Before the Aftermath:
The Importance of
Identity Protection in the
Age of the Data Breach
Brought to you by:
Generali Global Assistance
The majority of consumers have personally
been victims of a data breach or know
someone who has been affected - with most on
the receiving end of a letter containing similar
language as in the above. Data breaches
are rampant throughout every conceivable
industry – retail, financial, education,
healthcare and government – touching nearly
all aspects of everyday life. After all, everyday
life for many people includes shopping for
groceries, paying bills, going to school, or
visiting a doctor. This means that the odds are
not exactly in our favor for avoiding a data
breach on any given day. This white paper from
Generali Global Assistance (GGA) explores the
chronology of a data breach, focusing on its
impact to consumers, what (if any) restitution
they can expect, and how credit monitoring
alone fails to effectively secure personally
identifiable information (PII) in the aftermath.
Consumers recall all too well when retail giant
Target reported a massive breach that occurred
at their stores between November 27 and
December 15, 2013. With the frenzy of holiday
shopping in full swing, this couldn’t have come at a
worse time for Target or its customers. Nearly
40 million customer records were stolen that
included credit and debit card data, and 70
million shoppers had personal information
compromised that included their names,
addresses and phone numbers.[i]
Unfortunately, data breaches are the “new
normal” and likely will be for the foreseeable
future. The Identity Theft Resource Center
(ITRC) reports that in 2015, there were 781
tracked data breaches in the U.S.[ii] - the second
highest year on record since 2005, when the
ITRC began tracking breaches. This number
could even be understated as it doesn’t
include other data breaches that may have
gone undetected or unreported. GGA’s internal
data shows that the number of customers
affected by data breaches has increased over
40% every year since 2011. Figure 1 illustrates
a sampling of the wide range of industries
impacted by data breaches, which have
compromised millions of data records.
The Limits of Legislation
Given the frequency, severity and magnitude
of data breaches, one would assume that
there is a uniform federal standard to which
businesses must adhere. Quite the contrary:
there is no federal legislation in place that
comprehensively addresses data breaches
– leaving many questions as to the laws that
govern them (or lack thereof). Current laws
are in place in 47 states as well as in the
District of Columbia, Guam, Puerto Rico, and
the Virgin Islands that require businesses
who experience a security breach to notify
affected consumers.[iii] The details of these laws,
however, vary widely by state – including
what is considered an appropriate method of
notification (e.g. first-class mail or telephone)
or what the time period should be for issuing a
notification. Progress notwithstanding, there is
much left to debate as to the level and amount
of credit monitoring that businesses should
legally have to provide their customers.
“Dear valued customer, we regret to inform you that your personal
information may have been compromised. We are providing this
notice and outlining some steps you may take to protect yourself and
sincerely apologize for any inconvenience or concern this may cause.”
Data Breach
An incident or violation in which sensitive,
protected or confidential data is copied,
transmitted, viewed, stolen or used by
an individual unauthorized to do so. This
data can include personally identifiable
information (PII) like names, addresses, or
Social Security numbers; hospital or physician
records; school/university records; payment
card data; log-in credentials and much more.
As it stands today, businesses who experience
data breaches must rely on their individual
state’s laws to determine what type of
information triggers a consumer notice as well
as the content and timing and any restitution
measures. Companies with customers in
multiple jurisdictions[iv] are left with the
difficult task of interpreting the multitude of
inconsistencies between state laws. Should
a company with nationwide operations
experience a breach, this means that nearly
50 laws – all different – may apply to the same
breach. This creates confusion and frustration
for both businesses and consumers alike,
with each side seeking to define and interpret
requirements and expectations.
For years, advocates have attempted to pass
bills to form a national standard but none have
been signed into law. One such example is the
Data Security and Breach Notification Act of
2015[v], a bipartisan effort intended to address
the nation’s growing data security threats
and challenges. However, sentiment is mixed
regarding the benefits of having federal laws
and regulations around security breaches.
Despite the benefits of having one federal law,
there are state laws already in existence[vi];
California, for example, offers far better
protection. Should the proposed 2015 bill pass,
these state laws could be undermined. The
Federal Communications Commission (FCC)
has recently instituted new privacy policies[vii]
relating to telephone, broadband Internet,
cable and satellite user information which
could likewise be superseded.
A recent survey conducted by the Pew Research
Center[viii] reports that “91% of adults agree or
strongly agree that consumers have lost control
over how personal information is collected
and used by companies.” The million dollar
question is how to help empower consumers
amidst the great absence of federal legislation.
Since no two data breaches are exactly alike,
they cannot be mitigated by the same types
of protection. This makes it complicated to
create a federal regulatory standard that
best protects consumers. Without guidelines
to follow in the wake of a data breach, in
somewhat of an obligatory gesture, many
businesses find themselves extending offers of
free credit monitoring to their customers. But
what exactly does this free credit monitoring
really provide?
Free Credit Monitoring: Check
the Fine Print
Along with their customers, the companies
affected by breaches also suffer devastating
consequences. While the biggest impact to
a business is largely financial, regaining and
rebuilding customer trust over the long-term
