The Price of Admission to the Digital Age
Identity theft is everywhere. It's the crime of the millennium; it's the scourge of the digital age. If it hasn't happened to you, it's happened to someone you know. Using Federal Trade Commission (FTC) data, Javelin Research estimates that about 9 million identity thefts occurred last year, which means that about 1 in 22 American adults was victimized in just one year. So far (knock wood) I've personally been spared, but in the course of running an enterprise identity theft solutions company, I've run across some amazing stories, including from close friends that I had not previously known were victims. One friend had her credit card repeatedly used to pay for tens of laptops, thousands of dollars of groceries, and rent on several apartments in New York City, just prior to the 9/11 attacks. The FBI finally got involved, and discovered an insider at the credit card firm, and links to organizations suspected of supporting terrorists.
So what is this big scary threat, is it for real, and is there anything one can do other than install anti-virus software, check credit card statements, put your social security card in a safe deposit box, and cross one's fingers? And, perhaps even more important for the corporate audience, what's the threat to corporations (oh, yes, there's a major threat) and what can be done to keep the company and its employees safe?
First, the basics. Identity theft is, as the name implies, any use of another person's identity to commit fraud. The obvious example is using a stolen credit card to purchase items, but it also includes such activities as hacking corporate networks to steal enterprise information, being employed using a fraudulent SSN, paying for medical care using another person's insurance coverage, taking out loans and lines of equity on assets owned by someone else, using someone else's ID when getting arrested (so that explains my impressive rap sheet!), and much more. In the late '90s and early 2000s, identity theft numbers skyrocketed, but they have plateaued in the last 3 years at around 9-10 million victims per year, still an enormous problem: the most common consumer crime in America. And the cost to businesses continues to increase as thieves become increasingly sophisticated; business losses from identity fraud in 2005 alone were a staggering $60 billion. Individual victims lost over $1500 each, on average, in out-of-pocket costs, and required tens or even hundreds of hours per victim to recover. In about 16% of cases, losses were over $6000, and in many cases the victims are never able to fully recover, with ruined credit, large sums owed, and recurring problems with even the simplest of daily activities.
The underlying cause of the identity theft crime wave is the very nature of our digital economy, which makes it an extremely difficult problem to solve. Observe yourself as you go through the day, and see how many times your identity is required to facilitate some everyday activity. Turn on the TV: the cable channels you receive are billed monthly to your account, which is stored in the cable company's database. Check your home page: your Google or Yahoo or AOL account has a password that you probably use for other accounts as well, maybe your financial accounts or your secure corporate login. Check your stocks, and realize that anyone with that account info could siphon off your money in seconds. Get into the car: you've got your driver's license, car registration, and insurance, all linked to a driver's license number, which is a surrogate national ID and could be used to impersonate you for almost any transaction. Stop for coffee, or to pick up some groceries, and use one of your many credit cards, or a debit card linked to one of your several bank accounts; if any of those are compromised, you could be cleaned out in a hurry.
And in the office, a veritable playground of databases with your most sensitive data! The HR database, the applicant tracking system, the Payroll system, the Benefits enrollment system, and various corporate data warehouses: each one stores your SSN and many other sensitive pieces of identifying data. Also the facilities system, the security system, the bonus and commission and merit increase and performance management systems, your network login and email accounts, and all of your job-specific system accounts. Not to mention all of the various one-time and periodic reports and database extracts that are done all day long, every day, by Compensation, by Finance, by audit firms, by IT, and many others. And what about all the backups and replicated databases, all the outsourced systems, and all the various Pension and 401(k) and other retirement account systems? The little, easily forgotten systems that track mentor assignments and birthdays and vacation accruals. The online paycheck image systems? The corporate travel provider's systems? And let's not forget how every outsourced system multiplies the risk: each one has backups and copies and extracts and audits; each one is accessible by numerous internal users as well as their own service providers. How many databases and laptops and paper reports throughout this web of providers and systems have your data, and how many thousands of people have access to it at any moment? The longer one follows the trail of data, the faster the list goes from surprising to daunting to frightening.
