Issue Paper Year Of The Breach Final 021706

2005: The Year of the Breach? Consumer Perceptions and Their Impact on Best Practices in Information Breach Remediation Issue Briefing | February 7, 2006

2005: The Year of the Breach? Consumer Perceptions and Their Impact on Best Practices in Information Breach Remediation TABLE OF CONTENTS SECTION 1 Executive Summary ___________________________________________ 3 Overview: Defining the data breach_______________________________ 9 Sidebar: The Definition Debate ______________________________ 10 2005: The Year of the Breach? _________________________________ 11 The Future: Legislative intervention or self regulation? _______________ 12 SECTION 2 Overview: The impact of data breaches on consumer behavior ________ 15 Best Practices _______________________________________________ 17 Sidebar: The Benefits of Monitoring __________________________ 25 Best Practices: The list _______________________________________ 26 ADDENDUM Sources____________________________________________________ 28 Biography: Brian G. McGinley __________________________________ 29 Survey Methodology __________________________________________ 30 About Intersections Inc. _______________________________________ 30 Researched and prepared by Carolyn Kopf and Amy Gergely for Intersections Inc., with special thanks to contributor Brian G. McGinley, Wachovia Corporation. 2

SECTION 1 EXECUTIVE SUMMARY The numbers are staggering and the news headlines are alarming, to say the least. “The Year of the Breach” is now one of the monikers that may follow 2005 into perpetuity. But is it really accurate? Are breaches of data more common today than in the recent past? Exactly how serious are data breaches? What constitutes a data breach anyway – lost backup tapes containing encrypted data, a system intrusion by a hacker trying to prove a point or the unauthorized sale of customer files to third parties? The answers to these questions may change over time as public, industry and government responses to this phenomenon continue to develop. In the meantime, the media are focusing increased attention on the occurrences of and reactions to data breaches large and small; legislators debate the responsibilities of businesses and organizations to both prevent and respond to such incidents; and consumers worry about the ability of a variety of industries to handle their confidential information with the utmost care. And, perhaps most importantly, all of these factors are having great influence on consumer behavior. As many as 57 million1 Americans were identified as victims of data breaches in 2005, dwarfing the number of estimated identity theft victims, pegged at between 9 and 10 million2 per year. These statistics are driving consumer perceptions and, in turn, affecting their commercial behavior. Publicity around data breaches is supercharging the privacy debate, sparking new discussions about business practices, government regulation and consumer privacy rights. Exactly how is this dialogue affecting consumer perceptions? What are companies doing in response? How will this change the commercial landscape over the next few years? These are some of the primary questions addressed in this paper. But the most important is this: Why should you care? Privacy is clearly an issue of great importance to a large number of American consumers. This concern can be demonstrated by noting the number of consumers who have placed their phone numbers on the National Do Not Call 3

Registry since its launch in June 2003. The Registry topped 100 million registered phone numbers in 2005, with residents in California, New York, Florida and Texas leading the way.3 Just as telemarketers braced for a sea change in their business practices with the implementation of the National Do Not Call Registry, the many companies that collect, maintain and sell personal data may be faced with similar challenges in the coming months and years. In addition to the costs of possible regulation, some are projecting an immediate and lingering negative effect on consumer trust. Research by Gartner Inc. projected that so-called phishing4 attacks and other breaches of consumers’ personal information “will inhibit three-year U.S. e-commerce growth rates by 1 percent to 3 percent,”5 despite the fact that the majority of identity fraud cases start with an offline theft of data.6 According to Brian G. McGinley, Wachovia Corporation’s Senior Vice President of Loss Management, institutions should expect “some attrition after an incident, regardless of the outcome.” But, he points out, the institution also has “an opportunity to cement the relationship with loyal customers if the institution can show that it has stood behind them by keeping the customer informed all along the way.” Many customers seem to understand that data breaches are, to some extent, inevitable, and that going to the effort of moving their accounts does not guarantee they won’t be subject to potential issues in the future. Even so, a 2004 Unisys study found that nearly half of U.S. households would be willing to switch their accounts to financial institutions that offer stronger theft detection and alert services.7 The risks to institutions from data breaches, of course, are not limited to a potential loss of individual customers. In the case of CardSystems Solutions, the credit card payment processor whose May 2005 breach was the largest reported last year, it meant the loss of two major clients – American Express and VISA. Even though its breach was but one of at least 134 reported in 2005,1 4

CardSystems became the poster child of the financial industry and media due to the scale of its breach and the fact that its prominent clients are the ones that must notify their customers. In other words, the CardSystems breach affected not only that company’s reputation, but also the reputations of its clients, who had to deal directly with the affected consumers. According to Bank Security News, “The CardSystems’ breach has done more than give shivers to customers over their personal data security. It’s also dispersed a large ripple of anxiety across financial institutions and service providers who are suddenly worried they may be the next CNN headline or class-action defendant.”8 The authors of this paper consulted a number of sources, including consumer research and a personal interview with a loss control executive, to derive some common conclusions and actionable recommendations for businesses or organizations that have been or may be affected by breaches of customer, employee or member data. Businesses and organizations should use this information to help develop best practices that may significantly reduce their exposure to the negative consequences of data breaches and as an opportunity to solidify their customer relationships. Data breaches raise issues of privacy and security. There is no definitive evidence that data breaches are more common now than in the past, but more laws requiring notification of breaches are working their way through legislative halls, while voluntary compliance is taking shape in corporate boardrooms, making data security a major issue for corporations and consumers alike. As a result, businesses and organizations have a choice: self- regulation or more involuntary regulation. When it comes to consumers’ privacy, perception is reality. According to McGinley, “Our customers define what identity theft and fraud are, and how it impacts them.” Companies that do not recognize this fact will lose business. A Privacy and American Business and Harris Interactive study found that “more than two thirds of the American public has lost confidence in the handling of their personal information.”9 The study illustrates how deeply the recent disclosures of breaches and online attacks have impacted consumer confidence – and, in turn, businesses – on multiple levels. 5

