<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Data Breach Resolution &#187; kbarney</title>
	<atom:link href="http://www.experian.com/blogs/data-breach/author/kbarney/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.experian.com/blogs/data-breach</link>
	<description>Tools to help you navigate privacy, compliance, and security issues that may result in a data breach.</description>
	<lastBuildDate>Thu, 03 Jan 2013 19:44:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>Protecting high-risk information in EHRs</title>
		<link>http://www.experian.com/blogs/data-breach/2012/07/03/protecting-high-risk-information-in-ehrs/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/07/03/protecting-high-risk-information-in-ehrs/#comments</comments>
		<pubDate>Tue, 03 Jul 2012 17:34:58 +0000</pubDate>
		<dc:creator>kbarney</dc:creator>
				<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Medical Data Breach]]></category>
		<category><![CDATA[PHI]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1410</guid>
		<description><![CDATA[Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC). According to one recent study[i], more than 19 million health records have been compromised since August 2009.  As the health care industry moves into the adoption of electronic health records (EHRs), medical breaches have become a more significant concern. These [...]]]></description>
			<content:encoded><![CDATA[
<div>
<div>
<p><em><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/07/medical-records.jpg"><img class="aligncenter size-full wp-image-1415" title="medical-records" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/07/medical-records.jpg" alt="" width="440" height="298" /></a></em></p>
<p><em>Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).</em></p>
<p>According to one recent study<a href="http://www.experian.com/blogs/data-breach/wp-admin/post-new.php#_edn1" class="broken_link" rel="nofollow">[i]</a>, more than 19 million health records have been compromised since August 2009. As the health care industry moves toward the adoption of electronic health records (EHRs), medical breaches have become a more significant concern. These studies strive to establish a business case for health organizations to create strengthened compliance programs that will enhance PHI security and privacy. The programs focus primarily on the financial risk that health organizations face, through examination of the elements that pose a threat. For example, these risks can manifest themselves through the number of varied health care organizations handling PHI, and through human threats, which may come from malicious insiders, outsiders, or even cyber-crime rings. In addition, they may include the dissemination of data through<a title="Medical and mobile: Convenience trumps security" href="http://www.experian.com/blogs/data-breach/2012/05/02/medical-and-mobile-convenience-trumps-security/"> wireless or mobile devices</a>, as well as lost or stolen information.</p>
<p>PHI is valuable to identity thieves because it provides a lucrative outlet in the area of<a title="Annual Study on Medical ID Theft" href="http://www.experian.com/innovation/business-resources/ponemon-third-annual-medical-id-theft-study.jsp"> Medical Identity Theft</a>. The rewards of this crime have surged as it is commonly tied to Financial Identity Theft. The released studies highlight the necessity for organizations in the health care industry to assess the threats to PHI, their consequences, and the organization's vulnerability to them. The proposed areas to be considered include procedures, policy, and the technology threats to the security of PHI. With that said, privacy and security should be viewed as a priority by health care organizations. In order to determine the impact, these organizations need to analyze the relevance of the problem and the impact of the consequences that arise. In doing so, health care organizations will need ample and strong support for security, safeguards and controls, accessibility to resources, accountability from leadership executives and below, strong authentication practices, and knowledge of the flow of PHI within the organization and related entities.</p>
<div class="dropshadowboxes-container " style="width:600px;"><div class="dropshadowboxes-drop-shadow dropshadowboxes-rounded-corners dropshadowboxes-inside-and-outside-shadow dropshadowboxes-lifted-both dropshadowboxes-effect-default" style="border:1px solid #dddddd; height:;background-color:#ffffff">Webinar Download: Healthcare Information Security Today conducted a survey to provide an in-depth assessment of the effectiveness of data protection efforts. <a title="Healthcare Info Security Webinar" href="http://www.experian.com/innovation/business-resources/cyber-insurance-data-breach-response-plan.jsp?WT.srch=ecd_dbres_blog_070312_article">View Now!</a></div></div>
<p>In the health care community, privacy is a fundamental right protected not only by laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), but also a right expected by the patient. As the health industry adopts the use of electronic files, the number of organizations handling Protected Health Information (PHI) increases. An understanding of the risks and their impacts, financial or otherwise, can help organizations that handle PHI strengthen their<a title="Webinar: The State of Healthcare Information Security Today" href="http://www.experian.com/innovation/business-resources/healthcare-info-sec-today-webinar.jsp"> prevention and detection efforts</a> in addition to reducing liability. The breach of PHI creates problems both for the organizations and for the patients whose information they are entrusted to protect.</p>
