Tuesday, March 30, 2010

Longer Term Effects of ID Theft

The story below may be a great example of how identity theft can occur at any time from some unlikely sources. A person takes out a student loan and gives their personal information out. An incident like this happens and they get the obligatory "credit monitoring" service. Yet several years later they find that they have been victimized in a dozen non-credit types of crimes. They find that mysteriously their medical insurance policy is waivered due to multiple false claims made. They discover that dozens of small retail accounts have been opened, purchases were made, and never paid. Now they are being hounded by credit recovery agencies or attorneys trying to collect on bad debt. During a routine traffic stop they find warrants have been issued because their ID was used with police after multiple traffic violations. They are arrested. Credit monitoring alone cannot help those victims. Everyone needs to be aware of the outcome of millions of ID theft cases each year that are not directly related to the credit bureaus or banks and credit cards. These far-reaching effects are much more serious and very complex issues to deal with. An ID theft victim needs the help of professionals who will advocate for them, and even represent them in righting corrupt personal file entries throughout the system.

Personal Information of 3.3 Million Stolen
A student loan firm is providing credit monitoring and protection services to some 3.3 million people affected by a data breach, the Washington Post reports. A spokesman for Educational Credit Management (ECMC), a nonprofit student loan guaranty agency headquartered in Minnesota, said portable media containing personally identifiable information was stolen in an "old-fashioned theft" from company headquarters. The stolen information included names, addresses, birth dates and Social Security numbers, but no banking information, an ECMC press release said.

Wednesday, March 10, 2010

Office Awareness Training

When I speak with business owners about the dangers of data breaches within the office, I often have to point out the issue of copy machines. Copiers can record thousands of documents on the internal hard drive. As mentioned in the article below, it is very simple to capture the contents of the drive on a laptop in just a couple of minutes. This also applies to the copy machines in office supply businesses and copy shops. As most private businesses lease their copiers, it is incumbent on the rental company to erase hard drives before removing the machine from the client's office. They need to be reformatted to ensure the data is erased.

"When you protect the information on others you are protecting them, when someone else does it they are protecting you."

Copy Machines Pose Privacy Risks
Boston's WBZ-TV reports on a privacy threat looming in homes and offices: copy machines. Security expert John Juntunen demonstrated how easily accessible a copy machine's stored data can be, connecting his laptop to a copier and downloading a child support document and one woman's IRA application containing her address, Social Security number and date of birth. Another hard drive produced contact information for Caroline Kennedy. Though companies are supposed to wipe used hard drives clean before selling a machine, that isn't always executed, the report states. "I think it's an issue that's going to have major ramifications," says security expert Sean O'Leary.

Tuesday, March 9, 2010

Lifelock Settles with the FTC

For all of those who have purchased a Lifelock product without reading the contract here ya go.

Federal Trade Commission Chairman Jon Leibowitz and Illinois Attorney General Lisa Madigan announced a settlement today that requires LifeLock, Inc., to pay a total of $12 million to settle charges that its claims of providing comprehensive identity theft protection were false. According to the FTC, LifeLock did offer some protection against specific types of ID theft, but the company's practice had no effect on the most common form: the misuse of existing credit card and bank accounts. "While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it," Leibowitz said.

I have many clients who had a Lifelock plan until I explained to them what they are not getting in the bargain. Please read the fine print before you buy!

Friday, March 5, 2010

What, Medical Identity Theft?

A little over three years ago I was speaking with a good friend and author on identity theft. He had predicted that medical identity theft would soon be the new frontier of identity theft. He had been soundly rejected by the press and some so-called experts. They put down his theory as soundly as if he had purported that the world was flat after all. In fact John Gardner was exactly right. Read the article below to see just how pervasive medical identity theft and fraud has become.

