Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).

The rise of online functionality and connectivity has in turn given rise to online security issues, which create the need for passwords and other defenses against information theft.  Most people today have multiple online accounts and accompanying passwords to protect those accounts.  I personally have accounts (and passwords) for sites I no longer even remember.  And while I have more accounts than most due to my profession, my hunch is that many people deal with the issue of password overload.  Password overload is when you attempt to use your Pinterest, Twitter, work email and university login passwords (one after another) to get into your Money Market Account only to be locked out.  Now you have to go into the branch with photo ID, or endure the dreaded “customer service hotline” (not-line) to prove that “you are you.”  I expect that you have experienced such “password overload” inconveniences, or you almost certainly know someone who has.

The problem seems like it could be easily solved by using the same password for everything.  One password to remember, and no more jumbling through your notebook trying to find what password you used for your newest account creation or Facebook app.  The problem with this approach is that if you are using the same passwords for all (or even several) of your accounts, then if someone manages to get the password for say, your Instagram account, they would probably be able to then drain your savings account, phish your family for personal information (such as your Social Security Number), or rack up a warrant in your name for writing bad checks….  This could all happen because you logged into Facebook at an unsecured Wi-fi location, where your password for that one account is compromised, and it happens to be the same password you use for multiple accounts.

So, what do you do if you don’t want to tattoo 25 passwords on your arm and you don’t want to end up cuffed for felony check fraud? The answer is a password manager.  This new service was created so that users can remember just one password, yet have access to all other passwords. The best part is that you can have access to these passwords from anywhere as most of the new password managers are internet based. As the need for password management increases, the options consumers have grown leaving even the strictest cybersecurity aficionado pleased with the service. 

A few things you should look for when finding a password manager are:

1. Is it cross platform? Will it work on your iPhone and your PC?
2. How is the information (your passwords) encrypted?
3. Does the service sync automatically, or will the user need to update the password storage database every time they sign up for a new account?
4. What is the initial authentication process and how strong is it?
5. How reputable is the company who created the product and what is reported about the product itself?

By asking yourself these questions you should be on your way to making sure that your passwords are protected and you won’t lose your mind trying to keep track of them all. Just make sure you protect your login credentials for your password manager…. like really, really well…

Customers see a data breach and the loss of their personal data as a threat to their security and finances, and with good reason. Identity theft occurs every four seconds in the United States, according to figures from the Federal Trade Commission.

As consumers become savvier about protecting their personal data, they expect companies to do the same. And to go the extra mile for them if a data breach occurs. That means providing protection that holds up under scrutiny. Protection that offers peace of mind, not just in the interim but years down the line.

The stronger the level of protection you provide to individuals affected in a breach, the stronger their brand loyalty. Just like with any product, consumers can tell the difference between valid protection products that work and ones that just don’t.

Experian® Data Breach Resolution takes care to provide the former, protection that works for your customers or employees affected in a breach and that reflects positively on you, as the company providing the protection.

Experian’s ProtectMyID® Elite or ProtectMyID Alert provides industry-leading identity protection and, now, extended fraud resolution care. ExtendCARE™ now comes standard with every ProtectMyID data breach redemption membership, at no additional cost to you or the member.

With ExtendCARE, the identity theft resolution portion of ProtectMyID remains active even when the full membership isn’t. ExtendCARE allows members to receive personalized assistance, not just advice, from an Identity Theft Resolution Agent. This high level of assistance is available any time identity theft occurs after individuals redeem their ProtectMyID memberships.

Extended protection from a global leader like Experian can put consumers’ minds at ease following a breach. If we can help you with pre-breach planning or data breach resolution, please contact us at 1 866 751 1323 or databreachinfo@experian.com.

http://www.youtube.com/watch?v=KTHWhscxGeU

Our guest blogger this week is Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute.

Our latest study, Aftermath of a Data Breach Study, was conducted to better understand how a data breach affects organizations over the long term. In this study, IT professionals weigh in on how their organizations dealt with a data breach that had both serious financial and reputational consequences. While we asked respondents to focus on just one breach, 85 percent say that their organizations had more than one breach involving customer/consumer data in the past 24 months. It is interesting to note that in many cases it took a serious data breach to make privacy and data protection a greater priority and allocate additional resources to the IT security function.

While many respondents were unable to determine the root cause of the data breach, there is a consensus among respondents that insider negligence is making their organizations vulnerable to a data breach. As a result, organizations are investing in training and awareness and technologies that minimize the human factor risk.

