ARTICLES

Federal agencies target businesses to help curb identity theft, other Internet crimes
Memphis Business Journal - 10/05/07
...Online fraud and theft costs businesses and individuals in excess of $200 million a year, according to Federal Trade Commission statistics, and the culprits are getting more and more sophisticated...

Brand hijackersready for the holidays
InfoWorld - 11/13/07
...Based on the firm's Autumn 2007 Brandjacking Index -- which is focused on data that was gathered from approximately 134 million public Web domains over the course of calendar Q3 -- phishing attacks carried out against retail brands jumped by 1,100 percent, compared to Q2 of this year...

Identity Theft Top Priority for State Legislators by Wall Street ...
Wall Street Technology - Melanie Rodier, 11/27/07
...Overall, Aite reports that more than 1,300 bills covering a range of issues that could impact financial institutions currently are pending before the 50 U.S. state legislatures...

**Identity and data theft often originate inside companies
San Antonio Business Journal - 10/19/07
...and while this trend is quickly affecting a large percentage of consumers, it is also finding a home in the business community...

For Victims, Repairing ID Theft Can Be Grueling
New York Times, Tom Zeller, Jr., 10/01/05
...Using private information, thieves can lead parallel and often luxurious lives, leaving a tangled mess that can take victims years to sort out....

Medical Identity Theft: Enough to Make You Sick -   itmanagement.earthweb.com, Ray Everett-Church, January 17, 2007
With last week's sobering news that medical identity theft is on the rise, we now face the prospect of privacy and security problems turning from annoyances into life-or-death issues.

The Coming Pandemic 
CIO.com, Michael Friedenberg,  05/15/06
...At the recent CSO Perspectives Conference, hosted by CIO’s sister publication, David McIntyre, CEO of TriWest, reported that 53 million identities have been stolen to date and 19,000 more are stolen every day...

Does Identity Theft Really Come at a Heavy Price for the Victims?
www.Ecorablog.com - by Mark Tordoff - 10/25/07

Recent research by the Center for Identity Management and Information Protection (CIMIP) indicates that the average actual dollar loss per victim was $31,356. The results were based on a study of 734 cases with an identity theft component that were opened and closed by the US Secret Service between 2000 and 2006.

A few interesting statistics from the findings:

• The more people involved in the fraudulent activity, the greater the take. The average figure was $42,710 in cases with two defendants, and $84,439 in cases with five.
• Information stolen from businesses such as service industries and retail or financial companies was responsible for 50 per cent of the identity thefts
• Data was stolen by an employee in one third of all cases
• In the case of employee theft, the majority were employed in retail occupations, including stores, car dealerships, gas stations, casinos, restaurants, hotels, hospitals, and doctors' offices

Rebecca Herold, in her blog, cited other key facts from the report.

• Internet and/or other technological devices were used in approximately half of the cases
• in half of the identity theft cases analyzed, the crime began in a business

I certainly agree that there is a lot of pain associated with clearing your name and your credit record if you are victimized by the theft of your personal information and the subsequent fraudulent use of that information. However, as Mike Rothman observed in his Laundry List today, I'm not sure that time and effort amounts to $31,356.

I think the issue here is the fraudulent charges made with stolen information, on average, total $31,356 for each person's PII that's stolen. I expect that most of this activity is using credit or debit cards, so the individual cardholder really never feels the pain of this whole amount. Usually a small $50 fee at most. This is a problem that Evan Schuman and I were chatting about recently as it relates to the TJX case. Consumers are still shopping at TJ Maxx and Marshalls because they aren't personally feeling the pain of that mammoth data breach. As Evan said, "Liability plans prevent consumers from losing a lot of true cash. That, in turn, means that huge breaches do not hurt consumers."

The moral of this story: $31,356 only hurts if you actually have to pay it.

Identity Theft Prevention
Curtis Martin and Dr. Ron Kite offer information to help protect your identity from being stolen.
July 2007
By Virginia Goode

A recent news publication notes that identity theft will increase 20 times in the next 20 months. Similar to a thief breaking into your home, being a victim of identity theft is devastating. Although nothing may appear to be missing, your rights have been violated. Like carbon monoxide, the silent killer, people do not know when it will strike.

Identity theft can unravel a person’s life. The process of restoring your name can be overwhelming and costly. It could take years and thousands of dollars, and one can never be sure if it will strike again or if the matter has been completely taken care of. Everyone should learn how to avoid identity theft and have a plan if the devastating crime does occur.

Dr. Ron Kite and Curtis Martin work with one of the largest risk management consultant firms in the world. The identity theft service they offer provides continuous, 24-hour monitoring of your identity, as well as true restoration if it does happen.

Early detection is one of the most powerful tools in protecting your credit, good name and your peace of mind. Taking preventive measures is imperative. By having Identity Theft Shield before an identity is stolen, the client can make a single call and let the licensed investigators do the work on the person’s behalf. Time and money are saved.

