Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).

The number of breaches reported so far in 2011 is down from 2010, yet 2011 is still considered by many to be yet another “Year of the Breach”.    Several high profile events throughout the year have kept the spotlight on the issue of data exposures, especially those where millions of consumers information was obtained by malicious hackers.  Although the information involved, emails and passwords, does not rise to the level of a “personal identifying information” (PII) breach, it is definitely troubling that such a large number of consumers may become targets of phishing and related attacks, which do attempt to get consumers PII.

More and more entities are now tracking data breach occurrences by:

• Industry sectors (categories): Business, educational, government, medical, financial
• Breach “type” (method of access): hacking, insider, portable device (“data on the move”), accidental exposure, subcontractor, and lost or stolen.  In some cases, discarded paper documents.
• various attributes: paper or electronic, encrypted, password-protected, number of records unknown or published

While most definitions and terms are relatively consistent between these monitoring sources, there are some notable differences.  Differing filters applied by each monitoring entity as to what qualifies as a data breach on any given list create some divergence in comparison of breach lists.  These filters may range from whether the incident involves specific types of exposed PII to whether a designated minimum number of records have been compromised (i.e. 10 or 500 minimum).

Often it is how a “record” is defined that yields the greatest disparity in determining the number of “records” exposed.  Many breach analysts consider “records” to those persons whose sensitive personal identifying information (PII), such as Social Security numbers, debit or credit card numbers, financial account numbers, medical record numbers, and driver’s license or state identification numbers have been exposed.  How then, does one then account for compromised non-PII information, such as email addresses, user names, or other non-financial account information?

Many hacking incidents this past year didn’t target personal identifying information, but instead focused on emails addresses, passwords and other pieces of non-sensitive personal information.   The challenge for many who analyze breach incident statistics is how to “quantify” the number of breached records that do not involve PII.  Should emails and passwords be counted as “records” in the same way as Social Security numbers and financial account numbers?   As of now, most state laws do not include non-sensitive personal information as triggers for breach notification therefore there is no obligation to report the incident.

“The law only requires that an entity notify those who had sensitive information compromised, like Social Security numbers,” says Lisa Sotto, a managing partner for New York-based law firm Hunton & Williams, in a recent interview with BankInfoSecurity.   “But now we know other things, like e-mail addresses, can lead to compromise through social engineering and phishing.

The challenge then for the incidence response team is determining if a breach notification is required.  If so, “what happened?”, “who needs to be notified”, “what specifics are required?”, “when do we do it?”, “how did it happen?”, and “what have we done to make sure it won’t happen again?”  The answers to these questions should all be part of an established Breach Response Plan.  Other pieces of this plan should include best practice protocols, procedures, corporate training guidelines and employee education.  In addition, an organizational ethic must be created so that all employees realize the importance of protecting personal information.  A corporate environment must be maintained which fosters and strengthens information security awareness at all levels of the organization.

Another important issue to consider in your company’s incident response plan is whether it is in the best interest of the company to report a data breach incident when there is no legal obligation to do so.  Under these circumstances, it is critical that the response team identify the best notification and crisis management tactics before a breach ever occurs.   Those companies with strong incident response plans are able to react more quickly and accurately, prevent further data loss (and potential fines), and present factual reporting to the public that minimizes customer backlash and negative publicity.

Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).

It can be unnerving to be told that your information has been compromised in a data breach.  The uncertainty of not knowing all the details and the anxiety over what information has been exposed is deeply troubling to many consumers.  A breach notice makes us aware of a new risk to our lives that we can’t measure easily.

Often times, there is a lot of speculation surrounding the company’s timing of the breach notification.  The timing of notification may depend upon a variety of state laws, some of which may delay notification if law enforcement is doing an investigation of the incident and has requested a delay to make the investigation easier.  In most breach cases, the company will want to investigate internally prior to making public notice.  It is important to the consumer and the company that they provide a notice which is accurate.  No one is happy when a notice is made public, and then has to be changed as further information comes to light.  Everyone is better served when the company gets the information right the first time.

It is also important to understand the complexities which may surround various types of data breaches. Not all breaches are equal in the amount of risk posed to the consumer.  For instance, some pieces of information about you are generally available and public, and pose little risk to you taken alone, such as your email address, or first and last name.  Credit card numbers that are exposed are a risk, but not a long term problem, as the issuer will provide a new card with a different account number very quickly.

