Recent loss or theft of U.S. consumer data highlights the need for Canadian companies to have action plans in place and for governments to step in with stronger legislation to go after companies that fail to do so, according to law enforcement authorities and industry experts.
In one of the most recent cases, data broker LexisNexis said thieves may have stolen information including names, addresses and Social Security numbers of 30,000 people. This breach of security involved two databases that LexisNexis acquired through its $775 million purchase of Florida company Seisint, a compiler of consumer background and asset information. The Federal Bureau of Investigation (FBI) and the Treasury Department are still investigating the case.
In another incident, Bank of America recently lost a million customer records when a number of backup tapes containing financial information of government employees were lost in a shipment to a backup center.
Then there’s the case of data warehouser ChoicePoint, which is currently facing a Securities and Exchange Commission (SEC) inquiry on its business practices after giving information on 145,000 subscribers to 50 fake businesses created by fraudsters. This has reportedly resulted in over 750 cases of identity theft. While the initial breach is believed to have happened several months prior to it becoming public, a California state law — the only one of its kind in the U.S. — required ChoicePoint to fess up to those subscribers who had been affected by the breach.
Earlier this week, ChoicePoint chairman Derek Smith publicly apologized to the victims whose data was compromised by identity thieves.
John Alsop, founder and chairman of Borderware Technologies Inc., an e-mail security provider based in Mississauga, Ont., said ChoicePoint is an example of how not to handle this kind of problem.
“(ChoicePoint) only notified customers in California because they were legally required to do so,” said Alsop. “There’s the whole issue whether the law itself in California was sufficient and whether it should be implemented on a national basis.”
ChoicePoint is an example of how many firms would choose to do as little as they had to, Alsop said. As a vendor, Borderware can tell companies to go out and buy the necessary IT infrastructure to protect themselves, but Alsop said this illustrates why governments need to step in and flex some legislative muscle.
“Only the government can create the rules that will cause companies to do the right thing,” said Alsop.
On this side of the border, Wade Peer, a scrapyard owner based in West Virginia, told the Globe and Mail newspaper last November that he had been receiving faxes containing confidential data from the CIBC for three years, despite attempts to inform the bank to put a stop to it. In a $3-million lawsuit, he claimed the volume of these faxes made it impossible to contact customers, forcing him to close his business. CIBC filed a countersuit, alleging that Peer was equally guilty of violating privacy laws by exposing the faxes to the Globe.
In a separate case, BMO found out that two of its servers had ended up on eBay after a reseller went to the Toronto Star about it.
These incidents, particularly in the case of ChoicePoint, have prompted the U.S. Congress to consider new laws restricting the sale of Social Security numbers — ChoicePoint has since said it will no longer sell such information except in certain cases — and requiring companies to disclose to customers when a security breach has taken place.
In 1998 the U.S. Congress enacted a law directed specifically at identity theft as part of the Identity Theft and Assumption Deterrence Act, which went into effect last July. Under this offence, individuals found guilty would receive an additional two years’ imprisonment on top of their sentences. The penalty can range up to an additional five years’ imprisonment for some terrorism-related offences.
In Canada, identity theft isn’t a Criminal Code offence but certain misuses of personal information can be considered a crime under the law. This includes, for example, a person who uses a false identity for economic gain or to avoid criminal charges.
As part of a multi-pronged approach to combating and preventing identity theft, the Canadian Bankers Association (CBA) is calling for updates to “archaic provisions” like the Criminal Code.
“I think the Criminal Code needs to be modernized,” said CBA spokesperson Maura Drew-Lytle. “It hasn’t really kept up with the world we live in with 21st century technology.”
Drew-Lytle gave the example of how it is illegal under the law to send a telegram in someone else’s name, but not an e-mail. “We believe it needs to be an offence to possess personal information for other individuals.”
Similarly, Barry Elliott, Ontario Provincial Police detective staff sergeant at PhoneBusters National Call Centre (PNCC), points out that individuals can currently legally carry several pieces of identification at one time.
