According to EMC’s November 2012 fraud report, online holiday shopping is projected to account for 24% of the year’s total  e-commerce sales which is good news for retailers and unfortunately, it can also be good news for online con artists.  If 2012 is anything like 2011, retailers will need to increase their data protection and security measures in order to avoid illegal online activity.  Of the 1.4 billion dollars spent in online sales during 2011’s holiday shopping season (November 1 to December 31), $82 million of those dollars were identified as fraudulent, resulting in a 219% increase from 2010.  Cyber Monday alone accounted for $2.5 million of online fraud.

Most web-based fraud activity is due to stolen credit cards and since identity theft is at an all time high, online merchants of all sizes need to implement fraud protection procedures and be proactive in watching for signs of unscrupulous activity.  Early detection is the key to stopping con artists who like to prey on new, inexperienced online businesses.  However, if they discover a merchant has implemented active data security procedures, fraudsters generally won’t waste their time and will most likely move on to their next victim.  The best way for businesses to protect themselves from fraud is to be diligent in watching out for signs of suspicious activity.  These include bulk orders for items that are not usually bought in bulk, orders for multiple high end items, international orders and several orders placed by the same person within a short time.  Con artists try to make as many purchases as possible before a fraud alert is sent to the real owner so they tend to order as much merchandise as they can.

Although it’s impossible to erase online credit card fraud, here are several strategies to reduce it:

1. Use an Address Verification Service (AVS) to make sure the billing address entered online matches the cardholder’s billing information. Institute a policy that merchandise will not ship unless the addresses match.
2. Always ask for the Card Verification Number (CVN) on all credit card orders. The number must be read from the actual card so more than likely the person has the card in his possession. Although it’s not a guarantee that he is its rightful owner, this step provides a small measure of protection.
3. Send a confirmation email or letter to customers when you send an item telling them their order has shipped and when they can expect it to appear on their bill. This can help flag any illegal activity and enable the customer to report credit fraud to the proper authorities before the perpetrator has a chance to do any further credit damage. It will also help businesses to reduce complaints and chargebacks from people who sometimes simply forget they placed an order.

Retailers should keep in mind that once an order has been sent, it is very difficult to regain any loss so prevention is the number one way to combat online fraud.

It was only a matter of time before a flood of class action lawsuits began to wash over breached companies. In general, these suits allege that a company: 1) did not adequately protect the sensitive data entrusted to it and 2) did not notify consumers of the breach in a timely enough manner. In 2011, after one of the biggest breaches of the year went public, it took just one day for the first class action lawsuit to be lodged.

The avalanche of recent breaches has been worrisome for consumers, causing lawyers, as well as lawmakers, to take note. Moving into 2012, businesses will want to carefully watch the changing landscape of litigation and legislation.
Two recently submitted bills would require companies to inform affected customers, the Federal Trade Commission and law authorities of a data loss within 48 hours of completing a breach assessment.

No matter the outcome of these bills, companies that delay making their breaches public will continue to face the consequences. In 2011, a large financial institution found itself in hot water after waiting weeks to notify customers of a breach. The controversial delay prompted a leading industry group representing the country’s largest financial institutions to testify before congress. The testimony suggested that banks should immediately notify federal officials and affected customers of a breach.

While the outcome of recent litigation remains to be seen, many lawyers expect these suits to inevitably increase in size – and rewards. To date, Internet privacy-related lawsuits have yet to yield the hefty settlements of securities fraud cases. Still, with the escalating breadth of data breaches, higher profile law firms, ones known for mounting successful security fraud litigation on behalf of shareholders, are getting involved.

The challenge for plaintiffs’ lawyers in security breach cases is not in proving liability but establishing damages. Judges must determine whether the compromise of personal data represents a loss of value or if there should be additional proof of tangible harm.

With the recent spate of data breaches and accompanying class action lawsuits, businesses have constant reminders that an ounce of prevention is worth a pound of cure. The best way to protect your business against the high costs of data breaches is to ensure your security practices and fraud resolution plans are strongly built to ward off malicious attacks and the complications that follow.

You might think you’re pretty savvy when it comes to understanding identity theft.  But what about when identity theft threatens your children?

A recent Federal Trade Commission discussion, “Stolen Futures: A Forum on Child Identity Theft,” presented a valuable opportunity to galvanize industry experts and public leaders around this increasing privacy threat.  Pop quiz: did you know….

