The memorandum issued the following recommendations:

Data Breach Guidance to Agencies

The Office of Management and Budget should issue a memorandum guiding agencies on when and how notice must be given to individuals at risk for identity theft due to a security breach. The suggested memorandum, titled “Recommendations for Identity Theft Related Data Breach Notification” was released almost concurrently with the Task Force’s memorandum.

Development of Universal Police Report for Identity Theft Victims

Identity theft victims my require official police reports to contest fraudulent information on their credit reports. A universal identity theft police report ensures that all necessary information is collected. It also allows identity theft victims to print the report from online, fill it out and bring it to their local enforcement agency for verification. Currently, individuals may also file an official complaint with the Federal Trade Commission on the FTC website. A universal form of filing complaints, reduces the strain on law enforcement agencies and  allows streamlining of investigations.

Extending Restitution for Victims of Identity Theft

The Task Force recommended to Congress that defendants be required to pay their identity theft victims monetarily for the time lost due to investigating, responding to and correcting fraudulent activity on their credit reports. This created extra penalties for committing identity theft, as well as allowed some renumeration to be paid to identity theft victims for their troubles, in addition to settling any financial disputes related to the fraudulent activity.

Reducing Access of Identity Thieves to Social Security Numbers

All agencies in the public sector should limit the use of Social Security Numbers as an individuals main identifier in an information system. The Office of Personnel Management was instructed to assign employee identification numbers for common use to eliminate the widespread use of SSN as the primary identifier for government employees. The OPM was also instructed to develop policies for the appropriate use and protection of Social Security Numbers. Further more all agencies were asked to review their use of SSNs in physical and electronic records systems to eliminate and restrict its usage where possible.

Developing Alternative Methods of Authentication Identities

The Task Force recommended that agencies confer with privacy and security experts in the private sector to create and implement technologies that use identifiers such as biometrics to authenticate identity. Biometric identifiers are harder for identity thieves to replicate or abuse. Using biometric identifiers in order to access personally identifiable information would significantly increase the protection to sensitive data.

Improving Data Security in the Government

The Task Force asked that the Office of Management and Budget and the Department of Homeland Security work together to investigate privacy practices in the Federal government and develop a list of the top mistakes that affect an agency’s ability to adequately protect data. This document was published in 2007 under the title “Common Risks Impeding the Adequate Protection of Government Information.”

Improving the Agencies’ Ability to Respond to Data Breaches in the Government

Agencies were instructed to develop and publish a “routine use” policy for their systems of records under the Privacy Act. These “routine use” policies would allow agencies to share PII–without the prior consent of the individual–with other agencies in order to respond effectively to security breaches.

Summary

In 2006, the Presidential Identity Theft Task Force allowed the U.S. Government to quickly analyze federal information security practices and create appropriate recommendations and plans to increase protection. Of the seven recommendations put forth by the Identity Theft Task force in 2006, several have been fulfilled and/or implemented in to government practice. Today, the Task Force continues to discuss ways in which the U.S. Government can increase the protection of its data holdings to prevent unauthorized disclosure and expose citizens to the threat of identity theft. While only the Federal Government was required to implement many of the guidelines, they serve as a model for institutions in the private sector concerned with identity theft.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Recommendations of the Identity Theft Task Force, September 2006

Missouri accepted $17 M in DHS grants last year to serve as the lead developer in a REAL ID verification hub.  That grant included an additional $1.2M to each of four other states (Florida, Indiana, Nevada, and Wisconsin) that, as the DHS announced, would use Missouri:

… as a central router to provide timely, accurate, and cost-effective verification to motor vehicle departments of an applicant’s source documents. States will be able to seamlessly verify the identity, lawful status and social security number of an applicant through this common interface.

What will happen to any unspent funds, and if there will be any penalties from the DHS for contract breach has yet to be determined.  What is know is part of HB 361 does deal with destroying personally identifiable information collected in the verification hub capacity.  Missouri is taking their privacy role seriously:

Any biometric data previously collected, obtained, or retained in connection with motor vehicle registration or operation, the issuance or renewal of driver’s licenses, or the issuance or renewal of any identification cards by any department or agency of the state charged with those activities shall be retrieved and deleted from all databases. 

A few of the less obvious biometric authentication information are specifically called out in the bill.  Facial patterns, voice, iris patterns, retinal scans and fingerprint information are all part of the popular lexicon, showing up in Hollywood blockbusters over the past couple of decades.  Personally, DNA really has no reason to even be thought of as an option for biometrics with a whole host of associated issues that will no doubt be addressed at a future time.  Those that are a curiosity: eye spacing, gait, and keystroke dynamics.  None of these on their own should be an authentication parameter, as eye spacing and gait are casually observable, and keystroke dynamics vary widely.  Someone hopped up on a Starbucks or late for a plane simply won’t press the buttons with the same lethargy for accurate measurements.  Using percentages (2 out of 3) to make a better educated guess with these types of observations does makes sense.  This is probably not as big of a deal with a “driver’s license”, but as we covered, opponents of REAL ID expect the card to become the next Social Security Number in terms of ubiquity and several features of the Act worry privacy professionals.

The bill does give some justification as to the motives behind the change of heart, apparently seeing the REAL ID activities as complicating state’s rights.  As a verification hub, Missouri could be seen as potentially infringing on the rights of other states, or acting as an agent of the US Federal Government.  In all, the MO state legislators decreed:  

No citizen of this state shall have his or her privacy compromised by the state or agents of the state. The state shall within reason protect the sovereignty of the citizens the state is entrusted to protect.

Update:  Follow the current progress of HB 361 through the Missouri Governor’s desk on the MO State House of Representatives site.

This seems to fly in the face of EU’s Privacy Protection Directive, and a long history of pro-privacy government.  Finland was one of the early participants of a group called the Organization for Economic Cooperation and Development (OECD), signing up in 1969.  The OECD’s eight privacy principals served as a baseline for private data handling within member states and included such items as collecting the minimum amount of information necessary and limitations of use for any data collected.

Finland’s not the first country to register this sort of information – Singapore’s been doing this for several years.  They keep all of their citizen’s data (including fingerprints) in one big database called the Central Identification and Registration Information System (CIRIS).  It not only covers Singaporian’s, but includes anyone that passes through their customs and immigration checkpoints. Granted, it’s protected through several security mechanisms, they’re a much smaller country land-wise and not affiliated with Europe or it’s wartime past indiscretions, but the population difference is less than 600K in Singapore’s favor and the economic influence of the tiny island can’t be ignored.

Why the parallels to Singapore you may ask?  Pedigree.  Singapore is part of the Asia-Pacific Economic Cooperation and (mostly) abides by the APEC privacy framework. The nine principles of the APEC privacy framework mirrors the OECD’s eight, including both the Collection Limitation and Use Limitation principles.    The CIPP covers all of this history and evolution between the various privacy assurance concepts.

Finland might look over some of Singapore’s justifications for private data centralization in selling this to their citizens.  Are they collecting the fingerprints just to have them on file?  Maybe someone somewhere might do something criminal?

The Google translation of the Finnish government’s statement is here.