According to EMC’s November 2012 fraud report, online holiday shopping is projected to account for 24% of the year’s total  e-commerce sales which is good news for retailers and unfortunately, it can also be good news for online con artists.  If 2012 is anything like 2011, retailers will need to increase their data protection and security measures in order to avoid illegal online activity.  Of the 1.4 billion dollars spent in online sales during 2011’s holiday shopping season (November 1 to December 31), $82 million of those dollars were identified as fraudulent, resulting in a 219% increase from 2010.  Cyber Monday alone accounted for $2.5 million of online fraud.

Most web-based fraud activity is due to stolen credit cards and since identity theft is at an all time high, online merchants of all sizes need to implement fraud protection procedures and be proactive in watching for signs of unscrupulous activity.  Early detection is the key to stopping con artists who like to prey on new, inexperienced online businesses.  However, if they discover a merchant has implemented active data security procedures, fraudsters generally won’t waste their time and will most likely move on to their next victim.  The best way for businesses to protect themselves from fraud is to be diligent in watching out for signs of suspicious activity.  These include bulk orders for items that are not usually bought in bulk, orders for multiple high end items, international orders and several orders placed by the same person within a short time.  Con artists try to make as many purchases as possible before a fraud alert is sent to the real owner so they tend to order as much merchandise as they can.

Although it’s impossible to erase online credit card fraud, here are several strategies to reduce it:

1. Use an Address Verification Service (AVS) to make sure the billing address entered online matches the cardholder’s billing information. Institute a policy that merchandise will not ship unless the addresses match.
2. Always ask for the Card Verification Number (CVN) on all credit card orders. The number must be read from the actual card so more than likely the person has the card in his possession. Although it’s not a guarantee that he is its rightful owner, this step provides a small measure of protection.
3. Send a confirmation email or letter to customers when you send an item telling them their order has shipped and when they can expect it to appear on their bill. This can help flag any illegal activity and enable the customer to report credit fraud to the proper authorities before the perpetrator has a chance to do any further credit damage. It will also help businesses to reduce complaints and chargebacks from people who sometimes simply forget they placed an order.

Retailers should keep in mind that once an order has been sent, it is very difficult to regain any loss so prevention is the number one way to combat online fraud.

Medical identity theft is no longer some obscure phrase spoken primarily in data security circles. It’s quickly becoming a household term for millions of Americans who’ve become a victim or know someone victimized by identity theft.

In fact, 90% of the respondents in a recent study knew the definition of medical identity theft this year, compared with 77% last year, according to the Ponemon Institute.

Awareness of the crime, along with its number of victims, is obviously rising. But interestingly, a majority of victims are either not sure what to do or don’t do anything about having their medical identities stolen. What about your organization? Does it know what to do?

Here are three things you should never do if your organization experiences a data breach that puts patients or consumers at risk of identity theft:

• Ignore the incident thinking no one will find out
• Take one year or longer to notify potential victims. Or even worse, don’t notify them at all if you’re not required to do so by law.
• Don’t offer any compensation or services to help potential victims

So what should you do? Here’s what people expect when their medical records are lost or stolen.

1)      Reimbursement for the cost of finding another provider. If you’re a doctor, this may seem worse than it actually is, as most victims take no action. But if they do leave, reimbursing them is an act of goodwill that can only benefit your organization in the long run.

2)      To be notified of the loss or theft within 30 days. It may behoove you to be honest and forthright. Some organizations maintained the loyalty of their patients by issuing a press release and developing a website dedicated to the breach.

3)      To be provided with free identity protection for one year.

The best remedy for identity theft is to avoid it altogether by taking precautions to protect data and train your staff on security measures. But if you do experience a breach that leads to identity theft, the best thing you can do is help your victims. It’s not only the right thing to do, it’s also the best way to protect your brand and reputation.

Swimmers may be stealing the spotlight, but it’s scammers who are taking home the gold–in the form of stolen credit card numbers, PINs, consumers’ personal identities.