The repercussions of data breaches are real. From customer churn to potential class-action lawsuits to negative publicity that may affect future business, consumers are reacting to concerns over privacy and the security of their personal data. More than three out of four consumers who are aware of data breaches are personally concerned about the security of their own information, and more than half have taken some type of action as a result of this concern.15 And while there is comparatively little research into consumer behavior after a data breach incident, early surveys indicate that the impact on affected businesses may be considerable. All breaches are not the same. A data breach occurs when privileged information is lost, stolen or simply misplaced. A breach might result from direct, malicious intent to undermine an organization’s security systems or procedures. A data breach can also occur when information is lost in transit – either physically or electronically – between two companies or two locations. Once a breach does occur, the chance that exposed data are used to commit fraud is dependent upon a number of factors. According to available data, the majority of confidential information that is potentially exposed to unauthorized persons as the result of a data breach is never used to commit fraud, but this is not often well understood or communicated. It is also possible that the detailed facts and circumstances that contribute to a specific breach, loss of information or exposure of privileged data may not be clear at the time of discovery. It is for these reasons that companies and organizations should analyze the nature of each breach incident and use all available information to both better explain the incident to affected customers as well as to determine which services would best serve a particular group of customers. 6

All organizations are not the same. Consumers have widely varying perceptions about which organizations they trust to protect their personal data. The majority of Americans have positive perceptions about banks and financial institutions and health care providers. However, consumers have little confidence in the ability of other types of organizations – including educational institutions, online retailers, small businesses and mobile phone companies – to protect their privacy effectively and shield them from the risk of fraud. These findings suggest that certain organizations, including educational institutions and small businesses, may have the most to gain by implementing business practices that improve the privacy and security of their customers’ personal information. Most consumers affected by breaches don’t think organizations are doing enough to assist them. Consumers are most concerned about four issues after a data breach: o How likely is it that their personal information will be misused? o How will they know if their information is used to perpetuate fraud? o What do they need to do in the aftermath of a breach? o What services will be available to assist them? The majority of consumers want companies to provide victim assistance, including help in resolving any fraud, such as hotlines to address their questions. Many consumers also indicate that they would like affected organizations to provide complimentary credit reports, data monitoring services and identity theft insurance. However, the vast majority of organizations today do not offer these services. Consumers are willing to do some legwork. Many of the post-breach services consumers want are those that encourage them to participate in their own security. Consumers want as much information as possible after a breach and they are willing to do some of the legwork after such 7

an incident to ensure the continued security of their assets. Organizations should view this as a golden opportunity to engage the consumer in taking joint responsibility for ensuring the security of their information. Engaged and security-conscious consumers are likely to be more willing to accept other shared security measures, such as shared secrets, more complicated passwords, passkeys, tokens and biometrics. Furthermore, the Federal Trade Commission (FTC) found that more than 50 percent of identity theft victims first discovered the theft by monitoring their accounts.2 Customers who are able to monitor their accounts, credit reports and, in the future, credit applications and public data files, may help reduce overall fraud losses and be better, more loyal customers. (See The Benefits of Monitoring on page 25.) A quick and honest response is the single most effective way to respond to a data breach. Nearly nine in ten consumers said it would be very important to them that, after a data breach, the company or organization communicate the problem honestly and quickly. To accomplish this, organizations should use the fastest and most personal – rather than the least expensive – means of notification and provide a dedicated channel (such as a toll-free hotline) by which consumers can contact the organization for more information. Organizations that are not capable of providing these services directly can look to fraud resolution companies such as the Intersections Inc. Identity Theft Recovery Unit or the Identity Theft Assistance Center to set up and manage fraud resolution services on a per incident or ongoing basis. The method by which a consumer is notified of a data breach is extremely important to the effectiveness of an organization’s response. The method by which a consumer is notified could impact their level of trust in the notification and, ultimately, their decision to continue conducting business with the organization that experienced the breach. Among those consumers who said they did not trust a notification they received from an institution following a data breach incident, 86 percent said they would take their business elsewhere.10 8

Furthermore, the Ponemon Institute cautioned against using form letters and e- mails to notify consumers of data breach incidents. “Those businesses that deploy canned e-mails or form letters to communicate a data breach to victims are more than three times as likely to lose customers as those that contact victims by telephone or personalized letters or a combination of both.”10 Education is key. Consumers would greatly benefit from unbiased education, support and a variety of tools and services that enable them to stay informed and feel protected, before and after a data breach. The media, consumer advocacy organizations such as the Identity Theft Resource Center (ITRC) and identity theft and fraud protection companies are leading the efforts to bring a greater understanding of the true risks of compromised data to consumers. Affected companies and organizations should accept a larger role in educating their customers, while avoiding misleading advertising and marketing messages that confuse consumers. OVERVIEW: Defining the data breach A data breach can expose data on one person or millions of individuals in one fell swoop, which criminals may then use to fraudulently take control of the victim’s credit, assets or other benefits. It turns out, however, that the risk of such fraud varies greatly depending upon a variety of factors. Research conducted by ID Analytics, a risk management company that is also an Intersections Inc. partner, found that different breaches pose distinctly different degrees of risk depending on the size of the breach, the type of information obtained and the nature of the incident. 11 While all data breaches are not the same, by definition they expose (or potentially expose) to unauthorized parties personal information that may be used to commit fraud. For many consumers, any increased risk of fraud perpetuated by such an incident is unacceptable and constitutes a fundamental breach of trust. Meanwhile, corporations and legislators are attempting to come to consensus about the variable severity of different types of breaches in order to determine what types of remedial action may be required for any given type of breach. 9

