by Doug Pollack

This past week there have been a flurry of articles about the state of litigation pending against LifeLock. An AP article titled “ID protection ads come back to bite the pitchman” is illuminating relative to how this situation has expanded. The “pitchman” noted in this article is Todd Davis, CEO of LifeLock who proudly displays his real social security number in ads that run on TV, newspapers and elsewhere.

Per the article,

“Now, Lifelock customers in Maryland, New Jersey and West Virginia are suing Davis, claiming his service didn’t work as promised and he knew it wouldn’t, because the service had failed even him. Attorney David Paris said he found records of other people applying for or receiving driver’s licenses at least 20 times using Davis’ Social Security number, though some of the applications may have been rejected because data in them didn’t match what the Social Security Administration had on file.”

As one can discern reading this article, Mr. Davis remains totally unrepentant. He defends their advertising, the nature of the $1MM guarantee that is at issue as part of the “deceptive practices” claim in the lawsuits, and the efficacy of their identity theft protection product even in the face of evidence that brings into doubt its effectiveness.

In an interview yesterday with Matt Lauer on the NBC Today Show, he was asked about whether LifeLock does anything for their customers that they can’t do themselves. While acknowledging that consumers can set fraud alerts and “opt out” of credit card offers pretty easily on their own, he defended what LifeLock does do that consumers can do for themselves, noting that it monitors numerous databases on the internet, for instance in chatrooms, where identity theft can occur. What he didn’t mention is that this capability was only added to the LifeLock offering very recently. Since the class action lawsuits were filed.

So it would appear now that the courts will help assess whether LifeLock has engaged in deceptive advertising practices and made misleading claims about its identity theft service.

by Doug Pollack

We know that over 10MM Americans this year will far victim to identity theft. But a recent survey by Bankrate asks people whether they are worried about this problem. The results indicate that people who personally know a victim of identity theft tend to be both more worried about this and also more proactive about protecting themselves.

The poll titled “Americans worry about ID theft; but consumers may be confused about the most effective strategies to protect their privacy” highlights:

“The results show that consumers who personally know a victim of identity fraud tend to be more concerned about the crime overall. Further, their concern pushes them to take more steps toward protecting their personal information, although there does seem to be some ambiguity as to the most efficient privacy protection actions.”

The following chart illustrates people’s answers to the question of how concerned they are about identity theft.

How concerned are you about having your identity stolen? Total Know an identity theft victim Don’t know a victim Very/somewhat concerned 81% 88% 76% Very concerned 40% 46% 36% Somewhat concerned 41% 42% 40% Not very/not at all concerned 19% 12% 24% Not very concerned 12% 7% 15% Not at all concerned 7% 5% 9%

So while most of us are concerned about identity theft, this is a problem area where most of us do very little to actually protect ourselves. If you talk with a friend or family member that has had to recovery their identity from theft, you will learn just how scary and time consuming that this can be. So don’t be complacent.

by Doug Pollack

An article published by the Wall Street Journal titled “Are Your Medical Records at Risk; Amid Spate of Security Lapses, Health-Care Industry Weighs Privacy Against Quality Care” discusses the growing incidents of data breaches and contributing factors within the health care world.

The article highlights the extent of this problem as follows:

“In a spate of recent security lapses at hospitals, health insurers and the federal government, private information on hundreds of thousands of patients, ranging from Social Security numbers to fertility-treatment and cancer records, has been compromised. The incidents have included the theft of an unencrypted laptop from an employee of the National Institutes of Health and the inadvertent posting of personal data unsecured on the Web from insurers WellCare Health Plans Inc. and WellPoint Inc.”

The premace here is that the health care industry is inclined to have greater incidence of data breaches due to the broader access to private patient information by employees and health care workers. This was illustrated in recent weeks by the highly publicized access to medical records of Britney Spears by works at the UCLA medical center.

“Health care isn’t the only industry whose slip-ups can upset consumers or expose them to identity theft. But hospitals are notable for the sheer number and types of employees — including billing staff, nurses, doctors, researchers and lab technicians — who have quick access to individuals’ private information.”

But there seem to be structural requirements for patient record access, dictated by the need to ensure high quality and emergency medical care, that will make it difficult to reduce the risks of data intrusion and breach.

