U.S. Dept of Justice Identity Theft Task Force Recommendations: Possible Models for All Organizations?

Today the U.S. DoJ announced in a speech their interim identity theft task force recommendations.  The final recommendations will be submitted to President Bush in November.  They also provided a press release about the interim task force recommendations.  But before showing a copy of the press release, a few thoughts about the guidelines…

I look forward to seeing the data breach guidance the task force creates.  Most organizations have very weak, if any, breach response plans, so this could potentially be a good model for them.  True, it will be guidance written specifically for government agencies, but there should be many guidelines applicable to any organization; no use re-inventing the wheel.

I really like the idea of creating a universal police report!  The challenge will be implementing this report throughout the U.S.  State, county and city-level government agencies, particularly law enforcement, are notoriously disjointed from all other law enforcement agencies.  I want to see the report they come up with!  I hope they do a privacy impact assessment (PIA) on their implementation plans before putting it into use…you don’t want this type of personally identifiable information (PII) getting into the wrong hands because the system was created poorly and/or with insufficient controls.  It would be horrible for the victims of identity theft to become victims again because of the mishandling of the identity theft report.

Restitution for victims’ lost time could be a very good motivator for organizations to create strong safeguards for their PII.  It will be interesting to see what ways they create to determine the restitution…what forms victims must fill out, how much they determine a victim’s time is worth per hour, etc.

Limiting use of SSNs…what a great idea…whose time has finally come??  Well, we shall see.  Hopefully they CAN take some positive steps forward with this initiative; anything is better than doing nothing, or worse, doing even more with SSNs as identifiers.

Authenticating individuals’ identities is so important; not only for the government, but for all organizations.  And most organizations struggle with how to do this efficiently, effectively and without the use of SSNs.  Perhaps this can be another area where the proposed and final solutions of the task force can also be used by any type of organization.

Improving the security of information within the government…always a great idea!  I look forward to seeing what they come up with as the “top 10 or 20 “mistakes” to avoid in order to protect government information.”

Improving the ability to respond to breaches; probably all organizations need to do this.  Definitely in some of the high profile government agencies that have had widely publicized incidents.

They are all great ideas, and it will be interesting to see the final recommendations in November.  The real test will be to see if there is any actual implementation or action taken after the final recommendations are issued.  Will these be mandatory, through some new or amended law, for all government agencies?  Will an oversight agency be chosen that will actually make sure the agencies are implementing the directives?  If not, the recommendations will turn out to be a good hill of bean ideas never sown or cultivated.  With proper cultivation and harvesting, however, these could turn out to be cash crop actions that actually make a dent in the misuse and subsequent crime committed with PII.

Okay…yes…it’s getting to be harvest time in the midwest…:)

Now here’s the press release:

“WASHINGTON – The President’s Identity Theft Task Force has adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft, Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras announced today. The Identity Theft Task Force, which was established by Executive Order of the President on May 10, 2006, and is now comprised of 17 federal agencies and departments, will deliver a final strategic plan to the President in November.

The interim recommendations of the Identity Theft Task Force were announced following a meeting of the Task Force today at the Justice Department.

“As with any crime, victims of identity theft suffer feelings of violation and stress, but in these cases, victims have the added burden of cleaning up the mess that the identity thieves leave behind,” said Attorney General Gonzales. “The President created the Identity Theft Task Force to oversee the implementation of real and practical solutions at the federal level to defeat this ongoing intrusion into the lives of law-abiding Americans. Today’s recommendations move that process forward.”

“Conquering identity theft demands that we work as a team to develop tools that strengthen law enforcement, practices that enhance data security, and programs that help consumers in prevention and recovery,” said FTC Chairman Majoras. “Through these initiatives, we are taking solid steps toward eradicating this persistent consumer problem.”

The Identity Theft Task Force’s interim recommendations to the Administration include the following:

Data Breach Guidance to Agencies-

In light of several, large data breaches suffered in recent months by government agencies, the Task Force recommends that the Office of Management and Budget (OMB) issue to all federal agencies a Task Force memorandum, which covers the factors that should govern whether and how to give notice to affected individuals in the event of a government agency data breach, and the factors that should be considered in deciding whether to offer services such as free credit monitoring. Such guidance is the first comprehensive road map of the steps that agencies should take to respond to a breach and to mitigate the risk of identity theft.

Development of Universal Police Report for Identity Theft Victims-

To ensure that identity theft victims have easy access to police reports documenting the misuse of their personal information – which are necessary in order for the victims to, for example, request that fraudulent information on their credit report be blocked, or to obtain a seven-year fraud alert on their credit file – the Task Force recommends the development of a “universal police report” that an identity theft victim can complete online, print and take to a local law enforcement agency for verification and incorporation into the police department’s report system. The use of universal police reports will also ensure that identity theft complaints will flow into the FTC’s ID Theft Data Clearinghouse, and thereby will assist law enforcement officers in responding to such complaints.

Extending Restitution for Victims of Identity Theft-

To allow identity theft victims to recover for the value of the time that they spend attempting to make themselves whole – for example, the hours spent disputing fraudulent accounts with creditors that may be compromised or spent correcting credit reports – the Task Force recommends that Congress amend the criminal restitution statutes, 18 U.S.C. 3663(b) and 3663A(b), to require that defendants pay identity theft victims for the value of their lost time.

Reducing Access of Identity Thieves to Social Security Numbers-

In order to limit the unnecessary use in the public sector of Social Security Numbers (SSNs) – which are the most valuable pieces of consumer information for identity thieves – the Task Force recommends the following:

* The Office of Personnel Management (OPM) should accelerate its review of the use of SSNs, and take steps to eliminate, restrict or conceal their use, including assignment of employee identification numbers where practicable.

* OPM should develop and issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of an employee’s SSN in employee records, including the appropriate way to restrict, conceal and/or mask SSNs in employee records and human resource management information systems.

* OMB should require all federal agencies to review their use of SSNs to determine where such use can be eliminated, restricted or concealed in agency business processes, systems and paper and electronic forms.

Developing Alternative Methods of “Authenticating” Identities-

Developing reliable methods of authenticating the identities of individuals, such as “biometrics,” would make it more difficult for identity thieves to misuse existing accounts or open new accounts using other individuals’ information. The Task Force recommends that agencies gather together academics, industry experts and entrepreneurs who are exploring ways to encourage greater development and use of authentication systems, and hold a workshop or workshops focused on developing and promoting improved means of authenticating the identities of individuals.

Improving Data Security in the Government-

To ensure that government agencies improve their data security programs, the Task Force recommends that OMB and the Department of Homeland Security (DHS), through the interagency effort already underway to identify ways to strengthen the ability of all agencies to identify and defend against threats, correct vulnerabilities, and manage risks: (a) outline best practices in the areas of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the top 10 or 20 “mistakes” to avoid in order to protect government information.

Improving Agencies’ Ability to Respond to Data Breaches in the Government-

In order to allow agencies to quickly respond to any data breaches, including by sharing information about those who may be affected with other agencies and entities that can assist in the response to the breach, all federal agencies should publish a “routine use” for their systems of records under the Privacy Act that would allow for the disclosure of such information in the course of responding to a breach of federal data.

Anyone wishing to ask a question about identity theft or to report identity theft may call 1-877-ID-THEFT, or visit the FTC’s Web site, http://www.ftc.gov/idtheft, or the Department of Justice’s Web site, http://www.justice.gov/criminal/fraud/websites/idtheft.html.” 
