TESTIMONY FOR
THE UNITED STATES SENATE
SPECIAL
COMMITTEE ON AGING
SENATOR
JOHN BREAUX, CHAIRMAN
LARRY
E. CRAIG, RANKING MEMBER
SENATEíS
SPECIAL COMMITTEE ON AGING
INVESTIGATIVE
HEARING ON IDENTITY THEFT
HEARING
DATE: JULY 18, 2002 9:30A.M.
ROOM
SD-628
DIXON
SENATE OFFICE BUILDING
TESTIMONY
PROVIDED BY MARI J. FRANK, ESQ.
Good morning, Chairman Breaux,
Ranking Member Craig, honorable committee members, and invited guests. Thank
you very much for the opportunity to address you today regarding this hearing
on Identity Theft and the vulnerability of senior citizens to this crime.
My name is Mari Frank. I am an
attorney, privacy and identity theft consultant, and author of the Identity
Theft Survival Kit (Porpoise Press, 1998) from Laguna Niguel, California. I
serve as a Sheriff Reserve (Professional Services) for the Orange County,
California Sheriff Departmentís High Tech Crime Unit, and sit on the
Advisory Committee to the Office of Privacy in the State of Californiaís
Office of Consumer Affairs, which focuses on privacy and identity theft
protection for California citizens. Additionally, I have served on the Los
Angeles District Attorneyís Office Task Force on Identity Theft, which
sponsored legislation to help victims of identity theft, and assisted law
enforcement in the prosecution of this crime. As an advisory board member to
the non- profit consumer advocacy program, the Privacy Rights Clearinghouse
(San Diego, Ca.), I am privileged to consult with Director Beth Givens and
Linda Foley (Director of the Identity Theft Resource Center- an affiliate
program) regarding identity theft cases and proposals for legislation.
My own identity was stolen
(in 1996) by an impostor who paraded as an attorney and took over
$50,000 in my name. From that arduous nightmare, I gained great insight into
the tribulations that victims endure. Since
that time I have personally assisted myriad victims, many of who are between
the ages of 50 and 93 years old. Additionally, I have had the privilege of
testifying before several legislative bodies and have advised many national
corporations on how to protect their clients, customers, vendors and employees
and their company from problems of identity theft.
First I am grateful to this
honorable committee for focusing on the growing problem of Identity Theft with
regard to our aging population. Your desire to expose the scope of its
prevalence and its causes deserves commendation. I am also thankful to this
esteemed panel of witnesses who will assist you in creating solutions to the
unique challenges of dealing with this white-collar crime.
Youíve asked that I
concentrate my testimony in the following areas:
I. Explain the vulnerability of seniors to identity theft, and provide brief case histories.
II. Describe the financial and emotional impact on senior victims of Identity Theft.
III. Clarify what seniors can and cannot do to avoid Identity Theft.
IV.
Propose actions that private sector and government should take to protect
seniors from becoming victims of Identity Theft.
I.
THE VULNERABILITY OF SENIORS TO IDENTITY THEFT
To understand
the unique problems facing the aging with regard to identity theft, I will
clarify what actually happens to victims. There are many types of fraud that
fall under the category of identity theft.
It could be as simple as ìaccount take overî where the thief steals
an ATM VISA or MasterCard, credit card, or just the account number, and makes
purchases on-line, by phone or in person. By stealing your mail or trash, a
fraudster can either use your checks or create new checks using your account
number to drain the funds from your bank accounts.
You only find out when your checks start bouncing or you canít use
your ATM to obtain cash.
Fraudulent
purchases can also be made without your knowledge if your credit cards are
ìskimmedî. A ìdirty
employeeî at a retail store, restaurant, or hotel simply duplicates the
metal strip on the back of your credit card using a skimmer (a small handheld
device designed to copy information from the magnetic strip on a card) to
later create a new card with your account information- thus your credit card
bill arrives normally with purchases you never made- yet your credit card sits
safely in your wallet.
