection notice demanding payment of over $40,000 for the surgery performed
on the identity thief. In addition to the damage this caused to his credit
rating, the thief's medical information was added to the victim's medical
records.

Issue Guidance on Appropriate Use of SSNs. Based on its
inventory, OPM should issue policy guidance to the federal
human capital management community on the appropriate and
inappropriate use of SSNs in employee records, including the
appropriate way to restrict, conceal, or mask SSNs in employee
records and human resource management information systems.
OPM should issue this policy in calendar year 2007.

Require Agencies to Review Use of SSNs. OMB has surveyed all
federal agencies regarding their use of SSNs to determine the
circumstances under which such use can be eliminated, restricted,
or concealed in agency business processes, systems, and paper
and electronic forms, other than those authorized or approved by
OPM. OMB should complete the analysis of these surveys in the
second quarter of 2007.36

Establish a Clearinghouse for Agency Practices that Minimize Use
of SSNs. Based on results from OMB's review of agency practices
on the use of SSNs, the SSA should develop a clearinghouse
for agency practices and initiatives that minimize use and
display of SSNs to facilitate sharing of best practices (including
the development of any alternative strategies for identity
management) to avoid duplication of effort, and to promote
interagency collaboration in the development of more effective
measures. This should be accomplished by the fourth quarter
of 2007.

Work with State and Local Governments to Review Use of SSNs.
In the second quarter of 2007, the Task Force should begin to
work with state and local governments, through organizations
such as the National Governors Association, the National
Association of Attorneys General, the National League of Cities,
the National Association of Counties, the U.S. Conference of
Mayors, the National District Attorneys Association, and the
National Association for Public Health Statistics and Information
Systems, to highlight and discuss the vulnerabilities created by
the use of SSNs and to explore ways to eliminate unnecessary use
and display of SSNs.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD ON
PRIVATE SECTOR USE OF SSNs

SSNs are an integral part of our financial system. They are
essential in matching consumers to their credit file, and thus
essential in granting credit and detecting fraud, but their
availability to identity thieves creates a possibility of harm
to consumers. Beginning in 2007, the Task Force should
develop a comprehensive record on the uses of the SSN in the
private sector and evaluate their necessity. Specifically, the
Task Force member agencies that have direct experience with
the private sector use of SSNs, such as DOJ, FTC, SSA, and
the financial regulatory agencies, should gather information
from stakeholders, including the financial services industry,
law enforcement agencies, the consumer reporting agencies,
academics, and consumer advocates. The Task Force should then
make recommendations to the President as to whether additional
specific steps should be taken with respect to the use of SSNs.
Any such recommendations should be made to the President by
the first quarter of 2008.

2. Data Security in the Public Sector

While private organizations maintain consumer information for
commercial purposes, public entities, including federal agencies, collect
personal information about individuals for a variety of purposes, such
as determining program eligibility and delivering efficient and effective
services. Because this information often can be used to commit identity
theft, agencies must guard against unauthorized disclosure or misuse of
personal information.

a. Safeguarding of Information in the Public Sector

Two sets of laws and associated policies frame the federal government's
responsibilities in the area of data security. The first specifically governs
the federal government's information privacy program, and includes such
laws as the Privacy Act, the Computer Matching and Privacy Protection
Act, and provisions of the E-Government Act.37 The other concerns the
information and information technology security program. The Federal
Information Security Management Act (FISMA), the primary governing
statute for this program, establishes a comprehensive framework for
ensuring the effectiveness of information security controls over information
resources that support federal operations and assets, and provides for
development and maintenance of minimum controls required to protect
federal information and information systems. FISMA assigns specific policy
and oversight responsibilities to OMB, technical guidance responsibilities to
the National Institute of Standards and Technology (NIST), implementation
responsibilities to all agencies, and an operational assistance role to
the Department of Homeland Security (DHS). FISMA requires the head
of each agency to implement policies and procedures to cost-effectively
reduce information technology security risks to an acceptable level. It
further requires agency operational program officials, Chief Information
Officers (CIOs), and Inspectors General (IGs) to conduct annual
reviews of the agency information security program and report the results
to OMB. Additionally, as part of its oversight role, OMB issued several
guidance memoranda last year on how agencies should safeguard sensitive
information, including a memorandum addressing FISMA oversight and
reporting, and which provided a checklist developed by NIST concerning
protection of remotely accessed information, and that recommended that
agencies, among other things, encrypt all data on mobile devices and use
a time-out function for remote access and mobile devices.38 The United
States Computer Emergency Readiness Team (US-CERT) has also played
an important role in public sector data security.39

Federal law also requires that agencies prepare extensive data collection
analyses and report periodically to OMB and Congress. The President's
Management Agenda (PMA) requires agencies to report quarterly to
OMB on selected performance criteria for both privacy and security.
Agency performance levels for both status and progress are graded on a
PMA Scorecard.40

Federal agency performance on information security has been uneven. As
a result, OMB and the agencies have undertaken a number of initiatives
to improve the government security programs. OMB and DHS are
leading an interagency Information Systems Security Line of Business (ISS
LOB) working group, exploring ways to improve government data
security practices. This effort already has identified a number of key areas for
improving government-wide security programs and making them more
cost-effective.

Employee training is essential to the effectiveness of agency security
programs. Existing training programs must be reviewed continuously and
updated to reflect the most recent changes, issues, and trends. This effort
includes the development of annual general security awareness training
for all government employees using a common curriculum; recommended
security training curricula for all employees with significant security
responsibilities; an information-sharing repository/portal of training
programs; and opportunities for knowledge-sharing (e.g., conferences and
seminars). Each of these components builds elements of agency security
awareness and practices, leading to enhanced protection of sensitive data.

b. Responding to Data Breaches in the Public Sector

Several federal government agencies suffered high-profile security breaches
involving sensitive personal information in 2006. As is true with private
sector breaches, the loss or compromise of sensitive personal information
by the government has made affected individuals feel exposed and
vulnerable and may increase the risk of identity theft. Until this Task
Force issued guidance on this topic in September 2006, government
agencies had no comprehensive formal guidance on how to respond to
data breaches, and in particular, had no guidance on what factors to
consider in deciding (1) whether a particular breach warrants notice to
consumers, (2) the content of the notice, (3) which third parties, if any,
should be notified, and (4) whether to offer affected individuals credit
monitoring or other services.

The experience of the last year also has made one thing apparent: an
agency that suffers a breach sometimes faces impediments in its ability
to effectively respond to the breach by notifying persons and entities in a
position to cooperate (either by assisting in informing affected individuals
or by actively preventing or minimizing harms from the breach). For
example, an agency that has lost data such as bank account numbers might
want to share that information with the appropriate financial institutions,
which could assist in monitoring for bank fraud and in identifying the
account holders for possible notification. The very information that may be
most necessary to disclose to such persons and entities, however, often will
be information maintained by federal agencies that is subject to the
Privacy Act. Critically, the Privacy Act prohibits the disclosure of any record in
a system of records unless the subject individual has given written consent
or unless the disclosure falls within one of 12 statutory exceptions.

RECOMMENDATION: EDUCATE FEDERAL AGENCIES ON HOW
TO PROTECT THEIR DATA AND MONITOR COMPLIANCE WITH
EXISTING GUIDANCE

To ensure that government agencies receive specific guidance on
concrete steps that they can take to improve their data security
measures, the Task Force recommends the following:

Develop Concrete Guidance and Best Practices. OMB and DHS,
through the current interagency Information Systems Security
Line of Business (ISS LOB) task force, should (a) outline best
practices in the area of automated tools, training, processes, and
standards that would enable agencies to improve their security
and privacy programs, and (b) develop a list of the most common
10 or 20 mistakes to avoid in protecting information held by
the government. The Task Force made this recommendation
as part of its interim recommendations to the President, and it
should be implemented and completed in the second quarter of
2007.

Comply With Data Security Guidance. OMB already has issued an
array of data security regulations and standards aimed at urging
agencies to better protect their data. Given that data breaches
continue to occur, however, it is imperative that agencies continue
to report compliance with its data security guidelines and
directives to OMB. If any agency does not comply fully, OMB
should note that fact in the agency's quarterly PMA Scorecard.

Protect Portable Storage and Communications Devices. Many
of the most publicized data breaches in recent months involved
losses of laptop computers. Because government employees
increasingly rely on laptops and other portable communications
devices to conduct government business, no later than the
second quarter of 2007, all Chief Information Officers of federal
agencies should remind the agencies of their responsibilities
to protect laptops and other portable data storage and
communication devices. If any agency does not fully comply,
that failure should be reflected on the agency's PMA scorecard.

RECOMMENDATION: ENSURE EFFECTIVE, RISK-BASED
RESPONSES TO DATA BREACHES SUFFERED BY FEDERAL
AGENCIES

To assist agencies in responding to the difficult questions that
arise following a data breach, the Task Force recommends the
following:

Issue Data Breach Guidance to Agencies. The Task Force
developed and formally approved a set of guidelines, reproduced
in Appendix A, that sets forth the factors that should be
considered in deciding whether, how, and when to inform
affected individuals of the loss of personal data that can
contribute to identity theft, and whether to offer services such
as free credit monitoring to the persons affected. In the interim
recommendations, the Task Force recommended that OMB issue
that guidance to all agencies and departments. OMB issued the
guidance on September 20, 2006.

Publish a Routine Use Allowing Disclosure of Information
Following a Breach. To allow agencies to respond quickly to data
breaches, including by sharing information about potentially
affected individuals with other agencies and entities that can
assist in the response, federal agencies should, in accordance
with the Privacy Act exceptions, publish a routine use that
specifically permits the disclosure of information in connection
with response and remediation efforts in the event of a data
breach. Such a routine use would serve to protect the interests
of the people whose information is at risk by allowing agencies
to take appropriate steps to facilitate a timely and effective
response, thereby improving their ability to prevent, minimize,
or remedy any harms that may result from a compromise of data
maintained in their systems of records. This routine use should
not affect the existing ability of agencies to properly disclose
and share information for law enforcement purposes. The Task
Force offers the routine use that is reproduced in Appendix B
as a model for other federal agencies to use in developing and
publishing their own routine uses.41 DOJ has now published such
a routine use, which became effective as of January 24, 2007.
The proposed routine use language reproduced in Appendix B
should be reviewed and adapted by agencies to fit their individual
systems of records.

3. Data Security in the Private Sector

Data protection in the private sector is the subject of numerous legal
requirements, industry standards and guidelines, private contractual
arrangements, and consumer and business education initiatives. But no
system is perfect, and data breaches can occur even when entities have
implemented appropriate data safeguards.

a. The Current Legal Landscape

Although there is no generally applicable federal law or regulation that
protects all consumer information or requires that such information be
secured, a variety of specific statutes and regulations impose data security
requirements for particular entities in certain contexts. These include
Title V of the GLB Act, and its implementing rules and guidance, which
require financial institutions to maintain reasonable protections for the
personal information they collect from customers42; Section 5 of the
FTC Act, which prohibits unfair or deceptive practices43; the FCRA,44
which restricts access to consumer reports and imposes safe disposal
requirements, among other things45; HIPAA, which protects health
information46; Section 326 of the Uniting and Strengthening America
by Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism (USA PATRIOT) Act,47 which requires verification of the
identity of persons opening accounts with financial institutions; and the
Driver's Privacy Protection Act of 1994 (DPPA), which prohibits most
disclosures of drivers' personal information.48 See Volume II, Part A, for
a description of federal laws and regulations related to data security.

The federal bank regulatory agencies - the Federal Deposit Insurance
Corporation (FDIC), Federal Reserve Board (FRB), National Credit
Union Administration (NCUA), Office of the Comptroller of the
Currency (OCC), and the Office of Thrift Supervision (OTS) - and the FTC
and SEC, among others, have pursued active regulatory and enforcement
programs to address the data security practices of those entities within
their respective jurisdictions. Depending on the severity of a violation, the
financial regulatory agencies have cited institutions for violations, without
taking formal action when management quickly remedied the situation.
In circumstances where the situation was not quickly remedied, the
financial regulatory agencies have taken formal, public actions and sought civil
penalties, restitution, and cease and desist orders. The FDIC has taken 17
formal enforcement actions between the beginning of 2002 and the end
of 2006; the FRB has taken 14 formal enforcement actions since 2001; the
OCC has taken 18 formal actions since 2002; and the OTS has taken eight
formal enforcement actions in the past five years. Remedies in these cases
have included substantial penalties and restitution, consumer notification,
and restrictions on the use of customer information. Additionally, the
FTC has obtained orders against 14 companies that allegedly failed to
implement reasonable procedures to safeguard the sensitive consumer
information they maintained. Most of these cases have been brought in the last
two years. The SEC also has brought data security cases. See Volume II,
Part B, for a description of enforcement actions relating to data security.

BJ's Wholesale Club, Inc. suffered a data breach that led to the loss of
thousands of credit card numbers and millions of dollars in unauthorized
charges. Following the breach, the FTC charged the company with engaging in
an unfair practice by failing to provide reasonable security for credit card
information. The FTC charged that BJ's stored the information in unencrypted
clear text without a business need to do so, failed to defend its wireless
systems against unauthorized access, failed to use strong credentials to limit
access to the information, and failed to use adequate procedures for
detecting and investigating intrusions. The FTC also charged that these
failures were easy to exploit by hackers, and led to millions of dollars in
fraudulent charges.

In addition to federal law, every state and the District of Columbia has its
own laws to protect consumers from unfair or deceptive practices.
Moreover, 37 states have data breach notice laws,49 and some states have laws
relevant to data security, including safeguards and disposal requirements.

Trade associations, industry collaborations, independent organizations
with expertise in data security, and nonprofits have developed guidance
and standards for businesses. Topics include: incorporating basic
security and privacy practices into everyday business operations;
developing privacy and security plans; employee screening, training, and
management; implementing electronic and physical safeguards; employing
threat recognition techniques; safeguarding international transactions; and
credit and debit card security.50

Some entities that use service providers also have begun using contractual
provisions that require third-party service vendors with access to the
institution's sensitive data to safeguard that data.51 Generally, these
provisions also address specific practices for contracting organizations,
including conducting initial and follow-up security audits of a vendor's
data center, and requiring vendors to provide certification that they
are in compliance with the contracting organization's privacy and data
protection obligations.52

b. Implementation of Data Security Guidelines and Rules
Many private sector organizations understand their vulnerabilities and
have made significant strides in incorporating data security into their
operations or improving existing security programs. See Volume II, Part
C, for a description of education efforts for businesses on safeguarding
data. For example, many companies and financial institutions now
regularly require two-factor authentication for business conducted via
computer or telephone; send dual confirmations when customers submit
a change of address; limit access to non-public personal information to
necessary personnel; regularly monitor websites for phishing and firewalls
for hacking; perform assessments of network security to determine the
adequacy of protection from intrusion, viruses, and other data security
breaches; and post identity theft education materials on company websites.
Additionally, many firms within the consumer data industry offer services
that provide companies with comprehensive background checks on
prospective employees and tenants as permitted by law under the FCRA,
and help companies verify the identity of customers.

In April 2004, the New York Attorney General settled a case with
Barnes&Noble.com, fining the company $60,000 and requiring it to implement
a data security program after an investigation revealed that an alleged
design vulnerability in the company's website permitted unauthorized access
to consumers' personal information and enabled thieves to make fraudulent
purchases. In addition, California, Vermont, and New York settled a joint
action with Ziff Davis Media, Inc. involving security shortcomings that
exposed the credit card numbers and other personal information of about
12,000 consumers.

In 2006, the Federal Reserve Board issued a Cease and Desist Order against an
Alabama-based financial institution for, among other things, failing to comply
with an existing Board regulation that required implementation of an
information security program.

Yet, as the reports of data breach incidents continue to show, further
improvements are necessary. In a survey of financial institutions, 95 percent
of respondents reported growth in their information security budget
in 2005, with 71 percent reporting that they have a defined information
security governance framework.53 But many organizations also report that
they are in the early stages of implementing comprehensive security
procedures. For instance, in a survey of technology decision makers released in
2006, 85 percent of respondents indicated that their stored data was either
somewhat or extremely vulnerable, while only 22 percent had implemented
a storage security solution to prevent unauthorized access.54 The same
survey revealed that 58 percent of data managers responding believed their
networks were not as secure as they could be.55

Small businesses face particular challenges in implementing effective data
security policies for reasons of cost and lack of expertise. A 2005 survey
found that while many small businesses are accelerating their adoption
and use of information technology and the Internet, many do not have
basic security measures in place.56 For example, of the small businesses
surveyed,

nearly 20 percent did not use virus scans for email, a basic
information security safeguard;

over 60 percent did not protect their wireless networks with even
the simplest of encryption solutions;

over 70 percent reported expectations of a more challenging
environment for detecting security threats, but only 30 percent
reported increasing information security spending in 2005; and

74 percent reported having no information security plan in place.

Further complicating matters is the fact that some federal agencies are
unable to receive data from private sector entities in an encrypted form.
Therefore, some private sector entities that have to transmit sensitive data
to federal agencies, sometimes pursuant to law or regulations issued
by agencies, are unable to fully safeguard the transmitted data because
they must decrypt the data before they can send it to the agencies. The
E-Authentication Presidential Initiative is currently addressing how
agencies can more uniformly adopt appropriate technical solutions to this
problem based on the level of risk involved, including, but not limited to,
encryption.

In 2005, the FTC settled a law enforcement action with Superior Mortgage,
a mortgage company, alleging that the company failed to comply with the
GLB Safeguards Rule. The FTC alleged that the company's security
procedures were deficient in the areas of risk assessment, access
controls, document protection, and oversight of service providers. The
FTC also charged Superior with misrepresenting how it applied encryption
to sensitive consumer information. Superior agreed to undertake a
comprehensive data security program and retain an independent auditor to
assess and certify its security procedures every two years for the next
10 years.

c. Responding to Data Breaches in the Private Sector

Although the link between data breaches and identity theft is unclear,
reports of private sector data security breaches add to consumers' fear
of identity thieves gaining access to sensitive consumer information and
undermine consumer confidence. Pursuant to the GLB Act, the financial
regulatory agencies require financial institutions under their jurisdiction
to implement programs designed to safeguard customer information. In
addition, the federal bank regulatory agencies (FDIC, FRB, NCUA, OCC,
and OTS) have issued guidance with respect to breach notification. In
addition, 37 states have laws requiring that consumers be notified when
their information has been subject to a breach.57 Some of the laws also
require that the entity that experienced the breach notify law enforcement,
consumer reporting agencies, and other potentially affected parties.58

Notice to consumers may help them avoid or mitigate injury by allowing
them to take appropriate protective actions, such as placing a fraud alert
on their credit file or monitoring their accounts. In some cases, the
organization experiencing the breach has offered additional assistance,
including free credit monitoring services. Moreover, prompt notification
to law enforcement allows for the investigation and deterrence of identity
theft and related unlawful conduct.