The findings also show the concern organizations have about losing the loyalty of their customers. Of the IT practitioners surveyed, few felt that prompt notification to victims was enough to reduce the negative consequences of the data breach. This suggests that compliance with data breach notifications laws in and of itself is not sufficient if an organization is concerned about customer loyalty and reputation. Other lessons learned from the data breach are to limit the amount of personal data collected, limit sharing with third parties and limit the amount of personal data stored. We invite you to read the full report here.

Within the world of cyber security, a great deal of attention has been focused lately on the escalating hazards and frequency of data breaches, with considerable discussion on the high cost of such breaches.  But as the industry has assessed the financial toll of breaches, it has never taken into account the impact breaches have on a company’s brand image and, consequently, its bottom line.

Until now.

A recently released Ponemon Institute study, sponsored by Experian’s Data Breach Resolution and believed to be the first of its kind, explores the “Reputation Impact of a Data Breach” to provide more context for the full scope of data breaches.  The findings draw enlightening conclusions around the financial toll that data breaches wreak upon harmed corporate reputations, including these key takeaways:

Reputation is one of an organization’s most important and valuable assets.
Reputation and brand image are perceived as very valuable…and highly vulnerable to negative events, including a data breach.

Calculating the value of reputation and brand reveals how valuable these assets are to an organization. The average value of brand and reputation for the study’s participating organizations was determined to be approximately $1.5 billion.  Depending upon the type of information lost as a result of the breach, the average loss in the value of the brand ranged from $184 million to more than $330 million. Depending upon the type of breach, the value of brand and reputation could decline as much as 17 percent to 31 percent.

Not all data breaches are equal. Some breaches are more devastating than others to an
organization’s reputation and brand image, with the loss or theft of customer information ranked as the most devastating (followed by confidential financial business information and confidential non-financial business information).

Data breaches occur in most organizations represented in this study and have at least a moderate or a significant impact on reputation and brand image. According to 82 percent of respondents, their organizations had a data breach involving sensitive or confidential information.  Fifty-three percent say the data breaches had a moderate impact on reputation and brand image and 23 percent say it was significant.

Most organizations in the study have had a data breach involving the theft of sensitive or confidential business information. On average these types of breaches have occurred 2.9 times in surveyed organizations, with the theft or loss of confidential financial information having the most significant impact on reputation and brand.

Respondents strongly believe in understanding the root cause of the breach and
protecting victims from identity theft. When asked what their organizations did following a
breach to preserve or restore brand and reputation, the top three steps are: conduct investigations and forensics, work closely with law enforcement and protect those affected from potential harms such as identity theft.

The Ponemon study clearly shows that when data breaches occur, the collateral damage of a company’s brand and reputation become significant hard costs that must be factored into the total financial loss.

It’s no surprise that data breaches are expensive.  The exact cost of these incidents, which have only become more spectacularly headline-grabbing in recent months, is a question that the Ponemon Institute has addressed for the past six years.  Their most recent analysis, the 2010 U.S. Cost of a Data Breach, includes a look at 51 U.S. companies from 15 different industry sectors, all of which experienced data breaches.

The findings dispel any notion that data breaches are becoming less costly as data breach notification sets in amongst consumers and they presumably care less about breach incidents.  In fact, consumers are still highly concerned about data breaches, and the costs of breaches are climbing.

A few key takeaways from the Ponemon study:

• The average cost of a data breach increased by seven percent to $7.2 million in 2010, with the cost of each compromised record now averaging $214, up from $209 in 2009.
• Costs of a data breach include notification and legal defense costs, penalties from regulations such as the HITECH Act, and lost customer business.
• For the first time, malicious or criminal attacks are the most expensive cause of data breaches and not the least common one; up from 12% in 2008, to 24% in 2009, to 31% in 2010.
• Quick responses to data breaches are more costly than slower responses – 54% more, to be precise.  With the haste to comply with state and federal regulations, some companies rush to get the notification process over with, and in the process over-notify more than needed.
• Companies are more proactively protecting themselves from data breach threats.  For example, breaches due to systems failures, lost devices and third-party mistakes are lower than before.  And while some companies may be responding to breaches too hastily (and inefficiently), the good news is that more companies are responding to breaches within 30 days of an incident.