can be a challenge. At first glance, offering
free credit monitoring services seems to
demonstrate a company’s care and concern
– a noble first step and token of goodwill.
However, upon closer inspection, these appear
to be more of a regulatory ‘check box’ for
businesses conducting damage control instead
of providing true protection for the consumer.
[Figure 1: Industries affected by data breaches[ix]. Healthcare 26.9%; Education 16.8%; Retail 15.9%; Financial 12.5%; Government 9.2%; Service 3.5%; Banking 2.8%; Insurance 2.6%; Technology 1.6%; Media 1.4%; Others 6.8%.]
Paige Schaffer, President and COO of Identity
and Digital Protection Services at GGA, agrees:
“Proactive and robust risk mitigation goes
far beyond just credit monitoring. What
really offers the most value to customers is
comprehensive identity theft protection that
includes education, protection, detection,
monitoring, alerts and full-scale resolution.”
While free credit monitoring may provide
a “feel-good” measure to help consumers
through their initial distress, it’s far from
a complete solution. In reality, standalone
credit monitoring does little more than alert
consumers of suspicious activity involving
their credit files; it does not track fraudulent
credit or debit card charges or help prevent
other identity theft-related activity. Moreover,
these credit monitoring services typically
include monitoring from just one of the three
major credit bureaus (Experian, TransUnion
and Equifax). This means that potential
identity fraud can get missed.
To illustrate, when a fraudulent new credit
account is opened, it may only show up on
one report. Once spending activity begins, the
account will eventually be captured on the
other two reports if the company reports to all
three credit bureaus – not all do. The problem
is the lapse in time from when an identity
thief initially opens a fraudulent account and
the subsequent activity that’s reflected later
on, if at all. A fraudster could easily apply for
multiple accounts prior to them being reported
across all three bureaus. Consumers who only
receive monitoring from one bureau could be
exposed to several months’ worth of damage
to their credit before they’re even aware of it.
Perhaps most concerning is the fact that many
free credit monitoring services are only offered
for six months to a year – some for just three
months. To many unsuspecting consumers, one
year can seem like a long time. In the context
of identity theft, however, one year is woefully
insufficient. A consumer’s compromised Social
Security number, for example, can be used in
many ways and cannot be changed as easily
as a credit card number. Data breaches can
leave behind a path of destruction that lasts
for years, sometimes forever.
In response to a cyberattack that involved the
hacking of sensitive PII that included Social
Security numbers, a major health insurer
provided not one but two years of credit
monitoring for its policyholders. Two years
may appear generous but isn’t nearly long
enough, as savvy criminals will hold on to
information for years and wait until people
become less vigilant. Some organizations
provide the additional option to maintain
credit monitoring after the free period is over,
but often with strings attached. In the above
case, policyholders were given the option to
keep their credit monitoring but only as long as
they remained members. Buried further within
the fine print of the terms and conditions was
language requiring those members who chose
extended monitoring to: 1) accept arbitration
to settle any disputes (which had to take place
in a specific city and state) and 2) agree to give
up their right to sue the company.
[Figure 2: Breach methods observed from 2005 to April 2015[ix]. Horizontal axis: years 2005 to 2015; vertical scale: 0 to 800. Legend: Hacking or malware; Insider leak; Payment card fraud; Physical device loss; Portable device; Stationary device; Unintended disclosure; Unknown.]
A Better Way to Ensure Identity
Protection
Personally identifiable information (PII) can
be likened to the pieces of a jigsaw puzzle,
with fraudsters attempting to fill in the missing
pieces. As identity thieves become savvier,
it’s more critical than ever to stop them from
completing the whole ‘picture’. While nothing
and no one can totally prevent identity theft
from occurring, a comprehensive identity
protection solution most effectively mitigates
its risks. Indeed, even the most conscientious
consumers can overlook suspicious activity;
many simply do not have the time or expertise
to devote to fully safeguarding their identities
on a regular basis. Just as automobile and
medical insurance offer security in the event
of an unforeseen accident, identity protection
provides consumers with protection before,
during and after a breach.
Prevention is the important foundation to full-
scale identity protection. When evaluating
identity protection providers, consumers
should seek out those that offer educational
resources and best practices. Digital privacy
protection software that includes anti-phishing
and password protector tools is also helpful in
protecting against hackers and blocking threats
from malicious websites - allowing consumers
to use the internet without worry. Other
preventive measures like opt-out services help
to reduce pre-approved credit card offers and
other methods that thieves employ to steal PII.
While credit monitoring is important, it is
just one component of identity protection.
Credit monitoring only flags activity on credit
reports, meaning other types of identity theft
will go undetected (e.g. when bank account
information or a Social Security number is
exposed). Identity monitoring, on the other
hand, focuses on identity – alerting consumers
when their PII is being used in ways that
typically don’t appear on credit reports, such
as when new utility accounts or payday loans
have been opened. Consumers who receive
standalone free credit monitoring as a result
of a data breach should be aware of the limited
protection they are likely receiving. Only a
full identity protection solution provides both
identity and credit monitoring and will include
the option for credit tracking across all three
credit bureaus - ensuring quick and seamless
notification of fraudulent activity and the
prevention of potentially spiraling damage.
[Figure 3: Record-type combinations compromised[ix]]
Most consumer activity takes place on the
