Feds Want Tougher Penalties For Insider Identity Theft

A federal proposal to combat identity theft takes a hard line on people who use inside information to commit the crime.

Thomas Claburn, Editor at Large, Enterprise Mobility

May 24, 2004

A federal proposal to combat identity theft takes a particularly hard line on people who abuse insider access to information to commit the crime.

The House Judiciary Committee earlier this month passed a bill, the Identity Theft Penalty Enhancement Act, that would establish a new crime of aggravated identity theft--the use of a stolen identity to commit certain crimes--and increase applicable penalties. The bill also includes an amendment that directs the U.S. Sentencing Commission to revise its guidelines to include stronger punishment for those who abuse a position of trust to commit insider identity theft. The bill is likely to be brought to the full House for a vote in the near future.

The intent is to remind employees of the consequences for their actions, but there's a message in it for companies, too, says the bill's sponsor, U.S. Rep. John R. Carter, R-Texas. "It also raises a flag to the corporations and entities like schools and governmental agencies that this is serious business, and you have some responsibility to be preserving and protecting this information that you're being entrusted with," he says.

The Federal Trade Commission received 516,740 identity-theft complaints last year, up from 404,000 in 2002. An FTC report issued in September estimates that more than 27 million Americans have been victims of identity theft during the past five years.

According to "Predator Profiles," a forthcoming report from Michigan State University's identity-theft research center, at least half of identity theft now results from the theft of personal information stored on business databases. Noting that her organization's research has since been corroborated by two other studies, MSU researcher Judith Collins says that at least 50%, and potentially as much as 70%, of identity thefts originate in the workplace by employees or people impersonating employees. "Contrary to what most people believe, according to this research, the majority of identity thefts are actually inside jobs," Collins says. "Our research also showed that the majority of those identities were stolen first and foremost from health-care-related institutions, and secondly from financial institutions."

Perhaps the highest-profile case of insider identity theft broke in late 2002, when the Department of Justice charged a help-desk worker at financial data company Teledata Communications Inc. with fraud and conspiracy in connection with an identity-theft scheme that involved more than 30,000 victims. The worker allegedly used his insider status to access thousands of credit reports, which he sold for $60 apiece through a co-conspirator.

Not all such data leakage is the result of criminal activity. An information security officer at a Fortune 500 financial-services firm, who asked that he not be identified, suggests that most data policy violations are the result of ignorance rather than malice or criminal intent.

Organizations outside health care and finance are by no means immune. Last year a University of Texas student who was trusted with access to the university's database stole 55,000 Social Security numbers. It's this case that Rep. Carter cites in backing stiffer penalties for insiders.

While Carter, a former judge, says stronger penalties will deter identity theft and will lead to more proactive data-protection policies, Collins argues that identity-theft legislation focuses too much on punishment and not enough on prevention. "We have no security standards in the workplace to secure the borders of the workplace," she says. "We have no security standards for selecting personnel or for securing the processes by which proprietary information is processed in the workplace."

Unisys chief security adviser Sunil Misra tells of a case where a member of the senior IT staff at a large supermarket chain created a secret backdoor so he could access and sell protected information. The insider threat needs to be considered for any kind of security, particularly since it's much easier for those on the inside to do damage than it is for those who have to hack their way in, he says. And he contends that sending data offshore adds to the risk.

Echoing Collins' concerns, Misra believes more attention has to be placed on business-process controls, so that sensitive information is handled securely. "I hate to sound paranoid," he says, "but you have to assume that bad things are everywhere."

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
