PRESIDENTS TASK FORCE RECOMMENDATIONS - TOO LITTLE, TOO LATE

The Presidents Identity Theft Task Force has released this week its summary of “Interim Recommendations”. The report contains specific recommendations for prevention, victim assistance, and law enforcement. The report fails to address the root causes of identity theft crimes and resorts to simple solutions for complex issues. The net result of these recommendations is simply allowing the crime wave of credit frauds, impersonation crimes, and criminal identity theft to continue unabated.

KnightsBridge Castle’s services are particularly effective in identity theft prevention and we awaited the Presidents Task Force recommendations with some hopeful expectation. Included within the recommendations for PREVENTION were the following elements:
--Guidelines to government agencies on when to provide breach notices and when to provide for free “credit monitoring.”
--Recommends that the Office of Management and Budget (OMB) and Homeland Security (HSD) help agencies identify and defend against threats.
--Limit the un-necessary use in the public sector of Social Security Numbers.
--Allow agencies to quickly respond to data breaches and to share information under a new “routine use” practice drafted by the Department of Justice.
--The government should hold a workshop to determine improved identity verification and authentication techniques.

With respect to VICTIM ASSISTANCE the report called for allowing victims to recover for the time lost in correcting the harm suffered. The report recommends that the federal laws be changed to allow for the recovery of money damages for time lost from the thief.

In the LAW ENFORCEMENT SECTION the report calls for a standardized police report form to ease the collection of data into a uniform database to be maintained by the Federal Trade Commission (FTC).

KnightsBridge Castle’s view of these recommendations is as follows:

PREVENTION:
Guidelines are always good, however they need teeth. Guidelines should be regulations not suggestions for handling a breach.
Credit monitoring is a sham solution to breach problems. This guideline clearly indicates that the Task Force misunderstood either Identity Theft crimes or the limited nature of credit monitoring. Another potential factor is that the recommendation included the economic interest of the credit reporting companies in promoting their deeply flawed credit monitoring solutions. (Note: we have covered the question of the value of credit monitoring in earlier posts).
OMB and HSD assistance in preventing and following up government breaches is positive. However, recent HSD expenditures and management deficiencies, have indicated that we can expect little real help from the agency in the near term.
Limiting the unnecessary use of SSN’s is a real positive recommendation. However this will require congressional action and will be opposed by the financial community and the credit reporting agencies. To implement this plan congress must act in the public interest rather than in the commercial interest of the financial community.
Sharing information and adopting the “routine use” provision in data breaches will have no material effect in preventing data breaches in government.
Holding a workshop on authentication and verification is laughable. Alternative methods, both technical and procedural, for authentication of identity have been understood for years. The intense debate in the security and financial community about the utility of “biometrics” continues and will not be resolved in a government “workshop”.

The single VICTIM ASSISTANCE recommendation of allowing victims to seek restitution from criminals for the value of “time lost” is also of no real value. How is time lost to be measured? How is the time to be valued and how will the value of the time be proven. If a victim takes time off from work what documentation is required? If the victim takes time on a weekend is this also to be valued? These very real limitations are today preventing victims with insurance from recovering any real costs.

However all these valuation issues are moot, because the cost recovery action is taken against a criminal. Will the criminal really pay restitution? Or will he just run from the law and continue his criminal acts? We continue to follow Eric Drew’s restitution case, covered elsewhere on this bolg, and we will keep you informed if this restitution effort is successful or not.

The LAW ENFORCEMENT recommendation is the most absurd of all these recommendations. The FTC currently collects identity theft information using their ID Theft Affidavit. While a uniform police form will greatly improve the collection of data, the “Sentinel” database into which this information is input has proven to be of no value to police departments in stemming this crime wave. (Note: we have covered the “Sentinel” database and its limitations elsewhere in this bolg)

CONCLUSION:
The report of the Presidents Task force is of no real value in addressing the critical issues of identity theft reduction. It does nothing to provide police with the resources (e.g. Money and training) needed to catch and prosecute these criminals. The recommendation does nothing to lengthen prison sentences for these damaging criminal acts. The use of “credit monitoring” as a potential assistance to victims, does not benefit victims in any meaningful way, but rather it guarantees significant income to the credit reporting agencies that are often at the center of facilitation of this crime.

Link to Presidential Identity Theft Task Force Interim Report.
http://www.ftc.gov/os/2006/09/060916interimrecommend.pdf