“Many hospitals are reluctant to control access to data too tightly for fear that it will create red tape in emergency situations. “We have to be able to take care of patients, too,” says Wendy Mangin, president of the American Health Information Management Association and director of medical records and privacy officer at Good Samaritan Hospital, in Vincennes, Ind., which audits clinical staff’s access to medical data but doesn’t block it. ”

Unfortunately, it would appear that we will be seeing more rather than fewer data breaches within the health care industry for the foreseeable future.

by Doug Pollack

The Ponemon Institute today released a new study, sponsored by ID Experts, titled “Consumers Report Card on Data Breach Notification“. They describe the rationale and importance of this study as follows:

“It is well established that identity theft has become a very serious issue for Americans. But how well are organizations responding to consumers’ worries when their personal information is lost as the result of a data breach? We decided to conduct this study to find out if consumers who received notification about a data breach involving their personal information were satisfied with the organizations’ response and transparency. In other words, if the consumers had the ability to issue a report card on the current status of data breach notification would it be A for excellent or F for failing?”

The report provides a wealth of useful information to companies in order to effectively plan for a data breach response effort. Given an earlier Ponemon study estimate that around two-thirds of the $197 per person average cost of a data breach is in lost business and reputation, this report can assist companies in evaluating how elements of their data breach response effort can influence their customer retention rates and thereby attempt to reduce this very critical component of the cost equation.

Dr. Larry Ponemon states that:

“Data breach notifications are a failure if individuals do not have a clear understanding of their level of risk, available support, and the steps they need to take to respond to the loss of theft of their personal information. Our research strongly suggests that legal compliance is the primary goal of many companies’ notification efforts. This approach does not serve the best interests of consumers and contributes to a breakdown of trust that can impact a company monetarily as a result of increase in customer defection.”

To download a copy of this study, visit the ID Experts website and click on the New Ponemon Study link.

by Rick Kam
April 3, 2008

This conference is one of the largest IT conferences for public agencies with attendance approaching 20,000 professionals. Leading educators and technology solution providers focused on security, privacy, and “green” IT solutions.

Keynote speakers from Google, Sun Microsystems and others talked about the future of computing and how public agency IT professionals can create a more productive and secure computing environment.

I presented for ID Experts on the topic of how an “Independent Risk Analysis” provides public agencies a more effective solution to mitigate risk when they have a data breach (i.e. when the best security measures fail, what next). Highlights from my presentation included:

1. The requirements that prompted congress to enact public law requiring independent risk analysis
2. When an agency would implement an independent risk analysis
3. What are the benefits of doing an independent risk analysis
4. How to initiate an independent risk analysis
5. How to be better prepared before an agency has a breach

ID Experts was one of two companies awarded a government contract to provide Independent Risk Analysis to public agencies in the U.S. This was a great opportunity for us to explain to public agencies how our solution helps them assess and certify the level of risk for an affected breach population and develop an effective risk mitigation plan.

by Doug Pollack

This past week, there were two class action lawsuits filed against LifeLock, one in its home state of Arizona and one in New Jersey. Following on a recent lawsuit filed against LifeLock by Experian, one of three US credit bureaus, these class action lawsuits also assert that LifeLock is engaged in deceptive advertising relative to the level of protection provided by their service against identity theft. The LifeLock offering depends almost entirely upon the placement of perpetual fraud alerts as the means for protecting their subscribers from identity theft.

As noted by David Paris, an attorney involved in this matter, in an article on the CNBC website titled “N.J. Class Action Lawsuit Filed Against LifeLock Alleging Deceptive Marketing Regarding Limited Level of Protection Against Identity Theft“:

” ‘While fraud alerts may be effective in limited instances, they certainly cannot provide the comprehensive identity protection that LifeLock deceptively advertises,’ said Paris. ‘For instance, fraud alerts cannot stop the use of existing account numbers, and contrary to LifeLock’s advertisements, lenders are certainly not required to contact the subscriber before extending credit to a potential identity thief.’ ”

The article and comments from Mr. Paris also address the alleged deceptive nature a severe limitations on the highly publicized $1MM LifeLock Guarantee:

“According to the Complaint, LifeLock also misleads subscribers by advertising its $1 million service guarantee. ‘Potential LifeLock subscribers are enticed by the ’safety net’ of what appears to be a one-million dollar insurance policy against any losses sustained as a result of identity theft,’ said Paris. ‘In actuality, once you get beyond the limitations and disclaimers, you find that the guarantee is limited to fixing failures in LifeLock’s services and paying third-parties to attempt to restore subscriber losses.’ ”

Hopefully these lawsuits will help bring visibility and clarity to consumers as to the differences in identity theft protection services. Most services, including those provided by the company that sponsors this blog, ID Experts, do not rely on fraud alerts as a primary or sole means of protection, nor do they make questionable or misleading large dollar guarantees. It is unfortunate that brash marketing tactics have made it difficult for consumers to make an informed product decision based on the facts related to differences in these services.

by Doug Pollack

Tomorrow at the International Association of Privacy Professionals (IAPP) conference in Washington, D.C., we will announce our new ID Experts Data Breach Services.

