No technology issue concerns – or should concern – individuals, e-commerce and government regulators more than Internet identity theft.
The statistics are staggering. In the last year, LexisNexis reported that unauthorized people apparently took personal information on more than 30,000 Americans from its database — by stealing logins and passwords of legitimate customers.
Another data broker, ChoicePoint Inc., reported a possible theft of similar data from as many as 145,000 people through individuals claiming to have legitimate and legal use for the data they purchased from ChoicePoint.
But those numbers look small (except, of course, to the affected individuals) when compared with the identity-theft problem acknowledged by Bank of America — involving about 1.2 million federal employees.
Even more troubling is the compromise of confidential information relating to 40 million credit card accounts as a result of a security breach in the systems of payment processor CardSystems Solutions Inc.
As these recent cases demonstrate, e-commerce technology often allows the unauthorized access to information that facilitates identity theft. The methods of e-commerce often require that personal information be kept in electronic format, and generally that Internet accessibility to that information be maintained. Consistent with the growth of e-commerce is an explosion of consumers willing to provide their personal information in electronic format and companies who are retaining that information for commercial purposes.
Simultaneously, there has been a growth of online data businesses that make available to their clients the personal information, payment history and account records of customers. These online data businesses have exponentially increased the amount of information that can be obtained and the speed with which it is supplied. The data brokers, likewise, have no direct relationship with the individuals whose information they have collected and sold. So, it's not surprising that some of the most newsworthy security breaches concern data companies such as ChoicePoint, LexisNexis and CardSystems.
It's Not Just Hackers
It would, however, be a mistake to assume that all Internet identity theft emanates from hacking into a data company's systems. Small “click and mortar” companies and consumers themselves are often the direct source of the information that leads to identity theft. Recent media and other reports suggest that Americans are the victims of identity theft every 10 seconds, totaling about 3.2 million incidents per year.
Last year, according to a report by Consumer Sentinel, the complaint database developed and maintained by the Federal Trade Commission (FTC), the New York-Northern New Jersey-Long Island metropolitan area ranked 20th for identity theft-related complaints among major metropolitan areas with a population of 1 million or more (the Phoenix-Mesa-Scottsdale metropolitan area ranked first). New York ranked seventh among the states with 92 identity-theft victims per 100,000 in population. Admittedly, a good portion of these occurrences don't involve the Internet or technology at all, but rather result from more “typical” acts, such as the simple theft of a wallet or purse, “dumpster diving” — in which criminals pull confidential papers from garbage cans – or even sending a change of address form to the Postal Service so that a homeowner's mail is directed elsewhere and the information misappropriated that way.
Much identity theft, however, is committed through the Internet, by methods ranging from hacking into online databases such as ChoicePoint, CardSystems and LexisNexis, to “phishing,” a fraud in which Web surfers are tricked into providing confidential information to con artists who copy legitimate Web site designs and logos. (For an FTC press release reporting on actions the FTC and Justice Department brought “to shut down a spam operation that hijacked logos from AOL and Paypal to con hundreds of consumers into providing credit card and bank account numbers,” see www.ftc.gov/os/caselist/0323102/0323102zkhill.htm.)
The newest ruse is “pharming” — spoofing a domain name registered by a legitimate company so that it is reassigned, without the registrant's knowledge or consent, to a different Internet Protocol address where a fake Web site has been created.
In phishing, an affirmative action in response to an e-mail is required and it can usually be detected by the intended victim if he or she looks at the URL that appears after clicking on the e-mail link. By contrast, a pharming victim is unlikely to be aware that she or he has been directed to a fake site, because the URL displayed in the browser will display the correct information. Once the user accesses the fake Web site, it is a simple matter to collect information voluntarily provided by that user in reliance on what is believed to be a legitimate Web site. The information obtained by the thieves can be used to empty bank accounts, obtain services, get loans, file for benefits, and enter into leases and other contractual agreements.