The states have taken a variety of approaches regarding when notice
to consumers is required. Some states require notice to consumers
whenever there is unauthorized access to sensitive data. Other states
require notification only when the breach of information poses a risk to
consumers. Notice is not required, for example, when the data cannot
be used to commit identity theft, or when technological protections
prevent fraudsters from accessing data. This approach recognizes that
excessive breach notification can overwhelm consumers, causing them to
ignore more significant incidents, and can impose unnecessary costs on
consumers, the organization that suffered the breach, and others. Under
this approach, however, organizations struggle to assess whether the risks
are sufficient to warrant consumer notification. Factors relevant to that
assessment often include the sensitivity of the breached information, the
extent to which it is protected from access (e.g., by using technological
tools for protecting data), how the breach occurred (e.g., whether the
information was deliberately stolen as opposed to accidentally misplaced),
and any evidence that the data actually have been misused.

A number of bills establishing a federal notice requirement have been
introduced in Congress. Many of the state laws and the bills in Congress
address who should be notified, when notice should be given, what
information should be provided in the notice, how notice should be
effected, and the circumstances under which consumer notice should be
delayed for law enforcement purposes.

In 2004, an FDIC examination of a state-chartered bank disclosed
significant computer system deficiencies and inadequate controls to
prevent unauthorized access to customer information. The FDIC issued an
order directing the bank to develop and implement an information security
program, and specifically ordered the bank, among other things, to
perform a formal risk assessment of internal and external threats that
could result in unauthorized access to customer information. The bank
also was ordered to review computer user access levels to ensure that
access was restricted to only those individuals with a legitimate
business need to access the information.

Despite the substantial effort undertaken by the public and private sectors
to educate businesses on how to respond to data breaches (see Volume
II, Part D, for a description of education for businesses on responding to
data breaches), there is room for improvement by businesses in planning
for and responding to data breaches. Surveys of large corporations and
retailers indicate that fewer than half of them have formal breach response
plans. For example, an April 2006 cross-industry survey revealed that only
45 percent of large multinational corporations headquartered in the U.S.
had a formal process for handling security violations and data breaches.59
Fourteen percent of the companies surveyed had experienced a significant
privacy breach in the past three years.60 A July 2005 survey of large North
American corporations found that although 80 percent of responding
companies reported having privacy or data-protection strategies, only 31
percent had a formal notification procedure in the event of a data breach.61
Moreover, one survey found that only 43 percent of retailers had formal
incident response plans, and even fewer had tested their plans.62

RECOMMENDATION: ESTABLISH NATIONAL STANDARDS
EXTENDING DATA PROTECTION SAFEGUARDS REQUIREMENTS
AND BREACH NOTIFICATION REQUIREMENTS

Several existing laws mandate protection for sensitive consumer
information, but a number of private entities are not subject to
those laws. The GLB Act, for example, applies to financial
institutions, but generally not to other entities that collect
and maintain sensitive information. Similarly, existing federal
breach notification standards do not extend to all entities that
hold sensitive consumer information, and the various state laws
that contain breach notification requirements differ in various
respects, complicating compliance. Accordingly, the Task
Force recommends the development of (1) a national standard
imposing safeguards requirements on all private entities that
maintain sensitive consumer information; and (2) a national
standard requiring entities that maintain sensitive consumer
information to provide notice to consumers and law enforcement
in the event of a breach. Such national standards should provide
clarity and predictability for businesses and consumers, and
should incorporate the following important principles.

Covered data. The national standards for data security and
for breach notification should cover data that can be used to
perpetrate identity theft, in particular, any data or combination
of consumer data that would allow someone to use, log into,
or access an individual's account, or to establish a new account
using the individual's identifying information. This identifying
information includes a name, address, or telephone number
paired with a unique identifier such as a Social Security number,
a driver's license number, a biometric record, or a financial
account number (together with a PIN or security code, if such
PIN or code is required to access an account) (hereinafter
"covered data"). The standards should not cover data, such as a
name and address alone, that by itself typically would not cause
harm. The definitions of covered data for data security and data
breach notification requirements should be consistent.

When an online retailer became the target of an elaborate fraud ring,
the company looked to one of the major credit reporting agencies for
assistance. By using shared data maintained by that agency, the retailer
was able to identify applications with common data elements and flag
them for further scrutiny. By using the shared application data in
connection with the activities of this fraud ring, the company avoided
$26,000 in fraud losses.

Covered entities. The national standards for data security and
breach notification should cover any private entity that collects,
maintains, sells, transfers, disposes of, or otherwise handles
covered data in any medium, including electronic and paper
formats.

Unusable data. National standards should recognize that
rendering data unusable to outside parties likely would prevent
acquisition of the data, and thus ordinarily would satisfy an
entity's legal obligations to protect the data and would not trigger
notification of a breach. The standards should not endorse a
specific technology because unusability is not a static concept and
the effectiveness of particular technologies may change over time.

Risk-based standard for breach notification. The national breach
notification standard should require that covered entities provide
notice to consumers in the event of a data breach, but only when
the risks to consumers are real, that is, when there is a significant
risk of identity theft due to the breach. This "significant risk of
identity theft" trigger for notification recognizes that excessive
breach notification can overwhelm consumers, causing them
to take costly actions when there is little risk, or conversely, to
ignore the notices when the risks are real.

Notification to law enforcement. The national breach notification
standard should provide for timely notification to law
enforcement and expressly allow law enforcement to authorize
a delay in required consumer notice, either for law enforcement
or national security reasons (and either on its own behalf or on
behalf of state or local law enforcement).

Relationship to current federal standards. The national standards
for data security and breach notification should be drafted to be
consistent with and so as not to displace any rules, regulations,
guidelines, standards, or guidance issued under the GLB Act by
the FTC, the federal bank regulatory agencies, the SEC, or the
Commodity Futures Trading Commission (CFTC), unless those
agencies so determine.

Preemption of state laws. To ensure comprehensive national
requirements that provide clarity and predictability, while
maintaining an effective enforcement role for the states, the
national data security and breach notification standards should
preempt state data security and breach notification laws, but
authorize enforcement by the state Attorneys General for entities
not subject to the jurisdiction of the federal bank regulatory
agencies, the SEC, or the CFTC.

Rulemaking and enforcement authority. Coordinated rulemaking
authority under the Administrative Procedure Act should be
given to the FTC, the federal bank regulatory agencies, the
SEC, and the CFTC to implement the national standards.
Those agencies should be authorized to enforce the standards
against entities under their respective jurisdictions, and should
specifically be authorized to seek civil penalties in federal district
court.

Private right of action. The national standards should not provide
for or create a private right of action.

Standards incorporating such principles will prompt covered
entities to establish and implement administrative, technical, and
physical safeguards to ensure the security and confidentiality of
sensitive consumer information; protect against any anticipated
threats or hazards to the security or integrity of such information;
and protect against unauthorized access to or use of such
information that could result in substantial harm or inconvenience to
any consumer. Because the costs associated with implementing
safeguards or providing breach notice may be different for small
businesses and larger businesses, or may differ based on the type
of information held by a business, the national standard should
expressly call for actions that are reasonable for the particular
covered entity and should not adopt a one-size-fits-all approach
to the implementation of safeguards.

RECOMMENDATION: BETTER EDUCATE THE PRIVATE SECTOR
ON SAFEGUARDING DATA

Although much has been done to educate the private sector
on how to safeguard data, the continued proliferation of data
breaches suggests that more needs to be done. While there is no
perfect data security system, a company that is sensitized to the
importance of data security, understands its legal obligations,
and has the information it needs to secure its data adequately, is
less likely to suffer a data compromise. The Task Force therefore
makes the following recommendations concerning how to better
educate the private sector:

Hold Regional Seminars for Businesses on Safeguarding
Information. By the fourth quarter of 2007, the federal financial
regulatory agencies and the FTC, with support from other
Task Force member agencies, should hold regional seminars
and develop self-guided and online tutorials for businesses and
financial institutions, about safeguarding information, preventing
and reporting breaches, and assisting identity theft victims. The
seminars' leaders should make efforts to include small businesses
in these sessions and address their particular needs. These
seminars could be co-sponsored by local bar associations, the
Better Business Bureaus (BBBs), and other similar organizations.
Self-guided tutorials should be made available through the Task
Force's online clearinghouse at www.idtheft.gov.

Distribute Improved Guidance for Private Industry. In the second
quarter of 2007, the FTC should expand written guidance to
private sector entities that are not regulated by the federal bank
regulatory agencies or the SEC on steps they should take to
safeguard information. The guidance should be designed to give
a more detailed explanation of the broad principles encompassed
in existing laws. Like the Information Technology Examination
Handbook's Information Security Booklet issued under the
auspices of the Federal Financial Institutions Examination
Council,63 the guidance should be risk-based and flexible, in
recognition of the fact that different private sector entities will
warrant different solutions.

When a major consumer lending institution encountered a problem when
the loss ratio on many of its loans, including mortgages and consumer
loans, became excessively high due to fraud, the bank hired a leading
provider of fraud prevention products to authenticate potential
customers during the application process prior to extending credit. The
result was immediate: two million dollars of confirmed fraud losses were
averted within the first six months of implementation.

RECOMMENDATION: INITIATE INVESTIGATIONS OF DATA
SECURITY VIOLATIONS

Beginning immediately, appropriate government agencies should
initiate investigations of and, if appropriate, take enforcement
actions against entities that violate the laws governing data
security. The FTC, SEC, and federal bank regulatory agencies have
used regulatory and enforcement efforts to require companies to
maintain appropriate information safeguards under the law. Federal
agencies should continue and expand these efforts to ensure
that such entities use reasonable data security measures. Where
appropriate, the agencies should share information about those
enforcement actions on www.idtheft.gov.

A leading payment processing and bill payment company recently deployed
an automated fraud detection and case management system to more than 40
financial institutions. The system helps ensure that receiving and
paying bills online remains a safe practice for consumers. To mitigate
risk and reduce fraud for banks and consumers before it happens, the
system combines the company's cumulative knowledge of payment patterns
and a sophisticated analytics engine to help financial services
organizations detect and stop unauthorized payments.

4. Educating Consumers on Protecting Their Personal Information

The first line of defense against identity theft often is an aware and
motivated consumer who takes reasonable precautions to protect his
information. Every day, unwitting consumers create risks to the security of their
personal information. From failing to install firewall protection on a
computer hard drive to leaving paid bills in a mail slot, consumers leave the
door open to identity thieves. Consumer education is a critical component
of any plan to reduce the incidence of identity theft.

The federal government has been a leading provider of consumer
information about identity theft. Numerous departments and agencies target
identity theft-related messages to relevant populations. See Volume II,
Part E, for a description of federal consumer education efforts. The FTC,
through its Identity Theft Clearinghouse and ongoing outreach, plays a
primary role in consumer awareness and education, developing
information that has been co-branded by a variety of groups and agencies. Its
website, www.ftc.gov/idtheft, serves as a comprehensive one-stop resource
in both English and Spanish for consumers. The FTC also recently
implemented a national public awareness campaign centered around the themes
of "Deter, Detect, and Defend," which seeks to drive behavioral changes
in consumers that will reduce their risk of identity theft (Deter); encourage
them to monitor their credit reports and accounts to alert them of identity
theft as soon as possible after it occurs (Detect); and mitigate the damage
caused by identity theft should it occur (Defend). This campaign,
mandated in the FACT Act, consists of direct messaging to consumers as well
as material written for organizations, community leaders, and local law
enforcement. The Deter, Detect, and Defend materials have been adopted
and distributed by hundreds of entities, both public and private.

The SSA and the federal regulatory agencies are among the many other
government bodies that also play a significant role in educating
consumers on how to protect themselves. For example, the SSA added a
message to its SSN verification printout warning the public not to share their
SSNs with others. This warning was especially timely in the aftermath of
Hurricane Katrina, which necessitated the issuance of a large number of
those printouts. Similarly, the Senior Medicare Patrol (SMP) program,
funded by U.S. Administration on Aging in the Department of Health
and Human Services, uses senior volunteers to educate their peers about
protecting their personal information and preventing and identifying
consumer and health care fraud. The SMP program also has worked closely
with the Centers for Medicare and Medicaid Services to protect seniors
from new scams aimed at defrauding them of their Medicare numbers and
other personal information. And the U.S. Postal Inspection Service has
produced a number of consumer education materials, including several
videos, alerting the public to the problems associated with identity theft.

Significant consumer education efforts also are taking place at the state
level. Nearly all of the state Attorneys General offer information on
the prevention and remediation of identity theft on their websites, and
several states have conducted conferences and workshops focused on
education and training in privacy protection and identity theft prevention.
Over the past year, the Attorney General of Illinois and the Governors
of New Mexico and California have hosted summit meetings, bringing
together law enforcement, educators, victims' coordinators, consumer
advocates, and the business community to develop better strategies for
educating the public and fighting identity theft. The National Governors
Association convened the National Strategic Policy Council on Cyber and
Electronic Crime in September 2006 to trigger a coordinated education
and prevention effort by federal, state, and local policymakers. The
New York State Consumer Protection Board has conducted "Consumer
Action Days," with free seminars about identity theft and other consumer
protection issues.

Police departments also provide consumer education to their communities.
Many departments have developed materials and make them available
in police stations, in city government buildings, and on websites.64 As of
this writing, more than 500 local police departments are using the FTC's
"Deter, Detect, Defend" campaign materials to teach their communities
about identity theft. Other groups, including the National Apartment
Association and the National Association of Realtors, also have promoted
this campaign by distributing the materials to their membership.

Although most educational material is directed at consumers in general,
some is aimed at and tailored to specific target groups. One such group
is college students. For several reasons, including the vast amounts of
personal data that colleges maintain about them and their tendency to
keep personal data unguarded in shared dormitory rooms, students are
frequent targets of identity thieves. According to one report, one-third
to one-half of all reported personal information breaches in 2006 have
occurred at colleges and universities.65 In recognition of the increased
vulnerability of this population, many universities are providing
information to their students about the risks of identity theft through web
sites, orientation campaigns, and seminars.66

Federal, state, and local government agencies provide a great deal of
identity theft-related information to the public through the Internet, printed
materials, DVDs, and in-person presentations. The messages the agencies
provide (how to protect personal information, how to recognize a
potential problem, where to report a theft, and how to deal with the aftermath)
are echoed by industry, law enforcement, advocates, and the media. See
Volume II, Part F, for a description of private sector consumer education
efforts. But there is little coordination among the agencies on current
education programs. Dissemination in some cases is random, information is
limited, and evaluation of effectiveness is almost nonexistent. Although a
great deal of useful information is being disseminated, the extent to which
the messages are reaching, engaging, or motivating consumers is unclear.

RECOMMENDATION: INITIATE A MULTI-YEAR PUBLIC
AWARENESS CAMPAIGN

Because consumer education is a critical component of any
plan to reduce the incidence of identity theft, the Task Force
recommends that member agencies, in the third quarter of
2007, initiate a multi-year national public awareness campaign
that builds on the FTC's current "AvoID Theft: Deter, Detect,
Defend" campaign, developed pursuant to direction in the FACT
Act. This campaign should include the following elements:

Develop a Broad Awareness Campaign. By broadening the current
FTC campaign into a multi-year awareness campaign, and by
engaging the Ad Council or similar entities as partners, important
and empowering messages should be disseminated more widely
and by more partners. The campaign should include public
service announcements on the Internet, radio, and television, and
in newspapers and magazines, and should address the issue from
a variety of perspectives, from prevention through mitigation and
remediation, and reach a variety of audiences.

Enlist Outreach Partners. The agencies conducting the campaign
should enlist as outreach partners national organizations either
that have been active in helping consumers protect themselves
against identity theft, such as the AARP, the Identity Theft
Resource Center (ITRC), and the Privacy Rights Clearinghouse
(PRC), or that may be well-situated to help in this area, such
as the White House Office of Faith-Based and Community
Initiatives.

Increase Outreach to Traditionally Underserved Communities.
Outreach to underserved communities should include
encouraging language translations of existing materials and
involving community-based organizations as partners.

Establish "Protect Your Identity" Days. The campaign should
establish "Protect Your Identity" Days to promote better data
security by businesses and individual commitment to security
by consumers. These "Protect Your Identity" Days should
also build on the popularity of community "shred-ins" by
encouraging community and business organizations to shred
documents containing personal information.

RECOMMENDATION: DEVELOP AN ONLINE CLEARINGHOUSE
FOR CURRENT EDUCATIONAL RESOURCES

The Task Force recommends that in the third quarter of 2007, the
Task Force member agencies develop an online clearinghouse
for current identity theft educational resources for consumers,
businesses, and law enforcement from a variety of sources at
www.idtheft.gov. This would make the materials immediately
available in one place to any public or private entity willing to
launch an education program, and to any citizen interested in
accessing the information. Rather than recreate content, entities
could link directly to the clearinghouse for timely and accurate
information. Educational materials should be added to the website
on an ongoing basis.

B. PREVENTION: MAKING IT HARDER TO MISUSE
CONSUMER DATA

Keeping valuable consumer data out of the hands of criminals is the
first step in reducing the incidence of identity theft. But, because no
security is perfect and thieves are resourceful, it is essential to reduce the
opportunities for criminals to misuse the data they do manage to steal.

An identity thief who wants to open new accounts in a victim's name
must be able to (1) provide identifying information to enable the creditor
or other grantor of benefits to access information on which to base an
eligibility decision, and (2) convince the creditor or other grantor of
benefits that he is, in fact, the person he purports to be. For example, a
credit card grantor processing an application for a credit card will use the
SSN to access the consumer's credit report to check his creditworthiness,
and may rely on photo documents, the SSN, and/or other proof to access
other sources of information intended to verify the applicant's identity.
Thus, the SSN is a critical piece of information for the thief, and its wide
availability increases the risk of identity theft.

