Privacy Blog April Archive

Prosecution Approaches and Initiatives

By Information at 04/27/07 09:49

ApriL 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President's Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.

The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, ChairmanAttorney General

U.S. Department of Justice logo Deborah Platt Majoras, Co-ChairmanChairman, Federal Trade Commission

United States of America Federal Trade Commission logo

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government - from the largest cities with major police departments to the smallest towns with one fraud detective - identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force's recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual's personal information to commit fraud. Identity theft has at least three stages in its "life cycle," and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim's personal information.

Criminals must first gather personal information, either through low-tech methods - such as stealing mail or workplace records, or "dumpster diving" - or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim's personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim's name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation's citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan - from these broad policy changes to the small steps - are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President's Task Force on Identity Theft:

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While "perfect security" does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

Survey current use of SSNs by federal government

Issue guidance on appropriate use of SSNs

Establish clearinghouse for "best" agency practices that minimize use of SSNs

Work with state and local governments to review use of SSNs * Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance

Develop concrete guidance and best practices

Monitor agency compliance with data security guidance

Protect portable storage and communications devices

Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies

Issue data breach guidance to agencies

Publish a "routine use" allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data

Hold regional seminars for businesses on safeguarding information

Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations

Initiate a Multi-Year Public Awareness Campaign

Develop national awareness campaign

Enlist outreach partners

Increase outreach to traditionally underserved communities

Establish "Protect Your Identity" Days

Develop Online Clearinghouse for Current Educational Resources

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim's name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person's identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: Identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses - for example, multi-factor authentication or layered security - would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication

Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity

Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs

Identity theft can be committed despite a consumer's best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.

Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims

Train law enforcement officers

Provide educational materials for first responders that can be used as a reference guide for identity theft victims

Create and distribute an ID Theft Victim Statement of Rights

Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims

Conduct assessment of FACT Act remedies under FCRA

Conduct assessment of state credit freeze laws

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector

Enhance ability of law enforcement to receive information from financial institutions

Initiate discussions with financial services industry on countermeasures to identity theft

Initiate discussions with credit reporting agencies on preventing identity theft

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government's Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist, Train, and Support Foreign Law Enforcement

Increase Prosecutions of Identity Theft

Designate an identity theft coordinator for each United States Attorney's Office to design a specific identity theft program for each district

Evaluate monetary thresholds for prosecution

Encourage state prosecution of identity theft

Create working groups and task forces

Conduct Targeted Enforcement Initiatives

Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale

Conduct enforcement initiatives focused on identity theft related to the health care system

Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs

Gaps in Statutes Criminalizing Identity Theft

ApriL 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President's Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.

The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, ChairmanAttorney General

U.S. Department of Justice logo Deborah Platt Majoras, Co-ChairmanChairman, Federal Trade Commission

United States of America Federal Trade Commission logo

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government - from the largest cities with major police departments to the smallest towns with one fraud detective - identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force's recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual's personal information to commit fraud. Identity theft has at least three stages in its "life cycle," and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim's personal information.

Criminals must first gather personal information, either through low-tech methods - such as stealing mail or workplace records, or "dumpster diving" - or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim's personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim's name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation's citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan - from these broad policy changes to the small steps - are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President's Task Force on Identity Theft:

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While "perfect security" does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

Survey current use of SSNs by federal government

Issue guidance on appropriate use of SSNs

Establish clearinghouse for "best" agency practices that minimize use of SSNs

Work with state and local governments to review use of SSNs * Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance

Develop concrete guidance and best practices

Monitor agency compliance with data security guidance

Protect portable storage and communications devices

Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies

Issue data breach guidance to agencies

Publish a "routine use" allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data

Hold regional seminars for businesses on safeguarding information

Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations

Initiate a Multi-Year Public Awareness Campaign

Develop national awareness campaign

Enlist outreach partners

Increase outreach to traditionally underserved communities

Establish "Protect Your Identity" Days

Develop Online Clearinghouse for Current Educational Resources

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim's name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person's identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: Identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses - for example, multi-factor authentication or layered security - would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication

Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity

Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs

Identity theft can be committed despite a consumer's best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.

Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims

Train law enforcement officers

Provide educational materials for first responders that can be used as a reference guide for identity theft victims

Create and distribute an ID Theft Victim Statement of Rights

Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims

Conduct assessment of FACT Act remedies under FCRA

Conduct assessment of state credit freeze laws

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector

Enhance ability of law enforcement to receive information from financial institutions

Initiate discussions with financial services industry on countermeasures to identity theft

Initiate discussions with credit reporting agencies on preventing identity theft

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government's Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist, Train, and Support Foreign Law Enforcement

Increase Prosecutions of Identity Theft

Designate an identity theft coordinator for each United States Attorney's Office to design a specific identity theft program for each district

Evaluate monetary thresholds for prosecution

Encourage state prosecution of identity theft

Create working groups and task forces

Conduct Targeted Enforcement Initiatives

Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale

Conduct enforcement initiatives focused on identity theft related to the health care system

Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs

Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes

Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted

Add new crimes to the list of predicate offenses for aggravated identity theft offenses

Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications

Penalize creators and distributors of malicious spyware and keyloggers

Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief's Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Law Enforcement Training

ApriL 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President's Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.

The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, ChairmanAttorney General

U.S. Department of Justice logo Deborah Platt Majoras, Co-ChairmanChairman, Federal Trade Commission

United States of America Federal Trade Commission logo

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government - from the largest cities with major police departments to the smallest towns with one fraud detective - identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force's recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual's personal information to commit fraud. Identity theft has at least three stages in its "life cycle," and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim's personal information.

Criminals must first gather personal information, either through low-tech methods - such as stealing mail or workplace records, or "dumpster diving" - or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim's personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim's name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation's citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan - from these broad policy changes to the small steps - are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President's Task Force on Identity Theft:

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While "perfect security" does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

Survey current use of SSNs by federal government

Issue guidance on appropriate use of SSNs

Establish clearinghouse for "best" agency practices that minimize use of SSNs

Work with state and local governments to review use of SSNs * Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance

Develop concrete guidance and best practices

Monitor agency compliance with data security guidance

Protect portable storage and communications devices

Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies

Issue data breach guidance to agencies

Publish a "routine use" allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data

Hold regional seminars for businesses on safeguarding information

Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations

Initiate a Multi-Year Public Awareness Campaign

Develop national awareness campaign

Enlist outreach partners

Increase outreach to traditionally underserved communities

Establish "Protect Your Identity" Days

Develop Online Clearinghouse for Current Educational Resources

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim's name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person's identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: Identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses - for example, multi-factor authentication or layered security - would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication

Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity

Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs

Identity theft can be committed despite a consumer's best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.

Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims

Train law enforcement officers

Provide educational materials for first responders that can be used as a reference guide for identity theft victims

Create and distribute an ID Theft Victim Statement of Rights

Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims

Conduct assessment of FACT Act remedies under FCRA

Conduct assessment of state credit freeze laws

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector

Enhance ability of law enforcement to receive information from financial institutions

Initiate discussions with financial services industry on countermeasures to identity theft

Initiate discussions with credit reporting agencies on preventing identity theft

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government's Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist, Train, and Support Foreign Law Enforcement

Increase Prosecutions of Identity Theft

Designate an identity theft coordinator for each United States Attorney's Office to design a specific identity theft program for each district

Evaluate monetary thresholds for prosecution

Encourage state prosecution of identity theft

Create working groups and task forces

Conduct Targeted Enforcement Initiatives

Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale

Conduct enforcement initiatives focused on identity theft related to the health care system

Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs

Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes

Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted

Add new crimes to the list of predicate offenses for aggravated identity theft offenses

Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications

Penalize creators and distributors of malicious spyware and keyloggers

Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief's Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Enhance Training for Law Enforcement Officers and Prosecutors

Develop course at National Advocacy Center focused on investigation and prosecution of identity theft

Increase number of regional identity theft seminars

Increase resources for law enforcement on the Internet

Review curricula to enhance basic and advanced training on identity theft

Measuring the Success of Law Enforcement

ApriL 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President's Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.