mainstream World Wide Web (also known
as the Surface Web) which is comprised of
traditional websites and social networks and
indexed by popular search engines like Google.
Advanced identity monitoring services will
also scour the farthest regions of the Internet,
which includes the deep and dark web, for
suspicious activity. The deep web is said to
comprise about 90% of the internet and can
only be accessed by conducting a search that is
within a specific website. The dark web is not
indexed by search engines and is accessible
only with the help of anonymizing software.
In particular, the dark web is where cyber
criminals conduct illegal activity such as the
buying or selling of personal information and
credit cards.
Identity protection companies who have the
experience and capability in monitoring the
deep and dark web may offer this higher
level of identity monitoring, including the
technology that continuously scans for current
and potential threats before they surface. These
services could include internet surveillance to
proactively compare a consumer’s PII and the
data they enter into a monitoring dashboard
against data that has been compromised.
Advanced identity monitoring will also detect
any compromised credentials that may be
linked to malicious breaches and underground
infiltration. Consumers can receive alerts along
with next steps for them to take, including the
option to speak 24/7 with a live resolution
specialist, to help ensure that their personal
information stays personal.
The last key part of an identity protection
program is resolution, which many companies
do not provide for their customers who are
affected by a data breach. In the event that
identity theft occurs, the benefits of having full-
scale identity resolution are many. Certified
resolution specialists will work 24/7 to help
victims restore their identities, providing
assistance with affidavit submission, creditor
notification/follow-up, credit freezes, fraud
alert placement and other services. Some
will act on behalf of the victim, if authorized,
to deal with creditors and can help navigate
the intricacies of identity theft involving legal
matters or the Internal Revenue Service. These
services not only provide personal and expert
assistance to victims during their critical time
of need but also save them valuable time and
resources. Most major identity protection
providers will offer identity theft insurance,
which covers the reimbursement of expenses
related to the recovery process like lost wages
and legal fees.
[Figure 4: Top 10 record-type combinations compromised versus breach methods used[ix]. Vertical scale: 0 to 2K. Legend: Hacking or malware; Insider leak; Payment card fraud; Physical loss; Portable device loss; Stationary device loss; Unintended disclosure; Unknown.]
As long as there is identity theft and the world
continues to become increasingly connected,
consumers must be their own best advocate.
Keeping up with the latest string of data
breaches is dizzying. Having a proactive and
on-going identity protection solution already
in place alleviates the need for consumers to
continually brace themselves for yet another
incident, allowing them to go about their daily
lives as normally as possible. GGA’s Schaffer
stresses the importance of having a proactive
identity protection plan to businesses who are
equally concerned about the threat of data
breaches: “Implementing a comprehensive
program for employees and/or customers goes
a long way to help a company mitigate their
financial and reputational risks.” A trusted
identity protection provider who can address
the “full circle of identity theft” will give
consumers – and businesses – the valuable
peace of mind they need to stay ahead of the
aftermath in today’s age of the data breach.
A People-First Partner in Protection
In 2003, Generali Global Assistance (GGA) was one of the first companies to provide identity theft resolution
services in the U.S. and today is a leading provider of identity protection services, proudly protecting millions
of identities from the growing threat of identity theft. GGA has protected our clients and their customers
for over 50 years. As the pioneer of the assistance concept, it is our core DNA to assist customers in the
most dire and difficult of circumstances. Customer service is not just a philosophy – it’s our culture.
Our Identity and Digital Protection Services business unit was named the 2016 Gold winner in the Stevie
International Business Awards - Customer Service Department of the Year. This is the fourth consecutive
year that GGA has been the recipient of a Stevie Award, with four awards for excellence in the Customer
Service category and one for innovation in customer service technology. We go the distance to ensure
customer care, including several “do it for you” resolution services not offered by other identity protection
companies.
We stand ready to provide hands-on assistance to minimize the distress consumers face when confronted
with identity fraud, wherever life takes them. Our comprehensive 360° approach mitigates the risks of
identity fraud and provides the true value of protection, resolution and peace of mind.
GGA, formerly Europ Assistance in the U.S., is based in Bethesda, MD, and has
been a leader in the assistance industry since its founding in 1963. GGA is a
division of the multinational Generali Group which, over 185 years, has created
a presence in more than 60 countries with over 76,000 employees.
Sources
[i] https://corporate.target.com/article/2013/12/important-notice-unauthorized-access-to-payment-ca
[ii] Identity Theft Resource Center (ITRC), http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
[iii] National Conference of State Legislatures (NCSL), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
[iv] http://thehill.com/blogs/congress-blog/judicial/248978-businesses-need-a-preemptive-federal-law-on-data-breach
[v] https://www.congress.gov/114/bills/hr1770/BILLS-114hr1770ih.pdf
[vi] California Data Breach Report, https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf
[vii] Federal Communications Commission (FCC), http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0401/FCC-16-39A1.pdf
[viii] Pew Research Center, http://www.pewresearch.org/fact-tank/2016/01/20/the-state-of-privacy-in-america/
[ix] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-analyzing-breaches-by-industry.pdf

