The Identity Theft Task Force at work

The Identity Theft Task Force has gone to work in Washington, offering some really good ideas on what should be done to curb and slow the growth of Identity Theft.
One interesting point from the article at Information Week is this:

Victims of identity theft should be allowed to seek restitution from defendants for time spent undoing damage from the offense, according to interim recommendations issued Tuesday by a federal task force on ID theft.

This is an excellent suggestion. There is, however, a challenge with it. That challenge is to ask the question, who is the defendant?

When we’re talking about Identity Theft as a society, we’re generally not talking about the whole picture of Identity Theft.
As I have talked about in previous posts, there is a reseller network at work, who wants to steal your information. And they will do whatever they need to do in order to profit from your information.
The article says that

Businesses were the source of information breaches in 30% of cases. Of these, data breaches accounted for 6% of the overall total, fraudulent transaction processing accounted for 7%, and employee wrongdoing accounted for 15%.

So here’s a possible process for Identity Theft to take place:
Employer –> hires employee –> sells information to crook by physically handing them a disk –> uploads information to online forum for sale to information broker –> sells information to reseller –> sells information to a criminal –> criminal activity committed in the name of the defendant.
Who’s responsible? Who’s the “defendant”?
Well, generally, the criminals can be pretty hard to track. Only 1 in 700 people taking part in Identity Theft are actually prosecuted. So who becomes the defendant?
If the information loss can be tracked back to the business, then the employee will likely be arrested or charged.
But is the employee the defendant, or is the employer the defendant? According to the Federal Trade Commission, a widening of the laws under Gramm Leach Bliley, as well as the FACTA disposal provision, and even the expansion of HIPAA, as well as some state statutes, BOTH are responsible if proper provisions haven’t been put in place.
Kind of makes employers feel all warm and fuzzy.
What I’m recommending is that employers contact a Certified Identity Theft Risk Management Professional to help them be sure they’re in full compliance with this whole new set of issues. If you are interested in learning more about protecting your company, I’d be happy to take a few minutes with you. You can contact me here.