Internet companies have become aware of the sensitivity of customers information. Posted privacy policies articulating care and handing of sensitive information have become common place. Options for handling information include restricting staff that has access to a business’s customer information to a few who have a need to know. Some companies conduct background checks on those who do have access to sensitive information. If an employee pockets a few thousand credit card numbers as a result of sloppy information practices, the company could be liable as well. Appropriate questions could be, how is that information secured and stored, and how do you dispose of it when it is no longer needed.
Paper shredders now cost $40 down at the local office supply store (I bought one for Christmas and let my kids shred anything with personal information on it). Safes and locking file cabinets are also very affordable.
Ebusinesses regularly make security a part of the business plan. They consider consider the security of interactions with the public and of online transactions. Could any of the “sploits of the month” defeat security efforts and permit a skript kiddy to rifle through data? Organizations designate an individual on staff to be responsible for the security of the network and data. Security and firewall can be designed with the confidentiality of data in mind. If a project is big enough, one can conduct a security audit. There are also available voluntary trust programs, like the Better Business Bureau or Truste that show customers that a site is taking prudent precautions.
As subscribers go online with broadband connections and fixed IP addresses, they are increasingly vulnerable to intruders rifling through hard drives. ISPs are increasingly attempting to educate subscribers about the dangers of the barbarians online. Some have added a firewall to the service package provided to new customers and recommend to new subscribers that they keep their sensitive data on removable media, like key chain drives, that are not always attached to the computer.
There are a number of laws that deal with your customer’s information. The FCC’s Customer Proprietary Network Information rules prohibit telephone carriers from stealing this information from you when you order telephone service. The Electronic Communications Privacy Act (ECPA) governs when it is appropriate for you to turn information over to federal agents and what documents they have to present to you before you should supply that information Any children’s information collected online falls under the Children’s Online Privacy Protection Act.
Some ISPs make this a part of the training for customer support staff. After all, when customers have trouble with Netscape, who do they call? When customers worried about Y2K, who did they call? They called their ISP. Identity Theft has become so endemic that some ISPs provide an FAQ on your company website linking to the appropriate identity theft information.
Derived From Identity Theft: Prevalence and Cost Appear to Be Growing , GAO-02-363, p. 11 (Mar. 2002)
Since our May 1998 report, various actions-particularly passage of federal and state statutes-have been taken to address identity theft. The federal statute,14 enacted in October 1998, made identity theft a separate crime against the person whose identity was stolen, broadened the scope of the offense to include the misuse of information as well as documents, and provided punishment-generally, a fine or imprisonment for up to 15 years or both. Under U.S. Sentencing Commission guidelines-even if (1) there is no monetary loss and (2) the perpetrator has no prior criminal convictions-a sentence as high as 10 to 16 months incarceration can be imposed. Regarding state statutes, at the time of our 1998 report, very few states had specific laws to address identity theft. Now, less than 4 years later, a large majority of states have enacted identity theft statutes.
In short, federal and state legislation indicate that identity theft has been widely recognized as a serious crime across the nation. As such, a current focus for policy makers and criminal justice administrators is to ensure that relevant legislation is effectively enforced. Given the frequently cross-jurisdictional nature of identity theft crime, enforcement of the relevant federal and state laws presents various challenges, particularly regarding coordination of efforts. Although we have not evaluated them, initiatives designed to address these challenges include the following:
After enactment of the 1998 Identity Theft Act, the Attorney General's Council on White Collar Crime established a Subcommittee on Identity Theft. Purposes of the Subcommittee are to foster coordination of investigative and postdoctoral strategies and promote consumer education programs. Subcommittee leadership is vested in the Fraud Section of the Department of Justice's Criminal Division, and membership includes representatives from various Justice, Treasury, and State Department components; SSA/OIG; the FTC; federal regulatory agencies, such as the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation; and professional organizations, such as the International Association of Chiefs of Police (IACP), the National Association of Attorneys General, and the National District Attorneys Association.
. Various identity theft task forces, with multiagency participation (including state and local law enforcement), have been established to investigate and prosecute cases. Such task forces enable law enforcement to more effectively pursue cases that have multijurisdictional elements, such as fraudulent schemes that involve illegal activities in multiple counties or states. At the time of our review, the Secret Service was the lead agency in 37 task forces across the country that were primarily targeting financial and electronic crimes, many of which may include identity theft-related elements.
