Betsy Broder of FTC on: Identity Protection Strategies
Broder: Good morning, how are you.
Swart: Doing well. I'd like to start by talking about consumer issues, and I'd like to know, what is the FTC hearing from consumers about the ID theft problem? Is anything getting better?
Broder: Well, we still receive a fair flow of victim complaints about identity theft. In any given week, we may receive between 15,000 and 20,000 contacts from consumers who are either concerned about identity theft, or have, indeed, become victims of identity theft. Now, a lot of people think that it is an evolving crime, and it certainly is. It can take place when someone steals information from your trash, from your wallet, or from your hard drive. So, we are seeing a certain migration into more high tech crimes, but as you say, consumers are very concerned about this, and that is not going away.
Swart: With this new migration to high tech crimes, what is actually changing? Is it just the sophistication of the attacks against consumers?
Broder: Well, phishing. No one talked about phishing ten years ago, that you would get an unsolicited e-mail that appeared to come from your financial institution. But, I think we are very aware now that that is a real threat to consumer security. At the same time, consumers are becoming more aware of these surreptitious attempts to trick them into giving up their information. But, again, phishing is increasing. Keystroke loggers, spyware, none of this stuff really existed in any sophisticated form five or ten years ago, but these are new threats to consumer security and to their personal information.
Swart: We know that a lot of financial institutions are implementing very aggressive employee awareness and also customer education practices. What are some of the best practices, or best examples that have been shown to be very helpful.
Broder: Well, I'll tell you, the best thing that any institution that has consumer information can do is to develop a plan based upon the threats that currently exist, and then continually reevaluate it. Just as the risk to consumers change as technology changes, the risk to data security changes, as crooks become more adaptive, figure out new ways of getting information, or misusing information. So, it is essential for any financial institution or other entity that has this sensitive consumer information, to continually reassess data security. Having said that, the FTC's approach to data security is pretty straightforward. There is nothing sneaky or difficult about it. We expect companies to use reasonable data security practices that are appropriate for the type of information that they collect. So, for example, if all you are collecting is name and address, you would have a certain level of data security associated with that, but maybe not as elaborate as for the type of information involving passwords, Social Security numbers, or account numbers. So, it's a scalable process. We expect companies to be aware of what the tools are that they can use to ensure protection of this information. I just also wanted to add, we are talking generally about data security in various sectors. The FTC has broad jurisdiction over many sectors of the economy, but we do not have jurisdiction over banks, many federally-chartered credit unions and other financial institutions that are regulated by other federal regulators. But, our approach is a general one, and we expect companies to use appropriate and reasonable data security that is geared toward the type of information that they collect and that they use. There may be other, additional requirements from other federal regulators that banks and credit unions need to be aware of in ensuring their compliance with these provisions.
Swart: Can you tell us a little bit more about how the FTC is working with other federal agencies to combat identity theft?
Broder: We recognize that any meaningful approach to identity theft has to be a coordinated one, and in fact, last spring the President, by Executive Order, established an Identity Theft Task Force that brought together seventeen federal agencies. It was chaired by the Chairman of the FTC and the Attorney General, and the goal was to develop a strategic plan for addressing identity theft by the federal government. So, working together with these many federal agencies, we did develop a strategic plan that was released in the fall that had a series of recommendations, many of which pertain to all of these agencies. The first one is improved data security. Now, the federal government realizes that this is not just a private sector problem, that there are issues in the public sector, and in particular in the federal government, on data security, so we are taking our own medicine. The Task Force had a number of recommendations for federal agencies to improve their data security measures, improve education of employees, minimize uses of Social Security numbers, and the like. As for private sector entities, the Task Force again recommended that there be efforts to improve data security, that authentication methods be strengthened, so that if the information does fall into the wrong hands, it is less likely to be used to commit identity theft. The Task Force recommended a coordinated approach for improved criminal prosecution, because at the end of the day, identity theft is a crime and it needs to be prosecuted, and incentives need to be put in there for people not to do this crime. Then finally, we recognize that under any circumstance, there still will be victims of identity theft. So, this coordinated approach, developed by these 17 agencies, had a series of recommendations, to make it easier for victims to recover from what often is a very devastating crime.