It's a brave new digital world, where every step requires instant authentication of your identity, based not on your pretty face and a lifelong personal relationship, but on a few digits stored somewhere. Much more efficient, right? So your various digital IDs (your driver's license number, your SSN, your userids and passwords, your card numbers) have to be stored everywhere, and as such are accessible by all kinds of people. This explains the huge and growing phenomenon of corporate data breaches. Amazingly, over 90 million identities have been lost or stolen in these breaches in just the last 18 months, and the pace is actually accelerating. It's simple arithmetic combined with a financial incentive: a growing volume of identity data, accessible by many people, that has significant value.
And once any of these digital IDs are compromised, they can be used to impersonate you in any or all of these same thousands of systems, and to steal your other digital IDs as well, to commit further fraud. This is the scale of the problem. Much worse than a cutesy stolen Citibank credit card, identity theft can easily disrupt everything you do, and require a massive effort to identify and plug every potential hole. Once your identity is stolen, your life can become an eternal game of whack-a-mole: fix one exposure, and another pops up, across the enormous breadth of all the accounts and systems that use your identity for any purpose at all. And make no mistake: once compromised, your identity can be sold again and again, across a vast, shadowy international ID data marketplace that is outside the reach of US law enforcement and extremely agile in adapting to any attempts to shut it down.
A Disaster Waiting to Happen?
Over the last two years, three major legal changes have occurred that substantially increased the cost of corporate data theft. First, new provisions of the Fair and Accurate Credit Transactions Act (FACTA) went into effect that imposed significant penalties on any employer whose failure to protect employee information, whether by action or inaction, resulted in the loss of employee identity data. Employers may be civilly liable for up to $1000 per employee, and additional federal fines may be imposed up to the same level. Various states have enacted laws imposing even higher penalties. Second, several widely publicized court cases held that employers and other organizations that maintain databases containing employee information have a special duty to provide safeguards over data that could be used to commit identity fraud. And the courts have awarded punitive damages for stolen data, over and above the actual damages and statutory fines. Third, several states, beginning with California and spreading rapidly from there, have passed laws requiring companies to notify affected consumers if they lose data that could be used for identity theft, regardless of whether the data was lost or stolen, or whether the company bears any legal liability. This has resulted in vastly increased awareness of breaches of corporate data, including some massive incidents such as the infamous ChoicePoint breach in early 2005, and the even larger loss of a laptop containing over 26 million veterans' IDs a couple of months ago.
At the same time, the problem of employee data security is getting exponentially harder. The ongoing proliferation of outsourced workforce services, from background checks, recruiting, testing, payroll, and various benefit programs up to full HR Outsourcing, makes it ever harder to track, let alone manage, all of the potential exposures. The same goes for IT Outsourcing: how do you control systems and data that you don't manage? How do you know where your data is, who has access but shouldn't, and what criminal and legal system governs any exposures occurring outside the country? The ongoing trend toward more remote offices and virtual networks also makes it much harder to control the flow of data, or to standardize system configurations: how do you stop someone who logs in from home from burning a CD full of data extracted from the HR system or data warehouse, or copying it to a USB drive, or transferring it over an infrared port to another local computer? And recent legislative minefields, from HIPAA to Sarbanes-Oxley, not to mention European and Canadian data privacy regulations and the patchwork of fast-evolving US federal and state data privacy legislation, have ratcheted up the complexity of control, perhaps past the point of reasonability. Who among us can say that they understand all of it, let alone fully comply?
The result: a perfect storm of more identity data losses and thefts, much greater difficulty in managing and plugging the holes, much greater visibility of missteps, and much greater liability, all boiling in the cauldron of a litigious society, where loyalty to one's employer is a bygone concept, and all too many employees look at their employer as a set of deep pockets to be picked whenever possible.
And it's all about people data, the simple two-word phrase right at the heart of the mission of Human Resources and IT. The enterprise has a problem: its people data is suddenly high value, under attack, and at escalating risk. And they're looking at you, kid.
