Over the past few years few would say the federal government has had much success in preventing data loss and identity theft. But in the face of what seem like insurmountable odds, it is trying.
A report issued today by the President's Identity Task Force said federal agencies have worked to eliminate unnecessary uses of Social Security numbers (SSNs) in their programs. For example, the Social Security Administration has removed SSNs almost entirely from its internal human resources forms. The Department of Defense has issued a plan to reduce its internal use of SSNs, including their removal from military ID cards. The Internal Revenue Service has been redacting taxpayer SSNs to the last four digits on all federal tax lien documents filed in public records and issued to taxpayers.
The Identity Theft Task Force has at its heart an executive order charging 15 federal departments and agencies with crafting a comprehensive national strategy to combat identity theft and to aid victims.
The report goes on to say that in 2007, the Office of Management and Budget and the Department of Homeland Security alerted all federal Chief Information Officers to ten common data security risks and noted the best ways to address them. In addition, the FTC continues to work with federal agencies to share best practices and offer guidance on privacy, data security, and incident response.
Task Force agencies have conducted policymaking, outreach, and enforcement initiatives to encourage similar efforts in the private sector and to educate consumers about identity theft. For example, in February 2008, the US Postal Service mailed identity theft protection information to 146 million individuals and businesses.
In the meantime, the FTC held two public workshops that explored both ways to reduce the unnecessary uses of SSNs in the private sector and measures to improve consumer authentication processes and prevent criminals from using stolen personal information to access existing accounts or open new ones, the report states.
The report comes on the heels of a successful FBI sting operation that targeted online fraudsters and netted 56 arrests and prevented millions of dollars in economic losses. The FBI said it had infiltrated online "carder" forums hosted on the DarkMarket.ws Web site, which was widely used by online scammers to buy and sell stolen credit card numbers, other financial information, and even the devices used to make fake banking cards. Before it was shut down earlier this month, the Web site had registered more than 2,500 members.
In addition as part of its ongoing effort to battle the growing identity theft blight, the FTC's "Red Flag rules" go into effect in November. Under these rules banks and other financial institutions must offer for the identification, detection, and response to patterns, practices, or specific activities - known as "red flags" - that could indicate identity theft. Banks and other financial institutions typically account for about half of the identity theft complaints filed with the FTC.
Still, identity theft is the number one consumer fraud problem, according to the FTC. For the seventh year in a row, identity theft was the number one problem and it is showing no signs of letting up, the FTC said. Of 813,899 total complaints received in 2007, 258,427, or 32%, were related to identity theft. Consumers reported fraud losses totaling more than $1.2 billion; the median monetary loss per person was $349, the report states.
The flip side of all this good news is the fact that federal watchdogs at the Government Accountability Office say that when it comes to securing your private information the US government has a long way to go. A GAO report issued in February found that only 2 of 24 agencies it had implemented all of the security requirements mandated by the Office of Management and Budget last year to protect personal information.
According to the GAO report the Treasury Department and the Department of Transportation had implemented the strongest security while National Science Foundation and the Small Business Administration were worst.
The feds have seen significant exposures of personally identifiable information in the past few years. According to a 2006 congressional staff report, since January 2003, 19 departments and agencies reported at least one loss of personally identifiable information that could expose individuals to identity theft.
That story followed another GAO report in January that said the IRS, has "persistent information security weaknesses that place [it] at risk of disruption, fraud or inappropriate disclosure of sensitive information." The agency, which collected about $2.7 trillion in taxes in 2007, has fixed just 29 of 98 information security weaknesses identified in a report released last March, the report said.
There is also the notion that despite all these efforts, good and bad, identity theft continues to grow. Over the past five years, 43 states have adopted data breach notification laws, but such legislation has not cut down on identity theft. There doesn't seem to be any evidence that the laws actually reduce identity theft," said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is part of the team that published a state-by-state analysis of data supplied by the FTC.
In fact, there may be good reasons that explain why breach laws have not cut down on identity theft. Many consumers simply ignore breach notification letters. And Romanosky believes that security firms are still not doing enough to protect data themselves. "In so many of these cases, the breaches occur because of ridiculous security practices," he said in a recent IDG News Service story.
Layer 8 in a box
Check out these other hot stories:
Lunar spacecraft compete for $2 million NASA prize
Are we being chiseled further at the gas pump?
Is the tech industry immune to current financial mess?
FTC wilts mega "male enhancement" spam operation