Transcript for Event: How can agencies better support victims of identity fraud?
View this event's page, with a summary and description of the event, here.
Transcript Text:
Lisa Reijula:
Good afternoon everyone. Thank you for joining the Pandemic Response Accountability Committee or PRAC for today's virtual round table discussion. I'm Lisa Reijula. I'm our Associate Director for Outreach and Engagement, and I am thrilled to be serving as a moderator today for this fantastic panel. By way of reminder, the PRAC, we were created by Congress in March of 2020 to provide independent oversight of what is more than $5 trillion in pandemic relief spending.
We count 20 federal inspectors general as our members, and our mission is twofold, to protect pandemic relief from fraud, waste, and abuse, and to promote transparency as to how the money was spent, to let the public and policymakers know where the money went and whether it reached those it was intended to help. So we are really excited today to host today's event on identity fraud and victim redress, featuring a panel of esteemed experts in this space. So today, we're going to talk about the increase in identity fraud during the pandemic, the consequences, and how agencies can better support victims. So before we begin and kick off with each of our panelists, we have a message from our PRAC chair, Michael Horowitz.
Speaker 1:
Hi, I'm Michael Horowitz.
Lisa Reijula:
Hi, I'm Michael Horowitz.
Speaker 2:
Hi, I'm Michael Horowitz.
Michael Horowitz:
Actually, I'm Michael Horowitz, Chair of the Pandemic Response Accountability Committee or PRAC, and I'm here to talk about identity fraud. Our investigations have found widespread use of stolen identities by fraudsters to illegally obtain benefits from pandemic programs. As far too many Americans know, victims of identity theft face the enormous burden of cleaning up their personal credit scores, addressing potential tax problems, and interacting with multiple government agencies to resolve the issue. It can also make it harder for victims to claim their rightful benefits. Identity theft victims have told us that the federal government's current decentralized process is burdensome, messy, confusing, isolating, and frustrating.
This problem needs to be addressed, and the PRAC supports the development of a whole of government one-stop shop model, that approaches resolving cases of identity fraud with the victim in mind and reduces the burden on victims to resolve these issues themselves. We recently commissioned a federally funded research and development center to look into this serious and growing problem and to provide some potential solutions. Please visit our website, pandemicoversight.gov, to read the full report, which provides valuable insights and possible solutions. The PRAC looks forward to continuing to work with policymakers, so that the federal government can be more effective in helping identity theft victims and in addressing this pervasive and growing problem. Thank you for joining me today.
Lisa Reijula:
Thanks everybody, and I encourage anyone tuning in today, state and local offices, anyone that has questions about that report, to please reach out to us at the PRAC. We'll share the best way to reach us at the end of the webinar. Please put any questions that you have, as we go, in the Q&A feature, and we'll get to as many as we can. And all resources that are mentioned during this discussion by our panelists, we're going to share those in our newsletter. And if you haven't already subscribed, like Michael mentioned, please follow us on pandemicoversight.gov. And thanks again for joining us today. Now, let's turn to our panelists. I'm going to ask each of you to briefly introduce yourselves. Tell us a little bit about your role, your organization, and your work in this space. And if I could start with Eva, please.
Eva Velasquez:
Hello everyone. I'm Eva Velasquez, President and CEO of the Identity Theft Resource Center. We're a 501(c)(3) nonprofit, that provides no cost victim recovery services to the public. We've been around since 1999, and we are very, very involved in this issue.
Lisa Reijula:
Fantastic. And if I could go to Reverend Roberts, please.
Reverend Ben Roberts:
Yeah, good afternoon. I'm Reverend Ben Roberts. I'm at Foundry United Methodist Church in Washington DC. As part of my work as the Executive Director of Programs and Justice, I oversee our ID ministry. And that's all about helping people recover vital documents, like non-drivers IDs, birth certificates, social security cards. We serve around 2000 people a year.
Lisa Reijula:
Thank you so much for being here today. Julia, over to you.
Julia Simon-Mishel:
Good afternoon everyone. I'm Julia Simon-Mishel. I'm the Supervising Attorney of the Unemployment Compensation Unit at Philadelphia Legal Assistance. Philadelphia Legal Assistance is a direct legal services organization. We provide free civil legal aid to low-income Philadelphians and their families. During the pandemic, my unit represented thousands of individuals seeking unemployment benefits, and we have come face-to-face many times, both during, before, and after the pandemic, with clients who have faced issues due to identity fraud.
Lisa Reijula:
Thanks, Julia. Michele?
Michele Evermore:
Hi, I'm Michelle Evermore. I'm with the Century Foundation. I'm a senior fellow. Also, during the first couple of years of the Biden administration, I was at the Department of Labor, most recently as policy director at the Office of UI Modernization.
Lisa Reijula:
Fantastic. Thanks for joining us. And last but certainly not least, over to you, Jeremy.
Jeremy Grant:
Hey, hello everybody. I'm Jeremy Grant. I serve as the coordinator of an organization called the Better Identity Coalition. It's an industry association formed mostly of companies that are on what I would call the buy side of the digital identity equation. Think about banks or health firms or telecom companies, that are looking for better information to know who they're dealing with online. Obviously, a lot of the same issues apply to challenges that we face in government, in terms of delivering government services, government benefits, actually knowing who's who and who might be somebody who's just pretending to be who. But our focus is largely focused on the policy layer of identity and authentication, working with policymakers on Capitol Hill and in the executive branch to try and deliver more robust and modern digital identity solutions.
Lisa Reijula:
Fantastic. So as you can see, we have a fantastic group assembled today. So let's get into the discussion. And while we titled this event focused on identity fraud, we wanted to kind of set the stage and say what we mean by identity theft and identity fraud. So at the PRAC, how we define identity theft is illegally acquiring and using someone else's private information, usually for financial gain. And identity fraud occurs when a victim's private information is used to commit a crime, deceive, or in the case that we'll be talking about a lot today, defraud pandemic relief programs.
And our oversight work and our partner IG's oversight work has shown that the unemployment insurance programs and some of the small business relief programs were susceptible to fraud, due to federal agencies' reliance on self-certification and some of the other what's been described as lowered guardrails that were used to disperse funds at speed. So what are some of the consequences of those vulnerabilities? How can we strengthen program integrity? We'd like to hear your perspectives on how we are verifying people's identities for eligibility for some of these programs. So Jeremy, if I can ask you to start on the first step in the process, something what you touched on in your opening, how are agencies currently authenticating identities? And what are your views on the current state of digital services that are used to authenticate identities?
Jeremy Grant:
Sure. Well, I'll say what government agencies are doing isn't necessarily that different than what the private sector's doing. I think this is not just a government benefits problem, it's really a national problem and that pretty much every sector is looking to deliver more high value, high trust services online. But there's a risk model that's such that, if there's significant money or data that you can get from those services, we're going to see our adversaries come in with pretty organized efforts to try and slice through those protections that we have in identity verification. Part of the problem is that we're basically dependent on an industry of companies that is trying to guess who you are, when, in most cases, it's the government that's the authoritative source. One of the things that we've talked about in our policy blueprint and other things that we published is that there's a gap between the nationally recognized authoritative identity sources that we have in the physical world, it's issued by a mix of federal, state, and local agencies, and the lack of any counterpart that really works in the online world.
And so, when we hear these stories about identity theft, that, "Well, criminal knew five things about me, so they were able to basically steal my identity," I think part of the conversation we need to be having today is that's a really dumb system that we have of validating identity online, if knowing five things about you means I can be you. In fact, it's pretty outdated. But I think what we saw during the pandemic certainly with state agencies was they had very weak identity verification to start. In many cases, it was leveraging knowledge-based verification. In many cases, states then and federal agencies moved to harden that to a different set of tools, that might have somebody, say, take a picture of their driver's license, take a photo of their face, to try and do a selfie match against that driver's license.