The Definition Debate In their research, ID Analytics Defining identity theft and identity fraud has distinguished between identity-level been a tricky issue, fraught with political and economic ramifications, as are so many hot- breaches, where names and Social Security button issues. The financial industry has spent numbers were stolen, and account-level a lot of energy trying to determine what identity breaches, where only account numbers theft is and is not. While this exercise is (sometimes associated with names) were necessary to identify appropriate responses to stolen. They found that the most serious specific types of threats, in the end, it is the risk is posed by smaller identity-level customer who defines identity theft and how it breaches that involve clearly malicious impacts them. intent, such as hacking or insider theft.11 Advocates and government often define identity theft much more broadly than do financial This research supports some experts’ beliefs institutions and other companies that collect that data breaches should be more personal information in the course of doing narrowly defined. Said McGinley, “An business. Largely, that’s because advocates internal breach to me indicates that there and government seek awareness, legislative and regulatory action and funding for new has been a breakdown in process or initiatives, while companies want to somebody has overcome your defenses.” demonstrate that they already have safeguards in place to protect consumers. This is an opinion that has figured into legislative debate over what constitutes a It can be argued that the lack of consensus breach, who is at risk of fraud and who around what constitutes identity theft and how it should be notified. The ID Analytics relates to fraud has hampered efforts to find solutions. For purposes of this paper, however, research should be useful to companies and identity theft and identity fraud are defined as organizations that want to determine what follows. services comprise the most appropriate response to a particular breach incident. Identity theft: A crime that occurs when a thief gains unauthorized access to a person’s private Consumer advocates agree. “Consumers information with the intention of using that information to impersonate the victim or to need to know the level of risk that is posed create a new identity and thereby fraudulently if they are part of a data breach. While any use the victim’s credit, assets or benefits. data breach is cause for concern, consumers that have been impacted need guidance as Identity fraud: A crime that occurs when a to the degree of risk involved,” said Linda thief actually utilizes a person’s private Foley, executive director of the ITRC. “It’s information to purposefully and fraudulently not helpful for consumers to receive a take control of the victim’s credit, assets or generic letter in the mail, telling them that benefits. they may or may not be at risk. We need to Using these definitions, we can clarify that a help victims of breaches understand when significant number of data breaches result in multiple cases of identity theft, but not every identity theft will result in fraud. In other words, identity theft is a privacy issue and identity fraud is a security issue. 9

they need to be more vigilant and prevent them from being unnecessarily alarmed.”11 While a better understanding of what type of breach constitutes the greatest risk to the consumer would help companies develop better prevention and remediation techniques, it is important to remember that perception is reality. 2005: The Year of the Breach? According to the ITRC, which has tracked data breaches since 2001, “One thing we can say is that this is not a new problem.”12 Data security is also not an issue that is of concern only to American corporations. According to Deloitte, 83 percent of financial institutions worldwide acknowledged that their systems were compromised in 2004, with 40 percent sustaining financial losses.13 In the U.S., the ITRC points to laws – including SB 1386, the California breach notification law that was the first of its kind in the nation – and public pressure as the primary reasons why news about data breaches has grown more common. Another reason is the media. Consumers are inundated by news of their increased risk of identity theft and fraud. A Google news search, in fact, turned up 60 articles during a three-week period from late August through mid- September 2005 under the term “data breach” and 514 under “identity theft and Katrina” (referring to Hurricane Katrina, which struck the U.S. Gulf Coast August 29, 2005).14 A follow-up search in December yielded 121 articles under the search term “data breaches” during the previous 30 days. According to McGinley, “The media [are] serving a purpose of making people aware of the fact that identity information is valuable. In some cases, it’s misreported or misconstrued where there’s a natural assumption that any identification information or personal information that is lost, or stolen, or otherwise compromised is going to be used for identity theft, and that correlation isn’t true.” 11

So, is 2005 really “The Year of the Breach,” or may it more accurately be called “The Year of the Breach Notification?” In August 2005, one in ten consumers reported they had received notification that they were among the individuals whose information was compromised during the preceding 12 months.15 While many consider data security an issue exclusive to financial institutions and data brokers, proliferating notification requirements have shown that data breaches are not confined to a single type of organization. The ITRC found that out of 134 disclosed breaches as of December 19, 2005, more than 50 percent impacted educational institutions such as colleges, universities and even high schools. Financial, government and health-related organizations each represented 16 percent or less of disclosed breaches. The remainder were reported by some of the nation’s largest employers – such as Time Warner and MCI – along with retail, data and other companies.1 (For the most updated list of reported breaches, visit www.idtheftcenter.org/breaches.pdf.) Educational institutions were among the least likely to offer their affected populations any type of service to help them identify or recover from potential breach-related fraud, according to an analysis of publicly-available information and Intersections’ own experience delivering breach-related services to millions of affected consumers. This is particularly troublesome because, according to research conducted for Intersections Inc. by Ipsos-Reid, younger Americans (aged 18-34) were the most unaware of data breaches among all groups polled.15 The data clearly point to the need for more consumer education, as well as active cooperation and collaboration with the media, in order to explain the nature and potential consequences of a breach and remediation efforts available prior to and immediately after a breach. THE FUTURE: Legislative intervention or self-regulation? News of data breaches has radically affected the national dialogue about identity theft and identity fraud. Many now expect a national breach notification law and momentum is increasing toward giving consumers the right to freeze their credit records. Some states have already adopted such laws. Other efforts are under way to regulate the sale of consumer data and to create an Office of Identity Theft at the FTC. 12

