Tài liệu The President’s Identity Theft Task Force Combating IDENTITY THEFT A Strategic Plan ppt

LINK DOWNLOAD MIỄN PHÍ TÀI LIỆU "Tài liệu The President’s Identity Theft Task Force Combating IDENTITY THEFT A Strategic Plan ppt": http://123doc.vn/document/1050238-tai-lieu-the-president-s-identity-theft-task-force-combating-identity-theft-a-strategic-plan-ppt.htm

v
COMBATING IDENTITY THEFT A Strategic Plan
Glossary of Acronyms
AAMVA–American Association of
Motor Vehicle Administrators
AARP–American Association of
Retired Persons
ABA–American Bar Association
APWG–Anti-Phishing Working Group
BBB–Better Business Bureau
BIN–Bank Identification Number
BJA–Bureau of Justice Assistance
BJS–Bureau of Justice Statistics
CCIPS–Computer Crime and
Intellectual Property Section (DOJ)
CCMSI–Credit Card Mail Security
Initiative
CFAA–Computer Fraud and Abuse Act
CFTC–Commodity Futures Trading
Commission
CIO–Chief Information Officer
CIP–Customer Identification Program
CIRFU–Cyber Initiative and Resource
Fusion Center
CMRA–Commercial Mail Receiving
Agency
CMS–Centers for Medicare and
Medicaid Services (HHS)
CRA–Consumer reporting agency
CVV2–Card Verification Value 2
DBFTF–Document and Benefit Fraud
Task Force
DHS–Department of Homeland Security
DOJ–Department of Justice
DPPA–Drivers Privacy Protection
Act of 1994
FACT Act–Fair and Accurate Credit
Transactions Act of 2003
FBI–Federal Bureau of Investigation
FCD–Financial Crimes Database
FCRA–Fair Credit Reporting Act
FCU Act–Federal Credit Union Act
FDI Act–Federal Deposit Insurance Act
FDIC–Federal Deposit Insurance
Corporation
FEMA–Federal Emergency
Management Agency
FERPA–Family and Educational Rights
and Privacy Act of 1974
FFIEC–Federal Financial Institutions
Examination Council
FIMSI–Financial Industry Mail Security
Initiative
FinCEN–Financial Crimes Enforcement
Network (Department of Treasury)
FISMA–Federal Information Security
Management Act of 2002
FRB–Federal Reserve Board of
Governors
FSI–Financial Services, Inc.
FTC–Federal Trade Commission
FTC Act–Federal Trade Commission
Act
GAO–Government Accountability
Office
GLB Act–Gramm-Leach-Bliley Act
HHS–Department of Health and Human
Services
HIPAA–Health Insurance Portability
and Accountability Act of 1996
IACP–International Association of
Chiefs of Police
IAFCI–International Association of
Financial Crimes Investigators
IC3–Internet Crime Complaint Center
ICE–U.S. Immigration and Customs
Enforcement
IRS–Internal Revenue Service
IRS CI–IRS Criminal Investigation
Division
vi
IRTPA–Intelligence Reform and
Terrorism Prevention Act of 2004
ISI–Intelligence Sharing Initiative (U.S.
Postal Inspection Service)
ISP–Internet service provider
ISS LOB–Information Systems Security
Line of Business
ITAC–Identity Theft Assistance Center
ITCI–Information Technology
Compliance Institute
ITRC–Identity Theft Resource Center
MCC–Major Cities Chiefs
NAC–National Advocacy Center
NASD–National Association of
Securities Dealers, Inc.
