<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CIPP Guide &#187; Notice</title>
	<atom:link href="http://www.cippguide.org/tag/notice/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cippguide.org</link>
	<description>Your Guide to the CIPP</description>
	<lastBuildDate>Tue, 07 Sep 2010 12:00:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Recommendations for Identity Theft Related Data Breach Notification</title>
		<link>http://www.cippguide.org/2010/04/20/recommendations-for-identity-theft-related-data-breach-notification/</link>
		<comments>http://www.cippguide.org/2010/04/20/recommendations-for-identity-theft-related-data-breach-notification/#comments</comments>
		<pubDate>Tue, 20 Apr 2010 12:00:45 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[account number]]></category>
		<category><![CDATA[biometric]]></category>
		<category><![CDATA[Chief Legal Officer]]></category>
		<category><![CDATA[CIO]]></category>
		<category><![CDATA[CIPP/G]]></category>
		<category><![CDATA[CPO]]></category>
		<category><![CDATA[credit bureau]]></category>
		<category><![CDATA[credit report]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[driver's license]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Inspector General]]></category>
		<category><![CDATA[Notice]]></category>
		<category><![CDATA[Office of Management and Budget]]></category>
		<category><![CDATA[OMB]]></category>
		<category><![CDATA[Personally Identifiable Information]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[pin]]></category>
		<category><![CDATA[Presidential Identity Theft Task Force]]></category>
		<category><![CDATA[security code]]></category>
		<category><![CDATA[Social Security Number]]></category>
		<category><![CDATA[SSN]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=1443</guid>
		<description><![CDATA[In September 2006, the Office of Management and Budget issued a memorandum, based on recommendations from the President’s Identity Theft Task Force, to help government departments and agencies adequately protect data.

What is Identity Theft?

Identity theft is the unauthorized use of personally identifiable information (PII) by an individual to commit fraud, usually financial fraud. This is achieved either by using existing financial account information or by using an individual’s Social Security Number (SSN) to open new financial accounts. Identity theft is a serious problem costing American citizens millions of dollars every year. As one of the largest collectors of personal information, the U.S. Government must implement strong measures to reduce the risk of security breaches leading to identity [...]]]></description>
			<content:encoded><![CDATA[<p>In September 2006,<a href="http://www.whitehouse.gov/OMB/memoranda/.../task_force_theft_memo.pdf"> the Office of Management and Budget issued a memorandum</a>, based on recommendations from the <a href="http://www.idtheft.gov/">President’s Identity Theft Task Force</a>, to help government departments and agencies adequately protect data.</p>
<p><strong>What is Identity Theft?</strong></p>
<p>Identity theft is the unauthorized use of personally identifiable information (PII) by an individual to commit fraud, usually financial fraud. This is achieved either by using existing financial account information or by using an individual’s Social Security Number (SSN) to open new financial accounts. Identity theft is a serious problem costing American citizens millions of dollars every year. As one of the largest collectors of personal information, the U.S. Government must implement strong measures to reduce the risk of security breaches leading to identity theft.</p>
<p>The President’s Identity Theft Task Force made the following recommendations:</p>
<p><strong>Data Breach Planning</strong></p>
<p>Effective information security requires building contingency plans for the event that a data breach occurs. Each agency should select appropriate individuals to form a data breach response group that convenes whenever a potential or confirmed data breach is discovered.</p>
<p>This group should include at minimum:</p>
<ul>
<li>Chief Information Officer</li>
<li>Chief Legal Officer</li>
<li>Chief Privacy Officer</li>
<li>Senior management official</li>
<li>Agency’s Inspector General</li>
</ul>
<p>This group should meet initially to develop basic contingency plans that are put into effect automatically when a breach occurs, and should reconvene as necessary in response to security incidents.</p>
<p><strong>Identifying an Incident that Presents Identity Theft Risk and the Level of Risk Involved</strong></p>
<p>Not every data breach results in a risk of identity theft. When a security breach occurs, agencies must determine on a case-by-case basis whether there is a risk of identity theft and, if so, the level of that risk.</p>