Martin and Dr. Kite also provide special services to business owners regarding current laws for employers. “We offer business owners an Affirmative Response Defense System at no charge to the business,” Dr. Kite says. “We give employers information for setting up the necessary meetings. We’ve done extensive work to put together a policy for every business, whether it is large or small. We have a checklist for these businesses, and we offer third party documentation to businesses to show the efforts being made to be in compliance. At no cost to the company, we train employees on what identity theft really is. While offered to businesses at no charge, the Affirmative Response Defense System effectively addresses each of the four things the government requires. The system offers a comprehensive solution to help business owners protect their assets.”

Three major federal legislations require businesses to take proactive measures in protecting nonpublic information. Understanding the laws pertaining to your business is critical, as penalties for not taking adequate measures to protect nonpublic data can be high. Betsy Broder, assistant director of the Federal Trade Commission’s Division of Privacy and Identity Protection, says, “We will act against businesses that fail to protect their customer data.”

“New laws require business owners to protect consumer information, and, by law, employees are consumers,” Martin explains. “We help people to be proactive in responsibly protecting their employees. Life happens. Be prepared. Our plan offers the peace of mind that comes from knowing you have somewhere to turn when help is most needed. Our services work together to help clients before, during and after identity theft is committed.”

Regardless of the size of your business, employers are responsible for protecting the personal data in their company’s possession. An organization’s best defense is a proactive, comprehensive and consistent position on privacy.

Gary Akin, president of the Owasso Chamber of Commerce, comments, “Dr. Ron Kite and Curtis Martin are backed by a 34-year-old New York Stock Exchange company which has demonstrated great integrity throughout its history. Business owners should give them a call and learn what your company must do to take action now and comply with identity theft laws.”

Former Oklahoma Senator John Young says, “I have practiced law all my life and stand in amazement with the knowledge that Dr. Ron Kite has acquired about identity theft. With identity theft at the forefront of public concern, legislators at the federal and state levels are taking action. If you own a business, you are responsible for safeguarding the nonpublic information that you collect. As identity theft continues to grow in our society, the people in charge of safeguarding information will be held accountable when their nonpublic information is compromised. Everyone needs a plan. I do not know of any other identity theft service that protects you before, during and after a crime has been committed. To my knowledge, this is the only program in the nation that will restore your identity once it is stolen.”

Protect the business that took so much hard work and dedication to build. Understand the risk and reduce your liabilities by educating employees and enforcing a strong privacy policy. No board or company is immune to the threat of lawsuits. Martin and Dr. Kite will help any business owner implement the Affirmative Response Defense System at no cost. A brief amount of time could save thousands of dollars when staff members understand how to protect nonpublic information.
 

September 19, 2006
Workplace Identity Theft: How to Curb an HR Headache
By Douglas Hottle, Meyer, Unkovic & Scott
A rise in identity theft is presenting employers with a major headache: They are being held liable for identity theft that occurs in the workplace.
Given the likelihood of liability when employees' records are misused or mishandled, employers should take steps to protect personal employee information and, indeed, are required to do so under state and federal statutes.
The bottom line is this: If an ID thief is lurking in your workplace, the first line of defense is your company's policies and procedures. Employers should periodically review their policies to ensure accordance with state and federal law. Employers may also want to consider seeking legal help to ensure compliance.
Revising and strengthening company policies will go a long way to minimizing the potential for identity theft and limiting employers' liability if an ID thief strikes. Keep in mind, however, that adopting a comprehensive series of policies and procedures will not prevent every known type of identity theft (ID thieves are an industrious and resourceful lot) nor prevent every lawsuit. Having a policy and following the law, however, will strengthen a company's position in any litigation related to identity theft.
 

Douglas Hottle, an attorney with Meyer, Unkovic & Scott in Pittsburgh and Lancaster, PA, works primarily in the area of employment law.



Recent FACTA Ruling Against a Company

On June 16, 2006 the Federal Trade Commission (FTC) issued the first ruling against a company under FACTA.

The FTC charged that BJ's Wholesale Club did not provide "reasonable security" for sensitive customer information. Allegedly they failed to encrypt credit card numbers that were stored in computers at their stores and the customer information was stored past the date it was required. The files with the customer's numbers and information were protected only by default passwords and were compromised. This resulted in the theft of credit cards numbers that were used to run up $13 million in charges.

The FTC is wasting no time in making the point that they plan to enforce this bill. "This case demonstrates our intention to challenge companies that fail to protect adequately consumers sensitive information", said Deborah Platt Majoras, Chairman of the Federal Trade Commission.

Every business can understand from this ruling that lax security and poor or non-existent privacy policies is no longer acceptable when it comes to protecting personal information of employees, customers, and vendors. Businesses will now be required to implement effective policies related to all information security, or suffer the consequences.
 