Some of those can work better, but they're still ultimately trying to guess what only the government knows. And I think one thing we've been talking about throughout this process is solving this problem in part is going to require closing that gap between physical and digital. And as I'm sure you'll hear from Pastor Ben today as well, also dealing with the fact that, as much as we're talking about documents many of us have, there's a lot of people in the country who still don't have those foundational physical documents. And as we talk about making that shift from physical to digital, making sure that people aren't left behind.
Lisa Reijula:
Thanks, Jeremy. And Michele, how about you? Can I turn to you on this same question?
Michele Evermore:
Yeah, absolutely. So with unemployment insurance, there has always been a form of identity verification in the fact that a person applies for unemployment insurance and then, the state agency has to go back to the employer that fired you and they have to say, "Yes, that is a person who deserves an unemployment insurance benefit," which was already a pretty high bar. But during the pandemic, the new program, Pandemic Unemployment Assistance, didn't require that kind of verification, and the fraudsters picked up on that pretty quickly and exploited it. And they're still attacking state unemployment insurance systems now, as I say, the ants have found the picnic. And so, states have responded very quickly. Over $540 million have gone out to states, in terms of fraud grants. By way of comparison, the entire operating budget for all UI state agencies is like around 2 billion. So they've received a huge chunk of their annual funds just to fight fraud.
And so, they've employed a variety of different private sector and public sector solutions. States are using ID.me, TransUnion, LexisNexis. One state, Arkansas, didn't have a digital solution. And so, the US Digital Service and, later, the Department of Labor worked to hook them into Login.gov. And I think the department is exploring connecting more states to that option. But if you look at the guidance coming out from the Department of Labor, so when the Department of Labor wants to communicate something to states, they issue a UI program letter or a UIPL. One particularly helpful one is UIPL 22-21 Change 2 But basically, it lays out for states, "You need to have more than one solution in place. You can't have just one crosscheck. You can't have just one identity validator."
And I think, ideally, the best way for states to deal with this is to have something that's less onerous, less visible for claimants as a first check, and then, when they don't pass that, then maybe send them to something that requires more participation from the claimant. But at this point, the login process, the application process for unemployment insurance is already so daunting that most people don't apply. And so, adding more steps for claimants is generally not great.
Lisa Reijula:
Julia, go ahead.
Julia Simon-Mishel:
Yeah. And just to throw out there, for a lot of the programs that identity verification is now being required of, this higher level digital identity verification, it's extra judicial. There is nothing in the state statutes or policy that has been published about what the rules are, what the standard is that that particular agency is using, and if you're denied, how you can appeal that, how you can rebut that. There's still a real issue with a lack of due process involved in a lot of these identity verification systems. The other thing I wanted to point out is we're talking a lot here about applying for benefits, because that was how benefits were taken by these criminal cyber rings.
But agencies have also moved to block your information just about what's going on with your claim or with your situation with identity verification as well. So to access information in an online account, for the Social Security Administration or the IRS, not even to file for any sort of benefits or file for a return, you still have to go through an advanced type of identity verification. And so, people already struggled to get access to information. And now, those who especially are low income or struggle with technology just see bigger and bigger walls being put up before them.
Lisa Reijula:
Thanks, Julia. Anyone else want to weigh on this one? If not, I want to ask, what are some of the challenges? If we can talk a little bit about the victim experience, what are the challenges that victims face after their identity is stolen and used to commit fraud? Tax consequences, there's hits to their credit, emotional distress. Eva, if we could start with you, because this is a lot of what you do in your work. Can you tell us a little bit about some of those challenges and what your organization has observed or found? I think you're on mute.
Eva Velasquez:
I was on mute. You've touched on some of them. And we know from our research, we actually survey all the victims that we've helped in a previous year, there's usually about 15,000 individuals every year, and we ask them much more than, "How much money did you lose? And how much time did you spend?" Those are important things, but the emotional toll, the lost opportunity costs, when we have folks that are dealing with identity theft and fraud victimization, and they're not able to, in the context of government, take advantage of benefits that they're legitimately entitled to, when they start dealing with the tax implications. But it can be dealing with employment. They can lose a job that they already have, because they can't pass an updated security clearance, or lose out on an opportunity for employment, not being able to pay their bills. And it can have this domino effect, that then touches every aspect of their life.
So that emotional toll that you talked about, it's real and it's severe. It's not just this feeling of "I'm a little unsettled" or "This was an inconvenience." In our last survey, 16% of the individuals that we surveyed had suicidal thoughts. So think about that for a second. These folks were so distraught and didn't see any other way out of resolving this issue other than to end their own life. And then, of course, there are the other challenges that they have, the feeling vulnerable, the shame and the embarrassment, and then, it can move on into physical problems, insomnia, headaches, just all of that stress. And so, those impacts, they touch every aspect of individuals' lives and they even affect their physical wellbeing. I think that's a piece that's hard for people to connect the dots. We think of fraud as being this nonviolent crime. So we don't think that it can have these types of serious consequences and impacts for individuals.
Lisa Reijula:
Thank you. Pastor Ben, how about you? What are some of your observations?
Reverend Ben Roberts:
I'm glad I've heard multiple other people already mention the struggle of what it takes to get something replaced. And just to lay the groundwork for those who are listening, my program works primarily with individuals who are unhoused or who are homeless and people who are low income and need the assistance to pay for the document. So when I'm seeing somebody, it's not necessarily because of an identity fraud scenario. Though, if you wanted to count having your items literally stolen from you while you sleep on the street, then yes, somebody has stolen their documents. They come to us to try and get things replaced. What we see is people having to take around five steps and, at the fastest, about a month long process to try and replace the actual physical documents, not to mention anything else that goes on with trying to recover anything financial, if it was a case of identity fraud.
So for us, the process looks like meeting with one of my volunteers on a midday week here at the church. And then, we outline the steps that it's going to take. So if you're coming to us with absolutely nothing, you're looking at at least five steps to go get a doctor's note, a signed medical record that can help you get then your social security card, that usually takes up to two weeks to get mailed to you. Then you use the social security card, along with anything else we can cobble together, to get your birth certificate, which in DC, you can get same day. But if you didn't happen to be born in DC, it could take anywhere, depending on the state, a couple of weeks to multiple months. Different states have different levels of backlog, so you could be looking at six months or, on the short end, a week or two.
And then, once you finally have all of that, we piece together some form of residency verification. If you're homeless, it's a certification that you are homeless. Otherwise, you're looking for bills, bank statements, anything like that, to finally go to the DMV and then, wait another couple of weeks for your actual credential to get mailed to you. So like I said, short end of things, a month. Long end of things, I just wrapped one that was a year long process, and we had to get a court order just to get the birth certificate. The longest one I've ever worked on was over three years with one individual to get his birth certificate, so he could then get his identification document. We're talking, on average, for somebody doing all of this, about $68, just to pay for the documents themselves. We're also looking at the average cost of taking bus trips around DC.
If somebody wanted to be a little faster and take the metro, it's going to cost more. But what it doesn't count is some of the things that Eva talked about. There's additional pieces. There's any time you take off from work to try and make all of these multiple steps. There's securing childcare, so if you need to pay for childcare, if you have wage loss for missing work that day. But I want to reiterate what Eva said about the emotional and mental toll it takes. I have had people sit in my office, as I try and explain how long the process is, actually say to me, the words, "I think I'm done with this lifetime. I'm ready for whatever the next one is." And then, working through... The reason that we, here at the church, call it a ministry is because we recognized, early on, when Real ID was rolled out that it was going to be much more of a journey for people to do this.
And so, we really try to wrap around people and give them that emotional support to try and bear with them as agency after agency tells them they're not who they think they are or because they call themselves Kathy, it's not good enough when their birth certificate says Catherine, or they didn't know their mom's maiden name and they start to doubt themselves and their whole life story, that we can be there to try and wrap around them. We're serving 2000 people in Washington DC. This is a problem that happens nationwide. And so, these are the types of some of the scenarios that we see. And I'm happy to talk about some specifics as we continue moving in the program.
