It’s 8:00 a.m. Monday morning. The office phone rings and it’s your executive assistant’s husband calling. “Hi! I’m sorry, but Sally won’t be in today, she was just arrested for check forgery, and she’s on the way to the police station. It wasn’t her, and she kept saying “but it’s not me”. I’m on my way to bail her out. I don’t know what we’re going to do!” After months of investigation, time spent in jail, disruption to your office and Sally’s life, the prosecutor’s office finally decides to drop the case. Not because they believe that Sally is innocent, but because they don’t enough evidence against her. Sally was the victim of identity theft. A scary hypothetical? Yes. A growing possibility of being real? Absolutely.
Identity theft is a term you’re probably hearing about more and more every day. Some common reactions to this topic are:
“I don’t shop online”
“I don’t use credit cards”
“I use a shredder”
“I had some charges on my bank statement for jewelry that weren’t mine,
but the bank took care of it”
The most dangerous reactions of all are:
"Who would want my identity? I have bad credit, let them take it!
“It can’t happen to me”.
Identity theft: Isn’t it all just media hype?The simple answer is No! First and foremost, it is a crime of international proportions, and it’s out of our control. It’s a crime that has been going on and growing for years. But with the launch of the Internet, and other digital media, it has become increasingly easy to steal consumers’ personal information. Now with the help of mass and social media outlets, identity theft is beginning to get the press it deserves.
But Identity Theft Isn't A Crime!
This statement was actually made to me about a year ago by a member of the legal community. I explained that Identity theft was formally acknowledged as a crime when Congress enacted the Identity Theft Assumption and Deterrence Act in 1998. The Federal Trade Commission was designated as the lead government agency to handle consumer matters pertaining to ID Theft. Under the act, it is a federal crime when someone:
knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.
It is important to note that means of identification is defined as: "any name or number that may be used, alone or in conjunction with any other information to identify a specific individual, including any –
Name, Social Security Number, Date Of Birth, officially issued Driver's
License Numbers or identification numbers
Unique Biometric data
Unique electronic identification number, address, or routing code
Telecommunication identifying information or access device.
What Is Identity Theft Really?
Most people think it has something to do with bank accounts, credit cards and fraudulent purchases. They are indeed correct, but only partially. There are several forms that identity theft can take:
Theft of Character – This is where a person steals someone’s social security number, driver’s license number or commits a crime in a victim’s name. Some of the things that can happen include receiving a DUI, traffic tickets, filing false tax returns, opening new bank accounts, or gaining employment in a victim’s name.
Theft of Medical Benefits – Occurs when a victim’s health insurance identification or social security number is used to get health care. This form of identity theft can have life threatening ramifications if misinformation is included in a victim’s health records. Think about a comatose auto accident victim arriving at the local ER. Computer records say that the victim is a diabetic but has no documented drug allergies. But the victim is really not a diabetic but has an allergy to penicillin.
Theft of Financial Information/Identity Fraud- This is probably the most recognized form of the crime. This theft occurs when a thief uses a victim’s information for illicit gain. Thieves obtain credit cards, loans, purchase merchandise, vehicles, and even homes posing as someone else. This type of misuse of information is termed identity fraud.
Synthetic Identity Theft – This happens when different pieces of personally identifiable information, typically a real person’s social security number are joined with a different name to create a new person. This crime can be financial in nature, but also can impact a victim in other ways. For example, a friend of mine couldn’t figure out why every time he went to apply for a job he was being turned down. He ultimately found out he had “a record” with several criminal convictions. His social security number was used each time the other person was arrested.
Business/Commercial Identity Theft– Criminals can establish new credit cards or accounts with a business' name or even make fraudulent purchases in the name of the business. Businesses normally don’t become aware of the activity until they are billed on these accounts. Business owners and executives, employees of the business, and business clients can all be victims or suffer losses, directly or indirectly. Another form this takes is misue of corporate brand identity, such as logos asnd false websites.
For a small business, this can be devastating to both the business and the owner. Small businesses can be especially vulnerable to this form of crime because the business’ credit and the business owner’s credit are very often one and the same. The business owner may personally guarantee a business loan or line of credit, or may use his or her own personal credit accounts directly to finance the business.
During a speaking engagement, I met a gentleman who was victimized in that fashion. Hearing of my topic, he told me about a current case he was embroiled in. Someone had taken his social security number and opened a business in another state. The only reason he found out was when the thief walked away from the business, and this gentleman was left with $150,000 in debt and a big legal battle on his hands.
I'm Careful, So I Must Be Safe!
At this point you may feel, “I’m pretty safe. I leave my extra credit cards at home; I don’t carry a social security card around with me; I have a firewall on my network, we run background checks on all our new hires…”But think about it. If you’ve purchased a car, bought a home, gone to a doctor’s office, served in the military, applied for a loan or insurance, how many thousands of databases have you been entered into? How about all those great supermarket key tags: just swipe it and we’ll give you $2 off a gallon of ice cream. Sounds funny, but that purchasing data is associated with you, and who has it?
Face it, our information is irrevocably and irretrievably out in the real world, and it’s vastly out of our control!