<p>What constitutes an identity theft risk?</p>
<ul>
<li>Unauthorized disclosure of an individual’s <strong><a href="http://www.ssa.gov/pubs/10064.html">Social Security Number</a></strong></li>
<li>Unauthorized disclosure of an individual’s name, address or telephone number in combination with
<ul>
<li>a government-issued identifier (e.g., a driver’s license number)</li>
<li>a biometric record</li>
<li>a financial account number together with its PIN or security code</li>
<li>any other information that specifically identifies an individual, such as a relationship with a financial institution or a club membership</li>
</ul>
</li>
</ul>
<p>When such information has been compromised, the following criteria should be used to determine the level of identity theft risk:</p>
<ul>
<li>how difficult it would be for an unauthorized individual to make use of the information</li>
<li>how the data loss occurred, including whether criminal activity is suspected or involved</li>
<li>the ability of the agency to counteract or prevent abuse of the information</li>
<li>evidence that the compromised information is being used to commit identity theft related fraud</li>
</ul>
<p><strong>Reducing Risk After Disclosure</strong></p>
<p>When a data breach has occurred and a risk of identity theft has been determined, both the affected individual and the agency should take measures to minimize abuse of the information. Responses will vary depending on the type of information compromised and the level of risk determined by the agency.</p>
<p><a href="http://www.ncpc.org/cms/cms-upload/prevent/files/idtheftrev.pdf">Individual actions may include:</a></p>
<ul>
<li>Closing affected financial accounts</li>
<li>Monitoring financial accounts</li>
<li>Requesting and monitoring their credit report</li>
<li>Placing a fraud alert with the credit bureaus</li>
<li>Placing a credit freeze on their credit account</li>
<li>Staying alert to follow-on scams, such as criminals offering “credit assistance” who are in fact attempting to obtain more PII</li>
</ul>
<p>Agency actions may include:</p>
<ul>
<li>Notifying banks if government-issued credit cards or government payments are involved</li>
<li>Performing a data breach analysis to determine whether the breach has resulted in identity theft</li>
<li>Providing credit monitoring services to affected individuals</li>
<li>Notifying law enforcement officials</li>
</ul>
<p><strong>Providing Notice to Those Affected</strong></p>
<p>Agencies are not required to notify affected individuals after <em>any</em> data breach has occurred. However, agencies must notify individuals when a breach has occurred that poses a <em>significant risk</em> of identity theft so that suitable countermeasures may be taken.</p>
<p>Providing notice for every data breach is not an effective response because:</p>
<ul>
<li>Notification is costly</li>
<li>Countermeasures such as closing financial accounts, placing fraud alerts and obtaining new ID documents are too costly to both the public and private sectors to be undertaken after every data breach</li>
<li>Frequent public notices may leave the public unable to distinguish a minor threat from a major one, or to know what action must be taken</li>
</ul>
<p>If an agency has determined that the risk of identity theft is large enough to warrant notification, the following guidelines should be followed in providing notice:</p>
<ul>
<li>Timing– Affected individuals must be notified at the right time. Individuals should be notified as early as possible so that protective measures can be put in place. However, notice that is issued too early may overstate the threat or impede an investigation. Agencies must confer with law enforcement officials to ensure that notification is made at a time appropriate to the actions that must be taken.</li>
<li>Source– Individuals must be told which party was responsible for the breach. The breach may not always occur within the agency itself; for instance, an outside contractor may handle the information on behalf of the agency and the breach may have occurred in the contractor’s system. The agency nevertheless remains responsible for the information, and an agency official should be named as the point of contact.</li>
<li>Contents– Individuals should be told, in clear, easy-to-understand terms:
<ul>
<li>a brief description of the data breach</li>
<li>the type of information that may have been compromised</li>
<li>a brief description of the agency’s actions to investigate and mitigate the breach and to prevent a recurrence</li>
<li>contact information for questions, including a toll-free number, web address and postal address</li>
<li>the actions an individual should take to mitigate the threat of identity theft</li>
</ul>
</li>