For the most updated information on state legislative efforts, visit the National Conference of State Legislatures’ Web site: Credit freeze laws: www.ncsl.org/programs/banking/SecurityFreeze_2005.htm Breach notification laws: www.ncsl.org/programs/lis/CIP/priv/breach.htm Financial institutions by and large seem to think they are doing a good job regulating their own business practices, and the Financial Services Roundtable, which represents 100 of the largest financial services companies in the U.S., has been working with legislators to develop national standards for breach notification. In March 2005, the Federal Deposit Insurance Corporation (FDIC) – along with the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Office of Thrift Supervision – issued interagency guidance instructing financial institutions to “implement a response program to address security breaches involving customer information.” The guidance provides that the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. It also states, “If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible.”16 The financial industry has other initiatives under way as well. The Financial Services Roundtable, through its BITS task force, launched the Identity Theft Assistance Center (ITAC) in 2005. Funded by Roundtable members, ITAC is a fraud recovery assistance service that is provided free of charge to affected consumers of member organizations. (For more information about ITAC services, visit www.identitytheftassistance.org.) While the financial industry is confident that it is making strides toward protecting customers from data breaches, Steve Bartlett, President and Chief Executive Officer of the Financial Service Roundtable, told U.S. Banker that one of the industry’s goals is to “safeguard our customers from data breaches that occur elsewhere, in unregulated industries.”17 13

Indeed, advocacy groups such as the Electronic Privacy Information Center (EPIC) are calling for greater regulation of Internet commerce and data collectors. Pointing to the FTC’s success in regulating the telemarketing industry through implementation of the National Do Not Call Registry, Chris Hoofnagle of EPIC points out, “The FTC can protect privacy better than the industry can with self- regulation. We now have ten years of experience with privacy self-regulation online, and the evidence points to a sustained failure of business to provide reasonable privacy protections.”18 In the end, it will be public perception and pressure that dictate the future of data protection. Companies and institutions that have the foresight to develop business practices that require, support and encourage improved privacy practices for customers, employees and third parties will be better positioned competitively for the future. 14

SECTION 2 OVERVIEW: The impact of data breaches on consumer behavior A Privacy and American Business and Harris Interactive study found that “more than two thirds of the American public has lost confidence in the handling of their personal information.”9 The study illustrates how deeply the disclosures of breaches and online attacks have impacted consumer confidence. There is increasing evidence that dampening consumer confidence in companies’ perceived ability to protect consumers’ privacy and security may lead to a decrease in the overall number of online transactions. Research by Gartner Inc., which More than two thirds of the found that 50 percent of online American public has lost adults are extremely concerned confidence in the handling of about unauthorized access to their 9 their personal information. credit reports and sensitive data, suggests that increased reporting of data breach incidents, combined with growing awareness of phishing attacks, has negatively influenced some consumers’ online behavior. First, some consumers have changed their online shopping behavior and are taking more precautions with where they shop as well as with the amount of online shopping in which they engage. Second, more than one in four consumers reported a decrease in their online banking activities. Third, media attention around data breaches and phishing attacks has made many consumers less likely to trust commercial e-mail correspondence.5 According to a Consumer Reports poll, “One in four Web users say they have stopped shopping online because of perceived security risks, and more than half no longer give personal information, such as addresses or birthdates, over the Internet.”19 Such risks to online businesses may, however, be disguised by the fact that the number of Internet users – and thereby online shoppers – continues to grow at a steady clip. Forrester Research found that total online sales in 2004 increased 24 percent to $141 billion,19 and that number continues to grow. 15

In the online banking world, the Federal Financial Institutions Examination Council (FFIEC) stepped in to issue guidance in late 2005 requiring multi-factor authentication for online banking customers by the end of 2006, sidelining the “wait and see attitude” many institutions were taking in regard to this additional security out of their “concerns about expense and consumer convenience,” according to U.S. Banker.27 Barring additional regulatory action, it remains to be seen whether other types of businesses and organizations will do much to alleviate the fears of security- conscious consumers until the rapid growth in the online market levels off. Meanwhile, software companies, Internet service providers and other vendors are upping their efforts to create a more secure marketplace with enhanced services such as protection against spyware, anti-virus software, firewalls and increased authentication for online financial services and purchases to help consumers head off the threat themselves. Indeed, lagging consumer confidence and the resulting consumer behavior is not limited to online activity. As further evidence of changing consumer behavior, Financial Insights found that “60 percent of U.S. consumers sampled in January 2005 expressed concern about identity theft, and 6 percent admitted to switching banks to reduce their risk of becoming a victim of identity theft.”20 Awareness vs. experience If consumers’ commercial behavior is being significantly affected by their heightened awareness of data breach incidents, what is happening to consumer perceptions and behaviors after they have actually experienced a data breach? While there is comparatively little research into consumer behavior after a data breach incident, early surveys indicate that the impact on affected businesses may be considerable. According to a survey conducted by the Ponemon Institute in 2005, “nearly 20 percent of respondents say they have terminated a relationship with a company after being notified of a security breach” and “a whopping 40 percent say they are thinking about terminating their relationship.”21 Intersections’ research found that more than three out of four consumers who are aware of data breaches are personally concerned about the security of their own information, and more than half have taken some type of action as a result of this 16

concern, such as checking their • 95% of industry executives said credit reports, forgoing online their organization experienced shopping or avoiding fraud in the past year. transactions that require them to share personal data.15 • 66% said fraud was a major problem for their industry. Based on significant evidence that data breach awareness is • Only 6% said [fraud] was a major negatively affecting consumer problem for their own company. behavior, it appears that consumers could greatly benefit KPMG Forensic Fraud Survey 2003 from education, support and a variety of tools and services that enable them to stay informed and feel protected. In fact, financial institutions and related organizations have recently launched a number of campaigns to help calm consumer fears. Some of these campaigns, such as Your Credit Card Companies (www.yourcreditcardcompanies.com), simply attempt to assure consumers that they are already protected by the companies’ fraud detection capabilities rather than engaging them in the process of protecting themselves. As a result, they may be losing a golden opportunity to both educate consumers on what steps they can take to actively contribute to their own protection and to identify the security solutions consumers want. According to McGinley, privacy protection is “a joint role between anybody who’s acting as a caretaker for the data and the consumers themselves.” Bearing a perspective of shared responsibility, companies and organizations of all sizes could benefit from decreased customer churn and more engaged consumers. BEST PRACTICES Background In a world that is increasingly focused on privacy and security, consumers have clear needs and expectations for safeguarding and protecting their personal data. The best practices that follow draw on the experiences of a senior executive from 17