A new survey from the Ponemon Institute shows that nearly six percent of American adults have been victims of medical identity theft, with an average cost per victim of $20,160. The cost comes from the efforts victims face to sort out what happened with concerned parties such as doctors, hospitals, insurance companies and credit agencies, the San Francisco Chronicle reports. "The National Study on Medical Identity Theft" is based on findings from 156,000 people who agreed to discuss the general topic of identity theft, with 5.8 percent confirming they had been the targets of medical ID theft. Based on those statistics, the study estimates that 1.42 million adults in the U.S. may have experienced the theft of their medical identification information.

Tuesday, March 2, 2010

The Cost of Data Theft

The Price to Fix Data Theft: $7 Million and Counting
The theft of 57 unencrypted hard drives from BlueCross-BlueShield of Tennessee has given thieves access to personal data on upwards of 500,000 customers and is costing millions to fix, PCWorld reports. The drives contained recordings of more than one million customer support calls as well as 300,000 screen shots, which in some cases included names, birthdates and Social Security numbers. BlueCross is now auditing its security practices, the report states. The process of investigating the breach and notifying customers has cost more than $7 million so far. According to Michael Spinney of the Ponemon Institute, while the average data breach costs $6.75 million, the company could be paying much more due to the complexity of the breach.

FTC to Appeal Red Flags Exemption for Attorney Firms

FTC Set to Appeal the Red Flags Rule Exemption for Attorneys and Law Firms

On February 25, 2010, the Federal Trade Commission filed a notice that it is appealing the D.C. District Court’s December 28, 2009 judgment in favor of the American Bar Association in American Bar Association v. FTC. The District Court’s summary judgment held that the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule” or the “Rule”) does not apply to attorneys or law firms. The Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act. In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program. The program must be designed to detect, prevent and mitigate the risk of identity theft. Prior to the district court’s decision, the FTC had taken the position in publications and numerous panels that attorneys and law firms meet the Rule’s definition of “creditor” because they allow clients to pay for legal services after the services are rendered.

View the FTC's notice of appeal, filed last week, stating its intention to appeal the court's judgment:
http://www.huntonprivacyblog.com/uploads/file/ABA_v__FTC_Notice_of_Appeal.pdf

Wednesday, February 24, 2010

Iowa Victims Fear Identity Theft

Thousands of Iowa residents fear they could become victims of identity theft after the state's Racing and Gaming Commission licensing database was hacked during routine Internet maintenance last month, the Des Moines Register reports. The FBI is investigating the breach of the database, which includes the names, addresses, dates of birth and Social Security numbers of 80,000 current and former casino and racetrack employees. Experts say those whose information was compromised have every reason to be concerned. Citing examples of financial and medical identity fraud, California-based attorney Mari Frank said, "the sky is the limit as to what could happen...

Can anyone think of a reason to NOT have identity theft protection and restoration services when this sort of thing can and does happen almost daily? There is only one such service that provides complete restoration for all types of identity theft issues. The one I am proud to represent.

Tuesday, February 9, 2010

Top Five Mistakes of Privacy Training Programs

I won't prattle on about the breach of 50,000 Californians' SSNs along with their names and addresses inadvertently sent out last week by the Cal Dept of Health. The envelopes actually had the SSNs printed on the envelopes sent to some 50,000 recipients of health care aid. Anyone who can't reach out to their own comprehensive identity theft restoration service and avoid identity theft and the fallout from records entries should be ashamed.

Instead I will report the following...
Good intentions aside, many companies are missing the opportunity to effectively train employees on data protection. "Many corporations have adopted a check-box approach toward compliance" with the obligations set out in various data protection regulations, says Jay Cline, CIPP, in a Computerworld article. Cline says common mistakes that companies make include separating rather than melding privacy, security and records management and ethics training; using too few communications channels; and failing to measure training effectiveness. "Employee training is probably the most important component of an information risk management process," he writes. "Yet few companies actually measure..."


Tuesday, January 26, 2010

Mortgage Broker Fined

I recently had a conversation with a mortgage broker who was not aware of how important security is to client transactions, other than a vague awareness of the risk of identity theft. There are numerous business sectors that simply do not understand their responsibilities and liability when it comes to protecting their clients' personal information. Chief among them are mortgage and legal professionals.

