Identity Theft: Why It Is Not Going Away, How Come Law Enforcement Is Not Working, and Could Regulation Provide Better Outcomes?


Identity Theft: Why It Is Not Going Away, How Come Law Enforcement Is Not Working, and Could Regulation Provide Better Outcomes?
Benoît Dupont

Structure of the presentation
- Conceptualizing cybercrime and identity theft
- What do we know about victims?
- What do we know about fraudsters?
- Who are the guardians?
- Law enforcement vs regulation and nodal governance

The crime triangle and Routine Activity Theory
[Diagram labels: Offenders; Access and identity; Crime; Cybercrime; Pluralization of capacities; Guardians; Victims; The Internet economy. Adapted from Cohen & Felson.]

The ecology of information systems
- Glocalisation
- Distributed architecture
- Panoptism / Synoptism
- Organizational asymmetry
- Fragmentation of personal identity
- Economic structure
- Ease of use and speed of innovation
- Efficient vulnerabilities

The crime cycle: increased velocity
- Innovation
- Crime proliferation
- Crime reduction
- Security integration

The criminogenic internet
- Anonymity & deindividualization
- Emphasis on technical challenges
- Stealthiness
- Reconnaissance
- Escape
- Scalability
- Illustration: 10% of the Internet 2005

The scientific knowledge deficit
- Lack of interdisciplinarity: computer science, criminology, law, economics, psychology
- No Uniform Crime Reporting
- Overestimation
  - Computer Economics: USD 14 billion (2005)
  - Scotland Yard: USD 220 billion (2006)
  - FBI: USD 400 billion (2004)
  - A Canadian police service: USD 1,600 billion (1.6 trillion, 2005)
- Underestimation
- What's left? Victimization surveys!!
- Identity theft is not always a cybercrime!!

Individual victims (1 of 2)
- Victim profile (USA, 2004 & 2006)
  - 3% of households
  - Age is a strong determinant: younger people are more at risk, and the probability decreases with age
  - So is wealth: the higher the income, the higher the probability of becoming a victim
- Discovery pattern
  - 45% of victims become aware less than a month after the incident, and 32% more than a year after
  - Only 9% of victims notified the police

Individual victims (2 of 2)
- Median amount of monetary loss: $400 per household
- 68% of victims incurred no out-of-pocket expenses
- Time spent resolving problems: 34% needed a day or less
- Problems:
  - True-name identity theft: only 11.7% of all identity theft
  - Synthetic identities make up the rest
- Who is responsible for compromised personal data? The victim's entourage or the institutions that hold her personal data?
  - When the data was available, organizations were responsible for one third to one half of data breaches at the origin of identity thefts

Organizations: victims or facilitators?
- Total financial losses: USD 56.6 billion (in 2006 in the USA, BBB & Javelin)
- Systemic vulnerabilities
  - 2005-2006: 140 million personal records (530 incidents) have been lost, stolen or hacked in North America (no disclosure obligation in Canada)
  - According to WhiteHat Security, 36% of e-commerce websites tested in April 2007 granted unauthorized access to personal or proprietary data
  - Outsider as well as insider threats
- Under-reporting to law enforcement authorities
  - 25% of US companies having experienced a computer intrusion in 2006 reported it to law enforcement

A reputational risk management approach
- Reasons for under-reporting to the police:
  - 48%: negative publicity
  - 36%: believe would be used by the competition
  - 27%: preferred civil remedies
  - 22%: unaware of law enforcement interest
- Influential drivers for privacy:
  - 88%: privacy regulation
  - 82%: reputation and brand
  - 62%: potential liability
- Fire-brigade security
Sources: CSI-FBI 2006 computer crime survey; Deloitte 2006 Global Security Survey

Fraudsters
- Division of labor: phishing kit programmers, web developers, Botnet and roots operators, mass mailers, personal data brokers, cashers, money mules
- Organized crime or organizing crime?
Sources: New York Times; Wired; F-Secure

The law enforcement response
- Limited resources available
  - Canada: 61,000 police officers
  - 245 cybercops
  - More than 80% work on child exploitation and cyber-pedophilia
- Limited technical capacities
- Police occupational culture does not value this type of crime

The courts' response
- Limited number of trials:
  - Under-reporting by victims
  - Suspects hard to identify and locate
  - Multijurisdictional trials: the alphabet soup of identity theft fraud rings
  - Evidence is expensive to assemble
- Sentences are usually light:
  - Technical nature of deliberations
  - The guilty are granted mitigating circumstances

Law enforcement vs regulation
- Law enforcement focuses on detecting & punishing illicit behaviours
  - Better suited to low volume / high impact crimes
  - Investigations and prosecutions: criminal code
  - Vertical authority of the state
- Regulation focuses on orderly conduct of economically desirable activities
  - Better suited to high volume / low impact crimes
  - Conciliation, incentives, (self-)regulation, inspections, penalties: procedural flexibility
  - Horizontal sharing of responsibilities and expertise

A plurality of ID theft prevention techniques

Increase the perceived difficulty
1. Target hardening
2. Access control
3. Data integrity protection
4. Identity authentication

Increase the perceived risks
5. Intrusion detection
6. Technical surveillance
7. Surveillance by employees
8. Surveillance by users

Reduce the anticipated rewards
9. Target removal
10. Property tagging
11. Opportunity reduction
12. Denial of benefits

Remove excuses
13. New regulations
14. Control of «disinhibitors»
15. Attribution of responsibility
16. Compliance encouragement

Source: Newman and Clarke 2003

A plurality of guardians
[Diagram. Axis: Degree of coercion. Categories: Police & Justice; Regulatory authorities; Service providers. Labels shown: SQ, RCMP, SPVM, CSIS, G8 24/7 points of contact, ACCP, CSE, Consumer bureau, CAI, CPVP, Consumer protection office, BSIFC, ISPs, Banks, StopBadware.org, Google, Users, Anti-spyware coalition, WiredSafety.org, 419eater.com, Cyberangels.org]

An example of nodal governance

The limits of the nodal regulation approach
- Finding the proper mix of education, persuasion and coercion
- Regulatory overload and counterproductive regulation
- Costs of compliance
- Innovation cycle
- Effectiveness
- Closing the regulatory network to maintain its efficiency
- Measuring effectiveness
- New forms of responsibility and accountability required

To go further
benoit.dupont@umontreal.ca
www.securisphere.blogspot.com
www.edupont.net