Financial scams and incidents of medical identity theft are on the rise - and they're among the main threats to business and consumers in 2010.
This is the warning from Jay Foley, executive director of the Identity Theft Resource Center. In an exclusive interview, Foley discusses:
Responding to an explosive rise in identity theft crimes, Jay and Linda Foley established the Identity Theft Resource Center (ITRC) in 1999 in order to provide education and victim assistance to consumers and businesses. As Executive Director of the ITRC, Jay is today recognized nationally as an expert on identity theft issues.
Frequently addressing national, state and community organizations, Jay travels throughout the United States providing training for businesses, consumers and law enforcement. He has appeared before state legislatures and in Congress recommending new laws to protect against the crime of identity theft and he is a regular on San Diego news programs.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today with Jay Foley, Executive Director of the Identity Theft Resource Center. Jay, thanks so much for joining me.
JAY FOLEY: Thanks for having me on Tom.
FIELD: Jay, for people that haven't encountered the ITRC before, could you tell us a little bit about yourself and the organization please.
FOLEY: Well, the Identity Theft Resource Center is a non-profit group. We operate out of San Diego, California. And what we do is we assist victims of identity theft all across the United States. In fact, right now we are actually working around the world with U.S. citizens who are in foreign countries dealing with identity theft issues here in the U.S.
FIELD: Jay, what have been the dominant identity theft stories that you have dealt with in 2009?
FOLEY: Well, the biggest stories have had to focus around the activities of Mr. Albert Gonzales, who was responsible for the Heartland Security Breach. The fact that he stole over 130 million credit cards and debit cards has made a lot of people nervous. The next story after that would probably have to do with the medical records. The number of various medical facilities out there that have personally identifiable information that has just gone missing or is not being considered as a problem because, 'oh gee, your personal information went astray, but your diagnosis didn't, so it is not a breach,' when in fact, if either go astray it is a breach.
FIELD: Now Jay, you have got new research out about the trends as we look into 2010. Just to give our audience a bit of a teaser, what do you see as the major trends of the New Year?
FOLEY: Well, first and foremost we are going to see a lot more scams. Because of the tough economic times, we are seeing a lot of scammers come out of the woodwork and try to suck you into this quick job, that quick job, here make a little extra money, and invariably what happens is you find yourself on the hook for greater debt and greater problems because you went to work with these scammers.
Other things that we are seeing out there is that we are going to see an increase in medical identity theft. A lot more people are having trouble making ends meet, and one of the first things that seems to slip is going to be medical insurance. ' I haven't got medical insurance, so what I do is I go down to the hospital and I give them somebody else's name and Social Security number, and I piggyback on their insurance.' It is becoming more and more of a thing, and it is becoming more and more alarming.
FIELD: Now you have mentioned healthcare here a couple of times, Jay. As you look at the risks, are there any specific industries or even government agencies that you find to be at greater risk of identity theft than others?
FOLEY: If I were going to categorize the most sensitive industries, the first one I would go at would be the payment industry, the payment services industry, and that is the companies that process credit card and debit card transactions. Why? Because that is where the money is right at the moment. If a thief can get into your software and can get into your data, they have ready cash right there at their fingertips.
After that, the next industry I would be worried about would be the medical profession. For many, many years the medical profession has operated in a unique environment. They have been collecting Social Security numbers and writing them down on every document they have. It has been their ad hoc file number for individual patients for years and years and years. And let's face it, your doctor does not keep your medical record under lock and key; he keeps it in a file room in his office. Not to mention the fact that we are now moving into a more computerized medical health system.
If we don't take the steps now to clearly delineate a security policy for this information, we are going to have two types of breaches. We are going to have those breaches like the Farrah Fawcett breach, where people actually broke into her medical records who had no business being there, and that information got blared out to the tabloids. Or we are going to have those that are going to get in there and are stealing the information out of your medical record and using it to create fraud, debt and general havoc in your life.
FIELD: Jay, what has your experience been with government agencies, whether they be state and local or federal? How are they doing in protecting identities and protecting themselves from some of the risks that are out there?
FOLEY: Many government agencies are actually stepping up to the plate and looking at this situation seriously. They are looking at ways that they can curb the issue. But there are still a large number of agencies out there that 'This is what my job is; I am the County Clerk, I record this, I do this, I do this,' and unfortunately they are not thinking about doing those things in an information environment.
An example of that would be the County Clerk of Hamilton County, Ohio who a few years ago was publishing traffic tickets on the internet. You get a traffic ticket, he publishes it on the internet. The problem with that is that your Social Security number is written on that ticket.
FOLEY: Not a good thing.
FIELD: Jay, what do you see as the challenges for information security professionals that are charged with helping these organizations do a better job protecting critical data?
FOLEY: First and foremost, they need to realize the biggest threat is not actually coming from outside the system. The numbers come out almost every year, and they have said for the past eight or nine years that 70% of all hacking happens internal to the company. It is somebody within your company that is going places who should not be in your data, not somebody outside the company.
A little more audit focus, a little more control focus as to who is going where and what they are doing needs to be addressed by each and every IT professional out there. You need to know who is going where and what they are doing and why they are doing it. You need to set up established parameters for who gets to go into the data.
FIELD: Now I feel a little bit like Scrooge talking to the Ghost of Christmas' Yet to Come when I ask you this, but what is it that we can do now to potentially change the future you have outlined with the threats and the risks that face us in 2010? What can we do to make the situation better?
FOLEY: There is only one thing that I can think of. In every project you undertake and every job that you do, in every aspect of your life, you need to look at it and stop and think, 'Okay, how can I mess this up? How can a thief exploit this? How can I loose control of my information? ' For those who are taking possession of it, how can the thief get in? How can I reduce the ability of the thief to get in? You don't have to build a foolproof system; you just have to build a system that is stronger than all of your friends because you will be the last system they attack.
FIELD: One last question for you, Jay: Given what you know now about trends, what do you see as being the top identity theft story as we go into the New Year?
FOLEY: Well, the biggest thing I see coming into the New Year is you are going to see a lot younger thieves. You are going to see some more serious computer hacks. Mr. Gonzales is off the street, but he has just pled guilty and he is going to go to prison. Do you think he is the only one doing that? We are seeing kids in the high school level who are setting up websites, selling products that don't exist, taking the credit cards and going to town on them. We are seeing young people who are getting into information just on a lark. Well, that lark is going to change because that is going to be the way they are going to start making their money.
I once thought about it, a company that manufactures a product, that is a very specific product that goes into a very specific industry -- let's say it's carburetors going to car manufacturers, and somebody steals my design for the new carburetor. The only place they can sell that is to another carburetor manufacturer or somebody in the car industry. But if somebody steals the Social Security numbers and names and information of all my employees, they can sell that to anyone else in the world who may want to use it for criminal purposes. Which is more valuable? My personal information on my employees, or the secret plans for my new carburetor to get 29 miles to the gallon?
FIELD: Great point, Jay. I appreciate your time and your insight today.
FOLEY: You are more than welcome. Anytime.
FIELD: Jay for people that want to know more about the Identity Theft Resource Center and your research, where should they go?
FOLEY: Go to www.IDTHeftCenter.org.
FIELD: Very good. Jay ,thanks so much for your time today.
FOLEY: You are more than welcome.
FIELD: We have been talking with Jay Foley of the Identity Theft Resource Center. For Information Security Media Group, I'm Tom Field. Thank you very much.