According to EMC’s November 2012 fraud report, online holiday shopping is projected to account for 24% of the year’s total  e-commerce sales which is good news for retailers and unfortunately, it can also be good news for online con artists.  If 2012 is anything like 2011, retailers will need to increase their data protection and security measures in order to avoid illegal online activity.  Of the 1.4 billion dollars spent in online sales during 2011’s holiday shopping season (November 1 to December 31), $82 million of those dollars were identified as fraudulent, resulting in a 219% increase from 2010.  Cyber Monday alone accounted for $2.5 million of online fraud.

Most web-based fraud activity is due to stolen credit cards and since identity theft is at an all time high, online merchants of all sizes need to implement fraud protection procedures and be proactive in watching for signs of unscrupulous activity.  Early detection is the key to stopping con artists who like to prey on new, inexperienced online businesses.  However, if they discover a merchant has implemented active data security procedures, fraudsters generally won’t waste their time and will most likely move on to their next victim.  The best way for businesses to protect themselves from fraud is to be diligent in watching out for signs of suspicious activity.  These include bulk orders for items that are not usually bought in bulk, orders for multiple high end items, international orders and several orders placed by the same person within a short time.  Con artists try to make as many purchases as possible before a fraud alert is sent to the real owner so they tend to order as much merchandise as they can.

Although it’s impossible to erase online credit card fraud, here are several strategies to reduce it:

1. Use an Address Verification Service (AVS) to make sure the billing address entered online matches the cardholder’s billing information. Institute a policy that merchandise will not ship unless the addresses match.
2. Always ask for the Card Verification Number (CVN) on all credit card orders. The number must be read from the actual card so more than likely the person has the card in his possession. Although it’s not a guarantee that he is its rightful owner, this step provides a small measure of protection.
3. Send a confirmation email or letter to customers when you send an item telling them their order has shipped and when they can expect it to appear on their bill. This can help flag any illegal activity and enable the customer to report credit fraud to the proper authorities before the perpetrator has a chance to do any further credit damage. It will also help businesses to reduce complaints and chargebacks from people who sometimes simply forget they placed an order.

Retailers should keep in mind that once an order has been sent, it is very difficult to regain any loss so prevention is the number one way to combat online fraud.

We’re all familiar with well-known causes of data security breaches and identity fraud; phishing, malware attacks, and lack of cyber security protection are some of the most popular.  A lesser-known but just as lethal culprit in the world of data breaches is surprisingly, a person’s typing skills due to the fact that a simple typo can lead to typo-squatting also known as URL hijacking.

Typo-squatters count on accidental misspellings and typing errors of web addresses in a web browser’s address bar to get people to their page which can often be unscrupulous hacker sites designed to extract a person’s private information.  Typo-squatters buy up domains that are similar to popular domain addresses to lie in wait for web surfers to make typing mistakes which is now even more widespread with the popularity of touch screen devices.  For example, instead of typing dot-com, you mistakenly type dot-org and are transferred to an authentication or login page that asks you to input your account information and password before proceeding.  These pages are actually typo-squatted pages that were created to not only steal your information but they can also make you vulnerable to a computer virus or identity theft.  The most dangerous scenario is when a person uses the same user name and password for every website since a hacker then can access financial information such as banking and credit cards accounts using the stolen log-in information.  

Typo-squatters can also cause a business data breach by creating doppelganger domains for large companies that use subdomains for their various worldwide offices.  Business emails are intercepted when a user mistypes a recipient’s e-mail address.  Using a doppelganger domain, a hacker configures an email server to intercept any correspondence addressed to a person with that name.  Extra large companies with many subdomains are at the biggest risk since they have more employees with more email addresses which means more chances for typos.

A key way to practice data breach protection in preventing typo-squatting is to use a search engine to find a website instead of directly typing in the web address especially if you are searching for a financial institution.  All the big search engines will have companies’ legitimate web addresses as well as data protection and security software to scan for malware and prevent hacking.  Common sense is also another powerful tool to prevent a breach of data; if a site doesn’t look right, it probably isn’t so exit quickly and try again through a search engine.

As Superstorm Sandy demonstrated to the East Coast during the last week of National Cyber Security Awareness Month; life happens so do you know where your data is?