The good news is that at least it's a well-known problem. Indeed, although I hope I've done a good job of scaring you into recognizing that identity theft is not all hype, that it's a genuine, long-term, big-deal problem, the reality has a hard time keeping up with the hype. Identity theft is big news, and lots of folks, from solution vendors to media infotainment hucksters of every stripe, have been trumpeting the alarm for years now. Everyone from the boardroom on down is aware, in a general way, of all the big data thefts, the problems with computer security, the hazards of dumpster divers, and so on. Even the Citibank ads have done their part to raise awareness. So you have permission to propose a reasonable way to address the problem: a serious, programmatic approach that will easily pay for itself in reduced corporate liability, as well as avoidance of bad publicity, employee dissatisfaction, and lost productivity.
The Journey of a Thousand Miles
In general, what I recommend is simply that you do, indeed, approach identity theft prevention and management as a program: a permanent initiative that is structured and managed just like any other serious corporate program. That means an iterative activity cycle, an accountable manager, and real executive visibility and sponsorship. That means going through cycles of baselining, identification of key pain points and priorities, visioning a next-generation state and scope, planning and designing the modules of work, executing, measuring, assessing, tuning, and then repeating. Not rocket science. The most important step is to recognize and train a focus on the problem: put a name and a magnifying glass to it. Do as thorough a baseline review as you can, examine the company from the perspective of this substantial risk, engage your executive leadership, and manage an ongoing improvement program. After a couple of cycles, you'll be surprised how much better a handle you have on it.
Within the scope of your identity theft program, you will want to target the following primary objectives. We'll examine each one briefly, and outline the critical areas to address and some key success factors.
1) Prevent actual identity thefts to the extent possible
2) Minimize your corporate liability in advance for any identity thefts (not the same thing as #1 at all)
3) Respond effectively to any incidents, to minimize both employee damage and corporate liability
From an enterprise perspective, you can't achieve identity theft prevention without addressing processes, systems, people, and policy, in that order.
First, follow the processes and their data flows. Where does personal identity data go, and why? Eliminate it wherever possible. (Why does the SSN have to be in the birthday tracking system? Or even in the HR system? One can tightly limit which systems retain this kind of data, while still preserving the required audit and regulatory reporting capability for those few who perform this specific function.) And by the way, assigning or hiring someone to try to social engineer (trick) their way into your systems, and asking employees to help identify all the little under-the-covers, quick-and-dirty exposure points in your processes and systems, can be very effective ways to get a lot of scary information quickly.
For those systems that do retain this data, implement access controls and usage restrictions to the extent possible. Remember, you are not tightening down data that drives business functions; you are merely limiting the access to, and ability to extract, your employees' personal, private information. The only ones who should have access to this are the employees themselves and those with specific regulatory job functions. Treat this data as you would treat your own personal and private assets, your family heirlooms. Strictly limit access. And remember, it's not only those who are supposed to have access that are the problem; it's also those who are hacking, who have stolen one employee's ID in order to steal more. So part of your mission is to make sure that your network and system passwords and access controls are really robust. Multiple, redundant strategies are usually required: strong passwords, multi-factor authentication, access audits, employee training, and employee security agreements, for example.
Train your people, simply and bluntly, that this data is personal, and is not to be copied or used anywhere except where necessary. It's not the theft of laptops that's the big issue; it's that the laptops inappropriately contain employees' personal data. Give your people, including any contractors and outsourced providers that serve you, the guidance not to place this data at risk, and where necessary, the tools to use it safely: standardized computer system monitoring, encryption, strong password management on systems that contain this data, etc.
Develop policies for handling employees' private data safely and securely, and that hold your employees and your service providers accountable and liable if they do not. Clearly, simply, and forcefully communicate this policy, and then reinforce it with messages and examples from senior executives. Make this especially clear to every one of your external service providers, and require them to have policies and procedures that duplicate your own safeguards, and to be liable for any failures. This may seem a daunting task, but you will find that you are not alone: these service providers are hearing this from many customers, and will work with you to establish a timetable to get there. If they don't get it, maybe that's a good signal to start looking for alternatives.