Data Breaches
 
Business Associate Risk - HC SC Sept 2014
Business Associate Risk - HC SC Sept 2014Business Associate Risk - HC SC Sept 2014
Business Associate Risk - HC SC Sept 2014
 
arcsight_scmag_hcspecial
arcsight_scmag_hcspecialarcsight_scmag_hcspecial
arcsight_scmag_hcspecial
 
employee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurityemployee-awareness-and-training-the-holy-grail-of-cybersecurity
employee-awareness-and-training-the-holy-grail-of-cybersecurity
 
Data Privacy Compliance
Data Privacy ComplianceData Privacy Compliance
Data Privacy Compliance
 
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is HazardousComplacency in the Face of Evolving Cybersecurity Norms is Hazardous
Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
 
The FDA’s role in the approval and subsequent review of Vioxx, a.docx
The FDA’s role in the approval and subsequent review of Vioxx, a.docxThe FDA’s role in the approval and subsequent review of Vioxx, a.docx
The FDA’s role in the approval and subsequent review of Vioxx, a.docx
 
DATA SAFEGUARD INC.- WHITE PAPER
DATA SAFEGUARD INC.- WHITE PAPERDATA SAFEGUARD INC.- WHITE PAPER
DATA SAFEGUARD INC.- WHITE PAPER
 

More from Paige Schaffer

PurchasingB2B - Mistaken Identity - October 2016
PurchasingB2B - Mistaken Identity - October 2016PurchasingB2B - Mistaken Identity - October 2016
PurchasingB2B - Mistaken Identity - October 2016Paige Schaffer
 
BTN _Duty of Care_19Sep16
BTN _Duty of Care_19Sep16BTN _Duty of Care_19Sep16
BTN _Duty of Care_19Sep16Paige Schaffer
 