The
more invasive and lucrative type of identity theft- ìtrue name fraudî or
ìapplication fraudî occurs when your ìevil twinî obtains your social
security number, (thatís often all they need) pretends to be you, and
applies for credit at his/her address or a mail drop. The thief, needing a
photo ID, obtains a driverís license- either a ìvalidî duplicate from
the state Department of Motor Vehicles (many states are less than careful in
issuing duplicate licenses, i.e.: California issued over 100,000 duplicate
ìvalidî licenses with the impostorís photo to fraudsters in the year
2000), or buys a high tech phony license on the street for $25.00. With just
these documents, the ìidentity cloneî can create havoc in your life. The
impostor can obtain more credit cards, credit lines, a mortgage, an apartment,
purchase cars, open utilities accounts, get a cellular phone, make cash
advances, obtain health care, purchase life insurance in the victimís name,
(making the fraudster the beneficiary), order a passport, work under your name
(and of course the IRS comes after you), become a ìlegalî citizen, steal
your professional identity (even create business cards), create e-mail
accounts and web sites, and worse yet, commit crimes ruining your good name
and destroying your reputation.
Although every one of us is vulnerable to this crime (since our personal information including our social security number is readily available offline and on line and its use, sale and transfer is often beyond our control), seniors are a more susceptible for a variety of reasons:
1.
Seniors Place Value on Creditworthiness and Owning a Mortgage-Free
Home
Typically, seniors establish a more conservative financial profile as they get older. Many have acquired wealth, a home, financial stability and a better credit score than younger people. A savvy identity thief can access and be extended more credit for purchases for a longer period of time if they target an older person with higher credit line availability.
Sidney, a wealthy retired executive learned that his identity was
stolen many months after he and his wife purchased a new home. His loan
application, with his 3 in one credit report attached, revealed his credit
score, his checking, savings, and investment accounts, social security number,
and all necessary information for an impostor to become Sidney. His
masquerader had gotten a copy of Sidneyís loan application and opened new
credit card accounts, purchased computers, electronic equipment, furniture,
rented an apartment, obtained utilities, etc, stealing almost $100,000.
Allan and Marcia are retired
and living in a gate guarded community, in a mortgage free home. They felt
sure that their mail and finances would be safe inside the gate, yet they
learned that convenience checks were stolen from their mail box, and thousands
of dollars were spent in their name. Also their own checks were stolen, credit
cards were opened in their name, purchases were made across the country using
their credit card numbers on the Internet. After several months, they learned
that their ìmortgage-freeî home now had a large mortgage and a lender was
threatening forclosure.
2. Seniors At Risk for Pre-text Calling
Elderly persons who are weak or
ill may be prone to deceptive approaches such as pre-text calling which is a
method that a fraudster can use to extract personal information to then use to
steal from the victim.
David a 70-year-old diabetic from Detroit had received
a call at 10:00 PM one evening supposedly from the local court system telling
him it was time to serve on jury duty. They required his social security
number, birth date and other personal information Fearful of repercussions; he
answered all the questions posed to him.
He never received any call for jury duty, but he did receive calls from
collection agencies several months later regarding new credit accounts that he
hadnít opened.
3. Many Seniors Dependent on Caregivers
Nursing homes and Board and Care Home employees as well as in-home caregivers are often placed in a tempting situation where they have access to personal information and they are in a position of trust. Very ill seniors, especially those with Alzheimerís and other disabilities often are at the mercy of the caregiver to help them with banking, health care information (which usually includes the social security number) and even Living Trusts and insurance. Hereís an example:
Mary, a 70 year old blind woman, was living with her
adult son who hired a practical nurse to help his mother while he was at work.
The nurseís aid took Mary to doctorsí appointments, the bank, and also to
the cleaners ñliterally and figuratively- she stole Maryís identity using
her social security number to obtain credit cards, utilities, a new car, and
an apartment and even left Mary with a warrant for unpaid parking tickets. The
family didnít learn of the theft until the caregiver was nowhere to be
found.
4. Older Americans Lack Emotional Energy to Deal with Overwhelming Issues of ID Theft
Addressing the issues of regaining oneís financial
creditworthiness is very challenging for anyone, but the elderly are
especially vulnerable when they live alone or have experienced the loss of
their spouse after many years of marriage.
