I haven’t read the new Javelin Strategy & Research report because it’s pricey, but their press release on it contains some of its key findings. Of note:
… nearly 1 in 4 data breach letter recipients became a victim of identity fraud, with breaches involving Social Security numbers to be the most damaging.
If 1 in 4 become fraud victims, isn’t that even more reason to prohibit entities from writing things like, “We believe the risk is very low…” or “We believe that the laptop was stolen for the hardware, not the data” or “We are sending you this letter in an abundance of caution?” Instead, I think entities should be required to include a statement such as:
“Last year, over 12 million consumers became victims of ID fraud, and for those who had been notified of a breach involving their information, 1 in every 4 became a victim of ID fraud. We urge you to take this notification letter seriously to protect yourself.”
The finding that 1 in 4 become victims of ID fraud also raises the question, “When do they become victims of ID fraud – before they even receive the letter or after they receive it?” If the former, then even though companies are responding more quickly than in past years, what can we do to promote faster detection of breaches and/or even quicker notification? And if it’s the case that the 1 in 4 are becoming victims of ID fraud after they receive notification letters, then the letters aren’t effective in getting enough people to take steps to protect themselves. Javelin’s statement says:
almost 1 in 4 consumers that received a data breach letter became a victim of identity fraud, which is the highest rate since 2010. This underscores the need for consumers to take all notifications seriously. Not all breaches are created equal. The study found consumers who had their Social Security number compromised in a data breach were 5 times more likely to be a fraud victim than an average consumer.
I don’t know if the Javelin report has information on the timing of the fraud relative to the notification letters, but saying consumers need to take notifications seriously suggests that they had an opportunity or warning that could have prevented fraud and they didn’t act on it. Do we actually know that? I’ve e-mailed Javelin to ask if they have data on that point and will update this entry if I get a response.
Some of Javelin’s findings are consistent with the Risk Based Security/Open Security Foundation Quickview report, previously mentioned on this blog, while some of it isn’t:
While credit card numbers remain the most popular item revealed in a data breach, in reality other information can be more useful to fraudsters. Personal information such as online banking login, user name and password were compromised in 10 percent of incidents and 16 percent of incidents included Social Security numbers.
While our data on SSN were comparable at 14.4%, credit card numbers were exposed in only 6.4% of the 2,644 breaches we analyzed, whereas username and password were compromised in approximately half of all the incidents we compiled. In any event, I certainly agree that consumers need to take notification letters seriously.
I think one of the reasons the breached companies won’t commit to a more conclusive or exact phrase that is based on fact is that it will send an impression that they too have become a statistic. It adds more of a negative flavor – or an acceptance of their fate. People will skim over and read only part of the long-winded information, and see the amount of others affected and see the overwhelming numbers associated with the issue, and take a knee-jerk reaction and may immediately lose trust in the business or entity.
In my opinion it’s not the speed in which breaches need to be reported. I think there should be mandatory requirements associated with each breach. There needs to be clear, well defined checkpoints that can be identified on how severe a breach is, and then an appropriate outline of action is presented in order. It has to be on a national level. A simple, well secured and current site.
Individual people do not need to be notified immediately. I think the credit card processors, banks and other higher level entities need to be on their toes and take immediate action. It’s everyone’s individual responsibility to look over their account information from time to time to discover any illegal transactions or potential ID fraud.
Letting the cat out of the bag too early can cause the criminals to pull out early – or yet – they will refine the way they do their illegal activities to become quicker and less noticeable. I imagine that the big fish grab the data and may only participate in illegal transactions in a very small amount of opportunities. They probably will sell the information quickly, to as many outlets as possible so the trail back to them is more difficult to follow than how a spider web is created.
The Feds rely on greed and catching people in the act. That’s great for the people on the list who have not become a victim yet, but it doesn’t do much for others that have already been affected.
The system is broken. The current way is too easy to use. This way of doing business and protecting critical information was OK when the internet was just sprouting and the world and the trust in everyday action was a lot higher than it is now. WHY are we still doing the same ole same ole? It’s playing right into the crooks’ hands, and though those crooks have a higher than 50% chance of getting caught – which may take years – the victims may never recover.
There isn’t much creativity out there. Businesses and organizations that don’t need SSN or an overabundance of PII shouldn’t have it. Why have this stuff facing the internet at all? Companies and organizations know that the punishment will be easy, and will continue to spread PII as they wish on any device or manner they see fit. It’s the easy way, and they will claim they did not know better when the Feds start asking questions.
I think it starts with the consumer. They will hand over anything to get their way. They want it now or they will go somewhere else and get it. That’s a potential loss of a sale for an entity. So the companies have to loosen up a bit in order to gain / keep a customer base.
With the technology out there, it’s an easy fix. BUT since the CC companies are making truckloads of cash with this broken process, they are going to milk it to death until they are in the red, and then they will change it. Some of the newer credit card technology out there is impressive – but initially expensive and many will not currently consider using it.
The crooks know there are plenty of fish in the sea. They have an overabundance of ways to gather PII because the system is broken. Companies, banks, organizations and government are not willing to work together, let alone on the same page or pace. If you’re going to take the time to write a law, make it count. Screw the compassion in the wording. It’s law – follow it or get out of business. Require a probationary period of YEARS to any entity with the severe loss of PII.
The Feds can create a database of breaches with people who were in place at the time of the breach because those who were on the inside are responsible for some of this. Some may simply pull up their roots and go practice their ill-formed methods on other businesses and have the same issue all over again. They need to be held accountable.
Class action suits need to happen more often and become successful. Instead of approaching it from a “harm” strategy, they need to attack it as a preventative nature. A single year of credit monitoring is crap.
Anyone willing to say “it’s only a matter of time before we get breached” is accepting failure. Failure to meet customer expectations, failure in their abilities, failure in technology and creativity. Accepting the fact that you will be breached means that you are willing – expecting to be defeated. If I were a CEO and heard that – I would immediately fire one and all and restock in fresh ideas and technology.
The fact that the loss of an SSN can enable so much fraud surely must strike some that the barrier to fraud must be very low indeed? The SSN horse left the barn a long time ago, and fretting about the loss of the SSN is a distraction from the real problem that allows banks and the financial servicers to continue to do business like they do (and pass the costs on to us all as higher rates). In the 21st century, we should not continue to accept the status quo where the 9 digit SSN = “keys to the kingdom”.
I read all about notifying people faster, punishing organizations for being hacked, but nowhere do we demand that the targets of the hacksters, the banks and credit card companies that the breached data is then used against, move away from SSNs (for new accounts) and boost the security threshold to more secure levels.
But we don’t because it is cheaper, for organizations at least, to point to a $50 limit on consumers and to write off loss and to pass on to the real people who get hurt the cost of fixing that fraud than it is to prevent that fraud from occurring.
Has anyone done a study to see what the savings would be if the SSN were simply no longer the key that it is today?