Data breach protection is of such national critical importance, the effects of Sandy prompted Homeland Security chief Janet Napolitano to emphasize the need for more national cyber security protection at an event in Washington.  During her speech, Napolitano spoke about how Sandy’s devastation left many financial institutions vulnerable to business data breaches due to lack of electricity and other utilities.  She also highlighted the exorbitant costs of a data breach which total billions of dollars annually and are generally paid for by consumers and companies.  From Washington to Wall Street, Superstorm Sandy was a forceful reminder the best thing businesses can do to mitigate natural disasters is to have a data protection and security plan in place to not only protect their business data but to ensure that their disaster recovery time is brief, enabling their business to return to functioning as quickly as possible.

In developing an IT disaster recovery plan, companies need to first address the potential threats to hardware and data caused by natural disasters. Earthquakes can destroy physical infrastructures and floods can prevent offices from being accessed for days until the water subsides, creating a need for long term business data breach protection.  And hurricanes such as Sandy create both problems, potentially destroying hardware and software.  Therefore, the most effective way a business can protect itself from a breach of data in the event of a natural disaster is to implement a strategy that combines data protection solutions with a disaster recovery plan.

Since IT systems are comprised of hardware, software, data and connectivity, without one component, business recovery will be halted.  An IT recovery plan needs to address how to deal with the loss of each of these parts.  First, every recovery strategy needs to create an inventory list of hardware, software applications and data.  Then there must be a plan as to how to replicate and reimage hardware if the hardware is destroyed.  Next, copies of software programs need to be accessible for re-installation with multiple copies kept in more than one place.  The final piece of a data recovery plan is to reclaim the actual data so it is crucial that all business data is constantly backed up and protected using data protection solutions that are reliable and accessible.  Companies then should periodically test their recovery plan to make sure that it works.

Recovering from a disaster is not all about technology; a company’s disaster recovery strategy needs resources such as people, processes and a plan.  However, if a company is well prepared and their recovery plan is well-executed, their disaster recovery time will be less and hopefully, less painful.

How important is cyber security? October is National Cyber Security Awareness Month for the ninth consecutive year and each year, the designation seems to become more important.

So important that a top U.S. cyber warrior is recommending that his cyber command division be elevated into a top-level military unit under the Department of Defense. The Cyber Command, created two years ago, is currently under the U.S. Strategic  Command, which is responsible for U.S. nuclear and space operations.

Rear Admiral Samuel Cox, the cyber command’s top intelligence officer, believes his unit needs more power to combat the growing number of cyber threats facing the nation, according to Reuters. Many of those threats come from foreign hackers who are trying to pierce the Pentagon’s computer networks to obtain highly-classified information.

But cyber attacks aren’t just a threat to the military. Look at the numerous banks that experienced online outages due to cyber attacks in the past few weeks. And what about the flurry of data breaches reported this year by healthcare organizations?

The fact is that no organization – large or small – is immune from cyber attacks, hackers or simply the loss of a portable device containing the personal identifying information of consumers. Every organization and – every individual for that matter – needs to take cyber security seriously. And what better time to check on your security measures than during National Cyber Security Awareness Month. So here’s a checklist to help you keep your data safe.

•  Install the most up-to-date firewall, anti-spam and anti-virus software.
• Establish policies for handling sensitive data, mobile devices and computers. Educate everyone from C-suite executives to employees to contractors and vendors.
• Upload patches to fix any problems with your software programs.
• Use passwords on laptops, computers and mobile devices. Educate employees and contractors on the importance of using long, strong passwords.
• Encrypt laptops and mobile devices. Also encrypt sensitive files.
• Back up sensitive files and properly dispose of files you no longer need. Store backup data in a separate location – ideally off-site – from your main servers. To dispose of sensitive data, you should physically destroy the hard drive that contains the data. Otherwise, someone may be able to retrieve that data if the computer is sold or donated.

Health care fraud and abuse has been in the national spotlight for years. But now that the Affordable Care Act is coming into play, it’s taking center stage.

The Affordable Care Act gives officials tough tools to crack down on groups and individuals who try to defraud Medicare, Medicaid and other types of insurance plans. These tools include technology that’s being used to spot fraud and suspicious activity before any claims are paid.

The law is also creating partnerships between government agencies and private organizations that are working together to fight fraud and health care abuse. One of the more visible examples of this increased collaboration is the Health Care Fraud Prevention and Enforcement Action Team or “HEAT,” which is a joint effort between the U.S. Department of Health and Human Services and the Department of Justice. 

So where do you fit into this battle against health care fraud? What defense counsel advice could you give your clients in this era of increased enforcement?

Join us at the Fraud & Compliance Forum to find out. Experian will be one of the exhibitors at the conference, which will be held Sept. 30-0ct. 2, in Baltimore, MD. The forum is sponsored by the American Health Lawyers Association (AHLA) and the Health Care Compliance Association (HCCA).  It will feature speakers from the Inspector General’s Office, Department of Justice and Centers for Medicare and Medicaid Services, along with private practitioners.

