The biggest invitation to ID theft

Vontu CEO Joseph Ansanelli explains why Congress still doesn't know what to do about corporate identity theft.

Recent findings by the Federal Trade Commission confirm what many had feared: The rate of identity theft is reaching unprecedented heights.

In the past five years this crime category has boomed, and it now affects more than 27 million Americans. What's more, it costs business and financial institutions almost $48 billion a year. As the incidence and financial damage of identity theft escalate, so does the public's demand that policy makers enact new laws and regulations to stop this personal crime.

But in a rush to legislate, Congress has so far overlooked one area of identity theft that, if left unaddressed, would still leave consumers highly vulnerable.

Recent movement in the House of Representatives on legislation to reauthorize the Fair Credit Reporting Act is a quintessential example of how this rush to legislate may result in leaving consumers vulnerable.

This new legislation does contain many measures to speed notification to consumers after their identity has been stolen, but there are no new provisions that might prevent identity theft from happening in the first place. Most importantly, the legislation carries not a single new measure to block identity theft by "insiders," workers in corporate or government jobs who have access to the most sensitive of consumer information.

In fact, law enforcement is beginning to ring the alarm bell on this "insider" theft more loudly. The FTC survey found that 26 percent of the victims knew the identity of the thief. Of those who knew, a quarter said it was someone employed by a company who had access to their personal information.

Timothy Caddigan, a special agent who leads the Criminal Investigations Division of the Secret Service, testified during a recent hearing before a subcommittee of the House Financial Services Committee that he believes the identity theft by the "collusive employee" may be the most difficult for law enforcement to stop. Just weeks after Caddigan's appearance, the Secret Service announced it was commencing--in conjunction with Carnegie Mellon--an extensive study of this "insider" threat.

While this study will no doubt be instructive, Congress should act now to ensure consumers are better protected. I can tell you now that the Secret Service is going to learn through this study that there is only one clear way to better protect consumers from this insider threat. And that's by encouraging companies and government entities to better use technology to protect sensitive information stored on databases.

I think it's essential that Congress act quickly to develop a basic Consumer Data Security standard. Ensuring a national, unified and standard approach to protecting consumer information will help to stop one of the main and growing sources of identity theft.

I believe any standard must recognize that the fight against identity theft is an ever-shifting target. Therefore, this standard should be broad enough to allow constant upgrades, yet specific enough to provide guidance to organizations. Any such standard should include the following principles:

• Corporate security policies should be published and publicly available. Every company's security policies should be publicly available, regularly reviewed and updated, and audited and approved by the board of directors.

• Employee education and awareness should be mandated. A recent survey by Harris Interactive indicated that almost one-third of workers and managers had not read or did not even know if their employers had a written consumer data protection policy.

• Data protection and control should be an obligation of every company that keeps consumer information. Both the physical and electronic worlds should be covered, and a core set of policies for accessing customer information should be mandatory.

• There should be a commitment to ongoing compliance monitoring. Organizations should regularly monitor and report that their personnel are complying with government regulations and their own organization's security policies on access, use and distribution of sensitive consumer information.

With the surge in identity theft, the need to protect customers' personal information has never been greater. By approaching the problem with flexibility and constant vigilance, businesses can go a long way toward maintaining their public image and consumer trust.