Archive for the ‘Data Breach’ Category


The Indirect Costs of a Data Breach

Posted by: dpollack | February 11th, 2008


by Doug Pollack

A recently published article in E-Commerce Times concerning the costs of corporate data breaches, titled The Cost of ID Theft, Part 2: Fixing the System and written by Andrew Burger, highlights the staggering economic impact of the increasing number of data breaches at America’s corporations.

The article notes a statistic from the Ponemon Institute that pegs the average cost of a data breach at $197 per record compromised.

“The stakes are already quite high when it comes to data loss: According to Gartner and the Ponemon Institute, the loss of a single record — not financial fraud — is around (US)$197. If you take the extremely conservative estimate from the same research that said that in 2007, 127 million records were lost, you get around $25 billion in direct losses noted Uriel Maimon, senior researcher for security firm RSA.”

Ponemon further explores these costs, finding that around two-thirds of the cost of the data breach is associated with the loss of customers or reduction of corporate reputation.

“The cost of lost business is likely to be larger and more significant than actual cash losses and expenses related to remediation, however. The average customer churn for businesses surveyed that had suffered a breach was 2.67 percent, noted Kevin Bocek, director of product marketing for encryption firm PGP.”

With this in mind, companies should plan as part of their data breach response plans to explicitly focus on elements of their response that will engender customer goodwill. While this may seem difficult to achieve in such circumstances, every opportunity to reach out and touch your customers creates an opportunity to increase retention and brand loyalty.


Lose Your Customer or Employee Data?

Posted by: rkam | September 28th, 2007

by Rick Kam

Eric McNulty authored a Harvard Business Review case study September 2007 called “Boss, I Think Someone Stole Our Customer Data“.

In this HBR case study, McNulty illustrates how a small business called Flayton Electronics learns that the security of its customer data has been compromised—and faces tough decisions about what to do next.

90% of organizations lose or have customer data stolen each year (see related blog). If you are one of the 65 million businesses in America and this happens to you, how would you respond?

The most important decision a CEO and/or Chief Security Officer will make is what to do once they find out this has happened to their organization.

Remain calm. Just because personal protected information may be lost or stolen doesn’t mean that the information will be misused by perpetrators to commit ID theft or financial fraud. In many cases, the perpetrator was targeting the laptop to resell it to a pawn shop for a few bucks to buy drugs. But you still have to act quickly to determine if the information was compromised and do a risk assessment of whether or not the information may cause harm if it were misused.

There are several questions you have to ask. Here are a few of the key questions:

1. was the information encrypted or not?
2. if it was encrypted, was the encryption key protected?
3. when did we discover the information was missing or stolen?
4. what information was lost (name, SSN, account numbers, etc.)?
5. was there evidence to believe there was criminal intent?
6. did we contact law enforcement?
7. who knows about the issue?
8. how many records were compromised?

Once you have an initial assessment of the issue, you make a risk assessment, develop a risk mitigation plan, and implement your incident response plan. If all of these sound foreign to you, ask your privacy or compliance officer to do a review of your ability to respond to a data breach.
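The eight questions above feed directly into the initial risk assessment. The following worksheet, added here as an illustration and not code from the original post or from Identity Safeguards, turns the answers into a risk tier and a list of follow-up actions. The sensitivity weights, the 1,000-record scale threshold, the 30-day discovery-lag threshold and the tier cut-offs are assumptions chosen for the example, not statutory rules; the one rule worth noting is that encrypted data whose key was also exposed is treated exactly like plaintext, which is why question 2 matters as much as question 1.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Sensitivity weights for the data elements the post names (question 4).
# The weights are assumptions for this example, not a regulatory scale.
ELEMENT_WEIGHT: Dict[str, int] = {
    "name": 1,
    "address": 1,
    "email": 1,
    "account_number": 3,
    "ssn": 3,
}
UNKNOWN_ELEMENT_WEIGHT = 2      # anything not catalogued is treated as sensitive
LARGE_BREACH_RECORDS = 1000     # assumed scale threshold (question 8)
DISCOVERY_LAG_DAYS = 30         # assumed acceptable gap for question 3


@dataclass
class BreachAssessment:
    """Answers to the initial assessment questions from the post."""
    encrypted: bool                 # question 1
    key_protected: bool             # question 2, only meaningful if encrypted
    lost_on: date                   # best estimate of when the data left our control
    discovered_on: date             # question 3
    data_elements: List[str]        # question 4, e.g. ["name", "ssn"]
    criminal_intent: bool           # question 5
    law_enforcement_contacted: bool # question 6
    records_affected: int           # question 8


def data_is_readable(a: BreachAssessment) -> bool:
    """Encrypted data whose key was also exposed is as good as plaintext."""
    return not (a.encrypted and a.key_protected)


def sensitivity(elements: List[str]) -> int:
    """Highest weight among the lost data elements; unknown ones count as sensitive."""
    return max((ELEMENT_WEIGHT.get(e.lower(), UNKNOWN_ELEMENT_WEIGHT) for e in elements),
               default=0)


def triage(a: BreachAssessment) -> Dict[str, object]:
    """Combine the answers into a tier ('low', 'medium', 'high') and actions."""
    score = 0
    actions: List[str] = []

    if data_is_readable(a):
        score = sensitivity(a.data_elements)
        if a.criminal_intent:
            score += 1
        if a.records_affected >= LARGE_BREACH_RECORDS:
            score += 1
    else:
        # Unreadable data still needs documentation: the claim that the key
        # was never exposed will be questioned later.
        actions.append("preserve evidence that the data was encrypted and the key was not exposed")

    if score >= 4:
        tier = "high"
    elif score >= 3:
        tier = "medium"
    else:
        tier = "low"

    lag_days = (a.discovered_on - a.lost_on).days
    if lag_days > DISCOVERY_LAG_DAYS:
        actions.append(f"explain the {lag_days}-day gap between loss and discovery")
    if a.criminal_intent and not a.law_enforcement_contacted:
        actions.append("contact law enforcement")
    if tier != "low":
        actions.append("review notification obligations for each affected State")
        actions.append("draft individual notification letters")
    # Question 7: keep a record of who has been briefed, whatever the tier.
    actions.append("record who has been briefed and restrict further disclosure")

    return {"tier": tier, "score": score, "actions": actions}


# Constructed scenario: an unencrypted laptop with names and SSNs for 5,000
# people, stolen on 2007-08-01 and reported missing two days later.
STOLEN_LAPTOP = BreachAssessment(
    encrypted=False, key_protected=False,
    lost_on=date(2007, 8, 1), discovered_on=date(2007, 8, 3),
    data_elements=["name", "ssn"], criminal_intent=False,
    law_enforcement_contacted=True, records_affected=5000,
)

if __name__ == "__main__":
    result = triage(STOLEN_LAPTOP)
    print(f"tier={result['tier']} score={result['score']}")
    for action in result["actions"]:
        print(" -", action)
```

Running the constructed scenario gives a high tier: the SSNs alone score 3, and the record count adds one more. Re-running it with `encrypted=True, key_protected=True` drops the same incident to low, while `encrypted=True, key_protected=False` leaves it at high, which is the distinction the second question is there to capture.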


New Data Protection Bill in California

Posted by: rkam | September 10th, 2007

by Rick Kam

K.C. Jones authored an article on September 7, 2007 in InformationWeek called “California Data Protection Bill Moves Forward“.

Once the Bill is ratified it will provide several new consumer protections. The TJ Maxx incident, where 40+ million credit card numbers were lost or stolen, is an example of where this legislation would apply.

“The bill would provide notice to consumers, telling them which retailers lost their credit or debit card information, and when the information was lost. It would require retailers responsible for data breaches to assume all costs of consumer notification and card replacement.”

California has led the nation in several pieces of ID Theft legislation. I expect other States will also put consumer protections like this in place soon.


90% of Businesses at Risk of Losing Your ID

Posted by: rkam | August 27th, 2007

by Rick Kam

Should businesses be responsible for protecting your identity and paying to restore it if crooks misuse it? There is an article in InfoWorld dated July 16, 2007 that says 90 percent of businesses are at risk of losing your personal information:

“A new report by the IT Policy Compliance Group finds that the vast majority of businesses do not meet data-handling regulations, increasing the risk of a data breach”.

As of this posting, there are 36 States and existing Federal laws that require businesses to safeguard your personal information and notify you if they lose it. Essentially, if a business requires your personal information as a prerequisite to doing business with you, they are required to protect it. So, why are so many businesses not compliant with current legislation and unprepared to react if they have a data breach?

Security experts say the cost of securing a business from every potential threat is unrealistic. Good information security practices suggest protecting mission critical or high risk information. Unfortunately this means that many systems and information sources may be left at risk. This seems to be where most information crimes occur (i.e. stolen laptops, compromised employees, lost paper documentation, missing backup computer media, etc.). Privacy Rights Clearinghouse is a good resource for businesses and individuals on data breaches.

Individuals can take action by voicing their opinion, asking questions of the businesses they frequent, or voting with where they spend their money. Several legislators including Senators Gordon Smith, Darlene Hooley, David Wu, and Representative Greg Walden are supporting legislation to require businesses to do a better job of protecting personal information. Write your State legislators voicing your concern. The next time a business asks you for your social security number, ask them why they need it. If they do require it, ask them how they protect it. And remember, in most cases you have the final vote as to whether or not you do business with them (vote with your dollars).


More ID Theft Protection Offered By State of Ohio

Posted by: rkam | August 20th, 2007

by Rick Kam

On July 24, 2007 the State of Ohio announced additional identity theft protection offered to help the hearing impaired.

“The Ohio Department of Administrative Services announced Tuesday that it has contracted with Identity Safeguards, a respected national leader in identity protection and restoration services, to provide a one-year membership to the deaf community affected by the recent theft of a state accounting and financial system backup tape.”

Over 350 institutions have been in the news since ChoicePoint went public with their data breach in February 2005. Many public and private organizations have to comply with recent privacy notification laws. To date, 36 States have enacted similar legislation requiring an organization to notify affected individuals if information it loses, or that is stolen from it, may be misused. State and Federal legislators struggle with whether it is better to notify or not.

One side of the argument says that people will become complacent if they receive lots of notification letters, so-called “over notification”. For example, if you are a VA, accountant, and have a B of A account, you could have received three notification letters last year. The other side says it is better for you to know what happened so that you can assess your risk and take appropriate action to protect your identity. This is what we believe is most appropriate.

What do you think? Vote.


Identity Safeguards Joins Blog World

Posted by: rkam | July 10th, 2007


I’m Rick Kam, president of Identity Safeguards. I’d like to welcome you to the Identity Theft Protection blog.

I founded Identity Safeguards with John Davidson in 2003 in order to help Americans protect themselves from identity theft. We are proud to be a pioneer and leader in this industry, delivering quality services, and doing so with integrity.

Combined with John’s 26 years in employee benefits consulting, I bring to Identity Safeguards over 25 years of experience both at IBM and in management consulting. We joined our business skills and passion to address the problem of identity theft.

Our purpose in creating this blog is to provide you with a central location to learn about and discuss issues in identity theft protection, relevant legislation, and new identity protection tools. Our mission at Identity Safeguards is to be the voice for victims of identity theft while driving innovation in identity management and protection services. This blog will include posts from experts on our staff as well as guest experts from the ID theft prevention community at large.

We founded Identity Safeguards on the promise of protecting you and your good name. Having pioneered the market for identity theft solutions, today we are honored to provide over 2,000,000 American citizens with identity theft protection services. Identity Safeguards is proud to serve as a beacon for the victims of identity theft and has grown into the leader in identity theft prevention and recovery services.
