Battling ID Theft by vivi07


									Battling ID Theft: Do All Companies Have to Comply with Gramm-Leach-Bliley?
David F. Baumer, Ph.D, J.D. Professor of Management College of Management North Carolina State University P.O. Box 7229 Raleigh, NC 27695 – 7229 e-mail: phone: 919-515-6950 fax: 919-515-6943 Robert P. Moffie, Ph.D., CPA Associate Professor of Accounting School of Business North Carolina Central University P.O. Box 19407 Durham, NC 27707 e-mail: phone: 919-530-7377 fax: 919-530Ralph B. Tower Calloway Professor of Taxation Calloway School of Business and Accounting Wake Forest University P.O. Box 7443 Winston Salem, NC 27109 e-mail: Phone: 336-758-5735 Fax: 336-758-6133

Abstract: As identity theft continues to plague the U.S. public, it is of interest to survey the main features of what the Federal Trade Commission (FTC) considers commercially reasonable security. The FTC has used its powers under Section 5 of the FTC Act to examine statements made in the privacy policies and to challenge those statements when the FTC believes they are deceptive. The Gramm-Leach-Bliley Act of 1999 empowers the FTC to require firms covered by the Act to secure personally identifying information in light of reasonably anticipated threats. The remedies that the FTC has been promulgating appear to be extending GLB requirements to all firms that acquire, store and transmit PII. I. Introduction As identity theft continues to escalate, affecting millions of Americans, policy makers are increasingly searching for ways to reduce its incidence and severity. Among the tools available to policy makers are new laws, more vigorous enforcement, public education, placing more responsibility and liability on rightful holders of personally identifying information (PII) and so on. The focus of this paper is upon the government’s efforts to place more responsibility and liability on rightful possessors of PII that, nevertheless, are the situs of identity theft. Among government agencies, the FTC has assumed leadership in filing actions against companies and other entities that improperly collect, store, or transmit PII of customers, website visitors, and others, such as participants in various contests or opportunities. The FTC seems to be moving towards a standard that it is a deceptive trade practice for a company to make promises that its security is commercially reasonable, when the FTC determines otherwise. The FTC definition of commercially reasonable security appears to be coincident with the requirements of GLB Act. II. Identity Theft: Prevalence and Consequences The prevalence of identity theft has become ubiquitous. It’s on the cover of Newsweek Magazine; it’s in all the newspapers. The basic modus operendi is that a company has its website hacked into by data thieves and personally identifying information (PII) is stolen, but there are numerous other examples of low tech identity theft facilitated by horrendous examples of company negligence.1 A. It’s Everywhere Perhaps the most frightening aspect of identity theft is that you can be a victim no matter who

In one example, computer tapes containing customer PII was literally left laying on the floor when a company was relocating and later picked up by identity thieves. Steven Levy and Brad Stone, “Grand Theft Identity, Newsweek

you or how careful you are. If you recently bought shoes from DSW Shoe Warehouse you probably received a letter telling you that your bank account number and credit card information was stolen by hackers (The Chairperson of the FTC did according to Newsweek).2 An astounding 41 million credit card numbers fell into the hands of identity thieves when the records of CardSystems, a processor of credit card transactions, were acquired as a result of hacking by identity thieves.3 Soon after the cyber break-in those same credit card numbers started appearing on shadowy websites that fence them to identity thieves.4 According to the FTC, an identity thief is a person who uses someone else’s information for illegal purposes. Generally identity thieves use credit card information to apply for numerous other credit cards and then start making purchases and cash withdrawals that wreak havoc on the victim’s credit and personal life.

B. What Should An Internal Auditor Do? As an Internal Auditor you must be thinking, what happens if my company has its website hacked into and PII is stolen? What part of liabilities and sanctions are involved; how can my company protect its PII and itself from such invasion and the resultant liability? This article in a follow up of our previous article “Legal Liabilities of Website Operation and Internal Privacy Issues” (Internal Auditing September/October 2003) and focuses on how you as the Internal Auditor can help protect your company from such crimes, and thereby avoid costs and ramifications associated with such an invasion.

Magazine, July 4, 2005 issue at: 2 Op. Cit. at 1. 3,10801,102631,00.html. 4 Credit card numbers are much more valuable to identity thieves if they are coupled with social security numbers.