Additionally, malicious attacks on a company’s server, insider (employee) theft, or the theft of mobile devices (i.e. storage devices, laptops) may be more likely to lead to identity theft than accidental posting on a long-ago cached website or papers left behind in an old abandoned building.  Knowing whether or not the breach incident was malicious or accidental in nature may help you to put the level of risk into a better perspective.

Just remember, unless you know otherwise, the fact that your data was compromised does NOT mean you are an identity theft victim.  In fact, there have been millions of people notified that their information may have been breached who have not become identity theft victims. Your response to the breach will depend on the type of information that was compromised.  Here are some steps you can take at this time:

Financial Account Numbers:

This includes checking accounts, credit cards, money market funds, stocks, and bank accounts:

• Close ONLY the affected accounts and have account numbers changed.
• Password-protect all your accounts, the new ones as well as the closed.  This restricts thieves from re-opening closed accounts.
• Monitor your account and billing statements closely
• Report any fraudulent activity immediately to the bank and law enforcement.

Social Security Numbers:
Call the credit reporting agencies.  These are automated and secure systems.   Place a fraud alert with each agency and request a free copy of each of your credit reports.  It is free because your information was breached and you are a potential victim of identity theft.  Do this for any person whose Social Security Number (SSN) was compromised. If the SSN belongs to a child, you should find that there is no credit report available for that child.  If there is a credit report for a child, it indicates that the child’s information may have been used. In that case, you need to get a copy of the credit report in order to repair the incorrect items.

It is also recommended that you call all three credit reporting agencies and not just one.  Check your report carefully for any irregularities.  Sometimes people see errors on the report that were on the report before the data breach occurred.

You can use, without charge, the annual credit reports system www.annualcreditreport.com to monitor your credit report over the next year. Stagger them throughout the year by ordering one every four months.

Or, if you want real-time updates on your credit report, you may want to consider a paid service which monitors your credit report and alerts you immediately upon any change.

Other:

• If your auto or medical insurance policy information is involved, ask the company about their policy to protect compromised policies.
• If it is HR data that was compromised, change account numbers for your 401-K, life insurance, and accounts holding your stock options.  Password-protect these accounts.
• Driver’s License’s – contact your state Department/Bureau of Motor Vehicles and notify them of the theft.  They most likely will not change your number.

Everywhere you turn these days there’s word of a new data breach.  Your old college – archives hacked.  Your dentist’s office – files stolen.  The local retailer – credit cards skimmed.  Government offices – accidental posting of information online.

In the course of our lifetime, our “personal identifying information (PII)” is shared with hundreds of companies, governmental agencies, educational facilities, businesses and healthcare providers.  Social Security Numbers, account numbers, birthdates, and other identifiers are diffused into thousands of databases, each with its own risk of exposing our PII.

These are all areas that the ITRC recognizes as areas “beyond your personal control”.  While you make every effort to protect your personal identifying information, the same cannot always be said for those who hold it in their possession.

Data breaches (the inadvertent or malicious exposure of our sensitive personal information) are a fact of modern life as evidenced by the many high profile data security breaches which have occurred throughout 2011.  Late in 2010 the ITRC predicted an increase in breaches aimed at email lists which would lead to more social networking scams and malware attacks.  This has indeed come to pass.

The harsh reality is that our personal information is simply available in too many places to ensure a high level of security over a long period of time.  So what can a consumer do to minimize their risk in these areas which are beyond our control?  Before you provide your personal information, ask the following questions:

• Why do you need my Social Security number? 
• What will happen if I don’t provide it?
• Is there an alternative identifier you can use instead? 
• How is it going to be used?
• Do you have published policies about data protection?

Depending on the answers, you may have a decision to make.  You can decide to continue with that company, or find one that will provide acceptable answers.  It’s your data they will control.

Businesses have both an ethical and legal responsibility to protect personal identifying information and control access to such information.  Businesses should clearly identify their specific need to collect sensitive personal information and to ensure that those within a company, who access this information, have a recognized need for such access

Additionally, consumers need to make the case with businesses that data protection is a critical issue.  This point can be made by alerting businesses that access to an individual’s SSN should never be taken lightly.

You might think you’re pretty savvy when it comes to understanding identity theft.  But what about when identity theft threatens your children?

A recent Federal Trade Commission discussion, “Stolen Futures: A Forum on Child Identity Theft,” presented a valuable opportunity to galvanize industry experts and public leaders around this increasing privacy threat.  Pop quiz: did you know….