Jamsa_Press Release Aug 2016
Jamsa_Press Release Aug 2016Jamsa_Press Release Aug 2016
Jamsa_Press Release Aug 2016Paige Schaffer
 
Insurance Innovation Reporter _ Aug 2016
Insurance Innovation Reporter _ Aug 2016Insurance Innovation Reporter _ Aug 2016
Insurance Innovation Reporter _ Aug 2016Paige Schaffer
 
Travel Market Report July 2016
Travel Market Report July 2016Travel Market Report July 2016
Travel Market Report July 2016Paige Schaffer
 
ITIJ Assistance and Repatriation- August 2014
ITIJ Assistance and Repatriation- August 2014ITIJ Assistance and Repatriation- August 2014
ITIJ Assistance and Repatriation- August 2014Paige Schaffer
 

More from Paige Schaffer (10)

ITSP Magazine 29Dec16
ITSP Magazine 29Dec16ITSP Magazine 29Dec16
ITSP Magazine 29Dec16
 
UTCID MarketWired
UTCID MarketWiredUTCID MarketWired
UTCID MarketWired
 
PC360 NOV 2016
PC360 NOV 2016PC360 NOV 2016
PC360 NOV 2016
 
PurchasingB2B - Mistaken Identity - October 2016
PurchasingB2B - Mistaken Identity - October 2016PurchasingB2B - Mistaken Identity - October 2016
PurchasingB2B - Mistaken Identity - October 2016
 
BTN _Duty of Care_19Sep16
BTN _Duty of Care_19Sep16BTN _Duty of Care_19Sep16
BTN _Duty of Care_19Sep16
 
Jamsa_Press Release Aug 2016
Jamsa_Press Release Aug 2016Jamsa_Press Release Aug 2016
Jamsa_Press Release Aug 2016
 
Insurance Innovation Reporter _ Aug 2016
Insurance Innovation Reporter _ Aug 2016Insurance Innovation Reporter _ Aug 2016
Insurance Innovation Reporter _ Aug 2016
 
GARP Article Aug 2016
GARP Article Aug 2016GARP Article Aug 2016
GARP Article Aug 2016
 
Travel Market Report July 2016
Travel Market Report July 2016Travel Market Report July 2016
Travel Market Report July 2016
 
ITIJ Assistance and Repatriation- August 2014
ITIJ Assistance and Repatriation- August 2014ITIJ Assistance and Repatriation- August 2014
ITIJ Assistance and Repatriation- August 2014
 

