New Federal Legislation Would Top List of Major Events Shaping America's Response to Identity Theft Threats

This summer, the House Ways and Means Committee unanimously approved a bill that could drastically affect the national incidence of identity theft by eliminating the use of Social Security numbers – a key identifier – by businesses and government entities. Third party groups such as AARP and the U.S. Public Interest Research Group are among the bill’s top supporters, advocating that until organizations make it more difficult for identity thieves to get the authentication they need to commit their crimes, potential victims will never be safe. National identity theft expert, Brian Lapidus, senior vice president of Kroll’s Fraud Solutions, agrees that, if passed, this legislation would have a lasting impact on the future of identity theft. "Social Security numbers are the most desirable elements of sensitive personal data,” says Mr. Lapidus, whose team of licensed investigators currently serves more than 10,000 businesses and millions of individuals dealing with data breaches and issues of identity theft. "As such, we caution our business clients to minimize their use as personal identifiers to better safeguard themselves and their customers in the event of an attack. Rather than wait for new legislation, organizations should be proactive about guarding against huge financial, market and reputational losses by changing their practices now.” Below, Mr. Lapidus outlines the top five events to-date that have paved the way for this legislation and, more importantly, changed the way consumers and businesses alike think about identity theft. 1. January 2007 – TJX Announces Major Data Breach, Reportedly Largest On Record: Earlier this year, TJX Companies, Inc. – parent to such retailers as T.J. Maxx, Marshalls and HomeGoods – announced that hackers had stolen more than 45.7 million consumer credit and debit card numbers from its IT systems over a period of 18 months. Another 455,000 customers who had returned merchandise without receipts had their data stolen, as well, including driver’s license numbers. The magnitude of the breach – thought to be the largest in corporate history – continues to draw significant national attention to the topic of data security, specifically how data breaches should be handled and where the onus lies in terms of victim support and restitution. In response to growing concerns, Minnesota recently passed the Plastic Card Security Act that prevents retailers from storing customer credit information and holds them financially liable if that information is breached. Similar legislation is being considered in a number of other states, including California. Nearly 11 months after the breach was announced, experts are estimating total costs to the company at $256 million. But, with an investigation by the FTC and many class action law suits still pending, the total is expected to rise. 2. May/August 2006 – U.S. Department of Veterans Affairs Announces Two Data Breaches Affecting 26.5+ Million Veterans and their Families: In two separate incidences, laptops containing the personal information (i.e., Social Security numbers, dates of birth, etc.) of 26.5+ million veterans and their families were stolen from the U.S. Department of Veterans Affairs. Though the missing laptops were soon recovered and an examination of the files suggested they were never accessed, the magnitude of the breach – the third largest on record and the largest breach of Social Security numbers – combined with the national attention it generated make it the most influential data breach on record. 3. 2005 – The Year of the Breach Notification Bandwagon: In 2002, California was the only state to introduce legislation requiring companies and/or state agencies to disclose consumer security breaches involving personal information. The law, enacted in 2003, was the primary reason why the ChoicePoint security breach (see below) became a matter of public record. However, it was in 2005 that the domino effect of data breach notification laws raced through state legislatures, with at least 25 states introducing breach notification laws in that year alone. Today, 39 states have enacted such legislation – the most recent being Massachusetts and Oregon in the summer of 2007 – causing businesses and government entities to put a greater emphasis on the protection of consumer data. The legislation also gives more power to consumers, who are now equipped with increased rights and the knowledge necessary to protect themselves and their identities. 4. February 2005 – ChoicePoint Announces Breach Affecting 163,000: In late 2004, ChoicePoint discovered that identity thieves had stolen the personal information of 163,000 consumers nationwide. Initially, the company only intended to notify the 35,000 California consumers affected, as required by the state notification law (the first of its kind at the time). Eventually, under greater public scrutiny, ChoicePoint was forced to notify the remaining 128,000 victims. In January 2006, after two years of negotiations, ChoicePoint came to a $15 million agreement with the Federal Trade Commission (FTC) to settle legal disputes related to the incident. The $10 million civil fine included in the sum remains the largest in FTC history. The reputational costs of the breach have never been calculated. 5. October 2003 – Citibank Ads Give a Face to Identity Theft: Citibank made a big splash in late 2003 with the introduction of a series of creative television advertisements that used humor to tell the identity theft story. The ads, designed for the launch of new Citibank services, featured identity theft victims talking in the voices of their identity thieves (from common thugs to valley girls) as they discussed the fun they had with the victims’ credit cards and bank accounts. The ads marked the first time many Americans were able to visualize the consequences of identity theft without experiencing them firsthand and drove home the point that everyone is a potential victim. About Kroll Kroll, the world's leading risk consulting company, provides a broad range of investigative, intelligence, financial, security and technology services to help clients reduce risks, solve problems and capitalize on opportunities. Kroll Inc. is a wholly-owned subsidiary of Marsh & McLennan Companies, Inc. (NYSE: MMC), the global professional services firm. Kroll began providing identity theft solutions in 1999 and created its Fraud Solutions practice in 2002 in response to increasing requests from clients for counsel and services associated with the loss of sensitive personal information, and related identity protection and restoration issues facing organizations and individuals. Since then, Kroll’s Fraud Solutions clients have included Fortune 500 companies, non-profit organizations, and government entities dealing with healthcare, financial services, insurance, consumer service, and any activity involving the collection and use of personal information. Kroll’s Fraud Solutions team presently serves over 10,000 businesses and millions of individual consumers. For more information, visit: www.krollfraudsolutions.com.