The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, ChairmanAttorney General

U.S. Department of Justice logo Deborah Platt Majoras, Co-ChairmanChairman, Federal Trade Commission

United States of America Federal Trade Commission logo

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government - from the largest cities with major police departments to the smallest towns with one fraud detective - identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force's recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual's personal information to commit fraud. Identity theft has at least three stages in its "life cycle," and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim's personal information.

Criminals must first gather personal information, either through low-tech methods - such as stealing mail or workplace records, or "dumpster diving" - or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim's personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim's name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation's citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan - from these broad policy changes to the small steps - are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President's Task Force on Identity Theft:

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While "perfect security" does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

Survey current use of SSNs by federal government

Issue guidance on appropriate use of SSNs

Establish clearinghouse for "best" agency practices that minimize use of SSNs

Work with state and local governments to review use of SSNs * Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance

Develop concrete guidance and best practices

Monitor agency compliance with data security guidance

Protect portable storage and communications devices

Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies

Issue data breach guidance to agencies

Publish a "routine use" allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data

Hold regional seminars for businesses on safeguarding information

Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations

Initiate a Multi-Year Public Awareness Campaign

Develop national awareness campaign

Enlist outreach partners

Increase outreach to traditionally underserved communities

Establish "Protect Your Identity" Days

Develop Online Clearinghouse for Current Educational Resources

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim's name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person's identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: Identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses - for example, multi-factor authentication or layered security - would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication

Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity

Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs

Identity theft can be committed despite a consumer's best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.

Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims

Train law enforcement officers

Provide educational materials for first responders that can be used as a reference guide for identity theft victims

Create and distribute an ID Theft Victim Statement of Rights

Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims

Conduct assessment of FACT Act remedies under FCRA

Conduct assessment of state credit freeze laws

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector

Enhance ability of law enforcement to receive information from financial institutions

Initiate discussions with financial services industry on countermeasures to identity theft

Initiate discussions with credit reporting agencies on preventing identity theft

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government's Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist, Train, and Support Foreign Law Enforcement

Increase Prosecutions of Identity Theft

Designate an identity theft coordinator for each United States Attorney's Office to design a specific identity theft program for each district

Evaluate monetary thresholds for prosecution

Encourage state prosecution of identity theft

Create working groups and task forces

Conduct Targeted Enforcement Initiatives

Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale

Conduct enforcement initiatives focused on identity theft related to the health care system

Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs

Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes

Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted

Add new crimes to the list of predicate offenses for aggravated identity theft offenses

Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications

Penalize creators and distributors of malicious spyware and keyloggers

Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief's Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Enhance Training for Law Enforcement Officers and Prosecutors

Develop course at National Advocacy Center focused on investigation and prosecution of identity theft

Increase number of regional identity theft seminars

Increase resources for law enforcement on the Internet

Review curricula to enhance basic and advanced training on identity theft

Enhance the Gathering of Statistical Data Impacting the Criminal Justice System's Response to Identity Theft

Gather and analyze statistically reliable data from identity theft victims

Expand scope of national crime victimization survey

Review U.S. Sentencing Commission data

Track prosecutions of identity theft and resources spent

Conduct targeted surveys

II. The Contours of the Identity Theft Problem

ApriL 11, 2007

The Honorable George W. Bush, President of the United States, The White House, Washington, D.C.