<div>
<div>
<p><a href="http://www.experian.com/blogs/data-breach/wp-admin/post-new.php#_ednref1" class="broken_link" rel="nofollow">[i]</a> Redspin study, Breach Report 2011/Protected Health Information</p>
</div>
</div>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/07/03/protecting-high-risk-information-in-ehrs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Password management</title>
		<link>http://www.experian.com/blogs/data-breach/2012/06/19/password-management/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/06/19/password-management/#comments</comments>
		<pubDate>Tue, 19 Jun 2012 17:21:47 +0000</pubDate>
		<dc:creator>kbarney</dc:creator>
				<category><![CDATA[Fraud Resolution]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[password security]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1354</guid>
		<description><![CDATA[Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC). The rise of online functionality and connectivity has in turn given rise to online security issues, which create the need for passwords and other defenses against information theft.  Most people today have multiple online accounts and accompanying passwords to protect [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/06/Password-Management.jpg"><img class="aligncenter size-full wp-image-1357" title="Password Management" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/06/Password-Management.jpg" alt="" width="461" height="461" /></a></p>
<p><em>Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).</em></p>
<p>The rise of online functionality and connectivity has in turn given rise to online security issues, which create the need for passwords and other defenses against information theft. Most people today have multiple online accounts and accompanying passwords to protect those accounts. I personally have accounts (and passwords) for sites I no longer even remember. And while I have more accounts than most due to my profession, my hunch is that many people deal with the issue of password overload. Password overload is when you attempt to use your Pinterest, Twitter, work email and university login passwords (one after another) to get into your Money Market Account, only to be locked out. Now you have to go into the branch with photo ID, or endure the dreaded “customer service hotline” (not-line) to prove that “you are you.” I expect that you have experienced such “password overload” inconveniences, or you almost certainly know someone who has.</p>
<p>The problem seems like it could be easily solved by using the same password for everything. One password to remember, and no more jumbling through your notebook trying to find what password you used for your newest account creation or Facebook app. The problem with this approach is that if you are using the same <a title="passwords-that-wont-crack" href="http://blog.protectmyid.com/2012/05/30/passwords-that-wont-crack-under-pressure/" class="broken_link" rel="nofollow">passwords</a> for all (or even several) of your accounts, then if someone manages to get the password for, say, your Instagram account, they would probably be able to drain your savings account, phish your family for personal information (such as your Social Security Number), or rack up a warrant in your name for writing bad checks…. This could all happen because you logged into Facebook at an unsecured Wi-Fi location, where your password for that one <a title="state-of-identity-theft" href="http://www.experian.com/blogs/data-breach/2012/06/11/infographic-the-state-of-identity-theft/">account is compromised</a>, and it happens to be the same password you use for multiple accounts.</p>
<p>So, what do you do if you don’t want to tattoo 25 passwords on your arm and you don’t want to end up cuffed for felony check fraud? The answer is a password manager. This service was created so that users can remember just one password, yet have access to all of their other passwords. The best part is that you can have access to these passwords from anywhere, as most of the new password managers are internet based. As the need for password management increases, the options available to consumers have grown, leaving even the strictest cybersecurity aficionado pleased with the service.</p>
<p>A few things you should look for when finding a password manager are:</p>
<ol>
<li>Is it cross platform? Will it work on your iPhone and your PC?</li>
<li>How is the information (your passwords) encrypted?</li>
<li>Does the service sync automatically, or will the user need to update the password storage database every time they sign up for a new account?</li>
<li>What is the initial authentication process and how strong is it?</li>
<li>How reputable is the company who created the product and what is reported about the product itself?</li>
</ol>
<p>By asking yourself these questions you should be on your way to making sure that your passwords are protected and you won’t lose your mind trying to keep track of them all. Just make sure you protect your login credentials for your password manager…. like <strong>really, really well</strong>&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/06/19/password-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The data breach reporting landscape &#8211; part 1</title>
