Tuesday, April 29, 2008
Moving ...
by Doug Pollack
Our ID Experts blog is moving to a new home. Please check out the latest in identity theft and data breach news, advice and other happenings at our new address www.blog.idexperts.corp.com.
We are also sponsoring a new, informational data breach news site providing articles and news events specifically focused on data breaches. Please visit often or subscribe to this site at www.databreachwatch.org.
Both sites will continue to provide you with current and helpful information in the areas of identity theft and data breaches.
Thursday, April 3, 2008
Independent Risk Analysis Presented at FOSE Conference April 1, 2008
by Rick Kam
April 3, 2008
FOSE is one of the largest IT conferences for public agencies, with attendance approaching 20,000 professionals. Leading educators and technology solution providers presented on security, privacy, and "green" IT solutions.
Keynote speakers from Google, Sun Microsystems and others talked about the future of computing and how public agency IT professionals can create a more productive and secure computing environment.
I presented for ID Experts on the topic of how an "Independent Risk Analysis" provides public agencies a more effective solution to mitigate risk when they have a data breach (i.e. when the best security measures fail, what next). Highlights from my presentation included:
1. The requirements that prompted Congress to enact public law requiring independent risk analysis
2. When an agency would implement an independent risk analysis
3. What are the benefits of doing an independent risk analysis
4. How to initiate an independent risk analysis
5. How to be better prepared before an agency has a breach
ID Experts was one of two companies awarded a government contract to provide Independent Risk Analysis to public agencies in the U.S. This was a great opportunity for us to explain to public agencies how our solution helps them assess and certify the level of risk for an affected breach population and develop an effective risk mitigation plan.
Posted by Rick Kam at 5:30 PM
Labels: data breach, FOSE, identity theft, Independent Risk Analysis, operational risk
Tuesday, March 25, 2008
ID Safeguards now ID Experts(tm)
by Doug Pollack
ID Safeguards is changing its name. ID Safeguards will become ID Experts(tm). Founded in 2003 with a mission to protect Americans from identity theft, we have grown into a leader in identity theft protection. Today, we apply best practices to protect over three million Americans from this growing problem.
Our team of experts is passionate about helping victims of identity theft. We are one of the few companies in the industry that provide fully-managed recovery services; in other words, we do all the work for victims of identity theft in order to restore them to pre-theft status. We are also trusted by some of our country's largest and most prominent companies to provide a full spectrum of data breach response services.
As our market and our services have evolved, we have found that the common thread across all aspects of our business is our people and the expertise they provide in addressing the problems associated with identity theft. For this reason, we feel that the name ID Experts expresses more clearly and appropriately who we are today.
So ID Safeguards is now ID Experts. But rest assured, we still provide the best in identity theft protection services for individuals and families, and we provide leading corporations and public sector organizations with the most complete and tailored data breach services.
Visit us on the web at www.idexpertscorp.com, and continue to visit our blog for the latest in news and advice on identity theft.
Posted by Doug Pollack at 10:12 AM
Labels: data breach, id experts, ID theft, id theft protection
Monday, March 17, 2008
Is the U.S. Losing the Information War?
By Rick Kam
In a March 13, 2008 article in GovernmentExecutive.com by Gautham Nagesh titled "Feds losing war on information security, senators told",
"The federal government is losing the battle to keep its information systems secure, according to expert testimony at a Senate hearing on Wednesday."
Why?
Protecting information has become a significant challenge for all organizations, large or small, in public or private industry. The amount of personal information any organization holds on its customers and employees, and the many ways it is stored, both in electronic and paper form, make protecting that information from thieves a daunting task.
What are these organizations trying to protect?
There is value in information considered personal or health related. Your name, address, SSN, mother's maiden name, and yes, even the name of your favorite pet (if you use it as a password recovery keyword) all have value to ID thieves, who use them to access your bank accounts, set up new accounts in your name, or use your identity to mask their own criminal past.
Think about the places you have your information stored in your home like files in your kitchen or home office, boxes in the garage, utility bills, and explanation of benefits statements posted on the refrigerator awaiting payment.
Now think about where you work, whether in health care, insurance, a government agency, a car dealership, an accounting firm, etc. You may see a lot of this information accessible to anyone, including ID thieves. Therein lies one of the biggest challenges: protected information is easily available to anyone, everywhere you look!
What do you do about it?
In your home, secure this information in a locked file cabinet, away from people who may see it and decide to use it. At work, let your supervisor know when there is information that you think should be protected, so the organization can secure it properly.
Is this a losing battle?
No. We can win the information war by each of us making an effort to do our part to protect our information and alert others when we see possible exposures. You can make a difference.
Posted by Rick Kam at 3:20 PM
Labels: data breach, information war, social security number, SSN
Thursday, March 13, 2008
SEC Proposal to Amend Data Breach Regulations
by Doug Pollack
The Securities and Exchange Commission (SEC) is proposing amendments to its privacy rules under the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA) that would create more specific requirements for safeguarding customer information and responding to information security breaches.
"Under the proposed amendments, if a covered institution determined that an unauthorized person had obtained access to or used sensitive personal information, and that misuse of the information had occurred or was reasonably possible, the institution also would be required to provide notification, in a clear and conspicuous manner, to each individual identified with the information."
The amendments are currently open for comment. If they go through in substantially their current form, the SEC will require covered institutions (the broker-dealers, investment companies and registered investment advisers it regulates) to analyze each data breach for the risk that sensitive personal information was exposed and, if they determine that misuse of the information has occurred or is "reasonably possible", to notify every individual affected by the breach.
Currently there is no general federal law requiring notification of individuals affected by a corporate data breach. Numerous states, however, have notification laws with varying provisions.
It would be a very positive step for all of us if there are federal laws and regulations that would ensure that those affected by data breaches are notified on a timely basis and provided with useful, instructive information. All too often, individuals (millions of them each year) are notified of a data breach in such as way that it causes them great concern, but provides them with little help.
Posted by Doug Pollack at 5:09 PM
Labels: data breach, Fair Credit Reporting Act, Gramm-Leach-Bliley Act, SEC
Monday, February 11, 2008
The Indirect Costs of a Data Breach
by Doug Pollack
A recently published article in E-Commerce Times concerning the costs of corporate data breaches, "The Cost of ID Theft, Part 2: Fixing the System" by Andrew Burger, highlights the staggering economic impact of the increasing number of data breaches at America's corporations.
The article notes a statistic from the Ponemon Institute that pegs the average cost of a data breach at $197 per record compromised.
"The stakes are already quite high when it comes to data loss: According to Gartner and the Ponemon Institute, the loss of a single record -- not financial fraud -- is around (US)$197. If you take the extremely conservative estimate from the same research that said that in 2007, 127 million records were lost, you get around $25 billion in direct losses," noted Uriel Maimon, senior researcher for security firm RSA.
Ponemon further explores these costs, finding that around two-thirds of the cost of the data breach is associated with the loss of customers or reduction of corporate reputation.
"The cost of lost business is likely to be larger and more significant than actual cash losses and expenses related to remediation, however. The average customer churn for businesses surveyed that had suffered a breach was 2.67 percent, noted Kevin Bocek, director of product marketing for encryption firm PGP."
With this in mind, companies should plan as part of their data breach response plans to explicitly focus on elements of their response that will engender customer goodwill. While this may seem difficult to achieve in such circumstances, every opportunity to reach out and touch your customers creates an opportunity to increase retention and brand loyalty.
Friday, September 28, 2007
Lose Your Customer or Employee Data?
by Rick Kam
Eric McNulty authored a Harvard Business Review case study in September 2007 called "Boss, I Think Someone Stole Our Customer Data".
In this HBR case study, McNulty illustrates how a small business called Flayton Electronics learns that the security of its customer data has been compromised—and faces tough decisions about what to do next.
90% of businesses are at risk of losing customer data or having it stolen (see related post). If you are one of the 65 million businesses in America and this happens to you, how would you respond?
The most important decision a CEO and/or Chief Security Officer will make is what to do once they find out this has happened to their organization.
Remain calm. Just because protected personal information may be lost or stolen doesn't mean that the information will be misused by perpetrators to commit ID theft or financial fraud. In many cases, the perpetrator was targeting the laptop to resell it to a pawn shop for a few bucks to buy drugs. But you still have to act quickly to determine whether the information was compromised and do a risk assessment of whether the information could cause harm if it were misused.
There are several questions you have to ask. Here are a few of the key questions:
1. Was the information encrypted or not?
2. If it was encrypted, was the encryption key protected?
3. When did we discover the information was missing or stolen?
4. What information was lost (name, SSN, account numbers, etc.)?
5. Is there evidence of criminal intent?
6. Did we contact law enforcement?
7. Who knows about the issue?
8. How many records were compromised?
Once you have an initial assessment of the issue, you make a risk assessment, develop a risk mitigation plan, and implement your incident response plan. If all of these sound foreign to you, ask your privacy or compliance officer to do a review of your ability to respond to a data breach.
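As an added illustration, not part of the original post, the helper below turns the answers to the intake questions above into a risk tier and a list of next actions, and exposes a simplified proxy for the "misuse reasonably possible" determination discussed in the SEC post. The tiers, the record-count and discovery-delay thresholds, the set of "sensitive" data elements and the three sample incidents are all assumptions constructed for the example, not a standard drawn from any notification law.

```python
# Added example (not from the original post): breach triage from intake answers.
# Tiers, thresholds, the SENSITIVE set and the sample incidents are assumptions
# chosen for illustration, not a legal standard for any notification law.
from dataclasses import dataclass
from datetime import date

# Data elements that enable new-account fraud or account takeover when exposed
# in the clear (assumed category list).
SENSITIVE = {"ssn", "account_number", "driver_license", "medical"}


@dataclass
class Incident:
    data_elements: set          # e.g. {"name", "ssn"}
    record_count: int
    encrypted: bool
    key_protected: bool         # False if the key travelled with the data
    criminal_intent: bool       # evidence the data, not the device, was targeted
    lost_on: date
    discovered_on: date
    law_enforcement_contacted: bool = False


def data_exposed(inc: Incident) -> bool:
    """Encrypted data whose key stayed protected is treated as not exposed.
    Encrypted data whose key was lost with it is treated as cleartext."""
    return not (inc.encrypted and inc.key_protected)


def risk_tier(inc: Incident) -> str:
    """Return 'low', 'medium' or 'high' (illustrative tiering)."""
    if not data_exposed(inc):
        return "low"
    if not (inc.data_elements & SENSITIVE):
        return "low"            # contact details only
    if inc.criminal_intent or inc.record_count >= 500:
        return "high"
    return "medium"


def misuse_reasonably_possible(inc: Incident) -> bool:
    """Simplified proxy for the 'misuse reasonably possible' test:
    sensitive elements were exposed in a usable form."""
    return risk_tier(inc) != "low"


def next_actions(inc: Incident) -> list:
    """Next steps implied by the intake answers, in priority order."""
    actions = []
    if misuse_reasonably_possible(inc):
        actions.append("notify affected individuals")
    if risk_tier(inc) == "high":
        actions.append("offer credit monitoring / recovery services")
    if inc.criminal_intent and not inc.law_enforcement_contacted:
        actions.append("contact law enforcement")
    delay = (inc.discovered_on - inc.lost_on).days
    if delay > 30:              # assumed threshold for a detection review
        actions.append(f"review detection: {delay} days before discovery")
    return actions


# Constructed sample incidents.
# 1. Laptop with full-disk encryption stolen from a car; key never left the office.
LAPTOP_FDE = Incident(
    data_elements={"name", "address", "ssn"}, record_count=12000,
    encrypted=True, key_protected=True, criminal_intent=False,
    lost_on=date(2007, 9, 1), discovered_on=date(2007, 9, 2))

# 2. Same laptop, but the passphrase was on a sticky note in the bag.
LAPTOP_KEY_LOST = Incident(
    data_elements={"name", "address", "ssn"}, record_count=12000,
    encrypted=True, key_protected=False, criminal_intent=False,
    lost_on=date(2007, 9, 1), discovered_on=date(2007, 9, 2))

# 3. Cleartext spreadsheet of 40 account numbers e-mailed to the wrong vendor,
#    noticed two months later.
MISSENT_SHEET = Incident(
    data_elements={"name", "account_number"}, record_count=40,
    encrypted=False, key_protected=False, criminal_intent=False,
    lost_on=date(2007, 6, 15), discovered_on=date(2007, 8, 20))

if __name__ == "__main__":
    samples = [("laptop_fde", LAPTOP_FDE),
               ("laptop_key_lost", LAPTOP_KEY_LOST),
               ("missent_sheet", MISSENT_SHEET)]
    for name, inc in samples:
        print(name, risk_tier(inc), next_actions(inc))
```

The point the two laptop cases make is question 2 above: the same device with the same records moves from "low" to "high" solely because the key was lost with the data, so "it was encrypted" on its own settles nothing. The third case shows why question 3 matters: a small, accidental exposure still triggers notification, and the 66-day gap before discovery is itself a finding to act on.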
Posted by Rick Kam at 3:39 PM
Labels: data breach, HBR, ID theft, identity theft, lost data, PHI, PII
Monday, September 10, 2007
New Data Protection Bill in California
by Rick Kam
K.C. Jones authored an article on September 7, 2007 in InformationWeek called "California Data Protection Bill Moves Forward".
Once the bill is signed into law it will provide several new consumer protections. The TJ Maxx breach, in which 40+ million credit card numbers were lost or stolen, is an example of where this legislation would apply.
"The bill would provide notice to consumers, telling them which retailers lost their credit or debit card information, and when the information was lost. It would require retailers responsible for data breaches to assume all costs of consumer notification and card replacement."
California has led the nation in several pieces of ID Theft legislation. I expect other States will also put consumer protections like this in place soon.
Monday, August 27, 2007
90% of Businesses at Risk of Losing Your ID
by Rick Kam
Should businesses be responsible for protecting your identity and paying to restore it if crooks misuse it? An InfoWorld article dated July 16, 2007 says that 90 percent of businesses are at risk of losing your personal information:
"A new report by the IT Policy Compliance Group finds that the vast majority of businesses do not meet data-handling regulations, increasing the risk of a data breach".
As of this posting, 36 states and existing federal laws require businesses to safeguard your personal information and notify you if they lose it. Essentially, if a business requires your personal information as a prerequisite to doing business with you, it is required to protect it. So why are so many businesses not compliant with current legislation and unprepared to react if they have a data breach?
Security experts say the cost of securing a business against every potential threat is unrealistic. Good information security practice suggests protecting mission-critical or high-risk information first. Unfortunately this means that many systems and information sources may be left at risk, and this seems to be where most information crimes occur (stolen laptops, compromised employees, lost paper documentation, missing backup media, etc.). Privacy Rights Clearinghouse is a good resource for businesses and individuals on data breaches.
Individuals can take action by voicing their opinion, asking questions of the businesses they frequent, or voting with where they spend their money. Several legislators, including Senator Gordon Smith and Representatives Darlene Hooley, David Wu, and Greg Walden, are supporting legislation to require businesses to do a better job of protecting personal information. Write your state legislators voicing your concern. The next time a business asks you for your social security number, ask them why they need it. If they do require it, ask them how they protect it. And remember, in most cases you have the final vote as to whether or not you do business with them (vote with your dollars).
Posted by Rick Kam at 3:59 PM
Labels: data breach, lost data, personal information, social security number
Monday, August 20, 2007
More ID Theft Protection Offered By State of Ohio
by Rick Kam
On July 24, 2007 the State of Ohio announced additional identity theft protection offered to help the hearing impaired.
"The Ohio Department of Administrative Services announced Tuesday that it has contracted with Identity Safeguards, a respected national leader in identity protection and restoration services, to provide a one-year membership to the deaf community affected by the recent theft of a state accounting and financial system backup tape."
Over 350 institutions have been in the news since ChoicePoint went public with its data breach in February 2005. Many public and private organizations now have to comply with recent privacy notification laws: 36 states have enacted legislation requiring an organization to notify affected individuals if information it loses, or that is stolen from it, may be misused. State and federal legislators still struggle with whether it is better to notify or not.
One side of the argument says that people will become complacent if they receive lots of notification letters ("over notification"). For example, if you are a VA, accountant, and have a B of A account, you could have received three notification letters last year. The other side says it is better for you to know what happened so that you can assess your risk and take appropriate action to protect your identity. This is what we believe is most appropriate.
What do you think? Vote.
Posted by Rick Kam at 5:46 PM
Labels: data breach, identity safeguards, identity theft, state of ohio
Tuesday, July 10, 2007
Identity Safeguards Joins Blog World
I’m Rick Kam, president of Identity Safeguards. I’d like to welcome you to the Identity Theft Protection blog.
I founded Identity Safeguards with John Davidson in 2003 in order to help Americans protect themselves from identity theft. We are proud to be a pioneer and leader in this industry, delivering quality services, and doing so with integrity.
Combined with John’s 26 years in employee benefits consulting, I bring to Identity Safeguards over 25 years of experience both at IBM and management consulting. We joined our business skills and passion to address the problem of identity theft.
Our purpose in creating this blog is to provide you with a central location to learn about and discuss issues in identity theft protection, relevant legislation, and new identity protection tools. Our mission at Identity Safeguards is to be the voice for victims of identity theft while driving innovation in identity management and protection services. This blog will include posts from experts on our staff as well as guest experts from the ID theft prevention community at large.
We founded Identity Safeguards on the promise of protecting you and your good name. Having pioneered the market for identity theft solutions, today we are honored to provide over 2,000,000 American citizens with identity theft protection services. Identity Safeguards is proud to serve as a beacon for the victims of identity theft and has grown into the leader in identity theft prevention and recovery services.