Identity Theft Headlines.com

The Latest News on Business and Personal ID Theft

Tualatin chamber offers anti-identity theft help for area businesses

Posted by MDT on April 29, 2008

Press Release-4282008

The Tualatin Chamber of Commerce can now help area businesses meet the requirements of Oregon’s tough, new anti-identity theft law.

The Oregon Consumer Identity Theft Protection Act (OCITPA) and your business.

State Law (SB_583): Effective January 1, 2008, Oregon’s new law requires that a business:

-Have a comprehensive information security program with pre-determined safeguards in place.

-Ensure by contract that any service providers, contractors, and vendors it uses agree to and adhere to Oregon Law (SB_583).

-Notify its customers, clients, or business partners when non-public data is lost.

A business found not to be in compliance faces fines up to $1,000 for each violation (per day) with a cap of $500,000, plus compensation to victims.

The Tualatin Chamber of Commerce can help.
To help the Tualatin business community avoid these problems, the Tualatin Chamber of Commerce has partnered with CASHTOOLS, Inc.’s Sue Whittaker. Sue is the co-author of Oregon law (SB_583) and is one of the nation’s top experts on business anti-identity theft protocol and compliance. Sue is joined by Michael Thayer, who is also available to answer your questions and assist your business with the new law.

To help facilitate your business’s compliance with the law, team members will visit your business and provide a consultation and the required materials. Please call 503-515-6383 with questions or to schedule your appointment.

Posted in Business-Based ID Theft, Oregon Law (SB_583)

How Oregon Senate Bill 583 affects your business

Posted by MDT on April 22, 2008

The Oregon Consumer Identity Theft Protection Act – Effective January 1, 2008

Your business must implement an information security program that includes the following:

-Establish administrative safeguards.

-Designate one or more employees to coordinate the security program.

-Identify reasonably foreseeable internal and external risks.

-Assess the sufficiency of safeguards in place to control the identified risks.

-Select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract.

-Adjust the security program in light of business changes or new circumstances.

Technical safeguards such as the following:

-Assess risks in network and software design.

-Assess risks in information processing, transmission and storage.

-Detect, prevent and respond to attacks or system failures.

-Regularly test and monitor the effectiveness of key controls, systems and procedures.

Physical safeguards such as the following:

-Assess risks of information storage and disposal.

-Detect, prevent and respond to intrusions.

-Protect against unauthorized access to or use of personal information during or after the collection, transportation and destruction or disposal of the information.

-Dispose of personal information after it is no longer needed for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information

Posted in Business-Based ID Theft, Government-Based ID Theft, Medical Identity Theft, Oregon Law (SB_583)

New ID theft law imposes duties on Oregon corporations

Posted by MDT on April 22, 2008

Required security programs must contain a lengthy list of checks and safeguards

Portland Business Journal – by Rob LeChevallier

Oregon’s new identity theft law puts additional requirements on businesses to safeguard their customers’, members’ and clients’ personal information.

This includes personal information on consumers that is used in the course of an organization’s business, vocation, occupation and volunteer activities.

The law, which became effective Jan. 1, requires for-profit, nonprofit and public entities to protect “consumer personal information,” which includes the individual’s first name or first initial in combination with their Social Security number, driver’s license, passport number, financial account numbers, credit or debit cards.

With certain governmental exceptions, Social Security numbers must be excluded from any materials not requested by the consumer. They also should be excluded from documentation of a transaction or service requested by the consumer that is mailed to the consumer, unless the numbers are redacted, meaning only the last four or six digits are used.

The new law also requires that such “persons” who own, maintain or otherwise possess such data must develop, implement and maintain reasonable safeguards to protect the data, confidentiality and integrity of the personal information. This includes disposal of the data.

This security program must include administrative safeguards, designate employees to coordinate the program, assess the risks in network and software design, and require that data service providers are capable of maintaining appropriate safeguards. The program must also be adjustable in light of business changes or new circumstances. This program is not limited to electronic security but also must include physical safeguards such as assessing the risks of information storage and disposal and protecting against unauthorized access to or use of personal information.

Manufacturers with fewer than 200 employees or other businesses with 50 or fewer employees may comply with new requirements if the information security and disposal program they adopt contains administrative, technical and physical safeguards and disposal measures appropriate to the size and complexity of the small business, the nature and scope of its activities and the sensitivity of the personal information collected from or about consumers.

If there is a breach of data security, the new law requires mandatory reporting and notice to the consumers, television and newspaper media, governmental agencies and consumer reporting agencies. With certain exceptions consumers can also put a “security freeze” on their consumer credit report.

What does this mean for the average Oregon business?