<li>Method of Notification– Notification methods should be chosen based on how the majority of affected individuals can best receive the information. Notice mailed to the individual’s postal address should be the primary means of communication.</li>
<li>Preparing for follow-on inquiries– Agencies must be prepared to handle the volume of follow-up inquiries they may receive, especially after a public announcement. Officials may choose to delay public notice of a data breach to give the agency adequate time to prepare a response plan for such requests.</li>
<li>Preparing counterpart entities that may receive a surge in inquiries– Agencies should alert other entities, such as affected financial institutions or the credit bureaus, if they are likely to see a significant increase in requests as a result of the breach notice.</li>
</ul>
<p><strong>Summary</strong></p>
<p>The Government is one of the largest consumers of personally identifiable information. As such, it is at significant risk of data breaches and unauthorized disclosure of sensitive data. In addition to implementing adequate security measures, agencies must be prepared to notify individuals when significant data breaches occur. While a data breach may be something of an embarrassment, agencies are required by law to report such incidents and to alert affected individuals who may face a significant threat of identity theft.</p>
<p><em>CIPP/G Candidate Preparation</em></p>
<p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p>
<ul>
<li>OMB Memorandum, September 20, 2006: Recommendations for Identity Theft Related Data Breach Notification Guidance (II.A.c.2.i)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/04/20/recommendations-for-identity-theft-related-data-breach-notification/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Fair Information Practice Principles</title>
		<link>http://www.cippguide.org/2010/01/18/fair-information-practices-principles/</link>
		<comments>http://www.cippguide.org/2010/01/18/fair-information-practices-principles/#comments</comments>
		<pubDate>Mon, 18 Jan 2010 12:00:43 +0000</pubDate>
		<dc:creator>jbrook</dc:creator>
				<category><![CDATA[CIPP]]></category>
		<category><![CDATA[Compliance & Regulations]]></category>
		<category><![CDATA[Awareness]]></category>
		<category><![CDATA[Choice]]></category>
		<category><![CDATA[Consent]]></category>
		<category><![CDATA[data subject access]]></category>
		<category><![CDATA[fair information practice principles]]></category>
		<category><![CDATA[Notice]]></category>
		<category><![CDATA[opt-in]]></category>
		<category><![CDATA[opt-out]]></category>
		<category><![CDATA[redress]]></category>

		<guid isPermaLink="false">http://www.cippguide.org/?p=1200</guid>
		<description><![CDATA[The Fair Information Practice Principles form the backbone of privacy law in the United States, and the concepts they embody have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to complying with the various privacy laws that protect personal [...]]]></description>
			<content:encoded><![CDATA[<p>The Fair Information Practice Principles form the backbone of privacy law in the United States, and the concepts they embody have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to complying with the various privacy laws that protect personal information.</p>
<p><strong>The Fair Information Practice Principles</strong></p>
<p><em>Notice/Awareness</em></p>
<p>Individuals should receive notice of an entity’s privacy practices <em>prior</em> to the collection of personally identifiable information. Notice allows individuals to make informed choices about the use of their personal information. A privacy notice must include:</p>
<ul>
<li>The name and physical address of the entity collecting the data</li>
<li>The type of data collected</li>
<li>How collected data will be used</li>
<li>Any potential third party disclosure of personal information</li>
<li>Any potential secondary use of personal information</li>
</ul>
<p><em><a href="../../../../../2009/12/21/choice-and-consent/">Choice/Consent</a></em></p>
<p>Individuals must be able to consent to or refuse certain uses of their personal information, particularly secondary uses and marketing. Two main mechanisms are used to give consumers consent options:</p>
<ul>
<li><a href="../../../../../2009/12/21/choice-and-consent/">Opt in</a>: Requires affirmative consent from the individual. In other words, the individual must take action to START the processing of personal information for secondary uses or disclosures. Examples include signing up to receive marketing newsletters, special offers and similar communications.</li>
