New Federal Legislation Would Top List of Major Events Shaping America's Response to Identity Theft Threats

Business Wire, Oct 24, 2007

Data protection and identity theft response leader Kroll's Fraud Solutions highlights five events that put America's fastest-growing crime on the map

NASHVILLE, Tenn. -- This summer, the House Ways and Means Committee unanimously approved a bill that could drastically affect the national incidence of identity theft by eliminating the use of Social Security numbers - a key identifier - by businesses and government entities. Third-party groups such as AARP and the U.S. Public Interest Research Group are among the bill's top supporters, advocating that until organizations make it more difficult for identity thieves to get the authentication they need to commit their crimes, potential victims will never be safe.

National identity theft expert, Brian Lapidus, senior vice president of Kroll's Fraud Solutions, agrees that, if passed, this legislation would have a lasting impact on the future of identity theft.

"Social Security numbers are the most desirable elements of sensitive personal data," says Mr. Lapidus, whose team of licensed investigators currently serves more than 10,000 businesses and millions of individuals dealing with data breaches and issues of identity theft. "As such, we caution our business clients to minimize their use as personal identifiers to better safeguard themselves and their customers in the event of an attack. Rather than wait for new legislation, organizations should be proactive about guarding against huge financial, market and reputational losses by changing their practices now."

Below, Mr. Lapidus outlines the top five events to date that have paved the way for this legislation and, more importantly, changed the way consumers and businesses alike think about identity theft.

1. January 2007 - TJX Announces Major Data Breach, Reportedly Largest On Record: Earlier this year, TJX Companies, Inc. - parent to such retailers as T.J. Maxx, Marshalls and HomeGoods - announced that hackers had stolen more than 45.7 million consumer credit and debit card numbers from its IT systems over a period of 18 months. Another 455,000 customers who had returned merchandise without receipts had their data stolen as well, including driver's license numbers. The magnitude of the breach - thought to be the largest in corporate history - continues to draw significant national attention to the topic of data security, specifically how data breaches should be handled and where the onus lies in terms of victim support and restitution. In response to growing concerns, Minnesota recently passed the Plastic Card Security Act that prevents retailers from storing customer credit information and holds them financially liable if that information is breached. Similar legislation is being considered in a number of other states, including California. Nearly 11 months after the breach was announced, experts are estimating total costs to the company at $256 million. But, with an investigation by the FTC and many class action lawsuits still pending, the total is expected to rise.

2. May/August 2006 - U.S. Department of Veterans Affairs Announces Two Data Breaches Affecting 26.5 Million Veterans and their Families: In two separate incidents, laptops containing the personal information (i.e., Social Security numbers, dates of birth, etc.) of 26.5 million veterans and their families were stolen from the U.S. Department of Veterans Affairs. Though the missing laptops were soon recovered and an examination of the files suggested they were never accessed, the magnitude of the breach - the third largest on record and the largest breach of Social Security numbers - combined with the national attention it generated make it the most influential data breach on record.

3. 2005 - The Year of the Breach Notification Bandwagon: In 2002, California was the only state to introduce legislation requiring companies and/or state agencies to disclose consumer security breaches involving personal information. The law, enacted in 2003, was the primary reason why the ChoicePoint security breach (see below) became a matter of public record. However, it was in 2005 that the domino effect of data breach notification laws raced through state legislatures, with at least 25 states introducing breach notification laws in that year alone. Today, 39 states have enacted such legislation - the most recent being Massachusetts and Oregon in the summer of 2007 - causing businesses and government entities to put a greater emphasis on the protection of consumer data. The legislation also gives more power to consumers, who are now equipped with increased rights and the knowledge necessary to protect themselves and their identities.

4. February 2005 - ChoicePoint Announces Breach Affecting 163,000: In late 2004, ChoicePoint discovered that identity thieves had stolen the personal information of 163,000 consumers nationwide. Initially, the company only intended to notify the 35,000 California consumers affected, as required by the state notification law (the first of its kind at the time). Eventually, under greater public scrutiny, ChoicePoint was forced to notify the remaining 128,000 victims. In January 2006, after two years of negotiations, ChoicePoint came to a $15 million agreement with the Federal Trade Commission (FTC) to settle legal disputes related to the incident. The $10 million civil fine included in the sum remains the largest in FTC history. The reputational costs of the breach have never been calculated.

 


Content provided in partnership with Thompson Gale