Rights for Privacy Breach Victims
I received a provocative question on Twitter last week from idExperts, "If you had a wish list of rights for identity theft victims, what would that be?"
Sounds like a great blog topic! :) Here are my thoughts...
"Identity theft" is such an over-used and mis-used term that it first must be well defined what is meant by "identity theft."
For instance, take the U.S. federal definition:
"The Identity Theft and Assumption Deterrence Act, enacted by Congress in October 1998 (and codified, in part, at 18 U.S.C. §1028) makes identity theft a federal crime.
Under federal criminal law, identity theft takes place when someone "knowingly transfers, possesses or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable state or local law."
Under this definition, a name or Social Security number is considered a "means of identification." So is a credit card number, cellular telephone electronic serial number, or any other piece of information that may be used alone or in conjunction with other information to identify a specific individual.
Violations of the federal crime are investigated by federal law enforcement agencies, including the U.S. Secret Service, the FBI, the U.S. Postal Inspection Service, and the Social Security Administration's Office of the Inspector General. Federal identity theft cases are prosecuted by the U.S. Department of Justice.
For the purposes of the law, the FCRA defines identity theft to apply to consumers and businesses."
Not every country, organization, group, agency, individual, etc. uses this same definition.
The definition relies upon knowing or discovering that someone *actually did something bad*. There are likely huge numbers of bad things being done with stolen personally identifiable information (PII) that no one even knows about; at least not yet, if ever.
And, as the recent Identity Theft Resource Center® (ITRC) "Identity Theft: The Aftermath 2008" report demonstrates, there are many bad things that can occur when PII is stolen.
The statistics provided were a bit fuzzy in their descriptions and corresponding percentages, but the numbers are no less compelling:
- "Criminal only identity theft crimes represented 5%"
- "Governmental issues, which may involve employment, benefit fraud, tax fraud or someone using a fraudulent driver's license as an identifier, accounted for 2%."
- "Financial and criminal (6%)"
- "Financial and governmental (9%)"
- "Combination of all three types (5%)"
- "Medical Identity Theft: More than 2/3 of those responding to these questions reported that medical providers billed for services received by the imposter. Another 56% were contacted by a collection agency or billing department for those services. One-third of the respondents said there is now another person's information on their medical records and 11% were denied health or life insurance due to unexplained reasons."
All these types of PII breaches can happen to individuals in ANY country, not just the U.S. So, there needs to be equal concern for the stolen or lost PII of all individuals, not just those living in specific geographic locations.
I'd like for you to consider another related question: what are the rights of individuals whose PII has been compromised, such as lost, stolen, misused, and so on? This is the question being asked when considering compliance for most data protection laws. Wouldn't it be good to do as much as possible to prevent identity theft (known and unknown) by preventing PII from being stolen, or lost and subsequently compromised?
So, what should be the rights of individuals whose PII was lost, stolen or compromised from a business or organization?
1) Timely notification - covered in current breach notice laws, so I won't elaborate here.
2) Credit monitoring - many organizations provide this, but not all. And it is not a typical legal requirement. Usually it is just for one year, which is not that effective, considering smart criminals (yes, there are many out there!) will often wait much more than a year to use PII. Whether or not credit monitoring is provided is a haphazard, inconsistent issue from breach to breach.
3) Penalties to the organization where the breach originated, being based upon the following factors:
a. Did the organization have a comprehensive risk-based information security program in place including
i. Documented information security and privacy policies, procedures and responsibilities?
ii. Validated effective and targeted regular training and ongoing awareness communications?
iii. Validated administrative, operational and technical safeguards? E.g., encryption, irreversible destruction of disposed information, etc.
iv. Documented personnel responsibilities for security and privacy?
b. Did the organization consistently enforce their policies?
c. Did the organization perform adequate due diligence activities to ensure their business partners, to whom they entrusted PII access, have strong security and privacy practices in place, along with including detailed security requirements within their contracts?
