The experience of being a victim of data breaches has created a shift in consumer behavior and attitude over the past year. A recent Ponemon Institute study found that more than one-third of consumers ignored data breach notification letters, taking no action to protect themselves against fraud. To combat data breach fatigue, companies should communicate with customers sincerely and avoid treating the notification process as a compliance issue. Notification letters should include an apology, a clear explanation of what happened and why, and steps consumers can take to protect themselves from fraud.

Source: 2015 Data Breach Industry Forecast
The news of the latest breach last week reported that tens of millions of customer and employee records were stolen by a sophisticated hacker incursion. The data lost is reported to include names, birth dates, Social Security numbers, and addresses. The nature of the stolen data has the potential to create long-term headaches for the organization and for tens of millions of individuals. Unlike a retailer or financial breach, where stolen payment cards can be deactivated and new ones issued, the theft of permanent identity information is, well, not easily corrected. You can’t simply reissue Social Security numbers, birth dates, names and addresses. What’s more, the data likely includes identity data on millions of dependent minors, who are prime targets for identity thieves and whose credit frequently goes unmonitored.

According to the Identity Theft Resource Center’s 2014 Data Breach Report, a record 783 breaches, representing 85 million records, occurred from January through September 2014 alone. The breaches have ranged across virtually every industry segment and data type.

So where does all this breached data go? It goes into the massive, global underground marketplace for stolen data, where it is bought and sold, and then used by cybercriminals and fraudsters to defraud organizations and individuals. Like any market, supply and demand determine price, and the massive quantity of recent breaches has made stolen identities more affordable to more fraudsters, exacerbating the overall problem. In fact, stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection company.

The big question: So what now? The answer: Assume that all data has been breached, and act accordingly. Such a statement sounds a bit trivial, but it is a significant paradigm shift.
It’s a clear-headed recognition of the implications of the ongoing, escalating covert war between cybercriminals and fraudsters on one side, and organizations and consumers on the other.

For individuals, we need to internalize this fact: our data has likely been breached, and we need to become vigilant and defend ourselves. Sign up for a credit monitoring service that covers all three credit bureaus to be alerted if your data or ID is being used in ways that indicate fraud. Include your children as well. A child’s identity is far more valuable to a fraudster, who knows it can be several years before the theft is detected; many parents do not check their child’s credit regularly, if at all.

For organizations, it’s a war on two fronts: data protection and fraud prevention. And the stakes are huge, bigger than many of us recognize. We’re not just fighting to prevent financial theft, we’re fighting to preserve trust: trust between organizations and consumers, at the first level, and ultimately widespread consumer trust in the institutions of finance, commerce, and government. We must collectively strive to win the war on data protection, no doubt, and prevent future data breaches. But what breaches illustrate is that, when fundamental identity data is breached, a terrible burden is placed on the second line of defense: fraud prevention. Simply put, organizations must continually evolve their fraud prevention controls and skills, and minimize the damage caused by stolen identity data. And we must do it in ways that reinforce the trust between consumers and organizations, enhance the customer experience, and frustrate the criminals.

At 41st Parameter, we are at the front lines of fraud prevention every day, and what we see are risks throughout the ecosystem. Account opening is a particular vulnerability, as consumer identity data obtained in the underground will undoubtedly be used to open lines of credit, submit fraudulent tax returns, and so on, unbeknownst to the consumer. Since so much data has been breached, many of these new accounts will look “clean,” presenting a major challenge for traditional identity-based fraud and compliance solutions. But it’s more than new accounts: account takeover, transactions, loyalty, every stage is in jeopardy now that so much identity data is on the loose. Even the call center is vulnerable, as the very basis for caller authentication often relies on components of identity.

At 41st Parameter and Experian Fraud & Identity solutions, we advocate a comprehensive layered approach that leverages multiple solutions such as FraudNet, Precise ID, KIQ, and credit data to protect all aspects of the customer journey while ensuring a seamless, positive user experience across channels and lines of business. Read our fraud perspective paper to learn more. Now is the time to take action.

Source: http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924
As data breaches continue to attract publicity, consumers are expecting more from impacted organizations.
A recent study conducted by the Ponemon Institute found that a data breach is among the top three occurrences that affect brand reputation, along with poor customer service and an environmental incident.
By: Maria Moynihan

In less than a year, my information has been compromised twice by a data breach. The companies involved varied significantly by way of size and type, yet both reacted expeditiously to inform me of the incident. As much as I appreciated the quick response and notification, I couldn’t help but wonder how well prepared we all are to handle these types of incidents within our own organizations. I recently read somewhere that data breaches are to be expected, like death and taxes. Can this be true?

A recent Ponemon Institute study, 2013 Cost of a Data Breach, highlighted alarming statistics around the typical impact a breach has on an organization. With costs amounting to approximately $5.4M and impact to brands ranging anywhere from $184M to $330M in losses, organizations cannot afford to pass breaches off as inevitable. Organizations must tighten their security standards, understand the evolving data breach environment and ensure their response plans are continuously enhanced to address emerging issues.

To better understand what may lie ahead, Experian has developed six key predictions for how concerns about data breaches will evolve:

1. Data breach cost will be down, but still impactful. The cost per record of a data breach will continue to decline; however, security incidents and other breaches may still cause significant business disruption if not properly managed.
2. Will the Cloud and Big Data = Big International Breaches? With the rise of the cloud, data is now moving seamlessly across borders, making complex, international breaches more likely.
3. Healthcare Breaches: Opening the Floodgates. With the addition of the Healthcare Insurance Exchanges, millions of individuals will be introduced into the healthcare system and, as a result, will increase the vulnerability of the already susceptible healthcare industry.
4. A Surge in Adoption of Cyber Insurance. Many companies will look beyond investing in technology to protect against attacks and towards the insurance market to manage the financial ramifications of breaches.
5. Breach Fatigue: Rise in Consumer Fraud? As the number of reported breaches in the media increases and the frequency of notifications that consumers receive grows, they may become apathetic towards the subject, thereby exposing themselves to greater risk.
6. Beyond the Regulatory Check Box. State regulators and law enforcement will turn a new leaf this year, devoting significant attention to helping organizations better manage breaches.

What is your organization doing to improve its data breach preparedness plan? Check out our 2014 Data Breach Industry Forecast and guide to handling data breach response. Check out other related content on data breach resolution.
The growing cost and number of data breaches has spurred more interest in cyber insurance. While companies often increase investments in technology and training programs to reduce the likelihood of a breach, a recent Ponemon Institute survey of risk-management professionals found that 31 percent of companies surveyed have cyber insurance and 39 percent plan to purchase cyber insurance in the future. Learn how to outline your response plan with our data breach response guide. Source: Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age
According to a recent Ponemon Institute study, 65 percent of study participants say their organization has had a data breach in the past two years involving consumer data outsourced to a third party. Most of these are preventable, as employee negligence accounts for 45 percent of data breaches and lost or stolen devices account for 40 percent.
According to a recent Ponemon Institute study, 44 percent of consumers who were notified about a data breach believed the breached company was hiding something. When data breaches occur, it is extremely important to be there for customers and to address their concerns. When companies hide a data breach, impacted consumers begin to suspect the breach is actually much worse than the company claims, and trust in the organization begins to wane. Find out more by downloading the data breach case study of lessons learned from the field.
Consumers want to hear about data breaches - Eighty-five percent of respondents in a recent study say learning about the loss of their data is pertinent to them. However, when they do, 72 percent indicated that they are dissatisfied with the notification letters they receive. Companies need to take note of these findings because more than one-third of consumers who receive a notification letter contemplate ending their relationship with the company. Providing affected individuals with a membership in an identity protection product is extremely important, since 58 percent of consumers consider identity protection to be favorable compensation after a breach. Learn five pitfalls to avoid in your notification letters and how Experian Data Breach Resolution can help. Source: Download the complete 2012 consumer study on data breach notification.
Anyone keeping tabs on the legal scene would think data breaches are something new, given all of the legislation hitting the floor of Congress, when in reality they have been happening since businesses began saving data. The truth is the average consumer didn’t really think about it until they started to hear about data breaches and fraud trends when California blazed a trail with what is considered to be the “grandma” of data breach laws back in 2002. The California law (CA SB 1386) required entities to report data breaches if a California resident was a record in the breach that included personally identifiable information and met the state’s criteria for a breach. One might say that law started it all: data breach reporting, the ability for watchdog tracking, and media coverage. Before CA SB 1386 we only saw the tip of the iceberg.

There are currently four bills worth watching in Congress right now that could have some significant impact on data breach notification requirements:

Senate Bill 139, the Data Breach Notification Act, sponsored by California Sen. Dianne Feinstein, would cover any agency or business that uses or stores personally identifiable information and make it mandatory that, if a breach occurred, the victims would be informed.

Senate Bill 3579, the Carper-Bennett legislation, entitled the Data Security Act of 2010, applies to financial institutions, retailers and government agencies, and would require these entities to safeguard sensitive information, investigate security breaches and notify consumers when there is a substantial risk of identity theft or account fraud. This bill is aimed at protecting consumers and businesses from identity theft and account fraud.

Senate Bill 3742, entitled the Data Security and Breach Notification Act of 2010, sponsored by Senators Mark Pryor and Jay Rockefeller, would cross industries and includes special requirements for data brokers. It was referred this month to the Committee on Commerce, Science, and Transportation, which Rockefeller chairs.

Senate Bill 1490, entitled the Personal Data Privacy and Security Act, designates unauthorized access to personally identifiable information as fraud and allows the act to lead to racketeering charges. Sponsored by Senate Judiciary Committee Chairman Patrick Leahy, it would also prohibit concealment of security breaches involved in fraud and prohibit the dismissal of a Chapter 7 bankruptcy case if the debtor is an identity-theft victim.

Many organizations already provide for data breach and the security of personally identifiable information as part of an Identity Theft Prevention Program or Red Flags Rule compliance. I’m happy to say that many rely on Experian tools (https://www.experian.com/data-breach/data-breach-resources.html) for data breach or Enterprise Risk Management solutions. However, any of these bills could change the game for many businesses not already regulated by the Gramm-Leach-Bliley Act (GLB), the Fair Credit Reporting Act (FCRA) or the Fair and Accurate Credit Transactions Act (FACTA). In fact, two of the bills would essentially subject data brokers to the same kinds of legislation that financial institutions have under FCRA. The reasoning behind it is that fraud trends continue to show risk levels are the same to the consumer, regardless of where the information is stored. The financial industry and credit bureau data have been regulated for years so, in a sense, I think it’s just “more of the same” unless you happen to be in an industry not regulated as stringently. Still… it’s worth keeping those “tabs” and RSS feeds alive.
Quite a scary new (although in some ways old) form of identity theft has been in the headlines recently. Here’s a link to the article, which talks about how children’s dormant Social Security numbers are being found and sold by companies online under the guise of CPNs, aka credit profile numbers or credit protection numbers.

Using deceased, “found”, or otherwise illicitly obtained Social Security numbers is not something new. Experian’s identity verification tools, like any good ones, check the submitted number against the Social Security Administration’s list of numbers reported as deceased, and check that it falls in an SSA valid issue range. But the two things I find most troubling here are:

One, the sellers have found a way around the law by not calling them Social Security numbers and calling them CPNs instead. That seems ludicrous! But, in fact, the article goes on to state that “Because the numbers exist in a legal gray area, federal investigators have not figured out a way to prosecute the people involved”.

Two, because of the anonymity and the ability to quickly set up and abandon “shop”, the online marketplace is the perfect venue for both buyer and seller to connect with minimal risk of being caught.

What can we as consumers and businesses take away from this? As consumers, we’re reminded to be ever vigilant about the disclosure of not only OUR Social Security number but that of our family members as well. For businesses, it’s a reminder to take advantage of additional identity verification and fraud prediction tools, such as Experian’s Precise ID, Knowledge IQ, and BizID, when making credit decisions or opening accounts rather than relying solely on consumer credit scores.
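The deceased-list and issue-range checks the post describes, as an added example that is not Experian’s code or any product’s logic. It assumes a constructed stand-in for the SSA Death Master File (DECEASED_SSNS) and uses the SSA’s published structural rules for the issue-range test: area 001-899 excluding 666, group 01-99, serial 0001-9999. Since the SSA randomized assignment in June 2011, the older per-state high-group tables no longer apply, so the range check reduces to those rules. The two numbers in KNOWN_INVALID are ones the SSA has long publicized as never validly assigned.

```python
"""Structural and deceased-list checks on a submitted Social Security number,
of the kind an identity-verification step runs before trusting the number.
Added example; not Experian's code or any product's logic.

Assumptions (not from the original post):
  - DECEASED_SSNS is a constructed stand-in for a lookup against the SSA
    Death Master File.
  - The "valid issue range" test uses the SSA's published assignment
    constraints (area 001-899 excluding 666, group 01-99, serial 0001-9999).
    After SSN randomization in June 2011 the old per-state high-group
    tables no longer apply, so the range check reduces to these rules.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Numbers the SSA has publicly identified as never validly assigned
# (they appeared in advertising decades ago and are still submitted).
KNOWN_INVALID: FrozenSet[str] = frozenset({"078051120", "219099999"})

# Constructed sample of deceased numbers for this example only.
DECEASED_SSNS: FrozenSet[str] = frozenset({"123456789", "456789012"})

_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


@dataclass(frozen=True)
class SsnCheck:
    normalized: Optional[str]  # nine digits, or None if malformed
    accept: bool               # True only if every check passed
    reason: str                # which check decided the outcome


def normalize_ssn(raw: str) -> Optional[str]:
    """Strip hyphens and surrounding whitespace; return nine digits or None."""
    m = _SSN_RE.match(raw.strip())
    return "".join(m.groups()) if m else None


def check_ssn(raw: str, deceased: FrozenSet[str] = DECEASED_SSNS) -> SsnCheck:
    digits = normalize_ssn(raw)
    if digits is None:
        return SsnCheck(None, False, "malformed")

    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    # Issue-range checks: area 000, 666 and 900-999 are never assigned,
    # nor are group 00 or serial 0000.
    if area == 0 or area == 666 or area >= 900:
        return SsnCheck(digits, False, "area never issued")
    if group == 0:
        return SsnCheck(digits, False, "group 00 never issued")
    if serial == 0:
        return SsnCheck(digits, False, "serial 0000 never issued")
    if digits in KNOWN_INVALID:
        return SsnCheck(digits, False, "publicly known invalid number")
    # Deceased check: a structurally valid number belonging to a dead person
    # is the classic "found" SSN the post describes.
    if digits in deceased:
        return SsnCheck(digits, False, "listed as deceased")
    # Note the gap: a dormant minor's number sold as a "CPN" passes every
    # check above, which is why the post recommends additional verification
    # and fraud-prediction signals rather than format checks alone.
    return SsnCheck(digits, True, "ok")


if __name__ == "__main__":
    for sample in ["078-05-1120", "666-12-3456", "123-45-6789",
                   "555-12-3456", "12-345-6789"]:
        print(sample, check_ssn(sample))
```

The ordering matters in practice: the cheap structural rejections run first, the deceased lookup (a database or file hit in a real system) runs only on numbers that could have been issued, and the final "ok" is deliberately weak, because the fraud the post describes is built on numbers that are real, issued, and attached to a living person who is not the applicant.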