Choosing The Right Data Breach Response Services for Consumer Remediation

Transcription

1 Choosing The Right Data Breach Response Services for Consumer Remediation Authored by Brian Lapidus, Managing Director, InfoSec Practice Leader Kroll When a data breach exposes personal information to potential compromise, what type of damage control should be offered to impacted consumers? Most organizations let regulatory pressure, victim demographics and the likelihood of a lawsuit drive their remediation decisions, but this short-sighted approach fails to address other factors that may seem less volatile but are vital in order to realize the actual risk of harm to the affected population. For example, what if your organization experiences a data breach event where thousands of medical insurance identification numbers are exposed? In this instance, impacted individuals are at risk of insurance fraud and medical ID theft, both forms of harm that credit monitoring, fraud alerts, credit freezes and other common remediation offerings likely won t address. The following whitepaper examines the gaps between remedy and risk experienced in the data breach response industry today and argues for a shift toward a risk-based approach to consumer remediation that addresses the actual risk of harm to affected individuals. When is Credit Monitoring a Problem? Over the last decade, credit monitoring has become the de facto breach response offering among those organizations offering consumer safeguards in 2012, only 33 percent of breached organizations provided credit monitoring as a remediation service, the rest offered advice on how to place a fraud alert or credit freeze. 1 However, public expectation and outcry has increasingly demanded this offering regardless of what was lost, or how. But the notion that credit monitoring is a panacea for all data breaches is misguided. In fact, when you couple the myriad types of sensitive information [see sidebar] with the multitude of ways an identity can be stolen and used fraudulently, there are many instances where credit monitoring will not be helpful to a breach victim at all. After all, how effective can credit monitoring be at detecting signs of medical identity theft? Criminal impersonation? Phishing or spam fraud? Employment fraud? Tax fraud? Public embarrassment? Shifting Tide of Public Opinion Lawmakers and the general public are beginning to raise questions about the thoroughness of post-breach remediation offerings. The California Office of Privacy Protection advises organizations, If you are considering offering notice recipients credit monitoring or another identity theft assistance service as a mitigation, make sure it is relevant to the situation. In recent guidance published by the Illinois attorney general, organizations are advised to prepare for a security breach by conducting a risk analysis to determine when to offer credit monitoring and when to contract for an alternative form of monitoring. It further advises, despite the fact Personal, Private, Protected the types of sensitive information about individuals that exist in various digital and physical settings where data is gathered, used, shared or stored is staggering. These pieces are important enough to be considered when a data breach exposes them in critical combinations. Consider what any two or more types of data reveal about the individual and how they may be used to impersonate or defraud the victim: Name, Social Security number, address, date of birth, marital status, gender, race, ethnicity, national origin, grade point average, drivers license number, personal income, bank account and routing numbers, credit or debit card number, financial account numbers, usernames, passwords, governmentissued identification numbers, insurance numbers, warrants for arrest, personal medical data (e.g., record numbers, sensitive diagnosis and treatment information). 1 Statistical sampling of publicly reported breaches in 2012, performed by Kroll, of 60 publicly reported small-to-midsized breaches that impacted between 1,000 10,000 individuals each, for a total sampling of 228,000 individuals TM