Identity systems follow a two-fold process: first, determining
(identification) and setting (enrollment) the identity of an
individual at the onset of the relationship; and second, later ensuring
that the individual is the same person who was initially enrolled
(authentication). With the exception of banks, savings associations,
credit unions, some broker-dealers, mutual funds, futures commission
merchants, and introducing brokers (collectively, "financial institutions"),
there is no generally-applicable legal obligation on private sector entities
to use any particular means of identification. Financial institutions are
required to follow certain verification procedures pursuant to regulations
promulgated by the federal bank regulatory agencies, the Department of
Treasury, the SEC, and the CFTC under the USA PATRIOT Act.67 The
regulations require these financial institutions to establish a Customer
Identification Program (CIP) specifying identifying information that will
be obtained from each customer when accounts are opened (which must
include, at a minimum, name, date of birth, address, and an identification
number such as an SSN). The CIP requirement is intended to ensure
that financial institutions form a reasonable belief that they know the
true identity of each customer who opens an account. The government,
too, is making efforts to implement new identification mechanisms. For
example, REAL ID is a nationwide effort intended to prevent terrorism,
reduce fraud, and improve the reliability and accuracy of identification
documents that state governments issue.68 See Volume II, Part G, for a
description of recent laws relating to identification documents.

The verification process can fail, however, in a number of ways. First,
identity documents may be falsified. Second, checking the identifying
information against other verifying sources of information can produce
varying results, depending on the accuracy of the initial information
presented and the accuracy or quality of the verifying sources. The process
also can fail because employees are trained improperly or fail to follow
proper procedures. Identity thieves exploit each of these opportunities to
circumvent the verification process.69

Once an individual's identity has been verified, it must be authenticated
each time he wants the access for which he was initially verified, such as
access to a bank account. Generally, businesses authenticate an individual
by requiring him to present some sort of credential to prove that he is the
same individual whose identity was originally verified. A credential is
generally one or more of the following:

Something a person knows: most commonly a password, but also
may be a query that requires specific knowledge only the customer
is likely to have, such as the exact amount of the customer's
monthly mortgage payment.

Something a person has: most commonly a physical device, such
as a Universal Serial Bus (USB) token, a smart card, or a
password-generating device.70

Something a person is: most commonly a physical characteristic,
such as a fingerprint, iris, face, and hand geometry. This type of
authentication is referred to as biometrics.71

Some entities use a single form of authentication, most commonly a
password, but if it is compromised, there are no other fail-safes in the
system. To address this problem, the federal bank regulatory agencies
issued guidance promoting stronger customer authentication methods
for certain high-risk transactions. Such methods are to include the use
of multi-factor authentication, layered security, or other similar controls
reasonably calculated to mitigate the exposure from any transactions
that are identified as high-risk. The guidance more broadly provides
that banks, savings associations, and credit unions conduct risk-based
assessments, evaluate customer awareness programs, and develop security
measures to reliably authenticate customers remotely accessing
Internet-based financial services.72 Financial institutions covered by the guidance
were advised that the agencies expected them to have completed the risk
assessment and implemented risk mitigation activities by year-end 2006.73
Along with the financial services industry, other industries have begun
to implement new authentication procedures using different types of
credentials.

SSNs have many advantages and are widely used in our current
marketplace to match consumers with their records (including their
credit files) and as part of the authentication process. Keeping the
authentication process convenient for consumers and credit grantors
without making it too easy for criminals to impersonate consumers
requires a fine balance. Notwithstanding improvements in certain
industries and companies, efforts to facilitate the development of better
ways to authenticate consumers without undue burden would help prevent
criminals from profiting from their crime.

RECOMMENDATION: HOLD WORKSHOPS ON
AUTHENTICATION

Because developing more reliable methods of authenticating the
identities of individuals would make it harder for identity thieves
to open new accounts or access existing accounts using other
individuals' information, the Task Force will hold a workshop
or series of workshops, involving academics, industry, and
entrepreneurs, focused on developing and promoting improved
means of authenticating the identities of individuals. These
experts will discuss the existing problem and examine the
limitations of current processes of authentication. With that
information, the Task Force will probe viable technological and
other solutions that will reduce identity fraud, and identify needs
for future research. Such workshops have been successful in
developing creative and timely responses to consumer protection
issues, and the workshops are expected to be useful for both the
private and public sectors. For example, the federal government
has an interest as a facilitator of the development of new
technologies and in implementing technologies that better protect
the data it handles in providing benefits and services, and as an
employer.

As noted in the Task Force's interim recommendations to the
President, the FTC and other Task Force member agencies will
host the first such workshop in the second quarter of 2007.
The Task Force also recommends that a report be issued or
subsequent workshops be held to report on any proposals or best
practices identified during the workshop series.

RECOMMENDATION: DEVELOP COMPREHENSIVE RECORD
ON PRIVATE SECTOR USE OF SSNs

As noted in Section III A 1, above, the Task Force recommends
developing a comprehensive record on the uses of the SSN in the
private sector and evaluating their necessity.

