In May 2006, an Executive Order of the President created the Identity Theft Task Force. The Task Force includes members of several Federal agencies and departments. In September 2006, the Task Force released a number of recommendations ahead of the May 2007 document “Combatting ID Theft: Strategic Plan” in order to help agencies get a head start on the growing problem of identity theft.
The memorandum issued the following recommendations:
Data Breach Guidance to Agencies
The Office of Management and Budget should issue a memorandum guiding agencies on when and how notice must be given to individuals at risk for identity theft due to a security breach. The suggested memorandum, titled “Recommendations for Identity Theft Related Data Breach Notification” was released almost concurrently with the Task Force’s memorandum.
Development of Universal Police Report for Identity Theft Victims
Identity theft victims my require official police reports to contest fraudulent information on their credit reports. A universal identity theft police report ensures that all necessary information is collected. It also allows identity theft victims to print the report from online, fill it out and bring it to their local enforcement agency for verification. Currently, individuals may also file an official complaint with the Federal Trade Commission on the FTC website. A universal form of filing complaints, reduces the strain on law enforcement agencies and allows streamlining of investigations.
Extending Restitution for Victims of Identity Theft
The Task Force recommended to Congress that defendants be required to pay their identity theft victims monetarily for the time lost due to investigating, responding to and correcting fraudulent activity on their credit reports. This created extra penalties for committing identity theft, as well as allowed some renumeration to be paid to identity theft victims for their troubles, in addition to settling any financial disputes related to the fraudulent activity.
Reducing Access of Identity Thieves to Social Security Numbers
All agencies in the public sector should limit the use of Social Security Numbers as an individuals main identifier in an information system. The Office of Personnel Management was instructed to assign employee identification numbers for common use to eliminate the widespread use of SSN as the primary identifier for government employees. The OPM was also instructed to develop policies for the appropriate use and protection of Social Security Numbers. Further more all agencies were asked to review their use of SSNs in physical and electronic records systems to eliminate and restrict its usage where possible.
Developing Alternative Methods of Authentication Identities
The Task Force recommended that agencies confer with privacy and security experts in the private sector to create and implement technologies that use identifiers such as biometrics to authenticate identity. Biometric identifiers are harder for identity thieves to replicate or abuse. Using biometric identifiers in order to access personally identifiable information would significantly increase the protection to sensitive data.
Improving Data Security in the Government
The Task Force asked that the Office of Management and Budget and the Department of Homeland Security work together to investigate privacy practices in the Federal government and develop a list of the top mistakes that affect an agency’s ability to adequately protect data. This document was published in 2007 under the title “Common Risks Impeding the Adequate Protection of Government Information.”
Improving the Agencies’ Ability to Respond to Data Breaches in the Government
Agencies were instructed to develop and publish a “routine use” policy for their systems of records under the Privacy Act. These “routine use” policies would allow agencies to share PII–without the prior consent of the individual–with other agencies in order to respond effectively to security breaches.
In 2006, the Presidential Identity Theft Task Force allowed the U.S. Government to quickly analyze federal information security practices and create appropriate recommendations and plans to increase protection. Of the seven recommendations put forth by the Identity Theft Task force in 2006, several have been fulfilled and/or implemented in to government practice. Today, the Task Force continues to discuss ways in which the U.S. Government can increase the protection of its data holdings to prevent unauthorized disclosure and expose citizens to the threat of identity theft. While only the Federal Government was required to implement many of the guidelines, they serve as a model for institutions in the private sector concerned with identity theft.
CIPP/G Candidate Preparation
In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:
- Recommendations of the Identity Theft Task Force, September 2006