“(The government) is talking about looking at making the possession of more than one ID without a lawful excuse illegal,” said Elliott. “That would give the police the power to seize data and further investigate. Right now you could be carrying three IDs on you and you’re not committing a crime.”
Established in 1993, PNCC is the central agency in Canada that collects information on telemarketing fraud, advance fee fraud letters and identity theft.
Last year, Elliott was part of a think-tank that met with the Attorney General’s office to lobby for a similar law to the one in California.
“We pushed this idea forward to the federal government and initial reaction was, they weren’t all that excited about it,” said Elliott, adding the government didn’t think Canadian businesses would support such a law.
Compliance laws need toughening up
Compliance laws in Canada such as the Personal Information Protection and Electronic Documents Act (PIPEDA) — which protects personal information in the hands of private sector organizations and provides guidelines for the collection, use and disclosure of that information — may help guard against identity theft but don’t go far enough, according to Joe Greene, vice-president of IT security research at IDC Canada.
“(They) need to be toughened up,” said Greene, adding that fines should be increased. “Organizations need to be educated of consequences of people hacking their systems and getting at the information of private citizens and businesses.”
Greene added that many companies don’t tend to react until they’re hacked, which can end up costing them more in the long run. He pointed out, however, that banks have been very good about making sure they are compliant and protecting the privacy of their members.
In an IDC Canada survey of 460 small, medium and large organizations in the public and private sectors, only four per cent of respondents ranked privacy legislation as something that comes to mind when thinking about IT security.
The ChoicePoints and Bank of Americas of the world also highlight how big of a problem identity theft has become in the last few years, sources said.
A recent study in the U.S., for example, found that fear of identity theft is on the rise. A survey by the Ponemon Institute, a Tucson, Ariz.-based privacy consultancy group, found that the number of people who believe they are safe from identity theft fell from 57 per cent last month to 35 per cent this month.
Identity theft accounted for approximately $2.5 billion in losses to individuals and businesses in Canada in 2002 and US $53 billion in the United States between 2002 and 2003, according to a report by the Bi-national Working Group on Cross-Border Mass Marketing Fraud to the Minister of Public Safety and Preparedness Canada and the Attorney General of the United States.
Automation means more crime
As businesses automate more and more of their business processes, computer crime will continue to rise, said Brian O’Higgins, chief technology officer at Third Brigade Ltd., an Ottawa-based company that specializes in host intrusion prevention.
“The crime is never going to go away,” said O’Higgins, adding that applications are becoming more complex, creating more vulnerabilities. “People are finding new ways of getting in. The unfortunate thing is that last year’s solutions don’t solve this year’s problems.”
Referring to the above cases, O’Higgins said the nature of attacks has changed a lot in the last six months.
“Hackers used to get their jollies by defacing Web sites and that kind of thing. That’s changed. They’re now doing it for money,” he said.
Rick Dales, product manager at Fortiva Inc., a provider of e-mail archiving solutions, said some companies need to change how they secure their information.
“Traditionally people have had the sense that if they’re keeping information internally, following various practices and procedures, that their information was secure,” said Dales. “The reality is that today with information that can easily travel across communication networks as well as the fact that in these cases you’re often talking about a physical paper. There’s always risks that someone along the path is going to have access to information.”
Worms, viruses and Internet attacks aside, one of the biggest problems facing businesses today is so-called “rogue employees,” according to Elliott of the OPP, which jointly operates PhoneBusters with the Royal Canadian Mounted Police.
“When it comes to businesses protecting themselves, they need to make sure they’ve got a secure system that’s updated on a regular basis, and hire honest employees, which is hard to do sometimes, because your greatest risk is a corrupted employee,” said Elliott.
“Businesses can’t take it for granted anymore that this information they’ve got is just information — it could be very valuable for the criminals. They’ve got to make sure they can protect it, know what they can do if it’s breached, and know how to destroy it.”