Loraine, a 65 year old widow of a deceased decorated
United States Air Force General, found out several months after her
husbandís death that his identity was stolen to commit security crimes and
credit card fraud. Not only is she left to deal with her grieving, but also
the tremendous burden of repairing her husbandís tarnished reputation and
addressing her own financial disaster of trying to convince the collection
agencies that the debts didnít belong to her late husband. Although her
identity wasnít stolen she became the victim.
5. Health
Challenges Exacerbate Problems- especially with Criminal ID Theft
George, a 55 year old disabled veteran living in
Colorado was suddenly denied his disability payments, and hit with a large IRS
bill for the income that his impostor had earned working under his name in
Tennessee. Upon investigation, we learned that Georgeís impostor had also
established a criminal record in yet another state and there was a warrant for
Georgeís arrest.
Delores, 62, takes kidney dialysis treatment three
times a week at a hospital clinic near her home.
She learned that she and several other patients had their identities
stolen by an employee who had access to their personal information. She has no
financial resources and no children to help her. She feels lost and terrified.
6. The
Elderly Victimized by their Children or Relatives - Fearful of Law Enforcement
Sadly some unscrupulous relatives, like vultures, take
advantage of the finances and good nature of their family. They bank on the
fact that the victims wonít go to the police telling the truth about the
fraudulent use of their identity and credit. This hinders law enforcement and
may cause the victimsí reputation to be ruined.
John Sr. a 75-year-old retired engineer learned that
John Jr. had been using dadís credit to make purchases and buy a car.
Rather than turn in his son, John Sr. made payments for years to the
various companies until he found out that Junior had also taken a second
mortgage on his parentsí home. He is fearful of losing his home and
doesnít want to put his son in jail. His
health is failing and his heart is breaking.
7.
The Information Age, lightening speed data transfer, and technology
overwhelm seniors
Our aging population has had to adjust to the
information age- new technologies, which are challenging to grasp for those
who grew up with typewriters. For
many elderly persons, it is just too overwhelming to get help on the Internet,
protect themselves on-line or understand all the precautions to take on the
Internet.
Susan, a 60ish hip grandma, signed up for e-mail
and Internet access with a reputable Internet Service Provider. When she
received e-mail from her provider asking her to give her personally
identifying information, including her social security number, to renew her
account, she found out that it was a ploy by hackers to get her information.
It was a false e-mail set up to look like her provider.
She later became the victim of identity Theft with thousands of dollars
worth of purchases on the Internet with credit cards she didnít know she
had.
The above cases caused great anguish to the victims
who called us. The time spent
trying to regain their lives and the out of pocket costs were minimal compared
to the tremendous emotional turmoil these seniors experience.
II. FINANCIAL
AND EMOTIONAL IMPACT ON SENIOR VICTIMS OF IDENTITY THEFT
1.
Financial Aspects:
Most seniors who are victims of credit card fraud are
protected by federal law with regard to the fraudulent charges, however for
those who experience ATM VISA and MasterCard fraud and check fraud, regaining
the money into their checking account has been far more challenging and many
victims find they cannot handle the issue without the help of legal counsel.
This of course is an out of pocket cost.
Additionally, sending letters return receipt requested, hiring help to
type the letters, long distance phone calls, missing time from work, doctor
bills from increased health problems, credit monitoring services, private
investigators, notary fees, and attorney fees all increase the out of pocket
costs expenses. Further research among senior victims will be necessary to
assess the true financial devastation. My
experience hearing from the elderly is that if they donít have family
members to help them make the calls and write the letters, and they cannot
afford an attorney, they feel overwhelmed, give up and pay bills that are
fraudulent. Some have reported that they resorted to bankruptcy since they
felt they had no other choice.
In May of 2000, Calpirg and The Privacy Rights
Clearinghouse issued a report entitled ìNowhere to Turn: Victims Speak Out
on Identity Theftî. The victims in that study (although not specifically
over 50 years of age) reported an average
of 175 hours and $808 in out of pocket costs ñ but only 45% of the
victims included in the averaged costs considered their cases to be solved.