Dear Mr. President:

By establishing the President's Task Force on Identity Theft by Executive Order 13402 on May 10, 2006, you launched a new era in the fight against identity theft. As you recognized, identity theft exacts a heavy financial and emotional toll from its victims, and it severely burdens our economy. You called for a coordinated approach among government agencies to vigorously combat this crime. Your charge to us was to craft a strategic plan aiming to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution. To meet that charge, we examined the tools law enforcement can use to prevent, investigate, and prosecute identity theft crimes; to recover the proceeds of these crimes; and to ensure just and effective punishment of identity thieves. We also surveyed current education efforts by government agencies and the private sector on how individuals and corporate citizens can protect personal data. And because government must help reduce, rather than exacerbate, incidents of identity theft, we worked with many federal agencies to determine how the government can increase safeguards to better secure the personal data that it and private businesses hold. Like you, we spoke to many citizens whose lives have been uprooted by identity theft, and heard their suggestions on ways to help consumers guard against this crime and lessen the burdens of their recovery. We conducted meetings, spoke with stakeholders, and invited public comment on key issues.

The views you expressed in the Executive Order are widely shared. There is a consensus that identity theft's damage is widespread, that it targets all demographic groups, that it harms both consumers and businesses, and that its effects can range far beyond financial harm. We were pleased to learn that many federal departments and agencies, private businesses, and universities are trying to create a culture of security, although some have been faster than others to construct systems to protect personal information.

There is no quick solution to this problem. But, we believe that a coordinated strategic plan can go a long way toward stemming the injuries caused by identity theft and, we hope, putting identity thieves out of business. Taken as a whole, the recommendations that comprise this strategic plan are designed to strengthen the efforts of federal, state, and local law enforcement officers; to educate consumers and businesses on deterring, detecting, and defending against identity theft; to assist law enforcement officers in apprehending and prosecuting identity thieves; and to increase the safeguards employed by federal agencies and the private sector with respect to the personal data with which they are entrusted.

Thank you for the privilege of serving on this Task Force. Our work is ongoing, but we now have the honor, under the provisions of your Executive Order, of transmitting the report and recommendations of the President's Task Force on Identity Theft.

Very truly yours,

Alberto R. Gonzales, ChairmanAttorney General

U.S. Department of Justice logo Deborah Platt Majoras, Co-ChairmanChairman, Federal Trade Commission

United States of America Federal Trade Commission logo

From Main Street to Wall Street, from the back porch to the front office, from the kitchen table to the conference room, Americans are talking about identity theft. The reason: millions of Americans each year suffer the financial and emotional trauma it causes. This crime takes many forms, but it invariably leaves victims with the task of repairing the damage to their lives. It is a problem with no single cause and no single solution.

Eight years ago, Congress enacted the Identity Theft and Assumption Deterrence Act,1 which created the federal crime of identity theft and charged the Federal Trade Commission (FTC) with taking complaints from identity theft victims, sharing these complaints with federal, state, and local law enforcement, and providing the victims with information to help them restore their good name. Since then, federal, state, and local agencies have taken strong action to combat identity theft. The FTC has developed the Identity Theft Data Clearinghouse into a vital resource for consumers and law enforcement agencies; the Department of Justice (DOJ) has prosecuted vigorously a wide range of identity theft schemes under the identity theft statutes and other laws; the federal financial regulatory agencies2 have adopted and enforced robust data security standards for entities under their jurisdiction; Congress passed, and the Department of Homeland Security issued draft regulations on, the REAL ID Act of 2005; and numerous other federal agencies, such as the Social Security Administration (SSA), have educated consumers on avoiding and recovering from identity theft. Many private sector entities, too, have taken proactive and significant steps to protect data from identity thieves, educate consumers about how to prevent identity theft, assist law enforcement in apprehending identity thieves, and assist identity theft victims who suffer losses.

Over those same eight years, however, the problem of identity theft has become more complex and challenging for the general public, the government, and the private sector. Consumers, overwhelmed with weekly media reports of data breaches, feel vulnerable and uncertain of how to protect their identities. At the same time, both the private and public sectors have had to grapple with difficult, and costly, decisions about investments in safeguards and what more to do to protect the public. And, at every level of government - from the largest cities with major police departments to the smallest towns with one fraud detective - identity theft has placed increasingly pressing demands on law enforcement.

