Data Theft and Identity Fraud Mark D. Rasch June 18, 2008
Definitions Identity theft: The unauthorized collection, possession, transfer, replication or other manipulation of another person’s personal information for the purpose of committing fraud or other crimes that involve the use of a false identity. Identity fraud: the gaining of money, goods, services, other benefits, or the avoidance of obligations, through the use of a false identity.
Identity Theft 2004-2005: 9.3 million - 8.9 million adult Americans; total losses $5.44 – $5.66 billion; average losses $5,885 - $6,383; median fraud amount per fraud victim $750 - $750; average consumer cost $675 - $422; average resolution time 28 hours - 40 hours; median resolution time 5 hours - 5 hours. 68.2% paper-based theft; 11.6% computer crime; 50% family members, friends, and neighbors; 28.8% lost or stolen wallets and checkbooks.
Facts You Didn't Know Related to Identity Fraud It takes 467 days to discover that you are a victim of identity fraud (Experian). 79 percent of businesses make no effort to destroy sensitive material that is thrown away or being prepared for recycling. 40 percent of businesses risk their clients' identities by throwing away information on their customers, which includes home addresses, phone numbers and photocopies of passports - all of which can be used by a criminal to steal a person's identity (survey commissioned by Fellowes). Current address (or present address fraud) accounted for almost half of all identity fraud cases reported to Experian in the second half of 2006.
Most Useful Info ID documents/numbers – SIN, health, drivers license, passport, birth cert. – employee, student, member Account numbers/details – Bank, credit card, mortgage, phone, etc. Credit reports Home address Date of birth Passwords, PINs Employment details Biometric information
Techniques of ID Theft taking/stealing from individuals: – finders keepers: trash, used computer equip, lost wallet – theft of wallet, checkbook, credit card, mail – pretexting by phone or in person – scams: employment, surveys, contests…. – phishing, vishing, pharming, whaling – skimming - via ATMs, hidden machines – wireless eavesdropping – malware: keystroke loggers, etc.
Techniques of ID Theft taking from public sources: – personal websites, social networking sites – online resumes – employer/association websites – online public records (eg, court/tribunal) – post-disaster missing person sites – obituaries – used vehicle info package (Ont.) owner’s name/address used to get copy of ownership permit
Techniques of ID Theft taking/stealing from organizations: – dumpster diving – used computer equipment – corrupt employees – pretexting (duped employees) purchase/subscribe (e.g., credit reports) – hacking – taking advantage of security holes
Intermediate Stages ID data trafficking – buy and sell personal information ID document “breeding” – create counterfeit documents – apply for new documents, ID numbers (forgery) Submit change of address to post office – divert victim’s mail
Purpose: ID Fraud use credit card, phone credit withdraw from bank account open new accounts (bank, utility, phone…) obtain loans mortgage/sell property (mortgage/title fraud) steal cars; order goods online using drop-site get insurance or government benefits get employment/hide criminal record create cover for other criminals/terrorists
Control Points Individuals: – limited control / ability to assess risk Organizations: – Service providers Online services, electronic banking, magnetic stripe cards, wireless communications, … – Software/hardware vendors/manufacturers – Data holders – Public records – Social networking sites
Market Responses Stronger authentication mechanisms – more passwords, two factor authentication – Credit card security code – Smart cards – Digital IDs; “information cards” – Biometrics New detection tools – ID Alarm – Better account monitoring/pattern recognition Industry standards – Financial transactions (Interac, etc.)
Criminal Law Existing ID Theft/Fraud crimes – fraud, forgery, personation, computer misuse – mere possession is not a crime; no deprivation Possible new ID Theft crimes – possession of [multiple] ID with intent to defraud remove deprivation requirement rebuttable presumption of intent (multiple ID, spec.data) – fraudulently obtaining personal info (Bill C-299) – trafficking in ID info/cards recklessly or knowingly – breach of trust (employee theft) – fraudulently redirecting mail
EU Convention on Cybercrime Adopted in 11/2001, in force since 7/2004 43 signatory states, 22 already ratified including the U.S. The Convention on Cybercrime (CCC) harmonizes domestic criminal substantive law provides investigation authorities with certain powers sets a system of international cooperation Influence on other legislative efforts EU Council Framework Decision 2005/222/JHA on attacks against information systems
Phishing and the CCC Computer related fraud (Art. 8): “causing a loss of property to another person by: a) any input, alteration, deletion or suppression of computer data; b) any interference with functioning of a computer system, with fraudulent and dishonest intent of procuring, without right, an economic benefit for oneself or for another person“ According to the Explanatory Report to the CCC, this criminal offence aims at “manipulation in the course of data processing with the intention to effect an illegal transfer of property.” Misleading internet users to disclose their private data
Pharming and the CCC Computer related fraud (Art. 8) committed by way of “interfering with the functioning of a computer system“ Illegal Access (Art. 2) accessing on-line bank accounts Infringement of copyright and related rights (Art. 10) creating bogus websites that resemble the original ones
Identity Theft and Assumption Deterrence Act 18 U.S.C. §1028 Makes identity theft a crime. October 1998 Punishes whoever: “knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law.” Name or SSN is considered a “means of identification.” So is a credit card number, cellular telephone electronic serial number or any other piece of information that may be used alone or in conjunction with other information to identify a specific individual.
