To avoid confusion when discussing identity theft management and fraud mitigation within an organization, two things must be addressed: 1) the reduction or elimination of duplicated effort through clear assignment of responsibilities, and 2) a clear definition and shared understanding of the terms.
To address the first point, we must first address the second and clearly define the term "identity theft management". Ask an information security professional to define it, and the answer will be securing the personal information of customers and employees in every form it exists, whether physical or digital. Ask the government regulators, especially those who created the Red Flags Rule in the United States, and the answer will be preventing fraud committed with stolen personal information. My own view is that it is both: organizations must have policies and procedures to protect any personal information they possess, and they must prevent fraud committed with stolen personal information, which is what the Red Flags Rule means when it requires an "Identity Theft Prevention Program" in certain high-risk organizations (the financial institutions and creditors with covered accounts that the rule applies to).
Depending on which of these risks an organization faces, different tools and processes will be needed to mitigate them. A final note on this topic: identity protection companies that collect their customers' personal information must have qualified information security personnel to protect that information. However, the service quality of a consumer identity protection company cannot and must not be rated solely on whether it employs certified information security staff, because its staff and management must also have the skills to support consumers and regulators with identity fraud prevention, detection and resolution. Those skills are what the CIPA and CRFS designations focus on, and they complement information security certifications rather than replace them.
With this distinction clarified, we can return to the first point: duplication of effort and assignment of responsibility for identity theft and fraud management within an organization. In many organizations where the identity fraud risk is high, the fraud department rather than the information security group owns the task, for the reasons given above: protecting the personal information the organization holds is a security function, while detecting and resolving fraud committed with stolen information is a fraud function. Compliance with related laws such as the Red Flags Rule is typically assigned to the Legal or Compliance group, which must coordinate with the fraud group to finalize and implement the processes.
With these definitions and responsibility distinctions in place, organizations can avoid duplicated effort and become more effective and cost-efficient. The specifics will differ from company to company, but each company must take the time to define the terms and decide who does what in order to fully address its identity theft risks and avoid the confusion described above.