On June 12, 2011, the FTC and the DOJ’s Office for Victims of Crimes hosted a forum on child identity theft. The forum focused on the increasing prevalence of child identity theft and on ways to respond to identity theft and data breaches.
Theft of children’s identities—particularly Social Security Numbers (SSNs)—is on the rise, making this a growing concern for government agencies and others. The DOJ found 6,500 reported cases of child identity theft in 2003, and 10,000 in 2006. One panelist reported child SSNs face 51 times more attacks than adult SSNs. There are a number of reasons for the particular vulnerability of child SSNs. First, the number is a new one in the system, so thieves can easily associate it with a different name and date of birth. This means the theft is unlikely to surface on a related credit report, which a child is unlikely to have in the first place. Additionally, the theft is likely to remain unnoticed for quite some time. A child or parent may not become aware of the theft until the child is 18 and applying for a student loan or line of credit. By this point, years of misuse may have occurred.
In discussing the increase of child identity theft, some panelists at the forum advocated for more information sharing between businesses and the government, as the government has the ability to match a SSN up with the proper name and date of birth, and could help businesses to better verify customer identities. Some panelists also proposed increases in laws punishing child identity theft, for example, considering age as an aggravating factor. There was a universal call for more consumer and corporate awareness regarding child identity theft and the need for security and monitoring when dealing with sensitive information. Child identity theft will likely be an area of heightened concern for regulators in the future.
Given the increasing concern over the misuse of children’s SSNs, the panelists identified a number of steps companies can take now to minimize risk:
- Pause before asking customers to provide SSNs, particularly if those customers may be under 18. If there are ways to authenticate or identify a user aside from a SSN, consider using those instead. Businesses using SSNs should have a justifiable reason for doing so.
- Turn to available verification tools if you are using SSNs in your business. The Social Security Administration’s Website has tools for employers to verify the SSNs of current and former employees, and businesses can verify others’ SSNs with consent (visit http://www.ssa.gov/pgm/business.htm).
- Remain ever vigilant about protecting personal data, and plan proactively for a breach.
Additionally, other preventative steps were identified, including:
- creating a culture of security awareness;
- knowing the locations of all physical and electronic data your business keeps;
- knowing how to wipe clean all devices, particularly portable ones;
- having a strong crisis communication plan;
- running frequent tests and audits to ensure the security of information and data.