• Children are 51 times more likely to become victims of identity theft than adults, with anywhere from 140,000 to 400,000 children affected annually by this crime.
• Criminals can easily establish fraudulent credit files in a child’s name and use them for years without detection.
• Child identity thefts often aren’t discovered until the youngster applies for a driver’s license, summer job or college loans.
• Thieves snatch children’s Social Security numbers and other personal information from day care centers, hospitals, schools, and even sports team applications.
• Stolen identities can result in credit damage for years, resulting in denial of college loans, inability to rent an apartment, difficulty in getting hired for a job, confusion around medical records, and driving records attached to a criminal’s name.

Children make vulnerable prey for identity thieves, with fresh, unused Social Security numbers that can easily be applied to another person’s birth date and name.  The sad truth is that these crimes are often perpetrated by the victim’s own family, making it difficult for the child (when he’s an adult) or non-offending family members to report the incident.  Foster children are particularly vulnerable since their personal information is passed around from family to family.

Whether the theft was committed by strangers or family, identity theft causes financial as well as emotional suffering for children, especially once they become old enough to fully understand how they were victimized.  The Identity Theft Resource Center offers helpful fact sheets that explain the process of reporting and repairing credit damage as well as healing the emotional wounds from these crimes.

What can you do to protect your child?

• Fiercely guard your child’s social security number, only giving it out when absolutely necessary and after you’ve been assured it will be well protected.
• Teach your child to protect himself online by keeping his personal information private.
• Investigate red flags like debt collectors calling for your child or mail addressed to your child from debt consolidators.
• Enroll your child in credit report monitoring that will immediately alert you to suspicious activity.

With a little bad luck, security breaches can become the match that sets your revenues aflame.  Breaches are big business for fraud “arsonists” who smoke out ways to profit from your pain.  How big?  Here’s what the Identity Theft Resource Center has uncovered about security breaches and the workplace:

1.     According to one study, identity theft cost U.S. businesses and consumers $56.6 billion in a given year.

2.     One expert calculated that the loss or theft of just one laptop can cost a company as much as $90,000 or more in fines, credit monitoring for victims, public relations damage control, and class action litigation.

3.     According to the U.S. Bureau of Justice Statistics, identity theft is now surpassing drug trafficking as the number one crime in the nation.  Further, a preliminary study done by ITRC shows that the majority of identity theft criminals are repeat offenders.

4.     One survey showed that 21 of the top 100 U.S. retail financial institutions reported that 39% of respondents indicated an increase in online banking and bill-payment losses over the past year.

5.     A Zogby study reports that 91% of Americans are now concerned about identity theft and expressed concern that legitimate retailers would sell their information without consent. 83% are specifically worried that information will wind up in the hands of a third party.

6.     In that same study, 34% of respondents did not believe retailers are doing a good job of protecting their personal data, compared to 28% who felt companies protect data adequately.

7.     A Unisys survey reported by Internet Retailer said that 16% of respondents have stopped shopping online because the process requires a bank card, citing fear of card fraud and theft.

8.     The same study reported that 69% of those survey said they would stop using a site that lost their personal information.

9.     According to a Forrester Research study entitled “Calculating the Cost of a Security Breach,” the costs of a data breach vary widely, ranging $90 to $305 per customer record, depending on whether the breach is “low-profile” or “high-profile” and the company is in a non-regulated or highly regulated area, such as banking.

10.  The same study did the math and estimated the cost of a breach at $50 per customer record for the discovery, notification and response that brings in unexpected expenses associated with legal counsel, call centers and mail notification.  It also noted that lost employee productivity would range from $20 to $30 per customer record.

Don’t let your bottom line go up in flames: understand how security breaches impact your business and take aggressive action to avert disaster.

Legislation has been introduced in Congress to crack down on Medicare and Medicaid fraud. This legislation comes at a time when incidents of medical fraud are on the rise and the Obama Administration is poised to role out sweeping healthcare reform.  Medical fraud is estimated to cost the U.S. health care system $100 billion a year.

The new rules will give federal health officials key powers to detect fraud early and prevent improper payments from being made.  For example, medical provider employees will be subject to fingerprinting, payments will be suspended to health organizations that are under investigation and medical programs will be required to stop using providers kicked out of Medicare or Medicaid programs.

