Sizing up the problem
Identity theft is big business for fraudsters, and a big headache for Government. According to Cabinet Office figures, identity fraud cost the UK economy £1.5bn in 2005. This cost is a double whammy; a significant proportion of identity theft is committed by foreign nationals carrying out their criminal activity from outside the UK. This means that their illegal gains are removed from the UK economy when they are spent abroad.
The number of reported cases has shown a steady rise since it first reached a significant level of public awareness in 1999. The rise still appears to be unchecked, because this is a relatively new crime phenomenon and police do not yet have sufficient experience to investigate and bring those responsible to justice in a meaningful number of cases. Specialist teams investigating identity fraud (such as that based at City of London Police) do exist, most recently in the form of the new National Fraud Reporting Centre (which aims to amalgamate efforts), but so far these have only been used to investigate the most serious cases, estimated to be 1% of total cases reported. Part of the reason for this is that investigations are complex and time-consuming, spanning multiple geographies with a complex paper trail. Furthermore, our stringent data protection laws can actually work against us; access for police to information to help identify offenders is often hindered by arduous requirements for regulation of investigatory powers warrants, which are highly time-consuming to obtain.
If our police forces are to increase our investigation and detection figures for these offences, the public must accept they will need new training, equipment and procedures, all of which come at a cost. And perhaps more controversially, they need additional legal powers to obtain information to identify offenders in a much more streamlined way. Ironically, to keep our identities secure, we must trust them to those that protect them.
The real life impact of identity theft – worse than being robbed in the street?
Identity theft has been seen by many as a victimless crime. In many cases, provided the consumer has not been negligent, they will not be liable for any financial losses incurred as a result of the fraud, for example, their credit card being used to order goods fraudulently. However, the impact of identity theft goes deeper than simple financial losses. In the more trivial cases, impact may be low, for example if a consumer received confirmation of a loan application through the post that they did not make, it may be a simple matter of a telephone call to the building society to explain the circumstances. However, in the more serious cases, where multiple fraudulent applications have been made to perhaps twenty organisations, the amount of time (and consequent cost in terms of lost earnings) required to contact each one may be very significant.
Frequently, the problem doesn’t end there. Credit history is often very adversely affected by the sheer number of credit applications that fraudsters make, and while notes can be added to credit files, credit score invariably suffers as a result. Applications for loans, credit cards, insurance and even mortgages may be denied or have special terms imposed. So while street robbery is undoubtedly a more traumatic experience, cards can be cancelled and replaced in a matter of days. With identity theft, the victim may feel the effects for far longer.
Sharing the responsibility for preventing identity fraud
Until recently, the consumer has shouldered most of the responsibility for prevention of identity fraud. Scare campaigns led by the financial institutions and frightening news stories caused many households to start shredding the myriad of confidential documents that land on our doormats on a daily basis before disposing of them.
However, an increasing number of news stories are starting to emerge, showing that those we trust with our personal information, both private companies and Government bodies, are failing to afford this information the protection it deserves. Failures in systems, processes and the human element of operations have led to some catastrophic leakages of data, leaving the consumer at risk of significant inconvenience and expense.
By way of an analogy, if a bank does not transport cash securely, and it is stolen, the bank and the bank alone bears the brunt of the loss, and will take steps to avoid a recurrence to protect itself financially in the future. Not so if that same bank is careless with our personal data and it falls into criminal hands; the full impact of the security failure hits us, as in reality, it will be difficult or impossible to prove that a single security breach caused a specific criminal act to take place. In that respect, identity theft is a strange crime, in that the negligent party may not be the victim.
Increase security voluntarily now, or have it imposed later
The current situation is clearly untenable, in that at present, there is little incentive for organisations to increase the security they apply to personal information because those organisations are rarely the victim. In time, this fact will lead to legislative change, mandating and defining key security requirements and procedures. Penalties will also need to be defined for those that do not comply.
For that reason, now is the time for organisations to get advice on improving security in their people, processes, governance and tools. Doing so now will ease the pain when these changes are inevitably mandated by law, and increase public confidence that personal data is given the level of protection it deserves.
Securing confidential information in government organisations
Government bodies are dealing with confidential personal information that carries with it many of the risks and threats to the individual described above. As the recent furore over the HMRC / NAO leak shows, the cost of mistakes can be very high. The damage caused can very considerably outweigh the perceived cost of removing the risk points. In the highly publicised case, risk analysis factored in “perceptions” like the reliability of the internal government mail service, that should with hindsight have been regarded with pessimism. Hunting for risk points in a complex environment like that operated in many government agencies and departments can be a lengthy process but it is well worth doing.
Briefing people on the need to respect customer confidentiality for its own sake is very important. Too often, organisations approach confidential information in an “impartial” manner as if the problem is either conceptual or belongs to someone else. Yet as both individual citizens and members of staff we are all threatened by sloppy approaches to security. The mainstay of ensuring secure behaviour is to encourage the right attitudes at all levels of staff and management, for good honest personal reasons.
IT and IS systems can help in the equation and always need to be looked at, but confidential and secure treatment of personal information is not just an IT problem – it is about personal decisions every day at work and the public sector needs to think about the way these decisions are made and how it makes them, not just lean on systemic solutions.