Thus, in these and other ways, criminals use stolen business identities to access a business’s financial accounts and employee records and to create bogus checks, open new credit card and bank accounts, take over existing accounts, and gain access to offices and even homes of employees and customers. The effects on businesses are enormous.
Other Effects on Businesses
The financial losses for business identity theft are the costs due to the loss of merchandise from the thefts and other financial losses from the thefts and fraudulent use of business credit card and bank account numbers. Additional costs to businesses are the losses accrued when customers who, on learning their identities have been stolen, cancel their accounts and move to other financial institutions, discontinue current credit card accounts, and stop shopping at their usual retail or other stores—all without considering that no business is immune, and that the business, too, is a victim.
Costs too difficult to measure include employee time that must be allocated to resolving the issues of a business identity theft; the costs for auditors to review accounting and operating procedures; the employee time involvement with customers of the business whose accounts have been accessed; and the loss of productivity on the “other” jobs the employees were principally hired to perform. Also difficult to assess precisely are employee costs associated with decreased job satisfaction, pay satisfaction, and other costs attributable to work-overload stress and (when applicable) concomitant healthcare costs that occur as a result of work problems manifesting themselves either physically and/or emotionally.
Additionally, a potentially devastating cost to business victims of identity theft and/or identity crime is negative word-of-mouth advertising originating from the victimized customer who perceives having been offered little, if any, assistance from the business itself or, worse yet, who finds fault with the business for failing to provide adequate identification security.
Although routinely reported in the media as “estimates,” the costs of identity theft to business are largely impossible to gauge precisely, not only for each of the reasons above but also because the crime of identity theft is the precursor to identity crime. That is to say, for example, an estimate for the costs of credit card fraud likely involves one and usually more offenses, such as retail account fraud, telecommunications and utilities fraud, and, increasingly, organized crime and drug trafficking. The financial effects of identity theft on businesses, therefore, are largely unknown.
Despite not knowing the costs of even one identity theft and identity crime, and given reasons why reported costs are in effect gross underestimates, it is certain that identity thefts and identity crimes negatively impact managers, employees, the work environment, and levels of work output. It is, therefore, reasonable to assert that identity theft unchecked will upset the economic equilibrium of the entire Untied States and beyond. It is frightening to recognize, as the next chapter discloses, that identity theft and identity crimes are entrenched in our society and that they are here to stay.
CHAPTER 3
IDENTITY CRIME IS ENTRENCHED
The need for business standards of information security has never been greater. In the United States, “information technology” and “database management” are characteristic themes of the information era. To this list might be added “identity marketing.” We are a nation of databases that aggregate, consolidate, and disseminate worldwide the names, addresses, Social Security numbers (SSNs), and other personal information of U.S. citizens. From the time of birth, when newborns are assigned SSNs, and forever after, even beyond death, every citizen becomes a number in one or more databases. Many people may share the same name—first, middle, and last—but no two share the same nine-digit database identifier. Identity crime is entrenched in our society and is here to stay. Why? Because identity crimes are low-risk offenses with high payoffs, and the SSNs with which the criminals work are easily accessible. Most every business today has at least one database complete with these numbers.
Small and large businesses alike use a wide range of computerized systems to efficiently manage, control, and maintain information on products purchased and sold, services bought and rendered, salaries and healthcare benefits earned and paid, and other business activities that use the SSNs of employees and customers. For many businesses, SSNs are financial commodities bought and sold on the market. Many companies, for example, purchase identities, often with the option to resell them later. These sales of personal information for marketing purposes are examples of how identities become a part of many databases without the knowledge or permission of the person whose information is sold.
This “identity marketing” also explains why “opting out” of direct marketing lists—the request to remove a name from marketing lists—is only temporary; the purchaser of the marketing list also may purchase the option to sell the identities to third parties who, in turn, may resell the list to others, and so on. Identity thieves do this on the street; that is, criminals sell lists of identities to one another. On the street, of course, this practice of selling identities is a crime.
Identity marketing places a great many individuals at risk because, given that many of the database systems in use are unsecured in the first place, the more times a person’s identity is marketed, the greater the likelihood that someone, somewhere will steal that identity and use it for underhanded purposes. It is simply a matter of probability, with increasing chances as new identity databases continue to be developed and disseminated. One recent example is the most comprehensive database in terms of the numbers of people tracked and the types of personal information stored, the database overseen by the Health Insurance Portability and Accountability Act.1
HIPAA DATABASE
Anyone who recently has visited a doctor’s office or other medical facility has been asked to sign a form acknowledging receipt of information outlining rights under the Health Insurance Portability and Accountability Act, or HIPAA. Meant to ease information sharing between medical professionals and billing to third-party payers, HIPAA oversees a national database containing personal information on everyone with healthcare coverage or who have in the past received health services. HIPAA, which became official and legally effective for all healthcare-related organizations in October 2003, unwittingly opened a new avenue for increasing numbers of potential identity thefts.
