This case involves various plaintiffs who used a local tax preparation service. Their credit information was stored in a non-secure database which was accessible to the employees of the company. An employee of the company sold the personal information to local criminals. These criminals then colluded with employees of a phone company to fraudulently purchase multiple cell phones on behalf of the plaintiffs. The plaintiffs received bills from the phone company informing them that payments were due on their fraudulently created accounts. It is alleged that the tax preparation service was negligent in failing to secure customers’ private information. Further, it is alleged that the phone company was negligent in failing to flag the fraudulent transactions.
Question(s) For Expert Witness
- 1. Please describe your background in data security and identity theft.
- 2. What type of information can be exploited through stolen social security numbers and other personal information?
- 3. Are you able to evaluate the cost of protecting someone's identity over the long-term?
Expert Witness Response E-089500
As the Chief Information Officer at a community bank, I was responsible for data security and preventing identity theft of the bank’s customers by assuring that all systems were secure from hacking, including skimmers on ATM machines. Information security includes having appropriate human behavioral controls in place in policies, procedures, audit trails and training. I was a software engineer at a company that analyzed data from the credit bureaus and generated credit risk profiles for the cellular telephone industry.
Stolen social security numbers are used to fraudulently apply for loans of all types. Credit is granted for the loan and this may result in cash, consumer goods such as cellular devices and computers, home loans, automobiles, boats or other items that can be sold. Social security numbers can be used to file a tax return for the refund. Financial institution accounts, such as bank accounts, money markets, 401K, are at risk for withdrawals and accounts with lines of credit can be opened including credit cards.
Evaluating the cost of protecting someone’s identity from theft involves assessing the appropriate access controls on video, information technology systems, databases and networks, purchasing and installing information security devices and software (malware, spoofing, virus, privilege escalation, botnets, trojans, rootkits, etc.), development of policies and procedures, regular risk assessments and audits, and training and education of the employees.