The Federal Identity Theft Task Force (Task Force), chaired by Attorney General Gonzales and co-chaired by Federal Trade Commission (FTC) Chairman Majoras, is seeking public comment on ways to improve the effectiveness and efficiency of federal government efforts to reduce instances of identity theft. Policymakers are likely to rely upon these recommendations as guidance in developing legislation and regulations for the private sector. Comments are due Friday, January 19, 2007. See http://www.ftc.gov/speeches/majoras/061221PublicNoticeFinal.pdf.
By way of background, this Task Force was created by an Executive Order signed by the President on May 10, 2006 to strengthen efforts to combat identity theft. Comprised of 17 federal agencies and departments, its purposes are to improve the federal government’s protection of personal data, improve public outreach to educate the public about identity theft, consider the development of appropriate safeguards for the private sector, and encourage more aggressive law enforcement action against perpetrators of identity theft. The Task Force was to provide to the President by November 10, 2006 a coordinated strategic plan for improving the federal government’s activities in identity theft awareness, prevention, detection, and prosecution. By further Executive Order, this time frame was amended to require submission of the strategic plan no later than February 9, 2007.
On September 19, 2006, the Task Force published interim recommendations. Although there is no requirement to formally solicit public comment, the Task Force has decided to do so to obtain the benefit of additional research, analysis, and recommendations on these issues. The request for public comment notes that it is not expected that the Task Force will respond directly to particular suggestions or comments. Rather, it will use the information to supplement its work.
The work of the Task Force has been focused in the following four areas:
I. Enhanced security and consumer education to help keep sensitive data out of the hands of identity thieves;
II. Preventing misuse of consumer data—making it more difficult for identity thieves to use information to steal identities;
III. Victim recovery; and
IV. Law Enforcement: greater ID theft deterrence through more aggressive prosecution and punishment.
The recommendations under consideration that would have the greatest impact on the private sector are consideration of a national data security standard and breach notification requirement; issues related to both government and private sector uses of social security numbers (SSNs), including a request for comment on alternative identifiers for SSNs; and public private partnerships efforts to combat identity theft.
Following is a summary of the key issues and questions on which the Task Force is inviting comments:
I. Maintaining Security of Consumer Data
Building on the interim recommendation that called for an examination by federal agencies of their collection and use of SSNs, the Task Force is considering whether the following types of additional measures should be taken as well as comments on the following issues:
- Government Use of SSNs
- Ways to achieve reduced reliance on SSNs by federal, state and local government, including steps to eliminate unnecessary use and display of SSNs
- Comments on any available substitutes for SSNs
- Private Sector Use of SSN
- Whether to recommend an investigation into and analysis of how SSNs are currently used in the private sector
- National Data Security Standards for Commercial Entities
- Whether to recommend national data security requirements for all commercial entities that maintain sensitive consumer information
- Comments on essential elements of such a requirement, variations for small businesses, costs associated with such a requirement
- Breach Notification Requirement for Private Sector
- Whether to recommend a national breach notification requirement
- Deficiencies in current protocols regarding breach notification
- Comments on essential elements of such a requirement
- Education of private sector and consumers regarding data safeguards
II. Preventing Misuse of Consumer Data
Building on the interim recommendation to hold a workshop or series of workshops on authentication issues (which will begin in early 2007) to develop and promote more reliable methods of authentication to make it harder for identity thieves to open new accounts or access existing ones, the Task Force is seeking comment on any additional measures to prevent the misuse of consumer data. III. Victim Recovery
- Improving victim assistance (e.g., educational materials for first responders, law enforcement training, victim statement of rights)
- Developing a national identification document for authentication purposes
- Gathering data on effectiveness of victim recovery efforts (e.g., FTC surveys, assessment of state credit freeze laws)
IV. Law Enforcement
To further the Executive Order's policy of increased aggressive law enforcement, among other measures, the Task Force is considering:
- Establishing a National I.D. Theft Law Enforcement Center
- Enhancing law enforcement's ability to receive information from private sector
- DOJ discussions with private sector to increase awareness by victims of rights to receive I.D. theft-related documents
- DOJ discussions with credit reporting agencies regarding possible measures to make it more difficult for identity thieves to obtain credit base on access to a victim's credit report
- Investigation of I.D. thieves resident in foreign countries
- Amendments to federal statutes and guidelines used to prosecute identity theft-related offenses
- Amending 18 U.S.C. § 1030 by eliminating current requirement that key-logging or malicious spyware actions must cause damage to computers, and that the loss caused must exceed $5,000
- Enacting legislation that would make it a felony for data brokers and telephone company employees to knowingly and intentionally sell or transfer customer information without prior written authorization from the customer, with exceptions for law enforcement