The HIPAA database contains names, addresses, SSNs, physical and psychological details, and other data on individuals and their family members. According to the act, healthcare-related institutions can disclose this information to any number of other organizations and individuals for purposes directly and indirectly related to treatment, payment, healthcare operations, benefits, and services. Therefore, this sensitive information is accessible by all healthcare institutions, such as hospitals, clinics, pharmacies, private practitioners, and medical supply houses, as well as by second- and third-party clearinghouses including database management companies, suppliers, and vendors. In other words, thousands of institutions and hundreds of thousands of their employees now have access to the personal information on millions of U.S. citizens. Yet, except for computer system security, no security standards are required for institutions that have access to this mammoth HIPAA database.
The Health Insurance Portability and Accountability Act and its provisions are essential for the maintenance of the healthcare system and, thus, valuable to many U.S. citizens. The database provides for the efficient transmission of information and payments between healthcare insurers and providers, and the act contains features beneficial to employees, disabled persons, and seniors. Yet this unsecured national identity database exposes these same persons to risk for abuse by identity theft criminals. The HIPAA database, although widely accessible, is not known to be used to market identities, as some other databases are.
CREDIT AGENCY DATABASES
Three credit agencies—TransUnion, Equifax, and Experian—each keep records of the names, addresses, SSNs, and fi
nancial dealings on the majority of U.S. citizens. These agencies sell personal information to other businesses that pay to verify a customer’s creditworthiness before completing a financial transaction, which the customer authorizes when requesting on-credit purchases. At least three of these agencies also sell information the consumer does not explicitly authorize, usually personal information contained in the “header” of the credit report.
The header is the first of three sections of a credit report that lists a person’s primary identifiers—name, addresses, SSN, birth date, and other information. A second section contains detailed information collected over a period of years on the person’s financial activities, such as the names of banks, credit card companies, mortgage and insurance companies, retail and other entities the individual has conducted business with, and the amounts of money borrowed and owed.
In the third section, the credit report lists all companies that have purchased a person’s credit report, even though that person has never applied to that company for credit. Businesses use these unauthorized credit reports to market products and services; for example, credit card companies buy lists of information on creditworthy consumers prior to mailing them preapproved credit applications. This is one example of how identities become disseminated among databases, usually without the knowledge of the person whose identity was sold. As mentioned earlier, this also explains why the opting out of direct mailing lists is only temporary—the opted-out mailing list already has been sold to some other company, which now must also be mailed an opt-out letter. The problem is that the new company may be unknown—consumers have no control over where their identities are marketed or to whom.
Presumably, any employee of any authorized or unauthorized business that has a membership with the credit agency can access the credit agency’s database. Thousands of businesses have pass codes to the credit agency databases, providing access to millions of employees worldwide. Unfortunately, credit agencies and other businesses are not required to request consumers’ permissions to market identities, nor are consumers informed of, or compensated for, the sale of their identities. Ironically, indeed, people requesting their own, personal credit information often must pay for it.
Credit reporting agencies are critical to the financial success of businesses and the economic infrastructure of the United States. Businesses must be able to legitimately determine the creditworthiness of individuals who seek to obtain products or services based on their abilities to pay. However, credit agencies, and the business customers these agencies sell information to, operate on the edge of illegitimacy when they sell citizens’ identities without first having invested in an information security program that would protect those citizens’ personal identifiers. Although the numbers of available and accessible databases may border on the infinite, another stark example will serve to illuminate the burgeoning identity crisis.
GOVERNMENT DATABASES
The U.S. government maintains many unsecured databases on private citizens. Perhaps the most comprehensive after HIPAA (because they do not contain the physical and psychological histories) are those databases maintained by the Social Security Administration and the U.S. Internal Revenue Service. Additionally, the U.S. Selective Service maintains an identity database on U.S. males. There are also all the drivers’ license databases. Most recently, a travelers’ database proposed by the Department of Homeland Security monitors individuals coming into, departing from, and traveling within the United States.
These and a variety of other governmental U.S. databases provide for efficiencies in economies, services, and homeland security; they are a benefit to U.S. citizens and essential to the government and security of the United States. Unwittingly, these and all other databases also are gold mines for identity theft and terrorist networks to facilitate financial frauds and acts of terror. Information technology (IT) alone cannot contain the threats to thefts of identities from these databases; as previously noted, computers do not steal identities. In fact, computer and network security provide only a third layer of protection.