A mortgage broker charged with improperly disposing of consumers' personal financial records has paid a $35,000 settlement to the Federal Trade Commission (FTC). Gregory Navone, of Las Vegas, disposed of about 40 boxes of sensitive consumer records in a public dumpster, according to the December 2008 FTC complaint. The records included tax returns, mortgage applications, bank statements, photocopies of credit cards and drivers' licenses and at least 230 credit reports. The settlement also requires Navone to employ an information security program for sensitive consumer information, and to hire an independent, third-party security professional to conduct compliance audits annually for the next 10 years.

Thursday, January 21, 2010

What is Identity Theft?

With all of the articles about breaches, including the ones I have posted, sometimes it is important to get back to basics about identity theft itself. Below is an excerpt from a PC World article published yesterday which outlines the definition of identity theft as it has evolved.

• "Identity theft happens when your personal information is accessed by someone else without your explicit permission."
• "Identity fraud occurs when criminals take that illegally obtained personal information and misuse it for their financial gain, by making fraudulent purchases or withdrawals, creating false accounts, or attempting to obtain services such as employment or healthcare. Personally identifying information such as your Social Security number, bank or credit card account numbers, passwords, telephone calling card number, birth date, name, address and so on can be used by criminals to profit at your expense."
• "Almost 10 million Americans learned they were victims of identity fraud in 2008, up from 8.1 million victims in 2007."

"Identity theft also falls into this category [of financial fraud]; cases classified under this heading tend to be those where the perpetrator possesses the complainant's true name identification (in the form of a Social Security card, driver's license, or birth certificate), but there has not been a credit or debit card fraud committed."


Tuesday, January 19, 2010

"Just Another Data Breach"

Data breaches have become so ubiquitous that more often than not they go unnoticed, and often unreported.
I wonder how any victims of identity theft resulting from those breaches feel? While it is reported here that the number of breaches is on a decline, the number of breached records is increasing and the number of ID theft victims holds steady. It's all in the numbers.

ITWire.com reports that the number of data breaches reported to the media has declined significantly over the past 18 months. The article cites an Open Security Foundation blog post that says the number of breaches reported in global media has dropped from about 1,000 per month between 2005 and 2008, to about 500 per month. The blog speculates that boredom in the press may be a cause. "Just another data breach" isn't news anymore, the report states.

Friday, January 15, 2010

Malice Outpaces Error as Breach Cause

In its annual report on data breaches, the Identity Theft Resource Center (ITRC) says that 2009 marks the first time that malicious attacks have moved beyond human error as the leading cause of data breach, Dark Reading reports. According to the ITRC's "2009 Data Breach Report," hackers and insider theft accounted for 36.4 percent of breaches, human error 27.5 percent. The ITRC also found that compromised paper documents were involved in 26 percent of data breaches. In the 2009 report, the ITRC says that while the number of officially reported data breaches fell in 2009, it cannot determine if the overall breach rate is falling because of the number of unreported breaches.

Thursday, January 7, 2010

An Armed Society

Ever hear of the phrase "An armed society is a polite society"? It does take things a bit far, but the principle is right on the money. I've said time and again that if you can successfully remove the value from the data then you can actually reverse the trend in data theft and misuse. It shouldn't be the sole responsibility of the "data keepers" to protect it from lurking thieves. Just as in terrorism or any crime of attack, the good guys have to be right 100% of the time, where the attacker only has to be right once. Not exactly great odds.

When you look at the practical percentages of theft surrounding your personal data, you can see that the odds of your data being stolen and used are lower than is widely perceived. Currently there are roughly 10 million domestic identity theft victims each year according to FTC and Ponemon Institute estimates. A little over 60% of those cases are the result of data theft from a public or private entity. But that doesn't mean that it is any less devastating. The problem is that when you entrust the data keeper to report the loss to you, or to fix a breach weak link, or frankly do anything for you after the fact, you are dreaming. No breached entity will tell you that the breach will likely result in identity theft. They will run damage control instead, meaning that they will downplay that aspect to protect their public image. The problem with that is that time is now on the side of the thieves to sell or use your personal information. A breached entity can take months or in some cases years to notify you of the loss. Sometimes not at all, if the breach doesn't rise to the threshold the states' reporting laws have in place.

