and growing phenomenon of corporate data breaches. Amazingly, over 90 million identities have been lost or stolen in these breaches in just the last 18 months, and the pace is actually accelerating. It’s simple arithmetic combined with a financial incentive – a growing volume of identity data, accessible by many people, that has significant value.

And once any of these digital IDs are compromised, they can be used to impersonate you in any or all of these same thousands of systems, and to steal your other digital IDs as well, to commit further fraud. This is the scale of the problem. Much worse than a cutesy stolen Citibank credit card – identity theft can easily disrupt everything you do, and require a massive effort to identify and plug every potential hole. Once your identity is stolen, your life can become an eternal whack-a-mole – fix one exposure, and another pops up, across the enormous breadth of all the accounts and systems that use your identity for any purpose at all. And make no mistake – once compromised, your identity can be sold again and again, across a vast shadowy international ID data marketplace, outside the reach of US law enforcement, and extremely agile in adapting to any attempts to shut it down.

A Disaster Waiting to Happen?

Over the last two years, three major legal changes have occurred that substantially increased the cost of corporate data theft. First, new provisions of the Fair and Accurate Credit Transactions Act (

The Price of Admission to the Digital Age

Identity theft is everywhere. It’s the crime of the millennium; it’s the scourge of the digital age. If it hasn’t happened to you, it’s happened to someone you know. Using Federal Trade Commission (FTC) data, Javelin Research estimates that about 9 million identity thefts occurred last year, which means that about 1 in 22 American adults was victimized in just one year. So far – knock wood – I’ve personally been spared, but in the course of running an enterprise identity theft solutions company, I’ve run across some amazing stories, including from close friends that I had not previously known were victims. One friend had her credit card repeatedly used to pay for tens of laptops, thousands of dollars of groceries, and rent on several apartments – in New York City, just prior to the 9/11 attacks. The FBI finally got involved, and discovered an insider at the credit card firm, and links to organizations suspected of supporting terrorists.

So what is this big scary threat, is it for real, and is there anything one can do other than install anti-virus software, check credit card statements, put your social security card in a safe deposit box, and cross one’s fingers? And perhaps even more important for the corporate audience – what’s the threat to corporations (oh, yes, there’s a major threat) and what can be done to keep the company and its employees safe?

First, the basics. Identity theft is – as the name implies – any use of another person’s identity to commit fraud. The obvious example is using a stolen credit card to purchase items, but it also includes such activities as hacking corporate networks to steal enterprise information, being employed using a fraudulent SSN, paying for medical care using another person’s insurance coverage, taking out loans and lines of equity on assets owned by someone else, using someone else’s ID when getting arrested (so that explains my impressive rap sheet!) and much more. In the late 90s and early 2000s, identity theft numbers skyrocketed, but they have plateaued in the last 3 years at around 9-10 million victims per year – still an enormous problem: the most common consumer crime in America. And the cost to businesses continues to increase, as thieves become increasingly sophisticated – business losses from identity fraud in 2005 alone were a staggering $60 billion dollars. Individual victims lost over $1500 each, on average, in out of pocket costs, and required tens or even hundreds of hours per victim to recover. In about 16% of cases, losses were over $6000 and in many cases, the victims are unable to ever fully recover, with ruined credit, large sums owed, and recurring problems with even the simplest of daily activities.

The underlying cause of the identity theft crime wave is the very nature of our digital economy, making it an extremely difficult problem to solve. Observe yourself as you go through the day, and see how many times your identity is required to facilitate some everyday activity. Turn on the TV – the cable channels you receive are billed monthly to your account, which is stored in the cable company’s database. Check your home page – your Google or Yahoo or AOL account has a password that you probably use for other accounts as well, maybe your financial accounts or your secure corporate login. Check your stocks – and realize that anyone with that account info could siphon off your money in seconds. Get into the car – you’ve got your drivers license, car registration, and insurance, all linked to a drivers license number which is a surrogate national ID, and could be used to impersonate you for almost any transaction. Stop for coffee, or to pick up some groceries, and use one of your many credit cards, or a debit card linked to one of your several bank accounts – if any of those are compromised, you could be cleaned out in a hurry.