Federal survey: Identity theft hits 1 in 4 U.S. households
By Christine Dugas
USA Today
Sept 4, 2003

Identity theft statistics now show that one in four U.S. households has been a victim of identity theft in the past five years, according to a report released Wednesday in which the federal government for the first time measures the full extent of the crime wave.

In the last year alone, 10 million people were victimized, according to a survey of 4,000 adults sponsored by the Federal Trade Commission.

Identity theft cost victims $5 billion in out-of-pocket expenses and nearly $48 billion in losses to businesses and financial institutions last year.
 

USA TODAY
Posted by Mark Memmott at 11:34 AM/ET, December 12, 2006 in Crime, Local news
Meat-packing plants raided in identity theft probe
Federal agents raided meat processing plants in six states this morning and arrested an unknown number of suspected illegal immigrants in an identity theft investigation, the Associated Press is reporting.
The investigation indicated that large numbers of illegal immigrants may have used the Social Security numbers of U.S. citizens or residents to get jobs with Swift & Co., AP says.
Immigration officials said they and the Federal Trade Commission had identified hundreds of potential victims.
Six Swift processing facilities were raided Tuesday, the AP says, in Greeley, Colo.; Grand Island, Neb.; Cactus, Texas; Hyrum, Utah; Marshalltown, Iowa; and Worthington, Minn.
 

NewsTarget.com printable article
Originally published September 25 2006
Medical identity theft on the rise as health care desperation leads to crime
by Jessica Fraser

(NewsTarget) Although most identity theft cases in the United States involve credit cards and bank accounts, ID thieves are now engaging in medical fraud -- falsely obtaining medical care using someone's stolen identity -- according to today's Los Angeles Times.
After surgery on her shoulder last year, Lind Weaver, a 56-year-old retired schoolteacher, was billed for the amputation of her right foot. Refusing to pay the medical bill collectors, Weaver set about trying to prove that the surgery had obviously not been performed on her -- since her foot was intact -- which proved a more difficult task than recovering from simple credit card ID theft.
Experts say the rising costs of U.S. healthcare are driving medical identity fraud, and many victims are entirely unaware that their medical identity has been stolen unless they receive a hospital bill or an inquiry from their insurance provider. In addition to potentially damaging credit reports and affecting future job status -- since many Fortune 500 companies require access to medical records when hiring or promoting -- medical identity theft can also cause fatal future hospital errors.
For example, Weaver suffered a heart attack in May, and when she awoke in the hospital two days later, a nurse asked her what drugs she was taking to treat her diabetes. Weaver did not suffer from diabetes -- though the woman who stole her identity did -- and diabetes patients receive different heart surgeries than patients without the disease.
However, even if health complications are avoided, medical identity fraud can lead to hellish legal ordeals. In the case of Salt Lake City resident Anndorie Sachs -- whose ID was stolen and used when the thief delivered a baby that tested positive for methamphetamine -- her four children were nearly taken from her by social workers, though she had not given birth for two years. Sachs' case was only resolved after she hired a lawyer and went to the local media. However, when Sachs was admitted to the hospital for a kidney infection last year, the hospital records indicated the wrong blood type, which could have resulted in a fatal error.
Victims of medical identity theft find that clearing their names can be even more difficult than those clearing a traditional credit card ID theft, largely because of laws designed to protect patients' medical records. Once a patient reveals to the hospital or doctor's office that their medical records are somehow tied to someone else's -- even though that person is an identity thief -- their records become much more difficult to access.
The U.S. House and Senate are currently working to pass bills that push wider use of electronic health records, which could potentially make it easier for medical identity theft victims to clear their names.
 