C. VICTIM RECOVERY: HELPING CONSUMERS REPAIR
THEIR LIVES
Because identity theft can be committed despite the best of precautions, an
essential step in the fight against this crime is ensuring that victims have
the knowledge, tools, and assistance necessary to minimize the damage
and begin the recovery process. Currently, consumers have a number of
rights and available resources, but they may not be aware of them.
1. VICTIM ASSISTANCE: OUTREACH AND EDUCATION
Federal and state laws offer victims of identity theft an array of tools to
avoid or mitigate the harms they suffer. For example, under the FACT
Act, victims can: (1) place alerts on their credit files; (2) request copies of
applications and other documents used by the thief; (3) request that the
credit reporting agencies block fraudulent trade lines on credit reports; and
(4) obtain information on the fraudulent accounts from debt collectors.
In some cases, the recovery process is relatively straightforward. Consumers
whose credit card numbers have been used to make unauthorized purchases,
for example, typically can get the charges removed without undue
burden. In other cases, however, such as those involving new-account
fraud, recovery can be an ordeal.
Widely-available guidance advises consumers of steps to take if they have
become victims of identity theft, or if their personal information has been
breached. For example, the FTC's website, www.ftc.gov/idtheft, contains
step-by-step recovery information for victims, as well as for those who may
be at risk following a compromise of their data. Many other agencies and
organizations link directly to the FTC site and themselves provide education
and assistance to victims.
Fair and Accurate Credit Transactions Act (FACT Act) Rights
The Fair and Accurate Credit Transactions Act of 2003 added new sections to the Fair
Credit Reporting Act that provide a number of new tools for victims to recover from
identity theft. These include the right to place a fraud alert with the credit reporting
agencies and receive a free copy of the credit report. An initial alert lasts for 90 days.
A victim with an identity theft report documenting actual misuse of the consumer
information is entitled to place a 7-year alert on his file. In addition, under the FACT Act,
victims can request copies of documents relating to fraudulent transactions, and can
obtain information from a debt collector regarding a debt fraudulently incurred in the
victim's name. Victims who have a police report also can ask that fraudulent accounts be
blocked from their credit report, and can prevent businesses from reporting information
that resulted from identity theft to the credit reporting agencies.
Identity theft victims, and consumers who suspect that they may become victims
because of lost data, are advised to act quickly to prevent or minimize harm. The
steps are straightforward:
• Contact one of the three major credit reporting agencies to place a fraud alert
on their credit file. The agencies are required to transmit this information to the
other two companies. Consumers who place this 90-day alert are entitled to a
free copy of their credit report. Fraud alerts are most useful when a consumer's
SSN is compromised, creating the risk of new account fraud.
• Contact any creditors where fraudulent accounts were opened or charges were
made to dispute these transactions, and follow up in writing.
• Report actual incidents of identity theft to the local police department and obtain
a copy of the police report. This document will be essential to exercising other
remedies.
• Report the identity theft incident to the ID Theft Data Clearinghouse by filing
a complaint online at ftc.gov/idtheft, or calling toll free 877 ID THEFT. The
complaint will be entered into the Clearinghouse and shared with the law
enforcement agencies who use the database to investigate and prosecute
identity crimes.
Some states provide additional protections to identity theft victims by allowing
them to request a credit freeze, which prevents consumers' credit reports from
being released without their express consent. Because most companies obtain a
credit report from a consumer before extending credit, a credit freeze will likely
prevent the extension of credit in a consumer's name without the consumer's
express permission.
State governments also provide assistance to victims. State consumer
protection agencies, privacy agencies, and state Attorneys General provide
victim information and guidance on their websites, and some provide
personal assistance as well. A number of states have established hotlines,
counseling, and other assistance for victims of identity theft. For example,
the Illinois Attorney General's office has implemented an Identity Theft
Hotline; each caller is assigned a consumer advocate to assist with the
recovery process and to help prevent further victimization.
A number of private sector organizations also provide critical victim
assistance. Not-for-profit groups such as the Privacy Rights Clearinghouse
(PRC) and the Identity Theft Resource Center (ITRC) offer counseling
and assistance for identity theft victims who need help in going through
the recovery process. The Identity Theft Assistance Center (ITAC), a
victim assistance program established by the financial services industry,
has helped approximately 13,000 victims resolve problems with disputed
accounts and other fraud related to identity theft since its founding in
2004. Finally, many individual companies have established hotlines,
distributed materials, and provided special services for customers whose
information has been misused. Indeed, some companies rely on their
identity theft services as marketing tools.
Despite this substantial effort by the public and private sectors to educate
and assist victims, there is room for improvement. Many victims are not
aware, or do not take advantage, of the resources available to them. For
example, while the FTC receives roughly 250,000 contacts from victims
every year, that number is only a small percentage of all identity theft
victims. Moreover, although first responders could be a key resource for
identity theft victims, the first responders often are overworked and may
not have the information that they need about the steps for victim recovery.
It is essential, therefore, that public and private outreach efforts be
expanded, better coordinated, and better funded.
RECOMMENDATION: PROVIDE SPECIALIZED TRAINING
ABOUT VICTIM RECOVERY TO FIRST RESPONDERS AND
OTHERS PROVIDING DIRECT ASSISTANCE TO IDENTITY
THEFT VICTIMS
First responders and others who provide direct assistance and
support to identity theft victims must be adequately trained.
Accordingly, the Task Force recommends the following:
Train Local Law Enforcement Officers. By the third quarter of
2007, federal law enforcement agencies, which could include
the U.S. Postal Inspection Service, the FBI, the Secret Service,
and the FTC, should conduct training seminars delivered in
person, online, or via video for local law enforcement officers
on available resources and providing assistance for victims.
Provide Educational Materials for First Responders That Can Be
Readily Used as a Reference Guide for Identity Theft Victims.
During the third quarter of 2007, the FTC and DOJ should
develop a reference guide, which should include contact
information for resources and information on first steps
to recovery, and should make that guide available to law
enforcement officers through the online clearinghouse at
www.idtheft.gov. Such guidance would assist first responders in
directing victims on their way to recovery.
Distribute an Identity Theft Victim Statement of Rights. Federal law
provides substantial assistance to victims of identity theft. From
obtaining a police report to blocking fraudulent accounts in a
credit report, consumers as well as law enforcement, private
businesses, and other parties involved in the recovery process
need to know what remedies are available. Accordingly, the Task
Force recommends that, during the third quarter of 2007, the
FTC draft an ID Theft Victim Statement of Rights, a short and
simple statement of the basic rights victims possess under current
law. This document should then be disseminated to victims
through law enforcement, the financial sector, and advocacy
groups, and posted at www.idtheft.gov.
Develop Nationwide Training for Victim Assistance Counselors.
Crime victims receive assistance through a wide array of federal
and state-sponsored programs, as well as nonprofit organizations.
Additionally, every United States Attorney's Office in the country
has a victim-witness coordinator who is responsible for referring
crime victims to the appropriate resources to resolve harms
that resulted from the misuse of their information. All of these
counselors should be trained to respond to the specific needs of
identity theft victims, including assisting them in coping with the
financial and emotional impact of identity crime. Therefore, the
Task Force recommends that a standardized training curriculum
for victim assistance be developed and promoted through a
nationwide training campaign, including through DOJ's Office
for Victims of Crime (OVC). Already, OVC has begun organizing
training workshops, the first of which was held in December
2006. These workshops are intended to train not only victim-witness
coordinators from U.S. Attorney's Offices, but also state,
tribal, and local victim service providers. The program will help
advocates learn how to assist victims in self-advocacy and how
and when to intervene in a victim's recovery process. Training
topics will include helping victims deal with the economic and
emotional ramifications of identity theft, assisting victims with
understanding how an identity theft case proceeds through the
criminal justice system, and identity theft laws. Additional
workshops should be held in 2007.
RECOMMENDATION: DEVELOP AVENUES FOR
INDIVIDUALIZED ASSISTANCE TO IDENTITY THEFT VICTIMS
Although many victims are able to resolve their identity theft-related
issues without assistance, some individuals would
benefit from individualized counseling. The availability of
personalized assistance should be increased through national
service organizations, such as those using retired seniors or
similar groups, and pro bono activities by lawyers, such as
those organized by the American Bar Association (ABA). In
offering individualized assistance to identity theft victims, these
organizations and programs should use the victim resource
guides that are already available through the FTC and DOJ's
Office for Victims of Crime. Specifically, the Task Force also
recommends the following:
Engage the American Bar Association to Develop a Program
Focusing on Assisting Identity Theft Victims with Recovery.
The ABA has expertise in coordinating legal representation in
specific areas of practice through law firm volunteers. Moreover,
law firms have the resources and expertise to staff an effort to
assist victims of identity theft. Accordingly, the Task Force
recommends that, beginning in 2007, the ABA, with assistance
from the Department of Justice, develop a pro bono referral
program focusing on assisting identity theft victims with recovery.
2. MAKING IDENTITY THEFT VICTIMS WHOLE
Identity theft inflicts many kinds of harm upon its victims, making it
difficult for them to feel that they ever will recover fully. Beyond tangible
forms of harm, statistics cannot adequately convey the emotional toll
that identity theft often exacts on its victims, who frequently report
feelings of violation, anger, anxiety, betrayal of trust, and even self-blame
or hopelessness. These feelings may continue, or even increase, as
victims work through the credit recovery and criminal justice processes.
Embarrassment, cultural factors, or personal or family circumstances (e.g.,
if the victim has a relationship to the identity thief) may keep the victims
from reporting the problem to law enforcement, in turn making them
ineligible to take advantage of certain remedies. Often, these reactions are
intensified by the ongoing, long-term nature of the crime. Criminals may
not stop committing identity theft after having been caught; they simply
use information against the same individual in a new way, or they sell
the information so that multiple identity thieves can use it. Even when
the fraudulent activity ceases, the effects of negative information on the
victim's credit report can continue for years.
The many hours victims spend in attempting to recover from the harms
they suffer often take a toll on victims that is not reflected in their
monetary losses. One reason that identity theft can be so destructive to its
victims is the sheer amount of time and energy often required to recover
from the offense, including having to correct credit reports, dispute charges
with individual creditors, close and reopen bank accounts, and monitor
credit reports for future problems arising from the theft.
"I received delinquent bills for purchases she [the suspect] made. I spent
countless hours on calls with creditors in Texas who were reluctant to
believe that the accounts that had been opened were fraudulent. I spent
days talking to police in Texas in an effort to convince them that I was
allowed by Texas law to file a report and have her [the suspect] charged
with the theft of my identity.... I had to send more than 50 letters to the
creditors to have them remove the more than 60 inquiries that were made by
this woman...."
Nicole Robinson
Testimony before House Ways and Means Committee,
Subcommittee on Social Security
May 22, 2001
In addition to losing time and money, some identity theft victims suffer
the indignity of being mistaken for the criminal who stole their identities,
and have been wrongfully arrested.74 In one case, a victim's driver's
license was stolen, and the information from the license was used to open
a fraudulent bank account and to write more than $10,000 in bad checks.
The victim herself was arrested when local authorities thought she was the
criminal. In addition to the resulting feelings of trauma, this type of harm
is a particularly difficult one for an identity theft victim to resolve.
RECOMMENDATION: AMEND CRIMINAL RESTITUTION
STATUTES TO ENSURE THAT VICTIMS RECOVER FOR THE
VALUE OF TIME SPENT IN ATTEMPTING TO REMEDIATE THE
HARMS THEY SUFFERED
Restitution to victims from convicted thieves is available for the
direct financial costs of identity theft offenses. However, there
is no specific provision in the federal restitution statutes for
compensation for the time spent by victims recovering from the
crime, and court decisions interpreting the statutes suggest that
such recovery would be precluded.
As stated in the Task Force's interim recommendations to the
President, the Task Force recommends that Congress amend the
federal criminal restitution statutes to allow for restitution from a
criminal defendant to an identity theft victim, in an amount equal
to the value of the victim's time reasonably spent attempting to
remediate the intended or actual harm incurred from the identity
theft offense. The language of the proposed amendment is in
Appendix C. DOJ transmitted the proposed amendment to
Congress on October 4, 2006.
RECOMMENDATION: EXPLORE THE DEVELOPMENT OF
A NATIONAL PROGRAM ALLOWING IDENTITY THEFT
VICTIMS TO OBTAIN AN IDENTIFICATION DOCUMENT FOR
AUTHENTICATION PURPOSES
One of the problems faced by identity theft victims is proving that
they are who they say they are. Indeed, some identity theft victims
have been mistaken for the criminal who stole their identity,
and have been arrested based on warrants issued for the thief who
stole their personal data. To give identity theft victims a means
to authenticate their identities in such a situation, several states
have developed identification documents, or passports, that
authenticate identity theft victims. These voluntary mechanisms
are designed to prevent the misuse of the victim's name in the
criminal justice system when, for example, an identity thief uses
his victim's name when arrested. These documents often use
multiple factors for authentication, such as biometric data and
a password. The FBI has established a similar system through
the National Crime Information Center, allowing identity theft
victims to place their name in an Identity File. This program,
too, is limited in scope. Beginning in 2007, the Task Force
member agencies should lead an effort to study the feasibility of
developing a nationwide system allowing identity theft victims to
obtain a document that they can use to avoid being mistaken for
the suspect who has misused their identity. The system should
build on the programs already used by several states and the FBI.
3. GATHERING BETTER INFORMATION ON THE EFFECTIVENESS OF
VICTIM RECOVERY MEASURES
Identity theft victims have been granted many new rights in recent years.
Gathering reliable information about the utility of these new rights
is critical to evaluating whether they are working well or need to be
modified. Additionally, because some states have measures in place to
assist identity theft victims that have no federal counterpart, it is important
to assess the success of those measures to determine whether they should
be adopted more widely. Building a record of victims' experiences in
exercising their rights is therefore crucial to ensuring that any strategy to
fight identity theft is well-supported.
RECOMMENDATION: ASSESS EFFICACY OF TOOLS AVAILABLE
TO VICTIMS
The Task Force recommends the following surveys or assessments:
Conduct Assessment of FACT Act Remedies Under FCRA. The
FCRA is among the federal laws that enable victims to restore
their good name. The FACT Act amendments to the FCRA
provide several new rights and tools for actual or potential
identity theft victims, including the availability of credit file fraud
alerts; the blocking of fraudulent trade lines on credit reports;
the right to have creditors cease furnishing information relating
to fraudulent accounts to credit reporting agencies; and the right
to obtain business records relating to fraudulent accounts. Many
of these rights have been in effect for a short time. Accordingly,
the Task Force recommends that the agencies with enforcement
authority for these statutory provisions assess their impact and
effectiveness through appropriate surveys. Agencies should
report on the results in calendar year 2008.
Conduct Assessment of State Credit Freeze Laws. Among the
state-enacted remedies without a federal counterpart is one
granting consumers the right to obtain a credit freeze. Credit
freezes make a consumer's credit report inaccessible when, for
example, an identity thief attempts to open an account in the
victim's name. State laws differ in several respects, including
whether all consumers can obtain a freeze or only identity
theft victims; whether credit reporting agencies can charge the
consumer for unfreezing a file (which would be necessary when
applying for credit); and the time allowed to the credit reporting
agencies to unfreeze a file. These provisions are relatively new,
and there is no track record to show how effective they are,
what costs they may impose on consumers and businesses, and
what features are most beneficial to consumers. An assessment
of how these measures have been implemented and how effective
they have been would help policymakers in considering whether
a federal credit freeze law would be appropriate. Accordingly,
the Task Force recommends that the FTC, with support from the
Task Force member agencies, assess the impact and effectiveness
of credit freeze laws, and report on the results in the first quarter
of 2008.
D. LAW ENFORCEMENT: PROSECUTING AND PUNISHING
IDENTITY THIEVES
The two keys to preventing identity theft are (1) preventing access to sensitive
consumer information through better data security and increased education,
and (2) preventing the misuse of information that may be obtained
by would-be identity thieves. Should those mechanisms fail, strong criminal
law enforcement is necessary to both punish and deter identity thieves.
The increased awareness about identity theft in recent years has made it
necessary for many law enforcement agencies at all levels of government
to devote additional resources to investigating identity theft-related crimes.
The principal federal law enforcement agencies that investigate identity
theft are the FBI, the United States Secret Service, the United States Postal
Inspection Service, SSA OIG, and ICE. Other agencies, as well as other
federal Inspectors General, also may become involved in identity theft
investigations.
In investigating identity theft, law enforcement agencies use a wide
range of techniques, from physical surveillance to financial analysis to
computer forensics. Identity theft investigations are labor-intensive, and
because no single investigator can possess all of the skill sets needed to
handle each of these functions, the investigations often require multiple
detectives, analysts, and agents. In addition, when a suspected identity
theft involves large numbers of potential victims, investigative agencies
may need additional personnel to handle victim-witness coordination and
information issues.
In September 2006, the Michigan Attorney General won the conviction
of a prison inmate who had orchestrated an elaborate scheme to claim tax
refunds owed to low income renters through the state's homestead property
tax program. Using thousands of identities, the defendant and his cohorts
were detected by alert U.S. Postal carriers who were suspicious of the large
number of Treasury checks mailed to certain addresses.
During the last several years, federal and state agencies have aggressively
enforced the laws that prohibit the theft of identities. All 50 states and
the District of Columbia have some form of legislation that prohibits
identity theft, and in all those jurisdictions, except Maine, identity theft
can be a felony. See Volume II, Part H, for a description of state criminal
law enforcement efforts. In the federal system, a wide range of statutory
provisions is used to investigate and prosecute identity theft including,
most notably, the aggravated identity theft statute75 enacted in 2004, which
carries a mandatory two-year prison sentence. Since then, DOJ has made
increasing use of the aggravated identity theft statute: in Fiscal Year 2006,
DOJ charged 507 defendants with aggravated identity theft, up from 226
defendants charged with aggravated identity theft in Fiscal Year 2005. In
many of these cases, the courts have imposed substantial sentences. See
Volume II, Part I, for a description of sentencing in federal identity theft
prosecutions.
The Department of Justice also has initiated many special identity theft
initiatives in recent years. The first of these, in May 2002, involved 73
criminal prosecutions by U.S. Attorney's Offices against 135 individuals
in 24 federal districts. Since then, identity theft has played an integral part
in several initiatives that DOJ and other agencies have directed at online
economic crime. For example, Operation Cyber Sweep, a November
2003 initiative targeting Internet-related economic crime, resulted in
the arrest or conviction of more than 125 individuals and the return of
indictments against more than 70 people involved in various types of
Internet-related fraud and economic crime. See Volume II, Part J, for a
description of special enforcement and prosecution initiatives.
1. COORDINATION AND INTELLIGENCE/INFORMATION SHARING
Federal law enforcement agencies have recognized the importance of
coordination among agencies and of information sharing between law
enforcement and the private sector. Coordination has been challenging,
however, for several reasons: identity theft data currently reside in
numerous databases; there is no standard reporting form for all identity
theft complaints; and many law enforcement agencies have limited
resources. Given these challenges, law enforcement has responded to the
need for greater cooperation by, among other things, forming interagency
task forces and developing formal intelligence-sharing mechanisms. Law
enforcement also has worked to develop methods of facilitating the timely
receipt and analysis of identity theft complaint data and other intelligence.
In Operation Firewall, the Secret Service was responsible for the
first-ever takedown of a large illegal online bazaar. Using the website
www.shadowcrew.com, the Shadowcrew organization had thousands of members
engaged in the online trafficking of stolen identity information and
documents, such as drivers' licenses, passports, and Social Security cards,
as well as stolen credit card, debit card, and bank account numbers. The
Shadowcrew members trafficked in at least 1.7 million stolen credit card
numbers and caused total losses in excess of $4 million. The Secret
Service successfully shut down the website following a year-long undercover
investigation, which resulted in the arrests of 21 individuals in the
United States on criminal charges in October 2004. Additionally, law
enforcement officers in six foreign countries arrested or searched eight
individuals.
a. Sources of Identity Theft Information
Currently, federal law enforcement has a number of sources of
information about identity theft. The primary source of direct
consumer complaint data is the FTC, which, through its Identity
Theft Clearinghouse, makes available to law enforcement through a
secure website the complaints it receives. Internet-related identity theft
complaints also are received by the Internet Crime Complaint Center
(IC3), a joint venture of the FBI and National White Collar Crime
Center. The IC3 develops case leads from the complaints it receives and
sends them to law enforcement throughout the country. Additionally,
a special component of the FBI that works closely with the IC3 is the
Cyber Initiative and Resource Fusion Unit (CIRFU). The CIRFU, based
in Pittsburgh, facilitates the operation of the National Cyber Forensic
Training Alliance (NCFTA), a public/private alliance and fusion center,
by maximizing intelligence development and analytical resources
from law enforcement and critical industry partners. The U.S. Postal
Inspection Service also hosts its Financial Crimes Database, a web-based
national database available to U.S. Postal Service inspectors for use in
analyzing mail theft and identity theft complaints received from various
sources. These are but a few of the sources of identity theft data for
law enforcement. See Volume II, Part K, for a description of how law
enforcement obtains and analyzes identity theft data.
Private sector entities, including the financial services industry and
credit reporting agencies, also are important sources of identity theft
information for law enforcement agencies. They often are best positioned
to identify early anomalies in various components of the e-commerce
environment in which their businesses interact, which may represent the
earliest indicators of an identity theft scenario. For this reason and others,
federal law enforcement has undertaken numerous public- and private-sector
collaborations in recent years to improve information sharing.
For example, corporations have placed analysts and investigators with
IC3 in support of initiatives and investigations. In addition, ITAC, the
cooperative initiative of the financial services industry, shares information
with law enforcement and the FTC to help catch and convict the criminals
responsible for identity theft. See Volume II, Part K, for a description of
other private sector sources of identity theft data. Such alliances enable
critical industry experts and law enforcement agencies to work together
to more expeditiously receive and process information and intelligence
vital both to early identification of identity theft schemes and rapid
development of aggressive investigations and mitigation strategies, such
as public service advisories. At the same time, however, law enforcement
agencies report that they have encountered obstacles in obtaining support
and assistance from key private-sector stakeholders in some cases, absent
legal process, such as subpoenas, to obtain information.
One barrier to more complete coordination is that identity theft
information resides in multiple databases, even within individual law
enforcement agencies. A single instance of identity theft may result in
information being posted at federal, state, and local law enforcement
agencies, credit reporting agencies, credit issuers, financial institutions,
telecommunications companies, and regulatory agencies. This, in turn,
leads to the inefficient stove-piping of relevant data and intelligence.
Additionally, in many cases, agencies do not or cannot share information
with other agencies, making it difficult to determine whether an identity
theft complaint is related to a single incident or a series of incidents. This
problem may be even more pronounced at the state and local levels.
b. Format for Sharing Information and Intelligence
A related issue is the inability of the primary law enforcement agencies
to communicate electronically using a standard format, which greatly
impedes the sharing of criminal law enforcement information. When
data collection systems use different formats to describe the same event
or fact, at least one of the systems must be reprogrammed to fit the other
program's terms. Where several hundred variables are involved, the
programming resources required to connect the two databases can be an
insurmountable barrier to data exchange.
To address that concern, several law enforcement organizations, including
the International Association of Chiefs of Police's (IACP) Private
Sector Liaison Committee and the Major Cities Chiefs (MCC), have
recommended developing a standard electronic identity theft police report
form. Reports that use a standard format could be shared among law
enforcement agencies and stored in a national repository for investigatory
purposes.
c. Mechanisms for Sharing Information
Law enforcement uses a variety of mechanisms to facilitate information
sharing and intelligence analysis in identity-theft investigations. See
Volume II, Part L, for a description of federal law enforcement outreach
efforts. As just one example, the Regional Information Sharing Systems
(RISS) Program is a long-standing, federally-funded program to support
regional law enforcement efforts to combat identity theft and other crimes.
Within that program, law enforcement has established intelligence-sharing
systems. These include, for example, the Regional Identity Theft
Network (RITNET), created to provide Internet-accessible identity theft
information for federal, state, and local law enforcement agencies within
the Eastern District of Pennsylvania. RITNET is designed to include data
from the FTC, law enforcement agencies, and the banking industry, and
allow investigators to connect crimes committed in various jurisdictions
and link investigators. It also will collect information on all reported
frauds, regardless of size, thereby eliminating the advantage identity
thieves have in keeping theft amounts low.
Multi-agency working groups and task forces are another successful
investigative approach, allowing different agencies to marshal resources,
share intelligence, and coordinate activities. Federal authorities lead or
co-lead over 90 task forces and working groups devoted (in whole or in part)
to identity theft. See Volume II, Part M, for a description of interagency
working groups and task forces.
Despite these efforts, coordination among agencies can be improved.
Better coordination would help law enforcement officers connect the
dots in investigations and pool limited resources.
RECOMMENDATION: ESTABLISH A NATIONAL IDENTITY
THEFT LAW ENFORCEMENT CENTER
The Task Force recommends that the federal government
establish, as resources permit, an interagency National Identity
Theft Law Enforcement Center to better consolidate, analyze,
and share identity theft information among law enforcement
agencies, regulatory agencies, and the private sector. This
effort should be led by the Department of Justice and include
representatives of federal law enforcement agencies, including
the FBI, the Secret Service, the U.S. Postal Inspection Service,
the SSA OIG, and the FTC. Leveraging existing resources,
increased emphasis should be placed on the analysis of identity
theft complaint data and other information and intelligence
related to identity theft from public and private sources, including
from identity theft investigations. This information should be
made available to appropriate law enforcement at all levels to
aid in the investigation, prosecution, and prevention of identity
theft crimes, including to target organized groups of identity
thieves and the most serious offenders operating both in the
United States and abroad. Effective mechanisms that enable law
enforcement officers from around the country to share, access,
and search appropriate law enforcement information around-the-clock,
including through remote access, should also be
developed. As an example, intelligence from documents seized
during investigations could help facilitate the ability of agents
and officers to connect the dots between various investigations
around the country.
In a case prosecuted by the United States Attorney's Office for the
Eastern District of Pennsylvania, a gang purchased 180 properties using
false or stolen names. The thieves colluded to procure inflated appraisals
for the properties, obtained financing, and drained the excess profits for
their own benefit, resulting in harm to the identity theft victims and to
the neighborhood when most of the properties went into foreclosure.
RECOMMENDATION: DEVELOP AND PROMOTE
THE ACCEPTANCE OF A UNIVERSAL IDENTITY THEFT
REPORT FORM
The Task Force recommended in its interim recommendations
that the federal government, led by the FTC, develop and promote
a universal police report like that recommended by the
IACP and MCC, a standard document that an identity theft
victim could complete, print, and take to any local law enforcement
agency for verification and incorporation into the police
department's report system. This would make it easier for victims
to obtain these reports, facilitate entry of the information
into a central database that could be used by law enforcement to
analyze patterns and trends, and initiate more investigations of
identity theft.
Criminal law enforcers, the FTC, and representatives of financial
institutions, the consumer data industry, and consumer advocacy
groups have worked together to develop a standard form that
meets this need and captures essential information. The resulting
Identity Theft Complaint (Complaint) form was made
available in October 2006 via the FTC's Identity Theft website,
www.ftc.gov/idtheft. Consumers can print copies of their completed
Complaint and take it to their police station, where it can
be used as the basis for a police report. The Complaint provides
much greater specificity about the details of the crime than would
a typical police report, so consumers will be able to submit it to
credit reporting agencies and creditors to assist in resolving their
identity theft-related problems. Further, the information they
enter into the Complaint will be collected in the FTC's Identity
Theft Data Clearinghouse, thus enriching this source of consumer
complaints for law enforcement. This system also relieves the
burden on local law enforcement because consumers are completing
the detailed Complaint before filing their police report.
rECOMMENDATION: ENHANCE INFOrMATION SHArING
BETWEEN LAW ENFOrCEMENT AND THE PrIVATE SECTOr
Becausetheprivatesectoringeneral,andfinancialinstitutions
inparticular,areanimportantsourceof identitytheft-related
informationforlawenforcement,theTaskForcerecommends
thefollowingstepstoenhanceinformationsharingbetweenlaw
enforcementandtheprivatesector:

Enhance Ability of Law Enforcement to Receive Information From Financial Institutions. Section 609(e) of the Fair Credit Reporting Act enables identity theft victims to receive identity theft-related documents and to designate law enforcement agencies to receive the documents on their behalf. Despite that fact, law enforcement agencies have sometimes encountered difficulties in obtaining such information without a subpoena. By the second quarter of 2007, DOJ should initiate discussions with the financial sector to ensure greater compliance with this law, and should include other law enforcement agencies in these discussions. DOJ, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With the Financial Services Industry on Countermeasures to Identity Thieves. Federal law enforcement agencies, led by the U.S. Postal Inspection Service, should continue discussions with the financial services industry as early as the second quarter of 2007 to develop more effective fraud prevention measures to deter identity thieves who acquire data through mail theft. Discussions should include use of the Postal Inspection Service's current Financial Industry Mail Security Initiative. The Postal Inspection Service, on an ongoing basis, should compile any recommendations that may result from those discussions and, where appropriate, relay those recommendations to the appropriate private or public sector entity for action.

Initiate Discussions With Credit Reporting Agencies On Preventing Identity Theft. By the second quarter of 2007, DOJ should initiate discussions with the credit reporting agencies on possible measures that would make it more difficult for identity thieves to obtain credit based on access to a victim's credit report. The discussions should include other law enforcement agencies, including the FTC. DOJ, on an ongoing basis, should compile any recommendations that may result from the discussions and, where appropriate, relay the recommendations to the appropriate private or public sector entity for action.

2. Coordination With Foreign Law Enforcement

Federal enforcement agencies have found that a significant portion of the identity theft committed in the United States originates in other countries. Therefore, coordination and cooperation with foreign law enforcement is essential. A positive step by the United States in ensuring
such coordination was the ratification of the Convention on Cybercrime (2001). The Cybercrime Convention is the first multilateral instrument drafted to address the problems posed by the spread of criminal activity on computer networks, including offenses that relate to the stealing of personal information and the exploitation of that information to commit fraud. The Cybercrime Convention requires parties to establish laws against these offenses, to ensure that domestic laws give law enforcement officials the necessary legal authority to gather electronic evidence, and to provide international cooperation to other parties in the fight against computer-related crime. The United States participated in the drafting of the Convention and, in November 2001, was an early signatory.

Because of the international nature of many forms of identity theft, providing assistance to, and receiving assistance from, foreign law enforcement on identity theft is critical for U.S. enforcement agencies. Under current law, the United States generally is able to provide such assistance, which fulfills our obligations under various treaties and enhances our ability to obtain reciprocal assistance from foreign agencies. Indeed, there are numerous examples of collaborations between U.S. and foreign law enforcement in identity theft investigations.

Nevertheless, law enforcement faces several impediments in their ability to coordinate efforts with foreign counterparts. First, even though federal law enforcement agencies have successfully identified numerous foreign suspects trafficking in stolen consumer information, their ability to arrest and prosecute these criminals is very limited. Many countries do not have laws directly addressing identity theft, or have general fraud laws that do not parallel those in the United States. Thus, investigators in the United States may be able to prove violations of American identity theft statutes, yet be unable to show violations of the foreign country's law. This can impact cooperation on extradition or collection of evidence necessary to prosecute offenders in the United States. Additionally, some foreign governments are unwilling to cooperate fully with American law enforcement representatives, or may cooperate but fail to aggressively prosecute offenders or seize criminal assets.