2 that consumers have come to expect some offer of free credit monitoring, that organizations should explore their options because credit monitoring may not be appropriate in all breach situations. 2 Three recent breach cases also illustrate a narrowing gap between consumer remediation expectations and needs: In 2011, Citigroup was criticized by affected consumers for merely providing advice in their response to a breach and not offering credit monitoring. 3 But the PII that was exposed (i.e., names, contact information, and Citi account numbers) was not likely to lead to new account fraud, the type most likely to be identified by monitoring credit reporting activity. What is more, privacy experts suggested that given the PII exposed in the Citigroup event, victims would be more vulnerable to social engineering schemes or other types of fraud. Despite these circumstances, there was public outcry for a form of credit monitoring. That same year, Sony received criticism because its offer of credit monitoring was deemed an insufficient response to protect those consumers who were affected. 4 Sony s breach included extra data elements in addition to name, address and payment card number, dates of birth and account passwords were also exposed. Consumer advocates recognized this type of exposure posed a greater risk to victims; however, attention became focused on other options for protecting financial data such as paying for credit freezes for affected individuals. Freezes can be a good option for existing identity theft victims. Still, it places a burden on the individual to un-freeze their credit when they need to use it, and completely ignores the risks of non-credit related fraud. The issue culminated in the 2012 cyberattack on the South Carolina Department of Revenue. This massive breach of taxpayer data 3.8 million Social Security numbers along with 3.3 million bank account numbers represented a high risk to those affected. In the days following the event, many reported they had already experienced identity theft. 5 The state quickly provided credit monitoring services. But the firestorm of criticism that began when the breach was made public pushed the state to look into offering other forms of identity protection, such as monitoring for personal information on the internet or checking personal information against public records. 6 The weakness of offering credit monitoring alone became apparent, as numerous articles chronicling the event mentioned the rise in self-reported identity theft incidents following the breach. One state senator noted the longevity of effects, citing the breach as a lifetime issue for anyone whose information was stolen. 7 Of course, none of this means that credit monitoring is useless on the contrary, it is a valuable tool for consumers when it aligns with the type of data exposed. Individuals can use credit monitoring to keep watch on their credit reports and spot unfamiliar or suspicious credit-related activity that may be an indicator of identity theft. Instead, these cases demonstrate the broad misunderstanding about what constitutes an effective response and raise important questions about the need to match remedy to individual risk based on the unique circumstances of a breach and the characteristics of the affected population What constitutes PII under state breach notification laws? Most states define PII as an individual s name, in combination with one or more of the following data elements: Social Security number, driver s license number or other state identification number, and/ or a bank account number, credit or debit card number, with any required access code or PIN number. Some states include medical or health insurance information in the definition. Some states make distinctions regarding the format of the data (electronic or hard copy) while others cover encrypted information if the encryption key is also compromised. At a federal level, organizations that meet the criteria of a covered entity under HIPAA must notify if they experience a breach of PHI. States are increasingly looking to expand the definition of what constitutes PII or PHI for breach notification purposes. For instance, California is currently considering a bill that would expand the classification of triggering data to include password, user name or security question and answer for a non-financial account. These elements would, however, be in combination with first name or initial and last name (and must be unencrypted) to trigger notification requirements.

3 The Case for a Risk-Based Approach to Consumer Remediation Organizations today are overlooking an opportunity to positively impact consumer risk mitigation. Delivering remedies and support that empower people to protect their own information following a data loss event is often the intent, but the path is not always clear. There are factors related to any breach that will play a key role in determining the level of risk for the affected population. A hack event may pose a higher level of risk than a misplaced thumb drive, and most organizations consider such factors in designing a remedy. And while the presence of Protected Health Information (PHI) or Personal Identifying Information (PII) is recognized as a trigger for state breach notification, the type of PHI or PII exposed should be regarded as well. It can have direct correlation to potential risks that the consumer may experience because of the data breach. Getting it right: using PHI/PII intelligence to match consumer remedies with their risks of exposure According to the Consumer Federation of America s (CFA s) website, the claims for identity theft services are sometimes exaggerated or misleading, and may not be easy to tell from their websites and advertising exactly how they work, how much they cost, or what protection assistance they really offer. 8 Organizations looking to offer their breached population some type of remedy are faced with the same array of remediation services and the same problem of interpreting what exactly is the best combination of services for all parties involved. Because they draw from a number of sources, such as public records, or even websites known to be sources of illegally obtained PII (criminal websites or the dark web, as it is sometimes called), non-credit monitoring products are valuable for identifying triggers that can indicate identity theft has occurred or may be imminent. For instance, a service that monitors for payday loans (i.e., short term loans provided without a credit check) associated with an individual s SSN or other identifiers is one example of the services consumers can utilize to keep track of how their information is being used. Consider the risks present in these scenarios, and how solutions can be crafted to provide real safeguards: Scenario 1: A laptop theft exposes names, addresses and credit card numbers of store customers, putting them at risk for current financial account takeover. Purchases made using existing credit cards aren t reported to the bureaus, so there s no real time activity for credit monitoring to detect on a credit report. Organizations in this situation would be better served by choosing a program that keeps an eye on internet activity by monitoring identity trading websites, chat rooms, forums and networks across the globe for personal information. Scenario 2: Employee addresses and passwords are exposed by a hack on a system no longer in active use. Those two compromised elements open the door to the risk of authentication takeover, one form of true identity theft. Criminals can use someone s personal information to achieve a variety of other goals such as obtaining medical services, getting a job, filing taxes or even amassing a criminal record. This breached audience needs help from experts with professional-level investigative tools and experiencebased intuition to search non-credit sources for signs of identity fraud, including: federal and state criminal data, state department of motor vehicles records, Social Security documentation for fraudulent address or status entries, and public records for indicators like liens and bankruptcies. Scenario 3: Straight from mid-2013 headlines: The theft of four computers compromises the names, addresses, dates of birth, Social Security Numbers, and some scattered medical record details of four million patients potentially the second-largest loss of unsecured health information since mandatory notification became required in This is no time for credit monitoring alone. Enhance this offering by also providing a way to keep track of one s mailing address while searching for additional addresses associated with that person (often an early indicator of identity theft activity), or to look for the individual s personal information linked with short-term, pay day, or similar cash-advance loans. Fundamentally, monitoring of both credit and non-credit sources is valuable but it is limited to detecting potential fraud; it does nothing to assist the individual who has already become a victim. For this reason, providing some type of hands-on assistance from experts in identity theft restoration affords an outlet for those affected. 8