Lisa Reijula:
Thank you so much. And one follow up. Of the folks that you're working with at a given time, how many are able to persevere kind of through that five-step labyrinth? Are there a lot of folks that drop out along the way, given the difficulties you've outlined?
Reverend Ben Roberts:
A lot of people drop out along the way. We deal with a lot of individuals with severe mental illness, who are trying to get their things together. We see higher success for individuals who have a caseworker, who can work with them. So we try to make that a requirement, that we really endeavor to not turn people away. One of the only metrics we have is the number of our checks that get cashed by the intended agency, so the DC Treasurer, in most cases. At our highest access rate, we were around 89% of seeing the funds get cash through within a three month period. At our lowest...
PART 1 OF 4 ENDS [00:24:04]
Reverend Ben Roberts:
... the cash through within a three-month period. At our lowest, we've been as far down as 39%. And that's where we were as soon as Real ID came into practice. And we've had years where we hover in between. So we're an all volunteer organization, so as much as I would like to have super detailed metrics on every single thing, that's not quite our capacity.
Lisa Reijula:
Thank you. And so I think Julia raised it and it's come through this discussion, some of the equity issues. Do folks want to weigh in? Julia, I don't know if you want to start, talk about the victim experience and how it varies depending on the circumstances of the individual and your perspective on what are some of the things that agencies really need to keep in mind to make sure this redress process is not as onerous?
Julia Simon-Mishel:
Sure. So when we talk about victims in the legal aid space, we're often actually talking about two different types of victims. Both those who had their identity stolen and used for other purposes, but also those individuals who now because of increased identity verification protocols can't access the benefits they need to survive. So for the former, those who are victims of identity theft themselves, one of the things we haven't touched on as much is it's actually not easy to figure out if you've been the victim of identity theft usually until something really awful happens. And so for most folks, especially those who are low income and let's say didn't usually file a tax return, the first time they might find out that somebody had filed a tax return in their name could be when a government program for the first time offers benefits like the tax credits where they can get them, even if they're a non-filer. Or for unemployment benefits, they find out for the first time when they get a 1099 in the mail, say that they collected benefits and they have to pay taxes on them.
And generally when this happens, folks are not given any information about what to do, where to go. And as Eva and Reverend Ben pointed out, there's also a lot of trauma happening in this time and it's really difficult to navigate these spaces when you're good and healthy, even for those who have significant income. So for those who don't have significant income and who are experiencing all different types of emotional trauma, it feels like a black hole of information. You reach out, you try to figure out what's going on, no one responds to you, you file a fraud report, it ends up in that black hole. And so it becomes even more and more of a time suck and that's where you kind of see that exacerbated trauma. The other thing is a lot of times to prove to an agency that you're the victim of identity theft, they require things like getting a police report.
And let me tell you, the vast majority of my clients don't want to go to their local police station, period. And even if they do, the police, that is not their main area of work. They have a lot of other things on their plate, they're not looking to file police reports on identity theft. Even if they do, there's very little follow up, it's hard to get any sort of proof about it. And so a lot of the ways in which we require people to navigate this has, I would say, a disparate impact, especially on low income and minority individuals.
And then the last part I'll say on the equity is that of course those who don't have the resources and especially those who struggle with technology are the ones most harmed by a new move to broader digital identity verification. Because generally when they are trying to get benefits, there is an emergency situation. And that is the time, that first month or two of any time that you're applying for benefits is the most fragile. If you do not get money in that period, that is when everything can domino. And so the more barriers we put up, the fact that you have to go through a third party identity verification service like ID.me before you can even apply for unemployment benefits, pushes that timeline. And that is really dangerous for our clients and does things both, as Michelle said, they drop out of the system altogether and as has also been said, we also worry for their personal health and safety.
Lisa Reijula:
Anyone else want to jump in on this with any comments? Just wanted to hold some space in case... Go ahead. Reverend Ben and then Jeremy. Great.
Reverend Ben Roberts:
Okay. So I want to highlight just the disparity that we see frequently. It constantly feels like as the policies are written, it's written frankly for somebody who looks like me, it's a middle class white guy with two parents and I don't know, a dog and two kids, whatever it is. But what we see is that it's not typical. It's as if it's written for a typical American whatever, but it does not get to what is typical for the people I see. So if you're coming from a family with any level of strained relationship, if you're coming from a family with divorces in the history of the family, with estranged parents, with a mother who isn't with your father or is with a different individual, it really puts a strain on somebody when they're making their applications because they may not know offhand who's listed on their birth certificate or with a maiden name or a married name or the name after a divorce.
So we see a lot of failures initially because of those types of issues. One of the things that we see still to this day are my older guests who are African-American and born in the South. I still have individuals that we'll work with and it turns out that they were born at home, maybe with the assistance of a midwife and are coming from a place where their family did not have access to the local hospital for segregation reasons, their births were never registered with the state. And so it adds another layer of trying to get the document created and then purchase the document so you can try and prove your identity despite having valid IDs all your life.
We have it a lot with women. There's a massively disparate impact on women, especially if they have ever changed their name or tried to change their name or managed to change their name on one document but not another. The marriage certificate says one thing, the birth certificate says something else. We run into that all the time. And it is not only an extra time burden, it is an extra cost burden that we don't go through with men who have not been out there to change their name. It'll probably happen more and more as individuals if they need to look at changing their gender identity of any sort, then they're going to run into that type of barrier as well.
The strained relationship piece within a family system is also massive. So as I mentioned, adoptees. Sometimes your adoption files are sealed by the court, so you can't actually access your birth certificate or your adoption record without an additional court order. And so that's an additional step. I've had people who were in their fifties sit in my office and find out for the first time that they were adopted and then that kicked off this process of needing to figure this out. And their parents had already died, so they didn't have help with that. The system's not written for that individual.
The other thing is the estranged relationship. And this is where some of it overlaps with the knowledge-based assessments and the financial records that are accessed to produce some of those KBAs. We had a young woman, she had never met her father before in her life, she grew up in this area with her mom. But when she went to do the KBA to get her birth certificate, all of the information coming back kept saying, "Tell us about your address in Florida. Tell us about your phone number in Florida. Tell us about these tax things in Florida." And it took us a while to figure out what had happened was it was her father who lived in Florida whom she'd never met. There was nothing nefarious happening, but because they were connected in the eyes of the government and in the eyes of the financial system, she was being presented with questions she was never going to be able to answer.
And were left with trying to sort out a way to find a back door for her to actually get the document she is entitled to. So when we think about how we're writing our policies or we're writing our protocols, if some of these, "Not typical," experiences aren't being considered, we are really barring access to documents for a whole range of stories that are just not considered at the front. So my reminder is that we always are trying to consider these situations upfront because some of them are quite common, but they're not making it into consideration.
Lisa Reijula:
Thank you for that. Jeremy, over to you.
Jeremy Grant:
Yeah. I just wanted to flag, I think, some similar themes to what Pastor Ben talked about, which is I mentioned in my opening comments, a lot of our systems today are based on leveraging private sector vendors who've come up with ways to try and guess what only the government knows. But a lot of those assume you have some things. If it's knowledge-based verification, it often assumes you've got a credit history. A lot of people, particularly if you're trying to get benefits, might have a very thin or non-existing credit history. So those systems don't always work as well for them.
Or we've moved to things where, "Hey, we'll ask you to take a picture of your driver's license." Well, what if I don't have one? There's a lot of people who don't have foundational identity documents. And so I think a big takeaway should be, whether it's access to benefits or other digital services, we're reliant on what I would call digital identity infrastructure that's a little bit hodgepodge, it's pieced together from different pieces and parts right now and it's far from perfect. There's a lot we need to do, I think, to look at where the shortcomings are and come up with solutions that can work better, more accurately, more securely and work for everybody.