Second, certain statutes governing foreign requests for electronic and other evidence (specifically, 18 U.S.C. § 2703 and 28 U.S.C. § 1782) fail to make clear whether, how, and in which court certain requests can be fulfilled. This jurisdictional uncertainty has impeded the ability of American law enforcement officers to assist their counterparts in other countries who are conducting identity theft investigations.

The FBI Legal Attache in Bucharest recently contributed to the development and launch of www.efrauda.ro, a Romanian government website for the collection of fraud complaints based on the IC3 model. The IC3 also provided this Legal Attache with complaints received by U.S. victims who were targets of a Romanian Internet crime ring. The complaint forms provided to Romanian authorities via the Legal Attache assisted the Romanian police and Ministry of Justice with the prosecution of Romanian subjects.

RECOMMENDATION: ENCOURAGE OTHER COUNTRIES TO ENACT SUITABLE DOMESTIC LEGISLATION CRIMINALIZING IDENTITY THEFT

The Department of Justice, after consulting with the Department of State, should formally encourage other countries to enact suitable domestic legislation criminalizing identity theft. A number of countries already have adopted, or are considering adopting, criminal identity-theft offenses. In addition, since 2005, the United Nations Crime Commission (UNCC) has convened an international Expert Group to examine the worldwide problem of fraud and identity theft. That Expert Group is drafting a report to the UNCC (for presentation in 2007) that is expected to describe the major trends in fraud and identity theft in numerous countries and to offer recommendations on best practices by governments and the private sector to combat fraud and identity theft. DOJ should provide input to the Expert Group concerning the need for the criminalization of identity theft worldwide.

RECOMMENDATION: FACILITATE INVESTIGATION AND PROSECUTION OF INTERNATIONAL IDENTITY THEFT BY ENCOURAGING OTHER NATIONS TO ACCEDE TO THE CONVENTION ON CYBERCRIME, OR TO ENSURE THAT THEIR LAWS AND PROCEDURES ARE AT LEAST AS COMPREHENSIVE

Global acceptance of the Convention on Cybercrime will help to assure that all countries have the legal authority to collect electronic evidence and the ability to cooperate in trans-border identity theft investigations that involve electronic data. The U.S. government should continue its efforts to promote universal accession to the Convention and assist other countries in bringing their laws into compliance with the Convention's standards. The Department of State, in close coordination with the Department of Justice and Department of Homeland Security, should lead this effort through appropriate bilateral and multilateral outreach mechanisms. Other agencies, including the Department of Commerce and the FTC, should participate in these outreach efforts as appropriate. This outreach effort began years ago in a number of international settings, and should continue until broad international acceptance of the Convention on Cybercrime is achieved.

RECOMMENDATION: IDENTIFY COUNTRIES THAT HAVE BECOME SAFE HAVENS FOR PERPETRATORS OF IDENTITY THEFT AND TARGET THEM FOR DIPLOMATIC AND ENFORCEMENT INITIATIVES FORMULATED TO CHANGE THEIR PRACTICES.

Safe havens for perpetrators of identity theft and individuals who aid and abet such illegal activities should not exist. However, the inaction of law enforcement agencies in some countries has turned those countries into breeding grounds for sophisticated criminal networks devoted to identity theft. Countries that tolerate the existence of such criminal networks encourage their growth and embolden perpetrators to expand their operations. In 2007, the U.S. law enforcement community, with input from the international law enforcement community, should identify the countries that are safe havens for identity thieves. Once identified, the U.S. government should use appropriate diplomatic measures and any suitable enforcement mechanisms to encourage those countries to change their practices.

RECOMMENDATION: ENHANCE THE U.S. GOVERNMENT'S ABILITY TO RESPOND TO APPROPRIATE FOREIGN REQUESTS FOR EVIDENCE IN CRIMINAL CASES INVOLVING IDENTITY THEFT

The Task Force recommends that Congress clarify which courts can respond to appropriate foreign requests for electronic and other evidence in criminal investigations, so that the United States can better provide prompt assistance to foreign law enforcement in identity theft cases. This clarification can be accomplished by amending 18 U.S.C. § 2703 and making accompanying amendments to 18 U.S.C. §§ 2711 and 3127, and by enacting a new statute, 18 U.S.C. § 3512, which would supplement the foreign assistance authority of 28 U.S.C. § 1782. Proposed language for these legislative changes is available in Appendix D (text of amendments to 18 U.S.C. §§ 2703, 2711, and 3127, and text of new language for 18 U.S.C. § 3512).

RECOMMENDATION: ASSIST, TRAIN, AND SUPPORT FOREIGN LAW ENFORCEMENT

Because the investigation of major identity theft rings increasingly will require foreign cooperation, federal law enforcement agencies, led by DOJ, FBI, Secret Service, USPIS, and ICE, should assist, train, and support foreign law enforcement through the use of Internet intelligence-collection entities, including IC3 and CIRFU, and continue to make it a priority to work with other countries in joint investigations targeting identity theft. This work should begin in the third quarter of 2007.

3. Prosecution Approaches and Initiatives

As part of its effort to prosecute identity theft aggressively, DOJ, since 2002, has conducted a number of enforcement initiatives that have focused, in whole or in part, on identity theft. In addition to broader enforcement initiatives led by DOJ, various individual U.S. Attorney's Offices have undertaken their own identity theft efforts. For example, the U.S. Attorney's Office in the District of Oregon has an identity theft "fast track" program that requires eligible defendants to plead guilty to aggravated identity theft and agree, without litigation, to a 24-month minimum mandatory sentence. Under this program, it is contemplated that defendants will plead guilty and be sentenced on the same day, without the need for a pre-sentence report to be completed prior to the guilty plea, and waive all appellate and post-conviction remedies. In exchange for their pleas of guilty, defendants are not charged with the predicate offense, such as bank fraud or mail theft, which would otherwise result in a consecutive sentence under the United States Sentencing Guidelines. In addition, two U.S. Attorney's Offices have collaborated on a special initiative to combat passport fraud, known as Operation Checkmate. See Volume II, Part J.

Notwithstanding these efforts, challenges remain for federal law enforcement. Because of limited resources and a shortage of prosecutors, many U.S. Attorney's Offices have monetary thresholds (i.e., requirements that a certain amount of monetary loss must have been suffered by the victims) before the U.S. Attorney's Office will open an identity theft case. When a U.S. Attorney's Office declines to open a case based on a monetary threshold, investigative agents cannot obtain additional information through grand jury subpoenas that could help to uncover more substantial monetary losses to the victims.

RECOMMENDATION: INCREASE PROSECUTIONS OF IDENTITY THEFT

The Task Force recommends that, to further increase the number of prosecutions of identity thieves, the following steps should be taken:

Designate An Identity Theft Coordinator for Each United States Attorney's Office To Design a Specific Identity Theft Program for Each District. DOJ should direct that each U.S. Attorney's Office, by June 2007, designate one Assistant U.S. Attorney who should serve as a point of contact and source of expertise within that office for other prosecutors and agents. That Assistant U.S. Attorney also should assist each U.S. Attorney in making a district-specific determination about the areas on which to focus to best address the problem of identity theft. For example, in some southwest border districts, identity theft may be best addressed by stepping up efforts to prosecute immigration fraud. In other districts, identity theft may be best addressed by increasing prosecutions of bank fraud schemes or by making an effort to add identity theft violations to the charges that are brought against those who commit wire/mail/bank fraud schemes through the misappropriation of identities.

Evaluate Monetary Thresholds for Prosecution. By June 2007, the investigative agencies and U.S. Attorney's Offices should re-evaluate current monetary thresholds for initiating identity theft cases and, specifically, should consider whether monetary thresholds for accepting such cases for prosecution should be lowered in light of the fact that investigations often reveal additional loss and additional victims, that monetary loss may not always adequately reflect the harm suffered, and that the aggravated identity theft statute makes it possible for the government to obtain significant sentences even in cases where precisely calculating the monetary loss is difficult or impossible.

Encourage State Prosecution of Identity Theft. DOJ should explore ways to increase resources and training for local investigators and prosecutors handling identity theft cases. Moreover, each U.S. Attorney, by June 2007, should engage in discussions with state and local prosecutors in his or her district to encourage those prosecutors to accept cases that do not meet appropriately-set thresholds for federal prosecution, with the understanding that these cases need not always be brought as identity theft cases.

Create Working Groups and Task Forces. By the end of 2007, U.S. Attorneys and investigative agencies should create or make increased use of interagency working groups and task forces devoted to identity theft. Where funds for a task force are unavailable, consideration should be given to forming working groups with non-dedicated personnel.

RECOMMENDATION: CONDUCT TARGETED ENFORCEMENT INITIATIVES

Law enforcement agencies should continue to conduct enforcement initiatives that focus exclusively or primarily on identity theft. The initiatives should pursue the following:

Unfair or Deceptive Means to Make SSNs Available for Sale. Beginning immediately, law enforcement should more aggressively target the community of businesses on the Internet that sell individuals' SSNs or other sensitive information to anyone who provides them with the individual's name and other limited information. The SSA OIG and other agencies also should continue or initiate investigations of entities that use unlawful means to make SSNs and other sensitive personal information available for sale.

Identity Theft Related to the Health Care System. HHS should continue to investigate identity theft related to Medicare fraud. As part of this effort, HHS should begin to work with state authorities immediately to provide for stronger state licensure and certification of providers, practitioners, and suppliers. Schemes to defraud Medicare may involve the theft of beneficiaries' and providers' identities and identification numbers, the opening of bank accounts in individuals' names, and the submission of fraudulent Medicare claims. Medicare payment is linked to state licensure and certification of providers, practitioners, and suppliers as business entities. Lack of state licensure and certification laws and/or laws that do not require identification and location information of owners and officers of providers, practitioners and suppliers, can hamper the ability of HHS to stop identity theft related to fraudulent billing of the Medicare program.

Identity Theft By Illegal Aliens. Law enforcement agencies, particularly the Department of Homeland Security, should conduct targeted enforcement initiatives directed at illegal aliens who use stolen identities to enter or stay in the United States.

RECOMMENDATION: REVIEW CIVIL MONETARY PENALTY PROGRAMS

By the fourth quarter of 2007, federal agencies, including the SEC, the federal bank regulatory agencies, and the Department of Treasury, should review their civil monetary penalty programs to assess whether they adequately address identity theft. If they do not, analysis should be done as to what, if any, remedies, including legislation, would be appropriate, and any such legislation should be proposed by the first quarter of 2008. If a federal agency does not have a civil monetary penalty program, the establishment of such a program with respect to identity theft should be considered.

4. Statutes Criminalizing Identity-Theft Related Offenses: The Gaps

Federal law enforcement has successfully investigated and prosecuted identity theft under a variety of criminal statutes. Effective prosecution can be hindered in some cases, however, as a result of certain gaps in those statutes. At the same time, a gap in one aspect of the U.S. Sentencing Guidelines has precluded some courts from enhancing the sentences for some identity thieves whose conduct affected multiple victims. See Volume II, Part N, for an additional description of federal criminal statutes used to prosecute identity theft.

a. The Identity Theft Statutes

The two federal statutes that directly criminalize identity theft are the identity theft statute (18 U.S.C. § 1028(a)(7)) and the aggravated identity theft statute (18 U.S.C. § 1028A(a)). The identity theft statute generally prohibits the possession or use of a means of identification of a person in connection with any unlawful activity that either constitutes a violation of federal law or that constitutes a felony under state or local law.[76] Similarly, the aggravated identity theft statute generally prohibits the possession or use of a means of identification of another person during the commission of, or in relation to, any of several enumerated federal felonies, and provides for enhanced penalties in those situations.

There are two gaps in these statutes, however. First, because both statutes are limited to the illegal use of a means of identification of a person, it is unclear whether the government can prosecute an identity thief who misuses the means of identification of a corporation or organization, such as the name, logo, trademark, or employer identification number of a legitimate business. This gap means that federal prosecutors cannot use those statutes to charge identity thieves who, for example, create and use
counterfeit documents or checks in the name of a corporation, or who engage in phishing schemes that use an organization's name. Second, the enumerated felonies in the aggravated identity theft statute do not include certain crimes that recur in identity theft and fraud cases, such as mail theft, uttering counterfeit securities, tax fraud, and conspiracy to commit certain offenses.

b. Computer-Related Identity Theft Statutes

Two of the federal statutes that apply to computer-related identity theft have similar limitations that preclude their use in certain important circumstances. First, 18 U.S.C. § 1030(a)(2) criminalizes the theft of information from a computer. However, federal courts only have jurisdiction if the thief uses an interstate communication to access the computer (unless the computer belongs to the federal government or a financial institution). As a result, the theft of personal information either by a corporate insider using the company's internal local networks, or by a thief intruding into a wireless network, generally would not involve an interstate communication and could not be prosecuted under this statute. In one case in North Carolina, for instance, an individual broke into a hospital computer's wireless network and thereby obtained patient information. State investigators and the victim asked the United States Attorney's Office to support the investigation and charge the criminal. Because the communications occurred wholly intrastate, however, no federal law criminalized the conduct.

A second limitation is found in 18 U.S.C. § 1030(a)(5), which criminalizes actions that cause damage to computers, i.e., that impair the integrity or availability of data or computer systems.[77] Absent special circumstances, the loss caused by the criminal conduct must exceed $5,000 to constitute a federal crime. Many identity thieves obtain personal information by installing malicious spyware, such as keyloggers, on many individuals' computers. Whether the programs succeed in obtaining the unsuspecting computer owner's financial data, these sorts of programs harm the integrity of the computer and data. Nevertheless, it is often difficult or impossible to measure the loss this damage causes to each computer owner, or to prove that the total value of these many small losses exceeds $5,000.

c. Cyber-Extortion Statute

Another federal criminal statute that may apply in some computer-related identity theft cases is the cyber-extortion provision of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(7). This provision, which prohibits the transmission of a threat to cause damage to a protected computer,[78] is used to prosecute criminals who threaten to delete data,
crash computers, or knock computers off of the Internet using a denial of service attack. Some cyber-criminals extort companies, however, without explicitly threatening to cause damage to computers. Instead, they steal confidential data and then threaten to make it public if their demands are not met. In other cases, the criminal causes the damage first (such as by accessing a corporate computer without authority and encrypting critical data) and then threatens not to correct the problem unless the victim pays. Thus, the requirement in section 1030(a)(7) that the defendant must explicitly threaten to cause damage can preclude successful prosecutions for cyber-extortion under this statute under certain circumstances.

d. Sentencing Guidelines Governing Identity Theft

In recent years, the courts have created some uncertainty about the applicability of the multiple victim enhancement provision of the U.S. Sentencing Guidelines in identity theft cases. This provision allows courts to increase the sentence for an identity thief who victimizes more than one person. It is unclear, however, whether this sentencing enhancement applies when the victims have not sustained actual monetary loss. For example, in some jurisdictions, when a financial institution indemnifies 20 victims of unauthorized charges to their credit cards, the courts consider the financial institution to be the only victim. In such cases, the identity thief therefore may not be penalized for having engaged in conduct that harmed 20 people, simply because those 20 people were later indemnified. This interpretation of the Sentencing Guidelines conflicts with a primary purpose of the Identity Theft and Assumption Deterrence Act of 1998: to vindicate the interests of individual identity theft victims.[79]

RECOMMENDATION: CLOSE THE GAPS IN FEDERAL CRIMINAL STATUTES USED TO PROSECUTE IDENTITY-THEFT RELATED OFFENSES TO ENSURE INCREASED FEDERAL PROSECUTION OF THESE CRIMES

The Task Force recommends that Congress take the following legislative actions:

Amend the Identity Theft and Aggravated Identity Theft Statutes to Ensure That Identity Thieves Who Misappropriate Information Belonging to Corporations and Organizations Can Be Prosecuted. Proposed amendments to 18 U.S.C. §§ 1028 and 1028A are available in Appendix E.

Add Several New Crimes to the List of Predicate Offenses for Aggravated Identity Theft Offenses. The aggravated identity theft statute, 18 U.S.C. § 1028A, should include other federal offenses that recur in various identity-theft and fraud cases (mail theft, uttering counterfeit securities, and tax fraud, as well as conspiracy to commit specified felonies already listed in 18 U.S.C. § 1028A) in the statutory list of predicate offenses for that offense. Proposed additions to 18 U.S.C. § 1028A are contained in Appendix E.

Amend the Statute That Criminalizes the Theft of Electronic Data By Eliminating the Current Requirement That the Information Must Have Been Stolen Through Interstate Communications. The proposed amendment to 18 U.S.C. § 1030(a)(2) is available in Appendix F.

Penalize Malicious Spyware and Keyloggers. The statutory provisions in 18 U.S.C. § 1030(a)(5) should be amended to penalize appropriately the use of malicious spyware and keyloggers, by eliminating the current requirement that the defendant's action must cause damage to computers and that the loss caused by the conduct must exceed $5,000. Proposed amendments to 18 U.S.C. §§ 1030(a)(5), (c), and (g), and the accompanying amendment to 18 U.S.C. § 2332b(g), are included in Appendix G.

Amend the Cyber-Extortion Statute to Cover Additional, Alternate Types of Cyber-Extortion. The proposed amendment to 18 U.S.C. § 1030(a)(7) is available in Appendix H.

RECOMMENDATION: ENSURE THAT AN IDENTITY THIEF'S SENTENCE CAN BE ENHANCED WHEN THE CRIMINAL CONDUCT AFFECTS MORE THAN ONE VICTIM

The Sentencing Commission should amend the definition of "victim," as that term is used under United States Sentencing Guideline section 2B1.1, to state clearly that a victim need not have sustained an actual monetary loss. This amendment will ensure that courts can enhance the sentences imposed on identity thieves who cause harm to multiple victims, even when that harm does not result in any monetary loss to the victims. The proposed amendment to United States Sentencing Guideline section 2B1.1 is available in Appendix I.

5. Training of Law Enforcement Officers and Prosecutors

Training can be the key to effective investigations and prosecutions, and much has been done in recent years to ensure that investigators and prosecutors have been trained on topics relating to identity theft. In addition to ongoing training by U.S. Attorney's Offices, for example, several federal law enforcement agencies (including DOJ, the Postal Inspection Service, the Secret Service, the FTC, and the FBI), along with the American Association of Motor Vehicle Administrators (AAMVA), have sponsored jointly over 20 regional, one-day training seminars on identity fraud for state and local law enforcement agencies across the country. See Volume II, Part O, for a description of training by and for investigators and prosecutors.