One familiar con trotted out this year (and every Olympics) is ticket fraud, including what Britons call ‘ticket touting’ (scalping) and its more sinister cousin, counterfeiting. Paying for tickets that are never delivered is another way unwary buyers are tricked into giving up personal and/or credit card information.

Beware the cyber threats

Acknowledging the widespread use of smartphones, tablets and similar devices to retrieve Games-related content, the UK’s national fraud reporting center, Action Fraud, cautions fans to browse wisely, warning that worms, viruses and other malware can penetrate mobile devices just as easily as PCs.

Top malware delivery threats listed on Action Fraud’s blog site include:

• Search Engine Poisoning – The most prevalent form of malware delivery (40% of all malware infections), in which attackers link what appear to be legitimate search result “bait” pages to malware infected sites.
• Drive-by-Downloads – Technique that automatically downloads malware when devices interact with an infected website, email, pop-up ad or other apparently authentic Olympic content.
• Information Phishing – Disguised links from Facebook and Twitter abound this year. When clicked, infected links, in the shortened bit.ly/ format, for example, can instantly extract, disable or destroy a device’s content or operating system.

Staying off the scammers’ scorecards

A fraudster’s goal is to rip you off in record time and disappear into the shadows with their
ill-gotten gains.  To avoid being victimized during the Olympics (or anytime) follow these common-sense rules for browsing and buying:

• Never click a link from someone you don’t know.
• Avoid giving personal or credit card information to anyone whose identity and organization you can’t positively confirm.
• For Olympics news or memorabilia, frequent only sites known to be credible and trustworthy, such as London2012.com.

Such simple precautions can make for a winning Olympics experience, and help send the fakes, frauds and phonies home empty handed.

Have you or a friend encountered scammers during the Olympics? Take a minute to briefly share your story.

Can you imagine losing backup disks containing information for 300,000 patients? Or having computer back-up tapes stolen? What if someone hacked into your network servers or lost important laptops? These aren’t hypothetical scenarios. They’re real data breach cases that have occurred in recent years. Can this happen to you? You bet. The key is being prepared for the inevitable.

I would like to invite you to participate in an informative webinar on this important issue. I will be joined by Dr. Larry Ponemon, a data protection “think tank” pioneer and Chairman of the Ponemon Institute, and Karen Murray, Vice President, Chief Compliance Officer of Steward Health Care System in a discussion focusing on the latest data breach trends, how to prepare for a data breach and the best ways to respond to a breach.

The 90-minute webinar, delivered in conjunction with the Health Care Compliance Association (HCCA), will be held at noon CST on July 25, 2012 and participants may be eligible for CEUs.

In addition, the webinar will feature:

• The latest research about consumer notification from the Ponemon Institute
• A look at healthcare data breach statistics
• Best practices for data breach preparation from a compliance officer’s perspective.
• Examples of what works – and doesn’t work – when responding to a data breach
• How and why data breaches happen
• How to budget the resources for a  potential breach
• What do regulators expect from an organization that experienced a breach?
• A question and answer period for participants

Come learn the best ways to try and prevent a data breach and the most effective methods to respond to one. Learn to minimize your costs and help protect your reputation.

The latest Ponemon Institute Medical Identity Theft survey reflects the classic good news, bad news scenario. The good news is that more consumers understand how medical identity theft happens, and the importance of checking healthcare invoices and records for accuracy. The bad news is that the victim count has hit an all-time high (nearly 2 million annually), while breach frequency and financial damages continue
to rise, unabated.   

Losses up 44% from 2010

Data extrapolated for 2012 reveals that losses from medical identity theft will top $40 billion, up 34% from last year and 44% from 2010. During any given hour thieves using pilfered credentials will steal nearly $5 million worth of medical services, equipment and prescriptions.