55% of those surveyed whose cases were still open reported that their
cases had already been open almost 4 years.
Victims reported spending between $30 and
$2000 not including attorney fees. (See www.privacyrights.org/ar/idtheft2000.htm
for complete report)
II.
The Emotional and Psychological Impact on Aging Victims of ID Theft
Victims feel extremely violated by the criminal
perpetrator, but even worse, the victims often experience blame and disbelief
by the creditors, lack of cooperation and concern by the credit reporting
agencies, and refusal by law enforcement to investigate.
Victims often report that creditors demand payment,
and treat the victim like a deadbeat. Credit
card companies and banks normally refuse to provide documentation of the
billing statements and applications, and may sell the ìdelinquentî
accounts to collection agencies even after fraud is reported.
Then the collection agencies hound victims, threatening lawsuits.
Victims report great difficulty in contacting the
credit reporting agencies since there are no live persons to assist them upon
reporting the fraud. Also reading
the credit reports and understanding them causes great frustration since all
three companies use different formats. Confusion also occurs since the credit
report that the consumer receives is different from the one that the creditor
receives. Even after a fraud alert is placed on the credit profile, victims
feel insecure because careless creditors will issue new fraud accounts without
any negative consequences for the creditor or the credit reporting agencies.
Many victims also report that once fraudulent activity is removed from the
credit report it may reappear on subsequent reports without re-reporting from
the creditor. Cleaning up the credit mess may take months or years.
Although most state and federal law ensures that
consumer victims have standing to make at least an informational police report
in the jurisdiction where they live, many law enforcement offices still refuse
to issue a report and most victims find that unless there is a suspected fraud
ring or a very high dollar loss, there will be no investigation. If there is
no inquiry, the impostor can strike again- leaving the victim feeling
terrified. Hurdle after hurdle causes feelings of dread, rage and fear.
Identity Theft is a frightening and overwhelming
experience for anyone at any age, however for our older citizens it is often
compounded by health challenges and other vulnerabilities unique to the
elderly. This crime is like a cancer in that it strikes without warning and
disrupts your whole life-it may go into remission, but you donít know when
it will strike again, especially if the impostor isnít caught. In only 10%
of the cases is there an arrest.
The elderly victims with whom I have personally spoken and those that report to the Privacy Rights Clearinghouse and the Identity Theft Resource Center all have very similar feelings of frustration, violation, fear, helplessness, anger, rage, anguish, powerlessness, and even despair. Victims feel out of control since most do not know who is doing this to them, why this is happening and they just canít stop it. Those who experience this crime, like victims of violent crime also experience posttraumatic stress disorder- they report they are unable to sleep, extreme loss or gain of weight, feelings of isolation, paranoia, intense distrust and even embarrassment that someone will think that because this happened to them that they are old and incompetent.
The negative psychological response may even cause
physiological reactions and physical manifestations-the stress and anxiety
have caused heart palpitations (one of our victims had a heart attack), high
blood pressure, back and neck spasms, shortness of breath, stomach upsets,
headaches, eczema, sexual dysfunction, depression, and night terrors. One
distraught law enforcement fraud investigator in South Florida called me to
tell me that one of his elderly victims committed suicide from the extreme
depression she experienced from dealing with her ìidentity theft hellî.
Without intervention, many of the elderly seniors could be in great psychological danger. We recommend emotional counseling services, but encourage the development of strong victim assistance programs to provide support groups and therapy.
III.
WHAT SENIOR CITIZENS CAN AND CANNOT DO TO PROTECT THEMSELVES FROM IDENTITY
THEFT
Weíve
heard numerous identity theft stories- with numbers of victims ranging from
500,000 to over a million a year. In the year 2001 Trans Union, one of the
three major credit reporting agencies, reported an average of 3,500 calls a
day to their fraud hotline. Some of those reporting had lost their wallets or
their information was stolen and they had not yet become victims, so we are
not sure of how many of those became victims, however the number is
significant. Our current
statistics from the Federal Trade Commission do not reflect the true extent of
Identity Theft, because most victims still do not know to report to that
entity- the credit reporting agencies are still in the best position to share
the statistics that they have with the FTC and should be required to do so to
assist in adequate research.