NCFTA–National Cyber Forensic
Training Alliance
NCHELP–National Council of Higher
Education Loan Programs
NCUA–National Credit Union
Administration
NCVS–National Crime Victimization
Survey
NDAA–National District Attorneys
Association
NIH–National Institutes of Health
NIST–National Institute of Standards
and Technology
NYSE–New York Stock Exchange
OCC–Office of the Comptroller of the
Currency
OIG–Office of the Inspector General
OJP–Office of Justice Programs (DOJ)
OMB–Office of Management and
Budget
OPM–Office of Personnel Management
OTS–Office of Thrift Supervision
OVC–Office for Victims of Crime (DOJ)
PCI–Payment Card Industry
PIN–Personal Identification Number
PMA–President’s Management Agenda
PRC–Privacy Rights Clearinghouse
QRP–Questionable Refund Program
(IRS CI)
RELEAF–Operation Retailers & Law
Enforcement Against Fraud
RISS–Regional Information Sharing
Systems
RITNET–Regional Identity Theft
Network
RPP–Return Preparer Program (IRS CI)
SAR–Suspicious Activity Report
SBA–Small Business Administration
SEC–Securities and Exchange
Commission
SMP–Senior Medicare Patrol
SSA–Social Security Administration
SSL–Security Socket Layer
SSN–Social Security number
TIGTA–Treasury Inspector General for
Tax Administration
UNCC–United Nations Crime
Commission
USA PATRIOT Act–Uniting and
Strengthening America by Providing
Appropriate Tools Required to Intercept
and Obstruct Terrorism Act of 2001
(Pub. L. No. 107-56)
USB–Universal Serial Bus
US-CERT–United States Computer
Emergency Readiness Team
USPIS–United States Postal Inspection
Service
USSS–United States Secret Service
VHA–Veterans Health Administration
VOIP–Voice Over Internet Protocol
VPN–Virtual private network
WEDI–Workgroup for Electronic Data
Interchange
GLOSSARY OF ACRONYMS
vii
Identity Theft Task Force Members
Alberto R. Gonzales, Chairman
Attorney General
Deborah Platt Majoras, Co-Chairman
Chairman, Federal Trade Commission
Henry M. Paulson
Department of Treasury
Carlos M. Gutierrez
Department of Commerce
Michael O. Leavitt
Department of Health and Human Services
R. James Nicholson
Department of Veterans Affairs
Michael Chertoff
Department of Homeland Security
Rob Portman
Office of Management and Budget
John E. Potter
United States Postal Service
Ben S. Bernanke
Federal Reserve System
Linda M. Springer
Office of Personnel Management
Sheila C. Bair
Federal Deposit Insurance Corporation
Christopher Cox
Securities and Exchange Commission
JoAnn Johnson
National Credit Union Administration
Michael J. Astrue
Social Security Administration
John C. Dugan
Office of the Comptroller of the Currency
John M. Reich
Office of Thrift Supervision
viii
LETTER TO THE PRESIDENT
Letter to the President
APRIL 11, 2007
The Honorable George W. Bush
President of the United States
The White House
Washington, D.C.
Dear Mr. President:
By establishing the President’s Task Force on Identity Theft by Executive
Order 13402 on May 10, 2006, you launched a new era in the fight against
identity theft. As you recognized, identity theft exacts a heavy financial and
emotional toll from its victims, and it severely burdens our economy. You
called for a coordinated approach among government agencies to vigorously
combat this crime. Your charge to us was to craft a strategic plan aiming
to make the federal government’s efforts more effective and efficient in the
areas of identity theft awareness, prevention, detection, and prosecution. To
meet that charge, we examined the tools law enforcement can use to prevent,
investigate, and prosecute identity theft crimes; to recover the proceeds of
these crimes; and to ensure just and effective punishment of identity thieves.
We also surveyed current education efforts by government agencies and
the private sector on how individuals and corporate citizens can protect
personal data. And because government must help reduce, rather than
exacerbate, incidents of identity theft, we worked with many federal agencies
to determine how the government can increase safeguards to better secure the
personal data that it and private businesses hold. Like you, we spoke to many
citizens whose lives have been uprooted by identity theft, and heard their
suggestions on ways to help consumers guard against this crime and lessen the
burdens of their recovery. We conducted meetings, spoke with stakeholders,
and invited public comment on key issues.
Alberto R. Gonzales, Chairman
Attorney General
Deborah Platt Majoras, Co-Chairman
Chairman, Federal Trade Commission
ix
COMBATING IDENTITY THEFT A Strategic Plan
The views you expressed in the Executive Order are widely shared. There
is a consensus that identity theft’s damage is widespread, that it targets all
demographic groups, that it harms both consumers and businesses, and that
its effects can range far beyond financial harm. We were pleased to learn that
many federal departments and agencies, private businesses, and universities
are trying to create a culture of security, although some have been faster than
others to construct systems to protect personal information.
There is no quick solution to this problem. But, we believe that a coordinated
strategic plan can go a long way toward stemming the injuries caused by
identity theft and, we hope, putting identity thieves out of business. Taken as
a whole, the recommendations that comprise this strategic plan are designed
to strengthen the efforts of federal, state, and local law enforcement officers;
to educate consumers and businesses on deterring, detecting, and defending
against identity theft; to assist law enforcement officers in apprehending and
prosecuting identity thieves; and to increase the safeguards employed by
federal agencies and the private sector with respect to the personal data with
which they are entrusted.
Thank you for the privilege of serving on this Task Force. Our work is
ongoing, but we now have the honor, under the provisions of your Executive
Order, of transmitting the report and recommendations of the President’s
Task Force on Identity Theft.
Very truly yours,
Alberto R. Gonzales, Chairman Deborah Platt Majoras, Co-Chairman
Attorney General Chairman, Federal Trade Commission
1
COMBATING IDENTITY THEFT A Strategic Plan
I. Executive Summary
From Main Street to Wall Street, from the back porch to the front office, from
the kitchen table to the conference room, Americans are talking about identity
theft. The reason: millions of Americans each year suffer the financial and
emotional trauma it causes. This crime takes many forms, but it invariably
leaves victims with the task of repairing the damage to their lives. It is a prob-
lem with no single cause and no single solution.
A. INTRODUCTION
Eight years ago, Congress enacted the Identity Theft and Assumption
Deterrence Act,
1
which created the federal crime of identity theft and
charged the Federal Trade Commission (FTC) with taking complaints from
identity theft victims, sharing these complaints with federal, state, and local
law enforcement, and providing the victims with information to help them
restore their good name. Since then, federal, state, and local agencies have
taken strong action to combat identity theft. The FTC has developed the
Identity Theft Data Clearinghouse into a vital resource for consumers and
law enforcement agencies; the Department of Justice (DOJ) has prosecuted
vigorously a wide range of identity theft schemes under the identity theft
statutes and other laws; the federal financial regulatory agencies
2
have
adopted and enforced robust data security standards for entities under their
jurisdiction; Congress passed, and the Department of Homeland Security
issued draft regulations on, the REAL ID Act of 2005; and numerous other
federal agencies, such as the Social Security Administration (SSA), have
educated consumers on avoiding and recovering from identity theft. Many
private sector entities, too, have taken proactive and significant steps to protect
data from identity thieves, educate consumers about how to prevent identity
theft, assist law enforcement in apprehending identity thieves, and assist
identity theft victims who suffer losses.
Over those same eight years, however, the problem of identity theft
has become more complex and challenging for the general public, the
government, and the private sector. Consumers, overwhelmed with weekly
media reports of data breaches, feel vulnerable and uncertain of how to
protect their identities. At the same time, both the private and public sectors
have had to grapple with difficult, and costly, decisions about investments
in safeguards and what more to do to protect the public. And, at every level
of government—from the largest cities with major police departments to the
smallest towns with one fraud detective—identity theft has placed increasingly
pressing demands on law enforcement.
Public comments helped the Task Force define the issues and challenges
posed by identity theft and develop its strategic responses. To ensure that the
Task Force heard from all stakeholders, it solicited comments from the public.
2
In addition to consumer advocacy groups, law enforcement, business, and
industry, the Task Force also received comments from identity theft victims
themselves.
3
The victims wrote of the burdens and frustrations associated
with their recovery from this crime. Their stories reaffirmed the need for the
government to act quickly to address this problem.
The overwhelming majority of the comments received by the Task Force
strongly affirmed the need for a fully coordinated approach to fighting the
problem through prevention, awareness, enforcement, training, and victim
assistance. Consumers wrote to the Task Force exhorting the public and
private sectors to do a better job of protecting their Social Security numbers
(SSNs), and many of those who submitted comments discussed the challenges
raised by the overuse of Social Security numbers as identifiers. Others,
representing certain business sectors, pointed to the beneficial uses of SSNs
in fraud detection. The Task Force was mindful of both considerations, and
its recommendations seek to strike the appropriate balance in addressing SSN
use. Local law enforcement officers, regardless of where they work, wrote
of the challenges of multi-jurisdictional investigations, and called for greater
coordination and resources to support the investigation and prosecution of
identity thieves. Various business groups described the steps they have taken
to minimize the occurrence and impact of the crime, and many expressed
support for risk-based, national data security and breach notification
requirements.
These communications from the public went a long way toward informing
the Task Force’s recommendation for a fully coordinated strategy. Only an
approach that encompasses effective prevention, public awareness and edu-
cation, victim assistance, and law enforcement measures, and fully engages
federal, state, and local authorities will be successful in protecting citizens and
private entities from the crime.
B. THE STRATEGY
Although identity theft is defined in many different ways, it is, fundamentally,
the misuse of another individual’s personal information to commit fraud.
Identity theft has at least three stages in its “life cycle,” and it must be attacked
at each of those stages:
First, the identity thief attempts to acquire a victim’s personal
information.
Criminals must first gather personal information, either through low-tech
methods—such as stealing mail or workplace records, or “dumpster diving”
—or through complex and high-tech frauds, such as hacking and the use
of malicious computer codes. The loss or theft of personal information by
itself, however, does not immediately lead to identity theft. In some cases,
thieves who steal personal items inadvertently steal personal information
EXECUTIVE SUMMARY
3
COMBATING IDENTITY THEFT A Strategic Plan
that is stored in or with the stolen personal items, yet never make use of the
personal information. It has recently been reported that, during the past year,
the personal records of nearly 73 million people have been lost or stolen, but
that there is no evidence of a surge in identity theft or financial fraud as a
result. Still, because any loss or theft of personal information is troubling and
potentially devastating for the persons involved, a strategy to keep consumer
data out of the hands of criminals is essential.
Second, the thief attempts to misuse the information he has acquired.
In this stage, criminals have acquired the victim’s personal information and
now attempt to sell the information or use it themselves. The misuse of stolen
personal information can be classified in the following broad categories:
Existing account fraud: This occurs when thieves obtain account
information involving credit, brokerage, banking, or utility accounts
that are already open. Existing account fraud is typically a less costly,
but more prevalent, form of identity theft. For example, a stolen credit
card may lead to thousands of dollars in fraudulent charges, but the
card generally would not provide the thief with enough information to
establish a false identity. Moreover, most credit card companies, as a
matter of policy, do not hold consumers liable for fraudulent charges,
and federal law caps liability of victims of credit card theft at $50.
New account fraud: Thieves use personal information, such as Social
Security numbers, birth dates, and home addresses, to open new
accounts in the victim’s name, make charges indiscriminately, and then
disappear. While this type of identity theft is less likely to occur, it
imposes much greater costs and hardships on victims.
In addition, identity thieves sometimes use stolen personal information to
obtain government, medical, or other benefits to which the criminal is not
entitled.
Third, an identity thief has completed his crime and is enjoying the
benets, while the victim is realizing the harm.
At this point in the life cycle of the theft, victims are first learning of the
crime, often after being denied credit or employment, or being contacted by a
debt collector seeking payment for a debt the victim did not incur.
In light of the complexity of the problem at each of the stages of this life
cycle, the Identity Theft Task Force is recommending a plan that marshals
government resources to crack down on the criminals who traffic in stolen
identities, strengthens efforts to protect the personal information of our
nation’s citizens, helps law enforcement officials investigate and prosecute
identity thieves, helps educate consumers and businesses about protecting
themselves, and increases the safeguards on personal data entrusted to federal
agencies and private entities.
4
The Plan focuses on improvements in four key areas:
keeping sensitive consumer data out of the hands of identity thieves
through better data security and more accessible education;
making it more difficult for identity thieves who obtain consumer data to
use it to steal identities;
assisting the victims of identity theft in recovering from the crime; and
deterring identity theft by more aggressive prosecution and punishment
of those who commit the crime.
In these four areas, the Task Force makes a number of recommendations
summarized in greater detail below. Among those recommendations are the
following broad policy changes:
that federal agencies should reduce the unnecessary use of Social
Security numbers (SSNs), the most valuable commodity for an identity
thief;
that national standards should be established to require private sector
entities to safeguard the personal data they compile and maintain and
to provide notice to consumers when a breach occurs that poses a
significant risk of identity theft;
that federal agencies should implement a broad, sustained awareness
campaign to educate consumers, the private sector, and the public sector
on deterring, detecting, and defending against identity theft; and
that a National Identity Theft Law Enforcement Center should be
created to allow law enforcement agencies to coordinate their efforts
and information more efficiently, and investigate and prosecute identity
thieves more effectively.
The Task Force believes that all of the recommendations in this strategic
plan—from these broad policy changes to the small steps—are necessary to
wage a more effective fight against identity theft and reduce its incidence and
damage. Some recommendations can be implemented relatively quickly;
others will take time and the sustained cooperation of government entities
and the private sector. Following are the recommendations of the President’s
Task Force on Identity Theft:
PREVENTION: KEEPING CONSUMER DATA OUT OF THE
HANDS OF CRIMINALS
Identity theft depends on access to consumer data. Reducing the opportuni-
ties for thieves to get the data is critical to fighting the crime. Government,
the business community, and consumers have roles to play in protecting data.
EXECUTIVE SUMMARY