Preventing Identity Theft in Your Business




  TABLE OF CONTENTS

  Cover

  Title

  Copyright

  Dedication

  ACKNOWLEDGMENTS

  PREFACE

  INTRODUCTION

  PART I: THE CURRENT STATE OF IDENTITY THEFT

  CHAPTER 1: WHAT IS AN “IDENTITY”?

  IDENTITY THEFT VERSUS IDENTITY CRIME

  “PERSONAL” IDENTITY THEFT

  “BUSINESS” IDENTITY THEFT

  IDENTITY THEFT AS AN “OVERARCHING” CRIME

  CHAPTER 2: IDENTITY THEFT: EFFECTS ON VICTIMS

  EFFECTS ON PERSONS

  EFFECTS ON BUSINESSES

  CHAPTER 3: IDENTITY CRIME IS ENTRENCHED

  HIPAA DATABASE

  CREDIT AGENCY DATABASES

  GOVERNMENT DATABASES

  CHAPTER 4: IDENTITY CRIMES ARE ESCALATING

  OUTSOURCING IDENTITIES

  JURISDICTIONAL PROBLEMS

  POLICE LACK RESOURCES

  LEGISLATION IS LACKING

  CHAPTER 5: LEGAL REQUIREMENTS FOR BUSINESSES

  MANY LAWS

  MANY “SUPERFICIAL” LAWS

  BISP SECURITY STANDARDS

  CHAPTER 6: CAVEAT LECTOR. LET THE READER BEWARE

  MESSAGE TO EXECUTIVES

  MESSAGE TO EMPLOYEES

  PART II: IDENTITY THEFT PREVENTION

  CHAPTER 7: THE BISP PLAN: TIGHTEN YOUR BUSINESS BORDERS

  BACKGROUND REVIEW: FOUR-FACTOR MODEL OF INFORMATION SECURITY

  SECURING THE FRONTS

  CHAPTER 8: BEGIN THE EXERCISES: IDENTIFY YOUR BUSINESS IDENTITIES

  STANDARD 1. WHAT ARE YOUR BUSINESS IDENTITIES?

  STANDARD 2. WHO HAS ACCESS TO YOUR BUSINESS IDENTITIES?