In addition to discussing increased enforcement, there will also be sessions on some of the following topics:

• 50 Shades of Gray: Strategies for hospital-physician alignment in the light of recent developments
• CIAs: What enhanced Corporate Integrity Obligations tell us about OIG expectations for compliance programs
• Compliance, criminal and civil liability for overpayments
• Strategies for a medical necessity case
• Exit strategies for voluntary disclosures

For more information, call HCCA at 888-580-8373 or visit http://www.healthlawyers.org/Events/Programs/2012/Pages/FC12.aspx

Medical identity theft is no longer some obscure phrase spoken primarily in data security circles. It’s quickly becoming a household term for millions of Americans who’ve become a victim or know someone victimized by identity theft.

In fact, 90% of the respondents in a recent study knew the definition of medical identity theft this year, compared with 77% last year, according to the Ponemon Institute.

Awareness of the crime, along with its number of victims, is obviously rising. But interestingly, a majority of victims are either not sure what to do or don’t do anything about having their medical identities stolen. What about your organization? Does it know what to do?

Here are three things you should never do if your organization experiences a data breach that puts patients or consumers at risk of identity theft:

• Ignore the incident thinking no one will find out
• Take one year or longer to notify potential victims. Or even worse, don’t notify them at all if you’re not required to do so by law.
• Don’t offer any compensation or services to help potential victims

So what should you do? Here’s what people expect when their medical records are lost or stolen.

1)      Reimbursement for the cost of finding another provider. If you’re a doctor, this may seem worse than it actually is, as most victims take no action. But if they do leave, reimbursing them is an act of goodwill that can only benefit your organization in the long run.

2)      To be notified of the loss or theft within 30 days. It may behoove you to be honest and forthright. Some organizations maintained the loyalty of their patients by issuing a press release and developing a website dedicated to the breach.

3)      To be provided with free identity protection for one year.

The best remedy for identity theft is to avoid it altogether by taking precautions to protect data and train your staff on security measures. But if you do experience a breach that leads to identity theft, the best thing you can do is help your victims. It’s not only the right thing to do, it’s also the best way to protect your brand and reputation.

Phishing attacks, despite their long history, continue to be one of the greatest threats to data security. More than 200,000 new viruses are discovered every day, according to malware experts, and they’re usually out of circulation by the time they’re detected.

So how does an organization protect data from vicious phishing and spear-phishing attacks?

Here’s a comprehensive data loss protection plan:

1) Protect your organization’s computers. Shop for the newest software that provides spam filters, firewalls, anti-virus, anti-spyware and reputation services. Look for data protection programs that offer automatic updates and free patches from manufacturers to fix problems.

2) Consider hiring a vendor that specializes in software data security. Data security firms can go beyond traditional data protection programs and conduct audits to determine your risk for phishing and data breach. They can isolate emails that have been quarantined and scan outbound emails to see if any data has been extracted outside of your organization. As experts, they can also provide technical support with the latest email data security technology. Be careful, however, not to overlap your own software with that provided by the vendor or you may be spending too much.

3) Educate your computer users. Data security software is far from full proof so perhaps the most important cyber security strategy is to keep educating your users. Remind them:

• To be suspicious of emails with generic salutations, typos or those that try to create a sense of urgency.
•  Not to open attachments they aren’t expecting. If the attachment looks legitimate, ask your users to call the person to verify that they really did send it.
• To be wary of email links. Instead of clicking on the link, users may want to visit the website manually by typing the address into their browser. They can also check a link by hovering their mouse over it to see where it came from.

Like Blanche Dubois in A Streetcar Named Desire, we’d all like to think that we can depend upon the kindness of strangers.  Unfortunately, Symantec recently reminded us (in case there was any doubt) that strangers are bound to let you down.

In its Smartphone Honey Stick Project, Symantec intentionally “lost” 50 smartphones, all programmed with fake corporate and personal information.  The phones included a tracking device so Symantec could monitor what happened once the devices were found.  The purpose of the test was to assess the human threats to a lost smartphone’s data and the connected corporate systems.  Specifically, Symatec set out to assess the following circumstances: 

● Likelihood of a finder attempting to access data on the smartphone
● Likelihood of a finder attempting to access corporate applications and data
● Likelihood of a finder attempting to access personal applications and data
● Likelihood of attempted access to particular types of apps
● Amount of time before a lost smartphone is moved or accessed
● Likelihood of a finder attempting to return a device to its owner
 
On every count, the results were a disappointment to anyone hoping for better from their fellow mankind.  Bottom line: if you lose your business-connected mobile device, there’s more than an 80% chance that an attempt will be made to breach corporate data and/or networks.  A total of 83% of the devices showed attempts to access corporate-related apps or data, and attempts to access a corporate email client occurred on 45% of the devices.  A file titled “HR Salaries” was accessed on 53% of the phones and another titled “HR Cases” was accessed on 40% of the devices.

