Medical identity theft is no longer some obscure phrase spoken primarily in data security circles. It’s quickly becoming a household term for millions of Americans who’ve become a victim or know someone victimized by identity theft.

In fact, 90% of the respondents in a recent study knew the definition of medical identity theft this year, compared with 77% last year, according to the Ponemon Institute.

Awareness of the crime, along with its number of victims, is obviously rising. But interestingly, a majority of victims are either not sure what to do or don’t do anything about having their medical identities stolen. What about your organization? Does it know what to do?

Here are three things you should never do if your organization experiences a data breach that puts patients or consumers at risk of identity theft:

• Ignore the incident thinking no one will find out
• Take one year or longer to notify potential victims. Or even worse, don’t notify them at all if you’re not required to do so by law.
• Don’t offer any compensation or services to help potential victims

So what should you do? Here’s what people expect when their medical records are lost or stolen.

1)      Reimbursement for the cost of finding another provider. If you’re a doctor, this may seem worse than it actually is, as most victims take no action. But if they do leave, reimbursing them is an act of goodwill that can only benefit your organization in the long run.

2)      To be notified of the loss or theft within 30 days. It may behoove you to be honest and forthright. Some organizations maintained the loyalty of their patients by issuing a press release and developing a website dedicated to the breach.

3)      To be provided with free identity protection for one year.

The best remedy for identity theft is to avoid it altogether by taking precautions to protect data and train your staff on security measures. But if you do experience a breach that leads to identity theft, the best thing you can do is help your victims. It’s not only the right thing to do, it’s also the best way to protect your brand and reputation.

A nationwide look at consumers’ identity theft complaints based on FTC reports.

For a company, a data breach can seem like it comes out of the blue. Yet, according to analysis by the Identity Theft Resource Center (ITRC), the three primary causes of data breaches have remained the same since 2009:

• Hacking
• Data on the move
• Insider theft

ITRC has been releasing an annual Breach Report since 2007. For the first time, hacking outpaced all other triggers to account for just more than a quarter of the 419 breaches in 2011. Incidents of hacking rose from 17.1% in 2010 and, the previous high, 19.5% in 2009 to 25.8% in 2011.

Data on the move* was the second highest trigger, accounting for 18.1% of the breaches in 2011. Insider theft, falling slightly from 2010, caused 13.4% of the breaches as the third trigger. ITRC further counts hacking and insider theft together as a malicious attack, adding up to nearly 40% of breaches in 2011.

The numbers make it clear that companies can’t rely on one form of data breach prevention alone. The 2011 Breach Report further illustrates that no company is immune. Of the entities reporting data breaches, 47% fell into the business category. Both business and educational entities experienced an upswing in data loss incidents in 2011.

The report also considers government/military, financial/credit and health/medical entities, the third of which accounted for 20.5% of the breaches in 2011.

Among the more alarming findings is that 61.6% of the reported breaches in 2011 exposed Social Security numbers (SSN), one of the most valuable pieces of personal data an individual has. Such exposure can leave a consumer vulnerable to identity theft indefinitely. Individuals can’t easily exchange their SSN for a new number like they can with credit or debit cards. (Loss of credit and debit card data was a factor in 26.5% of incidents in 2011.)

Drawing on what’s known about how breaches occur, companies can plan ahead to prevent and respond to incidents in order to protect themselves and the consumer data they use and collect. A comprehensive prevention and response plan should account for all of the various ways, including accidental exposure and subcontractor loss, that breaches occur.

Staying aware of vulnerabilities can only help companies strengthen their defense. Data breaches are here to stay, so there’s no time like the present to take prevention and preparation seriously.

*“Data on the move” refers to data that has left its usual place of rest, i.e. its proper storage place. This includes data in transport to a new storage location as well as data that has left an office on an electronic drive, a mobile device or paper.

A great deal of data is collected on students of all ages. Registration forms, health forms, emergency contact forms and permission slips are all a part of the information overload that schools typically require from their pupils, and many of these forms request sensitive data such as social security numbers. Unfortunately, school administrators don’t always protect this information as well as they should and education institutions are just as susceptible to data breaches as any other organization.