		<link>http://www.experian.com/blogs/data-breach/2012/02/28/the-data-breach-reporting-landscape-part-1/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/02/28/the-data-breach-reporting-landscape-part-1/#comments</comments>
		<pubDate>Tue, 28 Feb 2012 16:25:22 +0000</pubDate>
		<dc:creator>kbarney</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1010</guid>
		<description><![CDATA[Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC). As an organization specializing in monitoring and tracking data breaches, the ITRC has come across varying degrees of breaches and reasons for notification due to the varying types of compromised information. We would like to take this opportunity to address [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/02/crumbling-lock.jpg"><img class="aligncenter size-full wp-image-1014" title="crumbling lock" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/02/crumbling-lock.jpg" alt="" width="509" height="338" /></a></p>
<p><em>Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).</em></p>
<p>As an organization specializing in monitoring and tracking data breaches, the <a title="itrc website" href="http://www.idtheftcenter.org/" class="broken_link" rel="nofollow">ITRC</a> has come across varying degrees of breaches and reasons for notification due to the varying types of compromised information. We would like to take this opportunity to address some of the differences and provide some insight into our approach for tracking data breach incidents.</p>
<p>According to most state laws, a data breach is an <em>incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so</em>. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.  Note that under these state breach laws, non-personal identifying information is <em>not</em> included.</p>
<p>Next, let’s consider hacking.  By definition, &#8220;hacking&#8221; is the deliberate and unauthorized access, use, disclosure, and/or taking of electronic data on a computer.  Hacking efforts target all types of information – from high level intellectual property down to individual personal information, both sensitive and non-sensitive information.  Taken together, these two situations result in nearly 26% of the “reported breaches” included on the 2011 Identity Theft Resource Center Breach List.</p>
<p>This brings us to the definition of “reported breaches”.  ITRC only publishes breach incident information which is available from credible, public resources.  Breach incidents are tracked daily from sources such as state Attorneys General offices, a variety of media sources, and other well-recognized and respected entities that track and capture this information from publicly available sources.  This approach means that the ITRC Breach Report only reflects the tip of the iceberg.</p>
<p>In 2011, 41% of the <a title="2011 Year of the Breach" href="http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/">breaches</a> on the ITRC report show the number of records exposed as “unknown.”  In addition, ITRC is aware of a significant number of breaches that are not made public.  As a result, it is not possible to provide truly accurate numbers – either for the number of breaches or the number of records.</p>
<p>The majority of “reported breaches” included in the list are those which have met “breach notification triggers” established by the various state laws regarding this issue.  Usually these incidents are electronic in nature, and must also expose information identified as PII, such as first and last name combined with a social security number, driver’s license or state identification number and/or financial account numbers (including debit and credit cards).   Some states have expanded this “trigger” definition to include medical and healthcare information.  This situation leaves large loopholes for breaches to remain unreported.</p>
<p>Currently we know that –</p>
<ul>
<li>An indeterminable number of breaches go unreported, even when <a title="Breach notification in three easy steps" href="http://www.experian.com/blogs/data-breach/2011/05/10/breach-notification-in-three-easy-steps/">notification</a> should have been triggered according to the applicable state laws.</li>
<li>Many breach notifications (at least what is disclosed by the entity) underreport the number of records.</li>
<li>Many breach notifications also do not clearly define the types of information exposed.</li>
<li>Public information is often incomplete in detailing how the breach occurred.</li>
<li>Many breaches involving non-PII, such as email addresses, user names, and passwords, are not reported because they do not meet “breach notification triggers” as established by various state laws.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/02/28/the-data-breach-reporting-landscape-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Year of the breach: 2011 in review</title>
		<link>http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/#comments</comments>
		<pubDate>Tue, 20 Dec 2011 23:24:20 +0000</pubDate>
		<dc:creator>kbarney</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Identity Theft Resource Center]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy legislation]]></category>
		<category><![CDATA[Security Breaches]]></category>
		<category><![CDATA[smishing]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=888</guid>