C. Information as “digital capital” A number of important theorists in this field are suggesting that a paradigm shift is taking place.5 That is, traditional views of capital, which include financial and durable assets, should be expanded in the minds of internal auditors to include company digital capital, trade secrets, sensitive proprietary information and customer PII. Digital capital is increasingly critical to your company’s business, and therefore it must be protected just as if it were cash or other liquid assets. Unfortunately, companies that store sensitive and valuable PII have been preyed upon by sophisticated hackers, but some of these companies have been appalling negligent in their care of customer PII. According to the Newsweek article:    one company was conned into inadvertently selling PII data to crooks (identity thieves), another stored its customers’ PII data on laptops, which were stolen, and another apparently lost significant amounts of PII data after it disappeared off the back of a UPS truck. Given standard internal auditing controls, this wouldn’t happen to your company’s cash supply so why let it happen to your company’s PII? D. Sanctions This whole area is a mixed bag so to speak. The good news, if you can call it that, is that unless your company is a financial institution, there are little or no legal sanctions or liability if PII is stolen.6 However, it is likely that firms with inadequate security will face legal sanctions in the near future. In the wake of continuing high profile identity thefts, there are a number of bills that are wending their through Congress that carry with them heavy fines for negligent handling of

See 5 See e.g., Don Tapscott, David Ticoll, Alex Low, Digital Capital: Harnessing the Power of Business Webs, HBS Press Book, 2000. 6 The GLB Act specifically requires covered firms to have security that is adequate to protect customer PII in light

customer PII.7 One could make an analogy with the automobile in 1895. At that time people could speed around and recklessly operate an automobile with no liability until an “accident” occurred because there were no traffic laws. Technology was ahead of the laws. The same is true today when it comes to information technology. Just as traffic laws caught up with the automobile and defined negligent driving even before an accident occurred, legal sanctions will catch up with technology in the areas of PII and company websites. Currently there are three major pieces of legislation that govern information technology. The first two deal with the people stealing PII. The third pertains to financial institutions and is promulgated by the FTC:

1. The Computer Fraud and Abuse Act (18 USC 1030) as amended by the USA Patriot Antiterrorism Legislation of October 26, 2001 is the chief, federal anti-hacking statute. This Act defines the legal consequences of hacking, which is legally defined as unauthorized access of a computer or computer information, if the value of the information accessed is greater than $5,000 in any one year. This Act also covers the unauthorized transmission of a program, information, code, or command if this causes danger. However, the Act does not specify liability for the company maintaining or transmitting the PII, even if that company has been negligent in these functions. Thus while the thieves that hacked DSW Shoe Warehouse for bank accounts and credit cards are in violation of the Computer Fraud and Abuse Act, DSW Show Warehouse has no liability under this Act.8 Even though there is no direct statutory authority for the imposition of liability, the FTC is filing actions against firms that are

of reasonably anticipated threats. 7 Chief sponsor of the ID Theft bill currently before Congress is California Senator Diane Feinstein. 8 Companies operating in California now have a statutory obligation to report identity thefts to their customers. SB

negligent in their care of PII, as will be discussed below. 2. Identity Theft and Assumption Deterrence Act as amended by Public Law 105-318-112 Sect. 3007 (October 30, 1998). As is apparent from its title, this Act makes it a violation of the law for a person to engage in identity theft. Under this law it is a violation to knowingly transfer or use without lawful authority, any means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of federal law or state and local law. So, in the case of DSW Show Warehouse, if the thieves who stole the PII make use of this information to make unlawful purchases by assuming the identity of the credit card holder or make a bank draft, they are in violation of this law. 3. Gramm-Leach-Bliley Act and the Safeguards Rule. Although it is good to know, and not surprising that U.S. law makes it a crime to wrongfully acquire information and to assume someone’s identity to use the information, as an internal auditor you need to focus on the third piece of legislation, because this is designed to protect and safeguard the PII held by your company. This piece of legislation is known as the Gramm-Leach-Bliley (GLB) Safeguards Rule (Rule). Basically, this Rule requires financial institutions to develop and implement physical, technical, and procedural safeguards to protect customer information. 9 This Rule, promulgated by the FTC, became effective in May of 2003. As will be discussed shortly in this paper, you as the internal auditor could use this Rule as a blueprint to form a set of controls for protecting PII even if your company is not a financial institution. Alternatively, if the FTC decides your security for customer PII is inadequate, it make
1386, which is part of the

This Act is available on the FTC Website at:

require your firm to implement the GLB Rule.

