More than a dozen major U.S. companies in the first half of the year reported that personal information under their watch was compromised. Whether these security breaches involved sophisticated networking hacks, clever conmen, stolen laptops or missing data tapes, the sensitive data of roughly 50 million people potentially rests now in the wrong hands.
Yet, for all these stories about security breaches and data theft, only a fraction have involved actual arrests and prosecutions. If individuals are caught and convicted, they face severe penalties. For example, the 1998 Federal Identity Theft and Assumption Deterrence Act prohibits "knowingly transfer[ring] or us[ing], without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law." The offense carries a maximum 15-year term and loss of any personal property used or intended to be used to commit the crime.
A number of other statutes outlaw various types of fraud related to identity theft (e.g., credit card fraud, identification fraud, wire fraud), and they carry substantial penalties – in some cases, as high as 30 years' imprisonment, fines and criminal forfeiture. And just last year, Congress passed the Identity Theft Penalty Enhancement Act that adds a two-year prison term (or five-year term where terrorism is implicated) to any punishment that a person already receives for certain felony violations if, in the course of that crime, the person "knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person or a false identification document."
Why, then, in the face of so many laws penalizing identity theft, are so many security breaches still occurring? Have the identity theft laws failed to deter data thieves? Or are we simply hearing about breaches more?
First, more than a dozen states now have security breach notification laws on their books – laws that require entities doing business in these states to disclose security breaches that compromise computerized, unencrypted personal data. Lawmakers on Capitol Hill are looking at similar legislation. So there is no question that security breaches are being made public in far greater numbers than before.
Second, for all the ID theft and fraud laws that impose heavy penalties on convicted data thieves, there remains a lucrative black market for stolen data and therefore a strong incentive to risk arrest and prosecution. This highly structured online black market for credit card numbers, bank account numbers, and other valuable consumer information uses buyers, sellers, intermediaries and even service industries – all operating on complex websites that have been created to streamline the process of exchanging stolen data. There is also the fact that the data thieves who hack into networks to steal personal data aren't located in the United States.
Yet there is some good news. There is evidence that the number of security breaches – and, consequently, identity theft due to network vulnerabilities – is actually declining. A 2004 study by the FBI and the Computer Security Institute (CSI) shows that the "overall frequency of (successful) attacks on computer systems declined [in 2004], continuing the trend that began in 2001." Can this data be linked to identity theft laws? It's unlikely, although not impossible. What's more likely is a decline in breaches due to better security practices.
Nevertheless, as long as the lure of the black market for personal data – especially personal financial data – exists, data thieves have a strong incentive to run the risk of getting caught for violating identity theft laws. But given the existence of this phenomenon and in light of increasing evidence that the most sophisticated data thieves are organized crime gangs located in other countries, it may be unfair to question if our identity theft laws work. Rather, it may be more appropriate to question what Congress is doing in terms of funding and otherwise supporting efforts to investigate data theft and prosecute those responsible, as well as to ask lawmakers and industry alike to come up with solutions for making it far more difficult – or even impossible – for data thieves to use stolen personal information to commit fraud and identity theft.
Emily Hancock is a corporate attorney and contributor to Security Wire Perspectives.