Data breaches lead to 4X higher incidence of identity fraud

October 30, 2009 – 10:18 pm

by Doug Pollack

In a recently released report, Javelin Research has highlighted a key finding that is important to those of us who have received a data breach notification letter from an organization that we have entrusted with our personal information — whether a bank, healthcare provider, insurer or merchant. This finding is that individuals who receive a data breach notification letter are four times (4X) more likely to become victims of identity fraud.

“The Javelin report, Data Breach Notifications: Victims Face Four Times Higher Risk of Fraud, is based on multiple years of data and includes updates on 2009 data breaches, implications of changes to the legislative landscape and the technical means by which data breaches occur.”

This statistic is striking, in that it has been thought that the vast majority of data breach incidents are benign in nature. And because of this perception, recipients of data breach notification letters to some extent may have become desensitized to the level of risk of fraud that they face.

This research should be a wakeup call to consumers. Even more importantly, organizations that maintain databases of personal information on their customers and patients need to be hyper-aware that data breach incidents are increasingly being proven to do harm to those in the affected populations.

Confirmation of Blue Cross Blue Shield Breach

October 15, 2009 – 7:28 pm

by Doug Pollack

The Blue Cross Blue Shield Association (BCBSA) has affirmed that it has experienced a data breach incident affecting over 800,000 doctors in the US. According to Jeff Smokler at BCBSA, as reported in SC Magazine, thieves stole an employee’s computer that contained an unencrypted file with the personal information of nearly every doctor who accepts this popular health insurance plan.

“We had an employee who did not follow company procedure and removed information from a BCBSA computer and put it on a personal laptop,” Smokler said.

While the national BCBSA is offering a year of free credit monitoring to those affected by the breach, they appear to be working closely with the state BCBS affiliates in order to notify doctors of the incident. In Massachusetts, this notification occurred on October 2nd, as reported in a Boston Globe article.

A majority of US states have formal breach notification laws that require notification by letter to affected members of a breach population. There is also now a requirement to follow the HITECH Act notification rules, although it is unclear whether this particular incident would require this, due to the somewhat ambiguous “harm threshold” that is written into the interim Rules published by the Department of Health and Human Services.

Blue Cross Blue Shield Breach

October 5, 2009 – 11:27 pm

by Doug Pollack

This past week, the Boston Globe wrote about a data breach incident at Blue Cross Blue Shield of Massachusetts that occurred in August of this year and where the affected population is just now being notified. The breach, which exposed social security numbers, affected over 39,000 physicians and healthcare providers in Massachusetts.

“It took some time to figure out what type of data was on the laptop,” said Tara Murray, Blue Cross and Blue Shield of Massachusetts spokeswoman. “There is no reason to believe the data has been used to steal people’s identity, but we are just being cautious . . . to notify them and offering free credit monitoring.”

The Boston Globe reported that:

“Jeff Smokler, national Blue Cross-Blue Shield spokesman, said the insurance giant - roughly 90 percent of physicians nationwide are in its network - encrypts all of its information on company computers, but an employee who was authorized to have the information violated company rules by downloading an unencrypted version onto a personal laptop. The laptop was stolen after the employee left headquarters with it.”

It is nice to see Blue Cross-Blue Shield taking the high ground and notifying the affected individuals and providing them with a modicum of protection, given that their analysis didn’t lead to a high level of concern that the information would be misused.

The recently enacted HITECH Act requires that healthcare organizations notify individuals, Health and Human Services (HHS) and the public (via press release or other visible medium) for data breaches that exceed 500 individuals. HHS Interim Rules only mandate notification if an internal risk assessment concludes that there is significant risk of financial, reputational or other harm. Given how “squishy” this harm threshold is, it is prudent for organizations to notify under most circumstances.

This case also exemplifies how the majority of data breach incidents are not due to cybercrime and related external threats, as is often believed. They are more often caused by an accidental (or intentional) failure by employees to follow internal policies and practices, or, in other cases, by an employee who intends to perpetrate fraud using their access to personal information. In either case, the threat is internal rather than external.

Measuring Data Breach Risk

October 1, 2009 – 7:05 pm

In recent months, with the continued growth in highly public data breach incidents, we began looking at how organizations assess their level of exposure to data breach risk. I suspect if you ask the CEO of most public companies or public sector organizations about their level of risk, that they would tell you that they are “highly secure” and maintain excellent practices to prevent the misappropriation of personal information of their customers, patients, employees, students and other affiliates.

For many firms, they have to meet security and compliance requirements that are necessities in their industry, such as PCI for those that handle credit card information and HIPAA for healthcare organizations. Historically I think that they felt such rigorous compliance requirements could ensure their safety from the risks of data breach.