III. The FTC and Cybersecurity As an internal auditor it would be prudent for you and your department to become familiar with how the FTC looks at safeguarding data and in this case PII. When it comes to information security matters the FTC has two types of enforcement tools:  Section 5 of the FTC Act, which empowers the FTC to prohibit unfair and deceptive acts or practices10 and,  As mentioned earlier, the FTC also has certain enforcement powers as a result of their “Gramm-Leach- Bliley (GLB) Safeguards Rule.”

Your company and all companies are subject to FTC enforcement under Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive trade practices. The FTC defines deception as a material representation or omission that is likely to mislead consumers acting reasonably under the circumstances. In the case of data security, Section 5 has been

interpreted to mean that if your company obtains sensitive data from customers, then there is an implicit promise that your company will provide adequate (commercially reasonable) protection for these data. If your firm’s security measures are inadequate (do not meet the commercially reasonable standard), then the FTC views promising your customers that you have adequate security as a deceptive trade practice under Section 5. So, in actions by the FTC, if a company’s security measures prove to be inadequate, the company’s promise (either explicit or implicit) to


15 U.S.C. § 45 (a) (1).

protect their PII will be considered by the FTC to be a deceptive trade practice. The key to data protection, then, is how do the FTC and the courts define what is “commercially reasonable” under the circumstances? It is clear from the statements of several high officials at the FTC is not holding companies to a strict liability standard, but rather a negligence standard.11 Under a negligence, unlike a strict liability standard, not every breach of security implies that the company storing PII has committed a legal wrong, but rather only those breaches that occur when the company’s negligence was a factor in the incontinent disbursement. it’s the suggestion of this paper, that you as the internal auditor should take two major steps in protecting your company from the liability and expenses of not having your PII reasonably protected.

The Proactive Approach
First of all, as we have said earlier, you as the internal auditor should see to it that you and your company make a paradigm shift in the way you think about PII. You should think of your company’s PII as being more valuable and equally as susceptible to theft as your company’s cash assets. While cash is protected physically, your PII must be protected not only physically but encrypticly as well. Once you and your Internal Audit Department developed this mental shift in the way you look at PII, you are ready to take action. The first step is to establish a close relationship with your company’s IT people. The whole area of PII presentation is a joint effect between IT who controls PII and the Internal Audit Department who can help IT set up and operationalize an appropriate intense control


Cite Beales and Parnes.

section for your company’s PII. It is the suggestion of this page, that the appropriate internal control system for PII in your company should be designed around the FTC “Gramm- Leach- Bliley (GLB) Safeguards Rule.” The reason for this suggestion is twofold. First of all whether your company is a financial institution or not, the FTC is looking at you. The FTC has actively taken the position that for any company the security procedures taken must be appropriate for the kind of information it collects and maintains. Different levels of sensitivity will require different levels of security, and the FTC may take your company to court if it thinks you may not have set up controls accordingly.

FTC Takes Action
The FTC’s first case was against Eli Lilly. The breach of security involves disclosure of sensitive Prozac user information despite the company’s promise to maintain confidentiality. Eli Lilly put consumer’s e-mail addresses in the “to” line of the e-mail sent to Prozac users thus identifying all Prozac users to one another. The FTC said in this case that Lilly’s breach of security here resulted from inadequate implementation and maintenance of internal controls that were appropriate under the circumstances to protect sensitive consumer information. The focus was on the reasonableness of Lilly’s efforts, (or lack thereof). As part of the FTC complaint against Lilly, the Commission has required Lilly to implement a comprehensive IT security program based on the “GLB Safeguard Rule”, which we will discuss shortly. In addition, every year Lilly must have its IT security program reviewed by a qualified person to ensure compliance. Since future actions taken by the government to force companies to better safeguard their

PII will most likely be undertaken by the FTC, the best proactive approach will be for the Internal Audit Department to work closely with IT to design the kind of internal controls that the FTC feels are important and then monitor them on an annual basis. If you think about it, what is more likely to come out of such security breaches as Cardsystems, Inc. and DSW Shoe Warehouse might be large class-action lawsuits against those companies. The best way to protect your company is to have already in place an air tight IT internal control system for PII that is based on the FTC’s model since they are the government agency that is apt to come after you in the first place. Furthermore, if your company were unfortunate enough to be involved in a class action lawsuit, what better defense than to have the FTC on your side because you have a well designed internal control system. This is an important concept, because in a statement made by the FTC before the US House of Representatives on cybersecurity and consumer data, the FTC said that they were not simply saying “gotcha” for security breaches.12 Basically if there is a security breach involving PII and the FTC looks at the company’s internal controls and considers them to be reasonable under the circumstances then the FTC will conclude that action is not warranted. The real “eye opener” here is, and very few people are aware of this, the FTC has the power to sanction your company even if there has not been an actual breach of security. Take the case of the FTC against Microsoft. In this case, the FTC has taken the position that when explicit promises are made to customers to safeguard PII, then the company has a legal


