ApriL 11, 2007The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.
Dear Mr. President:
By establishing the President's Task Force on Identity Theft by Executive
Order 13402 on May 10, 2006, you launched a new era in the fight against
identity theft. As you recognized, identity theft exacts a heavy financial and
emotional toll from its victims, and it severely burdens our economy. You
called for a coordinated approach among government agencies to vigorously
combat this crime. Your charge to us was to craft a strategic plan aiming
to make the federal government's efforts more effective and efficient in the
areas of identity theft awareness, prevention, detection, and prosecution. To
meet that charge, we examined the tools law enforcement can use to prevent,
investigate, and prosecute identity theft crimes; to recover the proceeds of
these crimes; and to ensure just and effective punishment of identity thieves.
We also surveyed current education efforts by government agencies and
the private sector on how individuals and corporate citizens can protect
personal data. And because government must help reduce, rather than
exacerbate, incidents of identity theft, we worked with many federal agencies
to determine how the government can increase safeguards to better secure the
personal data that it and private businesses hold. Like you, we spoke to many
citizens whose lives have been uprooted by identity theft, and heard their
suggestions on ways to help consumers guard against this crime and lessen the
burdens of their recovery. We conducted meetings, spoke with stakeholders,
and invited public comment on key issues.
The views you expressed in the Executive Order are widely shared. There
is a consensus that identity theft's damage is widespread, that it targets all
demographic groups, that it harms both consumers and businesses, and that
its effects can range far beyond financial harm. We were pleased to learn that
many federal departments and agencies, private businesses, and universities
are trying to create a culture of security, although some have been faster than
others to construct systems to protect personal information.
There is no quick solution to this problem. But, we believe that a coordinated
strategic plan can go a long way toward stemming the injuries caused by
identity theft and, we hope, putting identity thieves out of business. Taken as
a whole, the recommendations that comprise this strategic plan are designed
to strengthen the efforts of federal, state, and local law enforcement officers;
to educate consumers and businesses on deterring, detecting, and defending
against identity theft; to assist law enforcement officers in apprehending and
prosecuting identity thieves; and to increase the safeguards employed by
federal agencies and the private sector with respect to the personal data with
which they are entrusted.
Thank you for the privilege of serving on this Task Force. Our work is
ongoing, but we now have the honor, under the provisions of your Executive
Order, of transmitting the report and recommendations of the President's
Task Force on Identity Theft.
Very truly yours,
Alberto R. Gonzales, ChairmanAttorney General
U.S. Department of Justice logo
Deborah Platt Majoras, Co-ChairmanChairman, Federal Trade Commission
United States of America Federal Trade Commission logo
From Main Street to Wall Street, from the back porch to the front office, from
the kitchen table to the conference room, Americans are talking about identity
theft. The reason: millions of Americans each year suffer the financial and
emotional trauma it causes. This crime takes many forms, but it invariably
leaves victims with the task of repairing the damage to their lives. It is a problem
with no single cause and no single solution.
Eight years ago, Congress enacted the Identity Theft and Assumption
Deterrence Act,1 which created the federal crime of identity theft and
charged the Federal Trade Commission (FTC) with taking complaints from
identity theft victims, sharing these complaints with federal, state, and local
law enforcement, and providing the victims with information to help them
restore their good name. Since then, federal, state, and local agencies have
taken strong action to combat identity theft. The FTC has developed the
Identity Theft Data Clearinghouse into a vital resource for consumers and
law enforcement agencies; the Department of Justice (DOJ) has prosecuted
vigorously a wide range of identity theft schemes under the identity theft
statutes and other laws; the federal financial regulatory agencies2 have
adopted and enforced robust data security standards for entities under their
jurisdiction; Congress passed, and the Department of Homeland Security
issued draft regulations on, the REAL ID Act of 2005; and numerous other
federal agencies, such as the Social Security Administration (SSA), have
educated consumers on avoiding and recovering from identity theft. Many
private sector entities, too, have taken proactive and significant steps to protect
data from identity thieves, educate consumers about how to prevent identity
theft, assist law enforcement in apprehending identity thieves, and assist
identity theft victims who suffer losses.
Over those same eight years, however, the problem of identity theft
has become
more complex and challenging for the general public, the
government, and the private sector. Consumers, overwhelmed with weekly
media reports of data breaches, feel vulnerable and uncertain of how to
protect their identities. At the same time, both the private and public sectors
have had to grapple with difficult, and costly, decisions about investments
in safeguards and what more to do to protect the public. And, at every level
of government - from the largest cities with major police departments to the
smallest towns with one fraud detective - identity theft has placed increasingly
pressing demands on law enforcement.
Public comments helped the Task Force define the issues and challenges
posed by identity theft and develop its strategic responses. To ensure that the
Task Force heard from all stakeholders, it solicited comments from the public.
In addition to consumer advocacy groups, law enforcement, business, and
industry, the Task Force also received comments from identity theft victims
themselves.3 The victims wrote of the burdens and frustrations associated
with their recovery from this crime. Their stories reaffirmed the need for the
government to act quickly to address this problem.
