
Preventing Identity Theft in Your Business


by Judith M. Collins


  In this case, were the criminals to be apprehended, the question is: In which U.S. jurisdiction would these crimes be prosecuted? Usually, credit card frauds committed by organized networks are the domain of the U.S. Secret Service. This case, had it been resolved, could have been prosecuted at the federal level of jurisdiction. However, the investigation of this case, to bring it to prosecution, was hampered by the jurisdictional complexities.

  Some jurisdictional problems are international, as in the case of the robbery of the apartment of a young man in Oakland, California, in which the perpetrator(s) stole a passport, Social Security card, and other personal documents.3 Some six months later, the man received a letter from a London bank approving a loan for the (fraudulent) purchase of a condominium. In another international case, this one involving “business” identity theft, the corporate credit card number of an Okemos, Michigan, business was stolen and used fraudulently to purchase merchandise that was traced by the MSU Crime Lab to an apartment in Romania.4 In both of these cases, international obstacles hindered the investigations, but even if the perpetrators had been identified and apprehended, prosecutions across international jurisdictions are particularly difficult. Another, related jurisdictional problem is that identity crimes rarely are one-person offenses.

  Identity networks grow rapidly to include relatives, friends, and friends of friends. Identity networks attract criminals because they know the chances for apprehension are slim, the networks are difficult to track, and payoffs are high. To illustrate the evolution of one such network, on her last day of work at a major U.S. automobile manufacturing company, a contract employee stole a list of coworker identities, then gave and sold sections of the list to others, who in turn sold sections of those lists to still others, and so on. Within six weeks, when this case was uncovered by a police task force, the network had evolved from the one contract employee to include 45 others who were directly and indirectly involved in credit card fraud, bank fraud, retail fraud, and telecommunications fraud. This crime was solved, but, in most cases, even with the apprehension and confession of one person in the network, chances are that a criminal may know only the immediately previous source of the stolen identity—the friend or relative from whom the identity was purchased; thus, the prosecution and conviction of these two perpetrators would not ensure curtailment of the network’s continuing evolution and operation. (In fact, in this case, one cell member tracked to Philadelphia was never found.)

  Yet another jurisdictional issue—the “layering” of identity crimes—points to why these crimes go unprosecuted and therefore continue. Identity crimes are “layered” so that different cells operate in different legal jurisdictions and each cell performs different but interrelated job tasks—much like some organizations departmentalize operations. In one such network, one cell used the stolen identities to create false checks; another cell’s responsibility was to cash the checks; another cell manufactured secondary identities, which were used by yet another cell to open post office drops for the delivery of fraudulent merchandise purchased by yet other cells. Many of these cells operated in different jurisdictions, so the chain of criminal activities occurred across different and distinct legal boundaries.

  This layering illustrates both the complexity of these offenses due to the network (cell) configurations and the jurisdictional problems encountered in these investigations, which is another reason why most identity crimes go unresolved and are predicted to increase.

  POLICE LACK RESOURCES

  Another reason for increases in identity thefts and concomitant crimes is because investigations are particularly costly and local law enforcement has been stripped of crime-fighting resources. Primary responsibility for fighting identity theft lies with local law enforcement, but with the establishment of the Department of Homeland Security, the federal government has reallocated resources from local agencies to the Federal Bureau of Investigation (FBI) to fight terrorism. Because of these federal cuts and also because of state funding cuts, police departments nationwide are being forced to pare budgets; freeze hiring; scale back on overtime; cut back on materials and equipment; and reduce officer training. (Some departments have been eliminated altogether.) In these circumstances, police departments are unable to give enough attention to costly investigations of identity theft.

  Identity theft investigations require backtracking from the end of the crime, where the merchandise was delivered, to the primary crime scene, where the identity was stolen. Tracking an identity crime chain is costly when using traditional methods of investigation that must traverse complex network configurations with cells that sometimes operate internationally. Although advanced technology does exist to track identity crimes and criminals online, few police departments have resources for the technology or for officer training to use it. This fact is most unfortunate because online investigations are speedy, efficient, and economical—and there are no jurisdictional boundaries in cyberspace. However, the lack of funding curtails or precludes many investigations. Identity crimes will naturally, therefore, persist. Ironically, funds have been diverted to federal agencies to fight terrorism, but local law enforcement is responsible for fighting the fundamental crime that facilitates terrorism—the overarching crime of identity theft.

  Legislation could mitigate and help de-escalate identity crimes. For example, resources could be reallocated or shared; jurisdictional boundaries could be redefined for collaborative cross-jurisdictional investigations and prosecutions; and, of course, security standards could be required for businesses that house identities. But so far, this is not happening.