Public comments helped the Task Force define the issues and challenges posed by identity theft and develop its strategic responses. To ensure that the Task Force heard from all stakeholders, it solicited comments from the public.

In addition to consumer advocacy groups, law enforcement, business, and industry, the Task Force also received comments from identity theft victims themselves.3 The victims wrote of the burdens and frustrations associated with their recovery from this crime. Their stories reaffirmed the need for the government to act quickly to address this problem.

The overwhelming majority of the comments received by the Task Force strongly affirmed the need for a fully coordinated approach to fighting the problem through prevention, awareness, enforcement, training, and victim assistance. Consumers wrote to the Task Force exhorting the public and private sectors to do a better job of protecting their Social Security numbers (SSNs), and many of those who submitted comments discussed the challenges raised by the overuse of Social Security numbers as identifiers. Others, representing certain business sectors, pointed to the beneficial uses of SSNs in fraud detection. The Task Force was mindful of both considerations, and its recommendations seek to strike the appropriate balance in addressing SSN use. Local law enforcement officers, regardless of where they work, wrote of the challenges of multi-jurisdictional investigations, and called for greater coordination and resources to support the investigation and prosecution of identity thieves. Various business groups described the steps they have taken to minimize the occurrence and impact of the crime, and many expressed support for risk-based, national data security and breach notification requirements.

These communications from the public went a long way toward informing the Task Force's recommendation for a fully coordinated strategy. Only an approach that encompasses effective prevention, public awareness and education, victim assistance, and law enforcement measures, and fully engages federal, state, and local authorities will be successful in protecting citizens and private entities from the crime.

Although identity theft is defined in many different ways, it is, fundamentally, the misuse of another individual's personal information to commit fraud. Identity theft has at least three stages in its "life cycle," and it must be attacked at each of those stages:

First, the identity thief attempts to acquire a victim's personal information.

Criminals must first gather personal information, either through low-tech methods - such as stealing mail or workplace records, or "dumpster diving" - or through complex and high-tech frauds, such as hacking and the use of malicious computer codes. The loss or theft of personal information by itself, however, does not immediately lead to identity theft. In some cases, thieves who steal personal items inadvertently steal personal information that is stored in or with the stolen personal items, yet never make use of the personal information. It has recently been reported that, during the past year, the personal records of nearly 73 million people have been lost or stolen, but that there is no evidence of a surge in identity theft or financial fraud as a result. Still, because any loss or theft of personal information is troubling and potentially devastating for the persons involved, a strategy to keep consumer data out of the hands of criminals is essential.

Second, the thief attempts to misuse the information he has acquired.

In this stage, criminals have acquired the victim's personal information and now attempt to sell the information or use it themselves. The misuse of stolen personal information can be classified in the following broad categories:

Existing account fraud: This occurs when thieves obtain account information involving credit, brokerage, banking, or utility accounts that are already open. Existing account fraud is typically a less costly, but more prevalent, form of identity theft. For example, a stolen credit card may lead to thousands of dollars in fraudulent charges, but the card generally would not provide the thief with enough information to establish a false identity. Moreover, most credit card companies, as a matter of policy, do not hold consumers liable for fraudulent charges, and federal law caps liability of victims of credit card theft at $50.

New account fraud: Thieves use personal information, such as Social Security numbers, birth dates, and home addresses, to open new accounts in the victim's name, make charges indiscriminately, and then disappear. While this type of identity theft is less likely to occur, it imposes much greater costs and hardships on victims.

In addition, identity thieves sometimes use stolen personal information to obtain government, medical, or other benefits to which the criminal is not entitled.

Third, an identity thief has completed his crime and is enjoying the benefits, while the victim is realizing the harm.