Eva Velasquez:
[inaudible 00:35:05]. And Lisa, I know we're really short on time, I just want to throw out there on the issue of how victims experiences differ by race. There really isn't a lot of research out there, we're just really beginning to look at the cultural differences about how people use, maintain, protect and recover their identity. We just completed research in the black community, it's called Identity and Practice. The report is available, no cost to the public. But I just want to end this with, we actually need to dive in a lot deeper because there are differences. We just all view our identity and how again, use, maintain, protect and recover it very differently. And those minor differences are going to make a huge difference in programming and policies. So more research in this area is definitely needed.
Lisa Reijula:
Thank you. And we'll make sure to share that report with any resources from the panel. I saw a lot of heads nodding to that. So thank you all for that discussion. And to pick up on the thread that Jeremy started. So let's talk a little bit about the current redress process and your perspectives on what should be changed or how it should be reformed. Are there ways to simplify or streamline? What do you all see from where you sit? How can we do a better job? Michelle, can I throw that one to you first?
Michele Evermore:
Yeah, absolutely. So right now, the Department of Labor at the start of the Biden Administration saw that it was difficult for people to find just where to even report in their own state agency that they've been impersonated. In some instances you had to call in, there wasn't even an online form. So the Department of Labor put together dol.gov/fraud where you can go report your identity theft to your unemployment insurance agency, which is a decent first step. But I have to tell you, I have a lot of people, friends and neighbors coming to me and saying, "I found out that I've been impersonated and gosh, I'm so mad at my state DOL for leaking this information." And it's like, "Oh, hold on. This actually isn't probably your state DOL. You're probably going to have a pretty easy time reporting to the Connecticut Department of Labor that your identity was stolen and somebody fraudulently applied for benefits. And frankly, you're lucky that this is how you found out that the Russian mob has your information, now you can go lock down everything else."
And so I've been telling people, "Okay, now you go to the credit reporting agencies, these are your next steps." It seems to me that unemployment insurance agencies have a lot of information about people whose identity has been compromised. It would be great if there were a way for that information to make its way into other systems because once they get blocked from UI, they're going to go onto the next thing. And whether that's food stamps, whether that's banks, we're seeing a lot of bank account hijacking going on with unemployment insurance. We've got to figure out how to share the information that the 53 state UI systems who are all very different, how they can share information with each other and to other systems.
And it would be great if once somebody is compromised in one system, that person gets assistance in locking down everything that they need to lock down. Right now, it's basically the case that if somebody reports it to the unemployment insurance agency, great. The unemployment insurance agency knows that that's a false claim and they can block it, but that's where it ends. And people don't realize, my identity is out there, I've got to do a bunch of other stuff to make sure that I don't get false credit cards taken out in my name and things like that.
Lisa Reijula:
Eva, how about you? Oh, Jeremy and then Eva, I'll throw it over to you if that's okay.
Jeremy Grant:
I was just saying to this point, this isn't just a government benefits problem, it's a national problem. And we're seeing the same organized criminals and in some cases hostile nation states take advantage of the same two or three deficiencies in digital identity infrastructure to steal from government and banks and healthcare, retails, FinTech apps, cryptocurrency exchanges. It's all really the same thing. And if we look at this just from a perspective of identity theft and government benefits, we're probably going to fail. All of these things are intertwined. And to Michelle's point, they'll move on from compromising your identity to steal unemployment benefits, to trying to open a bank account in your name or a credit card or take over a bank account. And so it's very difficult, I think, for consumers to know what to do. This is really where I want to do here what Eva has to say because this where her group excels.
But I think that the fact that this was a problem that came to light in the government benefits community during the pandemic is very interesting. But just as the GAO said, I think their estimate was $100 to $135 billion in fraud in UI, FinCEN, the Treasury Crimes Financial Crimes Enforcement Network said in 2021, over $200 billion in suspicious transactions reported by banks that were tied to breakdowns in the identity space. Which by the way, $135 billion and I think their number was $212 billion, there's some real money here that's flying out of the hands of Americans and their government agencies that they depend on, the businesses that they depend on. This is a major problem fueling financial crime across the globe and so we need to start thinking about how do we recognize this as that sort of a problem rather than something that is sector specific.
Eva Velasquez:
Well, I can thank Jeremy and Michelle for highlighting why the Identity Theft Resource Center exists because all of those issues that you're talking about with this data, once it's compromised, the identity thieves are not going to stick in one silo, they're going to use it as broadly as they can. And the onus is then put on the victim to report separately to all of those different places. But before they can do that, they have to have a document that substantiates that they're a victim. And they can get that one of two places, their local police department or sheriff's department, their local law enforcement agency or the FTC. This is a problem, Julia actually touched on it earlier. We need to remove this process out of local law enforcement agencies for a number of reasons. Frankly, they're not equipped to do it. Many of them don't have the resources, they don't have the desire, we don't incentivize properly.
A lot of these agencies, their funding is dependent on their resolution rate. And when they have tons of unresolved identity theft and fraud cases that actually impacts their budget financially. This is a terrible way to incentivize agencies to take reports. And a lot of folks just simply don't want to go to a police department and have to report this. Whatever the experiences or the life experience or the cultural experience, that is something that they're deeply uncomfortable with. Now, the FTC Affidavit was supposed to alleviate a lot of this pressure and stress. And in theory it's a good idea, but it's not being widely accepted. We have people constantly telling us, "Okay, I got my FTC affidavit, but this retailer, this bank, the state government, state UI, will not accept the FTC Affidavit as the document that demonstrates that you're a victim."
They simply won't. They make people go and get a police report. If we can at least start not only with the data sharing that Michelle was talking about, but let's accept our own documents and forms as proof of victimization among the government agencies where this fraud occurs. That would make a huge difference. But we're not even doing that right now. So we do need the one-stop shop, that single reporting, but it also needs to occur outside of government. So go to government to get your supporting documentation that you've been a victim, but then that needs to be allowed and used and acceptable to any of the entities where these victims have to report. Then we can start working on reducing the number of places that people have to call as they wind through the different industry sectors that they have to deal with. But until we do that, that first step, and until we fix that, we're going to keep having the same conversation over and over.
Lisa Reijula:
Any other reactions-
Eva Velasquez:
[inaudible 00:44:13] soapbox now. Sorry, Lisa.
Lisa Reijula:
No, all good. Any reactions to that? Anyone want to weigh in? Maybe on the current state of data sharing or any thoughts there on how that can be improved?
Julia Simon-Mishel:
So I'll throw out that my clients are often, and I'm sure Reverend Ben recognizes this, already the most surveyed people in the country. The government has so much information on my clients already and it blows my mind that we're still unable to already use that information to verify their identities for multiple programs at a time. And that I think moving towards some sort of one-stop model, both for verification, but also as the chair said, for addressing victims of identity theft, I think is incredibly helpful. Because as Jeremy has pointed out several times, it's also not just a government problem. This domino effect impacts people in their private lives. And so just having government resources to fix the government problem doesn't fix all the other problems that Eva's folks are so familiar with. And so I think it's really important when we're thinking about this to also think about the people and not just the money.
So I understand that there is a lot of money that went places it wasn't supposed to go to during the pandemic, under very particular circumstances of a national crisis. But when you report fraud to an agency, the agency uses that report to do one thing generally, stop any ongoing fraud, stop money from going out. They're not using that report to address the harms to that victim. And most of the times they're not even responding to that victim. So while we're hopefully on our way to a more holistic approach to this in multiple different sectors, I think we need to look at opportunities like ombudsman in different agencies who are more focused on victim redress, more focused on the person on the other end of that call and not on the criminal. And so again, understanding the importance of preventing ongoing fraud, we have to make sure that it's not to the continued detriment of the individuals who are the real people who need help.
Reverend Ben Roberts:
I'll just note the example that drives me crazy on this point all the time, which is anytime I'm working with a returning citizen. So somebody who's exiting incarceration, who's been locked up for God knows how many years and then comes out and has to reprove to the government who had them locked up, who they are. And for me, I'm sitting there going, "Well, who the hell do you think you had locked up in the first place?" Why can't we help people along the way by making sure that if you are literally inside of the system, that you could at least come out with your ID in hand and possibly reduce some of the recidivism that we see? So the data sharing among agencies, there's got to be something better than what we have right now.
