By Kirk J. Nahra, CIPP
On April 23, 2007, the President's Identity Theft Task Force, led by the Attorney General and the Chair of the Federal Trade Commission (FTC), released a report that describes a coordinated strategic plan to reduce injuries from identity theft and take more aggressive action against identity thieves.
This report contains extremely useful information for companies and individuals interested in the ongoing fight against identity theft. In particular, aside from the vast array of useful detail about security practices, current privacy/security statutes and recent data breaches, the report focuses on the following key elements of the identity theft problem:
- Prevention, through providing enhanced security for information that can lead to identity theft;
- Prevention, in terms of making it more difficult for identity thieves to mis-use or take advantage of personal information;
- Improving identity theft victim recovery activities; and
- Law enforcement efforts to investigate, prosecute and punish identity thieves.
This coordinated strategy creates an ongoing series of action steps for the federal government, its state and local law enforcement partners and all entities that create and maintain personal information. The plan describes a continuing effort to make identity theft harder to commit, harder to profit from and easier to investigate and prosecute.
Action Plan and Key Elements for Private Companies
Beyond the key elements of the report, it is critical for private entities - the companies that collect, maintain and disclose the personal information that can be mis-used to commit identity theft - to review the key elements of the report and to understand the major action items and implications contained in it. Here are some of the key topics for Corporate America stemming from this report:
o Start a project related to SSNs
The Strategic Plan makes clear that the Social Security Number (SSN) is the single most sensitive piece of data, with the highest likelihood of identity theft risks. While there is an increasing variety of laws relating to the use, collection and disclosure of SSNs, these laws impose only modest formal restrictions on how they can be used and disclosed by private companies.
Despite this limited legal environment, however, all private companies should institute a specific management project to understand - across the company - how the SSN is obtained, collected, stored and disclosed. It is clear - throughout Corporate America - that SSNs are collected, disclosed and maintained for purposes that are either unnecessary or inappropriate. Most companies have no firm idea of all the places in the company where an SSN may exist: HR and payroll files, customer records, application logs, test data, backups and documents on file shares. Each of these SSN contact points creates a realistic risk in connection with identity theft. It is only through an organized effort - by each individual company - that appropriate steps can be taken to reduce access to SSNs and the related risks of inappropriate use or disclosure.
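An SSN inventory project usually starts with discovery: scanning the places where data actually lives for values that look like SSNs. The script below is an added example written for this article, not material from the Task Force report or from the author. It finds hyphen-, space- and unseparated nine-digit candidates, discards values that cannot be SSNs under the Social Security Administration's structural rules (area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid), and records only the last four digits, so the inventory itself does not become another SSN store. The file names and contents are constructed sample input; a structurally valid match is still only a candidate, since it may be an account number or test value that happens to fit the pattern, so findings need a human review step.

```python
"""Discover candidate SSNs in text sources (exports, logs, documents) for an SSN inventory."""
import re
from dataclasses import dataclass
from typing import Dict, List

# 123-45-6789, 123 45 6789 or 123456789. The separator must be consistent (backreference),
# and the match may not touch another digit or hyphen, which drops most 10-digit phone numbers.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")


def is_structurally_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000/666/900-999, group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


@dataclass(frozen=True)
class Finding:
    source: str    # where the candidate was found (file, table, log name)
    line_no: int   # line within that source
    masked: str    # last four digits only; the full value is deliberately not retained


def mask(serial: str) -> str:
    return f"***-**-{serial}"


def scan_text(source: str, text: str) -> List[Finding]:
    """Return one Finding per structurally valid SSN candidate in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, _sep, group, serial = m.groups()
            if is_structurally_valid_ssn(area, group, serial):
                findings.append(Finding(source, line_no, mask(serial)))
    return findings


def inventory(sources: Dict[str, str]) -> Dict[str, int]:
    """Candidate count per source: the first cut of an 'where do SSNs live' map."""
    return {src: len(scan_text(src, text)) for src, text in sources.items()}


# Constructed sample sources (not real data). The log and fixture files show the two
# things a scanner must handle: unseparated SSNs in logs, and near-misses that are not SSNs.
SAMPLE_SOURCES = {
    "hr_export.csv": "name,ssn\nJane Doe,123-45-6789\nJohn Roe,487-65-4320\n",
    "app.log": "2007-05-01 user lookup ssn=123456789 status=ok\nphone=2025551234\n",
    "test_fixtures.txt": (
        "000-12-3456 invalid area\n666-12-3456 invalid area\n912-34-5678 invalid area\n"
        "123-00-6789 invalid group\n123-45-0000 invalid serial\n"
    ),
}

if __name__ == "__main__":
    for src, count in inventory(SAMPLE_SOURCES).items():
        print(f"{src}: {count} candidate SSN(s)")
    for f in scan_text("app.log", SAMPLE_SOURCES["app.log"]):
        print(f)
```

Run against real shares, database exports and log archives, the per-source counts become the list of "SSN contact points" the project then works through, deciding for each whether the SSN is needed there at all, and if so who may read it and how it is protected.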
o Overall security practices
The report also emphasizes the importance of improving overall security practices, in both private industry and throughout the government. Companies in many industries face existing requirements to develop and implement appropriate security plans. Companies in all other industries should be aware of the BJ's Wholesale Club case, where the FTC imposed liability on a company for a failure to implement reasonable and appropriate security procedures, despite the absence of either a specific legal requirement or representations to customers about security practices. In addition, there is an increasing likelihood of formal federal legislation imposing broad security requirements across all industries.
Whether motivated by specific legal requirements or not, all companies should understand the need to develop and implement appropriate security practices. These practices do not need to meet a "perfection" standard. Instead, the existing legal standard requires "reasonable and appropriate" security practices. But these obligations require an ongoing effort to develop security policies and to impose stricter security practices across all aspects of a company. A failure to create reasonable and appropriate security creates both practical risks of security breaches and an increasing array of legal and financial potential liabilities.
In addition, the report highlights the need for an ongoing security program to stay abreast of both technological developments and new issues that become visible as security risks. The past year has featured a flood of cases involving stolen or lost laptops. Clearly, companies need to evaluate their use of laptops, including encryption programs and new practices limiting what information is stored on laptops in the first place. Similarly, PDAs, BlackBerry devices and other portable devices and media create a new category of risks, often outside of the traditional security practices of companies. This need for re-evaluation of security practices is ongoing and crucial.
o Be aware of "low tech" security risks as well
While companies must evaluate their security practices, they must recognize that this is not simply an exercise in computer or network security. Instead, the report details a wide variety of "low tech" cases and risks, designed to focus attention on the wide variety of security breaches that do not require sophisticated electronic hacking skills. Instead, companies must be sure to incorporate basic document retention and security issues into an overall security plan. In addition, companies should be aware of the existing laws related to the appropriate disposal of information, regardless of the form of this information.
o The importance of customer notice
The rise in identity theft risks also focuses attention on the new breed of security breach issues related to the notification obligations in the event of a security breach. These laws - in place in more than 35 states with more on the way - likely will be followed in the near future by a national security breach notification standard. The widespread publicity associated with many security breaches has raised the complexity of these notice evaluations, in terms of mandating specific investigations and forcing companies to undertake a sophisticated analysis of whether notice is required (or whether it should be given even if not required), along with a host of related issues (should we provide credit monitoring, etc.). In addition, companies should be aware that regulators now are bringing the first enforcement actions related to these notice laws. In New York, the attorney general has brought an action alleging a violation of the New York security breach notification statute by CS STARS LLC, a Chicago-based claims management company (see www.oag.state.ny.us/press/2007/apr/apr26a_07.html for more information about this case).
In this context, companies should be aware of the ongoing debate about a "risk" standard for security breach notifications. The state laws vary on the standard for notification, with some states clearly limiting notice to situations where a risk of harm is "reasonable." Other states have different (and often lower) thresholds. The notice standard is a key component of the debate at the federal level. The FTC is on record as being concerned about the risk of "over-notice," where a "too low" standard bombards consumers with multiple notices that individuals ultimately ignore, or that give them no reasonable basis to evaluate their own potential harm.
o The crucial issue of authentication
The report focuses attention on one issue that often receives less attention - inhibiting the ability of potential identity thieves to profit from the information they have taken. If a thief obtains a consumer's SSN, but is unable to obtain new credit cards because of the authentication practices of a credit card company, the information becomes less valuable and the losses plummet. Companies must re-evaluate their customer and personnel authentication practices. In particular, while authentication issues are not new, "better" authentication practices often have taken a back seat to improved ease of use by customers. The task force's report shows us that companies may need to re-evaluate this balance. If identity thieves cannot use stolen information, identity theft losses decrease. This new reality must be a component of the assessment as companies review their authentication practices.
o Be aware of growing litigation
To the extent that further encouragement is needed, companies also need to be aware of the rising tide of privacy and security litigation, much of it driven by identity theft concerns. To be clear, there still is no flood of privacy and security litigation. Yet, there is a consistent increase, from both consumer-driven cases and litigation between companies, typically involving who is responsible for specific identity theft losses. The pending and expanding TJX breach should be watched closely as a potential tipping point. The case provides a privacy/security "Perfect Storm": a longstanding, ongoing security breach, apparently driven by weak security practices, resulting in substantial harm.
o Recognize that notice doesn't get you out of litigation
When considering the litigation environment and the complexities of various notification laws, companies need to reconcile the tension between notification and the risks of litigation. It is critical to understand - and focus on - the fact that compliance with a notification law does not preclude privacy or security litigation. Instead, compliance with the notification laws is just that - compliance with these laws, without any preclusion of other enforcement or litigation activity related to the breach. The purpose of the notification laws is to permit consumers to take action proactively in an effort to prevent harm from identity theft. Obviously, these steps are designed to reduce harm. But from a legal perspective, they also can mitigate or reduce any actual damages resulting from a security breach. Proving actual damages remains a key hurdle for any plaintiff pursuing privacy or security breach litigation.
Companies providing notice should of course be aware that, in many circumstances, the notification is the first time that a consumer will learn of a security breach, and may itself lead to breach-related litigation. So, in addition to reviewing the requirements of notification laws, companies also need to consider carefully the mitigation and public relations impacts of this notification. This challenge may be particularly difficult in situations where a company's obligation is to notify its corporate clients, rather than consumers directly. This notification process pushes the corporate client - the "owner" of the data under most statutes - to develop a notification plan that places blame on the agent. Companies need to work with their clients to develop a plan that is fair and accurate, without unduly placing blame or unnecessarily scaring consumers.
o Recognition that there are substantial weaknesses in government systems
The task force report also highlights many weaknesses in federal government security practices. The report is only the most recent description of the wide range of security flaws in governmental information systems (the GAO has a long set of reports cataloguing the failures of virtually every major federal agency). These practices are even weaker at many state and local levels. In addition, there have been recent cases involving state Freedom of Information Acts. These cases demonstrate that, even where security practices are appropriate, the rules for government entities may require disclosure of information to unintended sources through routine "open government" information requests.
These concerns should motivate private companies to be wary of government information requests, and to be cognizant of these risks when providing information to governmental entities. Recognizing that there may be times when companies have no choice, companies should always review whether information must be provided, including in all instances where there are means of reducing the private information provided or otherwise encouraging additional protections for personal information about private customers and employees.
o Recognition of non-credit aspects of identity theft and other security harms
Lastly, businesses must begin to consider the range of identity theft concerns that extend beyond simple credit risks. Obviously, credit risks are significant and extensive. But as the report and other recent studies make clear, credit risks are not the only concerns with identity theft. The World Privacy Forum, for example, recently published a groundbreaking study (available at www.worldprivacyforum.org/medicalidentitytheft.html) on the risks of medical identity theft. In addition, the FTC, in its February 2006 report, "Take Charge: Fighting Back Against Identity Theft," (available at www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.htm), identifies the following "specific problems" that can occur in connection with identity theft:
- Bank Accounts and Fraudulent Withdrawals
- Bankruptcy Fraud
- Credit Cards
- Criminal Violations
- Debt Collectors
- Driver's License
- Investment Fraud
- Mail Theft
- Passport Fraud
- Phone Fraud
- SSN Misuse
- Student Loans
- Tax Fraud
The FTC report details each of these harms, and describes specific means of responding to each kind of injury.
Identity theft remains a substantial problem in this country and around the world. The task force report identifies an aggressive effort to attack this problem, along with the recognition that there is a long way to go. While this government effort clearly is worthwhile, this report highlights for businesses the key areas of risk and some of the most important steps that companies can take to play their part in combating identity theft. Companies cannot view this issue as someone else's problem. It is time for companies to take these steps to fulfill their obligation to attack the problem of identity theft.
Kirk J. Nahra is a Partner with Wiley Rein LLP in Washington, D.C., where he specializes in privacy and information security litigation and counseling for companies facing compliance obligations in these areas. He is chair of the firm's Privacy Practice. He is a Certified Information Privacy Professional. He serves as the Chair of the Confidentiality, Privacy and Security Workgroup, a panel of government and private sector privacy and security experts advising the American Health Information Community (AHIC). He can be reached at
(The Task Force's Strategic Plan, called "Combating Identity Theft: A Strategic Plan," is available at www.idtheft.gov/reports/StrategicPlan.pdf. A second volume of the report - containing a wide variety of very useful resources related to identity theft and the privacy and security of personal information - is available at www.idtheft.gov/reports/VolumeII.pdf.)
This article was reprinted with permission from Wiley Rein's Privacy in Focus newsletter (June 2007).