  LEGISLATION IS LACKING

  As identity crime legislation continues to be proposed and enacted, identity crimes are on the increase and criminals continue to discover new modus operandi to, in effect, stay ahead of the law. The misappropriation of “business” identities is a developing extension of traditional “personal” identity theft, with variations such as subsidiary theft and also, recently, phishing—the cloning of a legitimate business Web site to obtain customer identities. Although criminals will continue to develop novel methods to commit identity crimes, effective legislation, were it to be enacted, can thwart their attempts.

  Granted, some legislation—the Gramm-Leach-Bliley Act, the Federal Trade Commission Privacy Rule, the Safeguard Rule, and others—does require information technology (IT) security compliance to help mitigate and prevent computer and network system breaches, such as hacking and phishing.5 However, IT security does not also secure people and processes and also will not safeguard personal information, absent other security measures.

  If it existed, legislation involving people and process security would be preemptive, as are the IT security laws. Unfortunately, however, most current laws are neither proactive nor preventive; the laws are, rather, reactive and hastily enacted, and many reflect a lack of knowledge about the crime, the criminal, and the victim. Not surprisingly, many “experts” who testify at legislative hearings exhibit only peripheral visions of identity theft causes and consequences. There are understandable reasons why this is true. For one, until late 2003, most police departments refused to take identity theft complaints—some still do not—and those that do, often file away the complaints, never to act on them, all because of the jurisdictional problems and costs of investigating these complaints. In short, even though they have been slow to focus attention on identity crimes, law enforcement officials are the presumed experts on crime and thus most often sought after to give testimony at identity theft legislative hearings. Unfortunately, those not close to the crime cannot know it very well and cannot, therefore, expertly inform legislative decision making.

  In addition to law enforcement, victim “experts” also are called to testify in legislative hearings. However, the knowledge that victims’ testimony provides is anecdotal: Their vision and understanding of what has occurred is often blurred from the duress of the offenses; and their testimonies, charged with subjectivity and emotion, can be superficial and misleading. The quality of legislative information, therefore, is often insufficient as a basis for enacting laws to prevent identity theft and identity crimes. Doubtless, this is why most legislation is merely reactive and not preventive.

  Current reactive laws increase penalties and fines, although volumes of criminal justice research show punishment fails to deter. Nonetheless, if incarcerated, a criminal is at least temporarily removed from society. However, incarceration does not always stop the crime; the tentacles of identity theft networks reach into the general prison populations, where criminals commit online credit card fraud to purchase merchandise that is delivered to outside accomplices, for kickbacks in money or drugs that are infiltrated back into the prison facility. Following release from prison, many criminals recidivate; should this be true for identity theft criminals, the cycle of identity crimes could be expected to resume. Despite all this, reactive legislation is necessary, to help victims resolve credit and other problems, such as clearing unwarranted criminal records. Of course, the best legislation would prevent the identity theft in the first place. Sometimes, however, reactive bills are precursors for proactive bills that come later when the crime is better understood. Examples are recent bills proposed in the state of California.

  California has taken a lead in identity theft regulation, perhaps because it was the first state to report an insurgence of identity crimes. One lawmaker in particular, U.S. Senator Dianne Feinstein, has taken a leadership role in protecting “personal” information that includes bills that were first to link identity theft to terrorism and insider theft.6 A recent amendment to the Identity Theft and Assumption Deterrence Act penalizes insiders who use their employment positions to commit fraud or help others commit fraud. Although not (yet) preventive, the bill is a beginning toward the real solution in which the legislation would be amended to require all businesses that use personal information to show evidence for “personnel selection for security” procedures that comply with Equal Employment Opportunity Commission (EEOC) Guidelines and Title VII statutes for fairness in personnel practices and that meet the standards of “information process” risk assessments.7 Such legislation requiring security standards for people and processes would explicitly target insider theft prevention; coupled with current IT security requirements, such legislation would eliminate opportunities for identity theft, thereby decreasing or even preventing identity crimes. But as yet, there is no such legislation because, prior to the publication of this book (see Part II), there have been no such security standards. Thus, for this final and cumulative reason, identity crimes are predicted to increase greatly unless something is done very soon.

  The burden of preventing identity thefts lies with businesses for two reasons:

  The majority of identity thefts occur in the workplace.

  Businesses are required by law to develop, document, and implement information security programs.

  The problem is that those laws neither define what constitutes an information security program nor describe how a business would go about developing such a program. Nonetheless, as the laws discussed in Chapter 5 make clear, businesses must comply or face fines.