One of the more surprising findings is that negligence is still the leading cause of data breaches, at 41%, further underscoring the need for companies to strengthen their security practices.  On the bright side, the average breach detection and escalation costs went up by 72%, so it appears that companies are beginning to get the message that the threat of data breaches requires aggressive precautions.

Our guest blogger this week is Tom Bowers, Managing Director, Security Constructs LLC – a security architecture, data leakage prevention and global enterprise information consulting firm.

Back in the days of Prohibition, organized crime burst into the national consciousness with the “ka-pow” of a Tommy gun, capturing a sometimes romantic fascination that continues to this day.  The public face of organized crime may have morphed somewhat over the years, from Al Capone and Bugsy Siegal to Vito Corleone and Tony Soprano, but the mugshots have been generally similar and the contours of “the life” familiar.

With the advent of technology, however, organized crime has flocked to new outlaw opportunities that depart wildly from the old stomping grounds.  Today, cyber crime is the hot modern racket, with offenses ranging from the seemingly mundane (non-delivery of payment or merchandise top the list at 14.4% of all online crime), to the daring (scams impersonating the FBI, which come in second place at 13.2%), to the now well-known standbys (identity theft, rounding out third place at 9.8%).  At the center of the cyber crime explosion is organized crime, often formed into global gangs (frequently based in Eastern Europe), ever more sophisticated, and comprising a new kind of operation that doesn’t look anything like the movies.

Indeed, cyber criminals have been so successful in recent years that they have seemed unstoppable, leaving federal law enforcement struggling with the fast pace of attacks and ever-changing tactics.  The FBI gained headway – and large-scale arrests in the U.S. – with the hiring of more agents with computer science, business and operational analysis backgrounds, but cyber criminals responded by outsourcing their operations to countries with weak computer crime laws and law enforcement capabilities.  Investigations across borders were bogged down by legal proceedings, arrests and convictions were slow to materialize, and negative public outcry placed pressure on governments around the world.

But now the tide has changed.  The three-year-old International Multilateral Partnership Against Cyber Threats (IMPACT) is the world’s first not-for-profit comprehensive global public-private partnership against cyber threats, bringing together academia, industry experts and governments from more than 120 partner countries.  The Budapest Convention on Cybercrime, an effort to synchronize national cyber security laws, has been joined by more than 30 different countries.  The European Union, U.S and NATO are working together to tackle cyber crime and have announced the formation of a new cybercrime center, to be operational by 2013.

As international agreements begin to take shape, global law enforcement benefits from common frameworks for cooperation.  Accordingly, countries are beginning to share enforcement officers, time and talent…and cyber crime arrests are on the rise.  Clearly, a mobilized, globalized and flexible law enforcement response to cyber criminal activity – combined with best practices for data breach prevention – are the best ways to keep today’s mob offline and on the run.

Cloud computing.  It’s a buzzword that’s lately been bandied about in the context of recent data breaches, casting a shadow on a technology trend that has formerly been considered a bright light in data storage.  Do businesses that have come to rely on cloud computing need to worry that they’re at increased risk of data breaches?

First, let’s be clear about what cloud computing entails.  While the name sounds confusing, we’re all operating in the clouds these days, as cloud computing implies anything delivering hosted services over the Internet.  Because data is stored on remote servers and accessed online, consumers can have every piece of data that they need readily available wherever they are, on whichever device they need.  Cloud services have been a boon to businesses because they enable outsourcing of the cost and hassle of hosting and updating software on their own servers.

But hacking attacks against companies have drawn concerns about the level of data security within cloud computing.  Cloud services that handle enormous amount of data amongst consumers and corporate clients are a big target of fraudsters, and the recent wave of high-profile attacks may cause enough second-guessing to slow the growth of the exploding cloud computing market (expected to reach $55 billion by 2014, according to technology research form IDC).  When a cloud service that handles numerous corporate clients is breached, clients whose customer information was compromised must issue alerts and apologies to their own customers.  The end consumer may have never heard of the subcontractor, so the corporate client is the one that may suffer the blame – and lost business.

While the damage to companies when their marketing and email providers are hacked can be huge, many industry experts believe that cloud applications are still safer than in-house applications.  Companies who make their business in cloud computing invest vast resources in data security – far more than most individual organizations could ever handle alone, and while their systems are constantly under attack, they have highly specialized experts whose mission is to stay on top of the latest hacking loopholes.  Indeed, many believe that cloud computing can yield a net gain in data security for businesses, so long as these organizations exercise due diligence and planning before engaging a cloud service.