And in the office – a veritable playground of databases with your most sensitive data! The HR database, the applicant tracking system, the Payroll system, the Benefits enrollment system, and various corporate data warehouses – each one stores your SSN and many other sensitive pieces of identifying data. Also the facilities system, the security system, the bonus and commission and merit increase and performance management systems, your network login and email accounts, and all of your job-specific system accounts. Not to mention all of the various one-time and periodic reports and database extracts that are done all day long, every day, by Compensation, by Finance, by audit firms, by IT and many others. And what about all the backups and replicated databases, and all the outsourced systems, all the various Pension and 401(k) and other retirement account systems? The little easily forgotten systems that track mentor assignments and birthdays and vacation accruals. The online paycheck image systems? The corporate travel provider’s systems? And let’s not forget how every outsourced system multiplies the risk – each one has backups and copies and extracts and audits; each one is accessible by numerous internal users as well as their own service providers. How many databases and laptops and paper reports throughout this web of providers and systems have your data, and how many thousands of people have access to it at any moment? The list rapidly goes from surprising to daunting to frightening, the longer one follows the trail of data.

It’s a brave new digital world, where every step requires instant authentication of your identity – not based on your pretty face and a lifelong personal relationship, but on a few digits stored somewhere. Much more efficient, right? So your various digital IDs – your drivers license number, your SSN, your userids and passwords, your card numbers – have to be stored everywhere, and as such, are accessible by all kinds of people. This explains the huge and growing phenomenon of corporate data breaches. Amazingly, over 90 million identities have been lost or stolen in these breaches in just the last 18 months, and the pace is actually accelerating. It’s simple arithmetic combined with a financial incentive – a growing volume of identity data, accessible by many people, that has significant value.

And once any of these digital IDs are compromised, they can be used to impersonate you in any or all of these same thousands of systems, and to steal your other digital IDs as well, to commit further fraud. This is the scale of the problem. Much worse than a cutesy stolen Citibank credit card – identity theft can easily disrupt everything you do, and require a massive effort to identify and plug every potential hole. Once your identity is stolen, your life can become an eternal whack-a-mole – fix one exposure, and another pops up, across the enormous breadth of all the accounts and systems that use your identity for any purpose at all. And make no mistake – once compromised, your identity can be sold again and again, across a vast shadowy international ID data marketplace, outside the reach of US law enforcement, and extremely agile in adapting to any attempts to shut it down.

A Disaster Waiting to Happen?

Over the last two years, three major legal changes have occurred that substantially increased the cost of corporate data theft. First, new provisions of the Fair and Accurate Credit Transactions Act (F

e implies – any use of another person’s identity to commit fraud. The obvious example is using a stolen credit card to purchase items, but it also includes such activities as hacking corporate networks to steal enterprise information, being employed using a fraudulent SSN, paying for medical care using another person’s insurance coverage, taking out loans and lines of equity on assets owned by someone else, using someone else’s ID when getting arrested (so that explains my impressive rap sheet!) and much more. In the late 90s and early 2000s, identity theft numbers skyrocketed, but they have plateaued in the last 3 years at around 9-10 million victims per year – still an enormous problem: the most common consumer crime in America. And the cost to businesses continues to increase, as thieves become increasingly sophisticated – business losses from identity fraud in 2005 alone were a staggering $60 billion dollars. Individual victims lost over $1500 each, on average, in out of pocket costs, and required tens or even hundreds of hours per victim to recover. In about 16% of cases, losses were over $6000 and in many cases, the victims are unable to ever fully recover, with ruined credit, large sums owed, and recurring problems with even the simplest of daily activities.

The underlying cause of the identity theft crime wave is the very nature of our digital economy, making it an extremely difficult problem to solve. Observe yourself as you go through the day, and see how many times your identity is required to facilitate some everyday activity. Turn on the TV – the cable channels you receive are billed monthly to your account, which is stored in the cable company’s database. Check your home page – your Google or Yahoo or AOL account has a password that you probably use for other accounts as well, maybe your financial accounts or your secure corporate login. Check your stocks – and realize that anyone with that account info could siphon off your money in seconds. Get into the car – you’ve got your drivers license, car registration, and insurance, all linked to a drivers license number which is a surrogate national ID, and could be used to impersonate you for almost any transaction. Stop for coffee, or to pick up some groceries, and use one of your many credit cards, or a debit card linked to one of your several bank accounts – if any of those are compromised, you could be cleaned out in a hurry.