  CHAPTER 9: SECURING THE PEOPLE FRONT: THE SECURITY JOB ANALYSIS

  STANDARD 3. SCIENTIFIC JOB ANALYSIS FOR SECURITY DECISION MAKING

  CHAPTER 10: THE PEOPLE FRONT: RECRUITMENT FOR SECURITY

  STANDARD 4. RECRUITMENT FOR SECURITY

  CHAPTER 11: THE PEOPLE FRONT: PERSONNEL SELECTION FOR SECURITY

  STANDARD 5. PERSONNEL SELECTION FOR SECURITY

  CHAPTER 12: THE PEOPLE FRONT: SELECT FOR MOTIVATION

  STANDARD 6. SELECT FOR MOTIVATION

  CHAPTER 13: THE PEOPLE FRONT: SELECT FOR INTEGRITY AND SECURITY

  STANDARD 7. SELECT FOR INTEGRITY AND SECURITY

  CHAPTER 14: THE PEOPLE FRONT: SELECT FOR INTERPERSONAL SKILLS

  STANDARD 8. SELECT FOR INTERPERSONAL SKILLS

  CHAPTER 15: THE PEOPLE FRONT: SOCIALIZATION, COMPANY CULTURE, AND THE REALISTIC JOB PREVIEW

  STANDARD 9. COMPANY CULTURE AND THE REALISTIC JOB PREVIEW

  CHAPTER 16: THE PEOPLE FRONT: SOCIALIZING NEWCOMERS TO THE HONEST COMPANY CULTURE

  STANDARD 10. THE SECURITY ORIENTATION PROGRAM

  CHAPTER 17: THE PEOPLE FRONT: APPRAISAL AND FEEDBACK FOR PERFORMANCE AND SECURITY

  STANDARD 11. THE ORGANIZATIONAL APPRAISAL AND FEEDBACK SYSTEM

  INDIVIDUAL APPRAISAL

  GROUP APPRAISAL

  SELF-APPRAISAL

  DEPARTMENTAL ASSESSMENT

  A MESSAGE TO THE PROJECT TEAM

  CHAPTER 18: THE PROCESS FRONT: SECURE BUSINESS INFORMATION PROCESSES

  SELECT A NEW PROJECT TEAM

  QUALITY-TO-SECURITY TOOLS

  STANDARD 12. INFORMATION PROCESS RISK ASSESSMENT

  CHAPTER 19: THE PROPERTY FRONT: THE E-BUSINESS WEB SITE

  STANDARD 13. WEB SITE SECURITY ASSESSMENT

  PART III: MONITORING IDENTITY THEFT

  CHAPTER 20: THE CUSTOMER SECURITY PROGRAM

  STANDARD 14. CUSTOMER SECURITY PROGRAM

  CONCLUSION

  CHAPTER 21: E-COMMERCE “BEST PRACTICES” FOR CUSTOMERS

  STANDARD 15. E-COMMERCE “BEST PRACTICES”

  CHAPTER 22: THE LEGISLATIVE PROCESS

  STANDARD 16. IDENTITY THEFT LEGISLATIVE PROCESS

  CHAPTER 23: THE HIPAA DATABASE

  THE BISP SECURITY STANDARDS AND HIPAA

  APPENDICES

  APPENDIX A: THE SECURITY STANDARD CHECKLIST

  IDENTITY THEFT PREVENTION

  APPENDIX B: CHECKLIST OF TEAM PREREQUISITES

  APPENDIX C: STRUCTURED AND FORMAL BRAINSTORMING: STEP-BY-STEP INSTRUCTIONS

  DEFINITION OF FORMAL BRAINSTORMING

  STEP-BY-STEP INSTRUCTIONS

  APPENDIX D: CAUSE AND EFFECT ANALYSIS: STEP-BY-STEP INSTRUCTIONS

  APPENDIX E: THE SECURITY FOCUS GROUP INTERVIEW

  APPENDIX F: THE SECURITY JOB DESCRIPTION

  THE INFORMATION SECURITY RESEARCH INSTITUTE, LLC

  THE SECURITY JOB DESCRIPTION

  APPENDIX G: INDUSTRIAL AND ORGANIZATIONAL SPECIALISTS IN TEST DEVELOPMENT AND VALIDATION

  APPENDIX H: ONE COMPANY’S SHORT- AND LONG-TERM STRATEGIC PLAN

  APPENDIX I: THE INFORMATION PROCESS: DEFINITION, DESCRIPTION, AND ILLUSTRATION

  DEFINING THE INFORMATION PROCESS

  DESCRIBING AN INFORMATION PROCESS

  ILLUSTRATING THE INFORMATION PROCESS RISK ASSESSMENT

  A KEY POINT

  APPENDIX J: THE PARETO ANALYSIS: DEFINITION, DESCRIPTION, AND ILLUSTRATION

  DEFINING PARETO ANALYSIS

  DESCRIBING PARETO ANALYSIS

  ILLUSTRATING THE PARETO DIAGRAM

  APPENDIX K: FORERUNNERS IN THE SUPPORT OF IDENTITY THEFT LEGISLATION

  U.S. SENATORS

  STATE OFFICIALS

  OTHERS

  NOTES

  INDEX

  END USER LICENSE AGREEMENT

  List of Tables

  CHAPTER 9: SECURING THE PEOPLE FRONT: THE SECURITY JOB ANALYSIS

  EXHIBIT 9.1 Job Competency Checklist for Job of Computer Forensic Analyst

  CHAPTER 16: THE PEOPLE FRONT: SOCIALIZING NEWCOMERS TO THE HONEST COMPANY CULTURE

  EXHIBIT 16.1 The Security Orientation Program of the Information Security Research Institute