The overwhelming majority of the comments received by the Task Force
strongly affirmed the need for a fully coordinated approach to fighting the
problem through prevention, awareness, enforcement, training, and victim
assistance. Consumers wrote to the Task Force exhorting the public and
private sectors to do a better job of protecting their Social Security numbers
(SSNs), and many of those who submitted comments discussed the challenges
raised by the overuse of Social Security numbers as identifiers. Others,
representing certain business sectors, pointed to the beneficial uses of SSNs
in fraud detection. The Task Force was mindful of both considerations, and
its recommendations seek to strike the appropriate balance in addressing SSN
use. Local law enforcement officers, regardless of where they work, wrote
of the challenges of multi-jurisdictional investigations, and called for greater
coordination and resources to support the investigation and prosecution of
identity thieves. Various business groups described the steps they have taken
to minimize the occurrence and impact of the crime, and many expressed
support for risk-based, national data security and breach notification
requirements.
These communications from the public went a long way toward informing
the Task Force's recommendation for a fully coordinated strategy. Only an
approach that encompasses effective prevention, public awareness and education,
victim assistance, and law enforcement measures, and fully engages
federal, state, and local authorities will be successful in protecting citizens and
private entities from the crime.
Although identity theft is defined in many different ways, it is, fundamentally,
the misuse of another individual's personal information to commit fraud.
Identity theft has at least three stages in its "life cycle," and it must be attacked
at each of those stages:
First, the identity thief attempts to acquire a victim's personal
information.
Criminals must first gather personal information, either through low-tech
methods - such as stealing mail or workplace records, or "dumpster diving"
- or through complex and high-tech frauds, such as hacking and the use
of malicious computer codes. The loss or theft of personal information by
itself, however, does not immediately lead to identity theft. In some cases,
thieves who steal personal items inadvertently steal personal information
that is stored in or with the stolen personal items, yet never make use of the
personal information. It has recently been reported that, during the past year,
the personal records of nearly 73 million people have been lost or stolen, but
that there is no evidence of a surge in identity theft or financial fraud as a
result. Still, because any loss or theft of personal information is troubling and
potentially devastating for the persons involved, a strategy to keep consumer
data out of the hands of criminals is essential.
Second, the thief attempts to misuse the information he has acquired.
In this stage, criminals have acquired the victim's personal information and
now attempt to sell the information or use it themselves. The misuse of stolen
personal information can be classified in the following broad categories:
Existing account fraud: This occurs when thieves obtain account
information involving credit, brokerage, banking, or utility accounts
that are already open. Existing account fraud is typically a less costly,
but more prevalent, form of identity theft. For example, a stolen credit
card may lead to thousands of dollars in fraudulent charges, but the
card generally would not provide the thief with enough information to
establish a false identity. Moreover, most credit card companies, as a
matter of policy, do not hold consumers liable for fraudulent charges,
and federal law caps liability of victims of credit card theft at $50.
New account fraud: Thieves use personal information, such as Social
Security numbers, birth dates, and home addresses, to open new
accounts in the victim's name, make charges indiscriminately, and then
disappear. While this type of identity theft is less likely to occur, it
imposes much greater costs and hardships on victims.
In addition, identity thieves sometimes use stolen personal information to
obtain government, medical, or other benefits to which the criminal is not
entitled.
Third, an identity thief has completed his crime and is enjoying the
benefits, while the victim is realizing the harm.
At this point in the life cycle of the theft, victims are first learning of the
crime, often after being denied credit or employment, or being contacted by a
debt collector seeking payment for a debt the victim did not incur.
In light of the complexity of the problem at each of the stages of this life
cycle, the Identity Theft Task Force is recommending a plan that marshals
government resources to crack down on the criminals who traffic in stolen
identities, strengthens efforts to protect the personal information of our
nation's citizens, helps law enforcement officials investigate and prosecute
identity thieves, helps educate consumers and businesses about protecting
themselves, and increases the safeguards on personal data entrusted to federal
agencies and private entities.
The Plan focuses on improvements in four key areas:
- keeping sensitive consumer data out of the hands of identity thieves
through better data security and more accessible education;
- making it more difficult for identity thieves who obtain consumer data to
use it to steal identities;
- assisting the victims of identity theft in recovering from the crime; and
- deterring identity theft by more aggressive prosecution and punishment
of those who commit the crime.
In these four areas, the Task Force makes a number of recommendations
summarized in greater detail below. Among those recommendations are the
following broad policy changes:
- that federal agencies should reduce the unnecessary use of Social
Security numbers (SSNs), the most valuable commodity for an identity
thief;
- that national standards should be established to require private sector
entities to safeguard the personal data they compile and maintain and
to provide notice to consumers when a breach occurs that poses a
significant risk of identity theft;
- that federal agencies should implement a broad, sustained awareness
campaign to educate consumers, the private sector, and the public sector
on deterring, detecting, and defending against identity theft; and
- that a National Identity Theft Law Enforcement Center should be
created to allow law enforcement agencies to coordinate their efforts
and information more efficiently, and investigate and prosecute identity
thieves more effectively.
The Task Force believes that all of the recommendations in this strategic
plan - from these broad policy changes to the small steps - are necessary to
wage a more effective fight against identity theft and reduce its incidence and
damage. Some recommendations can be implemented relatively quickly;
others will take time and the sustained cooperation of government entities
and the private sector. Following are the recommendations of the President's
Task Force on Identity Theft:
Identity theft depends on access to consumer data. Reducing the opportunities
for thieves to get the data is critical to fighting the crime. Government,
the business community, and consumers have roles to play in protecting data.
Data compromises can expose consumers to the threat of identity theft or
related fraud, damage the reputation of the entity that experienced the breach,
and carry financial costs for everyone involved. While "perfect security" does
not exist, all entities that collect and maintain sensitive consumer information
must take reasonable and appropriate steps to protect it.
