Re: rant: Useless Compensation for Data Loss Incidents

["Derek Rigsby" <Derek.Rigsby () idcure com>]

I am certainly biased and for that reason usually keep my comments to
myself.  In this case I am compelled to speak up.  I could not agree more
that credit monitoring is not a solution for victims of a breach event.  I
also believe a victim of a breach event cannot "prevent" the fraudulent use
of ones identity.  However, victims can have all aspects of their identity
(except medical records protected by HIPPA) restored to 100% of their
pre-theft status.  I am not talking about a do it yourself manual.  Victims
should be assigned a dedicated recovery advocate armed with a limited power
of attorney.  This POA gives an advocate the authority to do the recovery
work on behalf of the victim.  At the same time the information gleaned from
the recovery process can be shared with authorities in an effort to help
prosecute the criminals that committed the identity theft.
 
At some point a victim will learn that their identity has been used
fraudulently regardless of whether or not they have credit monitoring.
After the victim suspects fraudulent activity they should be required to
file a police report.  That report will cut down on victims trying to get
their legitimate big screen TV purchase written off as id theft since filing
a false report is a crime.  Then the company that experienced the breach
should pay for a fully managed recovery and warranty the restoration for 3
years.  The cost of doing this would be less than that of blanket credit
monitoring programs and the victim is better off in the long run.  

Again I am not trying to use this rant to sell product.  I just believe it
is an actual solution to post mortem breach responses.  It best serves the
victim, offers a lower price to the company breached (we will all pay higher
prices to cover these costs in the end) and it helps our overstretched law
enforcement deal with the overwhelming surge in identity theft.  


Derek Rigsby
720.278.0756 
Derek.Rigsby () idcure com
 

 
The information contained in this e-mail message is intended only for the
personal and confidential use of the recipient(s) named above.  This message
may be client related and as such is privileged and confidential.  If the
reader of this message is not the intended recipient or an agent responsible
for delivering it to the intended recipient, you are hereby notified that
you have received this document in error and that any review, dissemination,
distribution, or copying of this message is strictly prohibited.  If you
have received this communication in error, please return it to the sender
and delete the original message.
 
-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org]
On Behalf Of Michael Hill, CITRMS
Sent: Wednesday, June 11, 2008 2:58 PM
To: MBarnett () TIFRM com; 'lyger'; dataloss () attrition org
Subject: Re: [Dataloss] rant: Useless Compensation for Data Loss Incidents

I read posts such as Michael Barnett's (which I totally agree with) and 
continue to conclude that there is absolutely no way any identity theft 
protection plan can prevent your identity from being stolen and used to 
commit fraud in your name.

Consumers need to be prepared for when they become a victim.  So what does 
that plan look like?



Michael Hill
Certified Identity Theft Risk Management Specialist
www.idtheft101.net
404-216-3751


"If You Think You're Not At Risk, Think Again!"


----- Original Message ----- 
From: "M Barnett - TIFRM" <mbarnett () TIFRM com>
To: "'lyger'" <lyger () attrition org>; <dataloss () attrition org>
Sent: Wednesday, June 11, 2008 2:37 PM
Subject: Re: [Dataloss] rant: Useless Compensation for Data Loss Incidents