Prepared Statement of the Federal Trade Commission before Commerce, Trade & Consumer

Protection Subcommittee on Energy and Commerce, U.S. House of Representatives on Cybersecurity and Consumer Data: What’s at Risk for the Consumer? (November 19, 2003).

obligation to take steps to guard against reasonably anticipated vulnerabilities. The FTC alleged that Microsoft did not employ “sufficient measures reasonable and appropriate under the circumstances to maintain and protect the privacy and confidentiality of personal information obtained through Passport and Passport Wallet.” The focus was on Microsoft’s lack of internal control to prevent unauthorized access, detect such access, monitor for potential vulnerablities and maintain sufficient records to perform security audits and investigations.13 The interesting thing about this case is that even though there was no breach of security like in Lilly, or DSW Shoe Warehouse or Cardsystems the FTC has required Microsoft to implement a comprehensive information security program, and this must be monitored and certified by independent professionals every two years. It doesn’t take much to realize that Microsoft or Lilly could have saved an enormous amount of costs, by having an appropriate system in place and monitored in house in the first place. The final concept that the FTC adheres to and believes in is that good security is an ongoing process of assessing risks and vulnerabilities. The Commission’s case against Guess, Inc. illustrates this. This illustrates the concept of information security with web-based applications and their associated databases. In the Guess, Inc. case the FTC alleged that the company did not protect PII gathered through its website By including a “webbased application” attach on Guess, Inc. website, hackers gained access to 191,000 credit card numbers. In its complaint against Guess, Inc. the FTC said that despite explicit promises to protect



its customers PII, Guess “had no system in place to test for known application vulnerabilities or to detect and block attacks once they occurred.”14 In essence the Commission said that Guess, Inc. did not employ common low cost methods that would block a web-application attack. In fact, Guess, Inc. did not even encrypt the PII that they collected. As in the previous two cases, the FTC’s emphasis was on reasonableness. That is, when the vulnerabilities are known, and the security easy to implement, it is unreasonable to do nothing and ignore the security risks like the previous two cases the Commission has required Guess, Inc. to implement a comprehensive information security program, and an independent audit is required every two years.

A Data Security Program for Your Company
It is this paper’s suggestion that you and your Internal Audit Department work closely with IT to implement a comprehensive PII security plan of internal control based on the “GLB Safeguard Rule.” This is a five step program which is outlines in Exhibit 1. The “GLB Safeguards Rule” is aimed at financial institutions where there is a higher perceived level of care. However, this paper suggests that this is not really so. You as the internal auditor should think of sensitive information (PII) as generic. That is, all businesses must aim at this higher level of care whether or not they are financial institutions. The five steps you should follow are outlined below:  Designate one or more employees to coordinate the Safeguards- Your company should have a chief security officer (CSO). The CSO should be on the same level with the Chief


Financial Officer (CFO) and Chief Information Officer (CIO). The CSO should interface between the financial aid technical aspects of your company. Once again we see the paradigm shift here, because most companies don’t think about data security as being important enough to have a CSO. The fact is though, this individual will be one of your company’s most cost effective employees.  Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks- First of all your company needs to look at its core competencies (are you manufacturing, service, or financial) then you must look at your company’s value chair. Risk assessment and identification must be made at each step in the value chain. That is, the PII you collect may be crucial at one step in the value chain and not in another. For example, PII collectively within your company may not need to be encrypted but will need to be encrypted when sent between organizations.  Design and implement a safeguards program, and regularly monitor and test it- Today’s audits (both external and internal) are based on risk assessment. Your company’s safeguards program must be designed based on step two above, that is, risk assessment at each level. Monitoring and testing the system would then be an extension of what you are probably already doing in other areas, ie. the risk based credit. The safeguards program must be designed around unauthorized access to data internally as well as externally. Not everyone has a need to know everything. Your company’s safeguard program must differentiate the need to know internally as well as externally. A firewall is of little value if the unauthorized access comes from within.  Hire appropriate service providers and contrast with them to implement safeguards- The

