The Price of Admission to the Digital Age
Identity theft is everywhere. It’s the crime of the millennium; it’s the scourge of the digital age. If it hasn’t happened to you, it’s happened to someone you know. Using Federal Trade Commission (FTC) data, Javelin Research estimates that about 9 million identity thefts occurred last year, which means that about 1 in 22 American adults was victimized in just one year. So far – knock wood – I’ve personally been spared, but in the course of running an enterprise identity theft solutions company, I’ve run across some amazing stories, including from close friends that I had not previously known were victims. One friend had her credit card repeatedly used to pay for tens of laptops, thousands of dollars of groceries, and rent on several apartments – in New York City, just prior to the 9/11 attacks. The FBI finally got involved, and discovered an insider at the credit card firm, and links to organizations suspected of supporting terrorists.
So what is this big scary threat, is it for real, and is there anything one can do other than install anti-virus software, check credit card statements, put your social security card in a safe deposit box, and cross one’s fingers? And perhaps even more important for the
corporate audience – what’s the threat to corporations (oh, yes, there’s a major threat) and what can be done to keep the company and its employees safe?
First, the basics. Identity theft is – as the name implies – any use of another person’s identity to commit fraud. The obvious example is using a stolen credit card to purchase items, but it also includes such activities as hacking corporate networks to steal enterprise information, being employed using a fraudulent SSN, paying for medical care using another person’s insurance coverage, taking out loans and lines of equity on assets owned by someone else, using someone else’s ID when getting arrested (so that explains my impressive rap sheet!) and much more. In the late 90s and early 2000s, identity theft numbers skyrocketed, but they have plateaued in the last 3 years at around 9-10 million victims per year – still an enormous problem: the most common consumer crime in America. And the cost to businesses continues to increase, as thieves become increasingly sophisticated – business losses from identity fraud in 2005 alone were a staggering $60 billion dollars. Individual victims lost over $1500 each, on average, in out of pocket costs, and required tens or even hundreds of hours per victim to recover. In about 16% of cases, losses were over $6000 and in many cases, the victims are unable to ever fully recover, with ruined credit, large sums owed, and recurring problems with even the simplest of daily activities.
The underlying cause of the identity theft crime wave is the very nature of our digital economy, making it an extremely difficult problem to solve. Observe yourself as you go through the day, and see how many times your identity is required to facilitate some everyday activity. Turn on the TV – the cable channels you receive are billed monthly to your account, which is stored in the cable company’s database. Check your home page – your Google or Yahoo or AOL account has a password that you probably use for other accounts as well, maybe your financial accounts or your secure corporate login. Check your stocks – and realize that anyone with that account info could siphon off your money in seconds. Get into the car – you’ve got your drivers license, car registration, and insurance, all linked to a drivers license number which is a surrogate national ID, and could be used to impersonate you for almost any transaction. Stop for coffee, or to pick up some groceries, and use one of your many credit cards, or a debit card linked to one of your several bank accounts – if any of those are compromised, you could be cleaned out in a hurry.
And in the office – a veritable playground of databases with your most sensitive data! The HR database, the applicant tracking system, the Payroll system, the Benefits enrollment system, and various corporate data warehouses – each one stores your SSN and many other sensitive pieces of identifying data. Also the facilities system, the security system, the bonus and commission and merit increase and performance management systems, your network login and email accounts, and all of your job-specific system accounts. Not to mention all of the various one-time and periodic reports and database extracts that are done all day long, every day, by Compensation, by Finance, by audit firms, by IT and many others. And what about all the backups and replicated databases, and all the outsourced systems, all the various Pension and 401(k) and other retirement account systems? The little easily forgotten systems that track mentor assignments and birthdays and vacation accruals. The online paycheck image systems? The corporate travel provider’s systems? And let’s not forget how every outsourced system multiplies the risk – each one has backups and copies and extracts and audits; each one is accessible by numerous internal users as well as their own service providers. How many databases and laptops and paper reports throughout this web of providers and systems have your data, and how many thousands of people have access to it at any moment? The list rapidly goes from surprising to daunting to frightening, the longer one follows the trail of data.
It’s a brave new digital world, where every step requires instant authentication of your identity – not based on your pretty face and a lifelong personal relationship, but on a few digits stored somewhere. Much more efficient, right? So your various digital IDs – your drivers license number, your SSN, your userids and passwords, your card numbers – have to be stored everywhere, and as such, are accessible by all kinds of people. This explains the huge and growing phenomenon of corporate data breaches. Amazingly, over 90 million identities have been lost or stolen in these breaches in just the last 18 months, and the pace is actually accelerating. It’s simple arithmetic combined with a financial incentive – a growing volume of identity data, accessible by many people, that has significant value.
And once any of these digital IDs are compromised, they can be used to impersonate you in any or all of these same thousands of systems, and to steal your other digital IDs as well, to commit further fraud. This is the scale of the problem. Much worse than a cutesy stolen Citibank credit card – identity theft can easily disrupt everything you do, and require a massive effort to identify and plug every potential hole. Once your identity is stolen, your life can become an eternal whack-a-mole – fix one exposure, and another pops up, across the enormous breadth of all the accounts and systems that use your identity for any purpose at all. And make no mistake – once compromised, your identity can be sold again and again, across a vast shadowy international ID data marketplace, outside the reach of US law enforcement, and extremely agile in adapting to any attempts to shut it down.
