TABLE OF CONTENTS
Cover
Title
Copyright
Dedication
ACKNOWLEDGMENTS
PREFACE
INTRODUCTION
PART I: THE CURRENT STATE OF IDENTITY THEFT
CHAPTER 1: WHAT IS AN “IDENTITY”?
IDENTITY THEFT VERSUS IDENTITY CRIME
“PERSONAL” IDENTITY THEFT
“BUSINESS” IDENTITY THEFT
IDENTITY THEFT AS AN “OVERARCHING” CRIME
CHAPTER 2: IDENTITY THEFT: EFFECTS ON VICTIMS
EFFECTS ON PERSONS
EFFECTS ON BUSINESSES
CHAPTER 3: IDENTITY CRIME IS ENTRENCHED
HIPAA DATABASE
CREDIT AGENCY DATABASES
GOVERNMENT DATABASES
CHAPTER 4: IDENTITY CRIMES ARE ESCALATING
OUTSOURCING IDENTITIES
JURISDICTIONAL PROBLEMS
POLICE LACK RESOURCES
LEGISLATION IS LACKING
CHAPTER 5: LEGAL REQUIREMENTS FOR BUSINESSES
MANY LAWS
MANY “SUPERFICIAL” LAWS
BISP SECURITY STANDARDS
CHAPTER 6: CAVEAT LECTOR. LET THE READER BEWARE
MESSAGE TO EXECUTIVES
MESSAGE TO EMPLOYEES
PART II: IDENTITY THEFT PREVENTION
CHAPTER 7: THE BISP PLAN: TIGHTEN YOUR BUSINESS BORDERS
BACKGROUND REVIEW: FOUR-FACTOR MODEL OF INFORMATION SECURITY
SECURING THE FRONTS
CHAPTER 8: BEGIN THE EXERCISES: IDENTIFY YOUR BUSINESS IDENTITIES
STANDARD 1. WHAT ARE YOUR BUSINESS IDENTITIES?
STANDARD 2. WHO HAS ACCESS TO YOUR BUSINESS IDENTITIES?
CHAPTER 9: SECURING THE PEOPLE FRONT: THE SECURITY JOB ANALYSIS
STANDARD 3. SCIENTIFIC JOB ANALYSIS FOR SECURITY DECISION MAKING
CHAPTER 10: THE PEOPLE FRONT: RECRUITMENT FOR SECURITY
STANDARD 4. RECRUITMENT FOR SECURITY
CHAPTER 11: THE PEOPLE FRONT: PERSONNEL SELECTION FOR SECURITY
STANDARD 5. PERSONNEL SELECTION FOR SECURITY
CHAPTER 12: THE PEOPLE FRONT: SELECT FOR MOTIVATION
STANDARD 6. SELECT FOR MOTIVATION
CHAPTER 13: THE PEOPLE FRONT: SELECT FOR INTEGRITY AND SECURITY
STANDARD 7. SELECT FOR INTEGRITY AND SECURITY
CHAPTER 14: THE PEOPLE FRONT: SELECT FOR INTERPERSONAL SKILLS
STANDARD 8. SELECT FOR INTERPERSONAL SKILLS
CHAPTER 15: THE PEOPLE FRONT: SOCIALIZATION, COMPANY CULTURE, AND THE REALISTIC JOB PREVIEW
STANDARD 9. COMPANY CULTURE AND THE REALISTIC JOB PREVIEW
CHAPTER 16: THE PEOPLE FRONT: SOCIALIZING NEWCOMERS TO THE HONEST COMPANY CULTURE
STANDARD 10. THE SECURITY ORIENTATION PROGRAM
CHAPTER 17: THE PEOPLE FRONT: APPRAISAL AND FEEDBACK FOR PERFORMANCE AND SECURITY
STANDARD 11. THE ORGANIZATIONAL APPRAISAL AND FEEDBACK SYSTEM
INDIVIDUAL APPRAISAL
GROUP APPRAISAL
SELF-APPRAISAL
DEPARTMENTAL ASSESSMENT
A MESSAGE TO THE PROJECT TEAM
CHAPTER 18: THE PROCESS FRONT: SECURE BUSINESS INFORMATION PROCESSES
SELECT A NEW PROJECT TEAM
QUALITY-TO-SECURITY TOOLS
STANDARD 12. INFORMATION PROCESS RISK ASSESSMENT
CHAPTER 19: THE PROPERTY FRONT: THE E-BUSINESS WEB SITE
STANDARD 13. WEB SITE SECURITY ASSESSMENT
PART III: MONITORING IDENTITY THEFT
CHAPTER 20: THE CUSTOMER SECURITY PROGRAM
STANDARD 14. CUSTOMER SECURITY PROGRAM
CONCLUSION
CHAPTER 21: E-COMMERCE “BEST PRACTICES” FOR CUSTOMERS
STANDARD 15. E-COMMERCE “BEST PRACTICES”
CHAPTER 22: THE LEGISLATIVE PROCESS
STANDARD 16. IDENTITY THEFT LEGISLATIVE PROCESS
CHAPTER 23: THE HIPAA DATABASE
THE BISP SECURITY STANDARDS AND HIPAA
APPENDICES
APPENDIX A: THE SECURITY STANDARD CHECKLIST
IDENTITY THEFT PREVENTION
APPENDIX B: CHECKLIST OF TEAM PREREQUISITES
APPENDIX C: STRUCTURED AND FORMAL BRAINSTORMING: STEP-BY-STEP INSTRUCTIONS
DEFINITION OF FORMAL BRAINSTORMING
STEP-BY-STEP INSTRUCTIONS
APPENDIX D: CAUSE AND EFFECT ANALYSIS: STEP-BY-STEP INSTRUCTIONS
APPENDIX E: THE SECURITY FOCUS GROUP INTERVIEW
APPENDIX F: THE SECURITY JOB DESCRIPTION
THE INFORMATION SECURITY RESEARCH INSTITUTE, LLC
THE SECURITY JOB DESCRIPTION
APPENDIX G: INDUSTRIAL AND ORGANIZATIONAL SPECIALISTS IN TEST DEVELOPMENT AND VALIDATION
APPENDIX H: ONE COMPANY’S SHORT- AND LONG-TERM STRATEGIC PLAN
APPENDIX I: THE INFORMATION PROCESS: DEFINITION, DESCRIPTION, AND ILLUSTRATION
DEFINING THE INFORMATION PROCESS
DESCRIBING AN INFORMATION PROCESS
ILLUSTRATING THE INFORMATION PROCESS RISK ASSESSMENT
A KEY POINT
APPENDIX J: THE PARETO ANALYSIS: DEFINITION, DESCRIPTION, AND ILLUSTRATION
DEFINING PARETO ANALYSIS
DESCRIBING PARETO ANALYSIS
ILLUSTRATING THE PARETO DIAGRAM
APPENDIX K: FORERUNNERS IN THE SUPPORT OF IDENTITY THEFT LEGISLATION
U.S. SENATORS
STATE OFFICIALS
OTHERS
NOTES
INDEX
END USER LICENSE AGREEMENT
List of Tables
CHAPTER 9: SECURING THE PEOPLE FRONT: THE SECURITY JOB ANALYSIS
EXHIBIT 9.1 Job Competency Checklist for Job of Computer Forensic Analyst
CHAPTER 16: THE PEOPLE FRONT: SOCIALIZING NEWCOMERS TO THE HONEST COMPANY CULTURE
EXHIBIT 16.1 The Security Orientation Program of the Information Security Research Institute
CHAPTER 17: THE PEOPLE FRONT: APPRAISAL AND FEEDBACK FOR PERFORMANCE AND SECURITY
EXHIBIT 17.1 Job Competency Appraisal Instrument
EXHIBIT 17.2 Work Group Appraisal Instrument
CHAPTER 19: THE PROPERTY FRONT: THE E-BUSINESS WEB SITE
EXHIBIT 19.1 Example of a Web Site Security Assessment
APPENDIX C: STRUCTURED AND FORMAL BRAINSTORMING: STEP-BY-STEP INSTRUCTIONS
EXHIBIT C.1 A Brainstorming Task Statement
EXHIBIT C.2 A Brainstorming List
APPENDIX D: CAUSE AND EFFECT ANALYSIS: STEP-BY-STEP INSTRUCTIONS
EXHIBIT D.1 Cause-and-Effect Analysis for Incoming Identities
EXHIBIT D.2 Cause-and-Effect Analysis of Sources of SSN Thefts
APPENDIX I: THE INFORMATION PROCESS: DEFINITION, DESCRIPTION, AND ILLUSTRATION
EXHIBIT I.1 Common Flow Chart Symbols
EXHIBIT I.2 Flow Chart Tracing the Route of a Fax Document through a Department—Each Location and Transfer Path Can Be Secured
APPENDIX J: THE PARETO ANALYSIS: DEFINITION, DESCRIPTION, AND ILLUSTRATION
EXHIBIT J.1 Frequencies for Pareto Analysis
EXHIBIT J.2 Bar Chart for Pareto Frequencies
Preventing Identity Theft in Your Business
How to Protect Your Business, Customers, and Employees
Judith M. Collins
This book is printed on acid-free paper. ∞
Copyright © 2005 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey
Published simultaneously in Canada
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, e-mail: [email protected].
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
Library of Congress Cataloging-in-Publication Data
Collins, Judith M.
Preventing identity theft in your business : how to protect your business, customers, and employees / Judith M. Collins.
p. cm.
Includes index.
