Identity theft is emerging as the leading crime of the 21st century. Simply put, identity theft is the deliberate stealing of another person’s identifying information for criminal purposes. According to a recent survey conducted by Deloitte and an American privacy think tank, one in five respondents has been the victim of identity fraud or theft. PhoneBusters, a Canadian anti-fraud call centre jointly operated by the Ontario Provincial Police and the Royal Canadian Mounted Police, received almost 15,000 identity-related theft reports in 2003, totalling over $21 million in losses. The threat is increasing significantly, and methods of identity theft are becoming more sophisticated every year.
At the same time, increased awareness is forcing organizations to ramp up efforts to protect sensitive data. For instance, some companies have made great strides in showing consumers how to protect themselves, and in establishing ways for people to report suspicious activity.
But there’s more that companies can do, particularly when it comes to the personally identifiable information of their customers and employees. “To date, the burden has been on individuals to protect themselves,” says Andreas Faruki, Deloitte’s Identity Management and Privacy Leader in Canada. “But that’s a fallacy.” He suggests that the responsibility for identity protection rests with the organizations that capture and store personal data. “This is the dilemma that corporate Canada is now wrestling with.”
From high-tech to human error: How hackers can steal sensitive information
Identity theft is typically associated with credit card and mail fraud. But new methods, such as spear-phishing (targeted and convincing email attacks), are constantly emerging. High-tech versions include the use of phishing and pharming (persuading people to disclose sensitive information through phony emails and web sites), and malicious spyware and hacking to obtain information. Low-tech forms consist of laptop theft or social engineering techniques, such as posing as a call-centre employee or sending a fake email to obtain personal identifying information. “Anyone with the energy and time could collect enough ‘tombstone data,’ such as date of birth and postal code, from the Internet to impersonate you and get a loan,” says Faruki.
Companies also have to recognize that identity theft is not just about the technology. “Often the security of information is compromised by human behaviour,” says Faruki. Individuals entrusted with managing personal information often lack adequate security qualifications, and human error frequently accounts for highly publicized security breaches. “Organizations that are the custodians of information need to do a better job of how they secure and protect it,” says Faruki.
Reduce ID theft through technology and improved data management
Companies often fall into the trap of viewing information security as an added cost. As a result, they under-invest in security and data protection systems. But a recent study by the Gartner Group suggests that investing in data protection is less costly than dealing with a major security breach. With improved security, operations and infrastructure, companies can improve service delivery, strengthen consumer trust and increase their competitive advantage.
But companies don’t always see the link between robust security and privacy protection in managing their information systems. “Most of corporate Canada is a long way from having the right leadership and tools to correctly and safely manage personal information,” suggests Faruki. “We’re at a transition where companies need to learn how to protect that data.”
The first step usually involves technology solutions such as web and email validation services, data encryption and the use of smart cards. “These solutions are good,” says Marc MacKinnon of Deloitte’s Security & Privacy Services group, “but they should not be merely reactive. To effectively protect your information systems, you have to take a more comprehensive approach,” he says.
MacKinnon cautions that there is no “silver-bullet technology” that will guarantee the security of your data. The solution lies not in technology itself, but in how you implement that technology and enforce secure processes. He recommends combining technology with other security measures, from well-crafted internal policies and data access procedures to screening new hires and ensuring that third-party service providers are not the weak link in the chain.
Better risk management can reduce instances of identity theft
Faruki’s approach is to look at information security attacks as risk-based events. The main issues that companies should consider: Where is their information located? Is it encrypted? How is the information stored and disseminated? What are the security credentials of the information gatekeepers?
Deloitte’s Security & Privacy Services group conducts risk analyses for companies, banks, government and small businesses — all of which are vulnerable to identity theft. The group is often called on to assist companies in devising their security policies and procedures. The team helps companies assess their security risks, design a customized “road map,” and recommend IT solutions to handle identity management. “Our services are designed to help companies work through the risk exercise in a holistic way,” says Faruki.