Privacy Blog April Archive

Letter to the President

By Information at 04/27/07 09:49

ApriL 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President's Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.

The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, ChairmanAttorney General

U.S. Department of Justice logo Deborah Platt Majoras, Co-ChairmanChairman, Federal Trade Commission

United States of America Federal Trade Commission logo

I. Executive Summary

ApriL 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President's Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.

The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, ChairmanAttorney General

U.S. Department of Justice logo Deborah Platt Majoras, Co-ChairmanChairman, Federal Trade Commission

United States of America Federal Trade Commission logo

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

A. Introduction

ApriL 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President's Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.

The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, ChairmanAttorney General

U.S. Department of Justice logo Deborah Platt Majoras, Co-ChairmanChairman, Federal Trade Commission

United States of America Federal Trade Commission logo

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government - from the largest cities with major police departments to the smallest towns with one fraud detective - identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force's recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

B. The Strategy

ApriL 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President's Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.

The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, ChairmanAttorney General

U.S. Department of Justice logo Deborah Platt Majoras, Co-ChairmanChairman, Federal Trade Commission

United States of America Federal Trade Commission logo

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government - from the largest cities with major police departments to the smallest towns with one fraud detective - identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force's recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual's personal information to commit fraud. Identity theft has at least three stages in its "life cycle," and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim's personal information.

Criminals must first gather personal information, either through low-tech methods - such as stealing mail or workplace records, or "dumpster diving" - or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim's personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim's name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation's citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan - from these broad policy changes to the small steps - are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President's Task Force on Identity Theft:

PREVENTION--Keeping Consumer Data Out of the Hands of Criminals

ApriL 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President's Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.

The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, ChairmanAttorney General

U.S. Department of Justice logo Deborah Platt Majoras, Co-ChairmanChairman, Federal Trade Commission

United States of America Federal Trade Commission logo

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government - from the largest cities with major police departments to the smallest towns with one fraud detective - identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force's recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual's personal information to commit fraud. Identity theft has at least three stages in its "life cycle," and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim's personal information.

Criminals must first gather personal information, either through low-tech methods - such as stealing mail or workplace records, or "dumpster diving" - or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim's personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim's name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation's citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan - from these broad policy changes to the small steps - are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President's Task Force on Identity Theft:

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While "perfect security" does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Data Security in Public Sector

ApriL 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President's Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.

The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, ChairmanAttorney General

U.S. Department of Justice logo Deborah Platt Majoras, Co-ChairmanChairman, Federal Trade Commission

United States of America Federal Trade Commission logo

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government - from the largest cities with major police departments to the smallest towns with one fraud detective - identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force's recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual's personal information to commit fraud. Identity theft has at least three stages in its "life cycle," and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim's personal information.

Criminals must first gather personal information, either through low-tech methods - such as stealing mail or workplace records, or "dumpster diving" - or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim's personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim's name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation's citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan - from these broad policy changes to the small steps - are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President's Task Force on Identity Theft:

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While "perfect security" does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

Survey current use of SSNs by federal government

Issue guidance on appropriate use of SSNs

Establish clearinghouse for "best" agency practices that minimize use of SSNs

Work with state and local governments to review use of SSNs * Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance

Develop concrete guidance and best practices

Monitor agency compliance with data security guidance

Protect portable storage and communications devices

Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies

Issue data breach guidance to agencies

Publish a "routine use" allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data

Hold regional seminars for businesses on safeguarding information

Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations

Initiate a Multi-Year Public Awareness Campaign

Develop national awareness campaign

Enlist outreach partners

Increase outreach to traditionally underserved communities

Establish "Protect Your Identity" Days

Develop Online Clearinghouse for Current Educational Resources