Documents Session 328 Powerpoint Presentation

1
Identity Fraud This Crime Is Changing Your
Job Session 328 Nevin Maffett Application
Outfitters, Inc.
2
Agenda

• Overview
• How Does It Happen
• Historical Perspective
• National Response
• Privacy Crisis
• Protecting Yourself
• Impact on Employers
• Taking Action

3
Overview

• What Is Identity Theft?
• Fastest Growing Crime in US
• High-Profit, Low-Risk, Low-Penalty Crime
• A Dual-Victim Crime
• An Invasive Crime with Substantial, Long-Lasting,
  Emotional Impact
• Exists in Vacuum b/w the eXplosion US
  Piecemeal Approach to Privacy

4
Overview

• Three General Types
• Financial Identity Theft
• Imposter Establishes New Credit
• Enabler Personal Id Info, Particularly SSN
• Criminal Identity Theft
• Criminal Poses as Someone Else
• Provides Personal Info of Someone Else
• Identity Cloning
• Imposter Establishes New Life
• Imposter Lives and Works as You

5
Overview

• Most Common Types of Fraud Committed Via Identity
  Theft
• Credit Card Fraud
• More than Half of Victims Reported This
• Bank Fraud
• Unauthorized Checking/ Savings Account Activity
• Communications Services
• ¼ of Victims New Service Opened in Their Name
• Fraudulent Loans
• Thief Uses Your Identity

6
Overview

• A Few Statistics
• Victim Liability Limit 50/ Credit Card
• Average Victim Spends 175 Hours and 1,100
  Out-of-Pocket Responding
• Various Estimates of Between 500,000 1.1
  Million Cases of ID Theft in 2001
• Avg. Time to Discovery 15 Months
• Law Enforcement 100 500 Hrs/Case
• Criminal Profit Est. at 18,000/Case

7
Overview

• From FTCs Consumer Sentinel
• ID Theft Complaints
• CY 2000 31,117 22 of Total
• CY 2001 86,198 39
• CY 2002 161,819 43
• Victims per 100,000 Population in 2002
• Worst 5 DC (123.1), California (90.7), Arizona
  (88.0), Nevada (85.6), Texas (68.9)
• Best 5 N Dakota (12.6), S Dakota (16.4), Vermont
  (17.6), Iowa (18.9), West Va. (19.9)

8
How Does It Happen

• Root Problem is Authentication
• Three Ways to Authenticate Oneself
• Something You Know
• PIN, Password, etc.
• Something You Have
• Credit Card, ATM Card, ID Card at Work, etc.
• Something You Are
• Handwriting, Fingerprint, DNA, etc.

9
How Does It Happen

• Key is the Numbers that Identify Us
• They Are Everywhere. . .
• Bank Statements Utility Bills
• Credit Card Stmts ID Cards
• Personal Checks Pay Advice/Check
• Empl Application School Records
• Drivers License Real Estate Trans
• Court Documents Loan Apps
• Product Reg Cards Tax Forms
• Insurances (Med, Auto, Homeowners, etc.)

10
How Does It Happen

• SSN is Big(gest?) Problem
• Reality SSN is Required Used as Identifier
  in Many Places Many Ways
• Myth is that SSN is Private
• Presumed to be Valid Way to Authenticate
• Only that Person Would Know It, Right?
• We Are Generally a Trusting Society . . .
• Space Between Reality and Myth
• Opportunity for Abuse, Fraud, ID Theft

11
How Does It Happen

• One Thing Leads To Another. . . .
• Perhaps You Get Careless
• Throw Something in the Trash Misplace a Check or
  Credit Card, or Receipt
• Youre Too Nice
• If Somebody Asks for Info They Have A Good
  Reason, Right?
• You Are Targeted
• Thief Steals Wallet/Purse Takes Your Mail Opens
  Acct in Your Name False ID

12
Historical Perspective

• The Term
• Appears to have Emerged in mid 90s
• Prior to that, These Crimes Classified as
  Fraud, Wallet Stolen, etc.
• In The Beginning. . . .
• 1935 Social Security Act
• Govt Attempt to Create Old-Age Pension
• Byproduct A Unique Record ID, The SSN
• Original Intention SSN For Use Only by Social
  Security Administration