Caution Beware of unintended consequences… – shouldn’t criminalize socially accepted uses of alternative identities pseudonyms (eg, online privacy protection) kids’ use of adult ID to get cigarettes or booze investigative journalism/public interest research – mere possession is not enough eroding the presumption of innocence – how much uncaptured crime = acceptable cost of protecting innocent individuals from prosecution? – “knowingly and with intent to defraud…”
Red Flag Rules Go into effect November 1, 2008. The regulations apply to banks -- but also apply to any financial institution or creditor that holds a covered transaction account -
FACTA Red Flag Rules any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, must develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to: Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program; Detect red flags that have been incorporated into the Program; Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and Ensure the Program is updated periodically to reflect changes in risks from identity theft.
Purposes of Red Flag Rule In adopting FACTA Sections 114 and 315, Congress recognized that lax business practices played a significant role in aiding identity thieves. Prior law included Customer Identification Program rule adopted under section 326 of the USA PATRIOT Act, 31 USC 5318(l), (CIP rule) adopted as a counter-terrorism measure; and (2) the information security guidelines adopted under the Gramm-Leach-Bliley Act, 15 USC 6801, (GLB)
Report to Board of Directors and/or Senior Management Plan requires approval and reporting to the board of directors or “senior management.” [71 Fed Reg 40789] However, the principle that a Senior management level employee is responsible for the Program is not included for organizations without a board of directors. Instead of “designated employee,” the Agencies should specify that, absent a board of directors, a senior manager is charged with overseeing the Program.
Covered Entities The rules apply to any financial institution or creditor that holds a covered account. A financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a "transaction account" belonging to a consumer.
Definitions A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts. A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft - for example, small business or sole proprietorship accounts.
Identity Theft Prevention Program each financial institution and creditor that holds any "covered account" to develop and implement an Identity Theft Prevention Program designed to prevent, detect, and mitigate identity theft in connection with new and existing accounts. issuers of credit and debit cards to develop policies and procedures to assess the validity of an address change request when that request is followed closely by a request for an additional or replacement card. users of consumer credit reports to develop policies and procedures to respond to notices from credit reporting agencies regarding address discrepancies.
Requirements Written Identity Theft Prevention Program ("Program") to prevent, detect, and mitigate identity theft in connection with certain covered accounts. The programs must be uniquely tailored to a covered entity's size, complexity, and nature of operations.
Four Essential Features Identify and incorporate relevant patterns, practices, and specific forms of activity that are "red flags" signaling possible identity theft. vary depending on the nature of the business in question, based on the guidance provided by regulators and the covered entity's own experiences. Detect red flags that have been incorporated into the entity's Program. obtaining identifying information about, and verifying the identity of, a person opening an account, and, in the case of existing accounts, authenticating customers, monitoring transactions, verifying the validity of address change requests. Respond appropriately to any red flags that are detected, monitoring an account for evidence of identity theft, contacting the customer, calling law enforcement, changing any password or security device that permits account access, closing an account, etc. Update ID theft program periodically to reflect changes in risks to customers from identity theft, or to the safety and soundness of the covered entity.
What You Should Do Look for patterns, practices, and activities that indicate possible risk of identity theft. Evaluate the list (which is not exhaustive) and include in its Program those red flags that are appropriate to its business. Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services; The presentation of suspicious documents; The presentation of suspicious personal identifying information, such as a suspicious address change or a social security number listed in the Social Security Administration's Death Master File; The unusual use of, or other suspicious activity related to, a covered account; and Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts.
