- The Washington Times - Thursday, June 24, 2004

America Online’s revelation this week that an employee sold more than 90 million e-mail addresses to a spammer coincided with a push by lawmakers and privacy advocates for a crackdown on identity theft involving insiders.

As much as 70 percent of all identity theft cases involve persons from inside companies, recent research shows, and lawmakers this week passed legislation that would allow for up to two years in jail for such crimes.

Meanwhile, privacy advocates said the AOL incident, in which 24-year-old Jason Smathers stole a database password and distributed e-mail addresses in exchange for money, underscores a need for better security around companies’ most sensitive databases.

“If you look at identity theft, the biggest cases we’ve seen are insider cases,” said Ari Schwartz, an associate director with the Center for Democracy and Technology, a nonprofit privacy group in the District. “A major privacy concern is the way insiders use information.”

A to-be-released study by researchers at Michigan State University revealed that about half of identity theft cases definitely involved someone from inside a company or organization. That number jumps to about 70 percent when suspected cases of insider participation are included.

The biggest identity theft case on record occurred when a customer service representative at a Long Island, N.Y., technology company helped coordinate a fraud scheme involving more than 30,000 victims and costing them nearly $3 million.

The Federal Trade Commission reported 27.3 million victims of identity theft in the past five years, costing businesses $48 billion.

The House of Representatives Wednesday passed the Identity Theft Penalty Enhancement Act, which calls for as much as five years in jail for anyone committing identity theft as part of a terrorist act. Anyone who collects information as an employee of a company could go to jail for up to two years.

Judith Collins, the author of the Michigan State report, said the legislation passed by the House is a good first step, but there must also be laws requiring companies to make their workplace more secure.

Most states have passed laws addressing how companies must respond when personal information is stolen from their databases. In most cases, companies must notify those people whose information has been exposed. But privacy advocates said too many of these laws do little to prevent thefts.

There are no laws addressing background or security checks for workers, no laws that regulate what can be carried in and out of call centers and no laws that regulate what job positions are appropriate for temporary or part-time workers.

Some companies say requiring certain security procedures can create extra, unnecessary expense, and that lawmakers do not know enough about the issue to draw up sensible laws.

“Industry does a very good job of self-policing these things,” said Steven Gal, general counsel with IDAnalytics, a San Diego information security firm. “I’m not sure that for fraud, legislation is the best approach.”

Insider identity theft cases involving Internet providers such as AOL are rare, researchers said. Cases involving health care or financial services companies are more common, partially because those companies store more personal information.

Ms. Collins said AOL deserves some praise for placing credit-card and other personal information of customers in a database separate from e-mail addresses. In many recent cases of identity theft, all of a person’s information was stored in one place.

“They’ve got someone in charge of security who’s doing a pretty good job despite what happened,” Ms. Collins said.