What can elderly victims do to protect themselves?
Under current law, they have very little control how their personal
information is disseminated or accessed, but they can do simple common sense
things to minimize their risk-
Here are the
top four protection measures:
1.
Get a copy of your credit reports at least twice a year. Carefully
scrutinize all information and correct all errors, including the inquiries. If
something looks strange, call and write to the creditor and place fraud alerts
on the credit profiles of the three major credit reporting agencies. If you
monitor your reports and fraud accounts are opened, at least you will minimize
your losses with early notification. Do your own background search on yourself
once a year to see if any fraudulent criminal activity appears.
2.
Donít give out your social security number unless required by law.
Donít carry it with you and if it is on your health care cards, make a copy
redacting the first 5 numbers and carry only the copy with you.
Carry as little information about you as possible in your wallet.
Donít submit to the use of your biometric information (fingerprint, iris
scan, etc) unless required by law and you understand the purpose for which it
is collected, how it will be maintained, the secondary use if any, the
safeguards ensuring its accuracy and security and the place to contact if a
problem arises.
3.
Guard your personal information with great caution.
Donít give out information at retail stores, on warranty cards, when
a company calls you on the phone, or on the Internet. Donít keep
personal information on your computer if it is accessible on the Internet.
Shred all documents that you are discarding, including utility bills,
check statements, old wills and trusts, anything
with personal and financial information.
4. When dealing with others in a trusted position, such as a caregiver, or a trusted advisor, make sure you check references, licenses, and other background information. Share as little personal and financial data with this person as possible, and donít give them responsibility to manage your assets without your approval- donít give out your ATM VISA pin number or allow them to sign checks for you. The less access to your financial and personal data the more secure your identity.
CAUTION-
INFORMATION ACCESS BEYOND YOUR CONTROL- MAJOR CAUSE OF IDENTITY THEFT
Even if you diligently take every precaution
delineated on informative web sites such as www.identitytheft.org;
or www.privacyrights.org or www.idtheftcenter.org
or the FTC website at www.consumer.gov/idtheft
and all the other websites that repeat the same advice, you are
still very vulnerable to becoming a
victim of identity theft given the present situation where consumers have no
control over limiting access to personal information. With the tools below,
someone can easily masquerade as you and destroy your good name.
1.
Mail Theft- although you can
minimize your risk with outgoing mail by placing your checks and payments in
the box at the post office and not your own mailbox, you have no control over
insider mail theft by employees, by thieves stealing from mail trucks, post
offices, or from those with whom you do business.
2. Insider-
dirty employees, unscrupulous relatives- workplace identity theft is an
epidemic. Your information is
stored in your doctorís office, your accountantís office, hospitals,
nursing homes, dental offices, credit card companies, credit reporting
agencies, the IRS, banks, investment companies, mortgage brokers, etc.
You have no idea who has
access to that information and what they may do with it illegally.
3.
Hackers-whether or not you use the Internet, your personal
information may be sitting on a computer or a web site and without your
knowledge a hacker may get access to that information and sell it for fraud
purposes.
4. Dumpster Diving- Even if you shred all your personal and financial information, you have no control what governmental and commercial entities are doing with your sensitive information when they discard it. California and Wisconsin have laws, which require complete destruction by commercial companies when discarding personal information. This should be federal law and it should also to governmental agencies as well.
5. Information
Brokers-Private investigators and onñline brokers, who are not under
strict scrutiny, gather information about you from various data bases and
re-sell that information- even your social security number.
For a price, you can order almost any information you wish about
anyone. With the information
obtained one can easily steal anotherís identity.
6. Obtaining
Your Credit Report-many businesses have subscription services with the
credit reporting agencies (real estate offices, attorney offices, lenders,
credit card companies, etc.) Someone can allege that they have a permissible
purpose to obtain your credit report and have all the information needed to
assume your identity.