4 This type of assistance bridges the gap between monitoring for the possibility of identity theft and restoring the identity of an individual who has become a victim. It provides a safety net in cases where the risk of social engineering is especially high and provides a high level of assistance when non-traditional information is lost, such as personal medical data, which may not even be traceable by a monitoring tool. While it is up to the organization to decide the value of such products, Kroll offers the following guidance to explain the products typically available and how they can be leveraged to monitor certain types of PII or PHI. Taking a Risk-Based Approach to Breach Remediation Begins with the Type of PHI/PII Exposed New Account Financial Fraud Current Financial Account Takeover Insurance (Financial and Medical) Fraud Tax, Government Document, and Employment Related Fraud Criminal Identity Theft Utility and/or Payday Loan Fraud Medical Fraud and Medical Identity Theft Breached Data Fraud Risk Recommended Remediation Services Type of PHI/PII exposed: Specific identity theft and fraud risk associated with exposed PHI/PII: Advisory Services/ Identity Recovery Internet Monitoring Public Records Monitoring Specialty Reporting Agency Monitoring Credit and Credit Monitoring Services Primary Identifiers SSN + Name, Address or DOB Credit Card #s Banking and Financial Account #s Secondary Identifiers Insurance #s Medical ID #s and related PHI Driver s License #s User Account Log in Information (including ) Figure 1. Fraud Risk Analysis, Kroll. Categorizes types of data exposed, associated risk and suggested remediation to be considered by the breached organization on behalf of affected individuals.

5 Conclusion In a data breach, context is everything. As Figure 1 shows, different types of PII in relation to one another pose different levels of risk to the consumer. But that must be weighed alongside other factors such as how the breach actually occurred, or size, location, and demographics of the affected population. This context gives nuanced meaning to the loss of PII/PHI, and leads to a greater understanding of the true level of risk. In short, organizations that take an informed, risk-based approach to consumer remediation will address the actual risk of harm to affected populations, thereby reducing the financial and legal implications of a data breach and preserving and protecting the trust of their key stakeholders. For more insight from our team of professionals, be sure to visit Kroll s blog A Dialogue on Data Security. TM For more information, call or visit us online Certain Altegrity companies provide investigative services. State licensing information can be found at These materials have been prepared for general information purposes only and do not constitute legal or other professional advice. Always consult with your own professional and legal advisors concerning your individual situation and any specific questions you may have Kroll, Inc. All rights reserved. Item #THT