
Protecting Against Identity Theft

Françoise Gilbert

© 2008 IT Law Group - All rights reserved

Identity theft (or identity fraud) is the deliberate assumption of another person's identity, usually to gain access to that person's finances. Other forms of identity theft may be used to enable illegal immigration, or may be associated with terrorism, espionage, or blackmail, if revealing the activities undertaken by the thief under the name of the victim would have serious consequences. The perpetrator may be someone previously known to the victim, who gains illegal access to financial statements, checks, or credit cards.

Techniques for obtaining identification information range from stealing mail or rummaging through rubbish (dumpster diving) to stealing personal information from a computer database, using spyware, keyloggers, and other malware, or infiltrating organizations that store large amounts of personal information.

1. Recent Events - Breach of Security

Since the enactment of the Security Breach Notification laws, numerous companies, universities, and other entities have notified their customers, students, or personnel that tens or hundreds of thousands of individuals' records in their custody had been compromised and accessed by unauthorized third parties. In most cases, these records contained sensitive personal information, including social security numbers, credit card numbers, personal contact information, and other data.

According to the reports, most losses resulted from hacking incidents, or because an employee's laptop was stolen or lost. In other cases, backup tapes or other media containing copies of customer information were lost in transit and never recovered. Each of these incidents may have allowed unauthorized access to sensitive personal information, exposing the affected customers or employees to the risk of identity theft.

2. Security Flaws Uncovered

Websites are leaking their customers' personal information through security holes. Companies using unprotected networks or wireless connections are also exposing sensitive data to any interested passerby. The Federal Trade Commission and State Attorneys General have identified numerous websites that did not have adequate security measures and risked exposing customer information to hackers. They have investigated numerous companies for their information security practices, even in the absence of a security incident (see B.J. Wholesale Club). After these investigations, the FTC and State Attorneys General have punished several well-known companies (and others) for their lack of adequate security.

3. Many Types of Scams

a. Phishing

The term "phishing" was coined to describe the use of lures to "fish" for users' financial information and passwords through phony means. Phishers create and use emails and websites designed to look like those of legitimate businesses in order to fraudulently obtain an individual's personal or financial information such as passwords and credit card details. The phisher sends emails to victims to lure them into providing sensitive information by masquerading as a trustworthy person or business in an apparently official electronic communication.

Victims are asked to provide missing information (such as a password or Social Security number) by clicking on a link in the email, which takes them to a website that looks like the bank's or store's website.

The damages caused by phishing range from loss of access to email to substantial financial loss. This style of identity theft is very successful because of the ease with which unsuspecting people divulge sensitive personal information to phishers.

Once this information is acquired, the phishers may use a person's details to create fake accounts in a victim's name, ruin a victim's credit, or even prevent victims from accessing their own accounts.

Between May 2004 and May 2005, for example, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately $1 billion. American businesses lose an estimated $2 billion a year as their clients become victims of phishing frauds.

How to fight Phishing

  • If you receive an email that requires you to "update" or "verify" your information, you should not respond to that email. Do not reply to the email. Do not click on the links provided in the email.
  • Contact directly the company that is the subject of the email, or type in a trusted web address for the company's website into the address bar of your browser, to bypass the link in the suspected phishing message.
  • Do not email personal or financial information.
  • Report spam that is fishing for information to the company being impersonated.
  • If you believe you have been scammed, file a report with law enforcement, and a complaint with the Federal Trade Commission.
  • Use anti-virus software and a firewall and keep them up-to-date.
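The advice above tells readers not to click links in "verify your information" emails. The following added example (not from the original article) shows the checks a mail filter or security analyst can apply to the links in such a message: an IP-literal host, a legitimate domain buried inside a foreign host name, a digit-for-letter look-alike domain, and visible link text that names a different site than the real target. The sample email and the known-good domain list are constructed, and `registrable_domain` is a two-label approximation rather than a public-suffix-list lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML lure imitating a bank's "verify your account" notice.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://192.0.2.213/login">verify your account</a>
at <a href="http://www.examplebank.com.secure-update.example/verify">www.examplebank.com</a>
or visit <a href="https://www.examp1ebank.com/">our site</a>.
Help is at <a href="https://www.examplebank.com/help">help</a>.</p>
"""
# Constructed: the registrable domains the impersonated business really uses.
LEGIT_DOMAINS = {"examplebank.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels; a real tool would consult the public suffix list (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def looks_like(candidate, legit):
    """Digit-for-letter confusables such as 1/l and 0/o ("examp1ebank.com")."""
    return candidate != legit and candidate.translate(str.maketrans("10", "lo")) == legit


def analyze_links(html, legit_domains):
    """Return [(href, [reasons])] for every link that shows a phishing indicator."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reg = registrable_domain(host)
        reasons = []
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("ip-literal host")
        if reg not in legit_domains:
            if any(d in host for d in legit_domains):
                reasons.append("legit domain embedded in foreign host")
            if any(looks_like(reg, d) for d in legit_domains):
                reasons.append("look-alike domain")
        # Visible text that names a host different from where the link really goes
        shown = text.split("/")[0].lower()
        if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", shown) and registrable_domain(shown) != reg:
            reasons.append("visible text names a different site")
        if reg not in legit_domains and not reasons:
            reasons.append("host outside known-good list")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `analyze_links(SAMPLE_EMAIL, LEGIT_DOMAINS)` flags the first three links and leaves the genuine help link alone.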

Legislative and judicial responses

California's "Anti-Phishing Act of 2005" was signed by the Governor in October 2005. Businesses may recover the greater of actual damages or $500,000. Individuals may recover the greater of three times actual damages or $5,000 per violation. The Attorney General may seek civil penalties of up to $2,500 per violation.

In 2004, the Federal Trade Commission filed the first lawsuit against a suspected phisher. The defendant, a Californian teenager, allegedly created and used a webpage designed to look like the America Online website, so that he could steal credit card numbers.

b. Pharming

Pharming redirects an individual to an illegitimate website through technical means.

Every website on the Internet has an IP address, which consists of four numbers, each between 0 and 255, separated by dots, for example "192.0.2.213". IP addresses work like telephone numbers. Websites usually also have a domain name, for example "www.google.com". Domain name servers are the machines responsible for resolving Internet names into their real addresses. They act as a "phone book" that associates the domain name of a website with its IP address ("resolving the domain name").

Pharming exploits DNS server software. A hacker engages in domain name hijacking by redirecting all of a company's legitimate Internet traffic to an illegitimate site. If the website receiving the traffic is a fake website (for example, a copy of a bank's website), it can be used to "phish" or steal a computer user's passwords, PIN, or account number.

How to fight pharming

For businesses

  • Use digital certificates to differentiate your site from illegitimate sites
  • Respond promptly to any warning signs, such as decreased traffic.

For individuals

  • Delete unsolicited emails and their attachments without opening them
  • Do not respond to call-to-action emails
  • Install antivirus software and update it daily
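The section above explains that pharming tampers with the "phone book" lookup, and lists digital certificates as the business-side defense. This added example (not from the original article) simulates both halves: a normal and a hijacked DNS answer for a bank's host name, and the browser-style certificate hostname check that still catches the redirect, because the copied site cannot present a certificate naming the bank's domain. The DNS tables, IP addresses and certificate names are constructed; `hostname_matches` generalizes to the wildcard rules browsers apply (wildcard only as the whole left-most label).

```python
# Constructed DNS answer tables: what a resolver returns normally and after a hijack.
LEGIT_DNS = {"www.examplebank.com": "192.0.2.10"}
HIJACKED_DNS = {"www.examplebank.com": "198.51.100.7"}
# Constructed: DNS names in the certificate each server presents on connection.
SERVER_CERTS = {
    "192.0.2.10": ["examplebank.com", "*.examplebank.com"],                # the real bank
    "198.51.100.7": ["secure-update.example", "*.secure-update.example"],  # the copy
}


def resolve(hostname, dns_table):
    """Stand-in for the 'phone book' lookup: domain name -> IP address."""
    return dns_table.get(hostname.lower().rstrip("."))


def hostname_matches(hostname, san_dns_names):
    """Browser-style check: does any certificate name cover the hostname?

    A wildcard is accepted only as the entire left-most label and only when at
    least two labels follow it, so '*.examplebank.com' covers 'www.examplebank.com'
    but not 'examplebank.com' or 'a.b.examplebank.com'.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if any("*" in p for p in pat[1:]) or (pat[0] != "*" and "*" in pat[0]):
            continue  # partial or non-leftmost wildcards are rejected
        if pat[0] == "*" and len(pat) < 3:
            continue  # no wildcard for a bare registrable domain
        if all(p == "*" or p == h for p, h in zip(pat, host)):
            return True
    return False


def connect_and_verify(hostname, dns_table):
    """Resolve, 'connect', and verify the presented certificate against the name typed."""
    ip = resolve(hostname, dns_table)
    names = SERVER_CERTS.get(ip, [])
    return {"ip": ip, "cert_names": names,
            "cert_ok": hostname_matches(hostname, names)}
```

With `LEGIT_DNS` the check passes; with `HIJACKED_DNS` the user lands on 198.51.100.7 and the certificate check fails, which is the warning a browser would show.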

c. Malware

Malware ("malicious software") is software designed to take over and/or damage a computer's operating system without the user's knowledge or approval. Once installed, it is often very difficult to remove.

Depending on the severity of the program installed, it can be slightly annoying (such as unwanted pop up ads while a user is performing regular computing tasks on or offline), or cause irreparable damage requiring the reformatting of one's hard drive.

Viruses and worms are two common types of malware. They are able to self-replicate and can spread copies. A worm operates independently of other files, whereas a virus depends on hosts to spread itself. A third, less common, type of self-replicating malware is the wabbit. A wabbit repeatedly replicates itself on a local computer. It can be programmed to have malicious side effects, in addition to the direct consequences of the quick self-replication.

Malware typically contains undesirable functions, such as displaying political or ideological messages when activated, activating on a date selected by the author, or deleting files or formatting disks.

Malware is usually transmitted when the victim has unwittingly brought in the infection through failure to take sufficient steps to secure his/her computer against attacks, such as:

  • Downloading files from P2P programs
  • Opening emails from unknown sources, particularly those that contain attachments
  • Not installing security programs, such as spyware and adware detection; a firewall; or an anti-virus program
  • Not updating security software on a continuous basis
  • Installing software without properly checking whether it contains adware or spyware
  • Clicking on dialog boxes on various web sites requesting that you download certain programs
  • Not properly setting one's browser security settings high enough
  • Playing music CDs on a computer when they are equipped with intrusive copy protection schemes which install things on your system

d. Spyware

Spyware is a broad category of malicious software that subverts the computer's operation for the benefit of a third party. Spyware differs from viruses and worms in that it does not usually self-replicate.

Those who spread spyware intend to intercept or take partial control of a computer's operation without the user's informed consent. Spyware is generally designed to exploit infected computers for commercial gain, such as delivering unsolicited pop-up advertisements or stealing personal information. It can also be used to verify compliance with a software license agreement (or EULA).

How to fight spyware

  • Install hardware and software firewalls
  • Keep your anti-spyware and anti-virus programs current and use them daily
  • Limit the number of cookies on your computer
  • Read EULAs before downloading or installing software

e. Keylogger

A keylogger is software that copies a computer user's keystrokes to a file, which it may later send to a hacker. Often the keylogger will only "awaken" when a computer user connects to a secure website, such as a bank's. It then logs the keystrokes, which may include account numbers, PINs, and passwords, before they are encrypted for transmission to the secure website. For example, keyloggers have been used on ATMs or on computers installed in public places (cyber cafés, airport lounges) to retrieve user ID and password information.

f. Adware (or advertising supported software)

Adware is a program that automatically plays, displays, or downloads advertising material to a computer. Some adware takes the form of (a) spyware, in which information about the user's activity is tracked, reported, and often re-sold, frequently without the knowledge or consent of the user; or (b) malware, which may interfere with the function of other software applications in order to force users to visit a particular website.

Other adware programs are not spyware; they do not collect or upload personal information. However, they can result in spam, pop ups, or junk mail. They use storage space and bandwidth, overwork the CPU, and slow the system.

Software applications are available to help computer users find and remove adware programs, block the display of advertisements, and remove spyware modules.

4. Key Laws and Regulations

a. FCRA / FACTA

The Fair and Accurate Credit Transactions Act (amending the Fair Credit Reporting Act) includes many requirements on consumer reporting agencies and on companies that use consumer reports or furnish information to consumer reporting agencies. Some of these requirements are designed to prevent and mitigate the effects of identity theft.

b. Document Disposal Rule

The Document Disposal Rule requires the proper disposal of consumer information derived from consumer reports. The Rule applies to any entity that, for business purposes, maintains or possesses consumer report information. This would include, for example, employers, property owners, car dealers, or mortgage brokers.

The Rule requires companies to take reasonable measures to protect consumer information in connection with the disposal of records, such as discarding or abandonment of consumer information, sale, donation, or transfer of computer equipment, upon which consumer information is stored.

The Rule requires entities that possess or maintain consumer information to take "reasonable measures" to properly dispose of such information, in order to protect the information from unauthorized access or use after its disposal. For example:

  • Implementing and monitoring compliance with policies and procedures that require burning, pulverizing, or shredding papers so that the information cannot practicably be read or reconstructed;
  • Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media so that the information cannot practicably be read or reconstructed;
  • Companies that use services of a third party to dispose of the material must conduct thorough due diligence, and enter into a contract with the service providers that details the measures to be taken to ensure the adequate destruction of the documents.

c. California Security Breach Notification Law - Cal. Civ. Code Sect. 1798.82, also known as "SB 1386"

California's SB 1386 requires any company that conducts business in California or owns or licenses computerized data that include personal information about California residents to disclose any breach of security of the computerized data to consumers whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.

Companies that maintain such information on behalf of other companies have to promptly notify the owner or licensee of the information of any actual or potential breach of security.

Affected customers may sue to recover damages. Businesses that violate the act may be enjoined.

d. Other States Security Breach Disclosure Laws

As of January 2008, more than 40 states have enacted legislation similar to California's SB 1386.

e. California's Civil Code Section 1798.81.5, also known as "AB 1950"

Since January 1, 2005, California requires that all companies doing business in California and their subcontractors adopt reasonable security procedures and practices.

f. Federal Trade Commission

In the consent decrees published after investigating the security practices of several companies, the Federal Trade Commission has stressed that companies must have in place a comprehensive security program. The security program must be fully documented in writing, and be appropriate to the size of the company, its complexity, the nature and scope of its activities, and the sensitivity of the information collected. This includes:

  • Identification of material internal and external risks to the security, confidentiality, and integrity of customer information that could result from unauthorized disclosure, misuse, alteration, or destruction. This should include assessment of employee training and management; assessment of information systems, information processing, storage, transmission, and disposal; and evaluation of the methods used to detect, prevent, and respond to attacks, intrusions, or other system failures
  • Designing and implementing information safeguards to control the risks identified through risk assessment, and regularly testing or monitoring the effectiveness of the key controls, systems and procedures
  • Overseeing service providers
  • Evaluation and adjustment of the program in light of the results of the testing and ongoing monitoring of the program, material changes in the company's operations or business arrangements, or any other circumstances that may have a material impact on the effectiveness of the security program.

g. PCI Standards

Since 2005, the major payment card companies have required all online retailers that accept credit cards and debit cards to submit to certain validation processes to ensure that they meet the mandatory standards for handling customer data. To be certified under the PCI Data Security Standard, all merchants who process purchases made with cards from Visa, MasterCard, American Express, etc. must comply with the PCI DSS's 12-step security audit standards.

5. Precautions Against Identity Theft

There are many ways for individuals to guard against identity theft. The Federal Trade Commission and the California Office of Privacy have prepared excellent materials. For example, consult the FTC Booklet "Take Charge: Fighting Against Identity Theft". In addition, the FTC also recently launched its new consumer information website: www.OnGuardOnline.gov

Examples of common-sense measures include:

  • Protect your personal information.
  • Minimize the use of mail for sending or receiving financial documents.
  • Have your name removed from junk mail lists.
  • Mail letters from the post office.
  • Lock your mailbox.
  • Check your bank accounts each week online or at an ATM to monitor your account activity.
  • Shred all documents that contain personal information, such as credit-card receipts, junk mail (e.g. credit card applications).
  • Never give out personal information in response to telemarketers.
  • Do not respond to any e-mails that ask you to "log in" using a hyperlink embedded in the e-mail message to update your information.
  • If in doubt about a phone call or email from an entity with which you do business, call back rather than directly responding to the telemarketer or company that called or emailed you.
  • When shopping online, make sure the company is reputable and displays an approved security symbol.
  • Log out of a site when finished.
  • Request your own credit report each year and check the report for inaccuracies. See www.annualcreditreport.com. You are permitted a free copy of your credit report once a year from any credit reference agency.
  • Consider fee-based credit monitoring services, which will notify you of any new accounts or credit inquiries made that relate to your name.
  • Limit the amount of personal information you publish on the web. Small fragments here and there may be enough for someone to impersonate you in many ways.
  • Be especially careful with information used as security keywords for banks, e.g. mother's maiden name.
  • Do not divulge personal information such as date of birth to organizations that have no need of it - nearly all commercial organizations.
  • Do not routinely carry identity documents unless obliged by law to do so.
  • Do not allow anyone to copy your identification documents. If a commercial organization requires you to submit a copy as a condition of doing business, either do not do business with them or retrieve the copy when your business ends (and obtain a written statement that they have not taken further copies).
  • If someone calls you claiming to be from a financial institution you do business with asking for personal information, ask why they want the information, hang up, and then call the institution using contact information from a source other than the caller.
  • Do not display your driver's license, social security number or your address on your checks.
  • Protect your social security number.
  • Do not carry your social security card with you.
  • Do not give out your social security number unless it is necessary or legally required (employers, landlords etc.). In states where your driver's license number is your social security number, be equally careful about who sees your license.
  • If you are a target, keep copies of police reports and record dates and names of individuals with whom you spoke to back up the claim of fraud.

6. How Businesses Can Protect Their Clients' Information

a. Safeguarding Customer Information

Companies that collect, handle, store, or process personal information of their customer or personnel should urgently take measures to ensure the security of sensitive data in their custody.

First, they should identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result from unauthorized disclosure, misuse, alteration, or destruction, and assess the sufficiency of any safeguards in place to control those risks, including, for example, information systems, information processing, storage, transmission, and disposal. They should evaluate the risks to these assets and test the methods used for detecting, preventing, and responding to attacks, intrusions, or other system failures.

Then they should design and implement information safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the key controls, systems, and procedures.

In connection with their outsourcing or subcontracting practices, they should oversee their service providers to ensure that they, as well, provide sufficient security to the personal information in their custody. Measures should include, for example:

  • Selecting and retaining service providers that are able to maintain appropriate safeguards for the customer information
  • Requiring, by contract, the service providers to implement and maintain safeguards
  • Evaluating and readjusting the program in light of the results of periodic testing and auditing, and other events.

b. FDIC Guidance for Financial Institutions

The FDIC has issued Guidance for Financial Institutions, urging them to educate consumers about protecting themselves from phishing scams, develop enhanced incident response programs for fraud schemes, and take action to mitigate the risk associated with email and Internet-related fraudulent schemes.

Steps to mitigate risks associated with email and internet-related fraudulent schemes may include:

  • Improving authentication methods and procedures to protect against the risk of theft of user IDs and passwords
  • Reviewing, and as necessary, enhancing practices for protecting confidential customer data
  • Increasing suspicious activity monitoring and employing additional identity verification controls
  • Establishing a toll-free number for customers to verify requests for confidential information or to report suspicious email messages
  • Training customer service staff to refer customer concerns regarding suspicious email requests to internal security staff.

Businesses other than financial institutions should use these guidelines as a checklist for implementing their own procedures and processes.

 

REPRINTS

Permission is granted to make copies of this document, if credit is given to the author, and this notice is reproduced on the copies.