Jeremy Grant:
One thing I just wanted to flag is Julia was talking about the idea of an ombudsman. I do think that's something that's been lacking or what I would call additional steps people can take when something go wrong. I mean, there's an obvious thread that's running through this whole discussion, which is the tension between getting people the benefits and services they need and also making sure that we're not seeing hundreds of billions of dollars lost to criminals in hostile nation states. And as a cyber-
PART 2 OF 4 ENDS [00:48:04]
Jeremy Grant:
... Dollars lost to criminals in hostile nation states and as a cybersecurity weenie, I think that's a technical term for my job, I don't want to dismiss the latter. The FBI's documented this summer that the North Koreans are leveraging deficiencies and identity to break into cryptocurrency accounts that they're then liquidating to fund their nuclear programs. So there are actually some consequences downstream. I don't want to dismiss that. However, the reason a lot of these things are happening is because right now, the attackers have gotten sophisticated enough that they're able to launch scalable attacks, and by scalable attacks, I mean things that they can launch at scale on hundreds or thousands of accounts every day, hundreds of thousands of identities that don't take a lot of resources, and so they can just kind of go down the line and take over identities and steal money, putting an extra step in there like an ombudsman, for example.
You know what a North Korean hacker is not going to do? Show up at an ombudsman in Philadelphia to try and prove that he's actually a Philadelphia citizen. So I just say this to say that it's not necessarily all focused on security or all focused on dealing with benefits going out the door and then just saying, "Well, we have to deal with some fraud along the way." There are some middle grounds where we can perhaps put additional steps in so that if something goes wrong or somebody's identity has been stolen or they can't be validated through one of the solutions that we're using online, "Hey, what's that next step you can go to try and get a little bit of help rather than just sort of presume that you're a lost cause?" I think that's something that could probably use some more attention.
Lisa Reijula:
Thanks, Jeremy. So it's clear from this discussion, we still have a long way to go, but is there any progress that we want to call out, things that have been done that you all think are important to highlight that we should continue doing, and then where should we go next? Michelle, how about over to you on that one?
Michele Evermore:
Yeah. Yeah, so when I was at the Department of Labor, I had 15 pages of things that we've done. Of course, I couldn't take any of my documents with me, but I will say that this has been top of mind. A lot of effort has gone into this, and so some of the things that the Department of Labor has done, for example, is put up the deal.gov/fraud and directly sent money to states. They've also set up these tiger teams. So these are groups of experts including fraud experts that go to states and make recommendations about how to best address their fraud issues as well as equity and timeliness issues.
They've been to more than half of states. One thing that I'm dismayed about is the two billion dollars that were being used for a lot of these efforts was cut in half during the debt ceiling deal. So a billion dollars was taken away from the Department of Labor for a lot of these ongoing efforts. So that's a little frustrating. The other thing is that the National Association of State Workforce Agencies has a UI integrity center, which has a UI data hub. Prior to the pandemic, not all states were taking advantage of that resource, and now all 53 states and territories are at least taking part in some of those cross matches. There've been cross matches added to the ID hub, for example, bank account verification. One of the things that we saw was that people with ongoing benefits were getting stolen by fraudsters who would go and basically text claimants.
"You need to fix something on your claim." And actually it would send them to a shell site where they'd enter in all their information and then the fraudsters could go in and tell the unemployment insurance agency, "Hey, I changed my bank account," and direct it to a nefarious bank account. That's been added, prisoner database has been added, crosscheck, lots of stuff like that going on. And I think just in general, states, they've been in this for three years, and so they've gotten a lot more sophisticated being able to detect and prevent fraud and actually recover quite a bit of fraudulently paid out money, which actually surprised me in a recent JAO report looking at how much of UI funding that they've recovered is very surprising considering the actors that are stealing it. So a lot of good stuff going on out there to hopefully prevent a lot of this going forward.
Lisa Reijula:
Thanks, Michelle. Jeremy, how about this question for you? Anything that you see that has been working or that we should continue or take further?
Jeremy:
I think the other panelists hit it pretty well. I think certainly the race to put some things in place to harden our identity infrastructure, at least with regards to benefits helped prevent some of the scalable attacks. The flip side is talking to Julia and Michelle and others, it created a lot of burdens for people as well in that if you're turning the dial up to make it harder to prove who you are, that also starts to exclude more people. I'll come back just to the point I made earlier, which is the attackers are always going to innovate. They're going to keep coming. The only way we really solve this is if we start to treat this as a national priority that impacts every sector as opposed to just one around government benefits. I'll flag the White House in March published its National Cybersecurity Strategy with a whole bunch of different strategic objectives.
We were really excited to see strategic objective 4.5, which is all about what we can do to make digital identity more robust in a way that's also privacy preserving and easy to use and equitable. The implementation plan that came out from the White House in July skipped over it. It just went directly from section 4.4 to 4.6. We're still told they may yet have something on there in a future iteration of the implementation plan, but at least for now, it is not getting attention either as a cybersecurity priority or frankly as a benefits priority or a national priority. And so I think there's work for the administration to do here. I think there's work Congress could do to perhaps direct the administration to focus on this more directly. That's really an area where I think the next layer of focus needs to go as opposed to just looking at this on a sector by sector basis.
Lisa Reijula:
Anyone else want to weigh in before we move on to the next topic? Okay. So a lot of what we do at the PRAC, our statutory authority is pandemic oversight. So we're focusing on finding ways to build in the lessons learned that can approve program effectiveness with the ultimate goal of protecting taxpayers and protecting public funds. So I'd like to get your perspectives, your recommendations, talk a little bit about to what extent did the pandemic exacerbate issues that already existed that were related to the integrity of some of these federal programs, verifying identities and eligibility. In your view, how can we use this experience, this extraordinary and traumatic experience that we went through to affect change, particularly on some issues that may be longstanding? That is a big question. I can give you a minute. Julia, I was going to throw that to you, but welcome anyone's thoughts open to all on that one.
Julia Simon-Mishel:
Thanks, Lisa. I have feeling we'll go a few rounds on this, so I'll just start with a couple. Prior to the pandemic, we were already moving towards requiring individuals to use computers and technology to navigate most parts of our world, and we were already in the unemployment sphere moving heavily towards online applications and online systems to access your benefits. The pandemic sped all of that up, and in doing so, we left a lot of people behind. And in doing so, we also opened ourselves up to a lot of these problems. When you used to walk in person to an unemployment office to file a claim, as Jeremy said, that wasn't a North Korean hacker doing that. And so I think this has led us to reconsider the type of identity verification we've been doing in this country for centuries, which is in-person identity verification.
Now, granted, there are, of course, folks that can't access in-person services for a variety of reasons. We need lots of options to be as equitable as possible here, but we need to remember that when you're forcing people to navigate technology, you're, A, leaving people behind, but, B, you're exacerbating the problem. Because what happens to someone who is forced to do an online application for benefits when they don't have, let's say an operable tablet or computer or even phone, they go somewhere else for help. Guess what happens half the time they do that? That person takes advantage of them and steals their identity and then uses it for other things, or somebody else just takes the money and runs. So you're creating even more problems often by requiring folks to do things in this very narrow way of both access to benefits, but also digital identity verification, right?
We need to have that off-ramp of in-person services, and we also need to rely on the folks in the community who have been helping individuals and been serving in these roles for years. So one thing that has always been frustrating to those in social services and legal services is our inability to serve as authenticators for the individuals we represent, right? Most of these programs don't have a way for us to do that, despite the fact that if you're in legal services, you've already collected a heck of a lot of information about someone before they can even qualify for your services.