The Importance of Identity Protection Beyond Credit Monitoring

  • 1. Before the Aftermath: The Importance of Identity Protection in the Age of the Data Breach Brought to you by: by Generali Global Assistance
  • 2. “Dear valued customer, we regret to inform you that your personal information may have been compromised. We are providing this notice and outlining some steps you may take to protect yourself and sincerely apologize for any inconvenience or concern this may cause.”
    The majority of consumers have personally been victims of a data breach or know someone who has been affected - with most on the receiving end of a letter containing similar language as in the above. Data breaches are rampant throughout every conceivable industry – retail, financial, education, healthcare and government – touching nearly all aspects of everyday life. After all, everyday life for many people includes shopping for groceries, paying bills, going to school, or visiting a doctor. This means that the odds are not exactly in our favor for avoiding a data breach on any given day. This white paper from Generali Global Assistance (GGA) explores the chronology of a data breach, focusing on its impact to consumers, what (if any) restitution they can expect, and how credit monitoring alone fails to effectively secure personally identifiable information (PII) in the aftermath.
    Consumers recall all too well when retail giant Target reported a massive breach that occurred at their stores between November 27 and December 15, 2013. With the frenzy of holiday shopping in full swing, this couldn’t come at a worse time for Target or its customers. Nearly 40 million customer records were stolen that included credit and debit card data, and 70 million shoppers had personal information compromised that included their names, addresses and phone numbers [i].
    Unfortunately, data breaches are the “new normal” and likely will be for the foreseeable future. The Identity Theft Resource Center (ITRC) reports that in 2015, there were 781 tracked data breaches in the U.S. [ii] - the second highest year on record since 2005, when the ITRC began tracking breaches. This number could even be under-inflated as it doesn’t include other data breaches that may have gone undetected or unreported. GGA’s internal data shows that the number of customers affected by data breaches has increased over 40% every year since 2011. Figure 1 illustrates a sampling of the wide range of industries impacted by data breaches, which have compromised millions of data records.
    The Limits of Legislation
    Given the frequency, severity and magnitude of data breaches, one would assume that there is a uniform federal standard to which businesses must adhere. Quite the contrary: there is no federal legislation in place that comprehensively addresses data breaches – leaving many questions as to the laws that govern them (or lack thereof). Current laws are in place in 47 states as well as in the District of Columbia, Guam, Puerto Rico, and the Virgin Islands that require businesses who experience a security breach to notify affected consumers [iii]. The details of these laws, however, vary widely by state – including what is considered an appropriate method of notification (e.g. first-class mail or telephone) or what the time period should be for issuing a notification. Progress notwithstanding, there is much left to debate as to the level and amount of credit monitoring that businesses should legally have to provide their customers.
    Data Breach: An incident or violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. This data can include personally identifiable information (PII) like names, addresses, or Social Security numbers; hospital or physician records; school/university records; payment card data; log-in credentials and much more.
  • 3. As it stands today, businesses who experience data breaches must rely on their individual state’s laws to determine what type of information triggers a consumer notice as well as the content and timing and any restitution measures. Companies with customers in multiple jurisdictions [iv] are left with the difficult task of interpreting the multitude of inconsistencies between state laws. Should a company with nationwide operations experience a breach, this means that nearly 50 laws – all different – may apply to the same breach. This creates confusion and frustration for both businesses and consumers alike, with each side seeking to define and interpret requirements and expectations.
    For years, advocates have attempted to pass bills to form a national standard but none have been signed into law. One such example is The Data Security and Breach Notification Act of 2015 [v], a bipartisan effort intended to address the nation’s growing data security threats and challenges. However, sentiment is mixed regarding the benefits of having federal laws and regulations around security breaches. Despite the benefits of having one federal law, there are state laws already in existence [vi]; California, for example, offers far better protection. Should the proposed 2015 bill pass, these state laws could be undermined. The Federal Communications Commission (FCC) has recently instituted new privacy policies [vii] relating to telephone, broadband Internet, cable and satellite user information which could likewise be superseded.
    A recent survey conducted by the Pew Research Center [viii] reports that “91% of adults agree or strongly agree that consumers have lost control over how personal information is collected and used by companies.” The million dollar question is how to help empower consumers amidst the great absence of federal legislation. Since no two data breaches are exactly alike, they cannot be mitigated by the same types of protection. This makes it complicated to create a federal regulatory standard that best protects consumers. Without guidelines to follow in the wake of a data breach, in somewhat of an obligatory gesture, many businesses find themselves extending offers of free credit monitoring to their customers. But what exactly does this free credit monitoring really provide?
    [Figure 1: Industries affected by data breaches [ix]. Healthcare 26.9%, Education 16.8%, Retail 15.9%, Financial 12.5%, Government 9.2%, Service 3.5%, Banking 2.8%, Insurance 2.6%, Technology 1.6%, Media 1.4%, Others 6.8%.]
    Free Credit Monitoring: Check the Fine Print