Swart: There's been quite a bit of discussion recently about national breach notification laws, and other changes in the regulatory environment that affect data privacy. Can you give us an update on what might be happening, or maybe just suggestions on how financial institutions should prepare for this changing regulatory environment?
Broder: Well, let's just talk first about what is happening, at the moment, not a whole lot. At this last session there were a number of bills having to do with breach notification requirements, as well as data security requirements. In fact, among the initial recommendations of the task force were to develop national standards for both breach notification and data security. A number of states, in fact, the majority of states, now have breach notification laws. But, there is no standard that applies across the board as to when notification is required following a breach. Some states say when there is unauthorized acquisition of the information, you need to alert people. Other states say when people are presented with the risk of identity theft, with a reasonable risk of identity theft, there are all sorts of differences in the various state laws, which is why the task force thought it important to have a uniform standard across the nation, so that in those states that don't have breach notification, their residents can be alerted when their information puts them at risk of identity theft. So, the federal recommendation from the Task Force was that the standard be that when there is a significant risk of identity theft, consumers
should be notified. We were really concerned that if the standard was anything but a significant risk of identity theft, consumers would be receiving notices all the time, and eventually they would start ignoring them. They would no longer serve their purpose. We also thought it was important that this law preempt state laws, but give state Attorneys General the authority to enforce it. Finally, we thought that it was not advisable in these circumstances to provide a private right of action. So, that was one major recommendation. The other on data security was that, again, there be a national standard for data security. Many institutions, and in particular financial institutions already are compelled under the Graham-Leach-Bliley Act, to develop safeguards on reasonable security, but many sectors of the economy have no such requirements.
So, the recommendation was, again, to have federal preemptive legislation for those entities that are not already compelled to have a data security safeguards program.
Swart: Good information. Well, let's shift to the victim for a minute. When a customer of a financial institution becomes a victim of identity theft, what things can a financial institution do to help that customer recover?
Broder: You know, this is an issue that has not gotten enough notice, I think, that at the end of the day, again, there is a victim of this crime. So, some financial institutions have banded together and developed a program called "The Identity Theft Assistance Center," or ITAC. And someone who experiences identity theft at one of these institutions can get the benefit of this organization, ITAC, they will assign an ombudsman to work with this person, to get a copy of their credit report, and to work through the various accounts where fraud has occurred. I think they have already worked with over 15,000 consumers of these financial institutions, and that is a great thing. But, you don't need to be a part of this consortium to provide meaningful assistance to victims. It is important in financial institutions to have someone that the consumer knows that they can call. Frequently, people say, "I'm a victim of identity theft," and they get shifted from one desk to another, and no one knows how to work with them. So, having a single person whose responsibility it is to work with the victims is great. We also think it is important to give information to make it less likely that people will become victims of identity theft. A number of banks on their websites link to the Federal Trade Commission's website on identity theft, and that is ftc.gov/idtheft. Others have included in mailings a little insert that has information on learning more about protecting yourself from identity theft, or some material from the FTC, which we gladly share. All of these are ways of helping consumers. And finally, I would say, it had been the practice that if someone were a victim of identity theft, and say, accounts were opened at five different institutions, they would have to fill out five different fraud affidavits, which was really a tremendous burden on victims of identity theft. So, the FTC developed a single-form affidavit that could be used at multiple institutions, so the victim only has to fill it out once, and then provide it to the various institutions, and it alleviates a lot of the burden on them. The FTC has a lot of victim assistance materials and resources at our website, and in fact, this whole process can be made easier if you direct victims to our website. They can fill out an online complaint form and print it out, and that becomes the basis of an identity theft report that they can provide to the bank, and they can use to exercise other rights under federal law, and at the same time, the consumer's information goes into a central database housed at the FTC that we share with criminal law enforcement around the country, so that they are better able to spot trends, initiate investigations, prosecute, and ultimately sentence identity crooks.
Swart: That's great advice for institutions to follow, and I think it is important that they do focus on the victims more. Well, thank you for your time today, Betsy, it's been great talking to you.
Broder: It's been a pleasure. Thank you so much.
Swart: Well, thank you for listening to another podcast with the Information Security Media Group. To listen to a selection of other podcasts, or to find other educational content regarding information security for the banking and finance community, you can visit www.BankInfoSecurity.com or www.CUInfoSecurity.com