What You Need to Know About ID Theft Laws

By eweek  |  Posted 2007-08-23

What You Need to Know About ID Theft Laws

Lisa Vaas: So, Eric, could you start by telling us about what laws were looking at here in Massachusetts when it comes to businesses having to inform everybody about data breaches? Whats going on?

Eric Greenberg: Massachusetts has put into place a law thats similar to what has been put in place in a number if not the majority of states right now. Theyre either there or are being put into place. The majority of these laws are based on laws that were developed by an organization called the U.S. PIRG, which is the federation of state Public Interest Research Groups. And so, basically, if you look at their template, youll see that Massachusetts and some other state, most of the other states, have actually worked from that template.

Vaas: How many states right now have legislation or are looking at legislation?

Greenberg: I dont have the exact number. I havent counted them up. I know that as of a couple of years ago, more than 25 of them did. So I would say the majority of them. You have to check with your individual state to know if they are, and as well talk about, there are a few differences.

Vaas: I would guess that the businesses, online retailers and, well, anybody dealing with data right now who might be subjected to this law are going to have to deal with a hodgepodge of legislation. Is that correct?

Greenberg: Oh, yes, absolutely. In fact, California, who was a leader in some of this, kind of brought this to the awareness of retailers and folks that take credit cards quickly. Because if you run an online site - so many businesses do today, whether youre a department store or what have you - you dont know whether youre going to have customers from California. So if theres one state that requires it, youre aware that theres a notification requirement to at least that one state. So, yeah, they have notification laws, sort of, they have knowledge of it.

Vaas: So were talking about notification laws. Im assuming that what these laws require differ greatly. I mean, there are time elements involved. Could you delve a little bit into the differences in the laws right now?

Greenberg: Lets first talk about the Massachusetts law, which is based on the U.S. PIRG. Lets talk about the three components. One of them is the notification we talked about, which is breach notification. It requires the commercial entity and government to notify the consumer if enough of their personal information has been acquired by an unauthorized person or purpose. Were going to talk about that a little bit more because therere differences, and its from state to state on how thats interpreted. Theres credit report security freeze. What this means is that you have the ability to lock your credit report so that it cannot be accessed for the purposes of validating whether you should be given a credit card. So if your credit report is locked, someone cant issue credit in your name because they cannot get a credit report. Thats the idea behind the credit report security freeze. That impacts the credit reporting agencies. And there are differences from state to state about how much money you have to pay if you put your lock on and then want to take it off and put it back on again and take it off. Naturally, sometimes you need to take the lock off.

Vaas: And were talking about paying money to whom? The credit reporting agencies?

Greenberg: The credit reporting agency who would be responsible for locking your credit report.

Vaas: Okay. I just dont know why they arent required to pay us for our credit histories, but I guess thats a topic for another day.

Greenberg: Yes. And, in fact, there are five different topics that weave in and out of this that that we could talk about. And I may actually dare weave in a few of them before were done.

Vaas: Well, you know how people get enraged over this kind of thing. I dont think were the only ones feeling that way for sure. But these state laws, who are they protecting exactly?

Greenberg: Okay. And I want to add that the third [component of the Massachusetts law] is a police report. You have the ability to get a police report through that state legislation. You need that police report in order to actually clean up the mess. And in the past its been difficult for some folks to get that. So those are the three components.


Next Page: Not a police priority.

Not a police priority

Vaas: Is that right? You would think that that would be our constitutional right, to get a police report on ourselves.

Greenberg: The police departments basically down play these types of items as being not within the [category of] someones been shot at, someones broken into something, someones been hit by something. So theyre overwhelmed and theyve sort of had an unwillingness to issue police reports on this. The legislation in Massachusetts and in a number of other states allows you to get your police report, which you need.

Vaas: Tell me how businesses and retailers are being affected by legislation such as this.

Greenberg: First, they need to put a breach notification in place. The thing that does vary from state to state is therere two different types of breach notifications. One is called risk based, which says that the commercial entity is allowed to make an assessment as to what they think the risk is of that breach resulting in unauthorized use of the citizens information. Therefore, there could be a breach, but because the risk is considered low, they may not have to report it. The language around that determination of that risk varies. The other type is an absolute one, which simply says you absolutely must notify it if any breach happens, even if you considered it to be very minimal risk. So states will vary in their implementation of that.

Vaas: Well, I think it would be odd, you know, the notion of having a business self-identify the risk involved in its own breach. Greenberg: Right, its questionable. Getting back to your question on how it affects these businesses, well, it means theres an amount of due diligence that theyre expected to carry out. I will say that - outside of my current position at Unisys and in previous lives - I have witnessed entities stop investigating breaches because the more they learn the more notification they needed to do. And so that then falls into gray areas of interpretation. Thats one of the risk areas to the consumer, which is that the law is good and Massachusetts has done a good thing and these states have done a good thing. However, there are still ways to wiggle through this and avoid the problem. Not necessarily doing so in all forms legal, but in, you know...

