Improving Government Handling of Sensitive Personal Data
Recommendation 1: The Task Force recommends that the Office of Management and Budget
(OMB) issue to all federal agencies the attached Task Force guidance that covers (a) the factors that should govern whether and how to give notice to affected individuals in the event of a government agency data breach that poses a risk of identity theft, and (b) the factors that should be considered in deciding whether to offer services such as free credit monitoring.
Recommendation 2: To ensure that government agencies improve their data security programs, the Task Force recommends that OMB and the Department of Homeland Security (DHS), through the inter-agency effort already underway to identify ways to strengthen the ability of all agencies to identify and defend against threats, correct vulnerabilities, and manage risks: (a) outline best practices in the areas of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the top 10 or 20 “mistakes” to avoid in order to protect government information.
Recommendation 3: To limit the unnecessary use in the public sector of Social Security numbers(SSNs),the most valuable consumer information for identity thieves, the Task Force recommends the following:
• The Office of Personnel Management (OPM),in conjunction with other agencies,
should accelerate its review of the use of SSNs in its collection of human resource
data from agencies and on OPM-issued papers and electronic forms, and take steps
to eliminate, restrict, or conceal their use (including the assignment of employee
identification numbers, where practicable).
• OPM should develop and issue policy guidance to the federal human capital
management community on the appropriate and inappropriate use of an employee’s
SSN in employee records, including the proper way to restrict, conceal, or mask SSNs
in employee records and human resource management information systems.
• OMB should require all federal agencies to review their use of SSNs to determine
where such use can be eliminated, restricted, or concealed in agency business
processes, systems, and paper and electronic forms.
Recommendation 4: To allow agencies to respond quickly to data breaches, including by sharing information about potentially affected individuals with other agencies and entities that can assist in the response, the Task Force recommends that all federal agencies, to the extent consistent with applicable law, publish a new “routine use” for their systems of records under the Privacy Act,
VICTIM ASSISTANCE
Restitution for Identity Theft Victims
One reason that identity theft can be so destructive to its victims is the sheer amount of time and energy often required to re-mediate the consequences of the offense. This may be time spent clearing credit reports with credit-reporting agencies, disputing charges with individual creditors, or monitoring credit reports for additional impacts of the theft. The FTC estimated in 2003, based on the results of its Identity Theft Survey Report, that the average identity theft victim spends 30 hours resolving the problems created by identity theft. Those individuals who were victimized most seriously (from both the false opening of new accounts in their names and the unauthorized use of their validly-issued credit cards) spent an average of 60 hours resolving the problems.
Overall, according to the survey, approximately 297 million hours were expended in one year by consumers attempting to resolve identity theft-related problems.
While restitution is available for direct pecuniary costs of identity theft offenses, the federal restitution statutes, 18 U.S.C. § § 3663(b) and 3663A(b), do not provide for compensation for this time spent by consumers rectifying accounts and avoiding more harm. Moreover, courts have interpreted the restitution statutes in such a way that would likely preclude the recovery of such amounts from criminal defendants, absent explicit statutory authorization.
In order to better remediate the harm caused by identity theft, the Department of Justice has drafted amendments to the restitution statutes, reproduced in Attachment C, that would allow a victim to obtain restitution from a criminal defendant for the time reasonably spent trying to rectify the consequences of the offense. Under these proposed amendments, the district court judge would determine the amount of time reasonably spent and the value of the victim’s time. The Department of Justice can propose that Congress adopt these amendments immediately.
LAW ENFORCEMENT
Development of a Universal Police Report
Victims of identity theft often need police reports documenting the misuse of their
information in order to recover fully from the effects of the crime. For example, identity theft victims can use a detailed police report as an “identity theft report” under the Fair and Accurate Credit Transactions Act to request that fraudulent information on their credit report be blocked, or to obtain a seven-year fraud alert on their credit file. Further, identity theft victims also must have a police report to obtain documents relating to fraudulent applications and transactions, and creditors may require a police report before establishing the victim’s bona fides in challenging a fraudulent account or purchase. Filing a police report also makes it more likely that law enforcement will pursue an investigation of the identity theft.
Some victims report, however, that they are unable to get a police report. FTC complaint data show that during the last three years, about 25% of victims of new-account fraud who sought police reports were not able to obtain them, in part because of overtaxed local police departments and the time involved in preparing what often can be a highly detailed document.
Simplifying the process of writing and receiving a police report would both relieve the burden on local law enforcement and allow victims to more easily repair the damage to their credit from the crime. A universal law enforcement report that the victim could complete online and take to the local police department would help achieve this goal. Additionally, the data from such standardized reports would be in a format that is used by the FTC’s Identity Theft Data Clearinghouse, increasing the ability of law enforcement to effectively spot significant patterns of criminal activity.
At present, the FTC has an online complaint form that is used to enter data into its Identity Theft Data Clearinghouse, which is in turn made available to law enforcement nationwide through Consumer Sentinel. The FTC is also prepared to develop a revised online complaint form at www.ftc.gov/idtheft that victims can complete, print, and take to a local law enforcement agency for verification and incorporation into the police department’s report system. The victim will then have a valid, detailed police report; the police department will have a record of the crime; and the victim’s complaint information will have been entered into the FTC’s Identity Theft Data Clearinghouse. The Public Sector Liaison Committee of the International Association of Chiefs of Police supports and has been involved in this effort.
~~Excerpts from The Identity Theft Task Force
