We’ve known for a long time LifeLock’s multi-million advertising campaign was misleading. CEO Todd Davis’ reckless display of his social security number on the side of trucks sent a clear message – our product is a silver bullet against identity theft. Illinois Attorney General Madigan put that myth to rest on Tuesday when she stated, “there is no 100% protection against identity theft.”

We know that. Our member companies live with it every day.

It’s good news that Identity management services are including features that alert consumers to possible fraud before criminals have an opportunity to exploit existing accounts or open new accounts or services. We always recommend consumers use free data protection tools – like monitoring their accounts online – but legitimate paid services can offer a extra level of protection and peace of mind.

It’s time that service providers, including ITAC and our proprietary service, ITAC Sentinel®, be held to a set of standards so consumers have a clear understandings of the value and limitations of paid identity theft protection.

Leibowitz made it clear the settlement represents all the company’s cash reserves to compensate more than a million LifeLock consumers. Leibowitz and Madigan called LifeLock’s advertising campaign and CEO Todd Davis “shameless” for exploiting consumer fear about identity theft.

“No service can provide 100 percent protection against identity theft,” said Madigan. She said LifeLock offered no protection against the most common type of fraud – existing account fraud. Ironically, Madigan received a
direct mail piece from LifeLock stating she was at risk of identity theft.

“As a nonprofit committed to helping consumers, we’ve been worried about LifeLock’s ads for a long time because we felt they were misleading,” said ITAC President Anne Wallace. “We’re happy the FTC has taken action to protect consumers.”

While this encouraging that there has been a 5 percent decline, the reality is that identity theft continues to be major problem. And, these findings very much reinforce the recent findings of the Javelin Strategy & Research’s “2010 Identity Fraud Survey Report,” which found that the number of identity fraud victims in the United States increased 12 percent to 11.1 million adults in 2009, while the total annual fraud amount increased by 12.5 percent to $54 billion.

And, if you do find yourself becoming a victim of identity theft, check out this video that the FTC produced about how to file a complaint with the agency:

According to the Washington Post, privacy and consumer advocates have long urged regulators to address the risks posed by peer-to-peer networks. They say that, for example, an employee at a commercial firm could inadvertently publicize unsecured customer data by using a work computer to download music from a Web service such as BitTorrent, BearShare or LimeWire.

For many years, P2P networks have been a cause of serious cyber security (and copyrights for that matter) concerns. In fact, yesterday, it was announced that researchers had identified Spybot.AKB, a worm that spreads across P2P networks and email systems. So, it is good to see the FTC addressing this issue.

According to this article from CMIO, The FTC’s interpretation of the regulation imposes an unfunded mandate on healthcare professionals for detecting and responding to identity theft, according to the organizations. In the letter, they asked the FTC to make it clear that the rule will not apply to their members given the result of recent litigation brought by the American Bar Association against the FTC where the U.S. District Court for the District of Columbia ruled that lawyers should be excluded from the requirements imposed by the “red flags” rule.

What do you all think about this? George Hulme the Healthcare blogger for InformationWeek had this to say: Step up and protect your customers from identity theft.

We believe that George has a valid point. Healthcare providers deal with sensitive customer information that can easily be compromised. Even though the Red Flags rule may be cumbersome to meet the requirements, what is the alternative? Having patients accept the responsibility when they become victims of identity theft? Wouldn’t it be better to have steps in place to ensure that this data is protected? We welcome all thoughts and feedback!

In early July 2009, BITS, the technology and operations division of the Financial Services Roundtable, submitted a comment letter to the OCC revealing significantly higher compliance burden estimates. The letter is based on the results of a June 2009 survey of eleven Roundtable/BITS member companies representing a diverse mix of banking, brokerage, consumer finance, and insurance products, responded to the survey.  The average amount of time spent on a “red flags” program was 2,650 hours with a low of 250 hours and 5,000 hours.  To view the comment letter, click here.

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) requires financial institutions that hold critical customer information to develop identity theft “red flags” programs for new and existing accounts by November 2008.  Since the agencies issued the proposed rule in 2006, BITS has worked with member financial institutions and regulators to understand the new regulation and to develop cost effective compliance strategies.  Our efforts include:
•    Submitting a detailed comment letter in 2007 to the regulatory agencies on a proposed regulation.
•    Convening a dozen conference calls with members and regulators to understand the rule and discuss compliance strategies.
•    Submitting questions for the Frequently Asked Question document (FAQ) in 2008.
•    Engaging credit bureaus, U.S. Postal Service and others on address discrepancy requirements.
•    Conducting two member surveys on implementation challenges and compliance burden.

An integral part of identity theft red flags programs is reliance on the Identity Theft Assistance Center (ITAC).  Federal financial regulators have begun examinations of financial institutions and the early indications are that financial institutions have developed robust and acceptable ID Theft Red Flags programs.

John Carlson is Senior Vice President of BITS/Financial Services Roundtable where he manages relationships with regulatory agencies and engages experts from financial institutions on information security, operational risk, vendor management, fraud risk, and business continuity planning. BITS is the technology and operations division of the Financial Services Roundtable. On June 11, the federal financial regulators and the Federal Trade Commission jointly issued answers to 37 frequently asked questions (FAQs) on the ID Theft “Red Flags” regulation. The FAQs are available on all of the agencies websites and here is a link to the FDIC’s website.

Despite progress, it’s clear there’s still work to be done to help victims, like making it easier to file a police report. But the elephant in the hearing room was the need to prevent identity theft in the first place – through better authentication practices, better data protection through regulation, better resources for investigating cybercrime, to name a few.

There was a lot of great information, but one exchange stands out. Now that medical records are going online, Rep. Eldophus Towns (D-NY) asked if there should be a federal preemption of state privacy laws in order to protect health care consumers. The witness for the Electronic Privacy Information Center said such a preemption would be a “tragedy,” explaining that California has amended existing law to address medical identity theft and that federal preemption would have stifled that.

I know that the FTC is seeking comments on a Health Breach Notification rules as part of the economic stimulus package. But what kind of security can we expect from vendors who handle our electronic records to prevent a breach in the first place?

Kate Ennis
Ennis Communications