The clouds are here to stay, and businesses can come out ahead from the benefits these services offer.  Just remember that smart data security policies are as important with cloud computing as any other aspect of a company’s technology systems.  When it comes to security in the clouds or on the ground, preparedness is always key.

Quick – conjure the image that comes to mind when you hear the term cybercriminal.

Perhaps an unkempt, lone operator working out of a boiler room late at night?

How about – more commonly these days – a sophisticated fraud businessman running a high-stakes organization with international teams of experts, raking in millions through his illegal tactics.

When Albert Gonzalez was arrested for hacking into the networks of TJ Maxx, Barnes and Nobles, and OfficeMax, amongst others, and stealing 45 million credit and debit card numbers, he had $1.65 million in cash, a crew of international co-conspirators, and secret bank accounts across the world stuffed with millions more.  Gonzalez, who formerly worked for the Secret Service busting other cyber criminals, was later indicted for an even bigger, separate attack that compromised 140 stolen credit card numbers.

These days, the fraud economy has matured to a point where it is run like a global marketplace, with specialists for every aspect of fraud – from identity thieves to the consumers of stolen identities.  Data theft is only one part of what fuels this economy – the second and equally important aspect is the conversion of these thefts into cash, which is where the fraud economy connects illegal data traffickers with underground data buyers.

First Data’s report on this topic offers a cheat sheet of the cheating way of life:

1.       According to a study from Symantec Corp. which followed a year in the life of the underground economy, the value of the advertised goods on underground economy Web servers in a given year was more than $276 million

2.       The Symantec study found that the most popular item for sale, as well as the most requested for purchase, is credit card data, which are inexpensive to buy and have the potential for high profit

3.       The price for stolen credit card data ranges from 10 cents to $25 per card, with discounts offered for bulk purchases

4.       The average stolen credit card has a credit limit of $4,000

5.       The potential worth of all credit cards observed for sale during Symantec’s yearlong reporting period was estimated to be $5.3 billion

6.       Stolen financial account information is the second most popular item for sale in the underground economy, selling for $10 to $1,000 per account (with an average account balance of nearly $40,000)

7.       The potential value of all bank accounts advertised on underground economy servers during the reporting period was $1.7 billion

8.       Fraud as a Service (FaaS) has evolved as an infrastructure that helps fraudsters operate efficiently, just as software as a service (SaaS) has evolved to help the online needs of businesses.  FaaS includes online Fraud Forums, which serve as web-based marketplaces for illegal goods and services

As ever-developing fraud techniques challenge the wits of security experts, it’s important to understand as much as possible about the underground fraud economy that orchestrates advanced methods to rob businesses and consumers as well as how to address these concerns.

Our guest blogger this week is Paul Luehr, Managing Director, General Counsel, Stroz Friedberg, LLC - a global digital risk management and investigations firm.

All data breaches have two things in common: the need for prompt resolution and the need for a robust preparedness plan. Healthcare institutions especially should heed the call for an incident response plan because it provides the best preventive medicine to minimize financial and reputational risks.  So PLAN, keeping in mind:  People, the Law, and Action, with No time to waste.

People – Define the responsibilities of a coordinated incident response team. Don’t act alone. A good response team should include key internal players (In-house Counsel, IT, Compliance/Security, HR and Public Relations), as well as outside experts who confront data breaches on a regular basis (trusted Attorneys, Forensic Analysts and Fraud Monitors). These external experts can help restore key business functions, preserve crucial forensic evidence, strengthen data security, address victims’ needs, and communicate effectively with regulators and the public.

Law – Track fast-changing data breach laws, privacy regulations, and notification mandates before a breach should occur.  This can help your organization identify protected health or personally identifiable information (PHI/PII which may trigger liability), navigate the HITECH Act and state law, understand reporting timelines, and effectively reach select constituents (i.e. Health and Human Services, victims, law enforcement and/or the media).

Action – Outline clear action items to accomplish within the first seventy-two hours. One early misstep can destroy crucial evidence, delay an effective response, and trigger government penalties or class-action lawsuits.

No time to waste – Remember that time is of the essence. Once a breach is identified, the clock starts ticking and may require immediate notice to regulators and/or notification to individual victims within 60 days.  

A comprehensive preparedness plan can promote extraordinary efficiencies when a breach threatens a healthcare entity. So, create your PLAN now.