  • You must review the information that is collected on your customers. Is the data stored in a secure place? Who has access to this information? Are your computer files password-protected? Does the janitor or the cleaning staff have access to your customers’ confidential information? Do you shred all confidential information after use?
  • Are you collecting Social Security numbers, driver’s license numbers, credit card numbers and other sensitive information? Is this information really necessary, or are there alternative means of identification? Do you redact these numbers so only the last few digits appear? What do you mail to your customers and could your mailings include sensitive data?
  • What kind of network security do you have? Do you have confidentiality agreements with your vendors, including your IT professionals and archive services? Do you purge old client or customer personal information?
  • If you are involved on the board of a nonprofit or charitable organization (think church or soccer league) make sure that the information they possess is protected the same way as a business would. The standards are exactly the same.
  • Have you drafted a written program on information security and designated a person in your office to train employees to implement the program?

The penalties for violating the new act can be severe. In addition to all other penalties, the Oregon Department of Consumer and Business Services can impose fines of $1,000 for every violation.

The real penalty is not the threat of fines but the risk to your goodwill or customer base. A year or two ago, one of my clients was notified by the police that his mortgage application file was found as part of an arrest of an identity theft ring. He came to me wanting to sue the mortgage company that had failed to protect the security of his personal information. Can you imagine the loss of customers (let alone liability) your business would have if an identity theft was publicized and if your clients or customers knew that their confidential personal information was being sold on the street?

Rob LeChevallier is a business attorney in the law firm of Buckley LeChevallier PC in Lake Oswego. He can be reached at 503-620-8900 and at rlc@buckley-law.com.

Posted in Business-Based ID Theft, Oregon Law (SB_583)

Medical identity theft: don’t be a victim

Posted by MDT on April 22, 2008

Monday, April 21, 2008

Many people are familiar with identity theft, in which con artists use another person’s personal information to commit fraud. Identity theft encompasses a range of crimes, from using a stolen credit card to make an illegal purchase to employing a pilfered Social Security number to establish a new identity.

One truly alarming twist on this trend is medical identity theft, a crime that can threaten your family’s well-being. The Minnesota Society of CPAs (MNCPA) offers an overview of medical identity theft and steps you can take to avoid becoming a victim.

Anatomy of a crime

Much like other identity thieves, medical ID thieves steal personal data, typically insurance information or Social Security numbers. The difference is that these scams involve health care.

1) These thieves may use your identity to get medical care or medications. That’s not the only danger, though.

2) In some cases, dishonest health care providers or a thief may use stolen personal information to file a false claim and receive reimbursement from an insurance company.

3) If you are the victim of medical ID theft, you likely will not be aware that your data has been stolen and that your medical records now show a history of illnesses or procedures that you have never actually had.

An added danger

Unlike conventional identity theft, medical identity theft can actually endanger your health. If a thief has medical procedures performed using your identity, that person’s medical history is now added to your own. Medical identity theft victims who go into the hospital for needed procedures have found out that their records show incorrect information about previous medical conditions. As a result of such mix-ups, patients may receive the wrong blood type in a transfusion or be given a drug to which they’re allergic. There are financial consequences as well. Victims often face credit problems after thieves ring up unpaid bills in their name, which can damage their credit ratings.

Look for warning signs

Medical identity thieves carefully conceal their actions, but there are warning signs that can alert you to a possible problem. For example, you may get a communication from your insurer or a bill from a physician that refers to an unfamiliar medical visit or service. You may also receive notices demanding payments for medical bills in your name. If any of these occur, contact the insurance company or physician immediately to find out more information. The World Privacy Forum also recommends that you ask your insurer for a listing of benefits paid in your name and request a copy of your current medical files from all your insurers.

A personal health record

It’s a good idea to keep a personal health record that details any illnesses you have had, medical services you’ve received and medications that you take. It will help you answer questions about your health and identify potential medical ID theft when something on your records doesn’t make sense.

Do you have further concerns about potential fraud risks facing your family? Your local CPA can help. Consult him or her with any questions you have on these or other financial issues.

Posted in Business-Based ID Theft, Medical Identity Theft, Personal ID Theft Articles

East Coast supermarket chain exposed 4.2 million credit and debit card numbers

Posted by MDT on April 22, 2008

Hannaford Bros Supermarkets Hit By Big Data Breach

BOSTON (WBZ) ― A security breach at an East Coast supermarket chain exposed 4.2 million credit and debit card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday.

Hannaford said credit and debit card numbers were stolen during the card authorization process and about 4.2 million unique account numbers were exposed.

The breach affected all of its 165 stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products.

