Recommendations Come in Advance of Final Report Set for November
WASHINGTON – The President’s Identity Theft Task Force has adopted interim recommendations on measures that can be implemented immediately to help address the problem of identity theft, Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras announced today. The Identity Theft Task Force, which was established by Executive Order of the President on May 10, 2006, and is now comprised of 17 federal agencies and departments, will deliver a final strategic plan to the President in November.
The interim recommendations of the Identity Theft Task Force were announced following a meeting of the Task Force today at the Justice Department.
“As with any crime, victims of identity theft suffer feelings of violation and stress, but in these cases, victims have the added burden of cleaning up the mess that the identity thieves leave behind,” said Attorney General Gonzales. “The President created the Identity Theft Task Force to oversee the implementation of real and practical solutions at the federal level to defeat this ongoing intrusion into the lives of law-abiding Americans. Today’s recommendations move that process forward.”
“Conquering identity theft demands that we work as a team to develop tools that strengthen law enforcement, practices that enhance data security, and programs that help consumers in prevention and recovery,” said FTC Chairman Majoras. “Through these initiatives, we are taking solid steps toward eradicating this persistent consumer problem.”
The Identity Theft Task Force’s interim recommendations to the Administration include the following:
Data Breach Guidance to Agencies: In light of several, large data breaches suffered in recent months by government agencies, the Task Force recommends that the Office of Management and Budget (OMB) issue to all federal agencies a Task Force memorandum, which covers the factors that should govern whether and how to give notice to affected individuals in the event of a government agency data breach, and the factors that should be considered in deciding whether to offer services such as free credit monitoring. Such guidance is the first comprehensive road map of the steps that agencies should take to respond to a breach and to mitigate the risk of identity theft.
Development of Universal Police Report for Identity Theft Victims: To ensure that identity theft victims have easy access to police reports documenting the misuse of their personal information – which are necessary in order for the victims to, for example, request that fraudulent information on their credit report be blocked, or to obtain a seven-year fraud alert on their credit file – the Task Force recommends the development of a “universal police report” that an identity theft victim can complete online, print and take to a local law enforcement agency for verification and incorporation into the police department’s report system. The use of universal police reports will also ensure that identity theft complaints will flow into the FTC's ID Theft Data Clearinghouse, and thereby will assist law enforcement officers in responding to such complaints.
Extending Restitution for Victims of Identity Theft: To allow identity theft victims to recover for the value of the time that they spend attempting to make themselves whole – for example, the hours spent disputing fraudulent accounts with creditors that may be compromised or spent correcting credit reports – the Task Force recommends that Congress amend the criminal restitution statutes, 18 U.S.C. 3663(b) and 3663A(b), to require that defendants pay identity theft victims for the value of their lost time.
Reducing Access of Identity Thieves to Social Security Numbers: In order to limit the unnecessary use in the public sector of Social Security Numbers (SSNs) – which are the most valuable pieces of consumer information for identity thieves – the Task Force recommends the following:
- The Office of Personnel Management (OPM) should accelerate its review of the use of SSNs, and take steps to eliminate, restrict or conceal their use, including assignment of employee identification numbers where practicable.
- OPM should develop and issue policy guidance to the federal human capital management community on the appropriate and inappropriate use of an employee's SSN in employee records, including the appropriate way to restrict, conceal and/or mask SSNs in employee records and human resource management information systems.
- OMB should require all federal agencies to review their use of SSNs to determine where such use can be eliminated, restricted or concealed in agency business processes, systems and paper and electronic forms.
Developing Alternative Methods of “Authenticating” Identities: Developing reliable methods of authenticating the identities of individuals, such as “biometrics,” would make it more difficult for identity thieves to misuse existing accounts or open new accounts using other individuals’ information. The Task Force recommends that agencies gather together academics, industry experts and entrepreneurs who are exploring ways to encourage greater development and use of authentication systems, and hold a workshop or workshops focused on developing and promoting improved means of authenticating the identities of individuals.
Improving Data Security in the Government: To ensure that government agencies improve their data security programs, the Task Force recommends that OMB and the Department of Homeland Security (DHS), through the interagency effort already underway to identify ways to strengthen the ability of all agencies to identify and defend against threats, correct vulnerabilities, and manage risks: (a) outline best practices in the areas of automated tools, training, processes, and standards that would enable agencies to improve their security and privacy programs, and (b) develop a list of the top 10 or 20 “mistakes” to avoid in order to protect government information.
Improving Agencies’ Ability to Respond to Data Breaches in the Government: In order to allow agencies to quickly respond to any data breaches, including by sharing information about those who may be affected with other agencies and entities that can assist in the response to the breach, all federal agencies should publish a “routine use” for their systems of records under the Privacy Act that would allow for the disclosure of such information in the course of responding to a breach of federal data.
Anyone wishing to ask a question about identity theft or to report identity theft may call 1-877-ID-THEFT, or visit the FTC’s Web site, http://www.ftc.gov/idtheft, or the Department of Justice’s Web site, http://www.usdoj.gov/criminal/fraud/idtheft.html.