The more of these listed basic security and privacy factors that the organization does not meet, the more significant the penalty should be, including such things as:
a. Restitution to the individuals whose PII was breached, determined by a judge or intermediary based upon each situation. Plus...
b. 10 - 20 years of required ongoing third party reviews, similar to what the FTC usually includes within their consent decrees. Plus...
c. The organization must subsidize information security and privacy programs for K-12 and undergraduate education for schools in their area. This may sound a bit radical or harsh, but think about it; if a company can help ensure our leaders of tomorrow grow up with an information security and privacy mindset, they will help to dramatically reduce the number of privacy incidents that occur in the future. If organizations cause incidents, then they should help to provide education to make sure their mistakes are not repeated by others in the near future.
History shows, and psychology research confirms, that people must be motivated to do things they otherwise would not do on their own accord. These types of penalties would provide much more motivation for business leaders to implement strong security and privacy programs than current laws and regulations provide.
A blog post is not the place to do this topic justice. I haven't even touched upon the considerations that must be made for the insider threat. But, I need to get back to doing my work to bring home some bacon!
However, I hope I've given some good food for thought about this very important issue of how to make amends to individuals whose PII was lost, stolen and possibly misused through no fault of their own! Individuals should not have to continue paying for the bad security practices of organizations who should have prevented incidents from occurring in the first place.
Let me know your thoughts!

Comments
Rebecca, you answered their query in a much more robust manner than I. Thought perhaps my thoughts on the topic may reinforce your own.
--
-- Suggest defining Breach, Theft, Loss
- Breach - technological defense compromised - enterprise infrastructure or laptop
- Theft - information was stolen, may be via technology breach or physical expropriation (i.e. stealing paper off a desk)
- Loss - unintentional misplacement of an item - laptops left on trains, wrong box out the door etc.
-- Suggest defining Exposed and Exploited
- Exposed - in Breach, Theft & Loss data may be recovered or may simply be gone. In either case the data should be considered to be in an "exposed" state - that is, it is no longer being controlled by the trusted custodian. Individuals often times are mandated to entrust their personal identifying information (PII) to entities in order to receive goods or services. The expectation that the data will be protected is universal. When the data is outside of the protective environment, it is in an exposed state and therefore at risk.
- Recommendation: During this at risk state, mandatory notification to the individual should be required. Notification should include - totality of the data placed at risk, date, time, circumstances. Include recommendations on how the individual should monitor for exploitation. If such recommendations include a "for fee" recommendation, that "for fee" service should be covered by the entity who allowed the individual's data to be exposed.
Example: Heartland Breach - it is known that many credit card numbers were exposed during a breach of Heartland's infrastructure. Most banks acted swiftly to replace those exposed credit card numbers. That is all to the good. Unfortunately, the Credit Bureaus log the event as a "lost credit card" with no explanation, and it is indistinguishable between the consumer having been negligent or a vendor losing your data. And the FICO is affected. This unexpected change of credit card number carries with it the requirement for the individual to engage all their vendors and change their business documentation. So we have the individual expending time and resources, we have all of that individual's vendors expending their time and resources, and all due to an action over which none of these had control or oversight.
- Recommendation: When adjustments to credit cards or other items are required due to an event not of the individual's creation, the appropriate notifications should distinguish the circumstances. An avenue to garner reimbursement for time/expenses involved in straightening up one's identity, credit, vendor relationship associated with the event should be afforded reasonable reimbursement.
- Exploited - exposed data does not always evolve to exploited data. However, when it does, then the individual should be fully protected.
- Recommendation: Reimbursement of expenses in straightening up their identity when ID Theft is confirmed. Exonerating documentation provided - a standard format should be used which is (a) verifiable and (b) widely acceptable. How many times do the victims end up being perceived as the criminal - we need a way to universally protect the victim.
In sum, this year alone there have been 185 incidents affecting more than 3.6 million individuals* - this is disturbing (in 2008 there were 598 reported incidents which touched approximately 83.7 million individuals). If companies, large or small, handling PII or PCI type data don't protect it voluntarily, states in the United States context and governments in the global context will attempt to regulate to protect their constituencies.
Posted by: Christopher Burgess | June 4, 2009 5:42 PM