13
Historical Perspective

• Whats In That Box? Lets Open It!
• 1943 SSN Authorized as Primary Key in Other
  Federal Databases
• Ooh, Shouldnt Have Done That . . .
• 1974 Privacy Act Cessation of SSN Use by
  Agencies, (Except SSA), But
• Legitimate Use of SSN as Primary Keys by All
  Fed Agencies Using it Before 1/1/75
• Required Privacy Act Disclosure Notice

14
Historical Perspective

• Tax Reform Always Makes Things Better!
• 1976 Tax Reform Act Authorizes Use of SSN by
  State and Local Revenue Offices, Licensing
  Agencies, etc. . .
• Results in Substantially Increased Usage of SSN
  by Fed, State, Local Govt Agencies
• Widespread Use in Govt Makes it a Popular Choice
  in Business Industry
• SSN Now Begins to Take on Character of a Personal
  Identifier for Public Use

15
National Response

• States
• 1996 Arizona Passes First Identity Theft Law
• 2003 DC Still Has No ID Theft Law
• California is Leading The Way
• May, 2000 37 States Had ID Theft Laws
• End of 2002 Only CO, DC, and VT w/o Specific
  Identity Theft Laws (Source FTC)
• Some States Revisiting Existing Laws
• Increasing Penalties
• Revising Definition of Criminal Activity

16
National Response

• Federal
• Fair Credit Billing Act (1986)
• Limits Consumer Liability for Fraudulent Charges
• Fair Credit Reporting Act (1996)
• Establishes Procedures for Correcting Errors
• Record Can Only be Provided for Legitimate
  Business Needs
• Identity Theft Assumption Deterrence Act
  (1998)
• A Federal Crime to Transfer or Use, w/o Lawful
  Authority, Means of Identification of Another

17
National Response

• Federal (contd)
• Gramm-Leach-Bliley Financial Mod Act (1999)
• Original Focus Restructuring Financial Industry
• Amended to Include Privacy Aspects
• Some Limits Placed on How Institutions Disclose
  Nonpublic Personal Information About a Customer
• Provision for Consumers to Opt-Out of Having
  Their Information Shared
• Notices Written at 2nd Year College Level Bill
  Provision is Clear and Concise Language
• Sharing Can Still Occur Over Your Objections

18
National Response

• Federal (contd)
• November 2001 Supreme Court Ruling
• At Issue The 2-year Statute of Limitations Under
  the Fair Credit Reporting Act
• Ruling Period Begins When the Alleged Wrongful
  Disclosure Occurred, not When Discovered
• Protection of SSN (NOT!)
• No Fed Law Limiting Disclosure In Private Sector
• Business Can Request It
• Youre Not Required to Provide It, However . . .
• If You Dont, Business Can Legally Refuse to
  Provide You Service

19
National Response

• Federal (contd)
• Relevant Bills Introduced in 2002
• US House of Representatives (www.house.gov)
• HR5588, ID Theft
• HR5474, GLB ID Theft
• HR5215, Privacy in Stat Data
• HR4678, Consumer Privacy
• HR4561, Privacy in Rule Making
• HR4513, Social Security Privacy
• US Senate (www.senate.gov)
• S3067, Government Information Security Reform
• S3064, Health Privacy Opt-In
• S2629, Privacy Policies of Fed Agencies
• S2201, Online Privacy

20
National Response

• Federal (contd)
• Relevant Bills Introduced in 2003
• 14 Different Bills Introduced in House or Senate
  as of April 9th Some Examples
• HR 338 Defense of Privacy Act
• HR 781 Privacy Protection Clarification Act
• HR 122 Wireless Telephone Spam Protection Act
• HR 69 Online Privacy Protection Act
• S 188 Data Mining Moratorium Act
• HR 220 Identity Theft Prevention Act
• S 745 Privacy Act
• S 228 SSN Misuse Prevention Act
• S 223 Identity Theft Prevention Act

21
National Response

• Is the Tide Turning??
• Fair Credit Reporting Act
• Preemption Provision Expires 1/1/04
• If Sustained, States Could Require Financial
  Institutions to Obtain Customer Approval
  (Opt-In)
• Sen. Shelby, R-AL, Chair of Banking Committee
  Appears to be Leaning Toward Opt-In Position
• Financial Services Industry Now More Interested
  in Stronger National Privacy Standards
• HR 70, Proposes Establishment of Opt-In Basis
• HR 220, Proposes Dramatic SSN Changes
• Some States Already Have Opt-In Rules