7.Burglary at office buildings, hospitals your home, your car, etc.
A burglar at your bank, an employer, former employer,
a former friend or estranged or disloyal family member, roommates or employees
at your home could all steal enough information to become your ìevil
twinî.
8. Pretext Calling-
Someone intending to get information about you may
call your employer, doctor, investment office, or even your friends or family
to gain information to steal your identity.
9. Credit
Industry Carelessness
Credit grantors facilitate this crime by issuing
credit far too easily. Billions of pre-approved offers are sent each year
without prior consent (a report by the New York Times reported 11 Billion
pre-approved offers for credit in the year 1999) as are ìconvenience
checksî that can easily be cashed by an impostor.
Many creditors issue credit to impostors even after
fraud alerts are posted on the credit profile.
In their zeal to issue quick credit, credit card companies fail to
match names, addresses and other information to verify identity when issuing
credit lines and credit cards.
10. Public
Record Access
Birth Certificates and especially death certificates
make identity theft very easy. A
death certificate has the social security number of the deceased.
In fact when Kevin Mitnick, the famous hacker, called to interview me
about identity theft (for his radio show) he personally told me he committed
identity theft by stealing the death certificates of young children. Then he
could hide out and work under the assumed names, get credit cards, apartments
and all he needed.
The Myth of
Prevention of Identity Theft
The points above are just a few of the ways that your
information can be accessed and used for a criminal purpose without your
knowledge or control. When I became a victim, my impostor had accessed my
credit report from a law office when she pretended to be a private detective
who allegedly had a permissible purpose, I had no way to prevent this crime
from happening.
Giving
senior citizens tips on how to ìavoidî identity theft is misleading.
Although we may educate them to stay conscious and guard their
information as best as possible, I urge this committee to take notice that we
should not give any false sense of
security to anyone with regard to identity theft.
There are steps that could be taken to prevent financial identity theft
that I will address in my section on ìproposed actions to be taken by the
private sector and government.î
Clearly, the elderly need to be educated to understand
how to minimize the dissemination of their information, but they should also
understand that they must demand accountability by the various industries that
have collected their information. Hopefully, we can collaborate with the
financial industry, governmental entities and all businesses, to see how
secure information handling practices and respect for privacy is a value added
to enhance trust with seniors.
IV. PROPOSED
ACTIONS FOR THE GOVERNMENT AND PRIVATE INDUSTRY TO PREVENT SENIORS FROM
BECOMING VICTIMS OF IDENTITY THEFT
1. Both governmental entities and private industry should limit the use of the social security number since it is the key to identity theft for financial fraud.
As
a member of the advisory committee in the Office of Privacy Protection in the
California Office of Consumer Affairs, I had the privilege of assisting in the
development of the recently issued ì Recommended Practices for Protecting
the Confidentiality of Social Security numbersî (July 25, 2002 www.privacy.ca.gov).
The following should be considered by both pubic and private sector entities
to protect all consumers. These provisions are especially beneficial for the
protection of seniors.
Recommended
Practices for Protecting the Confidentiality of SSNs by the Office of Privacy
Protection of the California Office of Consumer Affairs
The Office of Privacy Protectionís recommendations
are intended to serve as guidelines to assist organizations in moving towards
the goal of aligning their practices with the widely accepted fair information
practice principles described below. These
recommended practices address, but are not limited to, the provisions of
California Civil Code section 1798.85.
The recommendations are relevant for private- and public
sector organizations, and they apply to the handling of all SSNs in the
possession of an organization: those of customers, employees and business
partners.
1.
Reduce the collection of SSNs.
ß
Collect SSNs preferably only where
required to do so by federal or state law.
ß
When collecting SSNs as allowed, but
not required, by law, do so only as reasonably necessary
for the proper administration of lawful business activities.
ß
If a unique personal identifier is
needed, develop your own as a substitute for the SSN.
2.
Inform individuals when you request their SSNs.