Nonetheless, the amount, focus, and coordination of law enforcement training should be expanded. Identity theft investigations and prosecutions involve particular challenges (including the need to coordinate with foreign authorities, some difficulties with the application of the Sentencing Guidelines, and the challenges that arise from the inevitable gap in time between the commission of the identity theft and the reporting of the identity theft) that warrant more specialized training at all levels of law enforcement.

RECOMMENDATION: ENHANCE TRAINING FOR LAW ENFORCEMENT OFFICERS AND PROSECUTORS

Develop Course at National Advocacy Center (NAC) Focused Solely on Investigation and Prosecution of Identity Theft. By the third quarter of 2007, DOJ's Office of Legal Education should complete the development of a course specifically focused on identity theft for prosecutors. The identity theft course should include, among other things: a review of the scope of the problem; a review of applicable statutes, forfeiture and sentencing guideline applications; an outline of investigative and case presentation techniques; training on addressing the unique needs of identity theft victims; and a review of programs for better utilizing collective resources (working groups, task forces, and any model programs: fast track programs, etc.).

Increase Number of Regional Identity Theft Seminars. In 2006, the federal agencies and the AAMVA held a number of regional identity theft seminars for state and local law enforcement officers. In 2007, the number of seminars should be increased. Additionally, the participating entities should coordinate with the Task Force to provide the most complete, targeted, and up-to-date training materials.

Increase Resources for Law Enforcement Available on the Internet. The identity theft clearinghouse site, www.idtheft.gov, should be used as the portal for law enforcement agencies to gain access to additional educational materials on investigating identity theft and responding to victims.

Review Curricula to Enhance Basic and Advanced Training on Identity Theft. By the fourth quarter of 2007, federal investigative agencies should review their own training curricula, and curricula of the Federal Law Enforcement Training Center, to ensure that they are providing the most useful training on identity theft.

6. Measuring Success of Law Enforcement Efforts

One shortcoming in the federal government's ability to understand and respond effectively to identity theft is the lack of comprehensive statistical data about the success of law enforcement efforts to combat identity theft. Specifically, there are few benchmarks that measure the activities of the various components of the criminal justice system in their response to identity thefts occurring within their jurisdictions, little data on state and local enforcement, and little information on how identity theft incidents are being processed in state courts.

Addressing these questions requires benchmarks and periodic data collection. The Bureau of Justice Statistics (BJS) has platforms in place, as well as the tools to create new platforms, to obtain information about identity theft from victims and the response to identity theft from law enforcement agencies, state and federal prosecutors, and courts.

RECOMMENDATION: ENHANCE THE GATHERING OF STATISTICAL DATA MEASURING THE CRIMINAL JUSTICE SYSTEM'S RESPONSE TO IDENTITY THEFT

Gather and Analyze Statistically Reliable Data from Identity Theft Victims. The BJS and FTC should continue to gather and analyze statistically reliable data from identity theft victims. The BJS should conduct its surveys in collaboration with subject matter experts from the FTC. BJS should add additional questions on identity theft to the household portion of its National Crime Victimization Survey (NCVS), and conduct periodic supplements to gather more in-depth information. The FTC should conduct a general identity theft survey approximately every three years, independently or in conjunction with BJS or other government agencies. The FTC also should conduct surveys focused more narrowly on issues related to the effectiveness of and compliance with the identity theft-related provisions of the consumer protection laws it enforces.

Expand Scope of National Crime Victimization Survey (NCVS). The scope of the annual NCVS should be expanded to collect information about the characteristics, consequences, and extent of identity theft for individuals ages 12 and older. Currently, information on identity theft is collected only from the household respondent and does not capture data on multiple victims in the household or multiple episodes of identity theft.

Review of Sentencing Commission Data. DOJ and the FTC should systematically review and analyze U.S. Sentencing Commission identity theft-related case files every two to four years, and should begin in the third quarter of 2007.

Track Prosecutions of Identity Theft and the Amount of Resources Spent. In order to better track resources spent on identity theft cases, DOJ should, by the second quarter of 2007, create an "Identity Theft" category on the monthly report that is completed by all Assistant United States Attorneys, and should revise its departmental case tracking application to allow for the reporting of offenses by individual subsections of section 1028. Additionally, BJS should incorporate additional questions in the National Survey of Prosecutors to better understand the impact identity theft is having on prosecutorial resources.

Conduct Targeted Surveys. In order to expand law enforcement knowledge of the identity theft response and prevention activities of state and local police, BJS should undertake new data collections in specified areas. Proposed details of those surveys are included in Appendix J.

IV. Conclusion: The Way Forward
There is no magic bullet that will eradicate identity theft. To successfully combat identity theft and its effects, we must keep personal information out of the hands of thieves; take steps to prevent an identity thief from misusing any data that may end up in his hands; prosecute him vigorously if he succeeds in committing the crime; and do all we can to help the victims recover.

Only a comprehensive and fully coordinated strategy to combat identity theft (one that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and that fully engages federal, state, and local authorities and the private sector) will have any chance of solving the problem. This proposed strategic plan strives to set out such a comprehensive approach to combating identity theft, but it is only the beginning. Each of the stakeholders (consumers, business and government) must fully and actively participate in this fight for us to succeed, and must stay attuned to emerging trends in order to adapt and respond to developing threats to consumer well-being.

Appendices
APPENDIX A
Identity Theft Task Force's Guidance Memorandum on Data Breach
Protocol

APPENDIX B
Proposed Routine Use Language
Subsection (b)(3) of the Privacy Act provides that information from an
agency's system of records may be disclosed without a subject individual's
consent if the disclosure is "for a routine use as defined in subsection (a)(7) of
this section and described under subsection (e)(4)(D) of this section." 5 U.S.C.
552a(b)(3). Subsection (a)(7) of the Act states that "the term 'routine use'
means, with respect to the disclosure of a record, the use of such record for a
purpose which is compatible with the purpose for which it was collected."
5 U.S.C. 552a(a)(7). The Office of Management and Budget, which
pursuant to subsection (v) of the Privacy Act has guidance and oversight
responsibility for the implementation of the Act by federal agencies,
has advised that the compatibility concept encompasses (1) functionally
equivalent uses, and (2) other uses that are necessary and proper. 52 Fed. Reg.
12,990, 12,993 (Apr. 20, 1987). In recognition of and in accordance with
the Act's legislative history, OMB in its initial Privacy Act guidance stated
that "[t]he term routine use ... recognizes that there are corollary purposes
compatible with the purpose for which [the information] was collected that
are appropriate and necessary for the efficient conduct of government and in
the best interest of both the individual and the public." 40 Fed. Reg. 28,948,
28,953 (July 9, 1975). A routine use to provide for disclosure in connection
with response and remedial efforts in the event of a breach of federal data
would certainly qualify as such a necessary and proper use of information,
a use that is in the best interest of both the individual and the public.
Subsection (e)(4)(D) of the Privacy Act requires that agencies publish
notification in the Federal Register of "each routine use of the records
contained in the system, including the categories of users and the purpose
of such use." 5 U.S.C. 552a(e)(4)(D). The Department of Justice has
developed the following routine use that it plans to apply to its Privacy Act
systems of records, and which allows for disclosure as follows:
80
To appropriate agencies, entities, and persons when (1) the Department
suspects or has confirmed that the security or confidentiality of
information in the system of records has been compromised; (2) the
Department has determined that as a result of the suspected or confirmed
compromise there is a risk of harm to economic or property interests,
identity theft or fraud, or harm to the security or integrity of this system
or other systems or programs (whether maintained by the Department or
another agency or entity) that rely upon the compromised information;
and (3) the disclosure made to such agencies, entities, and persons is
reasonably necessary to assist in connection with the Department's
efforts to respond to the suspected or confirmed compromise and prevent,
minimize, or remedy such harm.
Agencies should already have a published system of records notice for each of
their Privacy Act systems of records. To add a new routine use to an agency's
existing systems of records, an agency must simply publish a notice in the
Federal Register amending its existing systems of records to include the new
routine use.
Subsection (e)(11) of the Privacy Act requires that agencies publish a Federal
Register notice of any new routine use at least 30 days prior to its use and
provide an opportunity for interested persons to submit written data, views,
or arguments to the agency. 5 U.S.C. 552a(e)(11). Additionally, subsection
(r) of the Act requires that an agency provide Congress and OMB with
adequate advance notice of any proposal to make a significant change in
a system of records. 5 U.S.C. 552a(r). OMB has stated that the addition
of a routine use qualifies as a significant change that must be reported to
Congress and OMB and that such notice is to be provided at least 40 days
prior to the alteration. See Appendix I to OMB Circular No. A-130, Federal
Agency Responsibilities for Maintaining Records About Individuals, 61 Fed.
Reg. 6435, 6437 (Feb. 20, 1996). Once a notice is prepared for publication,
the agency would send it to the Federal Register, OMB, and Congress, usually
simultaneously, and the proposed change to the system (i.e., the new routine
use) would become effective 40 days thereafter. See id. at 6438 (regarding
timing of systems of records reports and noting that notice and comment
period for routine uses and period for OMB and congressional review may
run concurrently). Recognizing that each agency likely will receive different
types of comments in response to its notice, the Task Force recommends that
OMB work to ensure accuracy and consistency across the range of agency
responses to public comments.
APPENDIX C
Text of Amendments to 18 U.S.C. 3663(b) and 3663A(b)
Proposed Language:
(a) Section 3663 of Title 18, United States Code, is amended by:
(1) Deleting "and" at the end of paragraph (4) of subsection (b);
(2) Deleting the period at the end of paragraph (5) of subsection (b)
and inserting in lieu thereof "; and"; and
(3) Adding the following after paragraph (5) of subsection (b):
"(6) in the case of an offense under sections 1028(a)(7) or 1028A(a)
of this title, pay an amount equal to the value of the victim's time
reasonably spent in an attempt to remediate intended or actual
harm incurred from the offense.".

Make conforming changes to the following:
(b) Section 3663A of Title 18, United States Code, is amended by:
(1) Adding the following after Section 3663A(b)(4)
"(5) in the case of an offense under this title, section 1028(a)(7) or
1028A(a), pay an amount equal to the value of the victim's time
reasonably spent in an attempt to remediate intended or actual
harm incurred from the offense.".
Section Analysis
These new subsections provide that defendants may be ordered to pay restitution
to victims of identity theft and aggravated identity theft for the value of
the victim's time spent remediating the actual or intended harm of the offense.
Restitution could therefore include an amount equal to the value of the
victim's time spent clearing a victim's credit report or resolving charges made
by the perpetrator for which the victim has been made responsible.
New subsections 3663(b)(6) and 3663A(b)(5) of Title 18 would make clear
that restitution orders may include an amount equal to the value of the
victim's time spent remediating the actual or intended harm of the identity
theft or aggravated identity theft offense. The federal courts of appeals
have interpreted the existing provisions of Section 3663 in such a way that
would likely preclude the recovery of such amounts, absent explicit statutory
authorization. For example, in United States v. Arvanitis, 902 F.3d 489 (7th
Cir. 1990), the court held that restitution ordered for offenses resulting in
loss of property must be limited to recovery of property which is the subject
of the offenses, and may not include consequential damages. Similarly, in
United States v. Husky, 924 F.2d 223 (11th Cir. 1991), the Eleventh Circuit held
that the list of compensable expenses in a restitution statute is exclusive, and
thus the district court did not have the authority to order the defendant to
pay restitution to compensate the victim for mental anguish and suffering.
Finally, in United States v. Schinnell, 80 F.3d 1064 (5th Cir. 1996), the court
held that restitution was not allowed for consequential damages involved in
determining the amount of loss or in recovering those funds; thus, a victim
of wire fraud was not entitled to restitution for accounting fees and costs to
reconstruct bank statements for the time period during which the defendant
perpetuated the scheme, for the cost of temporary employees to reconstruct
monthly bank statements, and for the costs incurred in borrowing funds to
replace stolen funds. These new subsections will provide statutory authority
for inclusion of amounts equal to the value of the victim's time reasonably
spent remediating the harm incurred as a result of the identity theft offense.