Here in Pennsylvania to apply for public benefits, our medical-legal partnership here at PLA actually can log in and file applications on behalf of folks for different types of public benefit programs. They're able to do that on behalf of someone else. We don't have that in the unemployment world, and we don't have that in a lot of other states for a lot of other types of benefits. And so I think we need to really look at how to use social services and legal services who are already working with populations that are most harmed here to help get people across the finish line, both to access benefits, but also to address harms from identity theft.
Lisa Reijula:
Thanks, Julia. Pastor Ben, can I put you on the spot to react to that as someone who's working in services and in the community for your thoughts?
Reverend Ben Roberts:
I mean, it's exactly what Julie said. One of the things that we saw during pandemic was no in-person options. That was especially the case of the Social Security Administration office. So where we used to be able to send somebody to apply for their card in person, that all moved online. But that meant if there was any discrepancy, if you were a Debra, but your card said Debbie, and you didn't know that, there was nobody to go back to plead your case whatsoever, and so you were just out of luck. I'm not even sure. I think the Social Security Administration only came back to in-person within the last few months. So any time that we have that barrier where your only option is online to try and take care of business, then we're definitely going to cut people out who do have a legitimate claim to try and move forward.
The generational barrier for that, any physical abilities, I know I was on a panel with somebody who's vision impaired and they tried to flag the challenges with having a technology only verification form. So I'm constantly wondering about, there has to be some sort of ... I call it a backdoor. I don't think that sounds good for a technology thing because that sounds like a vulnerability, but there has to be some other way for people to be able to come through when they can't just do it with the standard that's presented them, whether it's a KBA or an application that's just going to get fired back at them because they didn't agree with the algorithm.
Jeremy Grant:
Yeah, I'll say as the cybersecurity weenie, backdoor is not the right term, but a second door, an alternative path I think is the one you want to talk about. And here as we're talking about solutions, I just wanted to flag, I mentioned Congress could act. There is a bipartisan bill that's actually been introduced and cleared committee the last couple of congresses, the Improving Digital Identity Act. Came close to becoming law last year. I'm hopeful maybe something will happen this year. And a lot of it's been focused on trying to get the administration to take a holistic approach on closing the gap between physical and digital credentials. But the original version of the bill had a really important element of that that was actually inspired a lot by some of the work that Pastor Ben does at the ID ministry, which was it authorized grants to the states to help them accelerate, particularly in things like driver's license systems, which are often the defacto ID that people have.
How do they accelerate the transition from physical to digital? It would've required that states spend 10% of those grants on also helping people who can't get a basic physical ID today for whatever reason. They don't have documentation. They don't have the means to do so. The work that Ben and others do with the ID ministry is not uncommon across the country. And it's ... how do I say this? It is both inspiring to see that there's groups that do this, but also a little bit pathetic that the answer from any state governments, and I mean, frankly at the federal level or local, is if you don't have the documentation, you need to get a foundational credential. Well, come back when you do.
And then it falls to good volunteers and charities to try and help them. And so this was an effort to at least look at the issue holistically and make sure that as we're accelerating the creation of digital credentials, we're also making sure that we're not leaving people behind. Unfortunately, I had a key senate markup about a year ago where the idea of new grant dollars to the states became politically controversial until the grants were stripped through it. But we still think it's going to be an important part of any investment we make in better identity infrastructure to try and get us away from this problem that we're currently stuck in.
Eva Velasquez:
And I have a ...
Michele Evermore:
One thing I would just add quickly that I forgot to add as one of the things that's been done to address fraud is the Department of Labor is working with the US Postal Service to provide people an option, an in-person option, which I think is a really good equitable solution since by definition there's a post office in every zip code. I mean, I think that could be a potential way moving forward, not only for people to get through an ID hurdle with unemployment insurance, but to have a more universal ID verification in-person option for folks.
Eva Velasquez:
I just wanted to piggyback on what Pastor Ben and Julia were saying is I actually think this issue that was created by the pandemic is a lot bigger than just the folks that don't have access to technology, that don't have access to the internet. There were a ton of folks who do have access to the internet, can make use of it in certain situations, but who were pushed so swiftly into digital only transactions in areas that they weren't comfortable with. I'll use work from home for an example. A ton of people who heretofore had never had to work from home, had to quickly set that up. They did not know what legitimate emails coming from their employer were going to look like. How do they get their voicemail? What does a fax look like? So it's bigger than just that group. And of course, we need these digital off-ramps, that's the term I use, and I think I actually stole it from Julia, we need these digital off-ramps for folks.
But it isn't just that smaller group or I think there's a lot, a lot, a lot more folks that would benefit from that because it might just be a transaction that is so foreign to them. They're not comfortable with it. They've never done it before. Boy, unemployment can definitely fall into that category. Number of folks that are doing, "I'm doing this for the first time. I have no idea. I'd rather talk to a person." We need that. And Michelle, I do have to comment on the use of the post office as the boots on the ground. That option actually concerns me. And the reason is not the brick and mortar establishment and having that building available. It would be the training of the folks and the employees that are going to be potentially handling sensitive identity credentials, and what are they going to do when someone hits a roadblock?
Is there a process for them or are we just going to end up with the folks that are trained in customer service but not trained in how to deal with identity, how to deal with identity victimization, how to deal with all of those other issues that go along with it. It's much more than a customer service type of engagement. So that's a concern that I have with that. If it's done well with a lot of training, I think it could be beneficial. But if that training and those processes are lacking, I actually think it could be a disaster.
Julia Simon-Mishel:
I just want to piggyback on that for a second. I mean, I think we're really excited about the USPS option that DOL is rolling out. I agree, Eva, that training is incredibly important here because there are a lot of both conscious and subconscious biases that people have about anyone who walked through the door and how valid they think what that person is telling them is, or they may not look like the picture they have on their ID, but there might be very valid reasons why they don't look exactly like that picture that have to do with both cultural and economic reasons.
Eva Velasquez:
As human beings are also terrible at identity proofing. Jeremy, now I'm taking Jeremy's spot here. If you look at the rates with technology and people, people are absolutely terrible at saying, looking at a driver's license and saying, "Oh yeah, that's you." They fail miserably. So maybe we need to have a combination, a little technology, the human touch, and do something along those lines.
Julia Simon-Mishel:
And I'll give USPS credit. We did passports for our children recently. Very smooth, a great job working with our documents, getting those over. So they do have some experience in this field already. But I do think the kind of training part about this, and it's not just at USPS, it's with all of the agencies that are doing identity verification, right? First of all, we deal with a lack of empathy often when interacting with individuals, both who are struggling with access or who are victims of identity fraud. But the other issue with training is that oftentimes, when you're working with a government agency, a government official, they're trying to do their best. They have been all overwhelmed by this process. They got us through the pandemic in an amazing way. But there's also often an assumption that you did something wrong if you're coming to them as the victim of identity theft.
And you're often treated that way. And that's a huge problem, and especially since at the end of the day, none of this gets fixed if we don't find a way to stop people's personal information from being exposed on the dark web. We can slap lots of band-aids on all of this, on every single government program. But as long as your information is becoming available on the dark web due to data breaches, it's going to keep being a problem. But training people about how to interact with folks as Jeremy and others have pointed out, if I'm calling into the agency, if I'm showing up in person to X, Y, or Z, probably not a cyber criminal. We can show more grace in those situations than I think we have been, so both just a training and support for any sort of in-person or human to human touch that's happening in these systems.
Lisa Reijula:
So that gets to the last question that I was going to ask to each of you before we take some questions from the Q&A from the audience. So Julia, you touched on some of it, the training, empathy, not treating victims like they're the wrongdoers themselves, but what are other things that government agencies or program administrators, what would you like them to learn from organizations like yours or from where you sit in this space when it comes to helping victims of identity theft, what are some of the things that you think they need to be mindful of? And that one is to the whole group.
