WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR




Protecting Identities. Enhancing Reputations. IDT911

DATA BREACHES AND SUBSEQUENT IDENTITY THEFT AND FRAUD THREATEN YOUR ORGANIZATION AND ITS EMPLOYEES.

Data is more at risk today than ever before. A recent Consumer Reports study estimated that in 2013 alone, 4.5 million smartphones were lost or stolen and never recovered [1]. The same survey found that fewer than half of respondents protected their phone with a PIN or passcode. Only 8 percent had installed software that could erase the phone's contents should it go missing. A full 34 percent took no security measures at all.

Things aren't much better on the corporate side. A study conducted by Ponemon Institute and Intel found that 46 percent of lost laptops held confidential data. Encryption was present on only 30 percent of those devices. Those numbers really hit home when considering that the average cost of a lost laptop was determined to be more than $49,000, with 80 percent of that figure being attributed to data breach costs [2].

One of the most challenging aspects of a data breach is that lost or stolen information may not ever be made whole again. Even if it's successfully recovered, from a backup file or through manual efforts, the very nature of this sensitive data makes its exposure an event from which full recovery often is impossible. Once an individual's Social Security number has been exposed or a company's intellectual property taken, for example, the genie is out of the bottle.

As a result, it's difficult to place a true value on the data stored on laptops, smartphones, and other devices. Employees' personal information, company financial data, stored login credentials, saved passwords, medical data, customer information, and other intellectual property are at risk of exposure from these devices every day. As companies have become more mobile and adopted new technologies and ways of doing business (think: BYOD), the risk to employee and company data has increased exponentially.

Organizations of every size, in every sector, and in every area of the country are potential targets for a breach. Exposed data can be used for identity theft and financial fraud, or sold on the black market almost as quickly as it's acquired.

For businesses, the damage inflicted by a data breach is the gift that keeps on giving. Breach response costs build up on top of regulatory fines and penalties, while lawsuits are also often added to the pile. Once the reputational damage sets in, as consumers lose trust in the organization and potential customers are put off by the company's presumed lack of security, the financial losses can sometimes threaten the organization's very viability, and the organization's brand equity can be damaged for years to come.

[1] Smart Phone Thefts Rose to 3.1 Million Last Year, May 29, 2014, http://www.consumerreports.org/cro/news/2014/04/smart-phone-thefts-rose-to-3-1-million-last-year/index.htm
[2] The Cost of a Lost Laptop, Ponemon Institute, April 22, 2009

EMPLOYEE BENEFITS PROVIDERS AND BROKERS CAN PROTECT THEIR EMPLOYEES, ENHANCE BENEFITS PORTFOLIOS AND BUILD TRUST WITH IDENTITY MANAGEMENT SERVICES.

Even those businesses that aren't breached can be impacted. If one or more employees are affected by an exposure outside the workplace, productivity is still likely to drop as a result. Studies have shown that individuals spend an average of eight to 24 hours trying to resolve their identity theft or fraud alone, oftentimes during business hours [3].

In a world overloaded with data and devices, how can employee benefits brokers and providers stay ahead of the trends as medical identity theft, tax fraud, and criminal identity theft-related situations continue to plague employees? How can organizations best protect themselves and their employees in the event of a breach? And how can brokers continue to increase their trusted partnership with organizations and increase their benefits portfolios with identity management services?

KNOW THE RISKS

Privacy risks abound in today's environment, unfortunately. Not only are organizations and individuals connected to the online realm like never before (smartphones and tablets are quickly being joined by Apple Watches and FitBits), but the amount of data transiting across those connections also is growing dramatically. In addition, the information being generated by all these devices is being stored in enormous volumes. Data storage costs have gone down and the availability of big data number-crunching technologies has gone up.

That confluence of factors translates into massive amounts of sensitive information residing within highly connected networks and devices. Add in the very clear danger presented by hackers and cyber thieves, and it's a recipe for a damaging exposure.

A brief recap of several recent breaches handily illustrates the risks. Some of these network intrusions have been nothing short of mammoth in scale. In the retail sector, Target experienced a breach that potentially impacted up to 70 million consumers. That was closely followed by a similar incident at Home Depot that exposed the data of around 56 million consumers.

But stores sporting point-of-sale systems that collect payment card information aren't alone in the data breach landscape. Hackers gained entry to the systems at health insurance giant Anthem, resulting in the exposure of 80 million current and former members' records. A short time later, 11 million records were breached at another insurer, Premera Blue Cross. But where Anthem's attack didn't include patients' claims data and clinical information, the Premera incident did.

[3] 2015 Identity Fraud: Protecting Vulnerable Populations, Javelin Strategy & Research

EMPLOYEE RELATIONSHIP MANAGEMENT

UNDERSTANDING BREACH CAUSES, FROM CYBER CRIME AND EMPLOYEE ERROR TO MORE TRADITIONAL METHODS SUCH AS LOST OR STOLEN DEVICES, IS CRITICAL TO MINIMIZING RISK.

These breaches, though they're in different industries and involved different types of data, highlight the enormous danger faced by companies as well as employees. Organizations in every sector handle data that is valuable to thieves. In some cases that's financial data, which may include credit and debit card numbers in addition to bank account numbers or financial institution routing numbers and even retirement savings plan and healthcare reimbursement plan account numbers.