These rules have serious implications for the health care industry that must also comply with stringent new HITECH rules. As I mentioned in a previous blog entry, some professionals feel the best way to comply with the new requirements is to be proactive.  For example, providers should consider actively working with their vendors to ensure all parties comply with the new standards.

Another recommendation is to conduct an internal risk assessment. A thorough assessment can identify where a business is not complying with the HITECH Act or HIPAA standards and provide an opportunity to make the right adjustments. Non-compliance can result in up to $1.5 million in fines or even civil action from a State Attorney General.

Learn more about risk assessments and act now before it’s too late.

Identity thieves are becoming more skilled as they focus on stealing dormant social security numbers that belong to children. According to the Identity Theft Resource Center (ITRC) credit issuers do not have the ability to verify a SSN as belonging to an adult or minor which makes detecting fraud against minors more difficult. Experts point out that frequently the parents and children are not aware of the fraud and potential financial damage until the minor applies for his or her first job or student loan.  As you can imagine, significant damage to the minor’s credit may have already occurred.

This nascent threat has serious implications for business, lenders, and educational institutions that make decisions based on credit reports and scores.  For example, a recent scam was uncovered where thieves sold dormant SSNs to people looking to rebuild their credit rating. People who buy these numbers build their credit score by linking to a dormant credit file, a process called “piggybacking.” Unfortunately, these dormant files most likely belong to minors.

The economic downturn and mortgage crises have resulted in tightened lending policies and a greater focus on credit profiles. Many lending decisions are made simply on a defined credit score threshold. However, with the increase in incidents of “piggybacking” on dormant accounts, a growing number of these scores will be based on fraudulent information.

The ITRC has proposed creating a database that enables businesses to verify if a submitted SSN is that of a minor creating an opportunity to identify fraud.  Visit the ITRC to learn more.

Just as the healthcare industry came up to speed on the regulations defined in The Health Information Technology for Economic and Clinical Health (“HITECH”) Act, additional modifications are being proposed. These proposed rules focus on expanding obligations and penalties for covered entities (CEs) to now include business associates (BAs).

So why is this significant? For two reasons. First, combined with the HITECH Act, the new rules will expand both the application of certain HIPAA Security and Privacy requirements and penalties to business associates.  Secondly, the proposal expands the definition of BA to include subcontractors who handle health information. Subcontractors would be considered BAs and are subject to direct liability under the HIPAA rules.

Many provider networks, physician practices and insurance plans work with outside vendors to manage their businesses and patient health information.  Many of these providers are BAs who use sub-contractors.  Under the proposed new regulations, these subcontractors must also be HIPAA compliant and follow the HITECH regulations or face penalties. This also means that CEs could be held liable when a BA does not comply.

How well does your company know its business associates…and the businesses that they do business with? As health care organizations expand their operations, it is imperative that due diligence is performed to avoid potential liability stemming from non-compliant vendors.  Some privacy professionals feel the best way to prevent liability under the new requirements is to be proactive about adhering to compliance standards.

Companies should consider actively working with their vendors to address the stringent HITECH requirements and ensure that anyone that falls under the BA category is aware of the full implications as it relates to HITECH and HIPAA.  The more proactive you are the better chance you have of avoiding potentially heavy fines due to the ignorance of a BA that was not aware of the law.

According to a recent study by the Identity Theft Resource Center, data breaches in the healthcare sector are occurring at a higher rate than in other industries.  The study found that of the 385 data breaches that occurred in the U.S. in the first half of 2010, 30% of those affected were healthcare providers.  In comparison, data breaches reported in banking and other financial institutions for the same time period totaled 10%.

What is the cause of this large discrepancy between industries?  According to commentary provided by eSecurity Planet, the increase may be due to the many different types of workers that have access to areas in healthcare organizations buildings where sensitive data is stored. This unrestricted access provides an opportunity for unauthorized employees to access laptops, USB drives or desktops with sensitive information from areas that are far less secure than at a bank or other financial institutions.

This sharp increase has caught the attention of the US Congress that is set to approve $1.7 billion to fight healthcare fraud. A large portion of that spend will go towards creating fraud “task forces” in up to 20 cities across the U.S. Watchdog groups and patient privacy advocates are also putting pressure on healthcare organizations to protect patient’s medical records and personal information especially as patient records become digital and are stored by third parties.

Deterring and detecting data breach threats does not happen by chance.  Now more than ever, it is important for healthcare companies to take advantage of proven data security solutions and to develop policies, like those used in other industries, to help protect patient data.