<li><a href="../../../../../2009/12/21/choice-and-consent/">Opt out</a>: Relies on the implicit consent of the individual. Consent is assumed because the individual has not stated a desire otherwise. In other words, the individual must take action to STOP the processing of personal information for secondary uses or disclosures. An example is <a href="../../../../../2009/11/16/cookies-tracking-your-internet-experience/">opting out of third-party advertising</a>.</li>
</ul>
<p>An individual must be able to view their consent options and change them at any time. Changes should be honored within a reasonable length of time.</p>
<p><em>Access/Participation</em></p>
<p>An individual must be able to view the data an entity holds about them. They must also be allowed to correct incomplete or inaccurate information in their file. Access to data must be granted within a reasonable time frame and at minimal cost.</p>
<p><em>Integrity/Security</em></p>
<p>Data must be accurate, up-to-date, complete and not stored longer than necessary. Security of data must be maintained using physical, technical and administrative safeguards to protect against unauthorized access, use, disclosure and destruction. Safeguards should be implemented in proportion to the security risk or threat, with greater risks or threats using greater resources and stronger protections.</p>
<p><em>Enforcement/Redress</em></p>
<p>An individual must be able to file complaints with the entity and have those complaints addressed. Furthermore, there should be a mechanism in place to ensure compliance with the above standards, either through self-regulation or government regulation.</p>
<p><strong>Enforcement of Privacy Practices</strong></p>
<p>The Fair Information Practice Principles are guidelines for the use of personal information in connection with business activities and transactions. They are not in themselves a law that must be followed, and as such are not directly enforceable. However, many privacy laws (see below) incorporate the Fair Information Practices to protect personal information.</p>
<p>The United States favors self-regulation as the means of enforcing the Fair Information Practices. In theory, informed consumers will choose businesses that implement the Fair Information Practices and protect their information, driving businesses that do not guarantee such protections out of the market. Services such as the Better Business Bureau and online assurance programs build trust between businesses and consumers by providing a directory of businesses whose privacy practices have been assessed and found to provide adequate protection.</p>
<p>The Fair Information Practice Principles have been criticized because they do not require the creation of a general privacy authority and rely largely on self-regulation, which at times falls short of adequately protecting consumers. At the same time, many businesses believe that stronger guidelines or regulations would be too costly and would hinder business growth. For now, the United States continues to follow a sectoral approach, developing privacy laws as the need arises.</p>
<p><strong>Laws Using the Fair Information Practice Principles to regulate Privacy</strong></p>
<ul>
<li><a href="http://epic.org/privacy/fcra/">Fair Credit Reporting Act</a>– Enforced by the Federal Trade Commission, the Fair Credit Reporting Act regulates the use of consumer reports. It requires notice of disclosure and of adverse action, and gives consumers the ability to access their consumer reports and to correct inaccuracies in them.</li>
<li><a href="http://www.accessreports.com/statutes/RFPA.htm">Right to Financial Privacy Act</a>– Protects the privacy of customers of financial institutions from government searches (with exceptions). The RFPA restricts government access to financial records unless the individual consents or one of the specified exemptions applies.</li>
<li><a href="http://www.coppa.org/">Children’s Online Privacy Protection Act</a>– Prohibits the collection, use and disclosure of personal information from children under 13 without notice to, and verifiable consent from, a parent.</li>
</ul>
<p><strong>Summary:</strong></p>
<p>The Fair Information Practice Principles form the backbone of privacy law in the United States. Though the principles put forth by the FTC are only guidelines, some laws have turned them into binding requirements, and even more businesses choose to build trust with consumers by following the Fair Information Practice Principles through self-regulation. Understanding the principles and their implementation is one of the core concepts every privacy professional needs to know.</p>
<p><em>CIPP/G Candidate Preparation</em></p>
<p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p>
<ul>
<li>Privacy Principles and Definitions, including the Fair Information Practice Principles (I.B.a.i.)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.cippguide.org/2010/01/18/fair-information-practices-principles/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