  CHAPTER 5

  LEGAL REQUIREMENTS FOR BUSINESSES

  Businesses are required under several federal laws to develop, implement, and document evidence for “information security programs,” or they risk being fined. But problems with the laws are innumerable: they are too broad and too flexible; they fail to cover “people” within businesses who are given access to personal information; and they do not concern the “work processes” the people perform, such as financial transactions using applications containing personal information. Moreover, the laws do not state how to develop the specified information security program and, except for expecting information technology (IT) to secure computers and networks, the laws do not provide uniform security standards.

  This failure to require security standards is particularly problematic because, as discussed in Chapter 4, personal information is widely disseminated worldwide. Databases of information distributed around the world to second, third, and other parties are under no one’s control and therefore are uncontrollable. Surprisingly, of the many laws enacted to prevent identity theft, not one contains provisions that actually would secure identities.

  MANY LAWS

  Five federal laws require information security, including the Fair Credit Reporting Act (FCRA), the Privacy Rule of the Federal Trade Commission (FTC), the Banking Guidelines, the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Safeguards Rule (GLB Act).1 Additionally, the following federal agencies, collectively called the Federal Agencies, require businesses to keep personal information confidential: the U.S. Treasury’s Office of the Comptroller of the Currency, Treasury (OCC); the Federal Reserve System’s Board of Governors; the Federal Deposit Insurance Corporation (FDIC); and the Office of Thrift Supervision, Treasury (OTS).

  Of all of these, the GLB Act, enacted on November 12, 1999, to reform the financial services industry, is the most comprehensive. The Gramm-Leach-Bliley Safeguards Rule, effective May 23, 2003, implemented the safeguards of the GLB Act. According to this Act, confidential information is defined as: any personal information given by an individual to obtain a financial, healthcare, or other product or service, including name, address, Social Security number, a mother’s maiden name, bank account number, credit card or retail account number, driver’s license information, or any other information on an application or used in any financial transaction. Further, the Act defines financial institutions as “any entity that engages in any kind of financial activity” and requires these institutions to “develop information security programs” (emphasis added) and also to train and designate employees to coordinate them.2 However, nowhere does this or any other law stipulate what constitutes the required information security program or what is to be included in the training.

  Instead, the act requires that institutions must:

  Give customers privacy notices.

  Provide customers opportunities to decline having their information shared with third parties.

  Avoid releasing personal information to unauthorized users.

  Assure accuracy of personal information before releasing it.

  Disclose to the consumer recipients of any released information.

  Identify internal and external risks to security.

  Develop and implement information security programs.

  Unfortunately, these requirements, even as detailed in the text of the act, are merely superficial.

  MANY “SUPERFICIAL” LAWS

  The federal laws that claim to provide security are neither inclusive nor exhaustive—they fail to address either “people” or “work processes,” two major sources of identity theft, and the laws also neither describe nor prescribe any measures that actually would secure personal information. Additionally, ambiguities with each of the seven requirements render them ineffective. Specifically, the requirement that businesses (1) give customers privacy notices raises more questions than answers and gives customers cause for concern. For example, some notices authorize access of personal information by indirectly related but unspecified businesses. Yes, businesses must also (2) provide consumers with opportunities to decline having their information shared with third parties—a reference to the “opt-out” choices that are only temporary because databases repeatedly are passed along to unaccountable, and sometimes indirectly related (and therefore unknown), other companies. Not only ambiguous, this requirement also is puzzling, as is the third, which (3) requires businesses to avoid releasing personal information to unauthorized users—that is, those not directly or (again) indirectly authorized.

  Additionally, businesses are to (4) assure the accuracy of personal information before releasing it. As businesses are not required first to obtain from the customer notices of accuracy, how is accuracy determined? Only the customer knows the accuracy of the information, which is, after being disseminated along a chain of second, third, and other parties, especially subject to deterioration, either intentional or inadvertent. A related but similarly confusing requirement is that businesses also are to (5) disclose to the consumer recipients of any released information; here again, once information is released to a business, it may subsequently be passed along to others who in turn release to others ad infinitum—also again, such businesses may be directly and indirectly related and thus unknown.

  Finally, businesses are to (6) identify internal and external risks to security, and (7) develop and implement information security programs. How, exactly, are businesses supposed to identify internal and external risks? The laws do not answer this question, nor are businesses told how to develop the information security program, defined by Section 314.2 of the FTC’s Final Rule as “the administrative, technical, or physical safeguards that a financial institution uses to access, collect, process, store, use, transmit, dispose of, or otherwise handle customer [emphasis added] information.” Note that this definition does not cover the personal information of employees, which would include payroll, healthcare, benefits, and all other information that equates the employee’s name with a Social Security number and other identifiers. No less than customers, employees are susceptible to identity theft and are as worthy of protection.

 