    Along with their customers, the companies affected by breaches also suffer devastating consequences. While the biggest impact to a business is largely financial, regaining and rebuilding customer trust over the long-term can be a challenge. At first glance, offering free credit monitoring services seems to demonstrate a company’s care and concern
  • 4. – a noble first step and token of goodwill. However, upon closer inspection, these appear to be more of a regulatory ‘check box’ for businesses conducting damage control instead of providing true protection for the consumer. Paige Schaffer, President and COO of Identity and Digital Protection Services at GGA, agrees: “Proactive and robust risk mitigation goes far beyond just credit monitoring. What really offers the most value to customers is comprehensive identity theft protection that includes education, protection, detection, monitoring, alerts and full-scale resolution.”
    While free credit monitoring may provide a “feel-good” measure to help consumers through their initial distress, it’s far from a complete solution. In reality, standalone credit monitoring does little more than alert consumers of suspicious activity involving their credit files; it does not track fraudulent credit or debit card charges or help prevent other identity theft-related activity. Moreover, these credit monitoring services typically include monitoring from just one of the three major credit bureaus (Experian, TransUnion and Equifax). This means that potential identity fraud can get missed. To illustrate, when a fraudulent new credit account is opened, it may only show up on one report. Once spending activity begins, the account will eventually be captured on the other two reports if the company reports to all three credit bureaus – not all do. The problem is the lapse in time from when an identity thief initially opens a fraudulent account and the subsequent activity that’s reflected later on, if at all. A fraudster could easily apply for multiple accounts prior to them being reported across all three bureaus. Consumers who only receive monitoring from one bureau could be exposed to several months’ worth of damage to their credit before they’re even aware of it.
    [Figure 2: Breach methods observed from 2005 to April 2015 [ix]. Chart of yearly counts, 2005 to 2015, by breach method: hacking or malware, insider leak, payment card fraud, physical loss, portable device loss, stationary device loss, unintended disclosure, unknown.]
    Perhaps most concerning is the fact that many free credit monitoring services are only offered for six months to a year – some for just three months. To many unsuspecting consumers, one year can seem like a long time. In the context of identity theft, however, one year is woefully insufficient. A consumer’s compromised Social Security number, for example, can be used in many ways and cannot be changed as easily as a credit card number. Data breaches can leave behind a path of destruction that lasts for years, sometimes forever. In response to a cyberattack that involved the hacking of sensitive PII that included Social Security numbers, a major health insurer provided not one but two years of credit monitoring for its policyholders. Two years may appear generous but isn’t nearly long
  • 5. enough, as savvy criminals will hold on to information for years and wait until people become less vigilant. Some organizations provide the additional option to maintain credit monitoring after the free period is over, but often with strings attached. In the above case, policyholders were given the option to keep their credit monitoring but only as long as they remained members. Buried further within the fine print of the terms and conditions was language requiring those members who chose extended monitoring to: 1) accept arbitration to settle any disputes (which had to take place in a specific city and state) and 2) agree to give up their right to sue the company.
    A Better Way to Ensure Identity Protection
    Personally identifiable information (PII) can be likened to the pieces of a jigsaw puzzle, with fraudsters attempting to fill in the missing pieces. As identity thieves become savvier, it’s more critical than ever to stop them from completing the whole ‘picture’. While nothing and no one can totally prevent identity theft from occurring, a comprehensive identity protection solution most effectively mitigates its risks. Indeed, even the most conscientious consumers can overlook suspicious activity; many simply do not have the time or expertise to devote to fully safeguarding their identities on a regular basis. Just as automobile and medical insurance offer security in the event of an unforeseen accident, identity protection provides consumers with protection before, during and after a breach.
    Prevention is the important foundation to full-scale identity protection. When evaluating identity protection providers, consumers should seek out those that offer educational resources and best practices. Digital privacy protection software that includes anti-phishing and password protector tools is also helpful in protecting against hackers and blocking threats from malicious websites - allowing consumers to use the internet without worry. Other preventive measures like opt-out services help to reduce pre-approved credit card offers and other methods that thieves employ to steal PII.
    [Figure 3: Record-type combinations compromised [ix]]
    While credit monitoring is important, it is just one component of identity protection. Credit monitoring only flags activity on credit reports, meaning other types of identity theft will go undetected (e.g. when bank account information or a Social Security number is exposed.) Identity monitoring, on the other hand, focuses on identity – alerting consumers when their PII is being used in ways that typically don’t appear on credit reports, such as when new utility accounts or payday loans have been opened. Consumers who receive standalone free credit monitoring as a result
  • 6. of a data breach should be aware of the limited protection they are likely receiving. Only a full identity protection solution provides both identity and credit monitoring and will include the option for credit tracking across all three credit bureaus - ensuring quick and seamless notification of fraudulent activity and the prevention of potentially spiraling damage.