. Also, under the 1998 Identity Theft Act, the FTC established a toll-free number for victims to call and is compiling complaint information in a national Identity Theft Data Clearinghouse. FTC's Consumer Sentinel Network makes this information available to federal, state, and local law enforcement. According to FTC staff, use of the Consumer Sentinel Network enables law enforcement to coordinate efforts and to pinpoint high-impact or other significant episodes of identity theft.
Furthermore, there is general agreement that, in addition to investigating and prosecuting perpetrators, a multipronged approach to combating identity theft must include prevention efforts, such as limiting access to personal information. In this regard, federal law enacted in 1999, the Gramm-Leach-Bliley Act,15 directed financial institutions-banks, savings associations, credit unions, broker-dealers, investment companies, investment advisers, and insurance companies-to have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information and to deter fraudulent access to such information. Prevention efforts by financial institutions are particularly important, given FTC data showing that a large majority of consumer complaints regarding identity theft involve financial services-new credit card accounts opened, existing credit card accounts used, new deposit accounts opened, and newly obtained loans.
Finally, given indications that the prevalence and cost of identity theft have increased in recent years, most observers agree that such crime certainly warrants continued attention from law enforcement, industry, and consumers.16 Also, due partly to the growth of the Internet and other communications technologies, there is general consensus that the opportunities for identity theft are not likely to decline.
"Under the Identity Theft and Assumption Deterrence Act, the Federal Trade Commission is responsible for receiving and processing complaints from people who believe they may be victims of identity theft, providing informational materials to those people, and referring those complaints to appropriate entities, including the major credit reporting agencies and law enforcement agencies. For further information, please check the FTC's identity theft Web pages . You can also call your local office of the FBI or the U.S. Secret Service to report crimes relating to identity theft and fraud." - USDOJ Identity Theft and Fraud
- Identity Theft and Assumption Deterrence Act of 1998 Public Law 105-318 (1998) [TEXT] [PDF]
- Credit Cards
- 15 U.S.C. § 1643
- "a consumer's liability for the unauthorized use of her credit card may not exceed $50 if she does not report the loss before the credit card is used. If she notifies the card issuer before any use, she is not responsible for any charges she did not authorize."
- 15 U.S.C. § 1693 et seq the Electronic Funds Transfer Act
- Debit Cards
- 15 U.S.C. § 1601The Truth in Lending Act as amended by the Fair Credit Billing Act
- "If a person fails to report to her bank that money has been taken from her debit card account more than 60 days after she receives the statement, there is no limit to her liability and she could lose all the money in her account. "
- 18 U.S.C. § 1028 [TEXT]
- U.S. Congress, House Committee on Ways and Means, Role of Social Security Numbers in Identity Theft and Options to Guard Their Privacy, 112th Cong., 1st sess., April 13, 2011.
- "Identity Theft: Restoring Your Good Name " Senate Judiciary Committee Subcommittee on Technology, Terrorism and Government Information DATE: March 20, 2002
- February 14, 2002 Subcommittee Hearing "Privacy, Identity Theft, and the Protection of Your Personal Information in the 21st Century?"
- Prepared Statement Of The Federal Trade Commission On Identity Theft Before The Committee On Banking And Financial Services United States House Of Representatives Washington, D.C. September 13, 2000
- REMIJAS v. NEIMAN MARCUS GROUP, LLC, Court of Appeals, 7th Circuit 2015
- Class plaintiffs have suffered harms as a result of hack of personal information. "the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an "objectively reasonable likelihood" that such an injury will occur."
- Resnick v. AvMed, Inc., 693 F.3d 1317, 1328 (11th Cir. 2012)
- Standing: reasoning that the plaintiff had financial injury from paying higher premiums in light of defendant's failure to implement security policies
- In re Target Corp. Data Sec. Breach Litig., MDL No. 14-2522 (PAM/JJK), 2014 WL 7192478, at *2 (D. Minn. Dec. 18, 2014)
- Standing: "Plaintiffs' allegations plausibly allege that they suffered injuries that are `fairly traceable' to Target's conduct. This is sufficient at this stage to plead standing. Should discovery fail to bear out Plaintiffs' allegations, Target may move for summary judgment on the issue."
- In re Adobe Sys., Inc. Privacy Litig., No. 13-CV-05226-LHK, 2014 WL 4379916, at *8 (N.D. Cal. Sept. 4, 2014)
- Addressing issue of harm: "Unlike in Clapper, where respondents' claim that they would suffer future harm rested on a chain of events that was both `highly attenuated' and `highly speculative,' the risk that Plaintiffs' personal data will be misused by the hackers who breached Adobe's network is immediate and very real."