At this point in the life cycle of the theft, victims are first learning of the crime, often after being denied credit or employment, or being contacted by a debt collector seeking payment for a debt the victim did not incur.

In light of the complexity of the problem at each of the stages of this life cycle, the Identity Theft Task Force is recommending a plan that marshals government resources to crack down on the criminals who traffic in stolen identities, strengthens efforts to protect the personal information of our nation's citizens, helps law enforcement officials investigate and prosecute identity thieves, helps educate consumers and businesses about protecting themselves, and increases the safeguards on personal data entrusted to federal agencies and private entities.

The Plan focuses on improvements in four key areas:

• keeping sensitive consumer data out of the hands of identity thieves through better data security and more accessible education;
• making it more difficult for identity thieves who obtain consumer data to use it to steal identities;
• assisting the victims of identity theft in recovering from the crime; and
• deterring identity theft by more aggressive prosecution and punishment of those who commit the crime.

In these four areas, the Task Force makes a number of recommendations summarized in greater detail below. Among those recommendations are the following broad policy changes:

• that federal agencies should reduce the unnecessary use of Social Security numbers (SSNs), the most valuable commodity for an identity thief;
• that national standards should be established to require private sector entities to safeguard the personal data they compile and maintain and to provide notice to consumers when a breach occurs that poses a significant risk of identity theft;
• that federal agencies should implement a broad, sustained awareness campaign to educate consumers, the private sector, and the public sector on deterring, detecting, and defending against identity theft; and
• that a National Identity Theft Law Enforcement Center should be created to allow law enforcement agencies to coordinate their efforts and information more efficiently, and investigate and prosecute identity thieves more effectively.

The Task Force believes that all of the recommendations in this strategic plan - from these broad policy changes to the small steps - are necessary to wage a more effective fight against identity theft and reduce its incidence and damage. Some recommendations can be implemented relatively quickly; others will take time and the sustained cooperation of government entities and the private sector. Following are the recommendations of the President's Task Force on Identity Theft:

Identity theft depends on access to consumer data. Reducing the opportunities for thieves to get the data is critical to fighting the crime. Government, the business community, and consumers have roles to play in protecting data.

Data compromises can expose consumers to the threat of identity theft or related fraud, damage the reputation of the entity that experienced the breach, and carry financial costs for everyone involved. While "perfect security" does not exist, all entities that collect and maintain sensitive consumer information must take reasonable and appropriate steps to protect it.

Decrease the Unnecessary Use of Social Security Numbers in the Public Sector by Developing Alternative Strategies for Identity Management

Survey current use of SSNs by federal government

Issue guidance on appropriate use of SSNs

Establish clearinghouse for "best" agency practices that minimize use of SSNs

Work with state and local governments to review use of SSNs * Educate Federal Agencies on How to Protect Data; Monitor Their Compliance with Existing Guidance

Develop concrete guidance and best practices

Monitor agency compliance with data security guidance

Protect portable storage and communications devices

Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies

Issue data breach guidance to agencies

Publish a "routine use" allowing disclosure of information after a breach to those entities that can assist in responding to the breach

Data Security in Private Sector

Establish National Standards for Private Sector Data Protection Requirements and Breach Notice Requirements

Develop Comprehensive Record on Private Sector Use of Social Security Numbers

Better Educate the Private Sector on Safeguarding Data

Hold regional seminars for businesses on safeguarding information

Distribute improved guidance for private industry

Initiate Investigations of Data Security Violations

Initiate a Multi-Year Public Awareness Campaign

Develop national awareness campaign

Enlist outreach partners

Increase outreach to traditionally underserved communities

Establish "Protect Your Identity" Days

Develop Online Clearinghouse for Current Educational Resources

Because security systems are imperfect and thieves are resourceful, it is essential to reduce the opportunities for criminals to misuse the data they steal. An identity thief who wants to open new accounts in a victim's name must be able to (1) provide identifying information to allow the creditor or other grantor of benefits to access information on which to base a decision about eligibility; and (2) convince the creditor that he is the person he purports to be.