This vulnerability, combined with the fact that stealing personal information from minors can go undetected for years, is just part of the reason why minors are 51 times more likely to suffer from identity theft than adults.

The Federal Trade Commission recently issued a release alerting parents about how to protect students from fraudulent activity. Of particular note is information about the federal Family Educational Rights Privacy Act (FERPA), enforced by the U.S. Department of Education, which protects the privacy of student records and gives parents of school-age kids the right to opt out of sharing contact information with third parties, including other families.

The FTC’s safety tips for parents include:
• Read the notice schools must distribute that explains the rights of students and parents under FERPA. This legislation protects the privacy of student education records and gives parents the right to inspect and review your child’s education records, consent to the disclosure of information in the records and correct errors in the records.
• Ask your child’s school about its directory information policy. Student directory information can include a child’s name, address, date of birth, telephone number, email address, and photo. FERPA requires schools to notify parents and guardians about their school directory policy and give them the right to opt out of the release of directory information to third parties. Absent opting out, directory information may be available not only to the people in a child’s class and school, but also to the general public.
• Take action if your child’s school experiences a data breach. If you believe there’s been a data breach and your child’s information has been compromised, contact the school to learn more. Talk with teachers, staff, or administrators about the incident and their practices. Keep a written record of your conversations. Write a letter to the appropriate administrator, and to the school board, if necessary. The U.S. Department of Education takes complaints about these incidents. Contact the Family Policy Compliance Office, U.S. Department of Education, 400 Maryland Ave., SW, Washington, DC 20202-5920, and keep a copy for your records.

Perhaps it’s no coincidence that as more attention is directed to the risks of identity theft amongst children, cyber defense is becoming a hot new field of study for students. National cyber defense competitions have emerged as spirited forums for budding technical talent, including the National Security Agency’s Cyber Defense Exercise – a competition that pits students from a series of military academies against each other – and against the competition’s leaders at NSA; the Air Force Association’s National High School Cyber Defense Competition, CyberPatriot, created to inspire high school students towards careers in cyber security and associated fields; and the National Collegiate Cyber Defense Competition, designed to provide practical experience for students in a fast-changing field that needs ever more talented workers.
We can only hope that this new generation of cyber experts – borne from a time when new risks have posed threats to their own personal safety – can meet the growing challenges of cyber defense.

http://www.youtube.com/watch?v=KTHWhscxGeU

Just as technology is continuously evolving, so are the wily ways in which fraudsters circumvent the safeguards for changing technologies.  Symantec’s study Internet Security Threat Report offers a review of where cyber thieves are finding new opportunities and, accordingly, where experts believe the thorniest security trouble spots lie.

According to Symantec, here are the top five threats to beware of:

1. Targeted attacks continue to evolve.  While targeted attacks on the large infrastructures of corporations are attempted almost every day, companies are increasingly being attacked to specifically gain access to their intellectual property.  A prominent example of this would be last year’s “Hydraq” attack on Google, a suspected politically motivated attack to steal sensitive information from Gmail accounts, which prompted Google to threaten to pull its operations out of China.  Given that this attack wouldn’t have been successful without convincing recipients that links and attachments in an email were from a known source, the lesson for future attackers is that the biggest security vulnerability to exploit is our trust of friends and colleagues.

2. Social networks + social engineering = compromise.  Hackers are getting better at learning who we are through social media outlets and posing as friends.  So-called social engineering attacks are becoming more sophisticated and harder to detect.

3. Hide and seek (zero-day vulnerabilities and rootkits).  In order to be successful, targeted attacks must penetrate an organization and remain undetected for as long as possible.  So-called “zero day vulnerabilities” help hackers maintain a game of hide and seek.  Zero days occur when a hacker discovers (and exploits) a security vulnerability in a software program before the program’s engineers do, although some believe that the fear of these vulnerabilities as a basis for attacks are worse than the reality.  Rootkits, software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications, are also helpful in keeping hackers undetected.

4. Attack kits get a caffeine boost.  Hackers are profiting on security vulnerabilities by packaging their discoveries into easily downloadable attack kits that are sold in the underground fraud economy.  Symantec believes that these kits played a role in creating over 286 million variants of malware last year.