A Disaster Waiting to Happen?
Over the last two years, three major legal changes have occurred that substantially increased the cost of corporate data theft. First, new provisions of the Fair and Accurate Credit Transactions Act (FACTA) went into effect that imposed significant penalties on any employer whose failure to protect employee information – either by action or inaction – resulted in the loss of employee identity data. Employers may be civilly liable up to $1000 per employee, and additional federal fines may be imposed up to the same level. Various states have enacted laws imposing even higher penalties. Second, several widely publicized court cases held that employers and other organizations that maintain databases containing employee information have a special duty to provide safeguards over data that could be used to commit identity fraud. And the courts have awarded punitive damages for stolen data, over and above the actual damages and statutory fines. Third, several states, beginning with California and spreading rapidly from there, have passed laws requiring companies to notify affected consumers if they lose data that could be used for identity theft, no matter whether the data was lost or stolen, or whether the company bears any legal liability. This has resulted in vastly increased awareness of breaches of corporate data, including some massive incidents such as the infamous ChoicePoint breach in early 2005, and the even larger loss of a laptop containing over 26 million veteran’s IDs a couple of months ago.
At the same time, the problem of employee data security is getting exponentially harder. The ongoing proliferation of outsourced workforce services – from background checks, recruiting, testing, payroll, and various benefit programs, up to full HR Outsourcing – makes it ever harder to track, let alone manage all of the potential exposures. Same thing for IT Outsourcing – how do you control systems and data that you don’t manage? How do you know where your data is, who has access, but shouldn’t, and what criminal and legal system governs any exposures occurring outside the country? The ongoing trend toward more remote offices and virtual networks also makes it much harder to control the flow of data, or to standardize system configurations – how do you stop someone who logs in from home from burning a CD full of data extracted from the HR system or data warehouse, or copying it to a USB drive, or transferring it over an infrared port to another local computer? And recent legislative minefields, from HIPAA to Sarbanes Oxley, not to mention European and Canadian data privacy regulations, and the patchwork of fast-evolving US federal and state data privacy legislation, have ratcheted up the complexity
of control, perhaps past the point of reasonability. Who among us can say that they understand all of it, let alone fully comply?
The result: a perfect storm – more identity data losses and thefts, much greater difficulty at managing and plugging the holes, much greater visibility to missteps, and much greater liability, all boiling in the cauldron of a litigious society, where loyalty to one’s employer is a bygone concept, and all too many employees look at their employer as a set of deep pockets to be picked whenever possible.
And it’s all about “people data” – the simple two-word phrase right at the heart of the mission of Human Resources and IT. The enterprise has a problem – its people data is suddenly high value, under attack, and at escalating risk – and they’re looking at you, kid.
The good news is that at least it’s a well-known problem. Indeed, although I hope I’ve done a good job of scaring you into recognizing that identity theft is not all hype – that it’s a genuine, long-term, big-deal problem – the reality has a hard time keeping up with the hype. Identity theft is big news, and lots of folks, from solution vendors to media infotainment hucksters of every stripe have been trumpeting the alarm for years now. Everyone from the boardroom on down is aware in a general way of all the big data thefts, and the problems with computer security, and the hazards of dumpster divers and so on. Even the Citibank ads have done their part to raise awareness. So you have permission to propose a reasonable way to address the problem – a serious, programmatic approach that will easily pay for itself in reduced corporate liability, as well as avoidance of bad publicity, employee dissatisfaction, and lost productivity.
The Journey of a Thousand Miles
In general, what I recommend is simply that you do, indeed, approach identity theft prevention and management as a program – a permanent initiative that is structured and managed just like any other serious corporate program. That means an iterative activity cycle, an accountable manager, and real executive visibility and sponsorship. That means going through cycles of baselining, identification of key pain points and priorities, visioning a next generation state and scope, planning and designing the modules of work, executing, measuring, assessing, tuning – and then repeating. Not rocket science. The most important step is to recognize and train a focus on the problem – put a name and a magnifying glass to it. Do as thorough a baseline review as you can, examine the company from the perspective of this substantial risk, engage your executive leadership, and manage an ongoing improvement program. After a couple of cycles, you’ll be surprised how much better a handle you have on it.
Within the scope of your identity theft program, you will want to target the following primary objectives. We’ll examine each one briefly, and outline the critical areas to address and some key success factors.