- FTC Report, National and State Trends in Fraud and Identity Theft Jan. - Dec. 2004 (Feb. 1, 2005)
- Financial Institutions and Customer Data: Complying with the Safeguards Rule [TXT] [PDF]
- Information Compromise and the Risk of Identity Theft: Guidance for Your Business [TXT] [PDF]
- OnGuard ID Theft
- Sasha Romanosky, Carnegie Mellon University , Richard Sharp, Carnegie Mellon University , Alessandro Acquisti, Carnegie Mellon University Data Breaches and Identity Theft:Data Breaches and Identity Theft: When is Mandatory Disclosure Optimal? TPRC 2010
- Press Release, Identity Theft - Victim's Perspective ITRC 6 th Annual Study Released , Identity Theft Resource Center (May 27, 2009).
- Gartner Says Number of Identity Theft Victims has Increased More Than 50 Percent Since 2003 , Gartner Newsroom (Mar. 6, 2007)
- Latanya Sweeney, AI Technologies to Defeat Identity Theft Vulnerabilities, CS 3/4/2005
- Most ID Theft Begins At Home , Computer Crime Research Center (Jan. 30, 2005)
- Daniel J. Solove, Identity Theft, Privacy, and the Architecture of Vulnerability, 54 HASTINGS L.J. 1227 (2003).
- FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule, FTC 6/1/2010
- Keep Your Personal Data Off the Market, CW 5/5/2010
- FBI, DOJ Identity Theft Programs Fall Short, Internet News 4/1/2010
- Bank Sues Identity Fraud Victim After $800,000 Removed From Its Account, Techdirt 1/28/2010
- Bank's antifraud tactics stun security expert, CW 12/15/2009
- FTC Offers 'Red Flags' Web Site To Help Creditors and Financial Institutions Design Identity Theft Prevention Programs, FTC 4/2/2009
- President's Identity Theft Task Force Issues Report on Steps Taken to Implement Strategic Plan, FTC 10/21/2008
- Opinion: FTC's new Red Flag Rules cast wide identity theft net, CW 10/15/2008
- Citibank ATM breach reveals PIN security problems, Globe and Mail 7/3/2008
- Identity 'at risk' on Facebook, BBC 5/1/2008
- Stolen Data So Plentiful, The Market For It Has Collapsed, Techdirt 4/10/2008
- Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy, FTC 11/1/2007
- Data miners 'dig' your life story, CNET 8/29/2007
- Identity attack spreads; 1.6M records stolen from Monster.com, CW 8/21/2007
- Loose-Lipped Facebookers Tell All to ID Thieves, Ecommerce Times 8/15/2007
- IRS Found Lax in Protecting Taxpayer Data, Wash Post 4/5/2007
- ID Thieves: Smarter by The Day, Internet News 3/8/2007
- Protecting Yourself Against Online Identity Theft, Newsfactor 2/6/2007
- VA investigating another missing hard drive, CW 2/6/2007
- U.S. identity theft losses fall: study, Register 2/1/2007
- ID Thefts Slam Online Brokers, CW 10/30/2006
- 'ID theft risk' on bank websites, BBC 10/24/2006
- AT&T Hack Part of Larger ID Theft Scam - 19,000 accounts 'immediately' used in phishing attempt, Broadband Reports 9/1/2006
- Teens Charged in VA Laptop Theft, Internet News 8/8/2006
- VA Suffers Another Data Loss, Wash Post 8/8/2006
- Stolen Lives: Identity Thief Finds Easy Money Hard to Resist, NYT 7/5/2006
- U.S. agency loses data containing 26 million IDs, Network World 5/23/2006
- Aetna says laptop stolen with data on 38,000 members, CW 4/28/2006
- ID Theft Hits 3.6 Million U.S. Households, Internet Week 4/5/2006
- IRS Notices More Identity Theft Attempts, Wash Post 3/14/2006
- People's Bank Loses Tape Containing Confidential Data, eweek 1/13/2006
- Bank tape lost with data on 90,000 customers, NWNetflash 1/13/2006
- Computer Theft Case Shows Database Perils, Wash Post 8/12/2005
- Congress Nears Final Identity Theft Legislation, eweek 7/22/2005
- ChoicePoint Data Scandal Costs Broker $11 Million, Internet Week 7/22/2005
- Not even 2, and girl has had identity stolen twice, USA Today 7/19/2005