> I don't typically chime in on these discussions, but I was glad to see this
> one and could not resist. Courtesy of massive advertising campaigns, 
> credit
> monitoring has become the de facto accepted "industry standard response", 
> up
> to and including the federal government as evidenced by a recent Blanket
> Purchase Agreement that mandates that a breach response service offering
> must include credit monitoring. It is, in essence, an attempt to stave off
> class action lawsuits before they are filed.
>
> There are fundamental considerations for both consumers and businesses
> regarding credit monitoring that are consistently overlooked, or blatantly
> ignored:
>
> 1.  CONSUMER CONSIDERATIONS:  First and foremost, it provides the
> obvious false sense of security. Consumers simply do not realize that they
> can be victimized in many ways that may never show on their credit 
> reports.
> IF something does show, the service is not an effective early warning 
> system
> (see the excerpt below) because it functions in the manner that the credit
> reporting system operates, not in the way that the thieves operate.
>
> Example excerpt from the CITRMS Reference Manual:
>
> It is important to note that because of the way that these services are
> designed, and the way that the credit reporting system functions, the 
> credit
> monitoring "early warning system" can and does fail. For example, in
> December of 2006, the New York Times published an article entitled
> "Protectors, Too, Gather Profits from ID Theft".  An excerpt from this 
> story
> follows:
>
> "Melody Millett was shocked when her car loan company asked her if she was
> the wife of Abundio Perez, who had applied for 26 credit cards, financed
> several cars and taken out a home mortgage using a Social Security number
> belonging to her actual husband. Beyond her shock, Mrs. Millett was angry.
> Five months earlier, the Milletts had subscribed to a $79.99-a-year 
> service
> from Equifax, a big financial data warehouse, that promised to monitor any
> access to her credit records. But it never reported the credit activity 
> that
> might have signaled that they were victims of identity theft." (Source: 
> New
> York Times)
>
>
> Secondly, most services simply notify the consumer that "Congratulations -
> you are a victim. Good luck!"  IF there is any form of assistance provided
> in conjunction with the service, it is almost always limited to resolving
> only those matters that involve the credit report. It omits erroneous
> criminal records, employment and taxation issues, banking account fraud 
> and
> related losses, medical identity theft and possible contaminated records,
> exhaustion of benefits, etc.  Finally, the companies publically announce
> what service they are providing (if any), and for how long. The thieves
> monitor these announcements just as anyone else, and can easily sit on the
> information until the alarm bells stop ringing and the service expires. 
> For
> the consumer, theft of their information can be the unwanted gift that 
> keeps
> on giving as their information is sold and re-sold, long after any token
> service offering has ended.
>
>
> Does such a service have a possible place in a consumer's overall risk
> management plan? Yes, but it should certainly never be relied upon as the
> sole means of "protection."
>
>
> 2.  BUSINESS CONSIDERATIONS:  I might concede that offering something
> is, to at least some degree, better than the other side of the spectrum
> which is more common:  "Dear consumer, we lost your information. Check 
> your
> credit reports and please do not sue us."  However, beyond the costs
> associated with providing the service, the most fundamental consideration
> that businesses do not grasp is that, under the myriad of state and 
> federal
> laws that establish rights of action for consumers impacted by a breach, 
> the
> business' liability for damages suffered by victimized consumers is not
> limited to only those types of victimization that show on a credit report.
> Case in point, the recent Utah medical billing records breach. There is a
> good possibility that this information could be utilized to perpetrate
> medical identity theft, which is not only unlikely to show in credit
> reports, but also produces an additional layer of problems for both the
> consumers and the healthcare providers and facilities. It is also possible
> that a business could provide credit monitoring services and, if not
> accompanied by a waiver and release, still be sued in a class action for
> victimizations not uncovered by the service.
>
> In some cases, actual victimization by the impacted consumers is not even 
> a
> prerequisite for actions - the mere fact that the breach occurred at all 
> can
> serve as the justification.
>
>
> In my opinion, the entire topic of data breaches and information security,
> and resultant blame for the rampant problems, rests with numerous
> stakeholders - including the very legislators that draft the related laws.
> Unfortunately for the businesses themselves, the same crazy quilt of data
> security laws that allow for fines, penalties, and actions are often vague
> and ill-worded at best. Common sense or lack thereof, blatant negligence,
> ignorance, or dishonest insiders as contributing factors aside, many
> businesses do attempt to achieve compliance and may go to considerable
> lengths in an attempt to meet the "reasonable" standards discussed in 
> these
> laws and regulations. Yet more often than not, they are not provided with
> clear and concise steps that constitute "reasonable" compliance. Rather,
> they are forced to follow suggestions and illustrative examples. The Red
> Flags Rule is the most recent shining example of this. "Reasonable" is 
> most
> often determined after an incident, in a court of law and the court of
> public opinion, with the full benefit of 20/20 hindsight. Your company
> suffered a breach, therefore the measures that you took obviously were not
> "reasonable" to prevent such an incident.  While it may be impossible to
> draft legislation that keeps pace with the breakneck speed of advancements
> in technology, and negligent businesses should be held accountable, there 
> is
> still vast room for improvement in the specific guidance issued and 
> possible
> safe harbor provisions for companies that do actively attempt to secure 
> the
> data of its customers and employees.  But that is a separate topic
> altogether.
>
> Respectfully,
>
> Michael Barnett, CITRMS
> CEO
> The Institute of Fraud Risk Management, Inc.
> www.TIFRM.Net
> www.TIFRM.coursehost.com
>
> The Institute of Fraud Risk Management, Inc.
> 955 South Virginia Street; Suite #116
> Reno, Nevada  89502
> "Knowledge is the Best Defense Against Fraud"
>
>
>
> -----Original Message-----
> From: dataloss-bounces () attrition org 
> [mailto:dataloss-bounces () attrition org]
> On Behalf Of lyger
> Sent: Wednesday, June 11, 2008 1:32 AM
> To: dataloss () attrition org
> Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents
>
>
> http://attrition.org/security/rant/dl-compensation.html
>
> Wed Jun 11 03:38:35 EDT 2008
> Apacid, Jericho
>
> If you have been the victim of a data loss incident, odds are you have
> received a letter from the careless organization that lost your
> information. These letters always offer apologies and sincere hope that
> your identity or personal information isn't abused. The recent BNY Mellon
> incident (which now stands at 4.5 million potential customers affected)
> resulted in customers receiving such a letter:
>
> [.]
>
> Notice that in return for having your personal information lost, they are
> offering free credit monitoring for 12 whole months! This seemingly
> generous offer has apparently become the standard business practice for
> acceptable compensation when your personal information is treated with
> carelessness. BNY opted to go with ConsumerInfo.com's "Triple Alert"
> credit monitoring product (despite no mention of that 'product' on the
> consumerinfo.com web page), which watches for changes to your credit
> reports from the three national credit reporting agencies in the United
> States (Experian, Equifax, TransUnion). If you are unlucky and get caught
> up in multiple data loss incidents, you may receive this "gracious
> compensation" many times over.
>
> First, why is this type of reactive credit monitoring acceptable
> compensation? This seems to be another case of one business following
> another and... voila, we have an industry 'standard' that does little to
> serve the customer but does everything to serve businesses that want to
> look caring and "customer-centric" in the media.
>
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss () attrition org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml
>
>
> _______________________________________________
> Dataloss Mailing List (dataloss () attrition org)
> http://attrition.org/dataloss
>
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml


_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss

Tenable Network Security offers data leakage and compliance monitoring
solutions for large and small networks. Scan your network and monitor your
traffic to find the data needing protection before it leaks out!
http://www.tenablesecurity.com/products/compliance.shtml