Identity Theft

1
Identity Theft

• Carol Romej
• May 24, 2005
• Butzel Long

2
How ID Theft Occurs

• Employees steal your ID information from the
  files of their Employers
• Bribing Employees who have access to ID
  information
• Dumpster Diving
• Skimming
• Stealing mail (change of address)
• Steal ID information from your home

3
What Happens?

• Spending sprees with your current credit cards
• Spending sprees with new credit cards opened with
  your ID
• Establish new loans with your ID, or cell service
• Open a bank account with your ID and write bad
  checks on the account

4
The Identity Theft Protection Act

• Effective March 1, 2005
• Prohibitions on the use of Personal Identifying
  Information
• PII name, phone no.,driver license no., social
  security no., passport no., mothers maiden
  name.
• Prohibits using or attempting to use PII for
  credit, goods, services, employment

5
SSN Privacy Act

• An act to establish the Social Security Number
  Privacy Act in the state of Michigan.
• Effective March 1, 2005
• Restricts use of SSN for
• - Employees
• - Students
• - Other Individuals

6
The Identity Theft Resource Center

• ITRC Nonprofit program dedicated to identity
  theft
• Supports and advises victims, legislators,
  governmental agencies and law enforcement
• www.idtheftcenter.org
• 2004 Crime Victims Service Award from the US Dept
  of Justice

7
The Organization Responsibilities

• Information Acquisition
• Storage
• Access
• Disposal
• Distribution
• Personnel

8
Federal Trade Commission

• SPAM
• ID THEFT
• Pretexting
• Credit Reporting
• Gramm Leach Bliley
• Privacy

9
Online Consumers FTC Enforcement

• Privacy Statements
• Terms of Use

10
Petco Animal Supplies,Inc.

• Privacy Statement At PETCO.COM our customers
  data is strictly protected against any
  unauthorized access. PETCO.COM also provides a
  100 Safeguard Your Shopping Experience
  Guarantee so you never have to worry about the
  safety of your credit card information.

11
PETCO.COM

• Payment statements Entering your credit card
  number via our secure server is completely safe.
  The server encrypts all of your information no
  one except you can access it. At PETCO.COM,
  protecting your information is our number one
  priority, and your personal data is strictly
  shielded from unauthorized access.

12
SQL Injection Attack

• Such an attack occurs when an attacker enters
  certain characters in the address (or URL) bar of
  a standard web browser to direct an application
  to obtain information from a database that
  supports or connects to a website. By such an
  attack, respondents application can be accessed
  in clear readable text.

13
FTC A failure to implement reasonable and
appropriate measures to protect personal
information

• Failed to detect reasonably foreseeable
  application vulnerabilities
• Failed to prevent web site visitors from
  exploiting such vulnerabilities and obtaining
  unauthorized access to sensitive consumer
  information.

14
Violation of Sec. 5(a) FTC

• The representation in the Privacy Statement was
  false and misleading Personal data was NOT
  encrypted
• The representation, expressly or by implication,
  represented that Petco implemented reasonable and
  appropriate measures to protect against
  unauthorized access to personal consumer
  information
• Petcos website has been vulnerable to commonly
  known or reasonably foreseeable attacks from
  third parties attempting to gain access

15
FTC Order

• Petco shall not misrepresent in any manner,
  expressly or by implication, the extent to which
  respondent maintains and protects the privacy,
  confidentiality, security, or integrity of any
  personal information collected from or about
  consumers.

16
FTC Order

• Petco shall maintain a comprehensive information
  security program that is reasonably designed to
  protect the security, confidentiality, and
  integrity of personal information collected from
  or about consumers.

17
Security Program

• Documented in Writing
• Address Administrative, Technical and Physical
  Safeguards
• Designate an Employee to be Accountable for the
  Security Program
• Implement a Risk Assessment

18
Assessment

• By objective independent third party
• Who reports on the specific administrative,
  technical and physical safeguards that Petco has
  implemented, and how they meet or exceed this
  order
• Third party shall be prepared by a qualified
  person CISSP, or CISA, GIAC, or such person
  approved by the FTC

19
HIPAA The Privacy Rule
20
Covered Entities

• Health Care Providers
• Doctors
• Clinics
• Hospitals
• Health Care Clearinghouses

21
Covered Entities

• Health Plans
• HMOs
• Insurance Companies
• Employer-sponsored group health plans

22
Types of Group Health Plans

• Medical
• Dental
• Vision
• Prescription Drug
• FSAs
• EAPs that provide health care

23
Protected Health Information

• PHI is information that is individually
  identifiable transmitted or maintained in any
  form or medium and relates to past, present, or
  future, physical or mental condition, provision
  of health care, or payment for health care

24
Penalties

• Civil 100 per violation, up to 25,000 per
  standard per year
• Criminal Fines up to 250,000 and 10 years
  imprisonment

25
Identity Theft Case

• Medical Technician at Seattle Cancer Care
  Alliance used his access to patient records
  (name, date of birth, social security) to obtain
  four credit cards in their names

26
DOJ HIPAA Violation

• R. Gibson The First Person in the U.S. to be
  sentenced for the wrongful disclosure of PHI
  under HIPAAs Privacy Rule

27
Organization Exposure

• The Privacy Rules enforcement provision has been
  expanded TAKE NOTE!
• An extension to Employees could also include
  Business Associates in the future
• Exposure to the Covered Entity could increase if
  the CE knew or should have known of the improper
  acts

28
Resources and References

• www.consumer.gov/idtheft
• 1-877-IDTHEFT
• File No. 0323221, Petco
• www.idtheftcenter.org
• www.hhs.gov/ocr/hipaa

29
Identity Theft

• Carol Romej
• May 24, 2005
• Butzel Long