"As with any crime, victims of identity theft suffer feelings of violation and stress, but in these cases, victims have the added burden of cleaning up the mess that the identity thieves leave behind," said Attorney General Alberto Gonzales in a statement. "The President created the Identity Theft Task Force to oversee the implementation of real and practical solutions at the federal level to defeat this ongoing intrusion into the lives of law-abiding Americans. Today's recommendations move that process forward."
The Task Force issued seven recommendations. These include 1) directing the Office of Management and Budget to issue guidance to federal agencies on how to handle data breaches; 2) strengthening data security in the government; 3) accelerating and broadening the review of where Social Security numbers are used by agencies; 4) establishing a new "routine use" by which agencies would be allowed to share information otherwise restricted by the Privacy Act to facilitate responding to a data breach; 5) holding workshops for academics and businesses to develop better methods to authenticate identities; 6) amending criminal statutes to allow identity theft victims to seek restitution from defendants for time spent undoing damage from the offense; and 7) developing a universal police report to make it easier to report identity theft and enter it into existing systems.
The Task Force was established by order of the President on May 10, 2006, to curb identity theft and now includes 17 federal agencies and departments. Among them, the FBI, the U.S. Secret Service, the U.S. Postal Inspection Service, and the Social Security Administration Office of the Inspector General investigate identity theft.
Not surprisingly, those agencies have been busy. In 2005, the Justice Department charged 226 defendants with aggravated identity theft. In the first half of 2006, the Justice Department charged 432 defendants with the same crime. The FBI says it has 1,587 cases related to identity theft under way, having opened 662 cases in 2005 and 272 in 2006 to date. Postal inspectors opened 1,530 identity theft-related cases and made 2,277 arrests in 2005, and opened 1,012 identity theft-related cases and made 1,294 arrests in the first half of 2006. The SSA OIG Office of Investigations said it opened 1,566 cases involving the misuse of Social Security numbers in 2005, and 812 such cases in the first half of 2006.
In recent years, the incidence of identity theft has been on the decline, though the resulting financial loss has risen. A Javelin Strategy and Research report released in January found that the number of U.S. adult victims of identity fraud decreased from 10.1 million in 2003 to 9.3 million in 2005 and projects a further decline to 8.9 million in 2006. At the same time, the total one-year fraud amount rose from $53.2 billion in 2003 to $54.4 billion in 2005. The Javelin report projects a fraud loss from identity theft of $56.6 billion in 2006.
The situation is one of fewer victims being taken for greater amounts of money. However, most identity theft victims (68%) incur no costs, according to the Javelin report. The average cost incurred by victims is projected to decline to $422 in 2006.
Among the cases where the source of the data breach is known, 63% of identity theft incidents involved information under the victim's control, according to the report, a statistic arguing for consumer education and greater paranoia. These incidents can be divided into four major categories: 30% involved lost or stolen items, such as wallets or credit cards; 15% involved trusted associates; 9% involved stolen mail or garbage; and 9% involved home computer compromises.
Businesses were the source of information breaches in 30% of cases. Of these, data breaches accounted for 6% of the overall total, fraudulent transaction processing accounted for 7%, and employee wrongdoing accounted for 15%.
Jay Foley, executive director of the nonprofit Identity Theft Resource Center, says the government is moving in the right direction and deserves credit for trying, but takes issue with some of the recommendations and would like to see more done. For example, he's skeptical that the Task Force's recommendation to consider extending free credit monitoring to victims will do much good.
"At no time do I believe that free credit monitoring should be offered in a breach situation," Foley says. "It's nonsensical. It's an unnecessary cost and expense. Credit monitoring is up to 70% accurate. It's not effective enough to be viable."
Foley says he'd also like to see more attention paid to policies and procedures for information redaction, since information that shouldn't be published by government agencies continues to be posted online and elsewhere.
As to whether identity theft is getting worse or better, Foley says it's not increasing so much as shifting from credit card fraud to check and debit card fraud. "The credit card companies invested in good analytic software to stop this," he explains. "The banking industry doesn't have the ability to put that software into place."
Evan Hendricks, editor and publisher of Privacy Times, a subscription newsletter that's been going since 1981, likewise sees merit in the recommendations. "You want to welcome positive steps, even if they're baby steps," he says.
Hendricks believes more resources need to be allocated to state and local agencies to support identity theft investigation specialists. He would also like to see more resources for postal inspectors, whom he credits with catching more identity thieves than anyone else.
Hendricks hopes the recommendations will encourage businesses to evaluate their data handling practices, too. "The old legacy practices of the financial services industry really facilitate ID theft, such as the focus on Social Security numbers," he says.
Absent from the recommendations is any specific consideration of the role the Internet plays in identity theft. Social Security numbers, for example, can easily be found using any of the major search engines. But the Task Force was charged with developing a government response to identity theft rather than solving the problem entirely. A comprehensive solution will require action on the part of the government, businesses, and individuals. And that may take a while.
"It's hard to imagine it getting much better," says Hendricks. "There are a lot of incentives to turn to ID theft because it's a low-risk, high-payoff crime."