
The Communications Fraud Control Association’s annual meeting and educational event was held last week (June 14 – 16) at the Allerton hotel in Chicago, IL. The CFCA is made up of communications and security professionals, fraud investigators, analysts and managers, law enforcement, risk management staff, and many others. The organization started out as a small group of communications professionals from the major long distance carriers who were looking for a better and more collaborative way to address communications fraud. Now, almost 30 years later, it has over 60 members: a good representation of the industry, yet still a nimble size. From what I hear, this makes for a specialized but quite effective “working” conference.

Unfortunately I was not able to attend the conference, but my colleague, Kennis Wong, attended and presented on the topic of account takeover and existing account fraud. It’s an area of fraud and compliance that Experian has spent some R&D on recently, with some interesting findings. In the past, we’ve been more focused on helping clients prevent new account and application fraud. It might seem like an interesting time to expand into this area, with some studies citing large drops in existing account fraud (2011 Identity Fraud Survey Report by Javelin). But consumer costs in this area are way up, not to mention the headline-grabbing news stories about small business account takeover, which means it’s still a large pain point for financial institutions.

Experian’s research and development in existing account fraud, combined with our expertise in fraud scores and identity theft detection, has resulted in a new product launching at the end of this month: Precise ID for Customer Management. Stay tuned for more details.

Whether you call it small business, commercial, or corporate account takeover, this form of existing account fraud has been in the headlines lately and seems to be on the rise. While account takeover happens to individual consumers quite frequently, it’s the sensational loss amounts and the legal battles between companies and their banks that are causing this form of commercial fraud to make the news. A recent BankInfoSecurity.com article, “Fraud Verdict: Opinions Vary”, is about a court opinion in a high-profile ACH fraud case, Experi-Metal Inc. vs. Comerica Bank, and cites a number of examples of corporate account takeover cases with substantial losses:

· Village View Escrow of Redondo Beach, Calif.: lost $465,000 to an online hack
· Hillary Machinery: settled with its bank for undisclosed terms in 2010
· The Catholic Diocese of Des Moines, Iowa: lost $600,000 in fraudulent ACH transactions

I was curious what information was out there and publicly available to help businesses protect themselves and minimize fraud losses and risk. NACHA, the Electronic Payments Association, had some of the best resources on its website. Labeled the “Corporate Account Takeover Resource Center”, it has a wide variety of briefs, papers, and recommendation documents, including prevention practices for companies, financial institutions, and third-party service providers. There’s even a podcast on how to fight ACH fraud!

One thing was interesting to note, though. NACHA makes a point of distinguishing between ACH fraud and corporate account takeover in this statement at the top of the web page:

“Corporate Account Takeover is a form of corporate identity theft where a business’ online credentials are stolen by malware. Criminal entities can then initiate fraudulent banking activity. Corporate Account Takeover involves compromised identity credentials and is not about compromises to the wire system or ACH Network. ACH fraud and wire fraud, terms mistakenly used to describe this type of criminal activity, are a misnomer. The ACH Network is safe and secure.”

Mostly I agree: the ACH Network is safe and secure. But from an F.I.’s or company’s perspective, corporate account takeover and ACH fraud often go hand in hand.

High-profile data breaches are back in the headlines as businesses, including many in the communications sector, fall prey to a growing number of cyberattacks. So far this year, 251 public notifications of data breaches have been reported, according to the Privacy Rights Clearinghouse. The latest attack comes on the heels of the Obama administration’s recent proposal to replace conflicting state laws with a uniform standard. The idea is not a new one: national breach notification legislation has been in discussion on Capitol Hill since 2007. With the addition of the White House proposal, three data breach notification bills are now under consideration. But rather than waiting for passage of a new law, communications companies, and businesses in general, should be aware of the issues and take steps to prepare.

Replacing 48 laws with one

Currently, notification standards differ on a state-by-state basis: 46 states, plus the District of Columbia and Puerto Rico, each enforce their own standards. The many varying laws make compliance confusing and expensive. While getting to a single standard sounds like a good idea, finding a single solution becomes difficult when there are 48 different laws to reconcile. The challenge is to craft a uniform national law that preempts state laws while still providing adequate consumer protection.

Five things to look for in a national breach notification law

Passing a single law will be an uphill battle. In the meantime, these are some of the issues that will need to be resolved before a national breach standard can be enacted:

· What types of personal information should be protected, and what should be classified as “personal” information? First and last name plus other info (e.g. a bank account number); email addresses and user names; health and medical information (California now includes this).
· What qualifies as a breach, and what are the triggers for notification?
· What information should be included in a breach notice?
· How soon after a breach should notification be sent? Some states require notices be sent within a set number of days, others as soon as possible.
· Potential penalties: what could happen if a company doesn’t comply with the proposed laws? Under the White House bill, fines would be limited to $1,000/day, with a $1 million cap. The two bills in the House would impose penalties of $11,000/day, maxing out at $5 million.

How to prepare before a national standard is passed

Although the timing for passage is uncertain, communications companies need not wait for a national law to pass before taking action. Put a plan in place instead of sorting through 48 different laws. Preparation can be as simple as making a phone call to your Experian rep about our data breach protection services. Having managed over 2,300 data breach events, Experian can help you effectively mitigate loss.

In addition to following updates on this page, you can also stay informed about the progress of pending data breach legislation by following the Data Breach Blog. Share your thoughts and concerns on the current proposals by leaving a comment.

For further reading on this subject:
· Experian Data Breach Blog
· State Security Breach Notification Laws
· Obama Administration Proposal: Law Enforcement Provisions Related to Computer Security (PDF of the full bill)
· Obama national breach notification proposal: Good news, bad news for firms
· 2011 Data Breach Investigations Report (PDF)