The first layer of protection, and the primary source of security, concerns people—the employees who help maintain the confidentiality of personal information and who help prevent the theft of identities by the dishonest few insiders who have access to the computers and can use the databases to steal the identities of their coworkers and customers. Computerized data, however, whether downloaded or hand-copied, are only one source of the identity thefts because most jobs also process personal information in paper form—applications, certificates, receipts, accounting statements, and various other types of documents. The second layer of protection, therefore, consists of methods that can secure these work processes. People and work process security, together with the third layer of protection—IT security—comprise the foundation of an information security program that would secure any business, regardless of type or size, from the threat of identity theft. More than ever before, information standards for security are now needed—particularly because recent disturbing events point to escalations in identity thefts and identity crimes.
CHAPTER 4
IDENTITY CRIMES ARE ESCALATING
Identity theft in the United States is not only entrenched, it is escalating. Identities of untold numbers of U.S. citizens are being exported to India, China, Japan, Russia, Canada, the Philippines, and elsewhere. Prosecutions of identity crimes are rare because of jurisdictional obstacles. Local law enforcement has been stripped of resources to combat identity crimes. There is little, if any, preemptive identity theft legislation, and businesses require no security standards to protect personal identities. For these reasons, identity thefts and identity crimes are predicted to increase exponentially.
OUTSOURCING IDENTITIES
Consider, first, outsourcing. Hundreds of U.S. companies seek to remain competitive by sending white-collar jobs abroad to be performed by a cheaper workforce. The types of jobs being outsourced include employee benefits, customer service centers, database management, employee payroll, and income tax preparation, to name a few. Even the credit agencies, each of which maintains databases on over 200 million U.S. consumers, outsource jobs that process credit disputes—presumably, many or even most arising from identity thefts. These and other white-collar jobs would not exist but for Social Security numbers, credit card numbers, bank account numbers, and other personal identifiers. Without this personal information, there would be no job tasks to perform and no jobs to outsource. The real truth is that it is “identities” that are being outsourced.
U.S. identities are particularly vulnerable to theft in outsourced companies because of the relatively lucrative socioeconomic statuses of many U.S. citizens, coupled with the unorthodox business practices in some outsource-target countries. Pioneering research at the Michigan State University (MSU) Identity Theft Crime and Research Lab, since corroborated in other, independently conducted, studies, indicates that, contrary to conventional understanding, approximately 50 percent or more of identity thefts in the United States are stolen from within companies rather than from “Dumpster diving,” or from stolen purses or wallets, or by online hacking of computer systems.1 An insider who steals identities may be a part-time, full-time, temporary, or permanent employee, or even an impersonator of an employee—that is, someone who hires into a company specifically to steal identities. Given that a major source of identity theft in the United States is committed by thieves inside the workplace, insider theft can reasonably be assumed to be greater in other countries, particularly countries where bribery and payoffs are known to be common business practices.
Additionally, outsourcing identities to other countries gives foreigners easy access to personal information. Thus, terrorists have more readily available sources of this personal information. Terrorists who use stolen identities to travel incognito and to conceal their terrorist activities now have U.S. identities shipped to their own backyard.
Once databases are disseminated abroad be
yond U.S. boundaries, the United States has no control over the databases themselves, the identities in the databases, or investigations and prosecutions of identity crimes. Even within the United States, jurisdictional boundaries can present problems for prosecutions, should a criminal to be apprehended; these obstacles form another reason why identity crimes are escalating.
JURISDICTIONAL PROBLEMS
Identity crimes are predicted to increase because of identity outsourcing and also because identity crimes are complex and difficult both to investigate and to prosecute across legal jurisdictions. For instance, identity crimes are rarely unijurisdictional offenses. Most often, identity crimes are committed by organized networks that consist of several cells located across counties, states, and, increasingly, different countries. In the United States, a crime is prosecuted in the jurisdiction where it was committed. But with the identity theft, the jurisdictional location—the site of the theft—usually is unknown, which is why identity theft investigations begin at the post office drop or empty apartment where the fraudulent merchandise is delivered, and not the location where the identity was stolen, and why investigations of identity crimes usually lead to several, and not just one, legal jurisdiction, as illustrated in the next example from an actual case.
Perpetrators using a list of stolen identities completed numerous fraudulent credit card applications with several credit companies located in cities in several states.2 The credit card applications were made online, over the phone, and also in person. For each application, the criminals replaced the victim’s “present” legitimate address with a new, also actual, mail box address, where the credit cards were mailed to the criminal impersonators. In addition to the changed “present” address, the criminals completed sections on the applications requiring the names and addresses of the place of employment and the names and addresses of references who would attest to the credibility of the (criminal) applicant. Although the business and reference names were bogus, most of the addresses were real (and did lead to other information). The names and addresses given by the impersonating criminal—new present address, place of employment, and references—were all in one state but in different, bordering counties (i.e., in different jurisdictions). Once the criminals received the credit cards at the privately owned post office box, they used the cards to purchase merchandise online, over the phone, and in person at various retail stores; the purchases were made in different counties, cities, and states.
Preventing Identity Theft in Your Business Page 4