Protecting your identity; private information theft has become a plague on modern society, but you can protect your business and yourself with the right technology and processes.
* Defines identity authentication techniques
* Discusses the information manager's role in protecting privacy
* Gives recommendations for protecting employee and client privacy
An employee at a major New York insurance company was charged in March with stealing colleagues' identities from a database of 60,000 names and selling them over the Internet as part of a credit card scam. Last year, a Kansas woman's checkbook was stolen from her locked office, and false identification--with her name and address but with a photo of someone else--may have been used to cash the checks. The woman, a state senator, is currently proposing legislation to protect the financial privacy of other citizens.
Considered one of the fastest-growing crimes in the United States and already a large problem worldwide, identity theft has indelibly left its mark on the countless businesses and individuals that make the news headlines each month. According to the U.S. Federal Trade Commission (FTC), identity theft was the number-one source of consumer complaints in 2001, totaling 42 percent of all the complaints it received.
While identity authentication technologies and legislative efforts have helped combat identity theft, there is still a long way to go. Business methodology and procedures must change, warns Gary Clayton, founder and chairman of the Privacy Council. "Until recently, businesses treated customer information like they treat the coffee cups in their kitchen--they left them laying around," he says. "Companies should better manage information and be held accountable for mismanagement."
A Closer Look at Identity Theft
Credit card fraud is among the most common forms of identity theft. A report by Gartner Inc. revealed that of more than 1,000 adult U.S. online consumers surveyed in January 2002, 5.2 percent were victims of credit card fraud in the prior year. Identity theft struck 1.9 percent.
Identity theft most commonly occurs in the workplace, as was the case with Mari J. Frank, a California attorney, privacy consultant, and author of From Victim To Victor: A Step-By-Step Guide For Ending The Nightmare of Identity Theft.
"More than $50,000 in credit was illegally applied for under my name," says Frank, who discovered that her credit report had been stolen by a temporary employee in a legal practice. "Not only was my financial identity stolen, but my professional identity as well."
It took Frank almost one year to get her credit record back in order. When she became a victim, she says, there was no law in California making identity theft a crime against the consumer victim. The temporary employee was eventually found and arrested. When authorities entered the employee's home, they discovered business cards, checks, and credit card applications containing Frank's name.
"I was really concerned. Was she accepting clients in my name? I could have been disbarred," she says.
The awareness of identity theft, whether it consists of stealing a person's Social Security number, address, phone number, or all of the above, has been heightened in the workplace. Office personnel who deal with sensitive information are getting more attention.
"It's about employees having access to data that they shouldn't have," Clayton explains. "Temporary employees have access to computer systems and can download customer information and then sell it or use it themselves to perpetrate fraud."
With the proliferation of emerging technologies to protect electronic records, such as firewalls and public key infrastructure (PKI), many companies may believe they are doing everything they can to prevent identity theft. In the process, they neglect commonsense procedural issues.
"Information is much more readily available today with desktop publishing and the Internet," says Russell Poore, general manager of secured destruction services, Recall Corp. "As we see an improvement in technologies available to perpetrate the crime, it's easier to print checks. Most of us don't pay attention. We don't get our credit reports once a year, we throw credit card applications in the trash."
Some organizations collect too much information about their customers. Access to too much customer information, such as Social Security numbers, may be putting customers and organizations at greater risk for identity theft, notes Chris Hoofnagle, a legislative counsel with the Electronic Privacy Information Center.
"For marketing or other reasons, companies collect information that is unnecessary to collect," Hoofnagle says. "Why does a company need to collect a Social Security number in the first place? If they're not running a credit history, they don't need it."
Answers to the identity theft problem have come by way of technological innovations, corporate policy changes, and legislative efforts. Everything from employee background checks to retina scans that uniquely identify employees is currently being implemented in organizations worldwide.
Identity Authentication Technologies
In today's era of firewalls and e-mail encryption to protect information, businesses are implementing various technologies to protect their employees and customers. Some technologies, however, have been met with ethical concerns by individuals worried about the security and privacy of information collected by these devices.
Biometrics, among the most controversial, encompasses such identifier technologies as face recognition, retina scans, fingerprint authentication, voice/speech verification, and handwriting analysis. Genetic engineering goes one step further in its identification methods, which include analyzing the DNA components of human fluids and cells.
Face recognition, among the most advanced of the biometric technologies, is being studied extensively by the U.S. Department of Defense (DoD) Counterdrug Technology Development Program Office, the National Institute of Justice, and related entities in hopes of fine-tuning its accuracy. A report by Duane M. Blackburn on behalf of the two agencies shows just how sophisticated and complex this technology is.
Face recognition, the report states, uses a three-fold process: 1) a sensor takes an observation of the face, producing a person's "biometric signature"; 2) a computer algorithm "normalizes" the biometric signature so that it is in the same format (view, resolution, size, etc.) as other signatures on the computer system's database; and 3) a matcher then compares the normalized signature with the set (or subset) of normalized signatures on the system's database and provides a "similarity score" that compares the individual's normalized signature with each signature in the database (or subset).
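The three steps can be followed in a small sketch. This is an added example, not code from the report or from any face recognition product: short lists of numbers stand in for biometric signatures, and the use of correlation as the similarity score is an assumption made for illustration.

```python
import math

def normalize(signature, size=8):
    """Step 2: put a raw signature into the database's common format."""
    n = len(signature)
    resampled = []
    for i in range(size):                      # same resolution for everyone
        pos = i * (n - 1) / (size - 1)
        lo = int(pos)
        hi = min(lo + 1, n - 1)
        frac = pos - lo
        resampled.append(signature[lo] * (1 - frac) + signature[hi] * frac)
    mean = sum(resampled) / size
    centered = [v - mean for v in resampled]   # remove offset
    norm = math.sqrt(sum(v * v for v in centered))
    if norm == 0:
        raise ValueError("flat signature: nothing to compare")
    return [v / norm for v in centered]        # remove scale

def match(probe, database):
    """Step 3: one similarity score per stored signature, best first."""
    scores = [(name, sum(a * b for a, b in zip(probe, ref)))
              for name, ref in database.items()]
    return sorted(scores, key=lambda item: item[1], reverse=True)

def constructed_sample():
    """Constructed toy data: number lists stand in for face signatures."""
    enrolled = {"alice": [3, 7, 2, 9, 4, 8, 1, 6],
                "bob": [5, 5, 6, 2, 9, 3, 7, 4]}
    database = {name: normalize(raw) for name, raw in enrolled.items()}
    # Step 1: a new observation of alice from a sensor with twice the
    # resolution and a different gain and offset.
    raw = enrolled["alice"]
    dense = []
    for a, b in zip(raw, raw[1:]):
        dense += [a, (a + b) / 2]
    dense.append(raw[-1])
    observation = [2 * v + 10 for v in dense]
    return match(normalize(observation), database)

if __name__ == "__main__":
    for name, score in constructed_sample():
        print(name, round(score, 3))
```

The matcher returns a ranked list of scores rather than a yes/no answer; deciding what score counts as a match is a separate policy choice.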
As with all emerging technologies, businesses must take the time to become acquainted with biometric applications and properly train staff on their appropriate use.
"I'm not afraid of it; I just think we need to understand what it is," Clayton says. "If a business has that type of information, what are they doing with it? Who pays for it?"
Cost is another concern. Because of the extensive research involved, the cost of sophisticated technologies is high. The retina scan, which identifies part of an individual's eye, is an example of a device whose expenses could outweigh the practicality of its use. Notes Frank, "With a retina scan, it can be very expensive, so the cost is transferred to us, the consumers."
Less intrusive authentication techniques include PKI--whose uses range from allowing employees to remotely access company data to enabling business partners to place online orders--and smart cards, which are increasingly used by credit card companies to uniquely identify customers. Both are being met with mixed feelings by consumers. According to a Gartner report, PKI, smart cards, and disposable card numbers, while beginning to be adopted more frequently by credit card companies, receive far less consumer support.
Software Magazine's Paul Desmond examines the challenges to successfully using PKI technology in his article, "PKI Distribution Dilemma." "Longer term, many see the technology as being a key enabler of more dynamic online marketplaces for both business-to-business and business-to-consumer applications," Desmond writes. "But the security inherent in any PKI system may well hinge on a decidedly nontechnical issue: how to ensure that the right people are given access to the system."
Improper document filing and incomplete records disposal are common procedural mistakes that can put organizations at risk of identity theft crimes. As Clayton's coffee mug analogy illustrates, information recorded on paper is often treated with little regard for security or privacy.
While authentication technology continues to gain upper management support, the policies and procedures governing an organization's identity management programs may be neglected. The proper handling of paper documents is a commonsense issue that continues to get overlooked.
"The right processes need to be in place to protect the physical location where information is used and stored," Poore says.
Another overlooked issue is employees who handle sensitive information. Employee background checks, while gaining more acceptance by organizations and staff, often are viewed as a waste of company time and money and an infringement on individual privacy.
"There is an increase in employee background checks and that is one way that companies have been looking at security, but it emphasizes the gatekeeper or fortress mentality (of monitoring your employees)," Hoofnagle says.
In many cases, as with Frank's identity theft experience, the individuals stealing sensitive information are temporary employees. Organizations must therefore decide whether company-wide background checks are feasible and practical for temporary workers.
When it comes to properly handling information, company-wide training may be required. An information management professional within the company or a privacy consultant may be called on to educate staff about proper procedures.
"I encourage a business to work with an outside group, with a very specific target area, to help the business identify proper processes," Clayton says. This should be followed by internal training that is "ongoing for the life of the company."
Frank cites the following as being critical to organizational identity management programs:
* Do background checks on employees handling sensitive information.
* Have employee password protection that limits access to certain information.
* Leave an audit trail of who got into which files and when.
* Don't throw away any sensitive information without shredding it first.
* Train staff by creating a security handbook that protects customers and employees.
* Enlist a private or government agency, such as the Federal Bureau of Investigation, to conduct programs on a variety of privacy and identity protection issues.
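Two items on this list, access limits and an audit trail, can be combined so that every read is both checked against the employee's role and recorded. The sketch below is an added example, not part of the original article: the roles, field names, user names, and the three-records-per-day review threshold are all assumptions, and the activity is constructed.

```python
from datetime import datetime

# Assumed policy for illustration: the fields each role may read.
FIELD_ACCESS = {
    "credit_analyst": {"name", "address", "ssn"},
    "claims_adjuster": {"name", "address", "policy_no"},
    "temp": {"name"},
}

def read_field(log, user, role, record_id, field, when):
    """Decide one read and append it to the audit trail, allowed or not."""
    allowed = field in FIELD_ACCESS.get(role, set())
    log.append({"when": when, "user": user, "role": role,
                "record": record_id, "field": field, "allowed": allowed})
    return allowed

def review(log, max_records_per_day=3):
    """Flag users with a denied read or too many distinct records in a day."""
    findings, per_day = {}, {}
    for entry in log:
        if not entry["allowed"]:
            findings.setdefault(entry["user"], set()).add(
                "denied:" + entry["field"])
        key = (entry["user"], entry["when"].date())
        per_day.setdefault(key, set()).add(entry["record"])
    for (user, day), records in per_day.items():
        if len(records) > max_records_per_day:
            findings.setdefault(user, set()).add(
                "bulk:%d records on %s" % (len(records), day))
    return findings

def constructed_sample():
    """Build a constructed day of activity and return (log, findings)."""
    log = []
    day = datetime(2002, 3, 4, 9, 0)
    read_field(log, "jlee", "credit_analyst", 101, "ssn", day)
    read_field(log, "mroy", "claims_adjuster", 101, "address", day)
    read_field(log, "mroy", "claims_adjuster", 102, "policy_no", day)
    for record_id in range(201, 206):      # temporary worker walks the table
        read_field(log, "temp07", "temp", record_id, "name", day)
    read_field(log, "temp07", "temp", 201, "ssn", day)   # outside the role
    return log, review(log)

if __name__ == "__main__":
    log, findings = constructed_sample()
    for user, reasons in findings.items():
        print(user, sorted(reasons))
```

Denied reads are logged as well as allowed ones, so the trail shows both who reached a field outside their role and who pulled many records that each looked harmless on its own.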
According to Hoofnagle, "Starting with good data collection and maintenance protections can go a long way. Proper information practices can protect you from a lot [of liability]."
Information Managers' Role
Technology-based identity measures raise important information management issues: Who is collecting information? How is the information being collected and stored? What retention schedules are in place for this information? How is the information being destroyed?
"If we don't put up safeguards, it can be very scary," Frank says. "How is this information going to be used? Are there going to be safeguards against its use? What scares me is the sharing of this information."
Some companies are designating privacy officers or establishing departments to train staff on legal implications and privacy issues involved with information handling. This individual or department also plays a strategic role in creating an information privacy/security handbook.
While hiring a privacy officer may be the solution for some organizations, others may find that they currently have information management staff who can assume some or all of a privacy officer's identity protection duties. Information managers can play a key role in preventing identity theft within organizations. Many of the information manager's responsibilities dovetail with prevention measures: creating retention schedules, properly tracking and filing information, and training staff on information management procedures. New opportunities await records and information managers who are open to additional responsibilities.
"Information managers, privacy managers, and senior managers are all responsible for monitoring data flow," Clayton explains. He says they should be the ones who step in and help the company understand the laws regarding privacy and security. In addition, these managers need to train each individual employee on privacy and security.
"Privacy and security do not work if you do not have top-level buy-in," he says. "Information managers might very well be the key people within the organization (to help accomplish this)."
The Identity Theft and Assumption Deterrence Act of 1998 makes identity theft in the United States a federal crime with penalties of up to 15 years imprisonment and a maximum fine of $250,000.
"Legislative attempts have pushed the responsibilities back on corporations to protect the information they collect," says Russell Poore, general manager of secured destruction services, Recall Corp.
As a result of the 1998 law, the Federal Trade Commission (FTC) has established a toll-free hotline to provide victim assistance and consumer counseling. The FTC also has developed a database clearinghouse of identity theft complaints and launched a consumer and business education campaign. More than 270 U.S. law enforcement agencies have signed confidentiality agreements, granting them access to the Identity Theft Data Clearinghouse.
The FTC also has worked with public and private sector entities to encourage investigations and prosecutions of identity theft cases. The FTC and the U.S. Secret Service have launched an identity theft case referral program to help detect and prosecute identity thieves.
READ MORE ABOUT IT
Frank, Esq., Mari J. From Victim To Victor: A Step-By-Step Guide For Ending The Nightmare of Identity Theft. Porpoise Press Inc.: Laguna Niguel, CA. 1998.
Blackburn, Duane M. "Face Recognition 101: The Technology and Its Applications." Department of Defense Counterdrug Technology Development Program Office. Available at www.dodcounterdrug.com/facialrecognition/DLs/FR101.pdf (accessed 21 March 2002).
Department of Justice Canada. "Privacy Act." Available at http://laws.justice.gc.ca/en/P-21/87221.html#rid-87227 (accessed 21 March 2002).
Department of Justice Canada. "Personal Information Protection and Electronic Documents Act." Available at http://laws.justice.gc.ca/en/P-8.6/85538.html (accessed 21 March 2002).
Desmond, Paul. "PKI Distribution Dilemma." Software Magazine. Available at http://softwaremag.com (accessed 22 March 2002).
Fries, Jacob H. "Worker Accused of Selling Colleagues' IDs Online." The New York Times. Available at www.nytimes.com/2002/03/02/technology/02INTE.html?todaysheadlines (accessed 4 March 2002).
Gartner Inc. "Consumers Embrace Online Credit Card Security Systems." Available at www.4gartner.com/resources/104500/104547/104547.pdf (accessed 11 March 2002).
Identity Theft: Prevention and Survival Web Site. "Identity Theft and Assumption Deterrence Act of 1998." Available at www.identitytheft.org/title18.htm (accessed 11 March 2002).
Petterson, John L. "Plan to Fight Identity Theft Moves Forward." The Kansas City Star, 12 March 2002.
U.S. Federal Trade Commission. "FTC Testimony on Identity Theft." Available at www.ftc.gov/opa/2002/03/idtestimony.htm (accessed 21 March 2002).
Shanna Groves is a freelance writer in Kansas and formerly an associate editor for The Information Management Journal. She may be reached at email@example.com.
Publication: Information Management Journal
Article Type: Statistical Data Included
Date: May 1, 2002