main point to be made here is don’t let a consultant tell you what to do. Working with a service provider must be a collaborative effort between the provider and your company. What good is data protection if you can’t access your PII. This step is where you as the internal auditor really need to be proactive in terms of balancing access versus safety at every link in the value chain. You can’t just sit back and let a consultant come into your company and say “this is how it should be.”  Evaluate and adjust the program in light of relevant circumstances including changes in the firms business arrangements and operations or the results of testing and monitoring of safeguards- Your company’s business environment is dynamic and never static. Data security is constantly changing. There is never a totally secure system. As your company modifies its value chain, by definition everything else gets modified as well. As more and more businesses expand their e-commerce your company can’t just wait for a breakdown in the system to fix and plug the hole. You as the internal auditor must be proactive here or we will have the Microsoft scenario over and over again. Once again, it is the suggestion of this paper, that the internal audit function be expended to cover the adequacy of data security.

Important Internal Control Concerns The “GLB Safeguard Rule” identifies three areas that are important to information security when implementing the safeguards. These three areas are outlined in Exhibit 2. In other words, if you use the GLB Safeguards as a template for your company’s data security internal control, the FTC considers these three concepts always important at every step. The areas of concern are as follows:

 Employee management and training – Here it is important to isolate the simply human error from lack of training. Lack of awareness and training equals lack of security. The CSO should design and implement the training of your company’s work force, and this means all of your work force not just the IT people. A good training program should be designed to continually update the work forces knowledge base. As an example, if your company collects and stores PII on a virtual private network (VPN), an untrained employee might feel that this type of network is secure. What happens if a hacker breaks into it? A trained employee will be as concerned by the company’s VPN as any other system. E-mail is a good example. The problem is that we all think that from the outside, when in fact it may come from within. For example, you may have a firewall that provides protection from outside, that is e-mail coming into your company; but, do you have protection from within? That is, does your company’s computers have protection for outgoing e-mail that prevents sensitive attachments from being sent out? A well trained work force will be aware of this.  The information System- Here it really is the concept that the IT system is only as good as how it is managed. This is, the internal management of information starts with the five steps that have been outlined. It is also a matter of “IT governance.” That is “what is appropriate for whom to see what.”  Management of system failures- This falls into three categories. The first category is a complete system failure. In this case you want to be sure your company’s IT system has back up (redundance). A good analogy is Lockeeds 380 Airbus which is the bigger

commercial passenger jet in the world. Every system on the airbus has three backups. That is, a principle system and two backups (double redundance). Is your company’s IT system any less important than the hackers? The second category is a failure resulting from a clear security risk and a failure to address the risk. In this case if you can identify the problem, you should be able to react immediately to plug the whole. The trickiest and perhaps the most important category is the last one which is contingency planning. In other words, what happens if? Your company must think outside the box when it comes to PII. There must not only be an ongoing assessment of what the contingency risk could be, but a mechanism in place for solving these risks. In other words crisis management applied to your IT systems.

Conclusion: Back in the 1970’s, William Proxmire, a Wisconsin Democrat brought about much needed reform to the credit card industry. In 1970, he authorized a bill that stopped banks from “dropping” credit cards in people without their consent. In 1974, he pushed through another bill limiting customer liability to $50 if their card was stolen and used to make a fraudulent purchase. As a result people felt confident with credit cards and today there are over a billion credit cards in the United States alone. But, things are different today. Back in the 1970’s people had a choice. If they didn’t trust credit cards they could pay with cash. Today we as consumers don’t have a choice. None of us know where our PII is going. People are looking to industry to protect their PII. Part of your responsibility as an internal auditor has always been a fiduciary function over your company’s internal sensitive data. What is happening now is that a quantum leap is

taking place, and your fiduciary responsibility has now spread to everyone whom your company has obtained PII on. This is a leap in responsibility, a paradigm shift that is taking place in industry as you read this paper. You as the internal auditor must take the initiative to be sure that you company from the CEO on down realizes that this expanded responsibility is taking place. For example, DSW Shoe Warehouse sells shoes, but they also have millions of customer’s credit card numbers and bank account MICR numbers. If the breach of security that allowed this PII to be stolen was due to a lack of “reasonable” security measures then this company is almost sure to face major expenses in their future. This paper has been designed as an eye opener and guide to taking a proactive approach to data security in your company. You will probably want to read further. Exhibit 3 contains important websites and some suggestions for further reading.

To top