Protecting your identity; private information theft has become a plague on modern society, but you can protect your business and yourself with the right technology and processes.


At the Core

This article:

* Defines identity authentication techniques

* Discusses the information manager's role in protecting privacy

* Gives recommendations for protecting employee and client privacy

An employee at a major New York insurance company was charged in March with stealing colleagues' identities from a database of 60,000 names and selling them over the Internet as part of a credit card scam. Last year, a Kansas woman's checkbook was stolen from her locked office, and false identification--with her name and address but with a photo of someone else--may have been used to cash the checks. The woman, a state senator, is currently proposing legislation to protect the financial privacy of other citizens.

Considered one of the fastest-growing crimes in the United States and already a large problem worldwide, identity theft has indelibly left its mark on the countless businesses and individuals that make the news headlines each month. According to the U.S. Federal Trade Commission (FTC), identity theft was the number-one source of consumer complaints in 2001, totaling 42 percent of all the complaints it received.

While identity authentication technologies and legislative efforts have helped combat identity theft, there is still a long way to go. Business methodology and procedures must change, warns Gary Clayton, founder and chairman of the Privacy Council. "Until recently, businesses treated customer information like they treat the coffee cups in their kitchen--they left them laying around," he says. "Companies should better manage information and be held accountable for mismanagement."

A Closer Look at Identity Theft

Credit card fraud is among the most common forms of identity theft. A report by Gartner Inc. revealed that of more than 1,000 adult U.S. online consumers surveyed in January 2002, 5.2 percent were victims of credit card fraud in the prior year. Identity theft struck 1.9 percent.

Identity theft most commonly occurs in the workplace, as was the case with Mari J. Frank, a California attorney, privacy consultant, and author of From Victim To Victor: A Step-By-Step Guide For Ending The Nightmare of Identity Theft.

"More than $50,000 in credit was illegally applied for under my name," says Frank, who discovered that her credit report had been stolen by a temporary employee in a legal practice. "Not only was my financial identity stolen, but my professional identity as well."

It took Frank almost one year to get her credit record back in order. When she became a victim, she says, there was no law in California making identity theft a crime against the consumer victim. The temporary employee was eventually found and arrested. When authorities entered the employee's home, they discovered business cards, checks, and credit card applications containing Frank's name.

"I was really concerned. Was she accepting clients in my name? I could have been disbarred," she says.

The awareness of identity theft, whether it consists of stealing a person's Social Security number, address, phone number, or all of the above, has been heightened in the workplace. Office personnel who deal with sensitive information are getting more attention.

"It's about employees having access to data that they shouldn't have," Clayton explains. "Temporary employees have access to computer systems and can download customer information and then sell it or use it themselves to perpetrate fraud."

With the proliferation of emerging technologies to protect electronic records, such as firewalls and public key infrastructure (PKI), many companies may believe they are doing everything they can to prevent identity theft. In the process, they neglect commonsense procedural issues.

"Information is much more readily available today with desktop publishing and the Internet," says Russell Poore, general manager of secured destruction services, Recall Corp. "As we see an improvement in technologies available to perpetrate the crime, it's easier to print checks. Most of us don't pay attention. We don't get our credit reports once a year, we throw credit card applications in the trash."

Some organizations collect too much information about their customers. Access to too much customer information, such as Social Security numbers, may be putting customers and organizations at greater risk for identity theft, notes Chris Hoofnagle, a legislative counsel with the Electronic Privacy Information Center.

"For marketing or other reasons, companies collect information that is unnecessary to collect," Hoofnagle says. "Why does a company need to collect a Social Security number in the first place? If they're not running a credit history, they don't need it."

Answers to the identity theft problem have come by way of technological innovations, corporate policy changes, and legislative efforts. Everything from employee background checks to retina scans that uniquely identify employees is currently being implemented in organizations worldwide.

Identity Authentication Technologies

In today's era of firewalls and e-mail encryption to protect information, businesses are implementing various technologies to protect their employees and customers. Some technologies, however, have been met with ethical concerns by individuals worried about the security and privacy of information collected by these devices.

Biometrics, among the most controversial, encompasses such identifier technologies as face recognition, retina scans, fingerprint authentication, voice/speech verification, and handwriting analysis. Genetic engineering goes one step further in its identification methods, which include analyzing the DNA components of human fluids and cells.

Face recognition, among the most advanced of the biometric technologies, is being studied extensively by the U.S. Department of Defense (DoD) Counterdrug Technology Development Program Office, the National Institute of Justice, and related entities in hopes of fine-tuning its accuracy. A report by Duane M. Blackburn on behalf of the two agencies shows just how sophisticated and complex this technology is.

Face recognition, the report states, uses a three-fold process: 1) a sensor takes an observation of the face, producing a person's "biometric signature"; 2) a computer algorithm "normalizes" the biometric signature so that it is in the same format (view, resolution, size, etc.) as other signatures on the computer system's database; and 3) a matcher then compares the normalized signature with the set (or subset) of normalized signatures on the system's database and provides a "similarity score" that compares the individual's normalized signature with each signature in the database (or subset).
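
The three steps the report describes, sketched as an added example (not code from the report or from this article): a constructed observation is normalized to a common size and intensity scale, and a matcher returns a similarity score against every enrolled signature. The small grayscale grids, the 4x4 common format, the cosine score, and the 0.9 acceptance threshold are all assumptions made for illustration.

```python
import math

TARGET = 4  # assumed common resolution (TARGET x TARGET) for stored signatures


def normalize(image):
    """Step 2: bring an observation into the database's common format.

    Resamples a grayscale grid to TARGET x TARGET (nearest neighbour), then
    removes brightness and contrast differences by making the resulting
    vector zero-mean and unit-length.
    """
    rows, cols = len(image), len(image[0])
    resized = [image[r * rows // TARGET][c * cols // TARGET]
               for r in range(TARGET) for c in range(TARGET)]
    mean = sum(resized) / len(resized)
    centered = [v - mean for v in resized]
    norm = math.sqrt(sum(v * v for v in centered))
    if norm == 0:
        raise ValueError("flat image carries no usable signature")
    return [v / norm for v in centered]


def similarity(a, b):
    """Cosine similarity of two normalized signatures, in [-1, 1]."""
    return sum(x * y for x, y in zip(a, b))


def match(observation, database, threshold=0.9):
    """Step 3: score the probe against every enrolled signature.

    Returns (accepted_name_or_None, scores sorted best-first). Rejecting
    when the best score is below the threshold keeps an unenrolled face
    from being assigned to whoever happens to be closest.
    """
    probe = normalize(observation)
    scores = sorted(((similarity(probe, sig), name)
                     for name, sig in database.items()), reverse=True)
    best_score, best_name = scores[0]
    return (best_name if best_score >= threshold else None), scores


# Constructed sample data: toy 4x4 "faces" standing in for sensor output.
ALICE = [[10, 10, 200, 200], [10, 10, 200, 200],
         [200, 200, 10, 10], [200, 200, 10, 10]]
BOB = [[10, 200, 10, 200]] * 4
DATABASE = {"alice": normalize(ALICE), "bob": normalize(BOB)}

# Step 1 (sensor): Alice again, captured at 8x8 and under different lighting.
PROBE_ALICE = [[v * 0.5 + 60 for v in row for _ in (0, 1)]
               for row in ALICE for _ in (0, 1)]
# An unenrolled person: horizontal stripes that resemble neither entry.
PROBE_UNKNOWN = [[10] * 4, [200] * 4, [10] * 4, [200] * 4]

if __name__ == "__main__":
    for label, probe in (("alice probe", PROBE_ALICE),
                         ("unknown probe", PROBE_UNKNOWN)):
        accepted, scores = match(probe, DATABASE)
        print(label, "->", accepted, [(n, round(s, 3)) for s, n in scores])
```

The threshold is the operational trade-off: lowering it admits more genuine users under poor capture conditions but also raises the chance of accepting an impostor.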

As with all emerging technologies, businesses must take the time to become acquainted with biometric applications and properly train staff on their appropriate use.

"I'm not afraid of it; I just think we need to understand what it is," Clayton says. "If a business has that type of information, what are they doing with it? Who pays for it?"

Cost is another concern. Because of the extensive research involved, the cost of sophisticated technologies is high. The retina scan, which identifies part of an individual's eye, is an example of a device whose expenses could outweigh the practicality of its use. Notes Frank, "With a retina scan, it can be very expensive, so the cost is transferred to us, the consumers."

Less intrusive authentication techniques include PKI--whose uses range from allowing employees to remotely access company data to enabling business partners to place online orders--and smart cards, which are increasingly used by credit card companies to uniquely identify customers. Both are being met with mixed feelings by consumers. According to a Gartner report, PKI, smart cards, and disposable card numbers, while beginning to be adopted more frequently by credit card companies, receive far less consumer support.

Software Magazine's Paul Desmond examines the challenges to successfully using PKI technology in his article, "PKI Distribution Dilemma." "Longer term, many see the technology as being a key enabler of more dynamic online marketplaces for both business-to-business and business-to-consumer applications," Desmond writes. "But the security inherent in any PKI system may well hinge on a decidedly nontechnical issue: how to ensure that the right people are given access to the system."

Procedural Issues

Improper document filing and incomplete records disposal are common procedural mistakes that can put organizations at risk of identity theft crimes. As Clayton's coffee mug analogy illustrates, information recorded on paper is often treated with little regard for security or privacy.

While authentication technology continues to gain upper management support, the policies and procedures governing an organization's identity management programs may be neglected. The proper handling of paper documents is a commonsense issue that continues to get overlooked.

"The right processes need to be in place to protect the physical location where information is used and stored," Poore says.

Another overlooked issue is employees who handle sensitive information. Employee background checks, while gaining more acceptance by organizations and staff, often are viewed as a waste of company time and money and an infringement on individual privacy.

"There is an increase in employee background checks and that is one way that companies have been looking at security, but it emphasizes the gatekeeper or fortress mentality (of monitoring your employees)," Hoofnagle says.

In many cases, as with Frank's identity theft experience, the individuals stealing sensitive information are temporary employees. Organizations must therefore decide whether company-wide background checks are feasible and practical for temporary workers.

When it comes to properly handling information, company-wide training may be required. An information management professional within the company or a privacy consultant may be called on to educate staff about proper procedures.

"I encourage a business to work with an outside group, with a very specific target area, to help the business identify proper processes," Clayton says. This should be followed by internal training that is "ongoing for the life of the company."

Frank cites the following as being critical to organizational identity management programs:

* Do background checks on employees handling sensitive information.

* Have employee password protection that limits access to certain information.

* Leave an audit trail of who got into which files and when.

* Don't throw away any sensitive information without shredding it first.

* Train staff by creating a security handbook that protects customers and employees.

* Enlist a private or government agency, such as the Federal Bureau of Investigation, to conduct programs on a variety of privacy and identity protection issues.

According to Hoofnagle, "Starting with good data collection and maintenance protections can go a long way. Proper information practices can protect you from a lot [of liability]."

Information Managers' Role

Technology-based identity measures raise important information management issues: Who is collecting information? How is the information being collected and stored? What retention schedules are in place for this information? How is the information being destroyed?

"If we don't put up safeguards, it can be very scary," Frank says. "How is this information going to be used? Are there going to be safeguards against its use? What scares me is the sharing of this information."

Some companies are designating privacy officers or establishing departments to train staff on legal implications and privacy issues involved with information handling. This individual or department also plays a strategic role in creating an information privacy/security handbook.

While hiring a privacy officer may be the solution for some organizations, others may find that they currently have information management staff who can assume some or all of a privacy officer's identity protection duties. Information managers can play a key role in preventing identity theft within organizations. Many of the information manager's responsibilities dovetail with prevention measures: creating retention schedules, properly tracking and filing information, and training staff on information management procedures. New opportunities await records and information managers who are open to additional responsibilities.

"Information managers, privacy managers, and senior managers are all responsible for monitoring data flow," Clayton explains. He says they should be the ones who step in and help the company understand the laws regarding privacy and security. In addition, these managers need to train each individual employee on privacy and security.

"Privacy and security do not work if you do not have top-level buy-in," he says. "Information managers might very well be the key people within the organization (to help accomplish this)."

Legislative Efforts

The Identity Theft and Assumption Deterrence Act of 1998 makes identity theft in the United States a federal crime with penalties of up to 15 years imprisonment and a maximum fine of $250,000.

"Legislative attempts have pushed the responsibilities back on corporations to protect the information they collect," says Russell Poore, general manager of secured destruction services, Recall Corp.

As a result of the 1998 law, the Federal Trade Commission (FTC) has established a toll-free hotline to provide victim assistance and consumer counseling. The FTC also has developed a database clearinghouse of identity theft complaints and launched a consumer and business education campaign. More than 270 U.S. law enforcement agencies have signed confidentiality agreements, granting them access to the Identity Theft Data Clearinghouse.

The FTC also has worked with public and private sector entities to encourage investigations and prosecutions of identity theft cases. The FTC and the U.S. Secret Service have launched an identity theft case referral program to help detect and prosecute identity thieves.

READ MORE ABOUT IT

Frank, Esq., Mari J. From Victim To Victor: A Step-By-Step Guide For Ending The Nightmare of Identity Theft. Porpoise Press Inc.: Laguna Niguel, CA. 1998.

References

Blackburn, Duane M. "Face Recognition 101: The Technology and Its Applications." Department of Defense Counterdrug Technology Development Program Office. Available at www.dodcounterdrug.com/facialrecognition/DLs/FR101.pdf (accessed 21 March 2002).

Department of Justice Canada. "Privacy Act." Available at http://laws.justice.gc.ca/en/P-21/87221.html#rid-87227 (accessed 21 March 2002).

Department of Justice Canada. "Personal Information Protection and Electronic Documents Act." Available at http://laws.justice.gc.ca/en/P-8.6/85538.html (accessed 21 March 2002).

Desmond, Paul. "PKI Distribution Dilemma." Software Magazine. Available at http://softwaremag.com (accessed 22 March 2002).

Fries, Jacob H. "Worker Accused of Selling Colleagues' IDs Online." The New York Times. Available at www.nytimes.com/2002/03/02/technology/02INTE.html?todaysheadlines (accessed 4 March 2002).

Gartner Inc. "Consumers Embrace Online Credit Card Security Systems." Available at www.4gartner.com/resources/104500/104547/104547.pdf (accessed 11 March 2002).

Identity Theft: Prevention and Survival Web Site. "Identity Theft and Assumption Deterrence Act of 1998." Available at www.identitytheft.org/title18.htm (accessed 11 March 2002).

Petterson, John L. "Plan to Fight Identity Theft Moves Forward." The Kansas City Star, 12 March 2002.

U.S. Federal Trade Commission. "FTC Testimony on Identity Theft." Available at www.ftc.gov/opa/2002/03/idtestimony.htm (accessed 21 March 2002).

Shanna Groves is a freelance writer in Kansas and formerly an associate editor for The Information Management Journal. She may be reached at sgrovesus@msn.com.
COPYRIGHT 2002 Association of Records Managers & Administrators (ARMA)
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2002, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:Groves, Shanna
Publication:Information Management Journal
Article Type:Statistical Data Included
Geographic Code:1CANA
Date:May 1, 2002
Words:2401