Mark E.S. Bernard: Protecting Children’s PII under the Care of Volunteer Organizations

Compiled by Mark E.S. Bernard, CRISC, CGEIT, CISM, CISSP, CISA, ISO 27001 Lead Auditor, PM, PA, CNA

Posted on 01-Nov-2014


DESCRIPTION

Title: Protecting Children’s PII under the Care of Volunteer Organizations. I created this presentation after I discovered that the local minor hockey association and the local minor baseball association did not have a personal information policy or handling procedures in place. I want to share my knowledge and experience as a Privacy and Security Compliance Officer with these volunteer groups so that they can do a better job. The alarming thing is that they seemed completely unaware of the risks associated with a breach of security for personal information, even with studies that show children’s personal information is actually stolen to commit fraud 50% more than adults’. Another alarming fact is that credit institutions grant children credit based on their parents’ credit records. In one case a 16-year-old girl in the United States had $650k racked up against her credit record.

TRANSCRIPT

Page 1: Mark E.S. Bernard Protecting Children’s PII under the Care Of Volunteer Organizations

Compiled by Mark E.S. Bernard, CRISC, CGEIT, CISM, CISSP, CISA, ISO 27001 Lead Auditor, PM, PA, CNA

Page 2:

BBB Watch: Watch out for child ID theft

The Better Business Bureau is alerting parents their child may be at risk of identity theft. Crime stats show last year more than 9.9 million Americans were victims of ID theft, costing them about $5 billion. The Federal Trade Commission also received more than 19,000 complaints about child identity theft last year.

Many parents have no idea that their child is a victim, and this crime may go undetected until the child applies for a job, loan or rents their first apartment. Major reasons for the identity theft of minors include illegal immigration (to obtain false IDs for employment), organized crime (to engage in financial fraud) and friends and family (to offset bad personal credit ratings).

Source: http://www.the-leader.com/community/blogs/biz-bits/x1035957048/BBB-Watch-Watch-out-for-child-ID-theft

Page 3:

There are a number of places where children’s personal information, including Social Security numbers, may be vulnerable. Realize that the following places typically request detailed personal information.

• Hospitals and physicians’ offices, through patient records.
• Schools, through student records.
• Daycare centers, through enrolment records.
• Libraries, through member records.
• Sports team organizations, through athlete applications.
• Online social networks, through personal pages or via e-mails as thieves coax information from teens.

Source: http://www.parentguidenews.com/Catalog/Parenting/ChildIdentityTheft

Page 4:

Because most parents do not consider that their child has a credit report, or the need to check a child’s report, the crime of identity theft and resulting damage can continue for years. In 2007, an Experian-Gallup survey polled 3,029 adults ages 18 and older on the topic of child identity theft. The results showed that many consumers are unaware of the dangers of child identity theft. Here are some statistics the survey revealed:

• 68 percent of respondents knew “only a little” to “nothing at all” about child identity theft.
• 11 percent knew “a great deal” about child identity theft.
• 5 percent felt it would be “very difficult” to steal a child’s identity.
• 39 percent of parents with children under the age of 18 felt it was “not too likely” that their own child’s identity could be stolen.
• 11 percent of parents thought that it was “very likely” that their own child’s identity could be stolen.

Source: http://www.parentguidenews.com/Catalog/Parenting/ChildIdentityTheft

Page 5:

Page 6:

Page 7:

Page 8:

Page 9:

Web link: http://laws-lois.justice.gc.ca/eng/charter/

• Guarantee of Rights and Freedoms
• Fundamental Freedoms
• Democratic Rights
• Mobility Rights
• Legal Rights
• Equality Rights
• Official Languages of Canada
• Minority Language Educational Rights
• Enforcement

Page 10:

Web link: http://laws-lois.justice.gc.ca/eng/charter/

Legal Rights

7. Everyone has the right to life, liberty and security of the person and the right not to be deprived thereof except in accordance with the principles of fundamental justice.