Other Requirements Program must be in WRITING Obtain approval of the initial written Program by the Board of Directors or a committee of the Board; Involve the Board of Directors, a committee of the Board, or senior management in the development, implementation, and administration of the Program; Report, at least annually, to the Board of Directors, a committee of the Board, or senior management, on compliance with the red flag regulations; Train staff to implement the Program effectively; and Exercise appropriate and effective oversight of arrangements with third-party and affiliated service providers
Organizations limit collection/retention of personal information don’t create or contribute to data warehouses control (minimize?) outsourcing minimize disclosures of personal information – e.g., credit card receipts security safeguards – computer firewalls, access controls – trash: shredding docs, cleaning used computer equip. – validation, authentication of customers employee screening, training, monitoring warnings; notice to potential victims
Privacy is Dead Now What? Mark D. Rasch Managing Director - Technology FTI Consulting
Privacy Generally No General Legal Protections for Privacy Hodgepodge of Federal and State Laws Deal With Particular Subject Matters Constitutional implied or penumbra rights Fourth Amendment Search and Seizure Fifth Amendment Self Incrimination Ninth Amendment – delegation Griswold v. Conn., Doe reproductive rights cases “right to be left alone”
What do we MEAN by Privacy? Right to be left alone Right to integrity of person Right to CONTROL of data collected BUT Who OWNS the data about us? Who has a right to access? What circumstances?
Threats to Privacy Data Collection Voluntary collection Compelled collection “Ambient” information “Public” information Surveillance Data Dissemination Data non-anonymization Data Aggregation Subject profiling
Federal Privacy Laws Privacy Act (1974) Federal Trade Commission Act (1914) Fair Credit Reporting Act (1970) Family Educational Rights and Privacy Act, Public Law 93-380, 1974 Cable Communications Policy Act (1984) Cable Privacy Protection Act of 1984 Electronic Communications Privacy Act (1986) Title III Wiretap Provisions Computer Matching and Privacy Protection Act (1988) Tax Reform Act of 1976, The Right to Financial Privacy Act of 1978 Video Privacy Protection Act (1988) Telephone Consumer Protection Act (1991) Drivers Privacy Protection Act, PL 103-322, 1994 "Children's Online Privacy Protection Act" (1998) HIPAA (1996) GLBA (2000)
Data Collection Website collection EU Data Privacy Laws US “Safe Harbor” Provisions FTC Section 5 “false and deceptive trade practices” Lilly Case Do what you say – say what you do Google Doubleclick – finalized March 10, 2008 Privacy policies
Who owns collected data? Data Subject? Data Collector? Sale of Data? Data Sharing? Profiling? Mining?
Anonymity Anonymous speech Postings Blogging Takedown notices Copyright infringement P2P Defamation? As a general rule – anonymity loses
GRAMM-LEACH-BLILEY ACT ● Financial Services Modernization Act of 1999 ● FTC implementation - Privacy Rule in 2000 – Higher education is exempt if compliant with FERPA - Safeguards Rule in 2002 – applies to “financial Institutions” including higher education - Information Security Programs were required beginning May 23, 2003
SAFEGUARDS RULE (16 CFR PT. 314) Requires development, implementation, and maintenance of “a comprehensive information security program” containing “administrative, technical, and physical safeguards that are appropriate” for the size, complexity, nature and scope of your activities, and the sensitivity of the protected information.
Elements - Designation of an employee or employees to coordinate the information security program. - Employee training and management; - Risk Assessment, including focus on: ▪ Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and ▪ Detecting, preventing and responding to attacks, intrusions, or other systems failures. - Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures. - Oversee service providers, by: ▪ Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and ▪ Requiring your service providers by contract to implement and maintain such safeguards. - Periodic Evaluations and Adjustments of information security program to account for any material changes to your operations or business arrangements or any other circumstances that you know or have reason to know may have a material impact on your information security program.