Eva Velasquez:
Well, since Julia brought it up, my thought is about that difference in training. Look, understanding that victims ... and I'm focused much more on recovery than I am on verification and authentication. So that's what the ITRC really does. We provide remediation and recovery plans at no cost. Victims are not this homogenous group, and I do think we tend to think of them that way. There's no easy, quick fix that, "You've got this issue. Here's your fix." If there was, the ITRC wouldn't exist. We have to treat these folks as individuals, but we also have to remember, these are crime victims, and that means more than customer service, we need to look at trauma-informed care. So Office of Victims of Crime, where a lot of organizations like mine get their funding from actually requires that you go to trauma-informed care training so that you know how to deal with people who are crime victims. We don't-
PART 3 OF 4 ENDS [01:12:04]
Eva Velasquez:
Know how to deal with people who are crime victims. We don't do that in any of the fraud departments in the financial institutions. I suspect we're not doing it in the government institutions. I can't say for sure, or even like I said, the fraud investigators and the retailer, the payment cards. So we either need to get victim advocates involved in this process at some point after the fraud report has been taken or the investigation has been conducted, or we need to get more training to these first responders, I'll put that in quotes, who are the first touch that these victims have, so that they are getting that care that's trauma informed and culturally competent.
Julia Simon-Mishel:
I just wanted to quickly hop on that advocate piece. One thing that has been missing for a long time, way before the pandemic, is that very few of any legal services organizations, which are those that are able to serve low income people for free, have any funding to work on identity theft issues, right? This is not a funded area of work that we see.
Eva Velasquez:
The victim advocacy organizations don't either, Julia.
Julia Simon-Mishel:
And things like what Eva's organization do are amazing, but a lot of folks need a step further, right? At some point, they're going to need an attorney, both because they are trying to navigate different rights, especially due process rights they might have with the government, but also because it bleeds into the private sphere, and all of a sudden you may have a debt collection issue coming at you, right? You may have a credit card company coming after you, and we don't have resources that have been sent to organizations that can take that role, and so I think really looking at some of our legal services funding and making funds available so that this can be a prioritized issue at certain organizations, at the very least, would be a good step forward.
Jeremy Grant:
I'd say going beyond how to actually help victims. This is certainly where Eva and Julia and others have more experience. I would say, getting back to a point I made at the beginning and picking up on something Julia just made, as long as there's data breaches, more information is going to be leaking out on us. It's going to become easier to compromise identities. We haven't even touched on what's happening right now, in terms of the way attackers are starting to leverage generative AI to launch more sophisticated attacks. I, frankly, think most people aren't even prepared for what's to come. This is a big reason why we really need to shift away from, look, if my data's stolen, so what? If it doesn't really have security value, if this criminal can't use three things that they know about me to prove that I'm me, and we get to something that's stronger, like say proof of possession of something, like a digital credential, that raises the bar. That changes what you can do with scalable attacks.
And so we're not going to have this today or tomorrow, but from an aspirational perspective, we should be really thinking right now, as a country, and really not just as a country, but this is a government issue specifically, given the government's role as the one authoritative issuer of identities, how do we actually start to harden that infrastructure so that we don't continue to have this problem year after year, where stolen data translates into stolen identities? So look, on that side, our coalitions produced a policy blueprint that's helped lead to, I mentioned the bipartisan improving Digital Identity Act, supported by Democrats and Republicans. It's supported by security experts, benefit experts, and privacy and civil experts. There is a path forward. We just have to decide we're going to make it a policy priority, and so I think that's how we start to get out of this conundrum of fretting about the current state of things, and actually get to something that might be working better for everybody in a few years.
Lisa Reijula:
Michelle, go ahead. I saw you come off mute.
Michele Evermore:
Yeah. I would just say this no wrong door approach to wherever it is that you find out that your identity was compromised, that place should direct you to somewhere that can get you to the services that you need. To button down your identity everywhere it needs to be buttoned down, is not just good for claimants, but it's also good reputationally for the state agency so that people understand that the information that was used wasn't a state UI agency breach. It's information that's out in the ether somewhere. I think that it's important. This kind of thing, when it happens, hurts people's faith in government in general, and I think that's bad.
I think giving people some sense of reassurance that, once their identity was compromised, they have someplace in government to go that will help them find all of the things that they need to do, I think that would be very helpful. It would also be helpful for all of the other entities, right? The other programs that would be the next target, or the financial institution or real retailer, whoever would be the next target. This is actually really good for everyone if there were a next step, besides just stopping that one fraudulent benefit, but realizing that this is a person who's been the victim of a really big problem, really big crime, helping them find all of the places that they need to go. I just can't say that enough.
Lisa Reijula:
Pastor Ben, how do you think about the future? How do you think about what's coming next? It seems fitting to give you the last word on this section.
Reverend Ben Roberts:
Yeah. For me, the place where I'm at when we think about what comes next in terms of the policies or the programs that are getting written or the agency rules to get written, is we have to consider what the non-average user experience is. If we're only considering the average user experience, we're locking out the folks that I work with on a day-to-day basis.
And so the way that I think about it is, whatever policy I'm proposing, whatever rule that I'm writing, is somebody going to be able to navigate this thing on their absolute worst day, the day they were evicted, the day they're escaping domestic violence, the day they had their items stolen from off of them while they were sleeping on the street? Is that person going to have a way to successfully navigate a replacement process that we know has to become stronger? But are they also going to have a way to get through this, even if it takes them a little more time, even if they have to do it in person? Does that person have a way to do this so that they can get back toward getting a job, getting housing, or enrolling in the benefits that they do deserve? So that's where I'm at when it comes to our next steps, is make sure that that's in the consideration.
Lisa Reijula:
Thank you. So we have about ten minutes. We have a couple of questions in the chat from the audience that I wanted to get your take on. The first question comes from Bonnie. It says, "What is the group's opinion of the numerous companies, like Lifelock, AAA Credit Monitoring, Experience Services, Homeowners Insurance Coverage, etc, to assist with identity theft assistance? Now, with so many breaches, many offer this benefit. Is it useful? Is it helpful?" Any thoughts on that from the group?
Eva Velasquez:
I can start, because we get this question a lot, actually. The first thing is there's a difference between credit monitoring and identity protection services. So if you are thinking about using these services, do your homework and make sure you understand what exactly they're providing. I look at identity protection services a lot like I look at other, like the dog groomer. Can you do a lot of these things to protect your identity and minimize your risk, yourself for free? Yes, you can, but there are benefits to paying someone to do some of that legwork for you, and having that expert available to you. So in and of themselves, they're not bad. They're not a scam in and of themselves, as far as the industry. Now, for individual companies, really important. Just like any other business engagement, do your homework.
Read reviews at the Better Business Bureau, at Google. Make sure you read the terms and conditions so you understand what they're actually offering. When it comes to these offerings for data breaches, we do tell people, "If it's free, go ahead and sign up. It's not going to cause you any harm." The only time you ever want to be very leery is if you get to that signup point, you don't recognize the name of the company, and they start asking you for payment information. That's an issue, because this actually happened. I haven't seen it recently. It happened when these things started where there would be auto-renew clauses. Well, you get it for free for a year, but at the end of 12 months, we're going to just auto-renew you, and people weren't wise to it, but there were some actions brought by various states for that behavior, and I haven't seen that in a long time.
So can it be useful? Yes, it can be helpful. It alleviates some of the burden. Last thought, if you have these services, you have the disposable income to pay for them, and you've engaged them, that's great, but you can't abdicate all responsibility. Look at what happened to Todd Davis at LifeLock, when he said, "Oh. I can publish my social security number, and nothing's going to happen to me." That was not the case. Nothing's impenetrable. So they can be an adjunct to your own identity hygiene practices. You can't abdicate all responsibility, but if you don't have the disposable income to pay for them, you really aren't just out on your own. There are organizations like mine, like the Federal Trade Commission, like AARP Fraud Watch, that can give you a lot of the information and tips that you need. You will just have to do the legwork, and all of that information from those organizations is free.
