Welcome!
If you have an account, please:
Log in

ID Theft Taskforce Issues Final Recommendations and Strategic Plan

Federal Trade Commission
(Image is in the Public Domain)

On April 23rd, the ID Theft Task Force that's chaired by Alberto Gonzales (the US Attorney General) and co chaired by Deborah Platt Majores (the chairwoman of the FTC) has released their final recommendations for reducing identity theft.

Here are a few of their better recommendations:

  • Decrease the unnecessary use of social security numbers in the public sector
    For example, the federal Office of Personnel Management (OPM) has already done an internal review and realized that they were using SSNs in many cases where it wasn't necessary. They havebegun issuing employee numbers instead of just using SSNs. Dang straight! Stopping data brokering is a very good first step.
  • Develop comprehensive record on private sector use of SSNs
    What they mean by this is that they need to study how SSNs are used in businesses to determine how much is legitimate use and how much should be stopped, controlled, or altered. They plan to have completed this study and made recommendations to the president by first quarter '08. Ditto above: Stopping data brokering is a very good first step.
And here are some of their less-thought-out ones:
  • Educate Federal Agencies on how to Protect Their Data and Monitor Compliance With Existing Guidance
    Okay… Granted, bringing laptops home to get stolen was stupid the first time and got successively stupider as time went. Theoretically, by teaching the agencies obvious security and then monitoring compliance, we should be able to stop or reduce that particular type of data loss. The important point to note here is that if an agency fails to protect data properly, they will be harshly punished by having that fact noted on their PMA scorecard *rolls eyes*. What this means and what the consequences are (if any), I have no idea.
  • Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies
    This means they're going to develop a set of guidelines on how to handle breaches and issue it to all agencies (which they've already done). The guidlines will (emphasis mine):
    set forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected.
    Ugh. So they might not even tell you that they messed up by losing your data now? That's some good accountability there. And credit monitoring? Are they still going on about this? I find it so hard to trust the opinion of someone who suggests credit monitoring as any kind of response to a data breach.
  • Establish National Standards Extending Data Protection Safeguards Requirements and Breach Notification Requirements
    They want to create a national standard of safeguards that applies to all "private entities that maintain sensitive consumer information". More importantly, they say that all such entities must be required to notify law enforcement and consumers of a breach. Though this requirement would only come into effect if there was "significant risk of identity theft" due to the breach. Their justification for this is that consumers wouldn't want to be "overwhelmed" by breach notifications. That's crap. If a company has to send out an "overwhelming" amount of breach notifications, perhaps enough people would leave that company to make said company actually implement some security. This loophole also fails in that there's a lot of wiggle room in "significant risk". Who decides what's significant risk or not? The company? If so, I bet all breaches will be labeled "low risk". Ah yes, and let's not forget our favorite clause. This legislation will preempt state laws on data breaches.

Where's the Freeze recommendation?

For those who don't know my site, I am a big proponent of credit security freezes. I am severely disappointed in this final set of recommendations in that they softened the language from their initial recommendations from
For residents of states in which state law authorizes a credit freeze, consider placing a credit freeze on their credit file.7 This option is most useful when the breach includes information that can be used to open a new account, such as SSNs. A credit freeze cuts off third party access to a consumer’s credit report, thereby effectively preventing the issuance of new credit in the consumer’s name.
to
Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no "track record" to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policy makers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.

This is very weak and isn't even a recommendation of it's own, just a sub-component of "Assess Efficacy of Tools Available to Victims". So it went from the nice, solid (and correctly worded) "effectively preventing the issuance of new credit in the consumer’s name" to "there is no 'track record' to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers". Alberto Gonzales and Deborah Platt Majores should be ashamed of themselves for putting their names on this worthless report.

Update 9/27/2007

It looks like the credit reporting companies are starting to read the bones and pre-emptively offer credit freezes before they get legislated into having to provide it on worse terms and lower fees. Two out of three have jumped onto the bandwagon with only one holding out so far.

Tags: , , ,

The Failure of the President’s ID Theft Task Force

Federal Trade Commission - Forgot their job apparently
(Image used under: Creative Commons 2.0 [SRC])

On May 10th, 2006, President Bush signed an executive order to create an Identity Theft Task force in order to identify concrete steps to reducing the identity theft problem.

On Dec 26th, 2006, the task force put out a public call for comments to "improve the effectiveness and efficiency of federal government efforts to reduce identity theft".

Of course, I submitted details about implementing Credit Freezes and halting data abuse

There were off to a good start when the interim results of the task force included language about Credit Freezes:

For residents of states in which state law authorizes a credit freeze, consider placing a credit freeze on their credit file. This option is most useful when the breach includes information that can be used to open a new account, such as SSNs. A credit freeze cuts off third party access to a consumer’s credit report, thereby effectively preventing the issuance of new credit in the consumer’s name.