5. Mobile threats increase.  With the explosive usage of smart phones and other mobile devices, hackers are naturally becoming ever more drawn to this territory as a platform for fraud.   Sophisticated operating systems mean that vulnerabilities are plentiful, and Trojans hidden in legitimate applications sold on app stores offer an effective means to multiply the damage.

Fraudsters will never stop finding ways to capitalize on security weaknesses and wreak havoc on privacy and bottom lines, which is why every business should work with security experts to stay ahead of these threats.

It’s that time of year again when people near and far get ready to celebrate the most wonderful holiday of them all.

OK, perhaps it isn’t exactly Christmas, but Data Privacy Day – observed on January 28th in 2012 – is no less a celebration; it’s just that this one is designed to promote best practices and awareness around privacy.  The “holiday” was begun in Europe in 2007 and continues to be observed in 30 countries as Data Protection Day.  In the U.S., National Data Privacy Day is managed by the National Cyber Security Alliance (NCSA), a non-profit public-private partnership which estimates that through media and other activities its messages regarding cybersecurity reached 175,000,000 people last year, all in the service of promoting a digital society that can best leverage the five c’s: content, community, communication, commerce and connectivity.

As our world becomes ever smaller and more networked, Data Privacy Day provides information to consumers about the ways in which personal information is collected, stored, used and shared. The international privacy promotion also helps businesses understand the laws and regulations to which they’re subjected and offers guidance about how to best shield themselves from risks.  Above all, the event is designed to foster a dialogue between different entities – citizens, private organizations and public institutions – about how to balance innovation, progress and growth with the need for privacy protection.

Since privacy is our shared responsibility, how can you contribute to this security festivity?  Train your employees, or consider hosting an event or sponsoring NPD.  If you have kids or teach them, turn to the Teens and Young Adults page, the Parents and Kids page, or the Educators page, which offer guidelines such as how to update your Facebook privacy settings, resources such as videos on how to protect your personal information and privacy, as well as your children’s.  Data Privacy Day activities will include presentations, conferences, technology demonstrations, webpage and video competitions, instructional videos, workshops, and regional events, so there are plenty of ways to get involved; for more information, turn to  www.dataprivacyday.org.

And remember to stay tuned to Experian’s Data Breach Resolution blog, where every day is data privacy day.

Within the world of cyber security, a great deal of attention has been focused lately on the escalating hazards and frequency of data breaches, with considerable discussion on the high cost of such breaches.  But as the industry has assessed the financial toll of breaches, it has never taken into account the impact breaches have on a company’s brand image and, consequently, its bottom line.

Until now.

A recently released Ponemon Institute study, sponsored by Experian’s Data Breach Resolution and believed to be the first of its kind, explores the “Reputation Impact of a Data Breach” to provide more context for the full scope of data breaches.  The findings draw enlightening conclusions around the financial toll that data breaches wreak upon harmed corporate reputations, including these key takeaways:

Reputation is one of an organization’s most important and valuable assets.
Reputation and brand image are perceived as very valuable…and highly vulnerable to negative events, including a data breach.

Calculating the value of reputation and brand reveals how valuable these assets are to an organization. The average value of brand and reputation for the study’s participating organizations was determined to be approximately $1.5 billion.  Depending upon the type of information lost as a result of the breach, the average loss in the value of the brand ranged from $184 million to more than $330 million. Depending upon the type of breach, the value of brand and reputation could decline as much as 17 percent to 31 percent.

Not all data breaches are equal. Some breaches are more devastating than others to an
organization’s reputation and brand image, with the loss or theft of customer information ranked as the most devastating (followed by confidential financial business information and confidential non-financial business information).

Data breaches occur in most organizations represented in this study and have at least a moderate or a significant impact on reputation and brand image. According to 82 percent of respondents, their organizations had a data breach involving sensitive or confidential information.  Fifty-three percent say the data breaches had a moderate impact on reputation and brand image and 23 percent say it was significant.