The study underscored yet again that businesses must impress upon employees the importance of adhering to strict security guidelines regarding their mobile devices.  What does that look like?  Here are five key reminders:
   
1. Require that employees use password protection on all electronic devices especially if they use it to access work related files and email.
2. Implement software that allows you to use remote wiping so a device can be killed if its lost or untraceable.
3. Invest in employee training and education about data breaches and the impact it has not only on the business but also on the employees themselves since most people also program their personal information into business devices.
4. Account for every device that has access to your company’s networks and take inventory often so nothing slips through the cracks or gets lost.
5. Use business security software for all your electronic devices and implement a security management program. When a device is lost or stolen, have a recovery system in place so employees know what to do immediately in order to prevent any lost of data.

Organizations are adopting social media tools within their networks at increasing rates, yet the legal and compliance risks are often not fully understood or addressed.  A recent Forrester report noted that more than half of security decision-makers and influencers at enterprises reported that they were “concerned” or “very concerned” about the inability to meet regulatory obligations using social media platforms. 

According to the report, critical reliance on third parties for information collection and capture, rapidly rising social media content volume and fast-changing applications, and the difficulty of ensuring authentication all make it difficult for security professionals to keep up with the legal and regulatory compliance associated with social media.

The report suggested that security pros should look to financial services for guidance on social media risks, keeping in mind that retention obligations clearly apply to social media, retention obligations also apply to both corporate- and employee-owned mobile devices, and firms should monitor and provide ongoing training to employees.

Above all, critical steps that security professionals must take in order to respond to the risks that social media poses include the following:

1.  Build effective policies governing social media usage in your enterprise.
Your social media policy should cover what your organization will and will not do online, what your employees can and cannot do, and what members of the public can and cannot do on your social media sites.

2.  Determine how tools that control social media fit into broader information governance.
Look before you leap when it comes to adopting tools that help enforce social media controls and make sure they’ll integrate with your company’s existing systems.

3.  Incorporate flexibility and continuous monitoring in social media.
Social media is constantly innovating end evolving – your organization will need to do so as well.

Don’t expect medical breaches and healthcare fraud to drop off the radar anytime soon. Here’s why.

First, the number of breaches in the industry is still escalating. In 2011, healthcare breaches occurred 32% more frequently than in 2010.¹

Second, the profitably of medical records on the black market is high – 192% more profitable than Social Security numbers. Estimates put the former at $50 and the latter at $1, according to a GovTech.com article.

It’s this frequency and profitability that, in part, help to ensure the continuation of data loss and fraud. The sooner the industry accepts and prepares for incidents, the better.

Healthcare organizations still have a lot to do in that regard. Forty-three percent rank their ability to counter internal and external data security threats as “needs improvement,” “poor” or “failing.”² And their actions – or lack thereof – can adversely affect patients. Medical identity theft can cost a consumer $20,663 to resolve.³

 So what exactly is compromising data security at healthcare organizations? In a recent study, most organizations (54%) agreed that a lack of budgetary resources dedicated to security and privacy is the greatest weakness in preventing a breach.⁴ The study also named the top three causes of data breaches as:

• Lost or stolen computing devices
• Third-party errors
• Unintentional employee actions⁵

Looking at the list, it’s clear that budgeting for security and privacy needs to encompass protecting mobile and other computing devices, training employees and verifying that third party partners uphold a high level of security as well.

Without a well-rounded approach to data security, organizations make themselves even more vulnerable at a time when vulnerability is a given. Organizations big and small can’t do without computers, third parties and employees – or at least two of the three. So the risk of a breach and resulting fraud can never be completely eradicated. Human error alone is impossible to eliminate.

But risks can be managed with a comprehensive plan that addresses a full spectrum of weaknesses and threats. A plan that includes access controls and encryption for sensitive data as well as a response guide to handling a data breach if one occurs.

[footnotes]

1. Second Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute (2011)
2. Healthcare Information Security Today (2011)
3. Second Annual National Study on Medical Identity Theft, Ponemon Institute (2011)
4. Second Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute (2011)
5. Second Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute (2011)