Identity theft on the rise

(September 28, 2005) It’s been a banner year for identity thieves. High profile security breaches in the past have highlighted the growing problems associated with collecting massive amounts of personal information and compliance departments, hopefully, are well aware of privacy legislation, but poor information management practices on the part of organizations is still the single largest cause of identity theft in North America.

Imagine visiting the bank to apply for a mortgage or co-sign your child’s student loans, only to find out that your credit has been destroyed, thanks to unpaid debts for purchases you did not make.

Identity theft victims usually have no clue about their problems until it’s too late. Once the problem is identified, victims need to spend a tremendous amount of personal time to persuade banks and credit bureaus to remove fraudulent accounts from their credit reports, write certified letters, keep detailed records and follow up with companies until the problem is resolved, all while trying to convince creditors to stop reporting them as defaulters and deadbeats. Imagine then, that this same scenario is happening to one of your top A-list clients, and they landed in this position because of your company’s data practices.

“Identity theft is one of the most serious threats to the public today. When data begins leaking due to a company’s negligence, it is consumers who suffer the most, in the form of financial losses, identity theft, poor credit ratings and personal frustration,” says Dr. Ann Cavoukian, Ontario’s information and privacy Commissioner. “There’s been an explosion of identity theft that’s taken place this year, especially in the first six months of the year.”

In response, the privacy commissioner drafted a paper, entitled Identity Theft Revisited: Security Is Not Enough. In it, Cavoukian encourages businesses to adopt better practices aimed at safeguarding client and customer information.

“Privacy is good for business,” she writes. “A growing body of evidence indicates that organizations that adopt open and effective information management practices which respect their customers’ personal information are benefiting in many ways.” If nothing else, the practice “pays handsome dividends in terms of reduced costs associated with crisis management and damage control.”

The paper follows up on a similar report, written back in 1997. “We wanted to debunk some myths,” says Cavoukian. “One of the most prevalent myths out there is that somehow consumers can single-handedly protect themselves against identity theft by engaging in protective measures. That’s not true. I’m not discouraging consumers — everyone should engage in measures to protect themselves like shredding documents, protecting their credit information, but even if every consumer did that you would still have a huge problem with identity theft because most of the incidences of ID theft occur through poor information management practices.”

“Suggesting that individuals can prevent the occurrence of identity theft on their own is faulty. For the most part, they cannot,” she writes.

For example on Tuesday, RBC Dain Rauscher, the U.S. securities arm of RBC, told its customers that some of their personal information may have been stolen. The firm is investigating after several clients apparently received anonymous letters detailing the theft. Dain Rauscher says it has brought in the FBI and hired an outside firm that specializes in identify theft.

One big problem with the system is that there is little economic incentive to invest in good data privacy or security practices. The privacy commissioner’s report suggests that some companies regard the costs associated with addressing data privacy breaches might simply be tolerated as the cost of doing business. There are however fundamental changes underway, creating transparency and accountability in areas of data management.

Cavoukian writes: “If you treat privacy as a business issue, it becomes a competitive advantage, not just a compliance issue.”

For financial advisors, she recommends severing any “operation data” needed to work on the client files from personal identifiers like names, social insurance numbers, addresses or phone numbers. She also recommends creating and assigning “nonsense numbers” or unique file number that have no meaning outside of their use in your office.

“Let’s say you have a client who has vast, multi-million dollar holdings. You could have all the information on what accounts they hold and how their money is invested, but if it’s not linked to an individual, it could be anybody. It would have no value to a thief. It only has value if it’s linked to a name, social insurance number, addresses — the personal identifiers,” says Cavoukian. “That’s where the gold is. If you sever the personal identifiers from the actual transactional data, you minimize the risk.”

Restricting access to sensitive information is also important. The paper suggests roughly 70% of information intrusions are committed by someone within the company and 95% of those breaches result in significant financial losses.

Cavoukian says encrypting data and severing or masking personal information so it is not in plain view of anyone who accesses the data, are the minimum measures advisors and their companies should be taking to protect client information. “If you allow anyone to access the data, they are potentially a channel for identity theft. Organized crime is getting into this in a big way. They (the criminals) often have access to data through the clerical staff — people who don’t perhaps make as much money in the company as others.”

Filed by Kate McCaffery, Advisor.ca, kate.mccaffery@advisor.rogers.com