This report documents the President's Task Force on Identity Theft’s efforts to implement the Strategic Plan’s recommendations. The report indicates that the Task Force successfully carried out most of the recommendations or is making substantial progress in doing so.
The report made recommendations in four primary areas:
- preventing identity theft by keeping consumer data out of criminals’ hands,
- preventing identity theft by making it more difficult for criminals to misuse consumer data,
- assisting victims in detecting and recovering from identity theft, and
- deterring identity theft by increasing the prosecution and punishment of identity thieves.
With respect to identity theft prevention, the Task Force suggested that decreasing the use of social security numbers (SSNs) in the public sector and reviewing the use of SSNs in the private sector could help prevent identity theft. Also, the Task Force suggested that educating employers and individuals on how to safeguard data, as well as establishing national data protection and breach notification standards, could further aid in preventing identity theft.
Relating to victim assistance, the Task Force suggested that identity theft victims may be better served if first responders were specially trained to assist this particular class of victim. It also addressed victim redress by recommending that identity theft victims be able to obtain an alternative identification document after the theft of their identities.
Through the Identity Theft Enforcement and Restitution Act of 2008 (Title II of Pub. L. No. 110-326), Congress responded to the Task Force’s recommendation that criminal restitution statutes allow victims to be compensated for their time in recovering from the actual or attempted identity theft.
Regarding identity theft deterrence, the Task Force recommended enhancing information gathering and sharing between domestic law enforcement agencies and the private sector, ramping up identity theft training for law enforcement and prosecutors, and increasing enforcement and prosecution of identity theft. The Task Force also promoted international cooperation to decrease identity theft through identifying countries that may be safe havens for identity thieves, encouraging anti-identity theft legislation in other countries, and increasing international cooperation in the investigation and prosecution of identity theft.
- amending the identity theft and aggravated identity theft statutes so that thieves who misappropriate the identities of corporations and organizations — and not just the identities of individuals — can be prosecuted,
- amending the aggravated identity theft statute by adding new crimes as predicate offenses for aggravated identity theft violations,
- amending the statute criminalizing the theft of electronic data by eliminating provisions requiring that the information be stolen through interstate communications,
- amending the computer fraud statute by eliminating the requirement that damage to a victim’s computer exceed $5,000,
- amending the cyber-extortion statute by expanding the definition of cyber-extortion, and
- ensuring that the Sentencing Commission allows for enhanced sentences imposed on identity thieves whose actions affect multiple victims.
Congress has already taken steps to address some of these Task Force recommendations. Through the Identity Theft Enforcement and Restitution Act of 2008, Congress, among other things, eliminated provisions in the U.S. Code requiring the illegal conduct to involve interstate or foreign communication, eliminated provisions requiring that damage to a victim’s computer amass to $5,000, and expanded the definition of cyber-extortion.
However, Congress did not addressed the Task Force recommendation to expand the identity theft and aggravated identity theft statutes to apply to corporations and organizations as well as to individuals, nor has it addressed the recommendation to expand the list of predicate offenses for aggravated identity theft.
The Task Force's guidance was distributed in a September 2006 memorandum from the Office of Management and Budget to the heads of federal agencies and departments. In May 2007, the Office of Management and Budget issued a memorandum that updated the September 2006 guidance and, among other things, required agencies to develop and implement data breach notification policies within 120 days.