Vaas: Is it legal to initiate an investigation into a breach and then call it off because its...

Greenberg: What basically happens is, you know, somebody on high makes the decision that says we have investigated the problem enough. We have accumulated enough information to assess this, the determination has been made and then they move forward. And so thats always the risk. From a commercial entity or government standpoint, to be responsible about this they will have internal policies which talk about full investigation of all data paths, all sources of information and, you know, basically have sign-off on that, accountable sign-off within the organization so that hand waving does not make its way through this. Instead theres a checklist that says, you know, have we fully investigated all forms of databases containing this information on the compromised machine?

Vaas: Is that something that Unisys customers are following through on, or do you see a broad spectrum of people acting responsibly and then maybe less so?

Greenberg: Well, in Unisys, our federal customers are actually very responsible on this. But they have the law on their side. Its more of being a governmental entity. The example I gave was not a Unisys customer. It was prior to my joining Unisys. I also want to point out one other risk to the consumer, which is that the notion that notification occurs is wonderful and good. Now, somebody calls you up today and says, "Hi, Im notifying you of this and Id like to give you the opportunity to freeze your report and do all of these things." Lets say youre in the state of Ohio. You might say, "Well, I heard that there was a breach." And therefore, you know, youre plugged in, so you start cooperating with that e-mail or that individual on the phone or even a letter. Theres a new form of fraud going on. Im calling the term notification fraud where entities are, criminals are, basically latching on to these announcements and then going out to people and taking advantage of the shock and catching their guard down and gathering, actually stealing their identity by telling them theyre providing them notification services.


Next Page: Scalable technologies.

Scalable technologies

Vaas: Therere so many layers of ironic and nasty its hard to even bite into that pie.

Greenberg: It is, but it points to the core of the issue, which is that while this initiative is good, PIRG is good, what has been done here is good. We are using technologies to manage an individuals identity and their attributes that do not scale to the networked world that we are in. Numbers in the clear, long strings of credit card numbers and the like dont work ultimately within our infrastructures. So there is technology out there that solves a lot of these issues in the form of smart cards and, you know, Unisys has deployed more smart cards worldwide, I mean, to entire countries, so, you know, we have an investment in that. But that type of technology solves this problem by holding your identity in a cryptographic safe and only proving that you have something in that safe but not divulging whats in it. Thats the basis of public key infrastructure, PKI. And thats what provides a way through this. But from the credit card companies all the way through to Social Security and so forth, business decisions have been made which use your Social Security number not a smart card; a credit card number not a smart card.

Vaas: Just this week I was filling out a medical form that asked for my Social Security number as an identifier. I cant even count how many times I just write, "why?"

Greenberg: And they want to take it for insurance purposes. Its what the insurance companies use. This data is spread everywhere. How are we going to herd the cats now? Were not going to get the smart card infrastructure we need out there. What are new technologies and new things that we can do on the retail side, on the commercial side, on the government side? One of the things were working on, and actually have available, is a content loss and privacy management service offering which uses new technologies which crawl and intercept the movement of data through an infrastructure down to a USB thumb drive. As it moves through the infrastructure, it looks at the velocity of data, watches it and determines if data that shouldnt be there is there, and if it is there, it stops it. So, for example, imagine an agent that intercepts data, intercepts your ability and prevents you from copying over a file onto a thumb drive that has Social Security numbers but will let you copy to your thumb drive your calendar.

Vaas: What else can businesses do to ensure theyre not turning into TJX?

Greenberg: Given the current confines, I mean, adhering to Visa PCI is important. I would encourage them to not just try to get compliance, but to try to get at the meaning of it. Let me give you an example: Visa PCI, which is a standard that the credit card issuing companies have said you must follow in varying degrees if you handle credit cards. Visa PCI has a requirement in there for an intrusion detection system. It says thou shall put an IDS or an Intrusion Detection System in your infrastructure. I cant tell you how many times Ive seen Intrusion Detection Systems placed on a segment that has no meaning. But its there. Ive actually seen IDSs deployed, again, outside of Unisys. Im relatively new to Unisys; Ive only been here for three months. IDSs need to be placed, you know, you need to not just be compliant, you need to be meaningful in your security because Visa and increasingly the states now, the states are now requiring PCI compliance and putting laws in that put the liability down to the retailer or the merchant. So, if you argue compliance, but it is proven that there was gross negligence or a misrepresentation you will, you can be held liable. So what you need to do is put a quality program in place along with your PCI compliance that says Im not just getting the check mark, how effective is it? Do some tests. Determine what you can detect or not detect. Try to move data in and out of the organization in a way that shouldnt be and see what happens.


Rocket Fuel