• Children are 51 times more likely to become victims of identity theft than adults, with anywhere from 140,000 to 400,000 children affected annually by this crime.
• Criminals can easily establish fraudulent credit files in a child’s name and use them for years without detection.
• Child identity thefts often aren’t discovered until the youngster applies for a driver’s license, summer job or college loans.
• Thieves snatch children’s Social Security numbers and other personal information from day care centers, hospitals, schools, and even sports team applications.
• Stolen identities can result in credit damage for years, resulting in denial of college loans, inability to rent an apartment, difficulty in getting hired for a job, confusion around medical records, and driving records attached to a criminal’s name.

Children make vulnerable prey for identity thieves, with fresh, unused Social Security numbers that can easily be applied to another person’s birth date and name.  The sad truth is that these crimes are often perpetrated by the victim’s own family, making it difficult for the child (when he’s an adult) or non-offending family members to report the incident.  Foster children are particularly vulnerable since their personal information is passed around from family to family.

Whether the theft was committed by strangers or family, identity theft causes financial as well as emotional suffering for children, especially once they become old enough to fully understand how they were victimized.  The Identity Theft Resource Center offers helpful fact sheets that explain the process of reporting and repairing credit damage as well as healing the emotional wounds from these crimes.

What can you do to protect your child?

• Fiercely guard your child’s social security number, only giving it out when absolutely necessary and after you’ve been assured it will be well protected.
• Teach your child to protect himself online by keeping his personal information private.
• Investigate red flags like debt collectors calling for your child or mail addressed to your child from debt consolidators.
• Enroll your child in credit report monitoring that will immediately alert you to suspicious activity.

The White House recently released a comprehensive cyber-security policy proposal, and with it raised new hopes that a streamlined solution around data breach notification is finally at hand.  The desire for such a federal policy, which would supersede the patchwork quilt of state regulations, has long been expressed – proposals have been bandied about for years but have invariably become bogged down in Congress.  Despite widespread arguments that the mandatory obligations of businesses around data breach notification should be simplified and made uniform across the country, a national law has remained frustratingly elusive.

The release of the Obama administration’s proposal breathes new seriousness of purpose to this effort, which leaders hope will galvanize Congress to push this effort over the hump so that national guidelines finally become law.  The new proposal creates specific requirements around the method and timing of communications about breaches and positions the Federal Trade Commission and state attorneys general as the enforcers of the law, with penalties for violations totaling as much as $1 million.

The proposal has been met with both receptivity and criticism.  Members of the House Committee on the Judiciary Subcommittee on Intellectual Property, Competition, and the Internet, for starters, have various issues with the bill; some claim that enforced standards will hinder economic growth, while others complain that the information sharing portions of the bill that address liability are too broad.  Additional criticism is that nationalization of rules which weaken state laws will help businesses at the expenses of consumers.

Data breach notification requirements are just one part of the White House proposal, which also includes parameters around cyber-defense and protections for critical infrastructure such as electric grids and financial systems from would-be cyber-terrorists.  The Department of Homeland Security would work closely with states and critical infrastructure businesses to help manage appropriate protections and responses to “significant cyber-security incidents.”

With the recent rash of highly newsworthy data breaches, headlined by the Sony PlayStation Network breach that impacted 77+ million subscribers, there’s been much hand-wringing over how to best ensure the protection of customer privacy.  The debate seems to be centered around two different camps: those who believe that the force of law can best bolster security and those who argue that better technology holds the key to data breach freedom.

Camp #1: The Lawyers

While proposals for a national data breach law have so far failed to gain traction, most states now have laws in place that oblige companies to take certain steps when data breaches impact their customers, including requirements around breach notification.  Privacy advocates insist that the government needs to become more involved in serving as a national “data sheriff,” passing new laws that will force companies to take their security obligations more seriously.  In the meantime, as we reported recently, the Sony breach in particular has galvanized the Federal Trade Commission to begin levying fines against companies for insufficient security practices that allow data breaches to take place.  The argument for financial penalties against breached companies is that economic spankings will motivate organizations to plug security holes in ways that concern for consumer protection alone has not.

Camp #2: The Techies

While legal roadblocks may have their place, some believe that regulations can only go so far in protecting us.  Factors that make information control nigh impossible, according to Time’s Jerry Brito, include the proliferation of digitization, the vast scope of the Internet, the scale of communications made possible by the Internet, and the ease of online distribution.  Instead of punitive measures as a path to security, this argument goes, we should accept that data breaches are inevitable and instead focus on harnessing technology to improve security.  Proponents of this approach note, for example, the promise of the Obama Administration’s National Strategy for Trusted Identities in Cyberspace, which would establish an identity ecosystem that would utilize new technologies, policies and standards to help protect and authenticate consumer transactions.

As data breaches become bolder and more destructive, the debate about how to best protect ourselves from this online menace is sure to rage on.

