PEF/Encon Position Paper on Identity Theft

Presented at the June 2002 LM Meeting



Identity theft is a very large issue, and while there are regulations and laws regarding it, there are virtually no policies regarding what to do in the event of an occurrence. The worker is powerless when it comes to the control of data that an employer holds.

With the recent events that have occurred in the State of California concerning the compromising of employee data, and the resulting confusion that has been caused by it (see MSNBC news article - attached at the end of this position paper), the State of New York should have in place a written and enforceable policy that outlines actions and responsibilities of both the state workforce administration and state workers in the event of such an occurrence here.

Just as there are written policies ranging from agency to state level in the event of a physical catastrophic incident or event occurring, the compromising of personal data (through either negligence or accident) can be just as devastating to individuals.

This policy should also cover any outside agency or service bureau contracted by the State at which a compromise occurred; set limits on the amount of time the State or Agency has to notify employees; provide help and assistance in rectifying any damage done; keep information available on the status of the problem; and provide information on the steps taken to ensure that the problem will not occur again.


There should be a written DEC policy concerning the subject of the compromise of data security in relation to state employees' personal information.

This policy should set (among other things):

    1. Personal information shall include but not be limited to payroll information, health record information, financial information, and other similar information held by the state for which the state is responsible to protect as private.
    2. Time limits by the state for notifying employees that personal information* has or may have been compromised.
    3. If a breach of security of personal information occurs, notification of what information has been compromised and when the information was compromised.
    4. Outline the actions that the state will be responsible for handling (i.e. notifications, etc.) in the case of a compromise.
    5. Outline the responsibilities of the employee, and suggestions of a course of action to be taken, depending on what kind of information has been compromised.
    6. Inclusion of "outsourcing" or contracted services companies or bureaus as being under the umbrella of this policy.



Attachment to PEF/Encon Position Paper on Identity Theft

ID theft rampant; options limited

Ford, Bank One, California incidents reveal larger problem

By Bob Sullivan


May 29 - The State of California leaks the direct deposit records of 260,000 employees. A Bank One employee sells hundreds of customer records to a ring of identity thieves. Criminals gain access to Ford Motor company's credit reference firm and order 13,000 credit reports. An insurance company, whose name still has not been disclosed, gives information on patient illnesses to a marketing firm. It's been a bad month for personal privacy, a good one for identity thieves. And it has experts asking: Will all of us eventually be victims?

CAREFULLY GUARD YOUR social security number, the experts say. Don't enter it in Web pages; don't give it out to companies and watch your bank statements like a hawk. It's all good advice. But for hundreds of thousands of victims who had their personal financial data stolen recently, it wouldn't have helped. Even people who did everything by the book have seen their data exposed. Now it's just a waiting game. Wait and see if their bank accounts are drained, if car loans are taken out in their names, if their homes are mortgaged and equity stolen right from under their roofs.

About 750,000 people had their identities copied last year and suffered the consequences, said Rob Douglas, CEO of American Privacy Consultants Inc. The massive California case and other high-profile incidents suggest that number could be much higher in 2002. The crime is so easy and risk-free that even drug dealers are turning to ID theft as a safer way to make money, Douglas said.

What can a concerned potential victim do? The truth is, not much.

"The problem is a little bit in the intractable category," said Larry Ponemon, CEO of the Privacy Council. "For the most part, we rely on the good intentions of companies (that have customers' personal data). But the empirical evidence says you cannot rely on that any more. Bad things will happen. ... Sooner or later it's going happen. I don't know if there's really much we can do."


The recent spate of high-profile data thefts suggests just that. In Ford's case, there was no way potential victims could have protected themselves: they didn't even have to be Ford customers.

Thieves were able to impersonate the company and order thousands of credit checks through Experian, one of the big three credit reporting companies. Experian thought Ford was requesting the data, and forked over 13,000 reports between April 2001 and February of this year before someone noticed the suspicious activity. Most victims weren't customers of Ford Credit; the identity thieves simply used Ford's name to get credit reports on victims living in affluent neighborhoods, according to the Detroit News, which first reported the theft. Ford sent letters to all the victims starting last month.

There have already been victims connected to the Ford data leak. The CUNA Mutual Group sent a memo to its member credit unions on Wednesday warning about financial fraud connected to the incident.

"At least one credit union has suffered losses from member account identity takeover because the member's credit report was one of the stolen credit reports," the memo said.