8. Everyone has the right to be secure against unreasonable search or seizure.

Page 11:

• Policy 1 – Collecting Personal Information
• Policy 2 – Consent
• Policy 3 – Using and Disclosing Personal Information
• Policy 4 – Retaining Personal Information
• Policy 5 – Ensuring Accuracy of Personal Information
• Policy 6 – Securing Personal Information
• Policy 7 – Providing Constituents with Access to Personal Information
• Policy 8 – Questions and Complaints: The Role of the Privacy Officer or designated individual

Page 12:

• Classification labeling
• Access restriction
• Classified information authorization list
• Information input/output validation
• Protection of spooled/printed information
• Storage complies with manufacturer’s specifications
• Keep distribution to a minimum
• Clear marking of recipient/sender
• Review distribution list

Page 13:

• Granting Access Rights
• Network Access Control
• Storage on Servers
• Storage on Removable Media
• Physical Removal
• Duplicating/Copying
• Faxing
• Transmission over Internet
• Transmission over FTP
• Transmission over email
• Transmission over wireless
• Disposal/Destruction
• Third-party / External-party Disclosure
• US Personnel Disclosure
• Electronic Media Labeling
• Hardcopy Labeling Required
• Physical Mail Handling
• Tracking Process by Log
• Human Resources
• Remote Access
• Desktop
• Laptop

Page 14:

Page 15:

The Government Response to the Report of the Standing Committee on Access to Information, Privacy and Ethics on the Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) indicated the government’s intention to consult on the manner of implementing a legislative requirement for data breach reporting and notification.

The document builds on a previous working paper (Proposed Model, March 27, 2008) and reflects views from stakeholders provided at a roundtable meeting held April 11, 2008 in Ottawa, as well as written comments provided subsequent to the meeting. It is presented solely as a working model to provide additional background to assist in framing and considering the proposed legislative amendments to PIPEDA.

Page 16:

“Data breach” means an incident involving loss of, unauthorized access to, or disclosure of, personal information as a result of a breach of an organization’s security safeguards pursuant to Principle 7 of Schedule 1 of PIPED Act.

Page 17:

• In the event of a data breach, where it is reasonable to consider in the circumstances that there exists a substantial risk of significant harm to affected individuals, the organization will notify affected individuals as a matter of course, and other organizations as required, as soon as is reasonably possible after detection, confirmation and assessment of the scope and extent of the breach.

• Notification to affected individuals will be provided in a clear and conspicuous manner using a direct means of communication, and will include information that is sufficient for the individual to understand the significance of the breach, and to take steps to mitigate harm resulting from it.

Page 18:

• Factors that are relevant to the determination of substantial risk include (i) the sensitivity of the information involved in the data breach and (ii) the probability that the information could be misused, or that harm to the affected individuals might result.

• Factors that are relevant to the determination of which other organizations should be notified are (i) whether an organization has a role in the mitigation or prevention of harm to the affected individuals; or (ii) whether an organization could reasonably be expected to suffer direct harm as a result of the data breach.

Page 19:

• The organization will also report to the Privacy Commissioner any material data breach, as soon as is reasonably possible following detection, confirmation, and an assessment of scope and extent of the breach.

• Factors relevant to the determination of material data breach include (i) the sensitivity of the information involved in the breach, (ii) the number of individuals affected, and (iii) if it constitutes a pattern, or provides evidence of a systemic root cause, outside of commercially acceptable operating standards.

Page 20:

• The organization having control of the information will be responsible for determining the need for notification to affected individuals and organizations and for reporting to the Privacy Commissioner.

Page 21:

The threat of Child Identity Theft has raised a concern not just for the protection of children’s personal information but has also shed light on the need for a higher standard of care within volunteer organizations.

CVOs believe in their fiduciary responsibility and want to demonstrate a higher standard of care.

CVOs are also guided by morals and community values, so it is in the best interest of our members to demonstrate that higher standard of care starting now.

Page 22:

Page 23: