BreachExchange mailing list archives
Re: rant: Useless Compensation for Data Loss Incidents
From: "Derek Rigsby" <Derek.Rigsby () idcure com>
Date: Wed, 11 Jun 2008 18:41:27 -0600
I am certainly biased and for that reason usually keep my comments to myself. In this case I am compelled to speak up. I could not agree more that credit monitoring is not a solution for victims of a breach event. I also believe a victim of a breach event cannot "prevent" the fraudulent use of one's identity. However, victims can have all aspects of their identity (except medical records protected by HIPAA) restored to 100% of their pre-theft status. I am not talking about a do-it-yourself manual. Victims should be assigned a dedicated recovery advocate armed with a limited power of attorney. This POA gives an advocate the authority to do the recovery work on behalf of the victim. At the same time, the information gleaned from the recovery process can be shared with authorities in an effort to help prosecute the criminals that committed the identity theft. At some point a victim will learn that their identity has been used fraudulently, regardless of whether or not they have credit monitoring. After the victim suspects fraudulent activity, they should be required to file a police report. That report will cut down on victims trying to get their legitimate big-screen TV purchase written off as ID theft, since filing a false report is a crime. Then the company that experienced the breach should pay for a fully managed recovery and warranty the restoration for 3 years. The cost of doing this would be less than that of blanket credit monitoring programs, and the victim is better off in the long run. Again, I am not trying to use this rant to sell product. I just believe it is an actual solution to post-mortem breach responses. It best serves the victim, offers a lower price to the company breached (we will all pay higher prices to cover these costs in the end), and it helps our overstretched law enforcement deal with the overwhelming surge in identity theft.
Derek Rigsby
720.278.0756
Derek.Rigsby () idcure com

The information contained in this e-mail message is intended only for the personal and confidential use of the recipient(s) named above. This message may be client related and as such is privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please return it to the sender and delete the original message.

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Michael Hill, CITRMS
Sent: Wednesday, June 11, 2008 2:58 PM
To: MBarnett () TIFRM com; 'lyger'; dataloss () attrition org
Subject: Re: [Dataloss] rant: Useless Compensation for Data Loss Incidents

I read posts such as Michael Barnett's (which I totally agree with) and continue to conclude that there is absolutely no way any identity theft protection plan can prevent your identity from being stolen and used to commit fraud in your name. Consumers need to be prepared for when they become a victim. So what does that plan look like?

Michael Hill
Certified Identity Theft Risk Management Specialist
www.idtheft101.net
404-216-3751
"If You Think You're Not At Risk, Think Again!"

----- Original Message -----
From: "M Barnett - TIFRM" <mbarnett () TIFRM com>
To: "'lyger'" <lyger () attrition org>; <dataloss () attrition org>
Sent: Wednesday, June 11, 2008 2:37 PM
Subject: Re: [Dataloss] rant: Useless Compensation for Data Loss Incidents
I don't typically chime in on these discussions, but I was glad to see this one and could not resist. Courtesy of massive advertising campaigns, credit monitoring has become the de facto accepted "industry standard response", up to and including the federal government, as evidenced by a recent Blanket Purchase Agreement that mandates that a breach response service offering must include credit monitoring. It is, in essence, an attempt to stave off class action lawsuits before they are filed. There are fundamental considerations for both consumers and businesses regarding credit monitoring that are consistently overlooked, or blatantly ignored:

1. CONSUMER CONSIDERATIONS:

First and foremost, it provides the obvious false sense of security. Consumers simply do not realize that they can be victimized in many ways that may never show on their credit reports. IF something does show, the service is not an effective early warning system (see the excerpt below) because it functions in the manner that the credit reporting system operates, not in the way that the thieves operate.

Example excerpt from the CITRMS Reference Manual:

It is important to note that because of the way that these services are designed, and the way that the credit reporting system functions, the credit monitoring "early warning system" can and does fail. For example, in December of 2006, the New York Times published an article entitled "Protectors, Too, Gather Profits from ID Theft". An excerpt from this story follows:

"Melody Millett was shocked when her car loan company asked her if she was the wife of Abundio Perez, who had applied for 26 credit cards, financed several cars and taken out a home mortgage using a Social Security number belonging to her actual husband. Beyond her shock, Mrs. Millett was angry. Five months earlier, the Milletts had subscribed to a $79.99-a-year service from Equifax, a big financial data warehouse, that promised to monitor any access to her credit records.
But it never reported the credit activity that might have signaled that they were victims of identity theft." (Source: New York Times)

Secondly, most services simply notify the consumer that "Congratulations - you are a victim. Good luck!" IF there is any form of assistance provided in conjunction with the service, it is almost always limited to resolving only those matters that involve the credit report. It omits erroneous criminal records, employment and taxation issues, banking account fraud and related losses, medical identity theft and possible contaminated records, exhaustion of benefits, etc.