ISBN 0-471-69469-X (cloth)
1. Identity theft—United States—Prevention. I. Title.
HV6679.C653 2005
658.4’72—dc22
2004022093
To victims of identity theft and employees who help prevent it
ACKNOWLEDGMENTS
More than a faithful colleague and meticulous research assistant, Sandra Hoffman is a valued friend. As associate director, Sandra diligently, skillfully, and solely managed the bustling activities of Identity Theft Crime and Research Lab for three months so that I could write this book. I publicly acknowledge that without Sandra this book would not have been possible. With deep appreciation, I thank you, Sandra.
I also am indebted to my editor at John Wiley & Sons, Tim Burgard. Tim took the time to read my manuscript and recognized its potential importance for businesses. He provided the logistical and organizational support necessary to bring this book to fruition and along the way provided many constructive suggestions for improvements. Moreover, throughout the summer of 2004, Tim routinely and consistently prompted me for the next “batch” (of chapters). Because of Tim, this book moved from “in progress” to “in production.” Thank you, Tim, for the guidance you’ve given me and also for believing with me that this book can positively impact businesses and people.
With appreciation, I especially thank my son, Michael Collins. Michael read every word of every chapter and offered many recommendations for modifications. I made them all. I now find it difficult to adequately express my deep gratitude to Michael, who unselfishly shared with me considerable time and his intellectual talents in reviewing chapter writes and rewrites. Thank you, son, for your invaluable contributions.
And to Larry Collins, my husband, mentor, and enthusiastic supporter of each next “project,” thank you for being alongside me throughout these life’s adventures.
PREFACE
All companies that engage in financial transactions are bound by law to establish and enforce information security programs to prevent identity theft. Security “standards” are required by at least five federal laws, including the Fair Credit Reporting Act, the Federal Trade Commission’s Privacy Rule, the Banking Guidelines, the Health Insurance Portability and Accountability Act, and the Gramm-Leach-Bliley Safeguards Rule. But there are problems. Nowhere do any of these laws describe how to develop, maintain, and enforce an information security program. In effect, the laws fail to stipulate what constitutes an “information security program” or “standards” for security.
Granted, the laws do specify information technology (IT) security, that is, the security of computers and networks. Indeed, the main theme at the September 2004 American Bankers Association Identity Theft Symposium was “Technology to the Rescue.” Bankers were informed of online products and protections and advised to prevent identity theft by using tools such as encryption, authentication, and software programs that guard against email and other computer fraud. But computers do not steal identities.
Rather, recent studies indicate that at least half of identity thefts are committed inside the workplace by a dishonest few employees who steal the Social Security, credit card, banking, or other numbers of their coworkers and customers. Federal laws fail, however, to cover the people within businesses who have access to personal identities and the work processes used to manage and maintain that information.
The federal laws fall short, and computer security alone will not work. Securing company borders against identity theft requires an inclusive and exhaustive three-fold approach that secures people, processes, and the IT property. The techniques used to develop, maintain, and enforce such an information security program should be universally established, widely documented methods known to be reliable and valid, and inexpensive and accessible to all businesses, large and small. Fortunately, such methods exist, and so, therefore, do the security solutions.
Preventing Identity Theft in Your Business shows how employee-manager teams can develop a set of Security Standards using step-by-step instructions written in lay language and drawing on methods from industrial and organizational psychology, the management sciences, and the field of criminal justice. The methods are inexpensive, comprehensive, and universally applicable to all businesses regardless of size, type, or geographic location. Within six months, employees and their managers can bring any company into compliance with all current laws as well as any enacted in the future.
Preventing Identity Theft in Your Business shows how all companies can build effective corporate policies to protect the identities of employees and their customers without impacting budgets and business operations. What’s more, these Security Standards incorporate performance standards: Businesses will meet regulatory requirements while gaining competitive advantages. Using strategies proven to be effective, personal and business identities no longer are jeopardized and financial institutions no longer risk noncompliance. In short, identity theft stops here.
INTRODUCTION
Identity theft can be prevented. Contrary to common thought, most identities are stolen from businesses; fewer are stolen from garbage Dumpsters or by online hackers. Although thefts do occur from these sources (as well as from homes, cars, and persons), the majority of identity thefts are committed inside the workplace by a relatively few dishonest employees who steal the personal identification data of their coworkers and customers—a company’s most valued assets. To safeguard these potential victims, and the company’s interests, the workplace must be secured.
Because identity thefts occur so often in the workplace, businesses also are victims. In his keynote speech at the 2000 White Collar Crime Summit in Los Angeles, California’s attorney general, William Lockyer, warned that identity theft was the greatest threat to the financial economy of businesses and the entire United States. Since then, and despite his warning, identity theft has escalated worldwide and continues unabated. The reason in great part is that no international security standards exist to protect personal information, such as the identities of U.S. citizens.
Nevertheless, federal laws now require all businesses to secure personal identifiers and document that they have done so, or risk being fined. Nowhere, however, are businesses told how they might do this. Granted, each of several federal laws recommends database and computer security, but computers do not steal identities. Information technology (IT) cannot by itself secure personal information, because employee insider theft, not system compromise, is the source of most stolen identities; to some degree, already secured IT systems may even push thieves toward the people and processes around them.
In the field of criminal justice, when the source of a crime is known, the incidence of that crime can be mitigated and even prevented. Preventing Identity Theft in Your Business: How to Protect Your Business, Customers, and Employees shows how manager-employee teams (managers have the decision power to authorize employee-designed solutions) can use step-by-step instructions in a series of consecutively ordered exercises to combat identity theft in the workplace. Preventing Identity Theft is written with employees in mind, to help protect them and because employees are the key to securing the workplace.
Employees are the persons closest to the workplaces and work processes where identity thefts occur. Some employees perform the job tasks required to process, update, and otherwise maintain and manage personal information contained on applications, healthcare forms, payroll and benefits checks, and other documents, both paper and digital. Those employees are positioned to recognize the work processes most susceptible to identity thefts; and those employees, therefore, also are the key individuals capable of securing those work processes.
But what exactly is an “identity”? In the evolution of crime, identity theft is a particularly fast-moving, ever-changing, and overarching crime that facilitates many ancillary identity crimes. In Part I, therefore, the first priorities are to update yesterday’s definitions of identity theft and report on recent events and trends that, disturbingly, point to even greater incidence and variations in identity crimes. Included in the text is a discussion on “identity rape,” the insidious effects on victims (both persons and businesses), and several sections detailing facts on why identity theft may never be completely eradicated.
Preventing Identity Theft in Your Business Page 1