The Privacy Symposium – Summer 2007 Identity Theft Resource Center Linda Foley, Founder Presents: Privacy and Identity Theft Case Study © Aug 2007


The Privacy Symposium – Summer 2007

Identity Theft Resource Center

Linda Foley, Founder

Presents:

Privacy and Identity Theft Case Study

© Aug 2007


Identity Theft Defined

Identity theft occurs when an imposter gains access to personal identifying information and uses it for:

Credit and loans
New accounts, check fraud
Jobs, employment, contracts
Tenancy and mortgages
Avoidance of arrest and criminal records


Identity Theft National Impact

New identity theft cases range between 9 and 15 million cases per year, depending upon the information source
New cases occur every 3.5 or 2.1 seconds, take your pick!
Affects the national economy, as fraud loss is either absorbed by the company or passed along to the consumers or taxpayers, thus having a socio-economic impact
Consumer confidence is shaken by data breaches and identity theft
Identity theft ranks as one of the top 5 fears among consumers
Identity theft is a matter of national security

Who benefits from this situation?


Business and Privacy

The cost to business for data breaches and identity theft continues to rise at an ever increasing rate
Old formula: Cost of fraud loss write-off vs. remediation
New formula: Cost of fraud loss write-off vs. direct incremental costs, lost productivity, customer confidence, lost customers, negative publicity, fines, lawsuits, cy pres awards, investigation and victim remediation*
Largest breach cost is customer turnover; the cost to brand and corporate reputation can be the most long lasting effect
When the pain of the situation is greater than the pain of the solution, we will change

It’s Time to Change!

*Ponemon Institute


Business and Privacy

ITRC Breach Data as of 7/10/07: 193 breaches affecting 87,941,305 individual records
– Financial Institutions: ~7% of breaches and ~11% of total records
– Business: ~20% of breaches and ~79% of total records
– Education: ~31% of breaches and only ~1% of records
– Government: ~26% of breaches and ~6% of records
– Medical/Healthcare: 15% of breaches and ~4% of records

Financial institutions and Medical/Healthcare have a relatively small percentage of breaches and records exposed, despite handling a high volume of records


Business and Privacy

Financial and Medical institutions appear to have had better data protection over the past several years
– Myriad compliance requirements and regulations to ensure that they protect consumer financial information
– Security and confidentiality of customer information is mandated
– Audits for security and confidentiality are continuous and ongoing

Business, Government, and Education appear to have increasing problems with data exposure
– Increasing media and public awareness of the possible impact of breaches leading to identity theft
– Relationship between breaches and identity theft is not completely identified, but consumers perceive a strong connection between the two

Is Regulation the only answer?


Victim Impact

The ITRC has spent years studying and assessing identity theft and its impact on victims. Through its own studies and victim assistance, the ITRC has realized that identity theft not only has a financial effect on its victims, it also has an emotional impact that may last for years.


Areas of Impact on Victim

Financial
– Loss of employment and tenancy
– Inability to gain employment, tenancy or mortgages
– Inability to obtain credit, loans (including financial aid)

Emotional and Psychological
– Ranging from anger and distress to severe clinical depression
– Stress on marriage and family
– Exacerbate existing medical conditions

Inability to pursue life goals or career
– Furthering of educational aspirations
– Furthering your career aspirations
– Achieving personal dreams


Case Study – Actual Victim

The victim’s employee information was exposed by her employer by not practicing safe information handling – folders left out on the desk, picked up by another employee
The employee file included all of the victim’s personal identifying information (PII)
The information was used to bring an illegal immigrant into the United States


Case Study – Details

On-going use of information by her impostor to: obtain 43 lines of credit (more than $200,000), commit criminal acts, gain employment, receive welfare, receive fraudulent IRS tax returns, as well as get married and have children using the victim’s identity
This case was multi-jurisdictional, causing law enforcement not to investigate due to difficulty and cost of investigation
The end result: this victim had to change her name, social security number and all of her personal information.
To this day, more than 12 years later, the impostor continues to use victim’s information.


Case Study - Negative Business Response

Failure to authenticate and verify identity of applicant
Failure to follow fraud alerts and consumer statements by numerous businesses and retailers
Failure to clear fraudulent accounts and/or provide letters of clearance causing many fraudulent accounts to go to collection
Failure to file charges against the impostor due to “cost” of investigation and attorney’s fees
Many of the same businesses continued to open new fraudulent accounts despite the closure of other fraudulent accounts at that same business and the annotation as “identity theft”


Case Study – Positive Business Response

A handful of companies did observe the fraud alert and consumer statement
– Contacted victim and confirmed new applications
– Denied new fraudulent applications

Two companies provided application and transaction information to assist in victim’s own investigation
– Information was critical for the victim to clear herself

Some companies did provide letters of clearance and ceased collection action
– Letters of Clearance reaffirm victim’s innocence in future transactions

One company filed police report against impostor
– Victim readily advertises this company as superior


Why Fight Identity Theft?

Increase consumer loyalty and trust
Increase in consumer respect
Increase in customer retention
Improve employee productivity
Minimize financial losses
Avoid negative publicity


New Organizational Philosophy – Prevention

Create an organizational ethic where all employees realize the importance of protecting personal information
Use best practices in information handling:
– Authentication and Verification
– Protection of all PII (Personal Identifying Information)
– Limit access to PII by employees on a need-to-know basis
– Proper disposal of sensitive documents and electronic data

Commit to writing the policy on PII protection and advertise this policy to customers
Strict observation of fraud alerts from the CRAs


New Organizational Philosophy – Victim Mitigation

Have a written protocol for handling of identity theft cases
– Enhanced training for those who first encounter victims
– Elevate victims to ombudsman trained for identity theft cases

Provide documents and information so that victim can file a fraud affidavit with your organization
Provide victim with transaction details and credit application information, so that victim can proceed with mitigation
When fraud is determined, provide letter of clearance and stop all collection action against victim
Support law enforcement efforts in investigating the identity theft case


New Organizational Philosophy – Data Breaches

Data Breaches are not an “IF”, they are a “When”
Organizational responsibility is minimized when adequate steps have been taken to protect the information
Law enforcement must be notified when you suspect a data breach of PII
Prepare a comprehensive, intelligent, and timely breach notification for the affected parties
– A bad notification is worse than no notification
– Not communicating is unacceptable
– Lack of timely information will create panic – media will speculate

Have a prepared “response team” to handle affected parties, media and other inquiries regarding the breach


The Bottom Line

Preparation and response to fraud losses have a cost.

The loss of your organization’s reputation will be much more costly.

How will the court of public opinion measure your organization?


Contact Information

Identity Theft Resource Center
(858) 693-7935
www.idtheftcenter.org


Questions