The survey also revealed:

• Higher costs for recovery and resolution: victims pay on average $22,346
  (up 10% from 2011) to resolve medical identity theft, including the cost of identity theft protection and retaining legal counsel
• Difficulty knowing when the crime occurred: one quarter of those asked did not know when their medical identity was stolen, while 34% said it took more than a year to find out
• Collection letters still top the list: though more consumers learn of medical identity theft from suspicious statement or invoice entries, nearly 40% of victims first hear of their misfortune through collection letters

In a subtle but potentially instructive revelation, just 4% of survey respondents said a healthcare provider or insurance company notified them of the theft.  

Providers beware

So how is all this flavoring consumers’ attitudes toward healthcare and insurance providers? The biggest non-financial consequence, according to Ponemon, is a loss of trust and confidence. If people perceive a lack of effective data safeguards, most (58%) feel no compunction about going elsewhere for services. If their medical records were ever lost or stolen 56% of respondents would also feel justified making a change.  

Watch the vital signs

The top three actions desired by victims following medical identity theft include: reimbursement for the costs of changing providers; prompt notification of the loss or theft; and free identity theft protection for at least one year. (Hint: Providers can use these survey insights to develop post-breach strategies and programs aimed at reestablishing trust and confidence.)  

Employers can also play a role in medical identity theft awareness by encouraging (and if needed, teaching) employees how to:

• Keep medical information private
• Regularly check medical records for accuracy (57% of those surveyed don’t)
• Be more proactive about monitoring statements and charges
• Review and interpret credit reports
• Engage an identity theft protection service

Bottom line? When it comes to medical identity theft, vigilance is good medicine–for consumers and healthcare providers alike.

Data breaches occur in every industry, but, in healthcare, they’re a whole different ballgame. Black market prices and mobile devices drive data theft and loss. Federal regulations govern breach reporting.
With breaches of medical records increasing 97% from 2010 to 2011, the medical field has been especially hard hit. Here’s a look at five factors that make breaches in this one industry so cumbersome, dangerous and difficult to deter.
 
1. Heavy regulations
While various state laws govern many breaches, a healthcare breach falls under federal law—both for providers and their business associates. The Department of Health and Human Services (HHS) enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to govern PHI management. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 further enforced it. HITECH’s tiered system of fines can cost a company as much as $1.5 million for mishandling a breach.

2. Black market premium
By many estimates, a medical record sells for $50 on the black market, compared to just $1 for a Social Security number (SSN), according to a GovTech.com article. A single breach can be highly lucrative with an average of 49,000 records impacted per incident. This profitability makes it all the more difficult to deter medical breaches and protected health information (PHI) fraud stemming from both internal and external threats.

3. Substantial harm to patients
Ninety percent of healthcare organizations in a recent study agreed that breaches cause patients harm. One example of this is medical identity theft. Another study found that resolving medical identity theft costs victims $20,663, an extrapolated average. Patients with breached PHI may face even worse. They could lose their medical insurance altogether, due to abuse of their benefits by an imposter. And that imposter’s health conditions, blood type, allergies and prescriptions could end up being part of the victim’s medical file. That misinformation could lead to improper medical care, potentially resulting in a life-threatening situation for the victim.

4. High volume of breaches
According to data from the Identity Theft Resource Center, the overall volume of breached records increased 35% from 2010 to 2011. Yet, according to HHS data, the volume of breached PHI records increased 97% in the same timeframe. In fact, three of the top six breaches of 2011 were in healthcare, according to the Privacy Rights Clearinghouse. The numbers point to an industry in crisis. Ninety-six percent of providers in a recent study have experienced at least one breach in the past two years.

5. Unprepared entities
The increase in medical breaches comes at a time when entities are updating their offices with both electronic health records (EHR) and mobile devices. Many are doing so without putting the proper security measures and access controls in place first. In a recent study, 81% of healthcare entities reported using mobile devices to “collect, store and/or transmit” PHI but 49% haven’t implemented any protection measures for the devices.

With so many different factors at play in healthcare breaches, the sector will continue to be an interesting one to watch. As the HHS promotes greater transferability of EHR, the road ahead may become even rockier.

Customers see a data breach and the loss of their personal data as a threat to their security and finances, and with good reason. Identity theft occurs every four seconds in the United States, according to figures from the Federal Trade Commission.