1) Prevent actual identity thefts to the extent possible
2) Minimize your corporate liability in advance for any identity thefts (not the same thing as #1 at all)
3) Respond effectively to any incidents, to minimize both employee damage and corporate liability
From an enterprise perspective, you can’t achieve identity theft prevention without addressing processes, systems, people, and policy, in that order.
o First, follow the processes and their data flows. Where does personal identity data go, and why? Eliminate it wherever possible. (Why does SSN have to be in the birthday tracking system? Or even in the HR system? One can tightly limit what systems retain this kind of data, while still preserving required audit and regulatory reporting capability for those few who perform this specific function). And by the way, assigning or hiring someone to try to “social engineer” (trick) their way into your systems, and also asking for employees to help identify all the little “under the covers” quick-and-dirty exposure points in your processes and systems can be very effective ways to get a lot of scary information quickly.
o For those systems that do retain this data, implement access controls and usage restrictions to the extent possible. Remember, you are not tightening down data that drives business functions; you are merely limiting the access to and ability to extract your employee’s personal, private information. The only ones who should have access to this are the employee themselves and those with specific regulatory job functions. Treat this data as you would treat your own personal and private assets – your family heirlooms. Strictly limit access. And remember – it’s not only those who are supposed to have access that are the problem, it’s also those who are hacking – who have stolen one employee’s ID in order to steal more. So part of your mission is to make sure that your network and system passwords and access controls are really robust. Multiple, redundant strategies are usually required – strong passwords, multi-factor authentication, access audits, employee training, and employee security agreements, for example.
o Train your people – simply and bluntly – that this data is personal, and not to be copied or used anywhere except where necessary. It’s not the theft of laptops that’s the big issue; it’s that the laptops inappropriately contain employee’s personal data. Give your people – including any contractors and outsourced providers that serve you – the guidance not to place this data at risk, and where necessary, the tools to use it safely: standardized computer system monitoring, encryption, strong password management on systems that contain this data, etc.
o Develop policies for handling employee’s private data safely and securely, and that hold your employees and your service providers accountable and liable if they do not. Clearly, simply, and forcefully communicate this policy and then reinforce it with messages and examples from senior executives. Make this especially clear to every one of your external service providers, and require them to have policies and procedures that duplicate your own safeguards, and to be liable for any failures. This may seem a daunting task, but you will find that you are not alone – these service providers are hearing this from many customers, and will work with you to establish a timetable to get there. If they don’t get it, maybe that’s a good signal to start looking for alternatives.
Minimizing corporate liability is all about having “reasonable safeguards” in place. What does that mean in practice? – no one knows. But you’d better be able to pass the reasonability “smell test”. Just like obscentity, judges will know “reasonable safeguards” when they see them – or don’t. You can’t prevent everything and you’re not required to, but if you have no passwords on your systems and no physical access control over your employee files, you’re going to get nailed when there’s a theft. So you need to do precisely the kind of review and controls that I’ve outlined above, and you also need to do it in a well documented, measured, and publicized way. In short, you need to do the right thing, and you need to very publicly show that you’re doing it. It’s called CYA. That’s the way legal liability works, kids. And in this case, there’s very good reason for this rigor. It ensures the kind of comprehensive and thorough results that you want, and it will assist you greatly as you iterate the cycles of improvement.
This is why you want to make the effort to establish a formal program, and benchmark what some other companies do, and define a comprehensive plan and metrics after you complete your baselining and scoping steps, and report results to your executives, and iterate for continuous improvement. Because you need to both know and show that you’re doing all that could reasonably be expected to secure employee’s personal data which is in your care.
And yet, despite all your safeguards, the day will come when something goes wrong from an enterprise perspective. You absolutely can substantially reduce the probability, and the size of any exposure, but when over 90 million records were lost or stolen from thousands of organizations in just the last 18 months, sooner or later almost everyone’s data will be compromised. When that happens, you need to shift on a dime into recovery mode, and be ready to roll into action fast.
But not just fast – your response must be comprehensive and effective, specifically including the following:
o Clear, proactive communication – first to employees, then to the public.
o The communication must say what happened, that a small, empowered task force has been marshaled, that temporary “lock down” procedures are in place to prevent further similar exposure, that investigation is under way, that affected employees will be given recovery assistance and reimbursement of recovery expenses, and monitoring services to prevent actual identity thefts using any compromised data.
o Of course, all those statements need to be true, so:
o A task force of HR, IT, Security, and Risk Management professionals and managers must be identified and trained, and procedures for a “call to action” defined – in advance.
o They must be empowered to implement temporary lock down procedures on employee personal data. Procedures for likely scenarios (laptop loss, backup tape loss, network login breach, theft of physical HR files, etc.) should be predefined.
o Template communications – to employees, partners, and press – should be drafted.
o Qualified investigative services should be selected in advance
o Expert identity theft recovery assistance resources and identity theft threat monitoring services should be evaluated and selected in advance.
Nothing is more important to protect your company than a well-planned and effective response within the first 48 hours of an incident. If you’re not prepared and practiced well in advance, this will be impossible. If you are, it can actually be a positive public relations experience, and will drastically reduce legal, financial, and employee satisfaction impacts.
Identity theft is not a flash in the pan – it’s built into the way the world now works, and this heightens not only the risk, but also the damage. Companies are at special risk, because by necessity, they expose their employee’s data to other employees and to their providers and partners, and they bear responsibility for the risk that this creates. Those in HRIS, whose specific function is the management of “people data”, must take ownership of this emerging liability, and ensure that their companies are as safe and as prepared as possible.