APPENDIX D
Text of Amendments to 18 U.S.C. 2703, 2711 and 3127, and Text of
New Language for 18 U.S.C. 3512
The basis for these proposals is set forth in Section III.2 of the strategic plan,
which describes coordination with foreign law enforcement.
Proposed Language:
2703. Required disclosure of customer communications or records
(a) Contents of wire or electronic communications in electronic
storage. A governmental entity may require the disclosure by a
provider of electronic communication service of the contents of a
wire or electronic communication, that is in electronic storage in an
electronic communications system for one hundred and eighty days or
less, only pursuant to a warrant issued using the procedures described
in the Federal Rules of Criminal Procedure by a court with jurisdiction
over the offense under investigation by a court of competent jurisdiction
or an equivalent State warrant. A governmental entity may require
the disclosure by a provider of electronic communications services of
the contents of a wire or electronic communication that has been in
electronic storage in an electronic communications system for more than
one hundred and eighty days by the means available under subsection (b)
of this section.
(b) Contents of wire or electronic communications in a remote
computing service. (1) A governmental entity may require a provider
of remote computing service to disclose the contents of any wire or
electronic communication to which this paragraph is made applicable by
paragraph (2) of this subsection
(A) without required notice to the subscriber or customer, if the
governmental entity obtains a warrant issued using the procedures
described in the Federal Rules of Criminal Procedure by a court
with jurisdiction over the offense under investigation by a court of
competent jurisdiction or equivalent State warrant; or
(B) with prior notice from the governmental entity to the subscriber or
customer if the governmental entity
(i) uses an administrative subpoena authorized by a Federal or
State statute or a Federal or State grand jury or trial subpoena;
or
(ii) obtains a court order for such disclosure under subsection (d)
of this section;
except that delayed notice may be given pursuant to section 2705 of this title.
(c) Records concerning electronic communication service or remote
computing service. (1) A governmental entity may require a
provider of electronic communication service or remote computing
service to disclose a record or other information pertaining to a
subscriber to or customer of such service (not including the contents of
communications) only when the governmental entity
(A) obtains a warrant issued using the procedures described in the
Federal Rules of Criminal Procedure by a court with jurisdiction
over the offense under investigation by a court of competent
jurisdiction or equivalent State warrant;
2711. Definitions for chapter
As used in this chapter
(1) the terms defined in section 2510 of this title have, respectively, the
definitions given such terms in that section;
(2) the term "remote computing service" means the provision to the public
of computer storage or processing services by means of an electronic
communications system; and
(3) the term "court of competent jurisdiction" has the meaning assigned
by section 3127, and includes any Federal court within that definition,
without geographic limitation means
(A) any district court of the United States (including a magistrate judge of
such a court) or any United States court of appeals that
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic
communication service is located or in which the wire or electronic
communications, records, or other information are stored; or
(iii) is acting on a request for foreign assistance pursuant to section
3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by the law
of that State to issue search warrants.
3127. Definitions for chapter
As used in this chapter
(1) the terms "wire communication", "electronic communication",
"electronic communication service", and "contents" have the meanings
set forth for such terms in section 2510 of this title;
(2) the term "court of competent jurisdiction" means
(A) any district court of the United States (including a magistrate
judge of such a court) or any United States court of appeals having
jurisdiction over the offense being investigated that
(i) has jurisdiction over the offense being investigated;
(ii) is in or for a district in which the provider of electronic
communication service is located;
(iii) is in or for a district in which a landlord, custodian, or other
person subject to 3124(a) or (b) is located; or
(iv) is acting on a request for foreign assistance pursuant to section
3512 of this title; or
(B) a court of general criminal jurisdiction of a State authorized by
the law of that State to enter orders authorizing the use of a pen
register or a trap and trace device;
3512. Foreign requests for assistance in criminal investigations and prosecutions:
(a) Upon application of an attorney for the government, a Federal judge may
issue such orders as may be necessary to execute a request from a foreign
authority for assistance in the investigation or prosecution of criminal
offenses, or in proceedings related to the prosecution of criminal offenses
including but not limited to proceedings regarding forfeiture, sentencing,
and restitution. Such orders may include the issuance of a search warrant
as provided under Rule 41 of the Federal Rules of Criminal Procedure, a
warrant or order for contents of stored wire or electronic communications or
for records related thereto as provided under 18 U.S.C. 2703, an order for a
pen register or trap and trace device as provided under 18 U.S.C. 3123, or
an order requiring the appearance of a person for the purpose of providing
testimony or a statement, or requiring the production of documents or other
things, or both.
(b) In response to an application for execution of a request from a foreign
authority as described in subsection (a), a Federal judge may also issue an
order appointing a person to direct the taking of testimony or statements
or of the production of documents or other things, or both. A person so
appointed may be authorized to
(1) issue orders requiring the appearance of a person, or the
production of documents or other things, or both;
(2) administer any necessary oath; and
(3) take testimony or statements and receive documents or other
things.
(c) Except as provided in subsection (d), an application for execution of a request
from a foreign authority under this section may be filed
(1) in the district in which a person who may be required to appear resides
or is located or in which the documents or things to be produced are
located;
(2) in cases in which the request seeks the appearance of persons or
production of documents or things that may be located in multiple
districts, in any one of the districts in which such a person, documents
or things may be located; or
(3) in any case, the district in which a related Federal criminal investigation
or prosecution is being conducted, or in the District of Columbia.
(d) An application for a search warrant under this section, other than an
application for a warrant issued as provided under 18 U.S.C. 2703, must be
filed in the district in which the place or person to be searched is located.
(e) A search warrant may be issued under this section only if the foreign offense
for which the evidence is sought involves conduct that, if committed in the
United States, would be considered an offense punishable by imprisonment
for more than one year under federal or state law.
(f) Except as provided in subsection (d), an order or warrant issued pursuant to
this section may be served or executed in any place in the United States.
(g) This section does not preclude any foreign authority or an interested person
from obtaining assistance in a criminal investigation or prosecution pursuant
to 28 U.S.C. 1782.
(h) As used in this section
(1) the term foreign authority means a foreign judicial authority, a
foreign authority responsible for the investigation or prosecution of
criminal offenses or for proceedings related to the prosecution of
criminal offenses, or an authority designated as a competent authority
or central authority for the purpose of making requests for assistance
pursuant to an agreement or treaty with the United States regarding
assistance in criminal matters; and
(2) the terms Federal judge and attorney for the Government have
the meaning given such terms for the purposes of the Federal Rules of
Criminal Procedure.
APPENDIX E
Text of Amendments to 18 U.S.C. 1028 and 1028A
The basis for these proposed amendments is set forth in Section III.D.4.a of
the strategic plan, which describes gaps in the identity theft statutes.
Proposed Amendment to Aggravated Identity Theft Statute to Add
Predicate Offenses
Congress should amend the aggravated identity theft offense (18 U.S.C.
1028A) to include other federal offenses that recur in various identity-theft
and fraud cases, specifically, mail theft (18 U.S.C. 1708), uttering counterfeit
securities (18 U.S.C. 513), and tax fraud (26 U.S.C. 7201, 7206, and
7207), as well as conspiracy to commit specified felonies already listed in
section 1028A in the statutory list of predicate offenses for that offense
(18 U.S.C. 1028A(c)).
Proposed Additions to Both Statutes to Include Misuse of Identifying
Information of Organizations
(a) Section 1028(a) of Title 18, United States Code, is amended by inserting
in paragraph (7) the phrase "(including an organization as defined in
Section 18 of this Title)" after the word "person".
Section 1028A(a) of Title 18, United States Code, is amended by
inserting in paragraph (1) the phrase "(including an organization as
defined in Section 18 of this Title)" after the word "person".
(b) Section 1028(d)(7) of Title 18, United States Code, is amended by
inserting in paragraph (7) the phrase "or other person" after the word
"individual".
Rationale:
Corporate identity theft, whereby criminals assume the identity of corporate
entities to cloak fraudulent schemes in a misleading and deceptive air
of legitimacy, has become rampant. Criminals routinely engage in
unauthorized appropriation of legitimate companies' names and logos in a
variety of contexts: misrepresenting themselves as officers or employees of a
corporation, sending forged or counterfeit documents or financial instruments
to victims to improve their aura of legitimacy, and offering nonexistent
benefits (e.g., loans and credit cards) in the names of companies.
One egregious example of corporate identity theft is represented on
the Internet by the practice commonly known as phishing, whereby
criminals electronically assume the identity of a corporation in order to
defraud unsuspecting recipients of email solicitations to voluntarily disclose
identifying and financial account information. This personal information
is then used to further the underlying criminal scheme, for example, to
scavenge the bank and credit card accounts of these unwitting consumer
victims. Phishing is just one example of how criminals in mass-marketing
fraud schemes incorporate corporate identity theft into their schemes, though
phishing also is designed with individual identity theft in mind.
Phishing has become so routine in many major fraud schemes that no
particular corporation can be easily singled out as having suffered a special
horror story which stands above the rest. In August 2005, the Anti-Phishing
Working Group determined that in just that month alone, there were
5,259 unique phishing websites around the world. By December 2005, that
number had increased to 7,197, and there were 15,244 unique phishing
reports. It was also reported in August 2005 that 84 corporate entities' names
(and even logos and web content) were hijacked (i.e., misused) in phishing
attacks, though only 3 of these corporate brands accounted for 80 percent of
phishing campaigns. By December 2005 the number of victimized corporate
entities had increased to 120. The financial sector is and has been the most
heavily targeted industry sector in phishing schemes, accounting for nearly
85 percent of all phishing attacks. See, e.g.,
http://antiphishing.org/apwg_phishing_activity_report_august_05.pdf.
In addition, major companies have reported to the Department of Justice
that their corporate names, logos, and marks are often being misused in other
types of fraud schemes. These include telemarketing fraud schemes in which
communications purport to come from legitimate banks or companies or offer
products or services from legitimate banks and companies, and West African
fraud schemes that misuse legitimate banks' and companies' names in
communications with victims or in counterfeit checks.
Uncertainty has arisen as to whether Congress intended Sections 1028(a)(7)
and 1028A(a) of Title 18, United States Code to apply only to natural
persons or to also protect corporate entities. These two amendments would
clarify that Congress intended that these statutes apply broadly and may be
used against phishing directed against victim corporate entities.
APPENDIX F
Text of Amendment to 18 U.S.C. 1030(a)(2)
The basis for this proposed amendment is set forth in Section III.D.4.b of
the strategic plan, which describes gaps in the computer-related identity theft
statutes.
Proposed Language:
1030(a) Whoever
(2) intentionally accesses a computer without authorization or exceeds
authorized access, and thereby obtains
(A) information contained in a financial record of a financial
institution, or of a card issuer as defined in section 1602(n) of title
15, or contained in a file of a consumer reporting agency on a
consumer, as such terms are defined in the Fair Credit Reporting
Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United States;
or
(C) information from any protected computer if the conduct involved
an interstate or foreign communication;
APPENDIX G
Text of Amendments to 18 U.S.C. 1030(a)(5), (c), and (g), and to 18
U.S.C. 2332b
The basis for these proposed amendments is set forth in Section III.D.4.b of
the strategic plan, which describes gaps in the computer-related identity theft
statutes.
Proposed Language:
18 U.S.C. 1030
(a) Whoever
(5)
(A) (i) knowingly causes the transmission of a program, information,
code, or command, and as a result of such conduct, intentionally
causes damage without authorization, to a protected computer;
(B) (ii) intentionally accesses a protected computer without
authorization, and as a result of such conduct, recklessly causes
damage; or
(C) (iii) intentionally accesses a protected computer without
authorization, and as a result of such conduct, causes damage; and
(B) by conduct described in clause (i), (ii), or (iii) of subparagraph
(A), caused (or, in the case of an attempted offense, would, if
completed, have caused)
(i) loss to 1 or more persons during any 1-year period (and, for
purposes of an investigation, prosecution, or other proceeding
brought by the United States only, loss resulting from a
related course of conduct affecting 1 or more other protected
computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification
or impairment, of the medical examination, diagnosis,
treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a
government entity in furtherance of the administration of
justice, national defense, or national security;
(c) The punishment for an offense under subsection (a) or (b) of this section
is
(2) (A) except as provided in subparagraph (B), a fine under this title or
imprisonment for not more than one year, or both, in the case of an
offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this
section which does not occur after a conviction for another offense
under this section, or an attempt to commit an offense punishable
under this subparagraph;
(3) ... (B) a fine under this title or imprisonment for not more than
ten years, or both, in the case of an offense under subsection
(a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a
conviction for another offense under this section, or an attempt to
commit an offense punishable under this subparagraph;
(4) (A) except as provided in paragraph (5), a fine under this title,
imprisonment for not more than 10 years, or both, in the case of an
offense under subsection (a)(5)(A)(i), or an attempt to commit an
offense punishable under that subsection;
(B) a fine under this title, imprisonment for not more than 5 years,
or both, in the case of an offense under subsection (a)(5)(A)(ii), or
an attempt to commit an offense punishable under that subsection;
(C) except as provided in paragraph (5), a fine under this title,
imprisonment for not more than 20 years, or both, in the case of an
offense under subsection (a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt
to commit an offense punishable under either subsection, that
occurs after a conviction for another offense under this section; and
(5) (A) if the offender knowingly or recklessly causes or attempts to
cause serious bodily injury from conduct in violation of subsection
(a)(5)(A)(i), a fine under this title or imprisonment for not more
than 20 years, or both; and
(B) if the offender knowingly or recklessly causes or attempts to
cause death from conduct in violation of subsection (a)(5)(A)(i),
a fine under this title or imprisonment for any term of years or for
life, or both.
(4) (A) a fine under this title, imprisonment for not more than 5 years, or
both, in the case of an offense under subsection (a)(5)(B), which does
not occur after a conviction for another offense under this section, if
the offense caused (or, in the case of an attempted offense, would, if
completed, have caused)
(i) loss to 1 or more persons during any 1-year period (and, for
purposes of an investigation, prosecution, or other proceeding
brought by the United States only, loss resulting from a related
course of conduct affecting 1 or more other protected computers)
aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or
impairment, of the medical examination, diagnosis, treatment, or
care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety;
(v) damage affecting a computer used by or for a government entity in
furtherance of the administration of justice, national defense, or
national security; or
(vi) damage affecting ten or more protected computers during any
1-year period;
or an attempt to commit an offense punishable under this subparagraph;
(B) except as provided in subparagraphs (c)(4)(D) and (c)(4)(E), a
fine under this title, imprisonment for not more than 10 years, or
both, in the case of an offense under subsection (a)(5)(A), which does
not occur after a conviction for another offense under this section, if
the offense caused (or, in the case of an attempted offense, would, if
completed, have caused) a harm provided in subparagraphs (c)(4)(A)(i)
through (vi), or an attempt to commit an offense punishable under this
subparagraph;
(C) a fine under this title, imprisonment for not more than 20 years, or
both, in the case of an offense under subsection (a)(5) that occurs after
a conviction for another offense under this section, or an attempt to
commit an offense punishable under this subparagraph;
(D) if the offender attempts to cause or knowingly or recklessly causes
serious bodily injury from conduct in violation of subsection (a)(5)(A),
a fine under this title or imprisonment for not more than 20 years, or
both;
(E) if the offender attempts to cause or knowingly or recklessly causes
death from conduct in violation of subsection (a)(5)(A), a fine under
this title or imprisonment for any term of years or for life, or both; or
(F) a fine under this title, imprisonment for not more than one year,
or both, for any other offense under subsection (a)(5), or an attempt to
commit an offense punishable under this subparagraph.
(g) Any person who suffers damage or loss by reason of a violation of
this section may maintain a civil action against the violator to obtain
compensatory damages and injunctive relief or other equitable relief.
A civil action for a violation of this section may be brought only if the
conduct involves 1 of the factors set forth in clause (i), (ii), (iii), (iv),
or (v) of subsection (a)(5)(B) subparagraph (c)(4)(A). Damages for a
violation involving only conduct described in subsection (a)(5)(B)(i)
subparagraph (c)(4)(A)(i) are limited to economic damages. No action
may be brought under this subsection unless such action is begun within
2 years of the date of the act complained of or the date of the discovery
of the damage. No action may be brought under this subsection for
the negligent design or manufacture of computer hardware, computer
software, or firmware.
18 U.S.C. 2332b(g)(5)(B)(I)
... 1030(a)(5)(A)(i) resulting in damage as defined in 1030(a)(5)(B)(ii) through
(v) 1030(c)(4)(A)(ii) through (vi) (relating to protection of computers) ...
APPENDIX H
Text of Amendments to 18 U.S.C. 1030(a)(7)
The basis for this proposed amendment is set forth in Section III.D.4.c of the
strategic plan, which describes gaps in the cyber-extortion statute.
Proposed Language:
18 U.S.C. 1030(a)(7)
(7) with intent to extort from any person any money or other
thing of value, transmits in interstate or foreign commerce any
communication containing any
(a) threat to cause damage to a protected computer;
(b) threat to obtain information from a protected computer without
authorization or in excess of authorization or to impair the
confidentiality of information obtained from a protected computer
without authorization or by exceeding authorized access; or
(c) demand or request for money or other thing of value in relation to
damage to a protected computer, where such damage was caused to
facilitate the extortion;
APPENDIX I
Text of Amendment to United States Sentencing Guideline 2B1.1
The basis for this proposed amendment is set forth in Section III.D.4.d of the
strategic plan, which describes the Sentencing Guidelines provision governing
identity theft.
Proposed language for United States Sentencing Guidelines 2B1.1,
comment.(n.1):
Victim means (A) any person who sustained any harm, whether monetary
or non-monetary, as a result of the offense. Harm is intended to be an
inclusive term, and includes bodily injury, non-monetary loss such as the
theft of a means of identification, invasion of privacy, reputational damage,
and inconvenience. Person includes individuals, corporations, companies,
associations, firms, partnerships, societies, and joint stock companies.
APPENDIX J
Description of Proposed Surveys
Inordertoexpandlawenforcementknowledgeof theidentitytheftresponse
andpreventionactivitiesof stateandlocalpolice,theBureauof Justice
Statistics(BJS)shouldundertakenewdatacollectionsinthreeareas:(1)
asurveyof lawenforcementagenciesfocusedontheresponsetoidentity
theft;(2)enhancementstotheexistingLawEnforcementManagementand
AdministrativeStatistics(LEMAS)surveyplatform;and(3)enhancements
totheexistingtrainingacademysurveyplatform.Specifically,BJSshould
undertaketodothefollowing:
New survey of state and local law enforcement agencies.Anew
studyfocusedonstateandlocallawenforcementresponsestoidentity
theftshouldseektodocumentagencypersonnel,operations,workload,
andpoliciesandprogramsrelatedtothehandlingof thiscrime.Detail
ontheorganizationalstructure,if any,associatedwithidentitytheft
responseshouldbeincluded(forexample,theuseof specialunits
devotedtoidentitytheft).Thestudyshouldinquireaboutparticipation
inregionalidentitythefttaskforces,communityoutreachandeducation
efforts,aswellasidentitytheftpreventionprograms.Information
collectedshouldalsoincludeseveralsummarymeasuresof identity
theftintheagenciesjurisdictions(offensesknown,arrests,referrals,
outcomes),withthegoalof producingsomestandardizedmetricswith
whichtocomparejurisdictions.
Enhancement to existing LEMAS survey. BJSshoulddevelopaspecial
batteryof questionsfortheexistingLEMASsurveyplatform.The
LEMASsurvey,conductedroughlyeverythreeyearssince1987,collects