Authentication includes determining a person's identity at the beginning of a relationship (sometimes called verification), and later ensuring that he is the same person who was originally authenticated. But the process can fail: Identity documents can be falsified; the accuracy of the initial information and the accuracy or quality of the verifying sources can be questionable; employee training can be insufficient; and people can fail to follow procedures.

Efforts to facilitate the development of better ways to authenticate consumers without burdening consumers or businesses - for example, multi-factor authentication or layered security - would go a long way toward preventing criminals from profiting from identity theft.

Hold Workshops on Authentication

Engage academics, industry, entrepreneurs, and government experts on developing and promoting better ways to authenticate identity

Issue report on workshop findings

Develop a Comprehensive Record on Private Sector Use of SSNs

Identity theft can be committed despite a consumer's best efforts at securing information. Consumers have a number of rights and resources available, but some surveys indicate that they are not as well-informed as they could be. Government agencies must work together to ensure that victims have the knowledge, tools, and assistance necessary to minimize the damage and begin the recovery process.

Provide Specialized Training About Victim Recovery to First Responders and Others Offering Direct Assistance to Identity Theft Victims

Train law enforcement officers

Provide educational materials for first responders that can be used as a reference guide for identity theft victims

Create and distribute an ID Theft Victim Statement of Rights

Design nationwide training for victim assistance counselors

Develop Avenues for Individualized Assistance to Identity Theft Victims

Amend Criminal Restitution Statutes to Ensure That Victims Recover the Value of Time Spent in Trying to Remediate the Harms Suffered

Assess Whether to Implement a National System That Allows Victims to Obtain an Identification Document for Authentication Purposes

Assess Efficacy of Tools Available to Victims

Conduct assessment of FACT Act remedies under FCRA

Conduct assessment of state credit freeze laws

Strong criminal law enforcement is necessary to punish and deter identity thieves. The increasing sophistication of identity thieves in recent years has meant that law enforcement agencies at all levels of government have had to increase the resources they devote to investigating related crimes. The investigations are labor-intensive and generally require a staff of detectives, agents, and analysts with multiple skill sets. When a suspected theft involves a large number of potential victims, investigative agencies often need additional personnel to handle victim-witness coordination.

Coordination and Information/Intelligence Sharing

Establish a National Identity Theft Law Enforcement Center

Develop and Promote the Use of a Universal Identity Theft Report Form

Enhance Information Sharing Between Law Enforcement and the Private Sector

Enhance ability of law enforcement to receive information from financial institutions

Initiate discussions with financial services industry on countermeasures to identity theft

Initiate discussions with credit reporting agencies on preventing identity theft

Encourage Other Countries to Enact Suitable Domestic Legislation Criminalizing Identity Theft

Facilitate Investigation and Prosecution of International Identity Theft by Encouraging Other Nations to Accede to the Convention on Cybercrime

Identify the Nations that Provide Safe Havens for Identity Thieves and Use All Measures Available to Encourage Those Countries to Change Their Policies

Enhance the United States Government's Ability to Respond to Appropriate Foreign Requests for Evidence in Criminal Cases Involving Identity Theft

Assist, Train, and Support Foreign Law Enforcement

Increase Prosecutions of Identity Theft

Designate an identity theft coordinator for each United States Attorney's Office to design a specific identity theft program for each district

Evaluate monetary thresholds for prosecution

Encourage state prosecution of identity theft

Create working groups and task forces

Conduct Targeted Enforcement Initiatives

Conduct enforcement initiatives focused on using unfair or deceptive means to make SSNs available for sale

Conduct enforcement initiatives focused on identity theft related to the health care system

Conduct enforcement initiatives focused on identity theft by illegal aliens

Review Civil Monetary Penalty Programs

Close the Gaps in Federal Criminal Statutes Used to Prosecute Identity Theft-Related Offenses to Ensure Increased Federal Prosecution of These Crimes