Data Breach Notification Vary from State to State Differing definitions of Personally Identifiable Information Vary on HOW to report What to report When to report To WHOM to report What to do BESIDES report Who has the obligation to report
FACTA and Disposal Rules FACTA – what credit card information you can collect/print Disposal rule – 16 CFR Part 182 Part of duty to protect personal information Credit information Social Security Information Related Financial Information
LEGAL LIABILITY - CASE LAW ● Case law/experts suggest an emerging duty to provide data security – Kahle v. Litton (May 16, 2007): court recognized that the defendant mortgage company owed a duty to safeguard the plaintiff mortgagee’s data – Bell v. Michigan Council (February 15, 2005): court recognized a fiduciary duty to safeguard PII between a union and its members – Cobell v. Norton (December 3, 2004): D.C. Court of Appeals cites Interior’s obligation ‘as a fiduciary’ to maintain and preserve information – Daly v. Met Life (May 20, 2004): NYS court found a fiduciary duty requiring insurer to protect insured’s personal information
Superior Mortgage September 28, 2005 FTC’s Safeguards Rule, enacted under the Gramm-Leach-Bliley Act, requires financial institutions to implement reasonable policies and procedures to ensure the security and confidentiality of sensitive customer information. Superior maintained customers’ Social Security numbers, credit histories, and credit card numbers, among other sensitive information.
GLBA Regulation S-P GLBA and Regulation S-P require brokers, dealers, investment advisers registered with the SEC, and investment companies to provide an annual notice of their privacy policies and practices to their customers (and notice to consumers before sharing their nonpublic personal information with nonaffiliated third parties outside certain exceptions). 15 U.S.C. 6803(a); 17 CFR 248.4; 17 CFR 248.5. describe the institutions’ policies and practices with respect to disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties. 15 U.S.C. 6803; 17 CFR 248.6. provide a consumer a reasonable opportunity to direct the institution generally not to share nonpublic personal information about the consumer (that is, to “opt out”) with nonaffiliated third parties. 15 U.S.C. 6802(b); 17 CFR 248.7. (where applicable under the FCRA, a notice and an opportunity for a consumer to opt out of certain information sharing among affiliates.) Sections 13, 14, and 15 of Regulation S-P (17 CFR 248.13, 17 CFR 248.14, and 17 CFR 248.15) set out exceptions from these general notice and opt out requirements under GLBA. Exceptions for sharing information with other financial institutions under joint marketing agreements and with certain service providers. Exceptions for sharing information for everyday business purposes, such as maintaining or servicing accounts.
Amendments to Reg S-P On March 4, 2008, the Securities and Exchange Commission announced proposed changes to Regulation S-P to address identity theft of securities industry customers. Reg S-P was adopted seven years ago under the Gramm-Leach-Bliley Act (“GLBA”) and the Fair Credit Reporting Act. Requires financial institutions under the authority of the SEC (including investment advisers, mutual funds, broker-dealers and SEC-registered transfer agents) to adopt policies and procedures to protect client information. Disposal rule and FACTA require secure disposal of personal information. The two requirements of Reg S-P relating to safeguarding and disposal of confidential information have not kept pace with bank and other regulators’ detailed programs for information privacy and data security.
More Specific Requirements More specific standards under the safeguards rule of Reg S-P, including physical, technical and administrative safeguards, written policies and required responses to data security breach incidents. require the financial institution to develop and execute a more detailed “information security program” similar to programs required by other federal regulators. be in writing designate an employee in charge of information security, identify anticipated threats and implement controls to address those threats. require staff training, regular testing coordination with service providers to maintain the program’s effectiveness.
Requirements (i) designate in writing an employee or employees to coordinate the information security program; (ii) identify in writing reasonably foreseeable security risks that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of personal information or personal information systems; (iii) design and document in writing and implement information safeguards to control the identified risks; (iv) regularly test or otherwise monitor and document in writing the effectiveness of the safeguards’ key controls, systems, and procedures, including the effectiveness of access controls on personal information systems, controls to detect, prevent and respond to attacks, or intrusions by unauthorized persons, and employee training and supervision; (v) train staff to implement the information security program; (vi) oversee service providers by taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for the personal information at issue, and require service providers by contract to implement and maintain appropriate safeguards (and document such oversight in writing); (vii) evaluate and adjust their information security programs to reflect the results of the testing and monitoring, relevant technology changes, material changes to operations or business arrangements, and any other circumstances that the institution knows or reasonably believes may have a material impact
Goals of Information Security Program A financial institution’s information security program must be reasonably calculated to prevent the breach and misuse of client information that results in “substantial harm or inconvenience,” “personal injury, or more than trivial financial loss, expenditure of effort or loss of time.” Identity theft and extortion would likely cause “substantial harm or inconvenience”; inadvertent mis-delivery of an account statement would not.
Expanded Coverage of Reg S-P’s Scope SEC proposes to broaden the type of information and persons covered by the SEC safeguards and disposal rules. SEC proposes to have both rules protect “personal information,” which encompasses “nonpublic personal information” under the GLBA and “consumer report information” under the Fair and Accurate Credit Transactions Act of 2003. While “personal information” means personally identifiable financial information, “consumer report information” focuses on information generally contained in consumer reports.
Information Security Coordinator Require firms of all sizes to designate an employee to coordinate the information security program. Would have “sufficient authority and access to the institution’s managers, officers and directors to effectively implement the program and modify it as necessary.” Many firms have no such individual – thus they would Add duties to IT managers with no experience in security Add duties to security personnel with no experience in IT No option to “outsource” compliance through consulting agreements Difference between responsibility and expertise
Testing Require every institution to regularly test or otherwise monitor the effectiveness of the safeguards. Broker-dealers, Commission registered investment advisers and investment companies are already subject to rules that require testing of policies and procedures. Broker-dealers must comply with FINRA Rule 3520 and Commission Rules 38a-1 and 206(4)-7 which require investment companies and investment advisers, respectively, to conduct testing and an annual review of their policies and procedures that should include privacy and information safeguarding. Not clear if S-P requirements are supplemental or different
Third Party Providers Financial institutions should ensure TSPs implement and maintain controls sufficient to appropriately mitigate risk. In higher-risk relationships the institution by contract may prescribe minimum control and reporting standards, obtain the right to require changes to standards as external and internal environments change, obtain access to the TSP for institution or independent third-party evaluations of the TSP’s performance against the standard. In lower risk relationships the institution may prescribe the use of standardized reports, such as trust services reports or a Statement of Auditing Standards 70 (SAS 70) report.
Employee Information in addition to nonpublic personal information and consumer report information of “consumers,” “personal information” also would include information identified with any employee, investor or security holder who is a natural person that is handled by the institution or maintained on the institution’s behalf. covers employees rather than only clients of financial institutions, including employee user names and passwords, which, if compromised, could undermine the integrity of a financial institution’s information security system.
Explicit Coverage The SEC safeguards rule would also apply to registered transfer agents in addition to the brokers, dealers, registered investment advisers, and investment companies. However, registered broker-dealers would be excluded from the safeguards rule.
Disposal Rule The SEC disposal rule would apply to “natural persons who are associated persons of a broker or dealer, supervised persons of a registered investment adviser, and associated persons of a registered transfer agent.” The rule would continue to cover broker-dealers, investment companies, registered investment advisers and registered transfer agents.
Record-keeping. creates record-keeping requirements for policies and procedures to comply with the proposed regulation, as well as documentation of compliance Doesn’t say how detailed the records must be Includes plans on how to comply Why a particular plan or solution was chosen Why it is appropriate to the size and complexity of the business, and to the sensitivity of the data protected Written plans on privacy, security, training and incident response.
Broker Mobility. Exception allowing a broker who is changing firms to take limited personal information to the new firm in order to maintain relationships with clients. Is this a “disclosure” to the new firm? Can customer “opt out” of this disclosure?
Breach Notification A financial institution would need to notify the affected individual and, potentially, the SEC in the event of a data security breach. notify the affected individual when the institution becomes aware of unauthorized access to personal information and determines that misuse of personal information has occurred or is reasonably possible. This “risk of harm” standard is similar to that used in the guidance relating to customer notification of security breaches issued by the bank regulatory agencies. SEC would require notification to the SEC only when the breach poses a significant risk of substantial harm or inconvenience to a consumer or when someone has intentionally obtained “sensitive personal information,” such as a social security number. Financial institutions must report the incident to the SEC on proposed Form SP-30. Requires written procedures for responding to a data security breach
Breach Notification If third party with Broker/Dealer information suffers breach, WHO has duty to notify? Data Collector – has personal relationship with data subject, and has the “contract” for privacy Data Collector has presumably selected the third party to share information Who is the “owner” of the information? Who has the “duty” to notify, whose expense, and who is liable for inadequate or untimely notification
Federal Preemption Financial institutions subject to the bank regulatory agency guidance providing notice of a security breach under that standard are exempt from the requirements of several of the numerous state data security breach notice laws. Those financial institutions providing notice under the new SEC standard will now also be permitted under many state laws to provide notice to consumers under the federal standard rather than the different state standards.
For More Information Mark D. Rasch Managing Director, Technology FTI Consulting, Inc. Mark.Rasch@FTIConsulting.com (202) 312-9174