		<description><![CDATA[Several high profile events throughout the year have kept the spotlight on the issue of data exposures, especially those where millions of consumers’ information was obtained by malicious hackers.  Although the information involved, emails and passwords, does not rise to the level of a “personal identifying information” (PII) breach, it is definitely troubling that such a large number of consumers may become targets of phishing and related attacks, which do attempt to get consumers’ PII.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/usb_data_breach_laptop_610.jpg"><img class="aligncenter size-full wp-image-891" title="usb_data_breach_laptop_610" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/usb_data_breach_laptop_610.jpg" alt="Business person inserting usb into laptop" width="610" height="407" /></a></p>
<p><em>Our guest blogger this week is Karen Barney of the <a title="Identity Theft Resource Center" href="http://www.idtheftcenter.org/" target="_blank" class="broken_link" rel="nofollow">Identity Theft Resource Center</a> (ITRC).</em></p>
<p>The number of breaches reported so far in 2011 is down from 2010, yet 2011 is still considered by many to be yet another “Year of the Breach”. Several high profile events throughout the year have kept the spotlight on the issue of data exposures, especially those where millions of consumers’ information was obtained by malicious hackers. Although the information involved, emails and passwords, does not rise to the level of a “personal identifying information” (PII) breach, it is definitely troubling that such a large number of consumers may become targets of phishing and related attacks, which do attempt to get consumers’ PII.</p>
<p>More and more entities are now tracking data breach occurrences by:</p>
<ul>
<li>Industry sectors (categories): business, educational, government, medical, financial</li>
<li>Breach “type” (method of access): hacking, insider, portable device (“data on the move”), accidental exposure, subcontractor, and lost or stolen; in some cases, discarded paper documents</li>
<li>Various attributes: paper or electronic, encrypted, password-protected, number of records unknown or published</li>
</ul>
<p>While most definitions and terms are relatively consistent between these monitoring sources, there are some notable differences. Differing filters applied by each monitoring entity as to what qualifies as a data breach on any given list create some divergence when breach lists are compared. These filters may range from whether the incident involves specific types of exposed PII to whether a designated minimum number of records has been compromised (e.g., a minimum of 10 or 500 records).</p>
<p>Often it is how a “record” is defined that yields the greatest disparity in determining the number of “records” exposed. Many breach analysts consider “records” to be those persons whose sensitive <a href="../2011/09/27/ensuring-the-security-of-personal-identifiable-information/">personal identifying information</a> (PII), such as Social Security numbers, debit or credit card numbers, financial account numbers, medical record numbers, and driver’s license or state identification numbers, has been exposed. How, then, does one account for compromised non-PII information, such as email addresses, user names, or other non-financial account information?</p>
<p>Many <a href="../2011/09/06/how-hackers-find-their-targets/">hacking incidents</a> this past year didn’t target personal identifying information, but instead focused on email addresses, passwords and other pieces of non-sensitive personal information. The challenge for many who analyze breach incident statistics is how to “quantify” the number of breached records that do not involve PII. Should emails and passwords be counted as “records” in the same way as Social Security numbers and financial account numbers? As of now, most state laws do not include non-sensitive personal information as triggers for breach notification, so there is no obligation to report the incident.</p>
<p>&#8220;The law only requires that an entity notify those who had sensitive information compromised, like Social Security numbers,&#8221; says Lisa Sotto, a managing partner for New York-based law firm Hunton &amp; Williams, in a recent interview with BankInfoSecurity. &#8220;But now we know other things, like e-mail addresses, can lead to compromise through social engineering and phishing.&#8221;</p>
<p>The challenge then for the incident response team is determining if a breach notification is required. If so, “what happened?”, “who needs to be notified?”, “what specifics are required?”, “when do we do it?”, “how did it happen?”, and “what have we done to make sure it won’t happen again?” The answers to these questions should all be part of an established Breach Response Plan. Other pieces of this plan should include best practice protocols, procedures, corporate training guidelines and employee education. In addition, an organizational ethic must be created so that all employees realize the importance of protecting personal information. A corporate environment must be maintained which fosters and strengthens information security awareness at all levels of the organization.</p>
<p>Another important issue to consider in your company’s incident response plan is whether it is in the best interest of the company to report a data breach incident when there is no legal obligation to do so. Under these circumstances, it is critical that the response team identify the best notification and crisis management tactics before a breach ever occurs. Those companies with strong incident response plans are able to react more quickly and accurately, prevent further data loss (and potential fines), and present factual reporting to the public that minimizes customer backlash and negative publicity.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What consumers should know about data breach notification</title>