22
Privacy Crisis

• What is Privacy
• The Right to be Left Alone the Most
  Comprehensive of Rights and the Right Most Valued
  by a Free People
• Justice Louis Brandeis, Olmstead v. U.S.
  (1928)
• Your Privacy is Under Attack
• Commercial Exploitation
• Employer Negligence
• Governmental Inaction
• Individuals . . . Thieves, Terrorists, etc.

23
Privacy Crisis

• Information Awareness Office (DARPA)
• Key Initiative Total Information Awareness
• Stated Purpose to deter terrorism
• Based on assumption that terrorists must take
  certain actions
• Integrated database of people their actions
• Major Pushback from ACLU, EPIC, others
• Through 12/4/02 26 Awards for Work on TIA
• Feb, 2003 Congress Suspends Funding of Project
  Pending Report From DARPA
• 5/20/03 DARPA Report Delivered
• New Name Terrorism Information Awareness
• Congress Prohibits Application to US Citizens

24
Privacy Crisis

• No Controls Over SSN Use
• No Integrated National Policy
• Electronic Records Can be Easily Stolen
• Individual Must Take Action to Prevent Sharing of
  NPI
• Individuals Not Aware
• Confused About Rights, Obligations, etc.
• Do Not Understand Risks
• Dont Have Time to Figure it all Out
• Info Continues to be Collected, Shared, etc., w/o
  Regard for Accuracy/Impact

25
Privacy Crisis

• Profiling. . .
• The Product is You (Adbusters Media Foundation)
• Recording Classification of Behaviors
• Occurs Through Data Aggregation from Everywhere,
  Everything You Do
• Has Created the Customer Relations Management
  (CRM) Industry and Personalization

26
Privacy Crisis

• Personalization is Very Personal
• SSN Size of Clothes Worn Shopping Preferences
• Habits (Smoking) Health Information Arrest
  Records
• Marital Status Lifestyle Preferences Hobbies
  (Collections)
• Religion Homeownership Date of Birth
• Sex Age Household Income
• Race and Ethnicity Geography Physical
  Characteristics
• Household Occupants Telephone Number Magazine
  Subscriptions
• Occupation Level of Education Contributions
• Club Memberships Mail Order Purchases Pet
  Ownership and Type
• Interests (Gambling, Arts, Antiques, Astrology)
• Whether You Are Likely To Respond to Money
  Making Opportunities
• Characteristics of Automobile (year, make, value,
  fuel type, vanity tags)
• Financial Situation (solvency, creditworthiness,
  loan amounts, credit cards)

27
Privacy Crisis

• Medical Profiling We Know That Too
• Allergy Nasal Allergies Wheat Alzheimers
• Arthritis Asthma Athletes Foot
• Breast Cancer Bronchitis Cancer
• Celiac Sprue Chewing/Swallowing Dif Chronic
  Back Pain
• Clinical Depression Colon Cancer Constipation
• Contact Lenses Crohns Disease Dandruff
• Dentures Diabetes (all, Type 1, 2) Dry/Flaky
  Skin
• Eczema Emphysema Epilepsy
• Freq Chapped Lips Frequent Cold Sores Frequent
  Flu
• . . . . . . . . . . . . . . . . . . . . . . . . .
  . . . . . . . . . . . . . . . . . . . . . . . . .
  . . . . . . . . . . . . . . . . . . . . . . . . .
  . . . . . .
• Parkinsons Disease Prostate Cancer Psoriasis
• Rheumatoid Arthritis Rosacea Sensitive Teeth
• Shingles Spinal Cord Injury Ulcerative Colitis
• Ulcers Use Wheelchair Yeast Infection

28
Protecting Yourself

• Manage Your Risk
• Risk Management Taking Charge of the Things Over
  Which You Have Control
• Start. . . . .
• Understanding Your Risks
• Reviewing Your Credit Report Every 6 Months
• Shredding Every Credit Application, Every Piece
  of Paper That Has Any NPI
• Being Aware of Who You Give NPI To. . And Why
• Supporting Stronger Privacy Legislation
• Looking at Those Receipts
• OPTing Out