  CHAPTER 17: THE PEOPLE FRONT: APPRAISAL AND FEEDBACK FOR PERFORMANCE AND SECURITY

  EXHIBIT 17.1 Job Competency Appraisal Instrument

  EXHIBIT 17.2 Work Group Appraisal Instrument

  CHAPTER 19: THE PROPERTY FRONT: THE E-BUSINESS WEB SITE

  EXHIBIT 19.1 Example of a Web Site Security Assessment

  APPENDIX C: STRUCTURED AND FORMAL BRAINSTORMING: STEP-BY-STEP INSTRUCTIONS

  EXHIBIT C.1 A Brainstorming Task Statement

  EXHIBIT C.2 A Brainstorming List

  APPENDIX D: CAUSE AND EFFECT ANALYSIS: STEP-BY-STEP INSTRUCTIONS

  EXHIBIT D.1 Cause-and-Effect Analysis for Incoming Identities

  EXHIBIT D.2 Cause-and-Effect Analysis of Sources of SSN Thefts

  APPENDIX I: THE INFORMATION PROCESS: DEFINITION, DESCRIPTION, AND ILLUSTRATION

  EXHIBIT I.1 Common Flow Chart Symbols

  EXHIBIT I.2 Flow Chart Tracing the Route of a Fax Document through a Department—Each Location and Transfer Path Can Be Secured

  APPENDIX J: THE PARETO ANALYSIS: DEFINITION, DESCRIPTION, AND ILLUSTRATION

  EXHIBIT J.1 Frequencies for Pareto Analysis

  EXHIBIT J.2 Bar Chart for Pareto Frequencies

  Preventing Identity Theft in Your Business

  How to Protect Your Business, Customers, and Employees

  Judith M. Collins

  This book is printed on acid-free paper. ∞

  Copyright © 2005 by John Wiley & Sons, Inc. All rights reserved.

  Published by John Wiley & Sons, Inc., Hoboken, New Jersey

  Published simultaneously in Canada

  No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, e-mail: [email protected].

  Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

  For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

  Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

  Library of Congress Cataloging-in-Publication Data

  Collins, Judith M.

  Preventing identity theft in your business : how to protect your business, customers, and employees / Judith M. Collins.

  p. cm.

  Includes index.

  ISBN 0-471-69469-X (cloth)

  1. Identity theft—United States—Prevention. I. Title.

  HV6679.C653 2005

  658.4’72—dc22

  2004022093

  To victims of identity theft and employees who help prevent it

  ACKNOWLEDGMENTS

  More than a faithful colleague and meticulous research assistant, Sandra Hoffman is a valued friend. As associate director, Sandra diligently, skillfully, and solely managed the bustling activities of Identity Theft Crime and Research Lab for three months so that I could write this book. I publicly acknowledge that without Sandra this book would not have been possible. With deep appreciation, I thank you, Sandra.

  I also am indebted to my editor at John Wiley & Sons, Tim Burgard. Tim took the time to read my manuscript and recognized its potential importance for businesses. He provided the logistical and organizational support necessary to bring this book to fruition and along the way provided many constructive suggestions for improvements. Moreover, throughout the summer of 2004, Tim routinely and consistently prompted me for the next “batch” (of chapters). Because of Tim, this book moved from “in progress” to “in production.” Thank you, Tim, for the guidance you’ve given me and also for believing with me that this book can positively impact businesses and people.

  With appreciation, I especially thank my son, Michael Collins. Michael read every word of every chapter and offered many recommendations for modifications. I made them all. I now find it difficult to adequately express my deep gratitude to Michael, who unselfishly shared with me considerable time and his intellectual talents in reviewing chapter writes and rewrites. Thank you, son, for your invaluable contributions.

  And to Larry Collins, my husband, mentor, and enthusiastic supporter of each next “project,” thank you for being alongside me throughout these life’s adventures.

  PREFACE

  All companies that engage in financial transactions are bound by law to establish and enforce information security programs to prevent identity theft. Security “standards” are required by at least five federal laws, including the Fair Credit Reporting Act, the Federal Trade Commission’s Privacy Rule, the Banking Guidelines, the Health Insurance Portability and Accountability Act, and the Gramm-Leach-Bliley Safeguards Rule. But there are problems. Nowhere do any of these laws describe how to develop, maintain, and enforce an information security program. In effect, the laws fail to stipulate what constitutes an “information security program” or “standards” for security.

  Granted, the laws do specify information technology (IT) security—the security of computers and networks. Indeed, the main theme at the September 2004 American Banking Association’s Identity Theft Symposium was “Technology to the Rescue.” Bankers were informed of online products and protections and advised to prevent identity theft by using tools such as encryption, authentication, and software programs that guard against email and other computer fraud. But computers do not steal identities.