The Bad Guys Are Getting Bolder
How brash are some Internet identity thieves? In February, the Internet Fraud Complaint Center, a partnership between the FBI and the National White Collar Crime Center, advised the public and law-enforcement personnel that the FBI had become aware of spam e-mail fraudulently claiming to be from the complaint center that was intended to entice the recipient to open the e-mail attachment containing a W32/Mydoom virus.
Consider, too, the every-day nature of spam attacks. The New York Times, for instance, reported earlier this year that 19,000 people who had signed up for a newsletter for the Broadway musical Spamalot may have had their names and postal and e-mail addresses exposed, possibly leading to their becoming spam recipients.
The impact on victims of identity fraud, whether the individual or the company whose resources were abused, is profound. Individual consumers who have had their private information obtained following online transactions or unauthorized collection will be wary of more dealings with the specific company involved, and perhaps will be wary of engaging in e-commerce in general. In the case of mass disclosures, security breaches can result in class action lawsuits, state and federal investigation, and endanger the continued existence of the company.
For example, CardSystems has seen some of its major clients, such as Visa and American Express, cancel their accounts. CardSystems, as well as several credit card companies, has been sued in class actions seeking disclosure of the identity of the compromised accounts and damages as a result of the compromise, despite the fact that no actual misuse of the identifying information had, as of early August, been linked to the CardSystems incursion. Nevertheless, CardSystems announced that it faces imminent extinction as “a result of the breach and industry's reaction to it,” according to a report last month in The Washington Post.
The impact on ChoicePoint's business as a result of the “2004 consumer fraud” has also been profound. ChoicePoint has created a separate linked Web site to offer assistance, information and resources regarding identity theft to consumers who were victims of the 2004 consumer fraud, as well as to current or potential commercial customers for ChoicePoint data. ChoicePoint also faces litigation by consumers allegedly defrauded as a result of the breach and has incurred expenses such as the retention of Ernst & Young to establish a best-practices policy to restore consumer comfort in ChoicePoint's continued collection and distribution of personal information for legitimate purposes. ChoicePoint stock dropped precipitously after the announcement of the infiltration and, although ChoicePoint recovered, it announced a stock buy-back, in part to boost investor confidence.
What e-Businesses Can Do
It is impossible for businesses to operate and not collect or hold personally identifying information — names and addresses, Social Security Numbers, credit card or other account numbers — about customers, employees or business partners. When this information falls into the wrong hands, it could put these individuals at risk for identity theft and the companies at risk for lawsuits — each a situation assiduously to be avoided.
But not all personal information can lead to identity theft, and so businesses don't have to treat all personal information the same way. Still, there are some important steps that companies should take that will have the dual benefit of protecting this information and limiting their potential liability in the event that the wrong people were to gain access to the information. Most important, businesses should take steps to protect information before there has been access, including limiting their use of sensitive information, such as Social Security Numbers, to true necessity rather than mere convenience, protecting the integrity of their computer and Internet and intranet resources, and maintaining vigilance for early detection of problems.
When a company discovers that information has been stolen that could result in harm to a person or business, the company should contact its counsel and the local police to explain the situation and the potential risk for identity theft. Additionally, because local police are often unfamiliar with investigating information compromises — and it is often a problem of national, if not international, scope — the company should probably contact the local FBI office or the local U.S. Secret Service office. Where mail theft is involved, the U.S. Postal Inspection Service should also be notified.
A company that suffers a theft of confidential information may find that the theft has an impact on other businesses, such as banks or credit issuers. If a company discovers that account-access information such as credit card or bank account numbers has been stolen, it should notify the institutions that maintain the accounts. By the same token, when a business that collects or stores personal information on behalf of other companies discovers a security breach, it should notify those businesses for which it handles that data. Keeping partners that might be affected apprised of the information compromise can help those businesses institute their own theft-protection plans. They can also then monitor use of the stolen data and notify third parties connected to them who might also be affected, and, by doing that, widen the electronic and human dragnet cast for the thieves.