a top-ten U.S. financial institution, consumer research and the first-hand experiences of a consumer-facing company that specializes in identity fraud protection. Moreover, it incorporates Intersections’ experience in offering information breach remediation services to millions of customers of major North American companies. Over the past year, Wachovia has been the target of phishing attacks and has had to identify, manage and mitigate data loss incidents. Brian G. McGinley, Wachovia’s Senior Vice President of Loss Management, shared his experiences and advice on how organizations should prepare for and respond to a data breach incident, including customer notification and support services. In August 2005, Intersections engaged Ipsos-Reid to conduct a telephone survey of consumers, indexed to the U.S. population, with the objective of understanding consumer needs and expectations of enterprises that hold their personal data. The survey addressed such issues as consumers’ awareness of data breaches, their trust in various types of organizations, the actions they have taken to protect themselves in light of their awareness of data breaches and, most importantly, their preferences regarding what organizations should do to maintain their trust – and their business – after a data breach occurs. Plan ahead: Avoid the “it won’t happen to my organization” mentality Security studies, such as the KPMG Forensic Fraud Survey 2003, reveal that the majority of organizations are worried about security breaches and other types of fraud, but few think such incidents are a major concern for their organization. While many organizations are confident they have adequately protected against external threats, technology investments are often being “undermined by process flaws,” according to Deloitte. Indeed, it is clear that many security breaches are caused by human error or negligence resulting from weak operational practices, including lack of employee awareness or training and failure to conduct compliance assessments of vendors, according to Deloitte’s research.28 McGinley believes it is necessary for organizations to build a task force and breach remediation plan before a data breach incident happens to manage the operational and technical aspects of the incident. Doing so could limit the potential financial impact and damage to the organization’s reputation, and also addresses consumers’ concerns and needs. “I think all organizations need to 18

have a plan ready to address a data loss incident and all organizations should recognize their vulnerability, while also taking accountability for the sensitive consumer information they hold.” McGinley also pointed out that the majority of breaches in 2005 involved non-financial organizations, many of which did not seem fully ready to deal with the repercussions of such as incident. Wachovia formulated a data loss incident management plan that they can immediately activate if needed. The formalized plan allows for the company to bring together, within hours, senior members from a number of different disciplines such as corporate communications, telephone contact units, loss management, information security and privacy in order to coordinate the company’s response. Who is responsible for safeguarding personal data? McGinley believes that data protection is a responsibility to be shared jointly by the enterprise and the consumer. But, he states, “Financial institutions need to do everything they can to create a safe environment for the customers to transact.” Who Do Consumers Trust?15 Consumers, however, are sometimes receiving messages that suggest Mobile Phone Companies otherwise, with credit card companies promising Total Security Protection22 Small Businesses and policies that limit consumers’ Online Retailers fraud liability. Naturally, these Educational messages may lead consumers to Institutions believe that they have little Health Care Providers responsibility for detecting or resolving Banks/Financial fraudulent activity. Institutions 0% 10% 20% 30% 40% 50% 60% 70% Furthermore, data breach incidents and the fraudulent actions that sometimes follow are not limited to credit cards. Yet consumers are ill-informed of this risk by organizations with ample opportunity to communicate, educate and engage them. 19

The Intersections Inc. survey found that 66 percent of consumers are aware of data breaches. Of those, more than three quarters indicated that they are concerned about potential loss of or unauthorized access to their information while in the hands of an institution. Although consumers may have general expectations that institutions will protect the personal data they hold, their confidence level in an organization’s ability to do so varies greatly based on the type of organization. “I think all organizations need to have a plan ready to address a data loss incident. And, all organizations should recognize their vulnerability while also taking accountability for the sensitive consumer information they hold.” Brian G. McGinley, Senior Vice President of Loss Management, Wachovia Corporation The Intersections Inc. survey asked consumers to rate institutions based on how much they believe the institution is doing to protect their personal data from fraudulent access or use. The results show that the majority of Americans have positive perceptions about the efforts of banks and financial institutions (63 percent) and health care providers (53 percent) to protect their data. But they have little confidence in the ability of educational institutions (35 percent), online retailers (28 percent), small businesses (25 percent) and mobile phone companies (20 percent) to effectively protect their privacy. These perceptions do not seem to correlate directly to the types of organizations most often experiencing data breaches, but may more accurately reflect increased consumer trust due to the regulation of personal data required of the financial and health sectors. These findings suggest that certain organizations, such as educational institutions and small businesses, may have the most to gain by voluntarily implementing business practices that improve the privacy and security of consumers’ personal information. Financial and health-related organizations should not be complacent, though, as there are many consumers for whom trust has been lost and who may seek opportunities to take their business elsewhere. 20