The company is aware of about 1,800 cases of fraud reported so far relating to the breach.

No personal data such as names, addresses or telephone numbers were divulged — just account numbers.

Hannaford became aware of the breach Feb. 27. Investigators later discovered that the data breach began on Dec. 7; it wasn’t contained until March 10, said Carol Eleazer, Hannaford’s vice president of marketing in Scarborough.

“We have taken aggressive steps to augment our network security capabilities,” Hannaford president and CEO Ronald C. Hodge said in a statement released Monday. “Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.”

The company urged its customers to monitor their credit and debit cards for unusual transactions and report any problems to authorities.

The U.S. Secret Service, whose duties include investigating electronic crimes such as data breaches, confirmed it’s investigating but declined to comment on the scope of the crime.

“The company did contact us, and we are investigating,” said agency spokesman Malcolm Wiley.

MasterCard, the second-biggest U.S. credit card association after Visa, issued a statement before Hannaford’s disclosure: “Because this incident is the subject of an ongoing law enforcement investigation, we cannot disclose additional details regarding the incident or otherwise comment at this time.”

Calls to Visa were not returned.

Mark Walker, an attorney for the Maine Bankers Association, said his organization sent an advisory to member banks Friday after learning of the breach. Only a few had reported suspicious activity involving the credit and debit cards they had issued customers, Walker said.

“I had expected there would be more than we’ve heard of,” Walker said. “But it’s still too early for us to tell.”

Bruce Spitzer, a spokesman for the Massachusetts Bankers Association, criticized the delay in public notification of the source of the breach.

“Visa and MasterCard have stipulated in their contracts with retailers that they will not divulge who the source is when a data breach occurs,” Spitzer said. “We’ve been engaged in a dialogue for a couple years now about changing this rule…. Without knowing who the retailer is that caused the breach, it’s hard for banks to conduct a good investigation on behalf of their consumers. And it’s a problem for consumers as well, because if they know which retailer is responsible, they can rule themselves out for being at risk if they don’t shop at that retailer.”

Paul Stephens, of the San Diego-based consumer advocacy organization Privacy Rights Clearinghouse, said the delay in disclosure “puts consumers in a difficult position because they have no way of knowing whether their accounts may have been impacted or not.”

Eleazer defended Hannaford’s actions.

“We moved with all deliberate speed to get out to customers with information that we could have confidence in,” she said. “This is a complex undertaking.”

Consumer advocates said this crime costs $50 billion each year. And while victims aren’t held responsible for fraudulent charges, in the end everyone pays.

“At the end of the day, as customers, we all pay for it because we get that passed on to us in the form of higher costs for consumer goods and products,” said Eric Bourassa with MASSPIRG.

Hannaford is advising customers to take the following steps:

  • Customers should carefully review their financial institution and credit card statements, and immediately contact their credit card company or issuing bank with any questions or concerns about individual charges.
  • Customers with questions may call Hannaford’s customer assistance line at 866-591-4580.

Posted in Business-Based ID Theft, Personal ID Theft Articles

Like Stealing Credit From A Baby

Posted by MDT on April 22, 2008

Liz Moyer with Tatyana Shumsky 03.06.08, 6:00 PM ET

When you think about identity theft, you don’t typically think about protecting your kids. Maybe you should.
While adults in their spending years–30s and 40s–are typically the targets, a growing number of victims tracked by the Federal Trade Commission are under the age of 18–some 5% of the total. That’s up from 3% just a few years ago. More than half are under the age of 6.

The reason is simple: It’s practically the perfect crime. All anyone needs is a Social Security number to get started opening new accounts, and parents usually apply for the number when their child is born. Usually the thief is a family member or another adult who spends time in the home, according to the Identity Theft Resource Center.
Child identity theft is especially pernicious because it can go undetected for years, unearthed only when the victim goes for a driver’s license or a student loan, only to be turned down. By then the crime trail is cold, and the thief has likely long abandoned the accounts after maxing them out.
“Consumers who have been victims of identity theft as a child will face great difficulties when attempting to establish credit later in life,” according to information on the Web site of Experian, one of the big three credit-reporting firms.
One of the problems is the lack of cross checking among the various credit reporting agencies and credit issuers about the age of the person seeking credit. So, using any birthday, a child’s stolen Social Security number can be used to take out credit, giving the thief instant credibility.
The age put down on the application becomes the official credit report age and sticks on the credit report unless a dispute is filed and proved.
“The information on the application is typically taken at face value,” writes Linda Foley, founder of the San Diego-based center. “This is a fault within our system that needs to be rectified.”
Consumer advocates also advise parents to closely monitor kids’ use of Web sites and chat rooms, which may ask for personal information on the registration screen, and to educate children about keeping personal information private. If parents start getting a lot of card solicitations in the mail in their child’s name, that is cause for alarm. As if parents didn’t have enough to worry about.
Overall, complaints about identity theft rose 5% in 2007, according to the Federal Trade Commission. The average victim wound up shouldering $691 in costs because of it, up from $554 the previous year. Federal law enforcement efforts to clamp down couldn’t keep thieves from getting away with $45 billion last year.

