On April 23rd, the ID Theft Task Force, chaired by Alberto Gonzales (the US Attorney General) and co-chaired by Deborah Platt Majoras (the chairwoman of the FTC), released its final recommendations for reducing identity theft.
Here are a few of their better recommendations:
- Decrease the unnecessary use of social security numbers in the public sector
For example, the federal Office of Personnel Management (OPM) has already done an internal review and realized that it was using SSNs in many cases where it wasn't necessary. It has begun issuing employee numbers instead of just using SSNs. Dang straight! Stopping data brokering is a very good first step.
- Develop a comprehensive record on private sector use of SSNs
What they mean by this is that they need to study how SSNs are used in businesses to determine how much is legitimate use and how much should be stopped, controlled, or altered. They plan to have completed this study and made recommendations to the president by first quarter '08. Ditto above: Stopping data brokering is a very good first step.
- Educate Federal Agencies on how to Protect Their Data and Monitor Compliance With Existing Guidance
Okay… Granted, bringing laptops home to get stolen was stupid the first time and got successively stupider as time went. Theoretically, by teaching the agencies obvious security and then monitoring compliance, we should be able to stop or reduce that particular type of data loss. The important point to note here is that if an agency fails to protect data properly, they will be harshly punished by having that fact noted on their PMA scorecard *rolls eyes*. What this means and what the consequences are (if any), I have no idea.
- Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies
This means they're going to develop a set of guidelines on how to handle breaches and issue it to all agencies (which they've already done). The guidelines will (emphasis mine): "set forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected."
- Establish National Standards Extending Data Protection Safeguards Requirements and Breach Notification Requirements
They want to create a national standard of safeguards that applies to all "private entities that maintain sensitive consumer information". More importantly, they say that all such entities must be required to notify law enforcement and consumers of a breach. This requirement, though, would only come into effect if there was "significant risk of identity theft" due to the breach. Their justification for this is that consumers wouldn't want to be "overwhelmed" by breach notifications. That's crap. If a company has to send out an "overwhelming" number of breach notifications, perhaps enough people would leave that company to make said company actually implement some security. This loophole also fails in that there's a lot of wiggle room in "significant risk". Who decides what's significant risk or not? The company? If so, I bet all breaches will be labeled "low risk". Ah yes, and let's not forget our favorite clause. This legislation will preempt state laws on data breaches.
Where's the Freeze recommendation? For those who don't know my site, I am a big proponent of credit security freezes. I am severely disappointed in this final set of recommendations in that they softened the language from their initial recommendations from
This is very weak and isn't even a recommendation of its own, just a sub-component of "Assess Efficacy of Tools Available to Victims". So it went from the nice, solid (and correctly worded) "effectively preventing the issuance of new credit in the consumer's name" to "there is no 'track record' to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers". Alberto Gonzales and Deborah Platt Majoras should be ashamed of themselves for putting their names on this worthless report.
It looks like the credit reporting companies are starting to read the bones and pre-emptively offer credit freezes before they get legislated into having to provide them on worse terms and lower fees. Two out of three have jumped onto the bandwagon, with only one holding out so far.

Tags: Accountability, FTC, Identity Theft, Utter Failure