In light of that reality, why then can't we all empower ourselves to be our own first line of defense when it comes to our personal data? With the power to act in our hands we are able to react to incidents of breach and identity theft much faster and with greater precision than is possible from the university, government agency, employer, or hospital, etc., that lost it in the first place. A professional agency dedicated to notifying us when our information is misused and reporting that misuse within hours is our best line of personal defense. An agency that can not only report these incidents to you in a timely way but also act as your proxy to correct the errors and false records entries on your behalf when misuse does occur is the most direct way to protect ourselves.

Tangentially, by having such a representative we are lowering the value of the data to the thieves. Illicit data brokers and identity thieves rely on time being on their side to profit from the misuse of your information. They need days or weeks to actually use the data to make purchases or obtain insurance, file false claims, get employment, etc. Draining bank accounts or running up credit purchases, while pretty awful, are largely handled by the banks and credit card companies themselves. A bank generally will help the victim, but only with timely reporting. That means within hours or a day or so at the longest. Beyond a few days a bank's responsibility is much reduced. If you are not aware of the misuse you cannot report it to the bank. An agency that can notify the client within hours of an identity theft episode can shut down the misuse and render that identity information nearly useless almost immediately. The client is isolated from the incident, identified as a victim of identity theft, and the agency then can begin the restoration of the records or credit files affected. They will also look for other misuse within other databases in the event the incident is more widespread than the original incident. This can all take place within hours of the incident. Not a bad timely response to the attack in my opinion.

Wednesday, January 6, 2010

Welcome to the Other Side of New Year's Day

Now that we have successfully transitioned into 2010 with our skin intact I want to once again return to the subject of our PII, those who wish to have their way with it, and the hapless aggregators and keepers with file cabinets and servers chock full of it. To that end I have included links to a couple of things to ponder in these first few days of the year.

Navy's InfoSec Chief Suffers Sixth Breach
The Navy's Chief Information Officer Robert Carey recently received notification of a compromise of his personally identifiable information (PII), reports govinfosecurity.com. For Carey, it was the sixth such notification, and came from the Army--where he hasn't worked in 24 years. Carey used the event to describe his philosophy on data protection and enumerate a seven-point summary of his department's efforts to reduce the risk of a breach within the Department of the Navy. "In today's Information Age, PII must be treated with extreme care because unauthorized access to someone's digital identity can and does cause grave consequences," Carey wrote.

Three Breaches Compromise 30,000 at Penn State
The Pittsburgh Post-Gazette reports that Penn State has begun the process of notifying nearly 30,000 individuals that their personally identifiable information (PII), including Social Security numbers, may have been compromised as a result of three separate malware infections discovered in late December. The school said it has no evidence that the individual or organization behind the malware gained access to the PII, but has decided to notify as a precautionary measure. "We do not have any indication that it was accessed by unauthorized parties. We prefer to err on the side of caution," said spokesperson Annemarie Mountz. The event was the second known breach at Penn State in 2009.

Does it occur to anyone that for as long as we have been entrusting our personal information to others they have been losing it, a lot? One of life's principles is that "Continuing to do the same things while hoping for different results" is a hopeless waste of time. If they continue to lose our personal information, why then do we continue giving it to them without any sort of check and balance? Certainly all of the laws passed have not had any nullifying effect, nor have any of the so-called procedures and software "solutions". This is not a problem that we have to accept as a given that requires a highly technical or overly complex set of controls. This is a very basic condition that we, as the actual owners of the prize, could quite well nip in the bud if we were to take it into our own hands. Think about it. Do we all put our prized silver in a big building or a bunch of buildings and then hire people to guard it, or do we keep our own at home and watch it ourselves?

The examples above are not isolated cases unless you consider the US Navy and Penn State to be marginal. This is big time mainstream stuff.

Oh, Happy New Year!