detailedadministrativeinformationfromanationallyrepresentative
sampleof about3,000agencies.Thesampleincludesallagencieswith
100ormoreofficers,andastratifiedrandomsampleof smalleragencies
aswellascampuslawenforcementagencies.Informationcollected
shouldincludewhetheragenciespresentlyenforceidentitytheftlaws,
utilizespecialunits,havedesignatedpersonnel,participateinregional
identitythefttaskforces,andhavepoliciesandproceduresinplace
relatedtotheprocessingof identitytheftincidents.Thesurveyshould
alsoinquirewhetheragenciescollectsummarymeasuresof identity
theftintheirjurisdictions,includingoffensesknown,arrests,referrals,
andanyoutcomemeasures.Finally,thisstudyshouldalsocollect
informationonwhetheragenciesareengagedincommunityoutreach,
education,andpreventionactivitiesrelatedtoidentitytheft.
Enhancement to existing law enforcement training academy survey.
BJSshoulddevelopaspecialbatteryof questionsfortheexistinglaw
enforcementtrainingacademysurveyplatform.Asectionof thedata
collectioninstrumentshouldbedevotedtothetypesof training,if any,
!00
beingprovidedbybasicacademiesacrossthecountryintheareaof
identitytheft.BJSshouldsubsequentlyprovidestatisticsonthenumber
of recruitswhoreceivetrainingonidentitytheft,aswellasthenature
andcontentof thetraining.In-servicetrainingprovidedtoactive-duty
officersshouldalsobecovered.
The Bureau of Justice Statistics should revise both the State Court
Processing Statistics (SCPS) and National Judicial Reporting
Program (NJRP) programs so that they are capable of distinguishing
identity theft from other felony offenses. In addition, the scope of
these surveys should be expanded to include misdemeanor identity
theft offenders. If SCPS and NJRP were able to follow identity theft
offenders, then a variety of different types of court-specific information
could be collected. These include how many offenders are charged
with identity theft in the Nation's courts, what percentage of these
offenders are released at pretrial, and how are the courts adjudicating
(e.g., convicting or dismissing) identity theft offenders. Among those
convicted identity theft offenders, data should be collected on how many
are being sentenced to prison, jail, or probation. These projects should
also illuminate the prior criminal histories or rap sheets of identity
theft offenders. Both projects should also allow for the postconviction
tracking of identity theft offenders for the purposes of examining their
overall recidivism rates.
BJS should ensure that other state court studies that it funds are
reconfigured to analyze the problem of identity theft. For example, State
Court Organization (SCO) currently surveys the organizational structure
of the Nation's state courts. This survey could be supplemented with
additional questionnaires that measure whether special courts similar to
gun, drug, or domestic violence courts are being created for identity theft
offenders. Also, SCO should examine whether courts are training or
funding staff equipped to handle identity theft offenders.
BJS should ensure that the Civil Justice Survey of State Courts, which
examines civil trial litigation in a sample of the Nation's state courts, is
broadened to identify and track various civil enforcement procedures
and their utilization against identity thieves.
ENDNOTES
1. Public Law 105-318, 112 Stat. 3007 (Oct. 30, 1998). The Identity Theft
Assumption and Deterrence Act provides an expansive definition of identity
theft. It includes the misuse of any identifying information, which could
include name, SSN, account number, password, or other information linked to
an individual, to commit a violation of federal or state law. The definition thus
covers misuse of existing accounts as well as creation of new accounts.
2. The federal financial regulatory agencies include the banking and securities
regulators, namely, the Federal Deposit Insurance Corporation, the Federal
Reserve Board, the National Credit Union Administration, the Office of the
Comptroller of the Currency, the Office of Thrift Supervision, the Commodity
Futures Trading Commission, and the Securities and Exchange Commission.
3. The public comments are available at www.idtheft.gov.
4. Testimony of John M. Harrison, June 19, 2003, Senate Banking Committee,
The Growing Problem of Identity Theft and its Relationship to the Fair Credit
Reporting Act.
5. See U.S. Attorney's Office, Western District of Michigan, Press Release (July 5,
2006), available at http://www.usdoj.gov/usao/miw/press/JMiller_Others10172006.html.
6. Javelin Strategy and Research, 2007 Identity Fraud Survey Report: Identity Fraud is
Dropping, Continued Vigilance Necessary (Feb 2007), summary available at
http://www.javelinstrategy.com; Bureau of Justice Statistics (DOJ) (2004), available at
http://www.ojp.usdoj.gov/bjs/pub/pdf/it04.pdf; Gartner, Inc. (2003), available
at http://www.gartner.com/5_about/press_releases/pr21july2003a.jsp; FTC 2003
Survey Report (2003), available at http://www.consumer.gov/idtheft/pdf/synovate_report.pdf.
7. See Business Software Alliance, Consumer Confidence in Online Shopping Buoyed by
Security Software Protection, BSA Survey Suggests (Jan. 12, 2006), available at
http://www.bsacybersafety.com/news/2005-Online-Shopping-Confdence.cfm.
8. See Cyber Security Industry Alliance, Internet Security Voter Survey (June 2005) at
9, available at https://www.csialliance.org/publications/surveys_and_polls/CSIA_Internet_Security_Survey_June_2005.pdf.
9. See U.S. Attorney's Office, Southern District of Florida, Press Release (July 19,
2006), available at http://www.usdoj.gov/usao/fs/PressReleases/060719-01.html.
10. See, e.g., John Leland, Meth Users, Attuned to Detail, Add Another Habit: ID
Theft, New York Times, July 11, 2006, available at
http://www.nytimes.com/2006/07/11/us/11meth.html?ex=1153540800&en=7b6c7773afa880be&ei=5070;
Byron Acohido and Jon Swartz, Meth addicts' other habit: Online Theft, USA
Today, December 14, 2005, available at
http://www.usatoday.com/tech/news/internetprivacy/2005-12-14-meth-online-theft_x.htm.
11. Bob Mims, Id Theft Is the No. 1 Runaway U.S. Crime, The Salt Lake Tribune, May
3, 2006, available at 2006 WLNR 7592526.
12. Dennis Tomboy, Meth Addicts Stealing Mail, Deseret Morning News, April 28,
2005, http://deseretnews.com/dn/view/0,1249,600129714,00.html.
13. Stephen Mihm, Dumpster-Diving for Your Identity, New York Times Magazine,
December 21, 2003, available at
http://www.nytimes.com/2003/12/21/magazine/21IDENTITY.html?ex=1387342800&en=b693eef01223bc3b&ei=5007&partner=USERLAND.
14. Pub. L. No. 108-159, 117 Stat. 1952.
15. The FACT Act required merchants to comply with this truncation provision
within three years of the Act's passage with respect to any cash register or device
that was in use before January 1, 2005, and within one year of the Act's passage
with respect to any cash register or device that was first put into use on or after
January 1, 2005. 15 U.S.C. 1681c(g)(3).
16. Overview of Attack Trends, CERT Coordination Center 2002, available at
http://www.cert.org/archive/pdf/attack_trends.pdf.
17. Lanowitz, T., Gartner Research ID Number G00127407: December 1, 2005.
18. Vishing Is Latest Twist In Identity Theft Scam, Consumer Affairs, July 24, 2006,
available at http://www.consumeraffairs.com/news04/2006/07/scam_vishing.html.
19. Fraudsters have recently used pretexting techniques to obtain phone records,
see, e.g., Jonathan Krim, Online Data Gets Personal: Cell Phone Records For Sale,
Washington Post, July 13, 2005, available at 2005 WLNR 10979279, and the
FTC is pursuing enforcement actions against them. See
http://www.ftc.gov/opa/2006/05/phonerecords.htm.
20. The FTC brought three cases after sting operations against financial pretexters.
Information on the settlement of those cases is available at
http://www.ftc.gov/opa/2002/03/pretextingsettlements.htm.
21. See, e.g., Computers Stolen with Data on 72,000 Medicaid Recipients, Cincinnati
Enquirer, June 3, 2006.
22. 15 U.S.C. 1681e; 15 U.S.C. 6802(a).
23. Although the FACT Act amendments to the Fair Credit Reporting Act require
merchants to truncate credit account numbers, allowing only the final five digits
to appear on an electronically generated receipt, 15 U.S.C. 1618c(g), manually
created receipts might still contain the full account number.
24. See http://www.bizjournals.com/philadelphia/stories/2006/07/24/daily30.html.
See also Identity Theft Resource Center, Fact Sheet 126: Checking Account Takeover
and Check Fraud, http://www.idtheftcenter.org/vg126.shtml.
25. For example, the Securities and Exchange Commission instituted proceedings
against a 19-year-old internet hacker after the hacker illicitly accessed an
investor's online brokerage account. His bogus transactions saved the hacker
approximately $37,000 in trading losses. The SEC also obtained an emergency
asset freeze to halt an Estonia-based account intrusion scheme that targeted
online brokerage accounts in the U.S. to manipulate the markets. See Litigation
Release No. 19949 (Dec. 19, 2006), available at
http://www.sec.gov/litigation/litreleases/2006/lr19949.htm.
26. For unauthorized credit card charges, the Fair Credit Billing Act limits consumer
liability to a maximum of $50 per account. 15 U.S.C. 1643. For bank account
fraud, different laws determine consumers' legal remedies based on the type
of fraud that occurred. For example, applicable state laws protect consumers
against fraud committed by a thief using paper documents, like stolen or
counterfeit checks. If, however, the thief used an electronic fund transfer, federal
law applies. The Electronic Fund Transfer Act limits consumer liability for
unauthorized transactions involving an ATM or debit card, depending on how
quickly the consumer reports the loss or theft of his card: (1) if reported within
two business days of discovery, the consumer's losses are limited to a maximum
of $50; (2) if reported more than two business days after discovery, but within 60
days of the transmittal date of the account statement containing unauthorized
transactions, he could lose up to $500; and (3) if reported more than 60 days
after the transmittal date of the account statement containing unauthorized
transactions, he could face unlimited liability. 15 U.S.C. 1693g. As a matter
of policy, some credit and debit card companies waive liability under some
circumstances, freeing the consumer from fraudulent use of his credit or debit
card.
27. See John Leland, Some ID Theft Is Not For Profit, But to Get a Job, N.Y. Times,
Sept. 4, 2006.
28. See World Privacy Forum, Medical Identity Theft: The Information Crime That
Can Kill You (May 3, 2006), available at
worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf.
29. See http://www.idanalytics.com/news_and_events/20051208.htm. Some other
organizations have begun conducting statistical analyses to determine the link
between data breaches and identity theft. These efforts are still in their early
stages, however.
30. Government Accounting Office, Social Security Numbers: Government Could Do
More to Reduce Display in Public Records and On Identity Cards (November 2004), at
2, available at http://www.gao.gov/new.items/d0559.pdf.
31. 15 U.S.C. 6801 et seq.; 42 U.S.C. 1320d et seq.; 18 U.S.C. 2721 et seq.
32. 5 U.S.C. 552a.
33. See, e.g., Ariz. Rev. Stat. 44-1373.
34. Social Security Numbers: Federal and State Laws Restrict Use of SSNs, Yet Gaps
Remain, GAO-05-1016T, September 15, 2005.
35. See, e.g., www.wpsic.com/edi/comm_sub_p.shtml?mm=3, Non-SSN Member Numbers
to Be Assigned for Privacy Protection.
36. Except where expressly noted, all references to years in this strategic plan are
intended to refer to calendar years, rather than fiscal years.
37. The federal government's overall information privacy program derives primarily
from five statutes that assign OMB policy and oversight responsibilities, and
agencies responsibility for implementation. The Privacy Act of 1974 (5 U.S.C.
552a) sets collection, maintenance, and disclosure conditions; access and
amendment rights and notice and record-keeping requirements with respect
to personally identifiable information retrieved by name or personal identifier.
The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. 552a
note) amended the Privacy Act to provide a framework for the electronic
comparison of personnel and benefits-related information systems. The
Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) and the Information
Technology Management Reform Act of 1996 (also known as Clinger-Cohen
Act; 41 U.S.C. 251 note) linked agency privacy activities to information
technology and information resources management, and assigned to agency
Chief Information Officers (CIO) the responsibility to ensure implementation
of privacy programs within their respective agencies. Finally, Section 208 of
the E-Government Act of 2002 (44 U.S.C. 3501 note) included provisions
requiring agencies to conduct privacy impact assessments on new or substantially
altered information technology systems and electronic information collections,
and post web privacy policies at major entry points to their Internet sites. These
provisions are discussed in OMB memorandum 03-22, OMB Guidance for
Implementing the Privacy Provisions of the E-Government Act of 2002.
38. See Protection of Sensitive Agency Information, Memorandum from Clay Johnson
III, Deputy Director for Management, OMB, to Heads of Departments and
Agencies, M-06-16 (June 23, 2006).
39. The United States Computer Emergency Readiness Team (US-CERT) has played
an important role in public sector data security. US-CERT is a partnership
between DHS and the public and private sectors. Established in 2003 to protect
the nation's Internet infrastructure, US-CERT coordinates defense against and
responses to cyber attacks across the nation. The organization interacts with
federal agencies, state and local governments, industry professionals, and others
to improve information sharing and incident response coordination and to reduce
cyber threats and vulnerabilities. US-CERT provides the following support: (1)
cyber security event monitoring; (2) advanced warning on emerging threats; (3)
incident response capabilities for federal and state agencies; (4) malware analysis
and recovery support; (5) trends and analysis reporting tools; and (6) other
support services in the area of cyber security. US-CERT also provides consumer
and business education on Internet and information security.
40. See http://www.whitehouse.gov/results/agenda/scorecard.html.
41. The proposed routine use language set forth in Appendix B differs slightly from
that included in the Task Force's interim recommendations in that it further
clarifies, among other things, the categories of users and the circumstances
under which disclosure would be necessary and proper in accordance with the
OMB's guidance on this issue.
42. 15 U.S.C. 6801-09; 16 C.F.R. Part 313 (FTC); 12 C.F.R. Part 30, App. B (OCC,
national banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. F (FRB, state
member banks and holding companies); 12 C.F.R. Part 364, App. B (FDIC, state
non-member banks); 12 C.F.R. Part 570, App. B (OTS, savings associations);
12 C.F.R. Part 748, App. A (NCUA, credit unions); 16 C.F.R. Part 314 (FTC,
financial institutions that are not regulated by the FRB, FDIC, OCC, OTS,
NCUA, CFTC, or SEC); 17 C.F.R. Part 248.30 (SEC); 17 C.F.R. Part 160.30
(CFTC).
43. 15 U.S.C. 45(a). Further, the federal bank regulatory agencies have authority
to enforce Section 5 of the FTC Act against entities over which they have
jurisdiction. See 15 U.S.C. 6801-09.
44. 15 U.S.C. 1681-1681x, as amended.
45. Pub. L. No. 108-159, 117 Stat. 1952.
46. 42 U.S.C. 1320d et seq.
47. 31 U.S.C. 5318(l).
48. 18 U.S.C. 2721 et seq.
49. http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm.
50. http://www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf;
www.staysafeonline.org/basics/company/basic_tips.html; The Financial Services
Roundtable, Voluntary Guidelines for Consumer Confidence in Online Financial Services,
available at www.bitsinfo.org/downloads/Publications%20Page/bitsconscon.pdf;
www.realtor.org/realtororg.nsf/fles/NARInternetSecurityGuide.pdf/$FILE/NARInternetSecurityGuide.pdf;
www.antiphishing.org/reports/bestpracticesforisps.pdf;
www.uschamber.com/sb/security/default.htm;
www.truste.org/pdf/SecurityGuidelines.pdf;
www.the-dma.org/privacy/informationsecurity.shtml;
http://www.staysafeonline.org/basics/company/basic_tips.html.
51. These changes may be attributable to requirements contained in the regulations
implementing Title V of the GLB Act. See 12 C.F.R. Part 30, App. B (national
banks); 12 C.F.R. Part 208, App. D-2 and Part 225, App. 5 (state member banks
and holding companies); 12 C.F.R. Part 364, App. B (state non-member banks);
12 C.F.R. Part 570, App. B (savings associations); 12 C.F.R. Part 748, App. A
and B, and 12 C.F.R. Part 717 (credit unions); 16 C.F.R. Part 314 (financial
institutions that are not regulated by the FDIC, FRB, NCUA, OCC, or OTS).
52. See, e.g., http://www.truste.org/pdf/SecurityGuidelines.pdf;
http://www.the-dma.org/privacy/informationsecurity.shtml.
53. Deloitte Financial Services, 2006 Global Security Survey, available at
http://singe.rucus.net/blog/archives/756-Deloitte-Security-Surveys.html.
54. Datalink, Data Storage Security Study, March 2006, available at
www.datalink.com/security/.
55. Id.
56. See Small Business Technology Institute, Small Business Information Security
Readiness (July 2005).
57. See, e.g., California (Cal. Civ. Code 1798.82 (2006)); Illinois (815 Ill. Comp.
Stat 530/5 (2005)); Louisiana (La. Rev. Stat. 51:3074 (2006)); Rhode Island (R.I.
Gen. Laws 11-49.2.3 (2006)).
58. See, e.g., Colorado (Colo. Rev. Stat. 6-1-716 (2006)); Florida (Fla. Stat.
817.5681 (2005)); New York (NY CLS Gen. Bus. 889-aa (2006)); Ohio (Ohio
Rev. Code Ann. 1349.19 (2006)).
59. Ponemon Institute LLC, Benchmark Study of European and U.S. Corporate Privacy
Practices, p. 16 (Apr. 26, 2006).
60. Id.
61. Ponemon Institute, LLC, 2005 Benchmark Study of Corporate Privacy Practices
(July 11, 2005).
62. MultiChannel Merchant, Retailers Need to Provide Greater Data Security, Survey Says
(Dec. 1, 2005), available at
http://multichannelmerchant.com/opsandfulfllment/advisor/retailers_data_security_1201/index.html.
63. See Information Technology Examination Handbook's Information Security
Booklet, available at http://www.ffec.gov/guides.htm.
64. See, e.g., http://www.pvkansas.com/police/crime/iden_theft.shtml (Prairie Village,
Kansas), http://phoenix.gov//POLICE/dcd1.html (Phoenix, Arizona);
www.co.arapahoe.co.us/departments/SH/index.asp (Arapahoe County, Colorado).
65. Colleges Are Textbook Cases of Cybersecurity Breaches, USA TODAY, August 1, 2006.
66. Examples of this outreach include a wide-scale effort at the University of
Michigan which launched Identity Web, a comprehensive site based on the
recommendations of a graduate class in fall of 2003. The State University of
New York's Orange County Community College offers identity theft seminars,
the result of a student who fell victim to a scam. A video at student orientation
sessions at Drexel University in Philadelphia warns students of the dangers of
identity theft on social networking sites. Bowling Green State University in
Kentucky emails campus-wide fraud alerts when it suspects that a scam is
being targeted to its students. In recent years, more colleges and universities
have hired chief privacy officers, focusing greater attention on the harms that can
result from the misuse of students' information.
67. See 31 C.F.R. 103.121 (banks, savings associations, credit unions, and certain
non-federally regulated banks); 31 C.F.R. 103.122 (broker-dealers); 17 C.F.R.
270.0-11, 31 C.F.R. 103.131 (mutual funds); and 31 C.F.R. 103.123 (futures
commission merchants and introducing brokers).
68. See http://www.dhs.gov/xprevprot/laws/gc_1172765386179.shtm.
69. A primary reason criminals use other people's identities to commit identity theft
is to enable them to operate with anonymity. However, in committing identity
theft, the suspects often leave telltale signs that should trigger concern for alert
businesses. Section 114 of the FACT Act seeks to take advantage of businesses'
awareness of these patterns, and requires the federal bank regulatory agencies
and the FTC to develop regulations and guidelines for financial institutions and
creditors addressing identity theft. In developing the guidelines, the agencies
must identify patterns, practices, and specific forms of activity that indicate the
possible existence of identity theft. 15 U.S.C. 1681m.
Those agencies have issued a set of proposed regulations that would require
each financial institution and creditor to develop and implement an identity
theft prevention program that includes policies and procedures for detecting,
preventing, and mitigating identity theft in connection with account openings
and existing accounts. The proposed regulations include guidelines listing
patterns, practices, and specific forms of activity that should raise a red flag
signaling a possible risk of identity theft. Recognizing these red flags can
enable businesses to detect identity theft at its early stages before too much harm
is done. See 71 Fed. Reg. 40786 (July 18, 2006) to be codified at 12 C.F.R. Parts
41 (OCC), 222 (FRB), 334 and 364 (FDIC), 571 (OTS), 717 (NCUA), and 16
C.F.R. Part 681 (FTC), available at http://www.occ.gov/fr/fedregister/71fr40786.pdf.
70. USB token devices are typically small vehicles for storing data. They are difficult
to duplicate and are tamper-resistant. The USB token is plugged directly into
the USB port of a computer, avoiding the need for any special hardware on
the user's computer. However, a login and password are still required to access
the information contained on the device. Smart cards resemble a credit card
and contain a microprocessor that allows them to store and retain information.
Smart cards are inserted into a compatible reader and, if recognized, may
require a password to perform a transaction. Finally, the common token
system involves a device that generates a one-time password at predetermined
intervals. Typically, this password would be used in conjunction with other login
information such as a PIN to allow access to a computer network. This system is
frequently used to allow for remote access to a workstation for a telecommuter.
71. Biometrics are automated methods of recognizing an individual based
on measurable biological (anatomical and physiological) and behavioral
characteristics. Biometrics commonly implemented or studied include:
fingerprint, face, iris, voice, signature, and hand geometry. Many other
modalities are in various stages of development and assessment. Additional
information on biometric technologies, federal biometric programs, and
associated privacy considerations can be found at www.biometrics.gov.
72. See Authentication in an Internet Banking Environment (October 12, 2005), available
at http://www.ffec.gov/pdf/authentication_guidance.pdf.
73. See FFIEC Frequently Asked Questions on FFIEC Guidance on Authentication in
an Internet Banking Environment (August 15, 2006), available at
http://www.ffec.gov/pdf/authentication_faq.pdf.
74. See Kristin Davis and Jessica Anderson, But Officer, That Isn't Me, Kiplinger's
Personal Finance (October 2005); Bob Sullivan, The Darkest Side of ID Theft,
MSNBC.com (Dec. 1, 2003); David Brietkopf, State of Va. Creates Special Cards for
Crime Victims, The American Banker (Nov. 18, 2003).
75. 18 U.S.C. 1028A.
76. 18 U.S.C. 1028(d)(7).
77. See 18 U.S.C. 1030(e)(8).
78. 18 U.S.C. 1030(a)(7).
79. S. Rep. No. 105-274, at 9 (1998).
80. As this Task Force has been charged with considering the federal response to
identity theft, this routine use notice does not include all possible triggers, such
as embarrassment or harm to reputation. However, after consideration of the
Strategic Plan and the work of other groups charged with assessing Privacy Act
considerations, OMB may determine that a routine use that takes into account
other possible triggers may be preferable.