29
Protecting Yourself

• Manage Your Risk (contd)
• Stop. . . .
• Giving Out Your SSN w/o Asking Questions
• Printing NPI On Your Personal Checks
• Putting NPI on Product Registration Cards
• Participating in Shopper Loyalty Clubs
• Leaving Paid Bills in an Unsecured Mailbox
• Answering Questions When Youre Not Completely
  Sure Why Youre Being Asked
• Being Nice
• Trusting The System Nobody Cares About
  Protecting Your NPI, Except You

30
Protecting Yourself

• Be Aware, Be Vigilant . . . Examples
• Free Credit Report emails Most are Scams
• Account Verification emails purportedly
  describing a problem resulting in loss of data,
  need you to re-send SCAM
• FTC Investigation Uncovered Bogus FTC
  Investigator Who Sent Emails Asking for NPI to
  Assist in Investigation SCAM
• Bogus Hospital Employees Needing to Fill in
  Blanks on Your Record SCAM
• When In Doubt, Dont!!!

31
Impact on Employers

• Newest Trend in ID Theft
• To Be More Efficient!
• Why Steal One Identity When You Can Have
  Hundreds, or Even Thousands?
• Theft of NPI From the Workplace
• Now 1 Source for Credit Fraud ID Theft
• State of CA 262,000 Records
• TriWest HealthCare 562,000 Records
• Lawsuit Has Already Been Filed Charging Negligence

32
Impact on Employers

• Be Aware Changing Environment
• Employer Records are Prime Target Risk of Theft
  Increasing Substantially
• Employer Liability Due to Negligence is
  Increasing w/Focus on ID Theft
• Legislation Impacting Employers
• Need to Monitor Fed State Developments
• EU Privacy Directive, HIPAA, etc.
• Must be Proactive Periodically Review
  Policies/Procedures

33
Impact on Employers

• Records Management is Critical
• Judicial/Societal Expectations
• Employer Will Exercise Due Diligence
• Records Mgmt Policies, Procedures
• Design of Records Mgmt System
• Validating Identity of Individuals with Access to
  Records
• Temporary Workers Major Risk Factor
• Periodic Review/Audit of Policies, Practices,
  Procedures

34
Impact on Employers

• FTC Position
• It is not enough to make promises about
  protecting personal information and then just
  hope that nothing bad happens, or if it does,
  that nobody finds out (Howard Beales, Dir of
  FTCs Bureau of Consumer Protection)
• Employers Expected to Take Affirmative Action to
  Appropriately Protect Personal Information

35
Impact on Employers

• Some Suggested Actions
• Remove SSN from all Employee ID, Badges,
  Timecards, etc.
• Halt Use of SSN as Employee Identifier
• Never Ask for SSN Prior to Hire
• Audit Trails to Document Who Has Reviewed
  Employment Data
• Shred/Securely Destroy Documents Containing
  Employee Data
• Conduct Background Checks on Employees
• Closely and Carefully Monitor Temp Employees
• Implement Training Program for all Who Have
  Physical or Electronic Access to Employee Data
• Provide Employees with Yearly Credit Check as an
  Employee Benefit Helps Spot a Records Compromise
• Provide Employees w/Education on How to Protect
  Themselves
• Implement Strong Program of 3rd Party
  Audits/Reviews of Policies, Procedures,
  Practices, System Security

36
Impact on Employers

• Trend Increasing Employer Liability
• A Few Examples
• Washington State June 13, 2002
• Employer Liability for failing to take all
  reasonable precautions in destroying records
• GLB Safeguards Rule May 23, 2003
• Employer must implement various safeguards for
  protecting NPI FTC Oversight
• California Bill 1368 July 1, 2003
• Companies Required to Notify Individuals When
  Records Containing NPI are Compromised
• HIPAA Security Rule April 21, 2005
• Safeguards Issues HHS Oversight

37
Taking Action

• Check Your Credit Reports
• Equifax 888-397-3742 www.experian.com
• Experian 800-685-1111 www.equifax.com
• TransUnion 800-888-4213 transunion.com
• Check Your Medical History Info
• Medical Info Bureau 617/426-3660 www.mib.com
• Use Gramm-Leach-Bliley Act Opt-Out
• www.privacyrightsnow.com provides sample letters
  and procedures

