Friday, September 28, 2007

Lose Your Customer or Employee Data?

by Rick Kam

Eric McNulty authored a Harvard Business Review case study September 2007 called "Boss, I Think Someone Stole Our Customer Data".

In this HBR case study, McNulty illustrates how a small business called Flayton Electronics learns that the security of its customer data has been compromised—and faces tough decisions about what to do next.

90% of organizations lose or have customer data stolen each year (see related blog). If you are one of the 65 million businesses in America and this happens to you, how would you respond?

The most important decision a CEO and/or Chief Security Officer will make is what to do once they find out this has happened to their organization.

Remain calm. Just because personal protected information may be lost or stolen doesn't mean that the information will be misused by perpetrators to commit ID theft or financial fraud. In many cases, the perpetrator was targeting the laptop to resell it to a pawn shop for a few bucks to buy drugs. But you still have to act quickly to determine whether the information was compromised and do a risk assessment of whether the information could cause harm if it were misused.

There are several questions you have to ask. Here are a few of the key questions:

1. Was the information encrypted or not?
2. If it was encrypted, was the encryption key protected?
3. When did we discover the information was missing or stolen?
4. What information was lost (name, SSN, account numbers, etc.)?
5. Was there evidence to believe there was criminal intent?
6. Did we contact law enforcement?
7. Who knows about the issue?
8. How many records were compromised?

Once you have an initial assessment of the issue, you make a risk assessment, develop a risk mitigation plan, and implement your incident response plan. If all of these sound foreign to you, ask your privacy or compliance officer to do a review of your ability to respond to a data breach.

Wednesday, September 26, 2007

Credit Bureaus Offer Credit Freeze



by Rick Kam

TransUnion and Equifax will offer credit freeze services, according to a September 22, 2007 article in ConsumerAffairs.com by Martin Bosworth.

"offer consumers the ability to "freeze" their credit files in all 50 states in order to protect themselves against identity theft and fraud. The service will be available in the 11 states that do not already have credit-freeze laws, costing consumers $10 to set the freeze and $10 to unlock it, and will "meet or exceed the requirements" of states with existing freeze laws. The freeze service will be free to victims of identity theft, and is scheduled to roll out Oct. 15."

This means that you can instruct these two credit bureaus to freeze your credit, making it more difficult for an ID thief to set up a new fraudulent credit card or take out a loan using your personal information. Experian is the other major credit bureau. They have not indicated whether or not they will also offer this service.

The question is whether this is a good solution to protect you from ID theft. There is a $10 cost to freeze and unfreeze your credit. If you are a victim of ID theft, the cost to freeze your credit is $0.

Our suggestion is to look at using this tool if you are a victim of ID theft rather than as a preventive measure. There are several reasons for this.

1. If you are a victim of ID theft, it can prevent more fraudulent accounts from being set up by the thief.

2. If you are not a victim of ID theft, this tool requires you to take an action each time you want to open a new credit line.

3. A credit freeze only protects you against credit fraud. There are many more ways ID theft can occur that this tool will not address, including debit fraud, medical ID theft, criminal misuse of your ID, etc.

The good news is there are new preventive tools entering the market that provide 360-degree protection against all of these issues and provide better protection. These services scan both financial and non-financial data sources and do a much better job of protecting your identity. I will discuss more on this topic in future blogs.

Friday, September 21, 2007

Free Credit Reports?



by Heather Wells (Recovery Advocate)


Everyone should check their credit reports at least once a year to make sure that all of the information contained in them is accurate and up to date. You should also check your reports for any information that is fraudulent, which could signal that you are the victim of Identity Theft. This includes accounts as well as personal information such as addresses and phone numbers.

There’s only one legitimate source where you can obtain your FREE credit reports, and that’s http://www.annualcreditreport.com/. The law requires that each of the major credit reporting agencies (Equifax, Experian, and TransUnion) give you a copy of your credit report every year at no charge.

If you are ever online and are asked to enter a credit card number in order to obtain a copy of your credit report, DON’T DO IT. Many of the companies that advertise free credit reports and credit scores will enroll you in services that you don’t want or need. Cancelling these services once you’ve given over your billing information can be difficult or downright impossible.

So, if you are asked for your credit card number to get something that is supposed to be “free,” don’t do it. Go to http://www.annualcreditreport.com/.

Monday, September 17, 2007

Share Your SSN with Anyone?

by Rick Kam

When is it OK to give someone your SSN, if ever?

The answer is ...

NEVER give out your SSN to an organization or person you don't know.

There are only a few reasons organizations need your SSN. One is if you are applying for credit. Say you walk into your local car dealer and decide to buy a new/used car. The dealer will ask you for a copy of your driver's license and will check your credit report to see if you are an able buyer.

