Via Ars Technica
By David Chartier | Published: October 22, 2008 – 10:29PM CT
The Identity Theft Task Force that President Bush created in May 2006 has just issued a 70-page report on its work over the past two years. Detailed in the tome is the Task Force’s progress on initiatives like data protection, public education, and the prosecution of identity thieves—an area where charges and conviction rates have both increased in recent years.
If you’re looking for sound-bite-worthy progress on data theft, there is some good news here. Charges and convictions of data thieves rose 26.9 and 26.7 percent, respectively, between the fiscal years 2006 and 2007. In 2006, 1,946 defendants were charged with violating one of the two main federal identity theft statutes, resulting in 1,534 convictions. 2007 saw higher numbers of 2,470 charges and 1,943 convictions.
One example case cited (without names) sounds nearly identical to a case we reported on in September 2007. Gregory Thomas Kopiloff allegedly used P2P networks like LimeWire to collect the identity information of over 80 people, then used that information to purchase over $73,000 in electronics and other goods.
Kopiloff’s indictment noted that he also used less-technical techniques, such as dumpster diving, to collect identity information. A study in October 2007 pointed out that thieves are still highly dependent on these low-tech approaches, and the Identity Theft Task Force is very aware of the analog battlefield. In fact, many recommendations from the Strategic Plan the Task Force released in 2007 center on cleaning up the non-digital methods of collecting and storing private data. Per this new report, some of those steps have now been taken, including a redesign of government paperwork to reduce the amount of private data collected. The US Postal Service also delivered 146 million educational mailings earlier this year to US residents and businesses.
The new report contains 31 more recommendations that target data protection, avoiding data misuse, victim assistance, and deterrence. Recommendations include “better educate the private sector on safeguarding data” (it sure could use some lessons), “establish a national identity theft law enforcement center,” “develop and promote the acceptance of a universal identity theft report form,” and “encourage other countries to enact suitable domestic legislation criminalizing identity theft.”
Progress has been made towards many of these goals, such as the creation of the FTC’s Identity Theft Data Clearinghouse for ID theft complaints. President Bush also signed into law a bill that “filled the gaps in previous identity theft laws by ensuring that victims can recover the value of the time lost attempting to repair damage inflicted by identity theft, criminalizing additional acts of identity thieves, and expanding the definition of aggravated identity theft.”
Other initiatives, however, haven’t gotten off the launching pad. Real ID, for example, would establish minimum standards for state-issued driver’s licenses and ID cards. It would also require electronic verification of identity and lawful status, and it would enact stricter security requirements for card production facilities and the protection of personal data. As of May 13, though, Real ID is stuck behind state adoption deadline extensions granted by the Department of Homeland Security and has yet to be deployed across the country.
In the realm of risk, unmanaged possibilities become probabilities: These data breaches and thefts are due to a lagging business culture. As CIO, I’m always looking for ways to help my team, business teams, and ad hoc measures of various vendors, contractors and internal team members. A book that is required reading is “I.T. WARS: Managing the Business-Technology Weave in the New Millennium.”
We keep a few copies kicking around – it would be a bit much to expect outside agencies to purchase it on our say-so. But, particularly when entertaining bids for projects and in the face of challenging change, we ask potential solutions partners to review relevant parts of the book, and it ensures that these agencies understand our values and practices.
The author, David Scott, has an interview here that is a great exposure: http://businessforum.com/DScott_02.html
The book came to us as a tip from one of our interns who attended a course at University of Wisconsin, where the book is in use. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. The real crux of the matter is education and training to the organization as a whole – and a recurring schedule of training – in building a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
I like to pass along things that work, in the hope that good ideas continue to make their way to me.