Finally, the companies publicly announce what service they are providing (if any), and for how long. The thieves monitor these announcements just as anyone else, and can easily sit on the information until the alarm bells stop ringing and the service expires. For the consumer, theft of their information can be the unwanted gift that keeps on giving as their information is sold and re-sold, long after any token service offering has ended.

Does such a service have a possible place in a consumer's overall risk management plan? Yes, but it should certainly never be relied upon as the sole means of "protection."

2. BUSINESS CONSIDERATIONS:

I might concede that offering something is, to at least some degree, better than the other side of the spectrum, which is more common: "Dear consumer, we lost your information. Check your credit reports and please do not sue us." However, beyond the costs associated with providing the service, the most fundamental consideration that businesses do not grasp is that, under the myriad of state and federal laws that establish rights of action for consumers impacted by a breach, the business' liability for damages suffered by victimized consumers is not limited to only those types of victimization that show on a credit report. Case in point, the recent Utah medical billing records breach.
There is a good possibility that this information could be utilized to perpetrate medical identity theft, which is not only unlikely to show in credit reports, but also produces an additional layer of problems for both the consumers and the healthcare providers and facilities. It is also possible that a business could provide credit monitoring services and, if not accompanied by a waiver and release, still be sued in a class action for victimizations not uncovered by the service. In some cases, actual victimization by the impacted consumers is not even a prerequisite for actions - the mere fact that the breach occurred at all can serve as the justification.

In my opinion, the entire topic of data breaches and information security, and resultant blame for the rampant problems, rests with numerous stakeholders - including the very legislators that draft the related laws. Unfortunately for the businesses themselves, the same crazy quilt of data security laws that allow for fines, penalties, and actions are often vague and ill-worded at best. Common sense or lack thereof, blatant negligence, ignorance, or dishonest insiders as contributing factors aside, many businesses do attempt to achieve compliance and may go to considerable lengths in an attempt to meet the "reasonable" standards discussed in these laws and regulations. Yet more often than not, they are not provided with clear and concise steps that constitute "reasonable" compliance. Rather, they are forced to follow suggestions and illustrative examples. The Red Flags Rule is the most recent shining example of this. "Reasonable" is most often determined after an incident, in a court of law and the court of public opinion, with the full benefit of 20/20 hindsight. Your company suffered a breach, therefore the measures that you took obviously were not "reasonable" to prevent such an incident.
While it may be impossible to draft legislation that keeps pace with the breakneck speed of advancements in technology, and negligent businesses should be held accountable, there is still vast room for improvement in the specific guidance issued and possible safe harbor provisions for companies that do actively attempt to secure the data of their customers and employees. But that is a separate topic altogether.

Respectfully,

Michael Barnett, CITRMS
CEO
The Institute of Fraud Risk Management, Inc.
www.TIFRM.Net
www.TIFRM.coursehost.com

The Institute of Fraud Risk Management, Inc.
955 South Virginia Street; Suite #116
Reno, Nevada 89502
"Knowledge is the Best Defense Against Fraud"

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of lyger
Sent: Wednesday, June 11, 2008 1:32 AM
To: dataloss () attrition org
Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents

http://attrition.org/security/rant/dl-compensation.html
Wed Jun 11 03:38:35 EDT 2008
Apacid, Jericho

If you have been the victim of a data loss incident, odds are you have received a letter from the careless organization that lost your information. These letters always offer apologies and sincere hope that your identity or personal information isn't abused. The recent BNY Mellon incident (which now stands at 4.5 million potential customers affected) resulted in customers receiving such a letter:

[.]

Notice that in return for having your personal information lost, they are offering free credit monitoring for 12 whole months! This seemingly generous offer has apparently become the standard business practice for acceptable compensation when your personal information is treated with carelessness.
BNY opted to go with ConsumerInfo.com's "Triple Alert" credit monitoring product (despite no mention of that 'product' on the consumerinfo.com web page), which watches for changes to your credit reports from the three national credit reporting agencies in the United States (Experian, Equifax, TransUnion). If you are unlucky and get caught up in multiple data loss incidents, you may receive this "gracious compensation" many times over.

First, why is this type of reactive credit monitoring acceptable compensation? This seems to be another case of one business following another and... voila, we have an industry 'standard' that does little to serve the customer but does everything to serve businesses that want to look caring and "customer-centric" in the media.

[...]

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tenable Network Security offers data leakage and compliance monitoring solutions for large and small networks. Scan your network and monitor your traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml