By Howard Ommert, Vice President, Global Information Protection Business Continuity, Bank of America
Tens of thousands of fake documents were sold along Roosevelt Avenue for years by two criminal organizations. . . . Two major identity theft “mills” were shut down as a result of the raids.
— “41 Arrested in Massive Identity-Theft Sting,” WNBC report, October 16, 20071
ive years ago, it would have been unlikely that many U.S. citizens would see a news article like the one cited above regarding identity theft—or even that they would recognize identity theft as a crime. Fortunately, awareness has grown, and the underlying crimes of fraud are directly linked to the overarching problem of stolen or lost personal information.
The increased awareness and attention to crimes associated with identity theft make this an ideal time to continue building on the existing public-private partnerships to better combat identity crimes. Bank of America has established such a partnership with the IACP, believing that a coordinated response has never been more important, providing the law enforcement community with the tools and information it needs for investigating identity crimes and working alongside the law enforcement community to identify and prosecute these crimes.
Combating Identity Theft
At present, support for public-private partnerships is encouraged at the highest levels of the federal government. In April 2007, the President’s Identity Theft Task Force released its long-awaited strategy for addressing identity theft.2 The underlying theme of this plan accurately identifies the need for coordination between the public and private sector; recognizes the limited resources in both the public and the private sectors; and highlights the growing concerns of the public. The strategic plan outlines four specific issues to be addressed:
- Keeping “sensitive customer data” safe through better security and education
- Making it difficult to use stolen data
- Providing assistance to victims of identity theft to improve their ability to recover
- Deterring identity theft with more aggressive prosecution and punishment3
This strategic plan takes an aggressive stance toward combating identity crimes and outlines specific recommendations in each of these critical areas. But although the strategy makes an outstanding effort to address identity theft, it falls short on helping those in the public or private sector directly involved with responding to or investigating identity crimes.
Identity Crime and the Private Sector
Businesses are the guardians of consumers’ most personal information, and they were the primary focus of this strategic plan. To be a reputable company and to operate in the world of online commerce, protecting customer information is critical to establishing, maintaining, and building the customer trust that is the foundation of the company’s reputation and business success. There is no room for shortcuts, because a single incident of lost or stolen data can destroy that customer trust in an instant.
For the private sector, the methods used to protect confidential customer data are increasingly difficult to implement and expensive to maintain. Companies must use specialized systems to encrypt confidential stored data, to secure communication channels between customers and businesses, and to authenticate those with whom they communicate confidential information—and those are just some of the requirements to protect information. The end result is that more effort is made to prevent data losses, and little to no effort is made to investigate the theft of this information or to prosecute offenders.
Support for Law Enforcement Agencies
Some regulatory requirements intend to bring the private sector into line with the investigative activities of law enforcement agencies. Most recently, the banking industry was given the final rules for provisions 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), which amends the Fair Credit Reporting Act (FCRA).4 These rules state specifically that financial institutions must develop and implement identity theft prevention programs by November 1, 2008. Moreover, the identity theft programs must incorporate policies and procedures for detecting, preventing, and mitigating identity theft. The detection piece of these programs will directly benefit the law enforcement community but might impose large numbers of cases on already beleaguered law enforcement agencies.
Because these agencies are already trying to find enough resources to fight traditional crimes, they may be unprepared to deal with the increased number of cases related to fraud and identity theft. With mounting case files and the amount of physical evidence that needs to be sifted through every day, how do law enforcement agencies cope with the mountains of paper or electronic records that come with investigating and prosecuting fraud?