In other instances, the information sought by hackers may be more personal in nature. Social Security numbers are routinely stored not only by employers, but also by companies that extend credit or run background checks, such as furniture stores, car dealers, apartment complexes, and others.

Even if a corporate entity isn't hacked, individuals have shown they're surprisingly adept at compromising their personal data all on their own. A stolen credit card often ranks as a simple annoyance (call the card issuer, get it cancelled), but a lost mobile device could be a real disaster. Stuffed full of stored login credentials, prescription refill numbers, and financial account information, even the lowly smartphone could open a person up to identity theft if it falls into the wrong hands or isn't properly protected against unauthorized access.

More traditional risks still exist, as well. A home break-in, where thieves are able to abscond with bank statements and other highly sensitive documents, can be a calamity.

MINIMIZE THE RISKS

Fortunately, there are steps organizations can take to help avoid a breach as well as strategies they can leverage to assist their employees in safeguarding personal information. The approach isn't complex. In fact, it's straightforward and affordable.

Know your data. It's nearly impossible to secure information unless you know where it comes from, where it's stored, and who has access to it. A simple audit of your company's data assets can provide your team with the knowledge necessary to mitigate many existing breach risks. Remember that sensitive information may be in digital or hard copy format, so be sure to thoroughly review all online and offline data storage locations.

Limit the amount of data gathered and stored. Your company can significantly improve its security posture by eliminating unnecessary data. If you don't have it, hackers can't attack it. Retain only the information required for business operations and securely remove or destroy the rest. Regularly cull obsolete data to minimize privacy risks.

ORGANIZATIONS CAN MINIMIZE RISK BY CONDUCTING AN AUDIT OF THEIR DATA ASSETS, ELIMINATING UNNECESSARY DATA, AND IDENTIFYING WHICH DATA SETS NEED THE MOST PROTECTION.

Deploy the right protection for each type of information. With your data audit in hand, determine which data sets are the most sensitive. Those should be given the highest level of protection, while less expensive measures can be used to safeguard lower-value information.

Employees can also take steps to protect themselves from identity theft and fraud. Encourage them to establish strong passwords for their mobile devices as well as their online accounts, and remind them to use unique passwords for each site and system. In addition, employees should be checking their credit reports regularly. This enables them to quickly spot potential fraud or suspicious activities.

KNOW HOW TO REACT IN THE EVENT OF A BREACH

If a breach does occur, there are actions organizations can take to minimize the damage.

Identify and stop the leak. Powering down network equipment or entire systems may be a tempting option, but that can sometimes make it difficult to conduct a thorough and effective investigation later. Instead, the business should work to find the security weakness and remove access to the compromised areas. That may mean taking a server or an entire system offline.

Determine the scope of the breach. Have instances of malware or other threats expanded from the primary system into other areas of the network? Was only a subset of records exposed? What kind of information was exposed? Employee information, customer records? Your team needs to confirm where the intrusion occurred and how far it extended.

Notify the affected parties. Whether it was employee files or consumer data that was exposed, your organization must alert the victims to the situation. Provide as much detail as you can but present only the facts you know. Work with your organization's breach response consultants and the involved law enforcement agencies to ensure the information provided to victims doesn't compromise any active investigation.

Develop and deploy a strategy to address the original vulnerability. Before your company can return to normal operations, it's imperative that the security issue behind the breach be completely resolved and the integrity of the network confirmed.

VOLUNTARY BENEFITS PACKAGES THAT INCLUDE IDENTITY MANAGEMENT SERVICES CAN INCREASE BROKER PARTNERSHIPS, STRENGTHEN TRUST WITH EMPLOYEES AND ENHANCE REVENUE POTENTIAL.

HELP IS AVAILABLE

Organizations have support services available if they experience or suspect a data breach or system intrusion. Experienced forensic investigators can review the situation and work with your company to identify vulnerabilities and deploy measures designed to return your network to a secure state. Specialists are also available to assist in notifying parties who may be affected by the exposure and help your organization navigate compliance issues that may need to be resolved with the various regulatory agencies.

In the event an employee suspects their personal data has been compromised, your organization can also provide them with the tools and resources necessary to address the situation. Identity management services are available to help investigate fraudulent activity and resolve cases of identity theft. Specialists can work with affected employees to secure credit files; restore tampered financial, medical, or other records to their original states; and work with law enforcement agencies to determine what happened and where concerns may still remain.

INCREASE REVENUE

Offering voluntary benefits packages that include identity management services is an excellent way to increase broker partnerships and revenue potential. Data breaches are a primary concern among organizations today and individuals are increasingly worried about the safety of their personal information. Because it's an issue on the minds of many, and because both businesses and consumers are aware of the financial harm, emotional toll, and reputational damage an exposure may inflict, being able to offer meaningful support is good for brokers, employers, and employees alike.

By providing your clients with resources that include identity theft and fraud experts, you're differentiating your services as a trusted advisor and a business partner. You're also enabling your clients in their pursuit of a better security posture and reduced risk of breach.

As an employer, including identity management services in the suite of employee benefits available to workers shows that you understand the challenges they face in their personal lives. When employees know they aren't alone in the event their data is compromised, it not only allows them to get their lives back to normal more quickly, it also reduces the likelihood that their productivity will impact the organization as they work to resolve the situation.