    Most consumer activity takes place on the mainstream World Wide Web (also known as the Surface Web) which is comprised of traditional websites and social networks and indexed by popular search engines like Google. Advanced identity monitoring services will also scour the farthest regions of the Internet, which includes the deep and dark web, for suspicious activity. The deep web is said to comprise about 90% of the internet and can only be accessed by conducting a search that is within a specific website. The dark web is not indexed by search engines and is accessible only with the help of anonymizing software. In particular, the dark web is where cyber criminals conduct illegal activity such as the buying or selling of personal information and credit cards.
    Identity protection companies who have the experience and capability in monitoring the deep and dark web may offer this higher level of identity monitoring, including the technology that continuously scans for current and potential threats before they surface. These services could include internet surveillance to proactively compare a consumer’s PII and the data they enter into a monitoring dashboard against data that has been compromised. Advanced identity monitoring will also detect any compromised credentials that may be linked to malicious breaches and underground infiltration. Consumers can receive alerts along with next steps for them to take, including the option to speak 24/7 with a live resolution specialist, to help ensure that their personal information stays personal.
    [Figure 4: Top 10 record-type combinations compromised versus breach methods used [ix]. Chart of record counts per record-type combination, by breach method: hacking or malware, insider leak, payment card fraud, physical loss, portable device loss, stationary device loss, unintended disclosure, unknown.]
    The last key part of an identity protection program is resolution, which many companies do not provide for their customers who are affected by a data breach. In the event that identity theft occurs, the benefits of having full-scale identity resolution are many. Certified resolution specialists will work 24/7 to help victims restore their identities providing assistance with affidavit submission, creditor notification/follow-up, credit freezes, fraud alert placement and other services. Some will act on behalf of the victim, if authorized, to deal with creditors and can help navigate the intricacies of identity theft involving legal matters or the Internal Revenue Service. These services not only provide personal and expert assistance to victims during their critical time of need but also save them valuable time and resources. Most major identity protection providers will offer identity theft insurance,
  • 7. which covers the reimbursement of expenses related to the recovery process like lost wages and legal fees.
    As long as there is identity theft and the world continues to become increasingly connected, consumers must be their own best advocate. Keeping up with the latest string of data breaches is dizzying. Having a proactive and on-going identity protection solution already in place alleviates the need for consumers to continually brace themselves for yet another incident, allowing them to go about their daily lives as normally as possible. GGA’s Schaffer stresses the importance of having a proactive identity protection plan to businesses who are equally concerned about the threat of data breaches: “Implementing a comprehensive program for employees and/or customers goes a long way to help a company mitigate their financial and reputational risks.” A trusted identity protection provider who can address the “full circle of identity theft” will give consumers – and businesses – the valuable peace of mind they need to stay ahead of the aftermath in today’s age of the data breach.
    A People-First Partner in Protection
    In 2003, Generali Global Assistance (GGA) was one of the first companies to provide identity theft resolution services in the U.S. and today is a leading provider of identity protection services, proudly protecting millions of identities from the growing threat of identity theft. GGA has protected our clients and their customers for over 50 years. As the pioneer of the assistance concept, it is our core DNA to assist customers in the most dire and difficult of circumstances. Customer service is not just a philosophy – it’s our culture. Our Identity and Digital Protection Services business unit was named the 2016 Gold winner in the Stevie International Business Awards - Customer Service Department of the Year. This is the fourth consecutive year that GGA has been the recipient of a Stevie Award, with four awards for excellence in the Customer Service category and one for innovation in customer service technology. We go the distance to ensure customer care, including several “do it for you” resolution services not offered by other identity protection companies. We stand ready to provide hands-on assistance to minimize the distress consumers face when confronted with identity fraud, wherever life takes them. Our comprehensive 360° approach mitigates the risks of identity fraud and provides the true value of protection, resolution and peace of mind.
    GGA, formerly Europ Assistance in the U.S., is based in Bethesda, MD, and has been a leader in the assistance industry since its founding in 1963. GGA is a division of the multinational Generali Group which, over 185 years, has created a presence in more than 60 countries with over 76,000 employees.
    Sources
    [i] https://corporate.target.com/article/2013/12/important-notice-unauthorized-access-to-payment-ca
    [ii] Identity Theft Resource Center (ITRC), http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
    [iii] National Conference of State Legislatures (NCSL), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
    [iv] http://thehill.com/blogs/congress-blog/judicial/248978-businesses-need-a-preemptive-federal-law-on-data-breach
    [v] https://www.congress.gov/114/bills/hr1770/BILLS-114hr1770ih.pdf
    [vi] California Data Breach Report, https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf
    [vii] Federal Communications Commission (FCC), http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0401/FCC-16-39A1.pdf
    [viii] Pew Research Center, http://www.pewresearch.org/fact-tank/2016/01/20/the-state-of-privacy-in-america/
    [ix] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-analyzing-breaches-by-industry.pdf