Amend the identity theft and aggravated identity theft statutes to ensure that identity thieves who misappropriate information belonging to corporations and organizations can be prosecuted

Add new crimes to the list of predicate offenses for aggravated identity theft offenses

Amend the statute that criminalizes the theft of electronic data by eliminating the current requirement that the information must have been stolen through interstate communications

Penalize creators and distributors of malicious spyware and keyloggers

Amend the cyber-extortion statute to cover additional, alternate types of cyber-extortion

Ensure That an Identity Thief's Sentence Can Be Enhanced When the Criminal Conduct Affects More Than One Victim

Enhance Training for Law Enforcement Officers and Prosecutors

Develop course at National Advocacy Center focused on investigation and prosecution of identity theft

Increase number of regional identity theft seminars

Increase resources for law enforcement on the Internet

Review curricula to enhance basic and advanced training on identity theft

Enhance the Gathering of Statistical Data Impacting the Criminal Justice System's Response to Identity Theft

Gather and analyze statistically reliable data from identity theft victims

Expand scope of national crime victimization survey

Review U.S. Sentencing Commission data

Track prosecutions of identity theft and resources spent

Conduct targeted surveys

Every day, too many Americans learn that their identities have been compromised, often in ways and to an extent they could not have imagined. Identity theft victims experience a sense of hopelessness when someone steals their good name and good credit to commit fraud. These victims also speak of their frustration in fighting against an unknown opponent.

"I was absolutely heartsick to realize our bank accounts were frozen, our names were on a bad check list, and my driver's license was suspended. I hold three licenses in the State of Ohio - my driver's license, my real estate license, and my R.N. license. After learning my driver's license was suspended, I was extremely fearful that my professional licenses might also be suspended as a result of the actions of my imposter."

Maureen Mitchell Testimony Before House Committee on Financial Services, Subcommittee on Financial Institutions and Consumer Credit June 24, 2003

Identity theft - the misuse of another individual's personal information to commit fraud - can happen in a variety of ways, but the basic elements are the same. Criminals first gather personal information, either through low-tech methods such as stealing mail or workplace records, or "dumpster diving," or through complex and high-tech frauds such as hacking and the use of malicious computer code. These data thieves then sell the information or use it themselves to open new credit accounts, take over existing accounts, obtain government benefits and services, or even evade law enforcement by using a new identity. Often, individuals learn that they have become victims of identity theft only after being denied credit or employment, or when a debt collector seeks payment for a debt the victim did not incur.

Individual victim experiences best portray the havoc that identity thieves can wreak. For example, in July 2001, an identity thief gained control of a retired Army Captain's identity when Army officials at Fort Bragg, North Carolina, issued the thief an active duty military identification card in the retired captain's name and with his Social Security number. The military identification, combined with the victim's then-excellent credit history, allowed the identity thief to go on an unhindered spending spree lasting several months. From July to December 2001, the identity thief acquired goods, services, and cash in the victim's name valued at over $260,000. The victim identified more than 60 fraudulent accounts of all types that were opened in his name: credit accounts, personal and auto loans, checking and savings accounts, and utility accounts. The identity thief purchased two trucks valued at over $85,000 and a Harley-Davidson motorcycle for $25,000. The thief also rented a house and purchased a time-share in Hilton Head, South Carolina, in the victim's name.4

In another instance, an elderly woman suffering from dementia was victimized by her caregivers, who admitted to stealing as much as $200,000 from her before her death. The thieves not only used the victim's existing credit card accounts, but also opened new credit accounts in her name, obtained financing in her name to purchase new vehicles for themselves, and, using a fraudulent power of attorney, removed $176,000 in U.S. Savings Bonds from the victim's safe-deposit boxes.5

In these ways and others, consumers' lives are disrupted and displaced by identity theft. While federal agencies, the private sector, and consumers themselves already have accomplished a great de