Tuesday, April 29, 2008

Moving ...


by Doug Pollack

Our ID Experts blog is moving to a new home. Please check out the latest in identity theft and data breach news, advice and other happenings at our new address www.blog.idexperts.corp.com.

We are also sponsoring a new, informational data breach news site providing articles and news events specifically focused on data breaches. Please visit often or subscribe to this site at www.databreachwatch.org.

Both sites will continue to provide you with current and helpful information in the areas of identity theft and data breaches.

Thursday, April 3, 2008

Independent Risk Analysis Presented at FOSE Conference April 1, 2008

by Rick Kam
April 3, 2008


FOSE is one of the largest IT conferences for public agencies, with attendance approaching 20,000 professionals. Leading educators and technology solution providers presented on security, privacy, and "green" IT solutions.

Keynote speakers from Google, Sun Microsystems and others talked about the future of computing and how public agency IT professionals can create a more productive and secure computing environment.

I presented for ID Experts on the topic of how an "Independent Risk Analysis" provides public agencies a more effective solution to mitigate risk when they have a data breach (i.e. when the best security measures fail, what next). Highlights from my presentation included:

1. The requirements that prompted Congress to enact public law requiring independent risk analysis
2. When an agency would implement an independent risk analysis
3. What are the benefits of doing an independent risk analysis
4. How to initiate an independent risk analysis
5. How to be better prepared before an agency has a breach

ID Experts was one of two companies awarded a government contract to provide Independent Risk Analysis to public agencies in the U.S. This was a great opportunity for us to explain to public agencies how our solution helps them assess and certify the level of risk for an affected breach population and develop an effective risk mitigation plan.

Tuesday, April 1, 2008

LifeLock Class Action Lawsuits

by Doug Pollack

This past week, two class action lawsuits were filed against LifeLock, one in its home state of Arizona and one in New Jersey. Following the recent lawsuit filed against LifeLock by Experian, one of the three major US credit bureaus, these class actions also assert that LifeLock engages in deceptive advertising about the level of protection its service provides against identity theft. The LifeLock offering depends almost entirely on placing perpetual fraud alerts as the means of protecting its subscribers from identity theft.

As noted by David Paris, an attorney involved in this matter, in an article on the CNBC website titled "N.J. Class Action Lawsuit Filed Against LifeLock Alleging Deceptive Marketing Regarding Limited Level of Protection Against Identity Theft":

" 'While fraud alerts may be effective in limited instances, they certainly cannot provide the comprehensive identity protection that LifeLock deceptively advertises,' said Paris. 'For instance, fraud alerts cannot stop the use of existing account numbers, and contrary to LifeLock's advertisements, lenders are certainly not required to contact the subscriber before extending credit to a potential identity thief.' "

The article and Mr. Paris's comments also address the allegedly deceptive nature of, and the severe limitations on, the highly publicized $1MM LifeLock Guarantee:

"According to the Complaint, LifeLock also misleads subscribers by advertising its $1 million service guarantee. 'Potential LifeLock subscribers are enticed by the 'safety net' of what appears to be a one-million dollar insurance policy against any losses sustained as a result of identity theft,' said Paris. 'In actuality, once you get beyond the limitations and disclaimers, you find that the guarantee is limited to fixing failures in LifeLock's services and paying third-parties to attempt to restore subscriber losses.' "

Hopefully these lawsuits will help bring visibility and clarity to consumers as to the differences in identity theft protection services. Most services, including those provided by the company that sponsors this blog, ID Experts, do not rely on fraud alerts as a primary or sole means of protection, nor do they make questionable or misleading large dollar guarantees. It is unfortunate that brash marketing tactics have made it difficult for consumers to make an informed product decision based on the facts related to differences in these services.

Tuesday, March 25, 2008

ID Experts Launches New Data Breach Services


by Doug Pollack

Tomorrow at the International Association of Privacy Professionals (IAPP) conference in Washington, D.C., we will announce our new ID Experts Data Breach Services.

Developed to address growing consumer dissatisfaction with current breach notification and response methods, these services include breach assessment, notification and communications, monitoring, and identity theft recovery. Tailored to the individual needs of private sector companies and government agencies, they give an organization a comprehensive approach to responding to a data breach event: one that reduces legal liability, manages public perception, and protects individuals' identities and restores them after identity theft.


We have also released a preview of the results from a study that we recently commissioned with the Ponemon Institute, the leading privacy and information management research firm; the full report is to be released in April 2008. The study delves into how consumer victims of corporate breach events are terminating their business relationships because of a lack of responsiveness.

“Our research shows that consumers are growing increasingly dissatisfied with the way they are being treated following a data breach,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “The manner in which breach notification communications are often conducted fails to appropriately convey what the consumer needs to make an informed decision about protecting their personal information and, as such, does not succeed in being the first step in helping to repair a breakdown in trust.”

You can download a pre-release copy of this Ponemon report at our website at www.idexpertscorp.com.

ID Safeguards now ID Experts(tm)

by Doug Pollack

ID Safeguards is changing its name. ID Safeguards will become ID Experts(tm). Founded in 2003 with a mission to protect Americans from identity theft, we have grown into a leader in identity theft protection. Today, we apply best practices to protect over three million Americans from this growing problem.

Our team of experts is passionate about helping victims of identity theft. We are one of the only companies in the industry that provide fully managed recovery services; in other words, we do all the work for victims of identity theft in order to restore them to pre-theft status. We are also trusted by some of our country's largest and most prominent companies to provide a full spectrum of data breach response services.

As our market and our services have evolved, we have found that the common thread across all aspects of our business is our people and the expertise they provide in addressing the problems associated with identity theft. For this reason, we feel that the name ID Experts expresses more clearly and appropriately who we are today.

So ID Safeguards is now ID Experts. But rest assured, we still provide the best in identity theft protection services for individuals and families, and we provide leading corporations and public sector organizations with the most complete and tailored data breach services.

Visit us on the web at www.idexpertscorp.com, and continue to visit our blog for the latest in news and advice on identity theft.

Monday, March 17, 2008

Is the U.S. Losing the Information War?





By Rick Kam

In a March 13, 2008 article in GovernmentExecutive.com by Gautham Nagesh titled "Feds losing war on information security, senators told",

"The federal government is losing the battle to keep its information systems secure, according to expert testimony at a Senate hearing on Wednesday."

Why?

Protecting information has become a significant challenge for all organizations, large or small, in public or private industry. The amount of personal information any organization holds on its customers and employees, and the many ways it is stored, in both electronic and paper form, make protecting that information from thieves a daunting task.

What are these organizations trying to protect?

There is value in information considered personal or health related. Your name, address, SSN, mother's maiden name, and yes, even the name of your favorite pet (if you use it as a password recovery keyword) have value to ID thieves, who use them to access your bank accounts, set up new accounts in your name, or use your identity to mask their criminal past.

Think about the places you have your information stored in your home like files in your kitchen or home office, boxes in the garage, utility bills, and explanation of benefits statements posted on the refrigerator awaiting payment.

Now think about where you work, whether in health care, insurance, a government agency, a car dealership, an accounting firm, etc. You may see a lot of this information accessible to anyone, including ID thieves. Therein lies one of the biggest challenges: protected information is easily available to anyone, everywhere you look.

What do you do about it?

In your home, secure this information in a locked file cabinet, away from people who may see it and decide to use it. At work, let your supervisor know when there is information that you think should be protected, so the organization can secure it properly.

Is this a losing battle?

No. We can win the information war by each of us making an effort to do our part to protect our information and alert others when we see possible exposures. You can make a difference.

Thursday, March 13, 2008

SEC Proposal to Amend Data Breach Regulations

by Doug Pollack

The Securities and Exchange Commission (SEC) is proposing amendments to its privacy rules under the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA) that would create more specific requirements for safeguarding information and responding to information security breaches.

"Under the proposed amendments, if a covered institution determined that an unauthorized person had obtained access to or used sensitive personal information, and that misuse of the information had occurred or was reasonably possible, the institution also would be required to provide notification, in a clear and conspicuous manner, to each individual identified with the information."

The amendments are currently open for comment. If they go through in substantially their current form, the SEC will require the institutions it regulates (the "covered institutions" of the proposal, such as broker-dealers and investment advisers, not public companies in general) to analyze each data breach for the risk of exposure of sensitive personal information and then, if they determine that misuse of that information has occurred or is "reasonably possible", notify every individual affected by the breach.

Currently, there is no general federal law or regulation that requires notification of individuals affected by a corporate data breach. There are, however, numerous states with notification laws, with varying provisions.

It would be a very positive step for all of us if federal laws and regulations ensured that those affected by data breaches are notified on a timely basis and provided with useful, instructive information. All too often, individuals (millions of them each year) are notified of a data breach in such a way that it causes them great concern but gives them little help.

Wednesday, March 12, 2008

More on Experian vs. Lifelock


by Doug Pollack

There is a growing amount of legal commentary emerging in the discussion surrounding the Experian vs. LifeLock lawsuit. This week, Peter Bronson from The Union.com published an article titled "Business Law Bulletin: Experian vs. LifeLock Heats Up".

Relative to the false and misleading advertising issue, Mr. Bronson notes that:

"According to Experian's lawsuit, at least one Lifelock ad claims that the company's services make it virtually impossible for identity thieves to strike, but that fraud alerts are only effective against those particular types of fraud that require accessing a credit report. In other words, says Experian, Lifelock cannot protect against such forms of identity theft as an undocumented worker using someone's Social Security number to obtain a job; or against unauthorized use of a credit card."

It is interesting to see a credit bureau that relentlessly advertises its own credit monitoring services as a way to help deter identity theft (who hasn't seen the FreeCreditReport.com ads on TV?) make the case for the inherent limitations of this approach.

Mr. Bronson goes on to point out the ambiguities with LifeLock's famous $1 million guarantee:

"Lifelock does offer a $1 million guarantee that if a customer's identity is compromised, Lifelock will help restore the customer's credit standing and pay the cost of doing so. However, Lifelock's web site states that the guarantee comes into effect when a customer's identity is compromised "due to a failure or defect in our Service", a phrase that seems open to more than one interpretation. (If the service offers protection against only certain types of identity theft, does the guarantee only cover those specific types?)"

This is the first instance where I've seen someone dig into the specifics of this guarantee. The "service defect" provision certainly gives LifeLock a get-out-of-jail-free card. And given that it is the financial institutions that provide most of the protection against financial fraud, how valuable really is a $1 million guarantee, other than as a marketing gimmick? I guess we'll all find out as this lawsuit unfolds.


Tuesday, February 26, 2008

Putting LifeLock to the Test


by Doug Pollack

Right on the heels of the lawsuit filed by Experian against LifeLock, the self-proclaimed leader in identity theft protection, which asserts that LifeLock uses deceptive advertising and misleading claims to market its service, as well as illegal means of setting fraud alerts on behalf of its customers, a CBS news report by Jim Benemann has now put LifeLock to the test, along with two other companies, Debix and TrustedID, that rely on credit bureau fraud alerts or freezes to protect their customers.

Based on this test, these products do not prevent identity theft in the way LifeLock's advertising might lead you to believe. So on to the test. The first thing he did was have three of his colleagues, Tom, Jillian, and Kristine, each sign up for one of the three services. Then...

"With their permission, CBS4's Jim Benemann took all of Tom, Jillian and Kristine's personal information including their social security numbers and dates of birth. Using that information, Benemann applied for the same major credit card in each of their names. The only little thing he changed was the address. Benemann asked for those credit cards to be mailed to his home address. Essentially, he stole Kristine's, Tom's and Jillian's identities.

The three testers weren't worried. They all figured they would get that phone call telling them that someone was applying for credit in their name and they would put a stop to it immediately. Tom waited, Jillian waited and Kristine waited close to their phones. They waited 24 hours, then 48 hours and then a week. Not one of them got a phone call from any creditor even though they had paid companies for credit protection."

It is worth noting that an individual can place a fraud alert for free, just by contacting a credit bureau; an initial alert expires after 90 days and must be renewed, while an extended alert, which requires an identity theft report, lasts seven years. Unfortunately, services like these make the fraud alert seem like a "silver bullet" for preventing identity theft. As this test shows, nothing could be further from the truth. The reporter goes on to note:

"And remember Kristine who signed up with LifeLock? A little more than a week after Benemann applied for a credit card in her name, that card arrived, mailed to him, at his home address. And that had Kristine all the more interested in finding out about LifeLock's $1 million guarantee...Here is what LifeLock had to say:

'The credit card companies have a contract with the credit bureaus that say they must honor fraud alerts. The fact that they chose not to is proof that the fraud alerts are not bulletproof. The good news is that this is where the LifeLock $1 million guarantee is most effective. LifeLock is not a credit monitoring service but a protection service in the event a fraud alert proves to be ineffective.' "

Having said that, LifeLock didn't clarify how they then provide "protection" for the victim of ID theft. In the past, LifeLock had outsourced victim recovery services to other companies. It would be instructive to know what they do for their victims today.

Thursday, February 21, 2008

Experian vs. LifeLock Lawsuit

by Doug Pollack

The Red Tape Chronicles yesterday reported on a recently filed lawsuit by Experian, a major US credit bureau, against LifeLock. This lawsuit represents the first "shot across the bow" for vendors of credit services that rely on placing continuous fraud alerts on consumer accounts with the credit bureaus.

About.com's identity theft site defines a fraud alert as a "flag that is put on your credit report through the consumer reporting agencies. This flag establishes that as part of any credit approval process, you need to be notified."

LifeLock's consumer service, which it touts as providing guaranteed protection against identity theft, relies solely on setting fraud alerts to provide the stated protection. The Experian lawsuit brings into question the efficacy of fraud alerts as a means to prevent identity theft.

The Red Tape Chronicles article highlights that a key assertion of the lawsuit is that LifeLock is using deceptive advertising practices and making misleading claims in order to persuade consumers to subscribe to their service. The article notes that the "credit bureau Experian is suing the identity theft prevention firm LifeLock, accusing it of deception and fraud in its familiar advertising campaign, which includes a spot in which CEO Todd Davis reveals his Social Security number and then brags about the effectiveness of the company’s protections. In the lawsuit, filed in U.S. District Court on Feb. 13, Experian contends that LifeLock's advertising is misleading and that the firm is breaking federal law in the way it goes about protecting consumers."

The Experian lawsuit also brings into question the legality associated with firms placing fraud alerts on behalf of consumers. The Red Tape Chronicles article notes that "Experian contends that LifeLock's chief ID theft prevention tool -- the placing of continuous fraud alerts on consumers' credit files – is illegal because, under the Fair Credit Reporting Act, fraud alerts can only be requested by the individual consumer or an individual acting on behalf of the consumer."

ID Safeguards provides corporations and consumers with identity theft services. Among these are services that assist victims of identity theft with recovering their identities, taking a "fully managed" approach to recovery. Coincidentally, the company has handled identity theft recovery efforts for numerous LifeLock members who became victims of identity theft despite the fraud alerts placed by LifeLock.

The fact that LifeLock members do fall victim to identity theft should not be surprising. A fraud alert only asks lenders to verify your identity before opening new credit; it does not prevent an identity thief from co-opting and using one of your existing credit cards. It also doesn't prevent someone from using your Social Security number to work, or stop thieves from signing up for utilities or telecommunications services using your identity, or stop someone from using your personal information to get access to health care services.

Fraud alerts also don't prevent inquiries for credit from showing up on a victim's credit report. These "little dings" can have a detrimental effect on a person's credit score. Fraud alerts do have their place in dealing with a threat to your financial identity, but they are not a silver bullet and certainly are not a guarantee that individuals won't fall victim to identity theft.

Monday, February 11, 2008

The Indirect Costs of a Data Breach


by Doug Pollack

A recently published article in E-Commerce Times on the costs of corporate data breaches, titled "The Cost of ID Theft, Part 2: Fixing the System" and written by Andrew Burger, highlights the staggering economic impact of the increasing number of data breaches at America's corporations.

The article notes a statistic from the Ponemon Institute that pegs the average cost of a data breach at $197 per record compromised.

"The stakes are already quite high when it comes to data loss: According to Gartner and the Ponemon Institute, the loss of a single record -- not financial fraud -- is around (US)$197. If you take the extremely conservative estimate from the same research that said that in 2007, 127 million records were lost, you get around $25 billion in direct losses noted Uriel Maimon, senior researcher for security firm RSA."

Ponemon further explores these costs, finding that around two-thirds of the cost of the data breach is associated with the loss of customers or reduction of corporate reputation.

"The cost of lost business is likely to be larger and more significant than actual cash losses and expenses related to remediation, however. The average customer churn for businesses surveyed that had suffered a breach was 2.67 percent, noted Kevin Bocek, director of product marketing for encryption firm PGP."

With this in mind, companies should plan as part of their data breach response plans to explicitly focus on elements of their response that will engender customer goodwill. While this may seem difficult to achieve in such circumstances, every opportunity to reach out and touch your customers creates an opportunity to increase retention and brand loyalty.





Friday, January 25, 2008

Are You Well Protected?


by Doug Pollack

As we look forward to what is in store for us in 2008, the Identity Theft Resource Center is projecting an increase in both the number of security breaches and incidents of identity theft.

With this as a backdrop, we've developed a set of recommendations for people to protect themselves. Part of our ID Self-Defense Academy, a component of our subscription services member website, this Self-Defense Checklist includes both common-sense suggestions that you are likely to be familiar with and others that are new this year, given the evolving use of the internet and computers in identity theft.

Some of the items you may not have thought about include using a "wipe" utility on your computer hard drive to make sure all of your information is permanently erased before disposing of the computer (simply deleting files leaves the data recoverable), and checking the annual earnings statement that you receive from the Social Security Administration for any discrepancies in earnings or work history.
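The "wipe" step deserves a closer look, because deleting a file only removes its directory entry and leaves the bytes sitting on the disk. The Python below is an added example written for this post, not a tool ID Experts ships: it overwrites a file in place (a pass of random data, then a pass of zeros, with fsync after each) before unlinking it, and demo() runs it on a constructed sample statement to show that the sensitive string is gone. The caveat a practitioner would add: overwriting in place only helps where the filesystem writes the new bytes over the old blocks. Journaling and copy-on-write filesystems, SSD wear levelling and backups can all keep old copies, so before disposing of a computer wipe the whole drive (or use full-disk encryption and destroy the key) rather than individual files.

```python
"""Added example: in-place file wipe (random pass, zero pass, unlink).
Not ID Experts code; the sample 'statement' below is constructed for the demo."""
import os
import tempfile


def _overwrite_pass(fd: int, size: int, fill, chunk: int) -> None:
    """Write `size` bytes produced by fill(n) over the file, handling short writes,
    then fsync so the overwrite reaches the device and not just the page cache."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        buf = memoryview(fill(min(chunk, remaining)))
        while buf:
            written = os.write(fd, buf)
            buf = buf[written:]
            remaining -= written
    os.fsync(fd)


def scrub_file(path: str, random_passes: int = 1, chunk: int = 1 << 20) -> int:
    """Overwrite the file's bytes in place: random data, then a final pass of zeros.
    The file keeps its name and size; returns the number of bytes overwritten.
    Caveat: only effective where the filesystem overwrites blocks in place."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)  # no O_TRUNC: truncating would just free the blocks
    try:
        for _ in range(random_passes):
            _overwrite_pass(fd, size, os.urandom, chunk)
        _overwrite_pass(fd, size, lambda n: bytes(n), chunk)  # bytes(n) is n zero bytes
    finally:
        os.close(fd)
    return size


def wipe_file(path: str, random_passes: int = 1) -> int:
    """scrub_file() followed by unlink, so neither the bytes nor the name remain."""
    size = scrub_file(path, random_passes)
    os.unlink(path)
    return size


def demo() -> dict:
    """Constructed sample: a 'statement' containing an SSN-looking string.
    Scrub it, read it back to confirm the string is gone, then wipe it."""
    secret = b"SSN: 123-45-6789"  # constructed sample data, not a real number
    fd, path = tempfile.mkstemp(prefix="statement-", suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(b"Account statement 2008\n" + secret + b"\n" * 5000)
    original_size = os.path.getsize(path)
    scrub_file(path)
    with open(path, "rb") as f:
        after = f.read()
    secret_gone = secret not in after
    all_zero = after == bytes(original_size)
    wipe_file(path)
    return {"size": original_size, "secret_gone": secret_gone,
            "all_zero": all_zero, "file_exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```

For a drive you are about to dispose of, the same idea applies to the block device as a whole rather than to files: overwrite every sector, then verify by reading it back, and treat any drive that cannot be overwritten (a failed or SSD-remapped one) as a candidate for physical destruction.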

The complete checklist follows.

Self-defense Checklist

Protect Yourself At Home

  • Switch to a mailbox with a lock.
  • When you're away from home, place a hold on your mail (online at www.usps.com or with a Hold Mail form at the post office).
  • Use a cross-cut shredder to shred documents containing financial or other personal information.
  • Secure important documents in a safety deposit box or a fire-proof safe hidden at home.
  • Stop newspaper delivery and garbage service if you're leaving town.
  • Set up lights on timers to make your home look occupied when you're away.
  • Have a neighbor you trust keep an eye on your home, and leave a number where you can be reached.
  • Immediately notify the post office and anyone you do business with if you change your address.
  • Place outgoing mail in a post office mail slot or hand it to a postal worker instead of leaving it at your home mailbox for pick-up.
  • Review your credit card, bank account, and cell phone statements regularly to make sure there are no unauthorized charges.


Protect Your Computer and Internet Access

  • Protect your computer with a password.
  • Never provide personal information in response to an unsolicited e-mail.
  • Avoid viruses and other scams by frequently updating your browser and e-mail software.
  • Use and regularly update your firewall and anti-virus/anti-spyware software.
  • Change your passwords often, and use letter and number combinations that are difficult to guess.
  • Never have your computer remember your password.
  • Don't respond to instant messaging from unfamiliar users, and avoid instant message offers.
  • To ensure the authenticity of e-mail requests for personal information, type the company's Web site URL directly into your browser instead of clicking on a link in the e-mail. (The real destination of the link may be different than the URL that you see.)
  • Don't ever send personal or financial information via e-mail.
  • Don't open e-mail attachments or download files from strangers.
  • Before doing business with any company, ask for and verify its name, street address, and phone number.
  • Choose an Internet Service Provider and browser that use filtering software to limit spam in your e-mail inbox.
  • Never respond to email asking for your help in getting money out of a foreign country.
  • Encrypt your wireless network as soon as you set it up (use WPA2; the older WEP scheme is easily broken).
  • When using Ebay, Craigslist, or other sites linking buyers and sellers, use PayPal for transactions. Don't ever wire money via wire service, and don't accept cashier checks or money orders, as these can be forged.
  • Review your credit card, bank account, and cell phone statements regularly to make sure there are no unauthorized charges.
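The warning in the "type the URL yourself" item, that a link's real destination may differ from the address you see, can be checked mechanically. The Python below is an added example, not part of the ID Experts checklist or its member website: it parses the HTML of an e-mail and, for every link whose visible text looks like a web address, compares the host shown in that text with the host in the href. The sample message is constructed for the demo; example-bank.com, evil.test and 203.0.113.7 (an address reserved for documentation) are placeholders, not real sites.

```python
"""Added example: flag e-mail links whose visible text shows one host while the
href points at another. Not ID Experts code; the sample message is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _host(address: str) -> str:
    """Hostname of a URL or a bare 'www.example.com/path' string, lower-cased,
    with a leading 'www.' dropped so www.example.com and example.com compare equal."""
    a = address.strip()
    if "://" not in a:
        a = "http://" + a  # urlsplit only finds the host when a scheme is present
    host = (urlsplit(a).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _looks_like_address(text: str) -> bool:
    """Visible text that a reader would take for a web address."""
    t = text.strip().lower()
    return "://" in t or t.startswith("www.")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list:
    """Return one dict per link with its text, its href and a verdict.
    'MISMATCH' means the text shows one host and the href goes to another; the
    comparison is deliberately strict, so a different subdomain also counts."""
    collector = _LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        if not _looks_like_address(text):
            verdict = "text is not an address"  # e.g. "Click here": nothing to compare
        elif _host(text) == _host(href):
            verdict = "ok"
        else:
            verdict = "MISMATCH"
        results.append({"text": text, "href": href, "verdict": verdict})
    return results


# Constructed sample e-mail body for the demo (placeholder domains, not real sites).
SAMPLE_EMAIL = """<p>Dear customer, please verify your account within 24 hours:</p>
<a href="http://www.example-bank.com.evil.test/verify">https://www.example-bank.com/verify</a><br>
<a href="https://www.example-bank.com/help">www.example-bank.com/help</a><br>
<a href="http://203.0.113.7/update">Click here</a>"""


if __name__ == "__main__":
    for r in check_links(SAMPLE_EMAIL):
        print(f"{r['verdict']:24} text={r['text']!r} href={r['href']!r}")
```

Links whose text is not an address ("Click here") cannot be checked this way at all, which is exactly why the checklist says to type the company's address yourself rather than trust anything in the message.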


Protect Yourself On the Road

  • Carry only the credit cards and checks you absolutely need when traveling.
  • Keep identification and credit cards in a secure wallet or purse on your person (and out of pickpockets' reach) where you can keep an eye on them.
  • Make photocopies of the fronts and backs of your credit cards, driver's license, and passport and store the copies someplace other than your wallet in case of theft.
  • Program the toll-free numbers for your credit card companies into your mobile phone in case of theft.
  • Never leave valuables, phones, receipts, or other papers containing financial or personal information in your car, even if it is locked (and always lock it).
  • Keep receipts in a safe place until you can cross-shred or safely store them at home.
  • Always keep your mobile phone in a secure place on your person to avoid losing it. Activate the lock feature when it's not in use so that it can't be used and any stored information can't be accessed if it is stolen.
  • If you must discuss personal or financial information over the phone, do so in your hotel room or another private place where you won't be overheard.
  • Avoid downloading attachments from your e-mail account onto a computer other than your own. Erase your browsing history and discard any personal files in the computer's trash or recycling bin, then empty it before logging off.
  • Never enter or access personal information from a public-access computer or one in a hotel business center, as these can be fitted with hard-to-see key loggers that record your information.
  • Be sure to eject any personal CDs, DVDs, or jump drives at the end of a session on a computer that isn't your own.
  • Especially after you travel and deal with merchants you don't know, review your credit card, bank account, and cell phone statements regularly to make sure there are no unauthorized charges.

Tuesday, January 8, 2008

Data Breaches Reach Record Levels in 2007

by Doug Pollack

According to a December 30, 2007 AP article written by Mark Jewell, the trend in data breaches continues on the upswing. He reported that:

"The loss or theft of personal data such as credit card and Social Security numbers soared to unprecedented levels in 2007, and the trend isn't expected to turn around anytime soon as hackers stay a step ahead of security and laptops disappear with sensitive information."

This of course is bad news for consumers, who also experienced meteoric rates of identity theft in 2007. It has been estimated that over 9MM US citizens fell victim to identity theft in 2007. If you're counting, that averages out to roughly one every three and a half seconds. And the growing adoption of new technologies such as wireless internet and wireless devices by businesses and consumers provides new ways for technically savvy criminals to circumvent data security measures.

"With wireless data transmission more common, hackers increasingly are expected to target what many experts see as a major vulnerability. Eavesdroppers appear to be learning how to bypass security safeguards faster than ever, said Jay Tumas, the head of Harvard University's network operations, at a recent conference for information security professionals."

Research groups estimate that between 50MM and 80MM records of personal information were breached during 2007. These breaches were caused both by hackers whose intent is to steal and exploit this personal data and by unintentional human error, such as the loss or misplacement of a laptop computer with sensitive personal data residing on its hard drive.

Predictions by industry groups suggest that the number of reported breaches will continue to rise, given the growing number of laws requiring organizations that experience a data breach to disclose it and notify affected individuals.