And in the office – a veritable playground of databases with your most sensitive data! The HR database, the applicant tracking system, the Payroll system, the Benefits enrollment system, and various corporate data warehouses – each one stores your SSN and many other sensitive pieces of identifying data. Also the facilities system, the security system, the bonus and commission and merit increase and performance management systems, your network login and email accounts, and all of your job-specific system accounts. Not to mention all of the various one-time and periodic reports and database extracts that are done all day long, every day, by Compensation, by Finance, by audit firms, by IT and many others. And what about all the backups and replicated databases, and all the outsourced systems, all the various Pension and 401(k) and other retirement account systems? The little easily forgotten systems that track mentor assignments and birthdays and vacation accruals. The online paycheck image systems? The corporate travel provider’s systems? And let’s not forget how every outsourced system multiplies the risk – each one has backups and copies and extracts and audits; each one is accessible by numerous internal users as well as their own service providers. How many databases and laptops and paper reports throughout this web of providers and systems have your data, and how many thousands of people have access to it at any moment? The list rapidly goes from surprising to daunting to frightening, the longer one follows the trail of data.

It’s a brave new digital world, where every step requires instant authentication of your identity – not based on your pretty face and a lifelong personal relationship, but on a few digits stored somewhere. Much more efficient, right? So your various digital IDs – your drivers license number, your SSN, your userids and passwords, your card numbers – have to be stored everywhere, and as such, are accessible by all kinds of people. This explains the huge and growing phenomenon of corporate data breaches. Amazingly, over 90 million identities have been lost or stolen in these breaches in just the last 18 months, and the pace is actually accelerating. It’s simple arithmetic combined with a financial incentive – a growing volume of identity data, accessible by many people, that has significant value.

And once any of these digital IDs are compromised, they can be used to impersonate you in any or all of these same thousands of systems, and to steal your other digital IDs as well, to commit further fraud. This is the scale of the problem. Much worse than a cutesy stolen Citibank credit card – identity theft can easily disrupt everything you do, and require a massive effort to identify and plug every potential hole. Once your identity is stolen, your life can become an eternal whack-a-mole – fix one exposure, and another pops up, across the enormous breadth of all the accounts and systems that use your identity for any purpose at all. And make no mistake – once compromised, your identity can be sold again and again, across a vast shadowy international ID data marketplace, outside the reach of US law enforcement, and extremely agile in adapting to any attempts to shut it down.

A Disaster Waiting to Happen?

Over the last two years, three major legal changes have occurred that substantially increased the cost of corporate data theft. First, new provisions of the Fair and Accurate Credit Transactions Act (

ee how many times your identity is required to facilitate some everyday activity. Turn on the TV – the cable channels you receive are billed monthly to your account, which is stored in the cable company’s database. Check your home page – your Google or Yahoo or AOL account has a password that you probably use for other accounts as well, maybe your financial accounts or your secure corporate login. Check your stocks – and realize that anyone with that account info could siphon off your money in seconds. Get into the car – you’ve got your drivers license, car registration, and insurance, all linked to a drivers license number which is a surrogate national ID, and could be used to impersonate you for almost any transaction. Stop for coffee, or to pick up some groceries, and use one of your many credit cards, or a debit card linked to one of your several bank accounts – if any of those are compromised, you could be cleaned out in a hurry.

And in the office – a veritable playground of databases with your most sensitive data! The HR database, the applicant tracking system, the Payroll system, the Benefits enrollment system, and various corporate data warehouses – each one stores your SSN and many other sensitive pieces of identifying data. Also the facilities system, the security system, the bonus and commission and merit increase and performance management systems, your network login and email accounts, and all of your job-specific system accounts. Not to mention all of the various one-time and periodic reports and database extracts that are done all day long, every day, by Compensation, by Finance, by audit firms, by IT and many others. And what about all the backups and replicated databases, and all the outsourced systems, all the various Pension and 401(k) and other retirement account systems? The little easily forgotten systems that track mentor assignments and birthdays and vacation accruals. The online paycheck image systems? The corporate travel provider’s systems? And let’s not forget how every outsourced system multiplies the risk – each one has backups and copies and extracts and audits; each one is accessible by numerous internal users as well as their own service providers. How many databases and laptops and paper reports throughout this web of providers and systems have your data, and how many thousands of people have access to it at any moment? The list rapidly goes from surprising to daunting to frightening, the longer one follows the trail of data.

It’s a brave new digital world, where every step requires instant authentication of your identity – not based on your pretty face and a lifelong personal relationship, but on a few digits stored somewhere. Much more efficient, right? So your various digital IDs – your drivers license number, your SSN, your userids and passwords, your card numbers – have to be stored everywhere, and as such, are accessible by all kinds of people. This explains the huge and growing phenomenon of corporate data breaches. Amazingly, over 90 million identities have been lost or stolen in these breaches in just the last 18 months, and the pace is actually accelerating. It’s simple arithmetic combined with a financial incentive – a growing volume of identity data, accessible by many people, that has significant value.