		<link>http://www.experian.com/blogs/data-breach/2011/11/02/what-consumers-should-know-about-data-breach-notification/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/11/02/what-consumers-should-know-about-data-breach-notification/#comments</comments>
		<pubDate>Wed, 02 Nov 2011 16:36:27 +0000</pubDate>
		<dc:creator>kbarney</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Consumer fraud]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Identity Theft Resource Center]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=854</guid>
		<description><![CDATA[It can be unnerving to be told that your information has been compromised in a data breach.  The uncertainty of not knowing all the details and the anxiety over what information has been exposed is deeply troubling to many consumers.  A breach notice makes us aware of a new risk to our lives that we can’t measure easily.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/11/lettermailbox.jpg"><img class="aligncenter size-full wp-image-856" title="lettermailbox" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/11/lettermailbox.jpg" alt="Notification Letter Mailbox" width="448" height="336" /></a></p>
<p><em>Our guest blogger this week is Karen Barney of the <a title="Identity Theft Resource Center" href="http://www.idtheftcenter.org" target="_blank" class="broken_link" rel="nofollow">Identity Theft Resource Center</a> (ITRC).</em></p>
<p>It can be unnerving to be told that your information has been compromised in a data breach.  The uncertainty of not knowing all the details and the anxiety over what information has been exposed is deeply troubling to many consumers.  A breach notice makes us aware of a new risk to our lives that we can’t measure easily.</p>
<p>Oftentimes there is a lot of speculation about the timing of a company’s <a href="../2011/09/20/over-reporting-vs-under-reporting-data-breaches/">breach notification</a>.  The timing of notification may depend upon a variety of state laws, some of which allow notification to be delayed if law enforcement is investigating the incident and has requested a delay so as not to hinder the investigation.  In most breach cases, the company will want to investigate internally prior to making public notice.  It is important to both the consumer and the company that the notice provided is accurate.  No one is happy when a notice is made public and then has to be changed as further information comes to light.  Everyone is better served when the company gets the information right the first time.</p>
<p>It is also important to understand the complexities that may surround different types of data breaches.  Not all breaches pose the same amount of risk to the consumer.  For instance, some pieces of information about you, such as your email address or first and last name, are generally available and public, and pose little risk to you on their own.  Exposed credit card numbers are a risk, but not a long-term problem, as the issuer will very quickly provide a new card with a different account number.</p>
<p>Additionally, malicious attacks on a company’s server, insider (employee) theft, or the theft of mobile devices (e.g., storage devices, laptops) may be more likely to lead to identity theft than the accidental posting of information on a long-ago cached website or papers left behind in an old abandoned building.  Knowing whether the breach incident was malicious or accidental in nature may help you put the level of risk into better perspective.</p>
<p>Just remember, unless you know otherwise, the fact that your data was compromised does NOT mean you are an <a href="http://www.protectmyid.com/" class="broken_link" rel="nofollow">identity theft</a> victim.  In fact, there have been millions of people notified that their information may have been breached who have not become identity theft victims. Your <a href="../../../data-breach/data-breach-resources.html">response</a> to the breach will depend on the type of information that was compromised.  Here are some steps you can take at this time:</p>
<p><strong>Financial Account Numbers: </strong></p>
<p>This includes checking accounts, credit cards, money market funds, stocks, and bank accounts:</p>
<ul>
<li>Close ONLY the affected accounts and have the account numbers changed.</li>
<li><a href="../2011/08/23/do-your-passwords-pass-the-hack-test/">Password</a>-protect <strong>all </strong>your accounts, the new ones as well as the closed ones.  This prevents thieves from re-opening closed accounts.</li>
<li>Monitor your account and billing statements closely.</li>
<li>Report any fraudulent activity immediately to the bank and law enforcement.</li>
</ul>
<p><strong>Social Security Numbers:<br />
</strong>Call the credit reporting agencies.  These are automated and secure systems.   Place a fraud alert with each agency and request a free copy of each of your credit reports.  It is free because your information was breached and you are a potential victim of identity theft.  Do this for any person whose Social Security Number (SSN) was compromised. If the SSN belongs to a child, you should find that there is <strong>no credit report </strong>available for that <a href="http://www.familysecure.com/default.aspx?sc=668285" class="broken_link" rel="nofollow">child</a>.  If there is a credit report for a child, it indicates that the child’s information may have been used. In that case, you need to get a copy of the credit report in order to repair the incorrect items.</p>