The major credit bureaus — Equifax, Experian and TransUnion – should be contacted if names and Social Security Numbers are stolen. It may be appropriate to have the credit bureaus inform the individuals whose information has been lost that they can request fraud alerts for their files.
Where an information compromise results from the improper posting of personal information on a Web site, the company should immediately remove the information from the site. It's important to understand, too, that Internet search engines store, or cache, information for a time. Search-engine companies can be contacted to ensure that they do not archive personal information that was posted in error.
Driving Notification Home
Another step that companies can take following an information breach is to notify the affected individuals — and the earlier, the better. Doing so can allow them to take steps to minimize the misuse of information.
Not every loss of data should necessarily lead to such notification, though. To determine whether to notify individuals, a company should consider:
New state legislation, as well as proposed federal and other proposed state legislation, may likewise impose duties of notification on the business under certain circumstances. Meanwhile, the FTC recommends that, when notifying individuals, a company:
More information on reporting and dealing with identity theft is available at the Web sites listed below from the Federal Deposit Insurance Corp., the U.S. Department of Justice, the Social Security Administration and the Office of the Attorney General of New York:
Legislation
Although most states have criminalized identity theft itself, few statutes directly regulate protection of data, such as standards for system security or notification requirements in case of breach. Federal legislation was recently proposed in response to the ChoicePoint, CardSystems and LexisNexis security breaches that is likely to have substantial impact on the conduct of e-commerce.
On July 29, the U.S. Senate Committee on Commerce, Science and Technology unanimously approved a bill intended to protect against identity theft. In addition to remedies available to individual consumers, such as freezing their credit, the legislation would impose notice obligations in any case where there was a “reasonable risk” of identity theft as a result of a security breach in data held by any business, school or entity that “collects information,” and on those businesses that purchase the information. The proposed legislation also would impose on those who hold sensitive personal information the duty to use “physical and technological safeguards” as required by the FTC. Also proposed is a ban on the solicitation and use of Social Security Numbers unless no alternative identifiers are available.
Although no private right of action is contained in the proposed legislation, the attendant costs of compliance with the notice and technology requirements – as well as the danger of consumer suits in the case of identity theft – have raised red flags in the e-commerce community. Also, many involved in the financial industry are concerned that the proposal will do little to curb identity theft and they posit that the problem can be addressed only by slowing down the pace of financial transactions to permit true identity validation rather than by artificial limitations on access to information.
Additional issues of varying state laws must always be considered by businesses engaged in e-commerce. For example, California and Washington state require that, in certain situations, consumers must be notified when the security of their personal data has been breached, whether or not there is a known fraud that results from that breach. The New York legislature is considering a law similar to the California statute, known as S.B. 1386. New York's Assembly Bill 4254 and Senate Bill 2161 would require any state agency or business that owns or licenses a computerized database that includes “vulnerable personal information” to disclose any breach of security of such a system to any resident of New York state whose unencrypted personal information may have been acquired by an unauthorized person. The bills allow victims of such attacks recovery of damages. A4254 left the Assembly with approval on July 28 for Gov. George Pataki's office; the Senate Bill, 2161, remained in mid-August in the Energy and Telecommunications Committee.
They define “personal information” as any information concerning a natural person that, because of name, number, personal mark, or other identifier, can be used to identify such natural person.
“Vulnerable personal information” under the bill is personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted:
“Vulnerable personal information” does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.
Another bill, A. 5487, the Personal Information Protection Act, would require:
It's important for companies to remain vigilant in their efforts to protect confidential information, even in the absence of governing legislation, as a way of minimizing litigation exposure and as a matter of good business policy. It's particularly relevant to the conduct of e-commerce that consumers maintain confidence that they will not be exposed to possible identity theft by relying on the security of their transactions and the reliability of the companies with which they conduct business.