ß
Whenever you collect SSNs as required
or allowed by law, inform the individuals of
the purpose of the collection, the intended use, whether the law requires the
number to be provided or not, and the consequences of not providing the
number.
ß
If required by law, notify individuals
(customers, employees, business partners, etc) annually of their right to
request that you do not post or publicly display their SSN or do any of
the other things prohibited in Civil Code Section 1798.85(a).
Eliminate public display of SSNs.
ß
Do not put SSNs on documents that are
widely seen by others, such as identification cards, badges, time cards,
employee rosters, bulletin board postings, and other materials.
ß
Do not send documents with SSNs on
them through the mail, except on applications or forms or when required by law[i].
ß
When sending applications, forms or
other documents required by law to carry SSNs through the mail, place the SSN
where it will not be revealed by an envelope window.
Where possible, leave the SSN field on forms and applications blank and
ask the individual to fill it in before returning the form or application.
ß
Do not send SSNs by email unless the
connection is secure or the SSN is encrypted.
ß
Do not require an individual to send
his or her SSN over the Internet or by email, unless the connection is secure
or the SSN is encrypted.
ß
Do not require individuals to use SSNs
as passwords or codes for access to Internet web sites or other services.
Control access to SSNs.
ß Limit access to records containing SSNs only to those who need to see the numbers for the performance of their duties.
ß Use logs or electronic audit trails to monitor employeesí access to records with SSNs.
ß
Protect records containing SSNs,
including back-ups, during storage by encrypting the numbers in electronic
records or storing records in other media in locked cabinets.
ß Do not store records containing SSNs on computers or other electronic devices that are not secured against unauthorized access.
ß
Avoid sharing SSNs with other
companies or organizations except where required by law.
ß
If you do share SSNs with other
companies or organizations, including contractors, use written agreements to
protect their confidentiality.
ß
Prohibit such third parties from
re-disclosing SSNs, except as required by law.
ß
Require such third parties to use
effective security controls on record systems containing SSNs.
ß Hold such third parties accountable for compliance with the restrictions you impose, including monitoring or auditing their practices.
ß
If SSNs are disclosed inappropriately and the individuals whose
SSNs were disclosed are put at risk of identity theft or other harm, promptly
notify the individuals potentially affected.
ß
Protect SSNs with security safeguards.
ß
Develop a written security plan for
record systems that contain SSNs.
ß
Develop written policies for
protecting the confidentiality of SSNs, including but not limited to the
following:
ß
Adopt ìclean desk/work areaî
policy requiring employees to properly secure records containing SSNs.
ß
Do not leave voice mail messages
containing SSNs and if you must send an SSN by fax, take special measures to
ensure confidentiality.
ß
Require employees to ask individuals
(employees, customers, etc.) for identifiers other than the SSN when looking
up records for the individual.
ß
Require employees to promptly report
any inappropriate disclosure or loss of records containing SSNs to
their supervisors or to the organizationís privacy officer.
ß
When discarding or destroying records
in any medium containing SSNs, do so in a way that protects their
confidentiality, such as shredding.[ii]
ß
Make your organization accountable for
protecting SSNs.
ß
Provide training and written material
for employees on their responsibilities in handling SSNs.
ß
Conduct training at least annually.
ß
Train all new employees, temporary
employees and contract employees.
ß
Impose discipline on
employees for non-compliance with organizational policies and practices for
protecting SSNs.
ß
Conduct risk assessments and regular
audits of record systems containing SSNs.
ß
Designate someone in the organization
as responsible for ensuring compliance with policies and procedures for
protecting SSNs.
2.
Destruction of Confidential Information-Governmental Agencies
and Private Industry should be required to completely destroy personal
information that they are discarding by shredding, burning or whatever means
is necessary to protect the information from dumpster diving.
3.
Governmental and Private industry should be required to truncate credit
card numbers ñ No company or entity
shall print more than the last 5 digits of a credit card number or account
number or the expiration date upon any receipt provided to a cardholder.
4.
Security Breach Notification Governmental
Agencies and Private industry should be held accountable to timely notify all
employees and or clients or customers of computer security breaches which have
exposed their personal identifying information.