38
Taking Action

• Halt Pre-Approved Credit Offers
• One Call Does It 888-5OPTOUT
• Junk the Junk Mail
• Write to Mail Preference Service, PO Box 643,
  Carmel, NY 10512
• Pay 5 online www.dmaconsumers.org
• Avoid Sweepstakes Other Contests
• Reduces Number of Lists That Include You
• If It Seems Too Good To Be True, Then Its a SCAM

39
Taking Action

• Reduce Risk from Telemarketing
• Telephone Preference Service, PO Box 1559,
  Carmel, NY 10512
• Pay 5 online www.dmaconsumers.org
• Leverage FTC Resources Implementing Brand New
  National Do Not Call List www.ftc.gov for
  Information
• Practice Safe Interneting
• http not secure
• https secure (at least more secure. . . .)
• Look for Trusted Security Designators (VeriSign,
  etc.)

40
Taking Action

• Check Your Driving Record
• State Sites Listed at www.aamva.org/links Read
  Fine Print on Applications/Forms
• Your Identity is Worth 3 Minutes. . . .
• Handle Loyalty Clubs Differently
• Protect and Keep Private Your SSN
• Review Your SSA Stmt of Benefits
• Consider Placing a Pre-Emptive Fraud Alert on
  Your Credit Record

41
If It Happens To You. . .

• Contact Fraud Depts of Credit Bureaus
• Request Free Credit Report From Each
• Place Fraud Alert On Your Record
• Review Credit Reports
• Contact Creditors of Compromised Accounts
• Close These Accounts
• File Report
• With Local Police, or Police Where Theft Occurred
• Get Copy of Report to Support Claim of Theft
• FTCs ID Theft Clearinghouse 877-438-4338
• Complete ID Theft Affidavit (From FTC)

42
If It Happens To You. . .

• Some Other Valuable Resources
• ID Theft Info
• www.ftc.gov FTC Site
• www.consumer.gov/idtheft Fed Govt Central ID
  Theft Site
• www.idtheftcenter.org General Info and Resources
• www.fightidentitytheft.com General Info and
  Resources
• www.stolenidentity.com General Info and
  Resources
• www.callforaction.org General Info and Resources
• Privacy Issues and Awareness
• www.privacyrights.org Privacy Advocacy Group
• www.epic.org Electronic Privacy Info Center
• Your Representatives
• www.house.gov US House of Representatives
• www.senate.gov US Senate
• www.ncsl.org Council of State Legislatures

43
Information Sources

• VG 3 Testimony Provided by Linda Foley,
  Executive Director, Identity Theft Resource
  Center, to U.S. Senate Judiciary Subcommittee on
  Technology, Terrorism, and Government
  Information, March 20, 2002
• VG 5 Source FTCs Identity Theft Clearinghouse
• VG 6 Statistics Excerpted from various Federal
  Trade Commission and Privacy Rights Clearinghouse
  Documents
• VGs 12 14 SSN Historical Perspective Points
  Excerpted From Social Security Numbers, Identity
  Theft, and The Web, by Hal Berghel, Professor
  and Chair of the Department of Computer Science
  at the University of Nevada at Las Vegas article
  at www.acm.org
• VGs 26, 27 Electronic Privacy Information
  Center www.epic.org/privacy/profiling
• VG 30 Identity Theft Resource Centers Scam
  Alert, www.idtheftcenter.org and FTCs ID Theft
  site www.consumer.gov/idtheft
• VG 32 Adapted From Victims Assistance of
  Americas Employer Checklist
  ww.victimsassistanceofamerica.org
• VGs 37 40 List Adapted From Privacy Survival
  Guide, Privacy Rights Clearinghouse
  ww.privacyrights.org/fs/fs1-surv.htm
• VG 41 Adapted From Source Adapted From FTC web
  site www.consumer.gov/idtheft/victim.htm

44
IHRIM Needs Your Feedback!Please complete a
session evaluation for

Session 328 Identity Fraud, This Crime Is
Changing Your Job Nevin Maffett nevin.maffett_at_ap
poutfit.com 410/684-3700 THANK YOU!