If you thought that data breaches were already expensive – what with the manpower and resources needed to issue breach notifications, offer compensatory protection services such as free identity theft protection, identify the source of leaks and tighten up security, and bolster marketing efforts to hang on to customer loyalty – add a new line item to the list.

Fines.

In an effort to make data breaches even more unpalatable and motivate companies to strengthen their security practices, the Federal Trade Commission is beginning to levy punishments for security holes that invite intrusions.  For example, the FTC recently settled with two companies, a payroll and HR firm and an immigration law services firm, both of which maintain a great deal of sensitive information about the employees of their business customers, including Social Security numbers.  The organizations were charged with violating federal law by failing to provide reasonable and appropriate measures to protect sensitive data, in spite of the fact that the companies advertised their security measures with claims such as “worry-free safety and reliability.”  As part of the settlements, each firm is required to obtain comprehensive information security programs and independent security audits every other year for 20 years.

Taking a cue from this new practice in the U.S. and other countries, and asserting her deep concern with the large number of recent breaches, Canada’s privacy commissioner also wants to start implementing hefty “attention-getting fines” against firms that have allowed customer data to be compromised through preventable data breaches.

This decision followed news that Canadian lawyers have announced a $1 billion class-action lawsuit as a response to two massive Sony PlayStation Network breaches that exposed the information of 102 million customers.  A U.S. House of Representatives subcommittee is also demanding answers from Sony about the circumstances surrounding these breaches and has scheduled a hearing to address the “threat of data theft to American customers.”

Not all security experts think that punitive measures towards breached organizations help protect customers from data theft, noting that it is akin to fining a store after it has been robbed.  In fact, some think that fines have the opposite effect by deterring companies from reporting data breach incidents in the first place.

As they say, the best defense is a good offense.  Protect your organization from the threat of breaches and expensive regulatory punishments by ensuring that you have a strong and defensible security program in place.

In a recent report, Ernst and Young noted that stronger breach notification requirements are among the top privacy trends for 2011.  Governments around the world are enacting or tightening regulations around breach notification, and within the U.S., individual state laws around data breach notification have had a tremendous impact on data security.    

The dramatic exposures engineered by Wikileaks have made it clear that insiders who have access to sensitive information are often at the center of devastating breach incidents and can – either intentionally or inadvertently – cause tremendous damage.  Training and awareness can be of significant help in preventing accidental employee misuse of information, while technical controls such as data loss prevention tools can combat more sinister efforts to steal information.  Ernst & Young believes that DLP tools will become increasingly popular in 2011, although tools alone won’t solve data breach exposure; they must be accompanied by strong policies and trained staff for effective implementation. 

Here’s a quick checklist for how your company can responsibly manage its obligations around breach notification:

1. Develop an incident response plan ahead of time so that it can be implemented immediately.  For some businesses, the absence of such a plan can turn a breach incident into a fight for the company’s mere survival, so make sure that your business isn’t caught by surprise.  Refer to expert considerations of all the factors that should be included in your detailed plan.
2. Understand the breach requirements within your state and specific industry.  Until there is one national standard for all privacy regulations, your business must comply within regional laws or face stiff penalties. 
3. When breaches occur, execute upon your plan quickly and thoroughly.  Once your team determines the type of breach, scope of breach and the customers affected by the breach, you must determine which individuals or businesses need to be notified, if any. Guidelines from the Federal Trade Commission can help you quickly understand the specific requirements which your data breach demands.

When a data breach occurs it is important to understand the breach notification laws in your State and what you have to do to abide by them. After contacting your legal counsel, the next stop you can make is the National Conference of State Legislatures which maintains a list of enacted and proposed security breach notification laws.

In general, most state laws follow the basic tenets of California’s original law: Companies must immediately disclose a data breach to customers, usually in writing. California has since broadened its law to include compromised medical and health insurance information.

Some important considerations to these laws include, but are not limited to:

1.       The time allotted to inform consumers of a data breach.

2.       Whether or not there are penalties – civil or criminal – for a failure to disclose.

3.       What kinds of breaches, if any, are exempt from reporting.

4.       Whether or not there is a private right of action – or the ability for the consumer or employee to pursue a case on their own.

Federal agencies, such as the Federal Trade Commission, are currently reviewing ways to better protect consumer privacy.  Their findings are likely to influence how state legislature votes on some key data breach notification and privacy acts on the floor in 2011. Some of the proposals include requirements for a reasonable effort to be made to avoid a data breach with the use of encryption, designated individuals to lead privacy departments and education throughout the organization, and data security risk assessments prior to a breach.

With the recession driven boom of cybercrime, identity theft and security breaches that is likely to continue to expand in 2011, Congress will probably enact some version of these proposals sooner rather than later. That being said, it is better to be prepared and embrace the current and proposed laws before a data breach occurs.