Most organizations in the study have had a data breach involving the theft of sensitive or confidential business information. On average these types of breaches have occurred 2.9 times in surveyed organizations, with the theft or loss of confidential financial information having the most significant impact on reputation and brand.

Respondents strongly believe in understanding the root cause of the breach and
protecting victims from identity theft. When asked what their organizations did following a
breach to preserve or restore brand and reputation, the top three steps are: conduct investigations and forensics, work closely with law enforcement and protect those affected from potential harms such as identity theft.

The Ponemon study clearly shows that when data breaches occur, the collateral damage of a company’s brand and reputation become significant hard costs that must be factored into the total financial loss.

A recent data breach discovery serves as a reminder that even when you’re on vacation, cyber criminals never sleep.

Vacationland Vendors, a company that supplies vending machines and video games to entertainment venues, recently reported that an unknown intruder penetrated its point of sale systems, resulting in a data breach affecting approximately 40,000 customers at waterland resorts in Tennessee and Wisconsin.  Although credit card and debit information was apparently stolen between December 2008 and May 2011, Vacationland Vendors did not state how the breach was discovered or whether affected customers have been notified.  The company did issue a general recommendation to anyone who visited the affected resorts within the targeted time frame to remain vigilant for fraud activity on their bank and credit card statements and to consider adding a fraud alert with the major credit bureaus.

The Vacationland Vendors data breach highlights the continued vulnerabilities of point of sale technology to crafty cyber criminals.  Heartland Payment Systems, a leading payment processing company, discovered this several years ago when it was hit by a historically large breach that exposed the accounts of as many as 100 million cardholders.  The same kind of breach affected CardSystems Solutions when a breach exposed the accounts of 40 million debit and credit card holders, leading to the sale and ultimate closure of the company.  Indeed, the theft of credit card data is one of the most common forms of fraud and the very reason that the Payment Card Industry Data Security Standard strengthened its requirements of payment card device vendors last year.

The debate about how to best secure credit card transactions has continued this year with the burgeoning introduction of end to end encryption technologies that can better protect cardholder data throughout the entire transaction process.  An example of improved safety mechanisms in the POS process is newer chip and PIN technology, as evidenced by Visa’s recent announcement that it is accelerating chip migration and adoption of mobile payments.

Until the technology around POS systems is more bulletproof, it’s especially important for companies to implement added safety measures around its current credit card payment processes.

The winter holidays are upon us and that means the travel season is pivoting into high gear.  Employees everywhere are preparing to trot off hither and yon, likely with their laptops and mobile devices in tow – and, accordingly, with your company’s data, as enticing to prowling cyber-thieves as overstuffed Christmas stockings.  While holiday travelers unwind and turn their focus to hearth and family, fraudsters focus on snatching precious data from unwary targets at airports, wi-fi hotspots, hotels and beyond.

What can companies do to mitigate the risk to their holiday-traveling data?

First, remind employees about the importance of protecting their laptops and other data-carrying devices. According to the Ponemon Institute, close to 637,000 laptops are lost each year, most commonly at security checkpoints.  Ponemon notes that 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed.  The airports with the highest number of lost, missing or stolen laptops include (in this order) Los Angeles International, Miami International, Kennedy International, and Chicago O’Hare.  While Atlanta’s Hartsfield-Jackson International is the busiest airport in the U.S., it is tied for eighth place (with Washington’s Reagan National) for lost, stolen or missing laptop computers.

The average value of a lost laptop is $49,246, a number based on several factors: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses.  Given the damage associated with laptops that go MIA, it might be wise to restrict access to corporate information while employees are traveling.  If full access to server information isn’t needed, consider using other systems such as read-only export files.  Suggest that employees transfer sensitive data from laptops to your company’s secure central server, or move it to a disk that may be stored safely until they return.  And don’t forget that encryption can serve as an endpoint protection, which allows employees to perform a remote data erase if a device is lost.

A few other tips:

• Encourage the use of privacy filters, which block the ability to view computer screens from an angle.
• Guard against open wi-fi prowlers by setting computer defaults to require owners’ authority before connecting to a new network.
• Discourage the use of public computers.  Many of them contain “keylogger spyware” that can monitor every keystroke.