Notification: How to According to the Intersections Inc. survey, one in ten consumers said they had received notification from a company or institution during the preceding 12 months that their data had been compromised. Indexed to the most recent U.S. Census data, that means as many as 21 million notifications were made during that time.23 While that number is significant, it represents only slightly more than one third of all affected consumers.1 Effective notifications have the potential to address many concerns consumers have after a breach incident, including whether their information is likely to be used fraudulently, what the company or organization is doing to protect them and what services are available to help consumers protect themselves from further harm. Furthermore, according to ID Analytics, in certain targeted data breaches, notices may have a deterrent effect on criminals. In one large-scale identity-level breach, thieves slowed their use of the data to commit identity fraud after public notification, according to the company’s analysis. The method by which a consumer is notified is extremely relevant to the impact of the breach on an individual consumer’s level of trust in the organization. According to the Ponemon Institute, how a consumer is notified could potentially impact their level of trust in the notification and, ultimately, their decision to continue conducting business with the organization that experienced the breach. Among those surveyed by the Ponemon Institute who said they did not trust that a notification they received from an institution following a data breach incident was authentic, 86 percent said they would take their business elsewhere.10, 21 According to the Intersections Inc. survey, the majority of consumers who were notified of a breach incident received notification through the mail (56 percent). Fewer consumers reported receiving notification by telephone (17 percent) or e- mail (16 percent). Unlike the Ponemon Institute’s findings, respondents to the Intersections Inc. study indicated that they trusted that the notifications they received were from the stated company (92 percent), but this may be due to the fact that most indicated that they received written correspondence, which consumers may believe to be a more credible source of information. 21

McGinley believes that the nature and scope of a data breach incident will dictate the organization’s response. “It’s going to be different depending on the scope of the incidents and the urgency. If we have direct accounts under attack we are going to pick up the phone and contact [those customers] immediately. If we received an alert from an ATM’s [notification system] indicating [a customer’s] debit card was used at an ATM that may have been under attack, we may mail them a letter and put them under special monitoring.” Intersections’ findings, however, suggest that after a breach incident most consumers express a strong preference to be contacted by phone (74 percent), presumably because they prefer faster, more personal communication. The Ponemon Institute underscored this finding. It cautioned against using form letters and e-mails to notify consumers of data breach incidents. ”Those businesses that deploy canned e-mails or form letters to communicate a data breach to victims are more than three times as likely to lose customers as those that contact victims by telephone or personalized letters or a combination of both.”21 Beyond notification: Victim assistance Consumers are most concerned about four issues after a data breach: o How likely is it that their personal information will be misused? o How will they know if their information is used to perpetuate fraud? o What do they need to do in the aftermath of a breach? o What services will be available to assist them? The Intersections Inc. survey provided insight into what actions, if any, are being taken by the companies targeted by data breaches on behalf of their affected customers. Alarmingly, 29 percent of respondents who were notified that their personal information was or may have been compromised said that no action beyond the initial notification was taken by the company or organization to help consumers determine how to protect themselves from additional harm (or, perhaps, it was not clearly communicated to them). 22

The most frequent actions taken by companies and organizations on behalf of affected customers included replacing credit or debit cards (24 percent), providing an explanation of the problem (15 percent) and providing educational information via mail (13 percent). McGinley confirmed the relative 77% of consumers want access frequency of financial companies to a hotline to address their offering replacement cards as a 15 questions. post-breach service. To quell consumers’ anticipated fears that their compromised information may be misused, he explained that, depending on the nature of the incident, it is standard practice in the financial industry to issue new credit or debit cards, change verification credentials (such as PINs and passwords) or close consumers’ existing accounts. But beyond financial institutions, it appears unlikely that any other frequently affected group regularly provides post-breach services to their customers, employees or members. When asked what actions consumers have taken on their own behalf and at their own expense as a result of their concern about their data being compromised and potentially misused, respondents indicated that they are choosing to not give out personal information (10 percent) and checking credit reports (6 percent) most frequently. They also cited destroying documents containing sensitive information (5 percent) and forgoing online shopping (5 percent). However, the findings show that almost half of consumers are not taking any action to protect themselves. The Intersections survey confirmed that consumers want institutions to take more active steps to protect their data and to provide tools and services that help them identify misuse of their data or recover if they become a victim of fraud after a data breach. The Ponemon Institute’s research identified a similar sentiment. In that survey, more than 82 percent of respondents expected organizations to do more to assist them.24 Swift, direct and thorough action is the most effective way for a company to respond to a data breach, according to the consumers surveyed by Intersections Inc. Nearly nine in ten said it would be very important to them that the company communicate the problem honestly and quickly. 23

Such information should be presented consistently across all communication channels and should be supplemented by a dedicated resource that consumers can use to contact the organization for more information. A toll-free number with trained, dedicated agents has proven beneficial to many companies – including Wachovia – and their customers. More than three quarters (77 percent) of consumers What Consumers Want in want access to a hotline to address their questions, the Wake of a Breach15 according to the Intersections Inc. survey. Furthermore, most consumers (85 percent) want companies to Identity Theft Insurance provide comprehensive victim assistance, including Free Credit help in resolving any fraud. Monitoring Free Credit Report Wachovia has a special investigations unit specific to 62% 64% 66% 68% 70% 72% 74% customer identity theft fraud claims and works closely with the Identity Theft Assistance Center (ITAC). This group is able to guide the customer through the recovery process from beginning to end. Agents trained in handling identity theft cases provide support to consumers as they navigate the resolution process, which includes walking the consumer through his or her credit report to identify any suspicious activity, notifying the affected creditors, placing fraud alerts with the credit bureaus and sharing information with the appropriate law enforcement agencies. Additionally, consumers recognize the value of services that allow them to identify and monitor potential future repercussions of data breaches. A majority of consumers indicated that they would like affected organizations to provide credit reports at no cost (73 percent), along with a complimentary credit “Tri-bureau credit monitoring report monitoring service (69 is one of the best ways percent). Consumers are also consumers can protect their interested in identity theft insurance accounts and a very good products (66 percent). way of identifying whether there have been any attacks These findings demonstrate that on one’s identity.” consumers want as much information as possible after a Brian G. McGinley, Senior Vice breach and that they are willing to President of Loss Management, Wachovia Corporation do some of the legwork after an incident to ensure the continued 24

