On April 23, 2007, the President's Identity Theft Task Force, led by the Attorney General and the Chair of the Federal Trade Commission, released a report that describes a coordinated strategic plan to reduce injuries from identity theft and take more aggressive action against identity thieves. (The Strategic Plan, called "Combating Identity Theft: A Strategic Plan," is available at www.idtheft.gov/reports/StrategicPlan.pdf. A second volume of the Report, containing a wide variety of very useful resources related to identity theft and the privacy and security of personal information, is available at www.idtheft.gov/reports/VolumeII.pdf.)
This Report provides valuable information for companies and individuals interested in the ongoing fight against identity theft. In addition to a vast array of useful detail about security practices, current privacy/security statutes and recent data breaches, the Report focuses on the following key elements of the identity theft problem:
- Prevention, through providing enhanced security for information that can lead to identity theft;
- Prevention, through making it more difficult for identity thieves to misuse or take advantage of personal information;
- Improving identity theft victim recovery activities; and
- Law enforcement efforts to investigate, prosecute and punish identity thieves.
This coordinated strategy creates an ongoing series of action steps for the federal government, its state and local law enforcement partners and all entities that create and maintain personal information. The Plan describes a continuing effort to make identity theft harder to commit, harder to profit from and easier to investigate and prosecute.
Action Plan and Key Elements for Private Companies
Beyond the key elements of the Report, private entities—the companies that collect, maintain and disclose the personal information that can be misused to steal identity—need to review the key elements of the Report and to understand the major action items and implications of this Report. Here are some of the central points for Corporate America stemming from this Report.
Start a Project Related to SSNs
The Strategic Plan makes clear that the Social Security Number is the single most sensitive piece of data, posing the highest identity theft risks. While an increasing variety of laws relate to the use, collection and disclosure of Social Security Numbers, these laws impose only modest formal restrictions on how SSNs can be used and disclosed by private companies.
Despite this limited legal environment, however, all private companies should institute a specific management project to understand—across the company—how Social Security Numbers are obtained, collected, stored and disclosed. It is clear that—throughout Corporate America—SSNs are procured, shared and maintained for purposes that are either unnecessary or inappropriate. Most companies have no firm idea of all the places in the company where an SSN may exist. Each of these SSN contact points creates a realistic risk in connection with identity theft. Only through an organized effort—by each individual company—can appropriate steps be taken to reduce access to SSNs and the related risks of inappropriate use or disclosure.
Overall Security Practices
The Report also emphasizes the importance of improving overall security practices, in both private industry and throughout the government. Companies in many industries face existing requirements to develop and implement appropriate security plans. Companies in all industries should be aware of the BJ's Wholesale case, where the Federal Trade Commission imposed liability on a company for failure to implement reasonable and appropriate security procedures, despite the absence of either a specific legal requirement or specific representations to customers about security practices. Moreover, new federal legislation imposing broad security requirements across all industries appears increasingly likely.
Whether motivated by specific legal requirements or not, all companies should understand the need to develop and implement appropriate security practices. These practices do not need to meet a "perfection" standard. Instead, the existing legal standard requires "reasonable and appropriate" security practices. But meeting this standard requires an ongoing effort to develop security policies and to impose stricter security practices across all parts of a company. A failure to create reasonable and appropriate security creates both practical risks of security breaches and an increasing array of potential legal and financial liabilities.
In addition, the Report highlights the need for a security program that is ongoing—to stay abreast of both technological developments and new issues that become visible as security risks. The past year has featured a flood of cases involving stolen or lost laptops. Clearly, companies need to evaluate their use of laptops, including encryption programs and new practices related to the storage of information on laptops. Similarly, PDAs, BlackBerry devices and other portable media create a new category of risks, often outside of the traditional security practices of companies. This need for re-evaluation of security practices is ongoing and crucial.
Be Aware of "Low Tech" Security Risks
While companies must evaluate their electronic security practices, they must also recognize that this is not simply an exercise in computer or network security. Instead, the Report details a wide variety of "low tech" cases and risks, designed to focus attention on the wide variety of security breaches that do not require sophisticated electronic hacking skills. Companies must be sure to address basic document retention and security issues in an overall security plan. In addition, companies should be aware of the existing laws related to the appropriate disposal of information, regardless of the form of this information.
The Importance of Customer Notice
The rise in identity theft risks also focuses attention on the new breed of security breach issues: notification obligations in the event of a security breach. These laws—in place in more than 35 states, with more on the way—likely will be followed in the near future by a national security breach notification standard. Moreover, the widespread publicity associated with many security breaches has raised the complexity of these notice evaluations, in terms of mandating specific investigations and forcing companies to undertake a sophisticated analysis of whether notice is required (or whether it should be given even if not required), along with a host of related issues (should we provide credit monitoring, etc.).
In addition, companies should be aware of the start of enforcement concerning these notice laws, such as the recent New York case involving an alleged violation of the New York security breach notification statute by CS STARS LLC, a Chicago-based claims management company (see www.oag.state.ny.us/press/2007/apr/apr26a_07.html for more information about this case).