Minimizing corporate liability is all about having reasonable safeguards in place. What does that mean in practice? No one knows. But you'd better be able to pass the reasonability smell test. Just like obscenity, judges will know reasonable safeguards when they see them, or don't. You can't prevent everything, and you're not required to, but if you have no passwords on your systems and no physical access control over your employee files, you're going to get nailed when there's a theft. So you need to do precisely the kind of review and controls that I've outlined above, and you also need to do it in a well-documented, measured, and publicized way. In short, you need to do the right thing, and you need to very publicly show that you're doing it. It's called CYA. That's the way legal liability works, kids. And in this case, there's very good reason for this rigor. It ensures the kind of comprehensive and thorough results that you want, and it will assist you greatly as you iterate the cycles of improvement.
This is why you want to make the effort to establish a formal program, benchmark what some other companies do, define a comprehensive plan and metrics after you complete your baselining and scoping steps, report results to your executives, and iterate for continuous improvement. Because you need to both know and show that you're doing all that could reasonably be expected to secure the employees' personal data which is in your care.
And yet, despite all your safeguards, the day will come when something goes wrong from an enterprise perspective. You absolutely can substantially reduce the probability, and the size, of any exposure, but when over 90 million records were lost or stolen from thousands of organizations in just the last 18 months, sooner or later almost everyone's data will be compromised. When that happens, you need to shift on a dime into recovery mode, and be ready to roll into action fast.
But not just fast: your response must be comprehensive and effective, specifically including the following:
Clear, proactive communication first to employees, then to the public.
The communication must say what happened, that a small, empowered task force has been marshaled, that temporary lockdown procedures are in place to prevent further similar exposure, that an investigation is under way, and that affected employees will be given recovery assistance, reimbursement of recovery expenses, and monitoring services to prevent actual identity thefts using any compromised data.
Of course, all those statements need to be true, so:
A task force of HR, IT, Security, and Risk Management professionals and managers must be identified and trained, and procedures for a call to action defined in advance.
They must be empowered to implement temporary lockdown procedures on employee personal data. Procedures for likely scenarios (laptop loss, backup tape loss, network login breach, theft of physical HR files, etc.) should be predefined.
Template communications to employees, partners, and press should be drafted.
Qualified investigative services should be selected in advance.
Expert identity theft recovery assistance resources and identity theft threat monitoring services should be evaluated and selected in advance.
Nothing is more important to protecting your company than a well-planned and effective response within the first 48 hours of an incident. If you're not prepared and practiced well in advance, this will be impossible. If you are, it can actually be a positive public relations experience, and will drastically reduce legal, financial, and employee satisfaction impacts.
Identity theft is not a flash in the pan; it's built into the way the world now works, and this heightens not only the risk, but also the damage. Companies are at special risk because, by necessity, they expose their employees' data to other employees and to their providers and partners, and they bear responsibility for the risk that this creates. Those in HRIS, whose specific function is the management of people data, must take ownership of this emerging liability, and ensure that their companies are as safe and as prepared as possible.
To learn more or arrange an in-person briefing, contact Peter Marshall at the Identity Theft Defense Center:
Address: 4521 Campus Drive, Ste. 300, Irvine, CA 92612
Web: http://www.idtheftdefensecenter.com
Email: pmarshall@idtheftdefensecenter.com
Office: (949) 485-5015
Toll Free: (866) 99-THEFT
Peter has been a leader in HRIT and workforce effectiveness for almost two decades. Prior to his current role as CEO of the ID Theft Defense Center, he was Director of consulting practices at KPMG Consulting and Siebel Systems, the co-founder and CTO of Cipient Networks, and a long-term strategic advisor to major HR outsourcers, enterprise application vendors, and other Fortune 500 firms. He also managed HRIS teams at Disney and FHP, and was a Manager in KPMG's PeopleSoft practice. Peter is an acknowledged expert on enterprise systems, identity theft, and workforce services, and brings this unique combination of expertise to this critical and timely topic.
The Identity Theft Defense Center provides in-depth corporate training and program development services, as well as a comprehensive and low-cost identity theft benefit program. For more information, visit our website at http://www.myidcenter.com, call us at (866) 99-THEFT, or email us at sales@myidcenter.com.