Developed to resolve the growing consumer dissatisfaction with current breach notification and response methods, these services include breach assessment, notification and communications, monitoring and identity theft recovery components. Tailored to meet the individual needs of the private sector and government agencies, ID Experts is delivering a comprehensive approach to responding to data breach events that alleviates legal liability, manages public perception, and protects and restores individuals’ identities from identity theft.

We have also released a preview of the results from a study that we recently commissioned with the Ponemon Institute, the leading privacy and information management research firm, to be released in April 2008 . The study delves into how consumer victims of corporate breach events are terminating their business relationships because of a lack of responsiveness.

“Our research shows that consumers are growing increasingly dissatisfied with the way they are being treated following a data breach,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “The manner in which breach notification communications are often conducted fails to appropriately convey what the consumer needs to make an informed decision about protecting their personal information and, as such, does not succeed in being the first step in helping to repair a breakdown in trust.”

You can download a pre-release copy of this Ponemon report at our website at www.idexpertscorp.com.

by Doug Pollack

ID Safeguards is changing its name. ID Safeguards will become ID Experts(tm). Founded in 2003 with a mission to protect Americans from identity theft, we have grown into a leader in identity theft protection. Today, we apply best practices to protect over three million Americans from this growing problem.

Our team of experts is passionate about helping victims of identity theft. We are one of the only companies in the industry that provide fully-managed recovery services, in other words we do all the work for victims of identity theft in order to restore them to pre-theft status. We are also trusted by some of our country’s largest and most prominent companies to provide a full spectrum of data breach response services.

As our market and our services have evolved, we have found that the common thread across all aspects of our business is our people and the expertise they provide in addressing the problems associated with identity theft. For this reason, we feel that the name ID Experts expresses more clearly and appropriately who we are today.

So ID Safeguards is now ID Experts. But rest assured, we still provide the best in identity theft protection services for individuals and families, and we provide leading corporations and public sector organizations with the most complete and tailored data breach services.

Visit us on the web at www.idexpertscorp.com, and continue to visit our blog for the latest in news and advice on identity theft.

By Rick Kam

In a March 13, 2008 article in GovernmentExecutive.com by Gautham Nagesh titled “Feds losing war on information security, senators told”,

“The federal government is losing the battle to keep its information systems secure, according to expert testimony at a Senate hearing on Wednesday.”

Why?

Protecting information has become a significant challenge for all organizations large or small, in pubic or private industry. The amount of personal information any organization has on its customers and employees and the many ways they are stored; both in electronic and paper form, make protecting information from thieves a daunting task.

What are these organizations trying to protect?

There is value in information considered personal or health related. Your name, address, SSN, mother’s maiden name, and yes, even the name of your favorite pet (if you use it as a password recovery keyword) has value to ID thieves who utilize it to access your bank accounts, set up new accounts using this information, or use you to mask their criminal past.

Think about the places you have your information stored in your home like files in your kitchen or home office, boxes in the garage, utility bills, and explanation of benefits statements posted on the refrigerator awaiting payment.

Now think about where you work, whether in health care, insurance, government agencies, car dealerships, accounting firms, etc. You may see a lot of this information accessible to anyone, including ID thieves. There in lies one of the biggest challenges. Protected information is easily available to anyone everywhere you look!

What do you do about it?

In your home, secure this information in a locked file cabinet and away from people who may see it and decide to use. At work, let your supervisor know that there is information that you think should be protected so the organization can secure it properly.

Is this a losing battle?

No. We can win the information war by each of us making an effort to do our part to protect our information and alert others when we see possible exposures. You can make a difference.

by Doug Pollack

The Securities and Exchange Commission (SEC) is proposing amendments to the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA) that would create more specific requirements for safeguarding information and responding to information security breaches.

“Under the proposed amendments, if a covered institution determined that an unauthorized person had obtained access to or used sensitive personal information, and that misuse of the information had occurred or was reasonably possible, the institution also would be required to provide notification, in a clear and conspicuous manner, to each individual identified with the information.”

The amendments are currently open for comment. If they go through in substantially their current form, the SEC will be requiring public companies to analyze each data breach for the risk of exposure of personal information, and then, if their determination is that the risk of unauthorized access is “reasonably possible”, notify all individuals affected by the data breach.

Currently, there are no federal regulations that require notification of individuals affected by a corporate data breach. There are however numerous states that have notification laws with varying provisions.

It would be a very positive step for all of us if there are federal laws and regulations that would ensure that those affected by data breaches are notified on a timely basis and provided with useful, instructive information. All too often, individuals (millions of them each year) are notified of a data breach in such as way that it causes them great concern, but provides them with little help.