The Benefits of Monitoring security of their assets. Organizations Many financial industry executives believe should view this as a prime opportunity to that providing their customers with the engage the consumer in taking joint ability to monitor their accounts and credit responsibility for ensuring the security of information is a valuable step toward their information and for enhancing the combating fraud, both before and after a value of the consumer relationship. data breach. Tri-bureau credit monitoring Engaged and security-conscious consumers allows consumers to receive prompt are likely to be more willing to accept other notifications when changes have been made to their credit files. The consumer shared security measures, such as account, can then address potentially suspicious credit and public information monitoring, activities before significant financial shared secrets, more complicated damage occurs. Consumers who subscribe passwords, passkeys, tokens and to a credit monitoring service see a biometrics. substantial drop – more than 90 percent – in total fraud losses.25 According to McGinley, “Tri-bureau credit monitoring is one of the best ways Intersections Inc. is the largest provider of consumers can protect their accounts and a private-label consumer credit monitoring very good way of identifying whether there services in North America. Recognizing have been any attacks on one’s identity.” that consumer credit monitoring is not only Moreover, Wachovia believes that it is the a proven fraud detection tool, but also organization’s responsibility to provide holds great promise to help consumers such a service at no cost to the consumer – prevent fraud after a loss or theft of at least for a defined period of time – in the information, Intersections Inc. assembled a event of a breach. variety of partners to tap that potential. In previous data loss incidents, Wachovia Through partnerships with Seisint, engaged Intersections to offer affected Cyveillance and ID Analytics, the company has developed a fraud monitoring product customers one year of credit monitoring at that allows consumers to use industry- no cost to the consumer. (See The Benefits of proven enterprise technologies to expand Monitoring.) Wachovia has also increased their monitoring capabilities to public the depth and breadth of its services to aid information databases, chat rooms, consumers through partnerships with message boards and credit applications. It entities such as the Identity Theft is estimated that application fraud losses Assistance Center (ITAC). alone are estimated to be $170 for every U.S. credit user every year.26 A significant number of the top financial services companies in the U.S. have aligned A combination of credit and public themselves with the ITAC, a cooperative information monitoring services provides initiative of the financial services industry consumers the most comprehensive fraud protection available today. Intersections Inc. offers this service at costs similar to tri- bureau monitoring. 23

that provides victim assistance services free to customers of member companies. The center assists victims of identity theft by helping to reduce the delay and frustration that consumers may experience as they go through the identity restoration process. BEST PRACTICES: The list Drawing on Wachovia’s experiences, 1. Plan consumer research and a decade of 2. Educate experience assisting victims of identity theft, 3. Investigate & Activate 4. Communicate Intersections developed this five-step best 5. Assist practices list to help organizations manage the consumer risk associated with data breaches. It is grounded by primary research drawing on both the enterprise and consumer perspectives. Plan o Provide a safe environment within which your customers can transact as well as a secure messaging platform for communicating with customers. o Encourage the use of online banking and alerts when personal data associated with customer account profiles change (name, address, phone number, e-mail address, credit lines, etc.). o Prepare an information breach remediation plan to activate immediately if such an incident should occur. Be aware of any state or federal legislation with which compliance is necessary. Educate o Educate consumers about their role in protecting their personal data. o Provide training and education to employees to help and encourage them to identify and report suspicious activity from internal and external threats. o Require unregulated business customers and vendors to comply with voluntary privacy guidelines in order to protect data across all levels of service. Audit these groups regularly to ensure compliance. 26

Investigate & Activate o Work quickly with all available resources to investigate and understand the precise nature and extent of the breach event. o Activate the prepared breach remediation plan to minimize the impact on the assets at risk. o As appropriate, engage law enforcement to help identify affected individuals and thereby reduce delays in notification. Work with law enforcement to pursue leads that are outside the purview of the institution. o Take immediate action to address the specific incident. (For example, close certain consumer accounts.) Communicate o Notify consumers and clients as quickly as possible and communicate as much information as possible about the incident. o Notify consumers promptly by mail and, when possible, by phone. Avoid form letters and e-mail. o Integrate communications messages across all channels. Present a consistent, thorough message. o Keep affected customers informed of steps you have taken to prevent repeat incidents and improve security. Assist o Establish a telephone hotline or other dedicated resource (such as a Web site) handled by agents trained in identity theft resolution practices to address and answer consumers’ concerns. o Provide a complimentary tri-bureau monitoring service to detect credit fraud or a service such as Intersections’ fraud protection service to protect against identity fraud by monitoring a combination of credit and public information to help affected customers identify possible identity theft before it turns into fraud. o Provide identity theft insurance. 27