<p>It is also recommended that you call all three credit reporting agencies and not just one.  Check your report carefully for any irregularities.  Sometimes people see errors on the report that were on the report before the data breach occurred.</p>
<p>You can use, without charge, the annual credit reports system <a href="http://www.annualcreditreport.com/" class="broken_link" rel="nofollow">www.annualcreditreport.com</a> to monitor your credit report over the next year. Stagger them throughout the year by ordering one every four months.</p>
<p>Or, if you want real-time updates on your credit report, you may want to consider a paid service which monitors your credit report and alerts you immediately upon any change.</p>
<p><strong>Other:</strong></p>
<ul>
<li>If your auto or medical insurance policy information is involved, ask the company about its policy for protecting compromised policies.</li>
<li>If it is HR data that was compromised, change the account numbers for your 401(k), life insurance, and accounts holding your stock options.  Password-protect these accounts.</li>
<li>Driver’s license &#8211; contact your state Department/Bureau of Motor Vehicles and notify them of the theft.  They most likely will not change your number.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/11/02/what-consumers-should-know-about-data-breach-notification/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ensuring the security of personal identifiable information</title>
		<link>http://www.experian.com/blogs/data-breach/2011/09/27/ensuring-the-security-of-personal-identifiable-information/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/09/27/ensuring-the-security-of-personal-identifiable-information/#comments</comments>
		<pubDate>Tue, 27 Sep 2011 17:33:12 +0000</pubDate>
		<dc:creator>kbarney</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Identity Theft Resource Center]]></category>
		<category><![CDATA[PII]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=794</guid>
		<description><![CDATA[Everywhere you turn these days there’s word of a new data breach.  In the course of our lifetime, our “personal identifying information (PII)” is shared with hundreds of companies, governmental agencies, educational facilities, businesses and health care providers.  What can a consumer do to protect their sensitive personal information?]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/09/security2.jpg"><img class="aligncenter size-full wp-image-796" title="C" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/09/security2.jpg" alt="" width="448" height="336" /></a></p>
<p>Everywhere you turn these days there’s word of a new data breach.  Your old college – archives hacked.  Your dentist’s office – files stolen.  The local retailer – credit cards skimmed.  Government offices – accidental posting of information online.</p>
<p>In the course of our lifetime, our “personal identifying information (PII)” is shared with hundreds of companies, governmental agencies, educational facilities, businesses and healthcare providers.  Social Security Numbers, account numbers, birthdates, and other identifiers are diffused into thousands of databases, each with its own risk of exposing our PII.</p>
<p>These are all areas that the ITRC recognizes as areas “beyond your personal control”.  While you make every effort to protect your personal identifying information, the same cannot always be said for those who hold it in their possession.</p>
<p>Data breaches (the inadvertent or malicious exposure of our sensitive personal information) are a fact of modern life as evidenced by the many high profile data security breaches which have occurred throughout 2011.  Late in 2010 the ITRC predicted an increase in breaches aimed at email lists which would lead to more social networking scams and malware attacks.  This has indeed come to pass.</p>
<p>The harsh reality is that our personal information is simply available in too many places to ensure a high level of security over a long period of time.  So what can a consumer do to minimize their risk in these areas which are beyond our control?  Before you provide your personal information, ask the following questions:</p>
<ul>
<li>Why do you need my Social Security number? </li>
<li>What will happen if I don’t provide it?</li>
<li>Is there an alternative identifier you can use instead? </li>
<li>How is it going to be used?</li>
<li>Do you have published policies about data protection?</li>
</ul>
<p>Depending on the answers, you may have a decision to make.  You can decide to continue with that company, or find one that will provide acceptable answers.  It’s your data they will control.</p>
<p>Businesses have both an ethical and a legal responsibility to <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">protect</a> personal identifying information and to control access to it.  Businesses should clearly identify their specific need to collect sensitive personal information and ensure that those within the company who access this information have a recognized need for such access.</p>
<p>Additionally, consumers need to make the case with businesses that data protection is a critical issue.  This point can be made by alerting businesses that access to an individual’s SSN should never be taken lightly.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/09/27/ensuring-the-security-of-personal-identifiable-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>