Posted in Kids as ID Theft Victims, Personal ID Theft Articles

Man Accused of Stealing 7-Year-Old’s ID

Posted by MDT on April 22, 2008

Feb 23, 2:42 PM (ET)

CARPENTERSVILLE, Ill. (AP) – Police in a Chicago suburb say the Internal Revenue Service has told a 7-year-old boy he owes back taxes on $60,000 because someone else has been using the youngster’s identity to collect wages and unemployment benefits.
Officers in suburban Carpentersville said Friday the second-grader’s identity has been in use by someone else since 2001.
Detectives have filed a felony identity theft charge against 29-year-old Cirilo Centeno of Streamwood, Ill.
They accuse Centeno of using the boy’s personal information to collect more than $60,000 in pay and services while working three jobs. They say he also used the boy’s ID to buy a truck, pay bills and even collect unemployment benefits.

Posted in Kids as ID Theft Victims, Personal ID Theft Articles

A valid SS#, name, and date of birth=$1300 street value

Posted by MDT on April 20, 2008

48 people are now indicted as part of Wednesday’s identity theft raid at the Pilgrim’s Pride in Mount Pleasant. Immigration and customs officials confirmed that they’ve been looking into the scam for over a year.

Nearly 300 people in all were arrested in the pre-dawn raids at plants in 5 states. Authorities want to make it clear that the arrests were not random, and they had proof those in custody were working under someone else’s Social Security number.

“A good set of documents that had the right Social Security number and right name could run up to $1300,” said John Chakwin, Special Agent In Charge, Immigration & Customs Enforcement. “It costs you more money for the right Social Security number and right name and date of birth. All the documents are provided to you, including driver’s license, birth certificate. And they are all counterfeit.”

ICE agents said their investigation started when the victims of these identity thefts came forward after issues such as being unable to get credit reports and having problems with their taxes.

Garcia said it was well known that around 80% of the workers at Pilgrim’s Pride had fake identification. He also said the plant had to have known about it.

Posted in Business-Based ID Theft, Personal ID Theft Articles

91 Pilgrim’s Pride Workers Face Criminal Charges in Ongoing Identity Theft Probe

Posted by MDT on April 20, 2008

Mount Pleasant Plant Included in Raids

April 20, 2008

U.S. Immigration and Customs Enforcement (ICE) agents worked through the night processing the more than 300 foreign national workers arrested yesterday at Pilgrim’s Pride plants in five states who are suspected of committing identity theft and other criminal violations in order to obtain their jobs. The most arrests by a wide margin were the forty-six in the East Texas town of Mount Pleasant, which is the headquarters of Pilgrim’s Pride.

Of the 311 Pilgrim’s Pride employees taken into custody during the enforcement action, 91 have been charged so far with criminal violations, including false use of a Social Security number and document fraud. The workers facing criminal charges have been turned over to the custody of the U.S. Marshals Service. The remaining Pilgrim’s Pride employees are being processed for removal on administrative immigration violations.

All of the individuals arrested during yesterday’s operation were interviewed by ICE agents and health care professionals, assigned to ICE from the Department of Health and Human Services Division of Immigration Health Services, to determine if they had health, caregiver, or other humanitarian concerns, and to identify possible urgent medical needs. As a result of those interviews, 58 of the workers were processed and released on humanitarian grounds under supervision, pending future immigration proceedings.

ICE has established a toll-free number that family members can call to get information about a relative’s detention status and the removal process. The toll-free hotline number is 1-866-341-3858.

Yesterday’s enforcement action is the result of an ongoing ICE-led investigation in cooperation with the U.S. Attorneys’ Offices in the Eastern District of Texas, the Eastern District of Arkansas, the Eastern District of Tennessee, the Middle District of Florida, and the Northern District of West Virginia. Also aiding in the investigation are the Department of Labor’s Office of the Inspector General; the Social Security Administration’s Office of Inspector General; the U.S. Department of Agriculture’s Office of Inspector General; U.S. Customs and Border Protection; the U.S. Postal Service; the U.S. Marshals Service; the West Virginia State Police; and numerous other state and local agencies.