  Rather, recent studies indicate that at least 50 percent of identity thefts are committed inside the workplace by a dishonest few employees who steal the Social Security, credit card, banking, or other numbers of their coworkers and customers. Federal laws fail, however, to cover the people within businesses who have access to personal identities, or the work processes used to manage and maintain such information.

  The federal laws fall short. Computer security alone will not work. Securing company borders against the threat of identity theft requires an inclusive and exhaustive three-fold approach that secures people, processes, and the IT property. The techniques used to develop, maintain, and enforce such an information security program should be universally established and widely documented methods known to be reliable and valid, and inexpensive and accessible for all businesses, large and small. Fortunately, such methods exist, and so, therefore, do the security solutions.

  Preventing Identity Theft in Your Business shows how employee-manager teams can develop a set of Security Standards using step-by-step instructions written in lay language and using methods from industrial and organizational psychology, the management sciences, and the field of criminal justice. The methods are inexpensive, comprehensive, and universally applicable to all businesses regardless of size, type, or geographic location. Within six months or less, employees and their managers can bring any company into compliance with all current as well as any future-enacted laws.

  Preventing Identity Theft in Your Business shows how all companies can build effective corporate policies to protect the identities of employees and their customers without impacting budgets and business operations. What’s more, these Security Standards incorporate performance standards: Businesses will meet regulatory requirements while gaining competitive advantages. Using strategies proven to be effective, personal and business identities no longer are jeopardized and financial institutions no longer risk noncompliance. In short, identity theft stops here.

  INTRODUCTION

  Identity theft can be prevented. Contrary to common thought, most identities are stolen from businesses; fewer are stolen from garbage Dumpsters or by online hackers. Although thefts do occur from these sources (as well as from homes, cars, and persons), the majority of identity thefts are committed inside the workplace by a relatively few dishonest employees who steal the personal identification data of their coworkers and customers—a company’s most valued assets. To safeguard these potential victims, and the company’s interests, the workplace must be secured.

  Because identity thefts occur so often in the workplace, businesses also are victims. In his keynote speech at the 2000 White Collar Crime Summit in Los Angeles, California’s attorney general, William Lockyer, warned that identity theft was the greatest threat to the financial economy of businesses and the entire United States. Since then, and despite his warning, identity theft has escalated worldwide and continues unabated. The reason in great part is that no international security standards exist to protect personal information, such as the identities of U.S. citizens.

  Nevertheless, federal laws now require all businesses to secure personal identifiers and to document that they have done so, or risk being fined. Nowhere, however, are businesses told how they might do this. Granted, each of several federal laws recommends database and computer security—but computers do not steal identities. Information technology (IT) cannot by itself secure personal information, because employee insider theft is the source of most stolen identities, perhaps to some degree precisely because those IT systems are already secured.

  In the field of criminal justice, when the source of a crime is known, the incidence of that crime can be mitigated and even prevented. Preventing Identity Theft in Your Business: How to Protect Your Business, Customers, and Employees shows how manager-employee teams (managers have the decision power to authorize employee-designed solutions) can use step-by-step instructions in a series of consecutively ordered exercises to combat identity theft in the workplace. Preventing Identity Theft is written with employees in mind, to help protect them and because employees are the key to securing the workplace.

  Employees are the persons closest to the workplaces and work processes where identity thefts occur. Some employees perform the job tasks required to process, update, and otherwise maintain and manage personal information contained on applications, healthcare forms, payroll and benefits checks, and other documents, both paper and digital. Those employees are positioned to recognize the work processes most susceptible to identity thefts; and those employees, therefore, also are the key individuals capable of securing those work processes.

  But what exactly is an “identity”? In the evolution of crime, identity theft is a particularly fast-moving, ever-changing, and overarching crime that facilitates many ancillary identity crimes. In Part I, therefore, the first priorities are to update yesterday’s definitions of identity theft and report on recent events and trends that, disturbingly, point to even greater incidence and variations in identity crimes. Included in the text is a discussion on “identity rape,” the insidious effects on victims (both persons and businesses), and several sections detailing facts on why identity theft may never be completely eradicated.