Plenty of praise has been heaped upon a White House ID theft task force for the steps it recommended Monday to better protect people from fraud. But a group representing private industry says something important is missing -- guidelines to help federal agencies address their own security shortcomings.
"There are some excellent recommendations in the report, but so many recent breaches involve the federal government," said Liz Gasster, general counsel for the Cyber Security Industry Alliance (CSIA). "It's a poignant and significant oversight that this wasn't addressed more specifically."
Attorney General Alberto Gonzales and Federal Trade Commission (FTC) Chairman Deborah Platt Majoras unveiled the President's Identity Theft Task Force Strategic Plan Monday on the FTC's Web site. They said the goal is "to improve the effectiveness of criminal prosecutions of identity theft; enhance data protection for sensitive consumer information maintained by the public sector, private sector, and consumers; provide more comprehensive and effective guidance for consumers and the business community; and improve recovery and assistance for consumers."
Majoras said, "Identity theft is a blight on America's privacy and security landscape. Identity thieves steal consumers' time, money, and security, just as sure as they steal their identifying information, and they cost businesses enormous sums."
The task force recommends reducing the unnecessary use of Social Security numbers by federal agencies, establishing national standards that require private organizations to safeguard the personal data they compile and provide notice to consumers when a breach occurs; implementing a "broad, sustained awareness campaign" by federal agencies to educate consumers, the private sector and the public on methods to deter, detect and defend against identity theft; and creating a national identity theft law enforcement center that helps law enforcement agencies coordinate efforts to investigate and prosecute identity thieves more effectively.
The task force also recommends several pieces of legislation to make these things happen. While there are already several laws at the state and federal levels to hunt down and prosecute identity thieves, the task force believes sharper teeth need to be added to what's already on the books.
"Although much has been done to combat identity theft, the specific recommendations outlined in the strategic plan -- from broad policy changes to small steps -- are necessary to wage a more effective fight against identity theft and reduce its incidence and damage," the task force said.
While the report offers plenty of helpful guidance for organizations to better protect sensitive data, Gasster said she was hoping for a clearer picture of what the government is doing to clean up its own house.
Media attention has been largely focused on private sector data breaches in recent months, most notably the security failure of TJX Companies Inc., where a sustained network breach exposed at least 45.7 million credit and debit card holders to identity fraud. But Gasster cited a number of serious breaches at the government level, such as the theft of a Department of Veterans Affairs (VA) laptop and external hard drive last year that exposed 26.5 million veterans and active duty personnel to identity fraud, and a more recent incident where the U.S. Department of Agriculture (USDA) admitted the private data of about 38,700 people was accessible to the public on a government-wide Web site.
"As citizens, when we provide information to the government we have no choice, unlike the private sector entities we deal with," she said. "So it's all the more important for the government to treat sensitive information with care and properly inform us when there is a breach."
Paul Schmehl, an information security officer for the University of Texas at Dallas, said he likes the task force's recommendation to compensate identity theft victims for the time they must spend restoring their credit. Clarifying the meaning of loss by multiple victims with regard to sentencing guidelines is helpful as well, he said.
But he also sees room for improvement.
"I'd like to see stronger action taken against credit issuers for failure to perform due diligence in determining identity," he said in an email exchange. "Perhaps a cooling off period before issuing credit over a certain threshold [$500, for example] would be helpful as well -- say 72 hours. During that time, an automated phone call could be placed to the telephone number of record for the involved party notifying them of the transaction and providing instructions for protesting or preventing the transaction if they so choose."
The task force's legislative recommendations was of particular interest to Janine Spears, a doctoral candidate in supply chain and information systems at Pennsylvania State University's Smeal College of Business. She said she has interviewed many IT security managers as part of her dissertation research on Sarbanes-Oxley's security impact. While she has gotten a variety of responses, she said legislation is widely seen as something that sets a baseline for acceptable practices.
"Those companies that were already on the ball generally did not need legislative prompting," she said in response to an entry on the task force recommendations in the SearchSecurity.com Security Bytes blog. "In some cases, companies may even be discouraged from performing beyond baseline security requirements. However, laggards may need external pressure (from laws, suppliers, etc.) to prompt them to meet at least a baseline."