As part of the investigation, ICE conducted simultaneous enforcement actions yesterday at Pilgrim’s Pride plants in Mount Pleasant, Texas; Live Oak, Fla.; Chattanooga, Tenn.; Batesville, Ark.; and Moorefield, W.Va. More specific information about each enforcement location is included on an updated fact sheet available at www.ice.gov.

The management at the affected Pilgrim’s Pride facilities cooperated fully with the arrests. Pilgrim’s Pride Corp., headquartered in Pittsburg, Texas, is one of the largest chicken-processing companies in the United States.

ICE’s ongoing investigation determined that many Pilgrim’s Pride workers committed identity theft and other criminal violations to obtain their jobs. ICE agents have interviewed numerous individuals during the course of the probe whose identities were stolen by Pilgrim’s Pride employees. Those victims described a myriad of hardships they suffered as a result, including mistaken tax liens, denial of medical and social services benefits, and damage to their credit ratings.

Misuse of Social Security account numbers is a felony that carries a maximum penalty of five years in federal prison and a fine of up to $250,000. After completion of the criminal proceedings, defendants found to have been in the United States illegally will be returned to ICE custody and placed in deportation proceedings.

Posted in Business-Based ID Theft, Personal ID Theft Articles

What one man is doing to fight one of the nation’s fastest growing crimes: Identity Theft

Posted by MDT on April 20, 2008

ROY L. WILLIAMS
Sunday April 20, 2008

News staff writer

For the past five years, Jimmy Parrish has helped companies across 20 states implement plans that help their customers and employees avoid falling victim to one of the nation’s fastest-growing crimes: identity theft.

It is a job Parrish takes personally – his identity was stolen by scam artists five years ago.

More than 162 million personal records were reported lost or stolen last year, triple the 49.7 million that went missing in 2006, Parrish said. A February report from the Federal Trade Commission ranked Alabama 17th among U.S. states in the number of identity theft complaints last year, up from 27th in 2006.

It is a crime that can create havoc for both businesses such as TJ Maxx and governmental agencies such as the U.S. Veterans Administration, both of which reported huge identity theft breaches last year.

Parrish shares why identity theft continues to rise and tells his story…

“Someone had checks made with my routing number and account number but with a fictitious address in Coosa County. They also had a fake Alabama driver’s license with my name, but someone else’s picture.

Over $3,000 in hot checks were written to Mississippi casinos, cleaning out my account. My local bank reimbursed me every dollar since they budget for that occurrence. However, they required me to spend parts of three days in their branch to meet with fraud investigators, who performed handwriting analysis until they were convinced I was not the culprit.”

“I literally was considered guilty until proven innocent, and felt like I was being treated as the criminal instead of the victim.”

“I promptly changed banks after the ordeal, which helped focus my efforts on making a difference in the area of identity theft risk management and keeping other identity theft victims from having to experience the trials I had gone through.

A mentor from my youth in Montgomery, who later served as chief of staff for Alabama Gov. Fob James, got involved in this field in the late 1990s. I was intrigued but not convinced I could make a living in this new and upcoming niche consulting market.”

“At that time, I had started my own company specializing in religious event planning and international missions travel. After 9/11 crippled my business in 2001 and 2002, I launched full time into this field in 2003 and now have clients in over 20 states.

I show businesses how to minimize the risk and mitigate the damages when identity theft strikes a member of the business community. No business is immune, public or private, for-profit or nonprofit. A business employing one person or a business employing thousands of employees can fall victim.”

“I have clients that fit all ranges of business types. I seek to educate a business owner about the new identity theft laws requiring businesses to be taking reasonable measures to ensure sensitive and nonpublic information is not compromised, based on Federal Trade Commission guidelines.

The ID theft consulting field continues to grow. Whereas other industries are laying off employees and entering downturns, my business has never been stronger, having set income records each month in 2008 over 2007.”

Because many of the perpetrators are operating outside our country’s borders, mostly through the Internet, where our laws cannot touch these thieves. The U.S. government is trying to police business owners, whom they can control.

New ID theft laws have been passed this decade, but when thieves are caught, the sentences have been so light that incarceration, fines and penalties are not serving as much of a deterrent. Now, 38 states have either passed laws or are in the process of doing so.

What should you do if victimized by identity theft?

Contact one of the three major credit bureaus to place a fraud alert on your credit report. That bureau will contact the other two signaling to credit granters that a thief may be using your identity for criminal means.

Close all accounts. Begin with credit cards and close bank accounts if your check book was stolen. File a police report. Regardless of what you experience, you will need to take action immediately to minimize the ultimate financial impact.

Posted in Business-Based ID Theft, Personal ID Theft Articles