Protecting Yourself from Identity Theft

Business and Economic Review, Jul-Sep 2005 by Bauknight, Trevor Zion

"There are steps you can take to ensure the security of both your and your customers' identities while still taking full advantage of all the Internet has to offer."

You've probably seen horror stones on the news about identity theft recently, or seen the tongue-in-cheek commercials in which the identity-theft victim talks in the thief's voice about all the things the thief was able to buy and do with the stolen identity. It's a very real problem, and in our technological age, with all our reliance on computers and the Internet, it's getting worse.

Recent weeks have seen startling news stories about identity theft affecting hundreds of thousands of Americans in connection with security breaches involving two of the largest personal data merchants in the industry. The Federal government has begun to look into regulating that industry just as it regulates credit reporting agencies. No amount of regulation will fully protect you, however, because the problem continues to evolve much faster than the response. You must take steps to protect yourself and your business, and keep yourself aware of new developments in this area just as vigilantly as you watch other trends emerging in your field.

What's Going On Here?

Recently, high-level representatives from three of the personal data industry's leading firms, well-known privacy advocates, and representatives of the Federal Trade Commission, the Secret Service, and the FBI were called to testify before a U.S. Senate Judiciary Committee exploring the issue of securing personal electronic data.

Two of the firms, ChoicePoint and Lexis-Nexis, have been in the news in recent weeks because of breakdowns in the human element of their security that protects the massive amounts of personal data they collect about virtually every American.

Unauthorized persons were able, through clever "social engineering" (loosely defined as the art of deceiving trusted persons to reveal the sensitive information they guard), to obtain real ChoicePoint and Lexis-Nexis accounts, which they were then able to use for nefarious purposes. On nearly 100 occasions, identity thieves using legitimate accounts were able to purchase sensitive personal data such as Social Security numbers, driver's license information, addresses, etc., about hundreds of thousands of people across the country.

The problem doesn't begin and end with lax security practices at large data merchants like ChoicePoint, however. They are simply another means to an end for elements of what can only be described as organized crime operating in the shadows of the vast and largely ungovernable Internet. The "information superhighway" that has become such a vital resource for business and academe is rife with scams and con artists. Fortunately, however, there's no need to throw the baby out with the bathwater. There are steps you can take to ensure the security of both your and your customers' identities while still taking full advantage of all the Internet has to offer.

What Should You Do?

From a business perspective, you're faced with this problem on two fronts. The first is that you must work with companies such as data merchants and credit reporting bureaus in order to ensure that your customers are who they say they are. The second is that you must be able to interface with your customers in a way that reassures them that you are engaged in the protection of the personal data they give you.

There are several steps you can take to accomplish both these goals:

* Don't use or depend on a customer's Social security number. It was designed for a single purpose, and the fact that it is now used in ways it was never intended is a big part of the problem of identity theft. The SSN is certainly a unique number that your customers should know, but it is not and should not be treated as an authenticating key or PIN. Once it gets in the hands of the ill-intentioned, it can do great harm that, because of the widespread trust placed in it, can take years to undo. The U.S. government is considering legislation to restrict its use to its intended purpose, and your getting ahead of the game on that issue certainly can't hurt.

* Demand more accountability from the private data brokers and credit reporting agencies. You're paying them for the information they provide, and you should be able to do so with a reasonable expectation that it is accurate and secure. The government is finally waking up to the problems, and securing privately collected personal data is a nonpartisan issue. The government itself relies on much of the same information. (ChoicePoint claims as customers at least 35 Federal government agencies and numerous state and local agencies.) The Small Business Administration (http://www.sba.gov) and the Federal Trade Commission (http://www.ftc.gov) are excellent resources to help you find out what you need to know and who you need to contact with your concerns.

* Establish policies governing interactions dealing with the exchange of personal data with customers and potential customers, and don't waver from them. Be suspicious of requests to do things and provide information differently for people, even if they seem to be the right people, or they know the right jargon or know things that only authorized persons should know. Such manipulation is at the heart of "social engineering" that put hundreds of thousands of ChoicePoint and Lexis-Nexis customers at risk of identity theft.