Know the difference between 'identity theft' and 'identity fraud'? Don't feel bad if you don't. Even within the security industry, within the government, and within law enforcement, the terms are used interchangeably although they are in fact different.
Deciding what is defined as and counted as identity fraud was the subject of a gathering of identity fraud experts in Pleasanton, CA last month. Hosted by Javelin Strategy & Research, it was the second workshop for the Identity Theft Prevention and Identity Management Standards Panel (IDSP), sponsored by the American National Standards Institute (ANSI). In attendance were representatives from Javelin, the Federal Trade Commission, the Department of Justice, the Department of Homeland Security, Kroll, Debix, Affinion, IDExperts, ID Analytics, Experian, Visa, and the non-profit ID Theft Resource Center.
The first workshop last fall in New York covered identity verification standards. The purpose of the second workshop was to determine the desirability and feasibility of standardizing identity theft metrics.
One panel sought to define the difference between identity theft and identity fraud. After considerable discussion, the panel produced a working definition that identity theft occurs when the personal data is first accessed (as in a data breach) and identity fraud occurs when that personal data is used.
Other panels provided insight into how different organizations currently collect and represent statistics and data around identity fraud. Not surprisingly, the panelists frequently admitted there were gaps around the extent and pervasiveness of the problem.
Toward collecting better metrics, one discussion entertained the notion of having companies share data breach information on a server hosted by a neutral third party. Not all data breaches, which can lead to identity fraud, are reported publicly. The goal of this new database would be to gain a more accurate count of the problem.
At the end of the two-day conference, participants agreed to continue standardizing identity theft metrics and organized into three working groups: Definitions, Research, and Methodologies. Over the next few months, the three groups will meet individually, and this summer they will draft and publish a unified report.
Robert Vamosi is a freelance computer security writer specializing in covering criminal hackers and malware threats.
Correction: As an oversight body, ANSI approves as American National Standards those standards that have been developed in accordance with ANSI's Essential Requirements by ANSI-accredited standards developing organizations and submitted to us for approval. ANSI itself does not develop standards. Standards panels like the IDSP function as coordinating bodies that facilitate standards development by identifying the need for standards, guidelines or best practices in a particular subject area. The workshop report that will culminate from this exercise may serve as a call to action for further work by the standards development community.