But problems started when the press release mysteriously omitted the information. They'd already failed to include it in their consumer education initiative though they're happy to recommend Fraud alerts or Credit monitoring for FREE! Well, whee! That's just great. Thanks for paying for my worthless monitoring service which will tell me in horrific real time that I'm being ripped off rather than actually do anything to stop it.

April 17th, 2007 Update

I called the FTC office of media relations and was directed to Claudia Bourne Farrell who apparently was the one who drafted the press release. She contends that credit freeze language was ~"probably stripped for brevity" and politely, but firmly persisted that the release was fine the way it was. She did provide her e-email before we concluded the call so I took one more opportunity to educate her about the issue:

Dear Ms. Bourne-Farrell,

If you understand how credit freezes work as you say, I hope you will see that they are far more effective than fraud alerts (which are optional for retailers to follow), and credit monitoring (which only alerts you to bad activity without actually stopping it). Freezes fully prevent ANY kind of check of one's credit report without express consent.

While stopping the proliferation of private data and the loss thereof is a huge part of the problem, I and all other Americans would sleep better knowing that in many cases, it doesn't matter who has the data because they can't use it for anything that requires a credit check.

Please, understand that I don't mean to be offensive when I ask this, but how is the FTC doing their job when they won't even list credit freezes as an important tool for consumers along with fraud alerts (which are temporary and of questionable effectiveness) and credit monitoring (which doesn't stop anything plus costs a monthly fee)?

Thank you for listening,

Sincerely,

Jeremy Duffy

And here is the one I sent to Alberto Gonzales, Chair of the ID Theft Task Force:

Dear Mr. Gonzales,

I have begun following some of the developments of the Identity Theft Task force and am extremely concerned. Credit Freezes are the best way to ensure consumer peace of mind, and I see that the task force has mentioned it in your interim recommendations (which is good). However, your press release didn't include it.

I have contacted the FTC's media relations department and am unsure if my message will be acted on. I am hoping that they will not repeat this mistake in the release of your final recommendations, but I am doubtful. Please make sure, for all our sakes, that the Task Force's message of credit security freezes is heard loud and clear, not just in the full documents, but the press releases as well.

Thank you for your time,

Jeremy Duffy

Failing to include credit freeze information was nothing short of incompetence.

Sadly, on release of the final recommendations some time later, freezes were only barely mentioned and even then, discouraged. This is hardly the first time I've seen government incompetence up close, but considering the importance of the issue, it was still discouraging. Bottom line, the FTC and in particular Ms. Bourne Farrell and Alberto Gonzales failed the President and the citizens they are supposed to serve.

Tags: , , , , ,

Federal Trade Commission Seeks Public Comment on ID Theft

Id Theft
(Image is in the Public Domain)

From the FTC website:

Notice for public comment: The Federal Identity Theft Task Force, chaired by Attorney General Alberto R. Gonzales and co-chaired by Federal Trade Commission Chairman Deborah Platt Majoras, is seeking public comment on ways to improve the effectiveness and efficiency of federal government efforts to reduce identity theft.

What could I tell them about? Hmm… Let's see… Oh! How about how easy it would be to reduce ID Theft with a good Credit Security Freeze law? How about how we desperately need strong, swift protection against data mining and sharing companies?

It's fairly simple really. First we need better control of our data and second, we need to limit what can be done with the data once it's been breached.

The e-mail address to write to is hidden in a document, so here it is "Taskforcecomments AT idtheft.gov" (@ replaced to prevent bot Spam). Be sure the subject is "Identity Theft Task Force" and that you include contact information. They prefer that the substance of your comments be in WordPerfect, MS Word or PDF format as an attachment.

Tags: , ,

ID Theft Tops FTC List of Consumer Complaints for the 6th Year

ID Theft is a problem. It's a shame no one is talking about the solution.
(Image is in the Public Domain)

EPIC reports in their newsletter that for the 6th year in a row, Identity Theft is the #1 consumer complaint for the year. It's interesting to know that despite the massive and growing problem, the Credit Freeze remedies that would greatly curb the problem aren't being made available to most people.

Tags: , ,

If you want to learn more about my professional background, click here to learn more. Otherwise, let’s get started - how can I help?

Online learning
On-site learning
Read my blog

Credit Freeze

Setting a credit report freeze is the fastest and most effective way to actually block and reduce your risk of ID Theft. And it's free.

[Click for full description]

Credit Freeze

Setting a credit report freeze is the fastest and most effective way to actually block and reduce your risk of ID Theft. And it's free.

[Click for full description]