Identity theft now part of American life
05:09 PM CDT on Thursday, June 16, 2005
By CRAYTON HARRISON / The Dallas Morning News
The personal records of 145,000 people were exposed when thieves infiltrated ChoicePoint Inc.'s databases last year. The breach has resulted in 750 cases of identity theft fraud, law enforcement officials have said.
The rest of the thousands of people affected by the breach have to wait and be vigilant. Their identities could still be stolen, since personal data can circulate among thieves for years.
That means they'll have to pay close attention to bank statements and credit reports for signs of illegal activity.
Also Online
Victims of the hook
The ChoicePoint breach and other corporate security lapses, combined with the spread of e-mail and Internet scams, have raised the public consciousness of identity theft to a new level.
Every consumer is now a potential identity theft victim, just like people affected by the ChoicePoint theft. All it takes is a stolen credit card, an e-mail scam or a corporate security lapse.
The odds of having information stolen are so high, and the data so valuable, that dealing with the scourge is becoming a way of life. About 10 million Americans have their identity stolen each year, according to government statistics.
"Identity theft now passes the someone-you-know test," says Beth Givens, director of the Privacy Rights Clearinghouse in San Diego. "Most people have been a victim or know somebody who has been a victim."
Privacy advocates say that, after years of indifference, the general public is finally getting concerned about securing personal data. Governments and companies also appear to be waking up to the threat.
"Corporations and people who face the public are trying to make it less easy for this kind of information to leak out," says Avi Rubin, a computer science professor at Johns Hopkins University. "These breaches are pretty high-profile, and nobody wants to be the next story in The New York Times."
For most victims, identity theft is a minor hassle, a charge on a credit card that requires a phone call to clear up.
Dallas resident Shelley Cook's experience was typical. A couple of years ago, she got a call from her bank asking about a suspicious charge on her credit card. She followed the bank's instructions, asking the credit reporting bureaus to place a fraud alert on her account, and called the police to report the incident.
"There was no real negative result," says Ms. Cook, 26.
A smaller number of identity theft cases are more onerous, requiring dozens of hours of letter-writing and phone calls to clear up. They typically occur when a thief gets enough personal data to open a line of credit.
If such cases are caught early enough, they normally don't result in lasting financial harm. On rare but worrisome occasions, a victim suffers gut-wrenching financial damage that requires legal help to fix.
Identity theft presents one other important risk, experts say. Terrorists could use stolen personal data to bypass security measures.
How it happens
Researchers have found it difficult to determine how most identities get stolen. Studies ask consumers how they've lost their data, but consumers often simply don't know.
Thieves have big incentives to keep stealing personal data.
A person's identity is a financial criminal's ultimate alibi. Social Security numbers, checking accounts and credit card digits unlock doors at banks, retailers and even international borders. The data is valuable, available for sale every day on the Internet.
While many consumers change their credit card numbers over the years, some pieces of data, including Social Security numbers, stay eternally useful for thieves.
"They're sold and resold and resold," says Judith Collins, a criminal justice associate professor at Michigan State University.
ChoicePoint, LexisNexis and other companies whose databases have suffered major infiltrations have eventually notified consumers about the problem. California law requires companies to tell its citizens about security breaches that affect them.
But similar thefts at other companies occur all the time, and they're not always publicized.
"There are at least one to two hacks every single day of thousands or tens of thousands of data," says Mike Brown, president of CardCops, a California company that patrols the Web for stolen credit card numbers. "We hear about the big hacks. We don't hear about the little hacks."
In many cases, hacks involve very little hacking in the sense of sophisticated computer trickery. In the ChoicePoint breach, for instance, the thieves impersonated legitimate businesses to apply for access to the databases.
In other cases, thieves have obtained passwords from employees. More than half of identity theft cases are inside jobs, says Ms. Collins, who recently completed a study of 1,037 such cases. And some criminals have tricked employees into giving away passwords.
Identity thieves are just as aggressive in robbing individuals. They've used fraudulent e-mails, Web sites and even instant messages to try to trick consumers into entering personal data.
Vulnerability
The data from individuals and from businesses flow into an underground world, where money launderers and other unsavory types can buy the information.
A hacker might steal 100,000 records, keep 10 of the most vulnerable for himself, divide up the rest and sell a portion to 10 people, Mr. Brown says.
"Eventually there are about a hundred different guys out there working on thousands of accounts," Mr. Brown says. Thousands of pieces of data can be disseminated in 24 hours, he says.
The data in the ChoicePoint breach and other high-profile thefts have probably been distributed through wide networks and may be used once people let their guard down, experts said.
But at least people affected by the high-profile data breaches know their information has been exposed. In many cases, identity theft is so effective because it's so difficult to detect, says Mr. Rubin of Johns Hopkins.
"If someone steals your bike, you don't have a bike anymore, and you know it," he says. "If they steal data, it's copied. It's still there, but it's not like it's missing."
Raising security
Every company – an e-commerce site, health insurer, phone company – that a consumer interacts with keeps a record of their purchases and subscriptions.
Privacy advocates are proposing laws to limit data collection and help consumers monitor their financial accounts. Dozens of states are considering laws like California's that require companies to disclose data thefts. Credit agencies now have to grant free reports to consumers once a year, thanks to a federal law.
Some advocates have proposed laws that would limit the collection of Social Security numbers. And some are pushing for "opt-in" legislation, which would require data collection agencies to request consumers' permission before selling information about them.
Companies, facing enormous legal liability for the loss of personal information, have concentrated on digitally securing data. They must also develop stronger internal privacy rules and place more scrutiny on employees, experts say.
"You have to implement some policies and record-keeping that most companies have not thought about implementing yet," says Chad King, a partner and technology lawyer at Hughes & Luce in Dallas. "Until we reach that point, it's always at risk."
Personal finance writer Pamela Yip contributed to this report.
E-mail charrison@dallasnews.com