ADDENDUM SOURCES 1 2005 Disclosures of U.S. Data Incidents, Identity Theft Resource Center, December 19, 2005. 2 Identity Theft Survey Report, U.S. Federal Trade Commission and Synovus, September 2003. 3 “Do Not Call.” CardWeb.com, August 22, 2005. 4 From Wikipedia.com: “Phishing is a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The term phishing arises from the use of increasingly sophisticated lures to ‘fish’ for users’ financial information and passwords.” 5 Increased Phishing and Online Attacks Cause Dip in Consumer Confidence, Gartner Inc., June 22, 2005. 6 “2005 Identity Fraud Survey Report,” Javelin Strategy & Research, January 2005. 7 Unisys Research Shows Banks Face Potential Customer Exodus Over Identity Theft, Unisys Press Release, November 9, 2004. 8 Fest, Glen. “Data Losses: Cardsystems Takes A Bullet After Breach.” Bank Technology News, August 2005. 9 New Survey Reports An Increase in ID Theft and Decrease in Consumer Confidence, Privacy and American Business Press Release, June 29, 2005. 10 “National Survey on Data Breach Security Notification,” Ponemon Institute. September 26, 2005. 11 ID Analytics’ First-Ever National Data Breach Analysis Shows the Rate of Misuse of Breached Identities May be Lower than Anticipated, ID Analytics Press Release, December 8, 2005. 12 Security Breaches & Freezes, Identity Theft Resource Center, December 2005. 13 Global Security Survey, Deloitte, May 2004. 14 Google news search, September 15, 2005. 15 Consumer Perceptions on Data Breaches, Ipsos-Reid for Intersections Inc., August 2005. 16 Federal Bank Regulatory Agencies Jointly Issue Interagency Guidance on Response Programs for Security Breaches, Federal Insurance Deposit Corporation Joint Press Release, March 23, 2005. 17 “Banks Need to Be Proactive In Dealing with Data Breaches.” U.S. Banker, August 2005. 18 Hoofnagle, Chris Jay. “Privacy Self-Regulation: A Decade of Disappointment.” Electronic Privacy Information Center, March 4, 2005. 19 “The State of Retailing Online 8.0,” Forrester Research for Shop.org, May 2005. 20 “Banks May Feel the Pinch of Identity Theft Worries.” emarketer, March 25, 2005. 21 “Data Breaches Bad for Business.” ConsumerAffairs.com, September 27, 2005. 22 Total Security Protection is a registered trademark of VISA USA. 23 U.S. Census Bureau 2000, released December 22, 2005, based on 20.9 million U.S. residents age 18 or over. 24 “Opinion: After a privacy breach, how should you break the news?” Computerworld, July 5, 2005. 25 Credit Monitoring and Identity Fraud Insurance: What Do Consumers Need, and How Should it be Offered?, Javelin Strategy and Research, March 2005. 26 Rawe, Julie. “Identity Thieves.” TIME Magazine, February 11, 2002. 27 “Authentication: FFIEC Commands Two-Factor ID by 2006.” U.S. Banker, December 2005. 28 2005 Global Security Survey, Deloitte, June 22, 2005. 28

BIOGRAPHY: Brian G. McGinley Senior Vice President & Group Executive Director, Loss Management Wachovia Corporation Brian G. McGinley has been in the financial institution security and loss management field for more than 25 years. He is currently the Senior Vice President of Loss Management at Wachovia Corporation. With 3,100 financial centers, 5,000 ATMs and 700 brokerage offices, Wachovia holds $521 billion in assets. McGinley joined the company in August 1999 when he was employed by First Union, which Wachovia acquired in 2001. He manages a staff of more than 500 loss management personnel and is responsible for the overall development, implementation and management of loss control programs for the corporation. These accountabilities include loss prevention and fraud control, claim and litigation management, investigations, non-credit loss management and charge- off, Channel Risk Management functions and credit fraud. He previously managed the corporation’s AML Investigative Services functions as well. Prior to joining First Union/Wachovia, Brian worked in various loss control-related capacities for Citibank North America for 20 years, most recently as its Director of Risk Management & Control and Group Information Security Officer. An ASIS International Certified Protection Professional, McGinely serves on the Financial Services Roundtable/BITS Identity Theft Assistance Center (ITAC) Board and chairs its Operations Committee. He has also served on many national bank industry committees and workgroups including the Bank Administration Institute, BITS, NACHA – The Electronic Payments Association, the Electronic Funds Transfer Association and others. Brian served with U.S. Army Military Intelligence and is a graduate of the University of Illinois. 29

SURVEY METHODOLOGY The Ipsos-Reid survey for Intersections Inc., “Consumer Perceptions on Data Breaches,” conducted via the Ipsos-US Express telephone poll of American consumers August 16-18, 2005, captured consumer perspectives in order to gauge their levels of concern regarding data breaches, as well as what type of responses they expect from companies that experience breaches. A group of Americans was polled to ascertain their level of awareness and concern about the recent surge in reported data breaches. Additionally, consumer insight was captured about the services and products they expect to be offered after receiving notification by the breached organization – the organization responsible for holding and safeguarding their sensitive information. For the survey, a representative, randomly selected sample of 1,001 adults was interviewed by telephone. The results are considered accurate to within ±3.1 percentage points. The margins of error may differ within regions and for other sub-groupings of the survey population. These data were weighted to ensure the sample’s regional and demographic composition reflects that of the actual American population, according to the latest U.S. Census data. ABOUT INTERSECTIONS INC. Intersections Inc. is the leading provider of branded and fully-customized consumer credit management and identity theft prevention, detection and resolution services to the customers of many of North America's largest financial services companies. By integrating our technology solutions, marketing capabilities, and end-to-end production and fulfillment infrastructure, we assist these companies in meeting the needs of their customers in a secure, efficient and ethical environment. We currently safeguard more than 5 million customers in the U.S. and Canada – including approximately 3.6 million subscribers to our service offerings and 1.4 million consumers who receive special services such as data breach mitigation and identity theft resolution. We receive those customers primarily through our partners, as well as direct-to-consumer through our IDENTITY GUARD® and SBGUARDIANSM brands. Additionally, we offer pre- employment background screening through our wholly-owned subsidiary, American Background Information Services, Inc. Learn more about Intersections Inc. at www.intersections.com. 30

® ® SM INTERSECTIONS , IDENTITY GUARD , SBGUARDIAN and the associated logos and designs are trademarks or federally registered trademarks of Intersections Inc. © 2006 Intersections Inc. All rights reserved. Intersections Inc. 14901 Bogle Drive, Chantilly, VA 20151 703.488.6100 NASDAQ: INTX www.intersections.com

Issue Paper Year Of The Breach Final 021706

by Carolyn Kopf

Accessibility

Upload Details

Usage Rights

1 Embed 2

Statistics

Issue Paper Year Of The Breach Final 021706 Document Transcript