And once any of these digital IDs are compromised, they can be used to impersonate you in any or all of these same thousands of systems, and to steal your other digital IDs as well, to commit further fraud. This is the scale of the problem. Much worse than a cutesy stolen Citibank credit card – identity theft can easily disrupt everything you do, and require a massive effort to identify and plug every potential hole. Once your identity is stolen, your life can become an eternal whack-a-mole – fix one exposure, and another pops up, across the enormous breadth of all the accounts and systems that use your identity for any purpose at all. And make no mistake – once compromised, your identity can be sold again and again, across a vast shadowy international ID data marketplace, outside the reach of US law enforcement, and extremely agile in adapting to any attempts to shut it down.

A Disaster Waiting to Happen?

Over the last two years, three major legal changes have occurred that substantially increased the cost of corporate data theft. First, new provisions of the Fair and Accurate Credit Transactions Act (

n all of the various one-time and periodic reports and database extracts that are done all day long, every day, by Compensation, by Finance, by audit firms, by IT and many others. And what about all the backups and replicated databases, and all the outsourced systems, all the various Pension and 401(k) and other retirement account systems? The little easily forgotten systems that track mentor assignments and birthdays and vacation accruals. The online paycheck image systems? The corporate travel provider’s systems? And let’s not forget how every outsourced system multiplies the risk – each one has backups and copies and extracts and audits; each one is accessible by numerous internal users as well as their own service providers. How many databases and laptops and paper reports throughout this web of providers and systems have your data, and how many thousands of people have access to it at any moment? The list rapidly goes from surprising to daunting to frightening, the longer one follows the trail of data.

It’s a brave new digital world, where every step requires instant authentication of your identity – not based on your pretty face and a lifelong personal relationship, but on a few digits stored somewhere. Much more efficient, right? So your various digital IDs – your drivers license number, your SSN, your userids and passwords, your card numbers – have to be stored everywhere, and as such, are accessible by all kinds of people. This explains the huge and growing phenomenon of corporate data breaches. Amazingly, over 90 million identities have been lost or stolen in these breaches in just the last 18 months, and the pace is actually accelerating. It’s simple arithmetic combined with a financial incentive – a growing volume of identity data, accessible by many people, that has significant value.

And once any of these digital IDs are compromised, they can be used to impersonate you in any or all of these same thousands of systems, and to steal your other digital IDs as well, to commit further fraud. This is the scale of the problem. Much worse than a cutesy stolen Citibank credit card – identity theft can easily disrupt everything you do, and require a massive effort to identify and plug every potential hole. Once your identity is stolen, your life can become an eternal whack-a-mole – fix one exposure, and another pops up, across the enormous breadth of all the accounts and systems that use your identity for any purpose at all. And make no mistake – once compromised, your identity can be sold again and again, across a vast shadowy international ID data marketplace, outside the reach of US law enforcement, and extremely agile in adapting to any attempts to shut it down.

A Disaster Waiting to Happen?

Over the last two years, three major legal changes have occurred that substantially increased the cost of corporate data theft. First, new provisions of the Fair and Accurate Credit Transactions Act (

and growing phenomenon of corporate data breaches. Amazingly, over 90 million identities have been lost or stolen in these breaches in just the last 18 months, and the pace is actually accelerating. It’s simple arithmetic combined with a financial incentive – a growing volume of identity data, accessible by many people, that has significant value.

And once any of these digital IDs are compromised, they can be used to impersonate you in any or all of these same thousands of systems, and to steal your other digital IDs as well, to commit further fraud. This is the scale of the problem. Much worse than a cutesy stolen Citibank credit card – identity theft can easily disrupt everything you do, and require a massive effort to identify and plug every potential hole. Once your identity is stolen, your life can become an eternal whack-a-mole – fix one exposure, and another pops up, across the enormous breadth of all the accounts and systems that use your identity for any purpose at all. And make no mistake – once compromised, your identity can be sold again and again, across a vast shadowy international ID data marketplace, outside the reach of US law enforcement, and extremely agile in adapting to any attempts to shut it down.

A Disaster Waiting to Happen?