The Federal Trade Commission
According to statistics from the Federal Trade Commission, identity theft results in approximately $50 billion dollars in annual business losses, affects about 10 million victims per year, and results in out-of-pocket expenses for victims of roughly $5 billion dollars each year. This doesn’t even include the incredible investment of personal time to restore their identities, which the FTC estimates could be as high as 500 hours per theft.
As a result of the implementation of many data privacy, security, and identity theft laws, people and businesses have become more aware of identity theft in general. But people don’t fully realize the damage it can cause a victim and their family, or how it devastates a business if it suffers a loss of data, or if its employees become victims. In addition to potential fines, lawsuits, and even worse, permanent reputation damage, there is also the possible responsibility on the consumer’s and/or business’s part for fraudulent losses to employees and other victims. The physical and emotional toll it can take on the victim is outlined in this Wall Street Journal article at http://online.wsj.com/article/SB121807447764219305.html
So How Do I Prevent It?
While there is no way to "prevent" identity theft, there are many simple steps a consumer can take to minimize the risk to the information in their possession such as:
Remove social security number from driver’s License and card from your wallet
Don’t leave your car unlocked in a driveway or parking lot (there’s a lot of information about you in the glove compartment)
Don’t put mail in a basket on the office receptionist’s front desk or a home mailbox, take it to the Post Office or an official postal box.
Don’t share a computer. If you do, have separate logons and passwords.
The Hidden Threat
This information about the crime of identity theft doesn’t address the fact that considerable identity theft occurs in the workplace. Examples of this are:
The tired employee that decides that “just one time” it won’t matter to throw some outdated information in the dumpster out back. Scavengers find names, social security numbers, and birth dates of customers in the discarded files.
The insurance agent who just finished a group enrollment for a large client decides to grab a quick hamburger at a local fast food restaurant. The agent gets out of the car, locks the door but leaves the briefcase containing the forms inside. What he doesn’t realize is that the parking lot has had a rash of break-ins. During the seven minutes to get lunch, the agent returns to smashed windows, a missing briefcase and responsibility for a data breach.
The employee, who had a clean record when hired, suddenly suffers financial difficulties. Her cousin says, “You have access to all those credit card and social security numbers at work, just take a few and I’ll show you how you can make some money selling them.”
Most consumers are rather naïve about the threat and potential damage of being victimized. Many business owners simply take a wait and see approach to implementing some kind of identity theft program within their organizations. But it can be a win-win situation for the employer, employees and customers to add an identity theft preventive plan. It can save dollars to the bottom line if it avoids an employee taking time off to fix the problem, and it can have risk mitigation benefits for the company to offer a benefit should employees become victims as a result of an internal breach. Simply put, (and yes, the old adage is still true) an ounce of prevention is worth a pound of cure. Beyond this, the benefits of offering employee education about identity theft and the potential risks to both the employees and the business can deter someone on the inside by letting a potential thief know that the company takes the personal information of its employees, customers and business entity seriously.
As the growth of the crime has skyrocketed, so have the potential offerings available for consumers. But there are many things one needs to look for when selecting one of the products. Some key features to look for in an identity theft protection program are: does it provide credit monitoring, restoration of a victim’s identity as well as access to legal services? Does it cover minor children?Does it prevent problems or merely clean up after the fact? Is it affordable in light of the risks and potential damages faced? Is it updated as the law changes? Does it identify new threats as criminals adapt to law enforcement efforts?
Even though the Internet receives a bulk of the blame, and crime through this mechanism is indeed growing, it is not the only area of activity. It happens in businesses, in your own home, at your kid’s college campus, over the telephone during a simple “survey”. Does this mean we should stop the use of the Internet, social media, cell phones and wireless devices? No. But it does mean that every consumer needs to be responsible for things like online activity, not ignoring privacy policies, Tweeting and posting on Facebook properly, and appropriately forwarding and responding to emails.
So, Now What?
The crime is not going to “go away” and is only expected to get worse. The crime is rampant world-wide, and the single best thing we can do is raise consumer and business awareness.
Some of my recommendations include
Take the issue seriously.
Put appropriate company privacy, security and breach preparedness plans in place.
Offer an identity theft program (and awareness training) as part of your employee benefits package.
Encourage people to implement simple personal safety measures.
Your identity is yours and yours alone, your connection to the rest of the world. Protect your identity as you would protect your physical well being.
Julie Davis Friend - CITRMS, CIPA
Gemstone Partners, Ltd.
Through her consulting practice the author works to help companies ensure that their “business security blanket” is in place with regard to information security, employees, their business entity, facilities, and financials. She helps to raise the awareness of businesses and consumers regarding issues such as privacy, security and identity theft in the workplace. Ms. Friend works with companies to implement risk mitigation programs. She can often be heard saying "an ounce of prevention is worth a pound of cure!" In her experience, many businesses choose a"wait and see position."While she knows that they struggle with the weight of rules, regulations and compliance, her focus is one of helping to put good practices into place beforehand that help protect a business.
During her career she has worked with many companies large and small, both as an independent franchisee as well as part of a global IT department for MasterCard Worldwide. Her passion for these issues is great, and stems both from professional education as well as experience as a business owner that survived a breach committed by an employee.
Ms. Friend enjoys public speaking, and has presented on many topics including identity theft. She is available as a presenter for industry trade shows, seminars and continuing education sessions.