Preventing Identity Theft: Industry Practices Are the Key

Preventing Identity Theft: Industry Practices Are the Key

Outline of remarks by Beth Givens, Director
U.S. Dept. of Treasury
Washington, D.C.

National Summit on Identity Theft
Panel on Prevention
March 15-16, 2000

 

Introduction

Discussions on preventing identity theft often focus on steps consumers can take, such as shredding their trash and restricting access to their Social Security number (SSN). But realistically, while such measures can reduce the odds of becoming a victim, there is little consumers can do to actually prevent identity theft. The key to prevention, rather, is for businesses to establish responsible information-handling practices and for the credit industry to adopt stricter application verification procedures, among other strategies (see below).

Business Practices

  • Develop comprehensive privacy policy that includes responsible info-handling practices.
  • Adhere to responsible info-handling practices such as proper document disposal (shredding).
  • Conduct regular staff training, new employee orientations, spot checks on proper info care.
  • Put limits on data collection to minimum info needed. For example, is SSN really required?
  • Put limits on data disclosure. For example, must SSN be printed on paychecks, parking permits, staff badges, time sheets, training program rosters, lists of who got promoted, on monthly account statements, on client reports, etc.
  • Restrict data access to staff with legitimate need to know; electronic audit trails; strict penalties for browsing and illegitimate access.
  • Conduct employee background checks. Screen cleaning services, temp services, etc.
  • Include responsible information-handling practices in business school courses, even in elementary schools when children are exposed to computers.

Social Security Number

  • Get SSN out of circulation. Analogy of environmental pollution -- information pollution.
  • Prohibit use as driver's license number, as health insurance ID, as student ID, military ID.
  • Prohibit commercial sale of SSN, available now on info broker web sites (credit header).
  • Revisit voluntary agreement between Individual Reference Services Group (IRSG) and FTC. Has not been effective in preventing commercial sale of SSNs to general public.

Departments of Motor Vehicles, Public Records

  • Maintain central clearinghouses in each state for lost and stolen driver's licenses.
  • Conduct better photo checking and ID checking for new, duplicate, and replacement Ids.
  • Restrict access to birth certificates in states where they are now public. Redact SSNs and other sensitive information from public records, especially when accessible on the Net.

Credit Issuers

  • Conduct better identity verification, especially when address is reported as changed or is different from what is indicated on credit report.
  • Conduct better identity verification for credit cards obtained via pre-approved offers of credit. Don't rely solely on SSN. Supplement with utility bills, tax record address, etc.
  • Improve identity checking procedures for "instant" credit, favored by identity thieves.
  • Put photographs on credit cards.
  • Enable customers to place passwords on credit accounts.
  • Truncate digits on account numbers printed on transaction slips at point-of-sale.
  • Use account profiling systems to detect unusual activity. Notify consumer of possible fraud.
  • Check if there is existing account in applicant's name.
  • Check master death index.
  • Reduce number of pre-approved offers of credit mailed to consumers. Don't mail to anyone under 18. Print opt-out phone number prominently on all such offers (888-5OPTOUT).
  • Prohibit convenience checks. Or at least provide opt-out to credit card and bank customers.

Credit Reporting Agencies

  • Provide consumers free credit report annually upon request in all states.
  • Require that when credit report is obtained by customer, the subject always gets a copy.
  • Conduct profiling and provide notice to subject when unusual activity is detected by CRA.
  • Notify subject whenever inquiry is made, with notice to the original address.
  • Always report fraud alert to credit issuer when only the credit score is requested. Credit issuer that grants credit to impostor after fraud alert has been established should be penalized.
  • Place fraud alerts more prominently on credit reports.
  • Provide ability for consumers to "freeze" credit files, or at least as in Vermont, require affirmative consent of subjects before any credit reports are issued to customers of CRAs.
  • Conduct better screening of CRA customers. Cancel contracts of any customers when consumer credit reports are accessed by staff without legitimate business purpose.
  • Enable consumers to easily obtain security alerts, even if they are not fraud victims, with a simple way to deactivate the alert when they need to obtain credit.
  • Comment: CRAs must make it easier for victims to reach "live" staff. Victims need one-stop shopping so they do not have to replicate their clean-up steps with each CRA.

Criminal Identity Theft (worst-case scenario -- when victim is burdened with a criminal record)

Solutions must be found to enable victims to detect errors, clear erroneous criminal records, and prevent proliferation of erroneous records in info brokers? data bases. (CA Task Force)

What about Biometrics?

  • Must be regulated to avoid abuse and prevent secondary uses ("function creep").

Publications

  • "Privacy Piracy: A Guide to Protecting Yourself from Identity Theft," by Mari Frank, Esq. and Beth Givens. (Office Depot, 1999 - currently out of print)
  • "Identity Theft: What to Do if It Happens to You," by Privacy Rights Clearinghouse and CALPIRG. Available at PRC and PIRG web sites.
  • "Coping with Identity Theft: What to Do When an Impostor Strikes," by Privacy Rights Clearinghouse. (Fact Sheet 17) www.privacyrights.org.
  • Identity Theft Prevention and Survival, by Mari Frank, Esq. Available at www.identitytheft.org.
  • "Identity Theft: When Bad Things Happen to Your Good Name," by Federal Trade Commission. (Feb. 2000) www.consumer.gov/idtheft. (800) 877-IDTHEFT

Web Sites