Over the last two years, three major legal changes have occurred that substantially increased the cost of corporate data theft. First, new provisions of the Fair and Accurate Credit Transactions Act (FACTA) went into effect that imposed significant penalties on any employer whose failure to protect employee information – either by action or inaction – resulted in the loss of employee identity data. Employers may be civilly liable up to $1000 per employee, and additional federal fines may be imposed up to the same level. Various states have enacted laws imposing even higher penalties. Second, several widely publicized court cases held that employers and other organizations that maintain databases containing employee information have a special duty to provide safeguards over data that could be used to commit identity fraud. And the courts have awarded punitive damages for stolen data, over and above the actual damages and statutory fines. Third, several states, beginning with California and spreading rapidly from there, have passed laws requiring companies to notify affected consumers if they lose data that could be used for identity theft, no matter whether the data was lost or stolen, or whether the company bears any legal liability. This has resulted in vastly increased awareness of breaches of corporate data, including some massive incidents such as the infamous ChoicePoint breach in early 2005, and the even larger loss of a laptop containing over 26 million veteran’s IDs a couple of months ago.

At the same time, the problem of employee data security is getting exponentially harder. The ongoing proliferation of outsourced workforce services – from background checks, recruiting, testing, payroll, and various benefit programs, up to full HR Outsourcing – makes it ever harder to track, let alone manage all of the potential exposures. Same thing for IT Outsourcing – how do you control systems and data that you don’t manage? How do you know where your data is, who has access, but shouldn’t, and what criminal and legal system governs any exposures occurring outside the country? The ongoing trend toward more remote offices and virtual networks also makes it much harder to control the flow of data, or to standardize system configurations – how do you stop someone who logs in from home from burning a CD full of data extracted from the HR system or data warehouse, or copying it to a USB drive, or transferring it over an infrared port to another local computer? And recent legislative minefields, from HIPAA to Sarbanes Oxley, not to mention European and Canadian data privacy regulations, and the patchwork of fast-evolving US federal and state data privacy legislation, have ratcheted up the complexity of control, perhaps past the point of reasonability. Who among us can say that they understand all of it, let alone fully comply?

The result: a perfect storm – more identity data losses and thefts, much greater difficulty at managing and plugging the holes, much greater visibility to missteps, and much greater liability, all boiling in the cauldron of a litigious society, where loyalty to one’s employer is a bygone concept, and all too many employees look at their employer as a set of deep pockets to be picked whenever possible.

And it’s all about “people data” – the simple two-word phrase right at the heart of the mission of Human Resources and IT. The enterprise has a problem – its people data is suddenly high value, under attack, and at escalating risk – and they’re looking at you, kid.

The good news is that at least it’s a well-known problem. Indeed, although I hope I’ve done a good job of scaring you into recognizing that identity theft is not all hype – that it’s a genuine, long-term, big-deal problem – the reality has a hard time keeping up with the hype. Identity theft is big news, and lots of folks, from solution vendors to media infotainment hucksters of every stripe have been trumpeting the alarm for years now. Everyone from the boardroom on down is aware in a general way of all the big data thefts, and the problems with computer security, and the hazards of dumpster divers and so on. Even the Citibank ads have done their part to raise awareness. So you have permission to propose a reasonable way to address the problem – a serious, programmatic approach that will easily pay for itself in reduced corporate liability, as well as avoidance of bad publicity, employee dissatisfaction, and lost productivity.

The Journey of a Thousand Miles

In general, what I recommend is simply that you do, indeed, approach identity theft prevention and management as a program – a permanent initiative that is structured and managed just like any other serious corporate program. That means an iterative activity cycle, an accountable manager, and real executive visibility and sponsorship. That means going through cycles of baselining, identification of key pain points and priorities, visioning a next generation state and scope, planning and designing the modules of work, executing, measuring, assessing, tuning – and then repeating. Not rocket science. The most important step is to recognize and train a focus on the problem – put a name and a magnifying glass to it. Do as thorough a baseline review as you can, examine the company from the perspective of this substantial risk, engage your executive leadership, and manage an ongoing improvement program. After a couple of cycles, you’ll be surprised how much better a handle you have on it.

Within the scope of your identity theft program, you will want to target the following primary objectives. We’ll examine each one briefly, and outline the critical areas to address and some key success factors.

1) Prevent actual identity thefts to the extent possible
2) Minimize your corporate liability in advance for any identity thefts (not the same thing as #1 at all)
3) Respond effectively to any incidents, to minimize both employee damage and corporate liability

From an enterprise perspective, you can’t achieve identity theft prevention without addressing processes,