
President's ID theft task force gets mixed review

By Bill Brenner, Senior News Writer
26 Apr 2007 | SearchSecurity.com

Security Wire Daily News

Plenty of praise has been heaped upon a White House ID theft task force for the steps it recommended Monday to better protect people from fraud. But a group representing private industry says something important is missing -- guidelines to help federal agencies address their own security shortcomings.

"There are some excellent recommendations in the report, but so many recent breaches involve the federal government," said Liz Gasster, general counsel for the Cyber Security Industry Alliance (CSIA). "It's a poignant and significant oversight that this wasn't addressed more specifically."

Attorney General Alberto Gonzales and Federal Trade Commission (FTC) Chairman Deborah Platt Majoras unveiled the President's Identity Theft Task Force Strategic Plan Monday on the FTC's Web site. They said the goal is "to improve the effectiveness of criminal prosecutions of identity theft; enhance data protection for sensitive consumer information maintained by the public sector, private sector, and consumers; provide more comprehensive and effective guidance for consumers and the business community; and improve recovery and assistance for consumers."

Majoras said, "Identity theft is a blight on America's privacy and security landscape. Identity thieves steal consumers' time, money, and security, just as sure as they steal their identifying information, and they cost businesses enormous sums."

The task force recommends reducing the unnecessary use of Social Security numbers by federal agencies; establishing national standards that require private organizations to safeguard the personal data they compile and provide notice to consumers when a breach occurs; implementing a "broad, sustained awareness campaign" by federal agencies to educate consumers, the private sector and the public on methods to deter, detect and defend against identity theft; and creating a national identity theft law enforcement center that helps law enforcement agencies coordinate efforts to investigate and prosecute identity thieves more effectively.

The task force also recommends several pieces of legislation to make these things happen. While there are already several laws at the state and federal levels to hunt down and prosecute identity thieves, the task force believes sharper teeth need to be added to what's already on the books.

"Although much has been done to combat identity theft, the specific recommendations outlined in the strategic plan -- from broad policy changes to small steps -- are necessary to wage a more effective fight against identity theft and reduce its incidence and damage," the task force said.

While the report offers plenty of helpful guidance for organizations to better protect sensitive data, Gasster said she was hoping for a clearer picture of what the government is doing to clean up its own house.

Media attention has been largely focused on private sector data breaches in recent months, most notably the security failure of TJX Companies Inc., where a sustained network breach exposed at least 45.7 million credit and debit card holders to identity fraud. But Gasster cited a number of serious breaches at the government level, such as the theft of a Department of Veterans Affairs (VA) laptop and external hard drive last year that exposed 26.5 million veterans and active duty personnel to identity fraud, and a more recent incident where the U.S. Department of Agriculture (USDA) admitted the private data of about 38,700 people was accessible to the public on a government-wide Web site.

"As citizens, when we provide information to the government we have no choice, unlike the private sector entities we deal with," she said. "So it's all the more important for the government to treat sensitive information with care and properly inform us when there is a breach."

Paul Schmehl, an information security officer for the University of Texas at Dallas, said he likes the task force's recommendation to compensate identity theft victims for the time they must spend restoring their credit. Clarifying the meaning of loss by multiple victims with regard to sentencing guidelines is helpful as well, he said.

But he also sees room for improvement.

"I'd like to see stronger action taken against credit issuers for failure to perform due diligence in determining identity," he said in an email exchange. "Perhaps a cooling off period before issuing credit over a certain threshold [$500, for example] would be helpful as well -- say 72 hours. During that time, an automated phone call could be placed to the telephone number of record for the involved party notifying them of the transaction and providing instructions for protesting or preventing the transaction if they so choose."

The task force's legislative recommendations were of particular interest to Janine Spears, a doctoral candidate in supply chain and information systems at Pennsylvania State University's Smeal College of Business. She said she has interviewed many IT security managers as part of her dissertation research on Sarbanes-Oxley's security impact. While she has gotten a variety of responses, she said legislation is widely seen as something that sets a baseline for acceptable practices.

"Those companies that were already on the ball generally did not need legislative prompting," she said in response to an entry on the task force recommendations in the SearchSecurity.com Security Bytes blog. "In some cases, companies may even be discouraged from performing beyond baseline security requirements. However, laggards may need external pressure (from laws, suppliers, etc.) to prompt them to meet at least a baseline."