California state employees victimized recently couldn't have done much, either. Corporations and government agencies push hard to convince employees to receive their paychecks through direct deposit. It's cheaper for banks and companies, and often more convenient for employees. But that convenience meant all that personal financial information was kept in one place, and now, it's likely in the hands of financial thieves.

"My only consolation regarding the whole payroll screwup is that it affects everyone from the board members on down," wrote one victim to "For 20 years I've never had a single late payment on anything but now my credit history could be toast due to some lowly paid state worker."

Both the Ford incident and the California problem stem from a computer mishap.


Bank One's leak was much more old-fashioned, but equally as difficult for consumers to stop. In that incident, a 21-year-old former female employee of the firm's Pewaukee, Wis., office sold hundreds of financial records to an identity theft ring. Tom Kelly, a Bank One spokesperson, said the firm only found 250 stolen records during an investigation. But WISN 12 News, which first reported the incident, suggested thousands more records were sold.

The incident also highlights what privacy experts say is the biggest problem surrounding identity theft incidents: corporate secrecy. Bank One never told its customers about the problem. Disclosure only came eight months after the theft, when a victim received a call from the Secret Service, discovered someone had purchased a Jaguar in his name, and contacted WISN.

"We were a little tardy in telling customers," Kelly admits. "We should have told them sooner."

In fact, it's common that consumer victims aren't told about a break-in, as companies try to avoid the potential embarrassment and cross their fingers that no crimes will actually be committed with the stolen data. Bank One played that kind of Russian roulette with its customer data and lost. But Bank One is hardly alone.

"Most of these still go unreported and are swept under the carpet," Ponemon said. "God forbid, you lose confidence in your bank or insurance company."


Ponemon said he is currently engaged in a difficult conversation with a client, trying to convince it to come clean with a data leakage. The client is a small insurance company that gave customer information to "an organization developing a marketing database to people who have certain illnesses," Ponemon said. An employee who didn't understand the insurance firm's privacy policies gave away thousands of records, he said. So far, the company is following legal advice not to disclose the leak.

"They think we'll open up a Pandora's box to litigation," Ponemon said. He's still trying to convince the firm to come clean. "Those conversations are very difficult."


And sometimes, even the disclosures victims do receive are hardly complete. Douglas, from American Privacy Consultants, thinks California's warning to state employees was too vague.

A letter sent to employees says someone may have accessed a data center containing payroll information, but adds that "there is no indication the information contained in the database was targeted or will be used for any unlawful purposes."

That leaves employees wondering what really happened, what was really taken, and what to do. Should they close all their bank accounts, or just sit and wait for the bad news? What are the odds that a theft will occur?

"I think the California government has a responsibility to be more forthcoming about what happened, what have they determined from the logs ... so employees can make an educated decision on what to do," Douglas said. "Just making public statements released late on a Friday afternoon doesn't cut it."

State officials say the data breach occurred on April 5, and was discovered during security checks on May 7. Computer logs and intrusion detection software can often indicate what files were taken from a computer and how long an intruder had access, but state officials and investigators haven't revealed how much they know about the intruder in the case.

One state employee who contacted said she was frustrated by the advice she'd heard so far from state officials. She still hadn't received official notice, but was told she'd receive a letter with the paycheck on Thursday.

"Personally, the time lapse and lack of notification is very disturbing," she wrote. "I've been following the recommendations, but until there's something tangible, it seems pointless. Our bank put an alert on our account, they suggested we close the account and open a new one. Groan."


Douglas said the state should go even further than full disclosure: it should fix the problem it created with sloppy security practices. He said he "yelled out loud" when he read that employees are being left to fend for themselves, told to order credit reports at their own expense.

"Doesn't the state have some obligation to do something for these people?" he said. "Their data is compromised ... and then they tell employees 'Here's all the things you should do to protect yourself.' Why don't they contact the credit agencies themselves? The state isn't doing diddlysquat other than to go protect themselves."

Helpless consumers can only hope that ultimately companies and state agencies face some legal obligations when a data breach occurs, said privacy consultant Richard Smith, who operates Mistakes do happen, but in the world of computer security "very small mistakes can have really bad results," he said.

"This gets back to getting a liability system in place," Smith said. "Now the state of California has some bad press. But if it actually turns into identity theft, shouldn't the state have liability?"

Customers who find their credit reports marred by car loans or other illegal financial activity should have recourse against companies that failed to disclose a data breach, he said. "Like Bank One. The fact that they knew and didn't tell customers, that's inexcusable. There ought to be the threat of liability hanging over it."



Last Updated on November 29, 2016 04:03 PM