There will be a greater need to provide law enforcement agencies with training to handle the white-collar crimes associated with identity theft. Similarly, companies have to improve relationships with the federal law enforcement level to ensure that criminal activity gets reported to the right agencies. Because most identity theft crimes extend across state lines or beyond the borders of the United States, this might become a limiting factor for smaller companies who are unable to work alongside a federal law enforcement agency. The WNBC report cited earlier is encouraging because it demonstrates that identity theft is being pursued aggressively through cooperative efforts among local, state, and federal law enforcement authorities. This type of task force approach represents an excellent opportunity for providing a coordinated effort to fight identity crimes. Further, it suggests that such task force operations could have the added benefit of involving the private sector in their work. An excellent example of extended task force operations already exists with such successful public-private partnerships as Digital Phishnet.5 This group facilitates the collaborative enforcement operations around the identity theft crime of phishing by uniting law enforcement agencies with industry leaders in technology, financial services, online retail services, and academia.
In light of the increasing demands on the law enforcement community, some effort will need to be made to address the biggest problem areas of identity theft. The scope of the problem with identity theft has never really been measured, and there are limited statistics available to focus any work correctly on the right issues. The level of interest is certainly precipitated by the fact that identity theft is so pervasive and damaging. For the seventh year in a row, identity theft remains the number one consumer fraud complaint, according to the Federal Trade Commission.6 Many questions still remain on whether financial institutions are being targeted specifically due to weak security measures, if commercial credit products are too easily obtained, or if there are other issues contributing to these crimes. The exchange of information between the public and private sectors will be necessary to arrive at some consensus on the issues and to focus everyone’s efforts on attacking the right problems.
Anyone who has worked in law enforcement or the private sector battling identity crime will not be surprised that the WNBC report cited earlier mentions ties to an organized criminal group. Unfortunately, this further compounds the problem. Some of the most difficult identity crimes to investigate are those in which organized groups of Internet denizens use personal information to set up fictitious accounts to launder money. Even more serious are those suspected of having ties with terrorist organizations. Cases like these reflect the possibility that organized crime groups might be the norm rather than the exception. With the amount of money to be gained by using stolen identities and the low risk of getting caught, it is very likely that organized criminal rings are behind a great deal of this activity. Again, partnerships between the private and public sectors may better illuminate this problem with the proper exchange of information.
Cooperation on a Complex Problem
The problem of identity crime is difficult and complex. Coordination between the public and private sectors is imperative to combat identity theft successfully. As demonstrated by the IACP and Bank of America partnership, public-private partnerships create a number of practical benefits. Most importantly, these partnerships increase public awareness to help people learn how to avoid, prevent, and recover from identity theft incidents. Public-private partnerships can reach large numbers of people, from business customers to entire communities. Additionally, these partnerships can be of great benefit in investigating identity crimes. For example, financial institutions must work with law enforcement agencies to understand the behaviors and criminal patterns associated with identity crimes to improve detection.
With informative exchanges of data, the public and private sectors increase the chances of successfully investigating identity crimes, leading to the arrest and prosecution of identity thieves. Through their common interest, the public and private sectors can be more influential on legislators and judicial bodies to enact and enforce laws against identity crimes. Together, these partnerships illuminate the key issues to help determine new methods for keeping identity theft from occurring in the first place. ■
1The article may be viewed at http://www.wnbc.com/investigations/14351857/detail.html (accessed March 31, 2008).
2President’s Identity Theft Task Force, Combating Identity Theft: A Strategic Plan, April 2007, http://www.idtheft.gov/reports/StrategicPlan.pdf (accessed March 31, 2008).
4“Agencies Issue Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy,” Federal Trade Commission, October 31, 2007, http://www.ftc.gov/opa/2007/10/redflag.shtm (accessed March 31, 2008).
5Digital Phishnet (www.digitalphishnet.org) is sponsored by the National Cyber-Forensics and Training Alliance under the guidance of the U.S. Federal Bureau of Investigation.
6Ruth Mantell, “Identity Theft Is Top Consumer Complaint,” Dow Jones MarketWatch Web site, February 14, 2008, http://www.marketwatch.com/news/story/identity-theft-no-1-consumer/story.aspx?guid=%7BF9E47195-1F2E-4EFA-BD46-E37B000F238E%7D (accessed March 31, 2008).