Another good reason an organization will ask for your SSN is if you are applying for a job. The employer will do some background and credit checking depending on the position you are applying for. If you are not comfortable with the organization having your personal information to do this background check, you may want to reconsider working for them.

The other reason is to pay taxes. The IRS will require your SSN on your tax returns. Many of us may ask why the IRS needs your SSN. Well, it is so they can identify that you submitted and paid any taxes due. Unless you want the IRS coming after you, it is probably a good idea to provide your SSN on your return.

If others ask you for your SSN, make sure you ask why they need it and how they plan to protect and destroy the information once they are done with it. It is incumbent on organizations to protect your personal information, especially with recent privacy legislation (e.g., HIPAA or GLBA).

Monday, September 10, 2007

New Data Protection Bill in California

by Rick Kam

K.C. Jones authored an article on September 7, 2007 in InformationWeek called "California Data Protection Bill Moves Forward".

Once the bill becomes law it will provide several new consumer protections. The TJ Maxx issue, where 40+ million credit card numbers were lost/stolen, is an example of where this legislation would apply.

"The bill would provide notice to consumers, telling them which retailers lost their credit or debit card information, and when the information was lost. It would require retailers responsible for data breaches to assume all costs of consumer notification and card replacement."

California has led the nation in several pieces of ID theft legislation. I expect other states will also put consumer protections like this in place soon.

Can Sharing Music on the Web Expose You to ID Theft?

by Rick Kam

According to Brian Koemer, who authored an article on September 10, 2007 titled "Peer-to-Peer Networks Used to Steal Identities", the answer is YES!

"In what federal authorities are calling the first of its kind, the arrest of Gregory Thomas Kopiloff of Seattle, who allegedly used P2P Software to steal the personally identifiable information (PII) of at least 83 people."

How many of you use P2P file sharing software like Kazaa or LimeWire?

If you have teenagers in the house, are they using these tools to share their favorite songs with friends?

There is a good chance that one of your computers has these tools installed. If you do, Brian Koemer provides tips on how to protect yourself online. Besides these tips from Brian, we also suggest the following:

1. Make sure your computer has its firewall enabled. A firewall will help reduce the risk of someone getting unauthorized access to your computer. If you bought a computer recently, most will come out of the box with the firewall enabled (e.g., Windows Vista or Mac OS X).

2. Scan your computer regularly for viruses. You can schedule this function to run every week or once a month when you are not using it.

3. Make sure you obtain files from known sources (e.g., iTunes). Many versions of music files exist on the web. You can tell they are different because the file sizes differ. Some of these variations are legitimate and accommodate various media players. Others contain viruses and other malware.

If you suspect any issues with a file, just don't put it on your computer.

Tuesday, September 4, 2007

Another One Bites The Dust: Warranty Hard Drive Replacement



By: D. Jones, Recovery Advocate

Enjoying your computer but one or more of the drives bites the dust? Realizing that it’s still under warranty solves only half the problem. What happens to that old, dead drive once your warranty service visits your home to replace it? Worse yet, what about when you ship your computer to the manufacturer for them to replace the drive at their facility? Both of these scenarios can be rife with identity theft opportunities.

As noted in a recent post on whatsnextblog, it has been shown that hard drive replacement could lead to data compromise. Manufacturers are supposed to wipe the drives with an industrial magnet, a technique called “degaussing”, before resale, or render them unusable, but that often doesn’t happen the way it should. One of our recovery advocates recalls a Dell computer drive that failed. The system was under warranty, so a contractor made a house call to replace the drive. She asked if she could keep the old drive for security reasons and was told it was Dell’s policy to return the used drive. Daunted, but secure in the fact that the drive was new and therefore free from sensitive information, she watched as the drive was taken from her computer and removed from her home. Who knows what happened after that point? It’s common knowledge now that the drives are repaired and resold, but what happens to the info stored on the drives?

The auto mechanic industry has learned to honor our right to the broken, damaged parts that are replaced; why not the computer technician field? If we’ve paid for it, we should be able to keep the old part or be assured that our information is removed or the drive destroyed so that others can’t access it. Dell now has a policy that allows the consumer to purchase the damaged drive for an additional fee. As the article in the link states, at the very least, computer manufacturers should revisit their current policy on replacing dead drives, or perhaps current laws need to be restructured to ensure corporate protection of consumer privacy.

Monday, September 3, 2007

Gone in 4 Seconds



by Rick Kam

Have you thought about how a perpetrator might steal your personal information? I came across this video called "Gone in Four Seconds." In this video, crooks prey on unsuspecting victims at a gas station, stealing their personal information while they are not looking.



Have you been a victim of ID theft? Share with our readers how this happened and any suggestions you have to help them avoid the crime.