Editorial: The Threat We Ignore at Our Peril

Identity theft poses greater devastation in bad economic times

January 2009

–    A crisis is an opportunity riding the dangerous wind. 

During this time of financial tumult, the familiar Chinese proverb bears repeating. The opportunity, of course, is that of the Obama administration implementing its platform of “change”— through policies that help create jobs and foster trade. But why stop there? As too many Americans edge ever closer to the brink of financial ruin, creating a plan to improve consumer financial security is an obvious lockstep strategy.  Specifically, the Obama administration must take the issue of identity theft seriously, as so many of us are in such a tenuous financial situation that even one so-called minor instance of fraud committed against us could deal the final devastating blow. 

If you look at identity theft statistics, you’ll see there is no shortage of need for a comprehensive strategy to fight the crime. Federal Trade Commission complaint data published in February 2008 indicated that identity theft complaints to be at an all-time high. Observations from law enforcement officers, prosecutors and nonprofit organizations that study the identity theft problem, meanwhile, bear the same bleak message—that the mushroom cloud of identity theft is rising and ever-growing.  

The ailing economy is but an accelerant. As Richard Rosenfeld, a sociologist at University of Missouri-St. Louis, recently observed in The New York Times, “Every recession since the late ’50s has been associated with an increase in crime and, in particular, property crime and robbery, which would be most responsive to changes in economic conditions.” Because identity theft is relatively easy to commit—the ultimate lazy man’s (or woman’s) crime in which the perpetrator almost never comes face-to-face with the victim—it would seem to be an attractive alternative to good old-fashioned breaking and entering. The Identity Theft Assistance Center, a nonprofit consortium of financial services companies, has voiced concerns about “hard-pressed consumers” turning to fraud and worries about a recession “forc(ing) state and local governments to cut their budgets, law enforcement agencies could be asked to do more with less,” according to a recent statement. 

Meanwhile, cyber-crime continues to grow and evolve—its tentacles extending from and around all reaches of the globe. Speaking with Forbes magazine, Gartner analyst Avivah Litan warned back in November of a spike in fraud related to the use of stolen data. She claimed some pretty good sources: Gartner’s own banking clients. And here’s the kicker: Litan proposed that the attacks were the handiwork of thousands of IT workers who had recently found themselves jobless “with the technical abilities needed to steal data or perpetrate fraud along with specific knowledge of their former employer’s IT systems,” according to Forbes.  “In times like these, people need the cash,” the magazine quoted Litan. “You have disgruntled IT employees that leave companies, take customer records with them to sell them on the black market.” 

Bottom line: If what we’ve been reading is true, we are facing a legion of new criminals, and at this point we’re woefully under-educated, under-resourced and out-gunned in the war against them. The good news? While the Obama administration may not hold the magical universal cure to this labyrinthine problem, it does have an unprecedented opportunity to effect sorely needed change at the highest level of government. 

During the primary campaign season, Obama put forth a Technology and Innovation Plan (opens in .pdf) that laid out some high-level ideas on how problems of identity-related fraud might be tackled. The highlights included proposals to:

–    Provide “robust protection against misuses of particularly sensitive kinds of information, such as e-health records and location data that do not fit comfortably within sector-specific privacy laws.”

–    Implement restrictions on how information in “powerful databases containing information on Americans that are necessary tools in the fight against terrorism” can be used. He also would enact measures to verify how the information actually has been used. 

–    Increase the Federal Trade Commission’s enforcement budget and step up international cooperation to track down cyber-criminals, thus enabling U.S. law enforcement to better prevent and punish “spam, spyware, telemarketing and phishing intrusions into the privacy of American homes and computers.” 

Those are good enough ideas— especially the parts about protecting e-health records and going after cyber- crooks overseas. But where should the new president begin? Let’s start with what the Obama administration shouldn’t do. It shouldn’t support Congressional efforts that would undermine hard-earned state statutes designed to protect consumer interests. In 2006, for example, The Financial Data Protection Act introduced by Rep. Steve LaTourette (R-OH), would have preempted data breach and credit freeze laws passed by various state legislatures. Fortunately, that bill never made it out of committee. Many states have enacted and implemented, and will likely continue to enact and implement, strong consumer protections. Their efforts shouldn’t be negated with a broad legislative brushstroke. 

Here’s another important should-not: The Obama administration should not allow federal agencies to treat sensitive consumer data like ordinary office supplies. A January 2008 report from the Government Accountability Office noted that between 2003 and 2006, 19 federal agencies had reported at least one compromise of personal identifying information that could expose individuals to identity theft. The Office of Management and Budget responded with strong security mandates for all federal agencies, including those requiring data encryption, but even by July 2008, many had been woefully slow to respond. During a 2006 Senate hearing on the Department of Veterans Affairs data breach that resulted in the loss of 28.6 million veterans’ Social Security numbers, then-Senator Barack Obama noted that “The system is so poorly designed that one employee can compromise the whole thing.”  It is imperative that under the Obama administration, the changes recommended during the previous administration are heeded by all agencies, all the time.  

Those are a few things President Obama shouldn’t do, but what about the thornier question of where to start? If there’s a common thread to be found in the recommendations of the identity theft experts consulted for this month’s newsletter, it’s that of intelligence. We need to be able to pool crime data collected by disparate law enforcement, private and government agencies in order to provide a more timely and complete snapshot of the identity theft problem—and that requires significant funding and organization.  Streamlining, cooperation and focus will also need to be emphasized in federal law enforcement. Among the 31 recommendations of the President’s Identity Theft Task Force, an assemblage of representatives from 17 federal agencies convened by the Bush Administration 2006, was a suggestion for the establishment of a “national identity theft law enforcement center.” This seems a reasonable goal, and perhaps one that could be coordinated along with Dixon’s suggestion that the FTC be the go-to agency for victims. 

As conversations with Jay Foley, Pam Dixon and Chris Hoofnagle attest, there is no shortage of ideas as to how we may assert greater control over the identity theft pandemic. Now it’s up to the new president, as a great listener and mediator, to bring all voices to the table and apply to the identity theft problem that simple yet profoundly important ideal we heard about so much in the campaign season: Change.