Julia Simon-Mishel:
Just let me add on there. I mean, what Eva just said is incredibly helpful. It's also a lot, right? I mean, I felt that. When you said that, I felt stressed just thinking about everything I would have to do in that situation. I have received those letters offering this, monitoring that, monitoring for that breach, and I'm someone who was not experiencing trauma at the moment, has the bandwidth to look into those things, and I couldn't figure out half of it, what it made sense to do in that situation.
And so, Eva, I completely agree with you, but also, there's a moment where I feel like we have to step back on the amount of responsibility we're putting on people's plates here, and that's why, I think just coming back to what Jeremy has said about this whole of government, both non-government and government partnership to kind of figure this out, because that's just a lot to put on people, even on their best day, and thank God for organizations like yours that help navigate that.
Eva Velasquez:
Yeah. We get the calls, where people will call us. I'm trying to give you guys the abridged version of that advice, but if anybody needs more information on that, you can call our toll-free number, and you can even tell us which breach you're talking about, and we can say, "Oh, yes. Experian credit monitoring. That's what this is. Experian is a legitimate company. It's not Scammers R Us credit monitoring.
Lisa Reijula:
We have another question from Peter, kind of to tag on to that, talking about a particularly vulnerable population, seniors. So seniors, are they a prime target for identity theft, and does anyone have thoughts on how to protect older folks from this type of victimization?
Eva Velasquez:
Are you guys going to make me go again since I'm the ITRC? You are.
Jeremy Grant:
You're the best here, Eva.
Eva Velasquez:
Okay. I think that we need to take a step back. Vulnerability, really, in our experience is not based on age, so those standard demographics that we use to say, "Oh. If you're this age, and you live in this zip code, you're more vulnerable," that's broken. It just doesn't look like that anymore. Now it's about how you engage in the outside world, because you can have a 65-year-old, who's retired, traveling, and has been using technology that is going to have a very different set of vulnerabilities than, say, a senior who's in an assisted care facility is relying on someone else to manage their finances and has their credentials being handed to a bunch of different people. When it comes to protecting seniors, again, I go back to, they're not this homogenous group.
The commonality is they're the same age. We have to kind of pull out how do you engage with the outside world, and what are your vulnerabilities? But there are some programs that are directed for seniors. Of course, ITRC helps people of all age groups. We even help youth, foster youth, so anybody can call us, but AARP's Fraud Watch Network is a really great place to start for those resources that are senior-centric and only for older Americans. But I also want us to shift our mindset. I'm sorry. It's not about your age. It's about a whole host of other things, because at the end of the day, every single one of us, even everybody on this panel, we are all vulnerable to these crimes. Under the right set of circumstances, we're all vulnerable, and we kind of have to adopt that mindset and recognize that is how the world is right now.
Lisa Reijula:
We have a question from Deborah. She manages a team at SBA, reviewing affidavits of identity theft. How are agencies addressing reports of identity theft? In her work, they're finding a number of these are false claims. How are program offices, rather than federal investigators, expected to address the integrity of the claim in pursuit of financial relief? Anyone have thoughts on that question?
Jeremy Grant:
It's hard, so I talked before about scalable attacks, but sounds like some of what she's dealing with are ones that actually aren't scalable, where somebody's taking the time to file perhaps a false claim. And you do see some of that as well, where you'll see very patient fraudsters who, if they think there's a pot of gold at the end of the rainbow, will go through something, and they'll pretend to be a victim and ask for help. In fact, they're not who they claim to be. I don't know. I mean, I think a lot of this is because we have such sort of a soft underbelly here in terms of how hard it is to know who's who online, as well as what's real with some of these things. We think a lot of this gets to broader solutions over a few years that can harden some of this infrastructure, but I think without knowing more details about the specific challenge you're dealing with at SBA, I'm not sure if I have a great answer.
Michele Evermore:
This is where I'll go back to, I also think that agencies shouldn't be on their own with problems like this. We had this UI system that was at a 50-year low in administrative funding, having to deal with this massive fraud attack. We should have a coordinated, somewhere to go in government, that will help smaller agencies deal with these kinds of things.
Lisa Reijula:
I think we have time, maybe for one more question. It comes from Rory. It says, "Do you all see government identity document verification as a truly essential component of identify verification? It seems that strict government ID document-based verification often completely undermines the purpose of ID verification. The process becomes so convoluted, that only a few of the bandwidths jump through all the hoops and produce the right documents. It almost seems to create a system where fraudsters are more likely to get through the system than earnest applicants." Any reactions to that? Go ahead, Michelle.
Michele Evermore:
Yeah, I agree. And I think that some of the guidance has said that pure identity verification isn't necessarily the only road. There are other device, fingerprint processes, things like that. There are ways to do identity verification in a way that's not as intrusive, and can fairly accurately flag potential problems, and then you can go through the identity verification process, but I am not sure that that needs to be the only thing, nor should it be the only thing that states rely on or the government relies on.
Jeremy Grant:
Yeah. I'll say it's not the only thing, but it certainly can play a big role. Although, I think to Julia's point or Michelle's point before, there should be no wrong doors to go through. So if you have a document, if you have a driver's license and a smartphone, those are two things that you can actually use pretty quickly to establish with some of the better tools that can figure out whether an ID is real or not, to at least go through one step to prove your identity.
I think it's not that it's a panacea, it doesn't solve all of the problems, but some of those tools that have emerged in the market the last few years have actually been able to create new, more inclusive routes for people. Look, if five years ago the way to prove I am online was knowledge-based questions tied to my credit history, if I'm a nineteen-year-old person of color, just hypothetically, who has a smartphone and a driver's license but has never had a credit card, I may have a path to get through a digital channel here using that smartphone and the ID, that I would not have with something that's tied to a credit history I don't have.
It's not to say it solves all problems, but in many cases with identity verification, it's not what's the best solution. It's, is there something else that's out there that sucks less than what was out there before? I've been using this term a lot lately. It's a terrible tagline for the industry, "Buy our stuff. It sucks less than the thing it's trying to replace," but given how hard a problem this is to solve, I do think a lot of those remote document authentication tools actually are a better option for a lot of people, or at least to give them another path to proof of who they are compared to some of the legacy tools.
Julia Simon-Mishel:
If I could just add one more thing, which is I think we should be really careful about applying a one-size-fits-all approach to identity authentication, right? There are different risk levels to different areas, to different agencies, different types of benefits. It can't be, "Everyone has to meet this high, high level for everything," especially I was talking earlier about just accessing your information, not even applying for benefits or filing anything, just accessing information about yourself that doesn't have private information, that could be further the security reaches.
But that is something that I think we really struggled with in the pandemic, because there were just higher standards that, all of a sudden, all government agencies were trying to meet, and a lot of that required document authentication. So I do think, as we're looking for the path forward, we have to really step back and think about what's really necessary. We've talked a lot about in-person off-ramps and how those can work. I'll just bring up one more, again, that I said earlier. There are what I would call community authenticators out there, folks who are working with those who come from vulnerable populations, who should be able to help individuals authenticate themselves for different areas without having to have all of the various documents or all of the various technology.
Lisa Reijula:
Thanks, Julia. I'm pretty proud. We're three minutes over, but I thought with this group and all the issues, that it was going to be difficult to keep to time. This has been a fantastic discussion. A lot of food for thought, a lot that I've learned just along the way, so I just want to say thank you for everyone who tuned in. Thank you for listening. We'll follow up with resources from all of our panelists. The recording will be available. You can see the email address there that you can use to follow up with us.
And Eva, Pastor Ben, Julia, Michelle, Jeremy, thank you so much for lending your expertise and your time to this event. We really appreciate the work you're doing, and for you coming together with us to share your insights on this really important issue, which is key to figuring out how to relieve victim's burden of resolving their cases of identity fraud themselves. So on behalf of the Pandemic Response Accountability Committee, thank you all for attending and for participating, and we hope to see you all soon. Thank you.
PART 4 OF 4 ENDS [01:34:04]