In this context, the ongoing debate about a "risk" standard for security breach notifications will be of considerable interest. The state laws vary on the standard for notification, with some states clearly limiting notice to situations where a risk of harm is "reasonable." Other states have different (and often more demanding) standards. The notice standard is a key component of the debate at the federal level. The Federal Trade Commission is on record as being concerned about the risk of "over-notice," where a "too low" standard results in so many notices that consumers come to ignore them or have no reasonable basis to evaluate their actual potential for harm.
The Crucial Issue of Authentication
The Report focuses attention on one issue that often receives less attention—inhibiting the ability of potential identity thieves to profit from the information they have taken. If a thief obtains your Social Security Number, but is unable to obtain new credit cards because of the authentication practices of a credit card company, the information becomes less valuable and the losses plummet. Companies must re-evaluate their customer and personnel authentication practices. In particular, while authentication issues are not new, "better" authentication practices often have taken a backseat to improved ease of use by customers. The Task Force report shows us that companies may need to re-evaluate this balance. If identity thieves cannot use stolen information, identity theft losses decrease. This new reality must be a component of the assessment as companies review their authentication practices.
Be Aware of Growing Litigation
To the extent that further encouragement is needed, companies also need to be aware of the rising tide of privacy and security litigation, much of it driven by identity theft concerns. To be clear, there still is no flood of identity theft litigation. Yet, we see a consistent increase in both consumer driven cases and litigation between companies, typically involving who is responsible for specific identity theft losses. The pending and expanding TJX breach situation should be watched closely as a potential tipping point—the case provides a privacy/security perfect storm, with a longstanding, ongoing security breach, apparently driven by weak security practices, resulting in substantial harm.
Recognize that Notice Doesn't Get You Out of Litigation
When considering the litigation environment and the complexities of various notification laws, companies need to reconcile the tension between notification and the risks of litigation. Critically, compliance with a notification law does not bar privacy or security litigation. Instead, compliance with the notification laws is just that—compliance with these laws, without any preclusion of other enforcement or litigation activity related to the breach. The purpose of the notification laws is to permit consumers to take action at a time when their action might in fact reduce harm from identity theft. Obviously, these steps are designed to reduce harm, but, from a legal perspective, they also can mitigate or reduce any actual damages resulting from a security breach. Proving actual damages remains a key hurdle for any plaintiff pursuing privacy or security breach litigation.
Companies providing notice should, of course, be aware that, in many circumstances, the notification is the first time that a consumer will hear of a security breach, and may itself lead to breach-related litigation. So, in addition to reviewing the requirements of notification laws, companies also need to consider carefully the mitigation and public relations implications of this notification. This challenge may be particularly difficult in situations where a company's obligation is to notify its corporate clients, rather than consumers directly. This notification process pushes the corporate client—the "owner" of the data under most statutes—to develop a notification plan that places blame on the agent. Companies need to work with their clients to develop a plan that is fair and accurate, without unduly placing blame or unnecessarily scaring consumers.
Recognize Substantial Weaknesses in Government Systems
The Task Force Report also highlights many weaknesses in federal government security practices. The Report is only the most recent description of the wide range of security flaws in governmental information systems (the GAO has a disturbingly long set of reports cataloguing the failures of virtually every major federal agency). These practices are even weaker at many state and local levels. Moreover, recent cases involving state Freedom of Information Acts demonstrate that, even where security practices are appropriate, the rules for government entities are such that information provided to government entities may be made available to unintended recipients through routine "open government" information requests.
These concerns should motivate private companies to be wary of government information requests, and to be cognizant of these risks when providing information to governmental entities. Recognizing that there may be times when companies have no choice, companies should always review whether information must be provided, including, in all instances, whether there are means of reducing the private information provided or otherwise encouraging additional protections for personal information about private customers and employees.
Recognize Non-Credit Aspects of Identity Theft and Other Security Harms
Last, businesses must begin to consider the range of identity theft concerns that extend beyond simple credit risks. Obviously, credit risks are significant and extensive. But, as the Report and other recent studies make clear, credit risks are not the only concerns with identity theft. The World Privacy Forum, for example, recently published a ground-breaking study (available at www.worldprivacyforum.org/medicalidentitytheft.html) on the risks of medical identity theft. In addition, the Federal Trade Commission's report "Take Charge: Fighting Back Against Identity Theft" (available at www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.htm) identifies the following "specific problems" that can occur in connection with identity theft:
- Bank Accounts and Fraudulent Withdrawals
- Bankruptcy Fraud
- Credit Cards
- Criminal Violations
- Debt Collectors
- Driver's License
- Investment Fraud
- Mail Theft
- Passport Fraud
- Phone Fraud
- Social Security Number Misuse
- Student Loans
- Tax Fraud
The FTC report discusses each of these areas, and describes specific means of responding to each kind of injury.
Identity theft remains a substantial problem in this country and around the world. The Task Force Report identifies an aggressive effort that is needed to attack this problem, along with the recognition that there is a long way to go. This Report highlights for businesses the key areas of risk and some of the most important steps that companies can take to play their part in limiting this problem. Companies cannot view this issue as someone else's problem. It is time for companies to play their own part in attacking the problem of identity theft.