Identity Theft - PowerPoint PPT Presentation



1
Identity Theft
  • Carol Romej
  • May 24, 2005
  • Butzel Long

2
How ID Theft Occurs
  • Employees steal your ID information from the
    files of their Employers
  • Bribing Employees who have access to ID
    information
  • Dumpster Diving
  • Skimming
  • Stealing mail (change of address)
  • Steal ID information from your home

3
What Happens?
  • Spending sprees with your current credit cards
  • Spending sprees with new credit cards opened with
    your ID
  • Establish new loans with your ID, or cell service
  • Open a bank account with your ID and write bad
    checks on the account

4
The Identity Theft Protection Act
  • Effective March 1, 2005
  • Prohibitions on the use of Personal Identifying
    Information
  • PII: name, phone no., driver license no., social
    security no., passport no., mother's maiden
    name.
  • Prohibits using or attempting to use PII for
    credit, goods, services, employment

5
SSN Privacy Act
  • An act to establish the Social Security Number
    Privacy Act in the state of Michigan.
  • Effective March 1, 2005
  • Restricts use of SSN for:
    - Employees
    - Students
    - Other Individuals

6
The Identity Theft Resource Center
  • ITRC: Nonprofit program dedicated to identity
    theft
  • Supports and advises victims, legislators,
    governmental agencies and law enforcement
  • www.idtheftcenter.org
  • 2004 Crime Victims Service Award from the US Dept
    of Justice

7
The Organization's Responsibilities
  • Information Acquisition
  • Storage
  • Access
  • Disposal
  • Distribution
  • Personnel

8
Federal Trade Commission
  • SPAM
  • ID THEFT
  • Pretexting
  • Credit Reporting
  • Gramm-Leach-Bliley
  • Privacy

9
Online Consumers: FTC Enforcement
  • Privacy Statements
  • Terms of Use

10
Petco Animal Supplies, Inc.
  • Privacy Statement: "At PETCO.COM our customers'
    data is strictly protected against any
    unauthorized access. PETCO.COM also provides a
    100% Safeguard Your Shopping Experience
    Guarantee so you never have to worry about the
    safety of your credit card information."

11
PETCO.COM
  • Payment statements: "Entering your credit card
    number via our secure server is completely safe.
    The server encrypts all of your information; no
    one except you can access it. At PETCO.COM,
    protecting your information is our number one
    priority, and your personal data is strictly
    shielded from unauthorized access."

12
SQL Injection Attack
  • Such an attack occurs when an attacker enters
    certain characters in the address (or URL) bar of
    a standard web browser to direct an application
    to obtain information from a database that
    supports or connects to a website. By such an
    attack, respondent's application can be accessed
    in clear readable text.

13
FTC: A failure to implement reasonable and appropriate measures to protect personal information
  • Failed to detect reasonably foreseeable
    application vulnerabilities
  • Failed to prevent web site visitors from
    exploiting such vulnerabilities and obtaining
    unauthorized access to sensitive consumer
    information.

14
Violation of Sec. 5(a) FTC
  • The representation in the Privacy Statement was
    false and misleading: personal data was NOT
    encrypted
  • The representation, expressly or by implication,
    represented that Petco implemented reasonable and
    appropriate measures to protect against
    unauthorized access to personal consumer
    information
  • Petco's website has been vulnerable to commonly
    known or reasonably foreseeable attacks from
    third parties attempting to gain access

15
FTC Order
  • Petco shall not misrepresent in any manner,
    expressly or by implication, the extent to which
    respondent maintains and protects the privacy,
    confidentiality, security, or integrity of any
    personal information collected from or about
    consumers.

16
FTC Order
  • Petco shall maintain a comprehensive information
    security program that is reasonably designed to
    protect the security, confidentiality, and
    integrity of personal information collected from
    or about consumers.

17
Security Program
  • Documented in Writing
  • Address Administrative, Technical and Physical
    Safeguards
  • Designate an Employee to be Accountable for the
    Security Program
  • Implement a Risk Assessment

18
Assessment
  • By objective independent third party
  • Who reports on the specific administrative,
    technical and physical safeguards that Petco has
    implemented, and how they meet or exceed this
    order
  • Third-party assessment shall be prepared by a
    qualified person: CISSP, CISA, GIAC, or such
    person approved by the FTC

19
HIPAA: The Privacy Rule

20
Covered Entities
  • Health Care Providers
  • Doctors
  • Clinics
  • Hospitals
  • Health Care Clearinghouses

21
Covered Entities
  • Health Plans
  • HMOs
  • Insurance Companies
  • Employer-sponsored group health plans

22
Types of Group Health Plans
  • Medical
  • Dental
  • Vision
  • Prescription Drug
  • FSAs
  • EAPs that provide health care

23
Protected Health Information
  • PHI is individually identifiable information,
    transmitted or maintained in any form or medium,
    that relates to past, present, or future
    physical or mental condition, provision of
    health care, or payment for health care

24
Penalties
  • Civil: $100 per violation, up to $25,000 per
    standard per year
  • Criminal: Fines up to $250,000 and 10 years
    imprisonment

25
Identity Theft Case
  • Medical Technician at Seattle Cancer Care
    Alliance used his access to patient records
    (name, date of birth, social security) to obtain
    four credit cards in their names

26
DOJ HIPAA Violation
  • R. Gibson: the first person in the U.S. to be
    sentenced for the wrongful disclosure of PHI
    under HIPAA's Privacy Rule

27
Organization Exposure
  • The Privacy Rule's enforcement provision has been
    expanded. TAKE NOTE!
  • An extension to Employees could also include
    Business Associates in the future
  • Exposure to the Covered Entity could increase if
    the CE knew or should have known of the improper
    acts

28
Resources and References
  • www.consumer.gov/idtheft
  • 1-877-IDTHEFT
  • File No. 0323221, Petco
  • www.idtheftcenter.org
  • www.hhs.gov/ocr/hipaa

29
Identity Theft
  • Carol Romej
  • May 24, 2005
  • Butzel Long