As consumers become savvier about protecting their personal data, they expect companies to do the same. And to go the extra mile for them if a data breach occurs. That means providing protection that holds up under scrutiny. Protection that offers peace of mind, not just in the interim but years down the line.

The stronger the level of protection you provide to individuals affected in a breach, the stronger their brand loyalty. Just like with any product, consumers can tell the difference between valid protection products that work and ones that just don’t.

Experian® Data Breach Resolution takes care to provide the former, protection that works for your customers or employees affected in a breach and that reflects positively on you, as the company providing the protection.

Experian’s ProtectMyID® Elite or ProtectMyID Alert provides industry-leading identity protection and, now, extended fraud resolution care. ExtendCARE™ now comes standard with every ProtectMyID data breach redemption membership, at no additional cost to you or the member.

With ExtendCARE, the identity theft resolution portion of ProtectMyID remains active even when the full membership isn’t. ExtendCARE allows members to receive personalized assistance, not just advice, from an Identity Theft Resolution Agent. This high level of assistance is available any time identity theft occurs after individuals redeem their ProtectMyID memberships.

Extended protection from a global leader like Experian can put consumers’ minds at ease following a breach. If we can help you with pre-breach planning or data breach resolution, please contact us at 1 866 751 1323 or databreachinfo@experian.com.

A great deal of data is collected on students of all ages. Registration forms, health forms, emergency contact forms and permission slips are all a part of the information overload that schools typically require from their pupils, and many of these forms request sensitive data such as social security numbers. Unfortunately, school administrators don’t always protect this information as well as they should and education institutions are just as susceptible to data breaches as any other organization.

This vulnerability, combined with the fact that stealing personal information from minors can go undetected for years, is just part of the reason why minors are 51 times more likely to suffer from identity theft than adults.

The Federal Trade Commission recently issued a release alerting parents about how to protect students from fraudulent activity. Of particular note is information about the federal Family Educational Rights Privacy Act (FERPA), enforced by the U.S. Department of Education, which protects the privacy of student records and gives parents of school-age kids the right to opt out of sharing contact information with third parties, including other families.

The FTC’s safety tips for parents include:
• Read the notice schools must distribute that explains the rights of students and parents under FERPA. This legislation protects the privacy of student education records and gives parents the right to inspect and review your child’s education records, consent to the disclosure of information in the records and correct errors in the records.
• Ask your child’s school about its directory information policy. Student directory information can include a child’s name, address, date of birth, telephone number, email address, and photo. FERPA requires schools to notify parents and guardians about their school directory policy and give them the right to opt out of the release of directory information to third parties. Absent opting out, directory information may be available not only to the people in a child’s class and school, but also to the general public.
• Take action if your child’s school experiences a data breach. If you believe there’s been a data breach and your child’s information has been compromised, contact the school to learn more. Talk with teachers, staff, or administrators about the incident and their practices. Keep a written record of your conversations. Write a letter to the appropriate administrator, and to the school board, if necessary. The U.S. Department of Education takes complaints about these incidents. Contact the Family Policy Compliance Office, U.S. Department of Education, 400 Maryland Ave., SW, Washington, DC 20202-5920, and keep a copy for your records.

Perhaps it’s no coincidence that as more attention is directed to the risks of identity theft amongst children, cyber defense is becoming a hot new field of study for students. National cyber defense competitions have emerged as spirited forums for budding technical talent, including the National Security Agency’s Cyber Defense Exercise – a competition that pits students from a series of military academies against each other – and against the competition’s leaders at NSA; the Air Force Association’s National High School Cyber Defense Competition, CyberPatriot, created to inspire high school students towards careers in cyber security and associated fields; and the National Collegiate Cyber Defense Competition, designed to provide practical experience for students in a fast-changing field that needs ever more talented workers.
We can only hope that this new generation of cyber experts – borne from a time when new risks have posed threats to their own personal safety – can meet the growing challenges of cyber defense.

