On May 10, 2006, President Bush signed an Executive Order creating the nation’s “first ever” Identity Theft Task Force.  The purpose of this ad hoc committee, chaired jointly by the Attorney General and by the Chair of the Federal Trade Commission (FTC), was “to help law enforcement officials investigate and prosecute identity thieves, educate consumers and businesses on ways they can protect themselves, and increase the safeguards on personal data held by the Federal government.”
Less than a year later, the Task Force produced its final report, Combating Identity Theft: A Strategic Plan . Approximately 20% of the pages comprising the largest chapter, “Strategy to Combat Identity Theft,” were devoted to issues concerning information security, including material pertaining to data breaches in the private and public sectors. In addition, the report discusses many topics familiar to information security professionals: theft of sensitive documents, dumpster diving, hacking, phishing, spyware, pretexting, and stolen media (such as laptops) containing data that promote identity theft.
At approximately the same time that the Task Force was drafting its Strategic Plan, six federal agencies-the Office of the Comptroller of the Currency (OCC), the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA), and the FTC-were developing a new set of regulations also intended to reduce the threat of identity theft. Their final rules, formally titled “Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003 ,” was issued on October 31, 2007, and will take effect on November 1, 2008.
Despite the fact that the FTC was involved in crafting both documents, and that the Task Force members were aware of the agencies’ proposed regulations, and that the drafters of the rules were not oblivious to the existence of the Task Force, it is surprising that the Identity Theft Red Flags Rule barely makes mention of information security. None of the issues raised in the Task Force report are discussed in the context of the agencies’ rulemaking. Indeed, the Red Flags Rule does not focus upon the causes of identity theft; rather, it is primarily concerned with preventing identity theft by advocating the adoption of specific business practices intended to prevent theft.
This does not mean, however, that information security professionals can merely ignore the new rules and assume that business units alone must bear the burden of compliance. Indeed, lurking within the text of these new regulations are several issues that have serious implications for InfoSec staff.
What is the “Identity Theft Red Flags Rule”?
In past years, federal regulations (such as the guidelines intended to implement Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act ) have generally focused upon the privacy and accountability of personal information. These regulations are directed toward very specific businesses-especially financial and medical services. The Identity Theft Red Flags Rule, however, is not intended to safeguard the privacy of customer information; in addition, the scope of its applicability is much broader than previous rules relevant to information security.
The Red Flags rule has two main purposes:
- To require financial institutions and creditors to implement a written program to detect, prevent, and mitigate identity theft in connection with the opening of an account or any existing account.
- To identify and describe patterns, practices, and specific forms of activity that indicate a possible risk of identity theft. These “patterns, practices, and specific forms of activity” are “red flags” intended to alert financial institutions and merchants concerning the possibility of imminent identity theft. Written programs designed to prevent identity theft must include these “red flags”-or other relevant warning signals-and appropriate procedures must be developed to respond to the warnings.
According to the rule, a written program will include “reasonable” policies and procedures that perform the following tasks:
1. Identify relevant Red Flags for covered accounts and incorporate those Red Flags into the program;
2. Detect Red Flags that have been incorporated into the program;
3. Respond appropriately to any Red Flags that are detected to prevent and mitigate and identity theft; and
4. Ensure that the program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.
There are several issues here that bear close attention.
First, the agencies define “identity theft” according to FTC guidelines: “a fraud committed or attempted using the identifying information if another person without authority.” By this definition, any name or number that can be used-alone or in combination with other information-is a potential target of identity theft. Thus, the unauthorized disclosure or stealing of an individual’s name, social security number, date of birth, biometric data, PIN (such as an ATM PIN), password, or telephone number is a precursor to possible identity theft.
The Red Flags Rule is directed toward financial institutions and creditors who maintain “covered accounts.” According to the agencies, a covered account is (1) an account primarily for personal, family, or household purposes that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft.
Thus, “covered accounts” include a very broad spectrum of services. Most obviously, the kinds of accounts provided by retail banks to individual customers-checking and savings accounts, IRAs, loan accounts-are included. But the rules would also encompass any other account that permits “multiple payments or transactions,” such as accounts maintained at automobile dealerships, cell phone service providers, cable TV companies, and department stores. Each of these businesses, according to the Red Flags Rule, must now establish a written program to prevent and mitigate identity theft. Thus, the scope of the Rule extends well beyond retail banking institutions.
Also, please note the following strangely worded phrase: “Any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor.” Here, the regulators are seeking to emphasize that a “covered account” does not necessarily involve an account held by an individual customer. Indeed, the agencies explicitly (and quite accurately) intend to include business customers-especially small businesses-as potential victims of identity theft. Unlike Gramm-Leach-Bliley and HIPAA, the Red Flags Rule does not focus entirely upon “natural persons,” or individual human beings. The authors of the Rule recognize that theft of identity can occur to businesses as well as people. Therefore, a “covered account” may include an account used by a business or other institutional customer.
The scope and intentions of the Rule are remarkably broad: Any financial institution, store, or merchant from which individual or business customers purchase goods or services in multiple payments must develop a written program intended to prevent or mitigate identity theft.
So What is the Role of Information Security?
A funny thing happened between the original drafting of the Rule and its final formulation: Information security concerns lost their status as “Red Flags.”
When the agencies first drafted their regulations, they wrote a preamble stating that certain security-related events-such as phishing and data breaches-were “precursors,” or preconditions, to possible identity theft. The proposed Rule maintained that these “precursors” were genuine Red Flags. This emphasis was entirely consistent with the report of the President’s Task Force on Identity Theft. However, when the proposed Rule was made available for reaction and response by interested parties, numerous “industry commenters” complained that Red Flags must not merely indicate the “possible risk of identity theft”; rather, a legitimate Red Flag must be an indicator of “significant, substantial, or the probable risk of identity theft.” The agencies accepted this rationale and relegated information security-related events to the status of “precursors” to theft. They were not actual Red Flags.
However, the final version of the Rule did not entirely squash mention of security events that could lead to identity theft. Section IV of the regulations contains a provision noting that “a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft in determining an appropriate response to the Red Flags it detects.” Among these aggravating factors would be “precursors,” such as a data breach, successful phishing and other social engineering exploits, lost media, and hackers.
The final Rule also mentions that institutions that currently comply with the privacy safeguards to customer data mandated by Gramm-Leach-Bliley and by HIPAA will also be in compliance with the need to prevent or mitigate the occurrence of security-related “precursors.”
This is probably good news for those financial institutions and health services organizations that have already wrestled with the federal privacy and confidentiality requirements. However, a broad spectrum of retail establishments and service industries (such as the automobile dealerships and cell phone companies mentioned earlier) must now also adopt procedures intended to protect the unauthorized disclosure of customer information. These procedures will, in all likelihood, involve the implementation of information security controls. And, of course, these procedures must be documented.
Thus, information security professionals must be content to know that data breaches are merely “precursors” to identity theft, rather than Red Flag indicators of the real thing. But, according to the Rule, even “precursors” are significant, and their likelihood of occurrence must be prevented or mitigated. And, equally important, a very broad range of businesses must be concerned with this prevention and mitigation.