- FTC chair's credit card info stolen in DSW data breach, USAToday 7/5/2005
- Senate Takes up Data Security Law, Internet news 6/15/2005
- Senate, FTC Push For Identity Theft Law, Internet Week 6/15/2005
- Banks Not Doing Enough To Stop ID Theft: Report, Internet Week 6/15/2005
- Congress considers identity theft legislation, USA Today 4/15/2005
- Ralph Lauren, HSBC in data breach debacle, Register 4/15/2005
- Congress Primed To Pass Laws Requiring Disclosure Of Data Thefts, Infoweek 4/15/2005
- Equifax chairman's compensation grows, Bizjournals 4/15/2005
- Data on 310,000 People Feared Stolen, Wash Post 4/11/2005
- New federal rules dictate bank ID theft notifications, Standard 3/29/2005
- FTC chief calls for ChoicePoint regulation, MSNBC 3/11/2005
- Senators rip into ChoicePoint, Bank of America, Infoworld 3/11/2005
- Shoe chain says customer data stolen, MSNBC 3/9/2005
- ID fraud touches one in four, BBC 3/4/2005
- Lawmakers call for ChoicePoint investigation, CW 3/4/2005
- Bank loses credit card info of 1.2M federal workers, CW 3/2/2005
- Missing Bank of America Tapes Underscore Encryption Need, Gartner 3/2/2005
- ID Theft Victims Could Lose Twice, Wired 2/25/2005
- ChoicePoint data theft widens to 145,000 people, CNET 2/22/2005
- ID theft scam spreads across USA, USA Today 2/22/2005
- Big ID Theft in California, Wired 2/18/2005
- Break-In at SAIC Risks ID Theft of Powerful, Wash Post 2/15/2005
- Online banking victim files suit; $90,000 lifted from account traced to Latvia, Sun Sentinel 2/8/2005
- Identity Theft Focus of National Consumer Protection Week 2005, FTC 2/8/2005
- Study: Most Identity Theft Occurs Offline, AP 2/1/2005
- Prison for Man Who Pleaded Guilty to ID Theft, Wash Post 1/11/2005
- Identity Theft Is Epidemic. Can It Be Stopped?, NYT 10/26/2004
- FTC Issues Alert about Identity Theft Scam, FTC 3/11/2004
- Congressman raises offshore ID theft concerns, CNET 2/26/2004
- ID Theft Triples, USA Today 10/27/2003
- ID theft undermining integrated terror watch lists, CW 10/3/03
- Study: ID Theft Goes Unrecognized, Internet News 9/24/03
- Identity Crisis, Wash Post 9/24/03
- Identity bills approved, USA Today 9/11/03
- FTC: Identity theft strikes 1 in 8 adults, CNN 9/5/03
- Identity theft explodes in US, BBC 7/23/03
- U.S.: Identity Theft Complaints Skyrocket, Newsfactor 1/24/03
- Identity theft raises questions about security, NWFusion 12/2/02
- Identity thieves strike eBay, CNET 11/20/02
- Online job listing an ID theft scam MSNBC 11/5/02
- Busboy pleads guilty to ID theft, CNET 10/3/02
- 'Sweeping' Up After Identity Theft, Newsfactor 8/14/02
- 13,000 Credit Reports Stolen by Hackers, NYT 5/17/02
- ID Thieves Mine For Gold On Jail Sites, MSNBC 5/13/02
- eBay identity theft hits close to home , CNN 2/20/02
- ID Theft, Web Scams Top Complaints, Newsfactor 1/24/02
- ID Theft, Web Auction Fraud Top FTC Consumer Complaints, Wash Tech 1/24/02
- Identity Theft Heads the FTC's Top 10 Consumer Fraud Complaints of 2001, FTC 1/24/02
- NAAG: Protect Yourself From Identity Theft Jan 2002
- Identity Thieves Thrive in Information Age, Washtech 06/01/01
- Social Security numbers at risk on the Net, CNET 5/23/01
- House Panel Looks at How to Stop Identity Theft, Newsfactor 5/23/01
- Radical solutions eyed in Net identity theft battle, USAToday 5/23/01
- Online identity thief caught in New York, CW 3/21/01
- IRS snafu raises fears of identity theft Mercury News , 1/26/01
- FTC To Host ID Theft Workshop Oct 20, 2000 newsbytes
- FTC: Net Contributes To Identity Theft C|NET 8/30
- Net Blamed for Identity Theft Spike InternetNews 8/30
- FTC: Identity theft, tech fraud up, CNN 1/23/2004
- FTC: ID Theft Remains Top Complaint, Wash Post 1/23/2004