Just as technology is continuously evolving, so are the wily ways in which fraudsters circumvent the safeguards for changing technologies.  Symantec’s study Internet Security Threat Report offers a review of where cyber thieves are finding new opportunities and, accordingly, where experts believe the thorniest security trouble spots lie.

According to Symantec, here are the top five threats to beware of:

1. Targeted attacks continue to evolve.  While targeted attacks on the large infrastructures of corporations are attempted almost every day, companies are increasingly being attacked to specifically gain access to their intellectual property.  A prominent example of this would be last year’s “Hydraq” attack on Google, a suspected politically motivated attack to steal sensitive information from Gmail accounts, which prompted Google to threaten to pull its operations out of China.  Given that this attack wouldn’t have been successful without convincing recipients that links and attachments in an email were from a known source, the lesson for future attackers is that the biggest security vulnerability to exploit is our trust of friends and colleagues.

2. Social networks + social engineering = compromise.  Hackers are getting better at learning who we are through social media outlets and posing as friends.  So-called social engineering attacks are becoming more sophisticated and harder to detect.

3. Hide and seek (zero-day vulnerabilities and rootkits).  In order to be successful, targeted attacks must penetrate an organization and remain undetected for as long as possible.  So-called “zero day vulnerabilities” help hackers maintain a game of hide and seek.  Zero days occur when a hacker discovers (and exploits) a security vulnerability in a software program before the program’s engineers do, although some believe that the fear of these vulnerabilities as a basis for attacks are worse than the reality.  Rootkits, software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications, are also helpful in keeping hackers undetected.

4. Attack kits get a caffeine boost.  Hackers are profiting on security vulnerabilities by packaging their discoveries into easily downloadable attack kits that are sold in the underground fraud economy.  Symantec believes that these kits played a role in creating over 286 million variants of malware last year.

5. Mobile threats increase.  With the explosive usage of smart phones and other mobile devices, hackers are naturally becoming ever more drawn to this territory as a platform for fraud.   Sophisticated operating systems mean that vulnerabilities are plentiful, and Trojans hidden in legitimate applications sold on app stores offer an effective means to multiply the damage.

Fraudsters will never stop finding ways to capitalize on security weaknesses and wreak havoc on privacy and bottom lines, which is why every business should work with security experts to stay ahead of these threats.

It’s that time of year again when people near and far get ready to celebrate the most wonderful holiday of them all.

OK, perhaps it isn’t exactly Christmas, but Data Privacy Day – observed on January 28th in 2012 – is no less a celebration; it’s just that this one is designed to promote best practices and awareness around privacy.  The “holiday” was begun in Europe in 2007 and continues to be observed in 30 countries as Data Protection Day.  In the U.S., National Data Privacy Day is managed by the National Cyber Security Alliance (NCSA), a non-profit public-private partnership which estimates that through media and other activities its messages regarding cybersecurity reached 175,000,000 people last year, all in the service of promoting a digital society that can best leverage the five c’s: content, community, communication, commerce and connectivity.

As our world becomes ever smaller and more networked, Data Privacy Day provides information to consumers about the ways in which personal information is collected, stored, used and shared. The international privacy promotion also helps businesses understand the laws and regulations to which they’re subjected and offers guidance about how to best shield themselves from risks.  Above all, the event is designed to foster a dialogue between different entities – citizens, private organizations and public institutions – about how to balance innovation, progress and growth with the need for privacy protection.

Since privacy is our shared responsibility, how can you contribute to this security festivity?  Train your employees, or consider hosting an event or sponsoring NPD.  If you have kids or teach them, turn to the Teens and Young Adults page, the Parents and Kids page, or the Educators page, which offer guidelines such as how to update your Facebook privacy settings, resources such as videos on how to protect your personal information and privacy, as well as your children’s.  Data Privacy Day activities will include presentations, conferences, technology demonstrations, webpage and video competitions, instructional videos, workshops, and regional events, so there are plenty of ways to get involved; for more information, turn to  www.dataprivacyday.org.

And remember to stay tuned to Experian’s Data Breach Resolution blog, where every day is data privacy day.