However, the recent past demonstrates that no organization is really immune to a potential data breach incident. The very visible Heartland Payment Systems breach affected many millions of Americans whose credit cards were processed by Heartland, an organization that had to adhere to very strict security standards set for the financial industry and their payment processors. This seeming inconsistency between a perception of being immune from data breach risks and the rapid growth in data breach incidents led us to think about whether organizations can “quantify” their level of data breach risk.

We were somewhat surprised that there isn’t much available to organizations to help them in measuring and scoring their level of data breach risk. Given this situation, we began to look at how we could model and quantify risks specific to the breach of personally identifiable information (PII) and personal health information (PHI), since it is the unauthorized release of this information that is regulated by state and now federal laws.

To this end, we created what we call the Breach Healthcheck(tm), a tool that uses a proprietary model to assist organizations in quantifying two dimensions of measurement into a Breach Protection Index(tm) — measuring both an organization’s level of data breach exposure and its level of data breach protection. Breach Healthcheck then maps this index onto a two-dimensional risk map that gives organizations a visual indicator of their level of data breach risk.

Our sense is that organizations that are trusted to hold PII and PHI will find it useful to be able to measure their level of data breach risk, and to understand the primary areas where their practices may lead to unanticipated levels of risk. To get complimentary access to the Breach Healthcheck tool, qualified organizations can contact ID Experts at www.idexpertscorp.com or 866-726-4271.

Healthcare: Get Ready for HITECH Data Breach Notification Requirements

September 23, 2009 – 11:58 pm

by Doug Pollack

Starting September 23, 2009, healthcare organizations covered by HIPAA and the HITECH Act will be required, in the case of data breach incidents where personal health information (PHI) is improperly exposed, to notify both the individuals affected by the breach as well as the federal government, who will post this information publicly.

The data breach notification provision was an important element of the HITECH Act, which is the first federal legislation, in this case targeted at healthcare organizations, that specifies what constitutes a data breach and what notification is required for such incidents. In this case, “breach” is defined as the “unauthorized acquisition, access, use or disclosure of protected health information (PHI).”

An interesting controversy has recently surfaced in the way the Office of Health and Human Services has “interpreted” the HITECH Act breach notification provisions. The Interim Final Rule issued by HHS on August 24, 2009 specifies that a data breach incident involving PHI only requires notification if the breach represents a “significant risk of financial, reputational or other harm to the individual whose PHI has been compromised.”

In the making of this Rule, many in the industry believe that HHS has transcended congressional intent, by adding a “harm threshold” that is to be self-assessed by the organization that has caused the data breach incident.

A recent article in Computerworld titled “HHS guts health-care breach notification law, groups warn” illustrates this disconnect. It quotes Dr. Deborah Peel, founder and chairwoman of Patient Privacy Rights as saying:

“This harm requirement actually violates Congress’ intent in the stimulus bill. This is essentially an industry rewrite of the law. Given the way the law is worded, health-care organizations will have little incentive to own up to a breach involving protected health care data. This is totally for the protection of the industry. It eliminates the consumer protection that Congress intended to be built into it.” She added that her organization will be part of a “giant response” to the proposed change by national consumer protection and privacy organizations.

While the over-notification of individuals for totally benign incidents is not a positive thing, because of the level of concern and anguish that can accompany such situations, what HHS has done in setting a harm threshold that allows a self-assessed determination as to whether a data breach incident should be reported seems to give healthcare providers more of a “get out of jail free card” when incidents occur than was intended by those who wrote the law.

Independent of how this controversy resolves itself, there is no question that healthcare organizations, starting on September 23rd, must carry out a “risk assessment” whenever an incident occurs that could possibly breach the security and privacy of PHI that they hold. It would be advisable for such organizations to have clear policies and processes for such events, and to document the analysis and conclusions clearly.

Update on Lifelock-Experian Lawsuit

May 28, 2009 – 4:47 pm

by Doug Pollack

It was reported today in Finextra that US judge Andrew Guilford has concluded that “Lifelock … has been employing unfair business practices by placing fraud alerts on customer credit files it maintains.”

Data breach incidents have been on the rise this year. Typically a credit monitoring offering is provided to the victims of a data breach as part of the remediation offered by the organization that experienced the breach. Rather than provide credit monitoring, Lifelock relies on setting fraud alerts with the credit bureaus as a means of offering some protection to their customers.

The Experian lawsuit claimed, and this appears to have been upheld, that Lifelock uses “unfair business practices” by setting and resetting fraud alerts every 90 days, independent of whether there is any reason to believe the individuals are at risk of identity theft.

Social Media Risks

April 24, 2009 – 11:56 pm

by Doug Pollack

A recent news segment on the risks of identity crime that occur in the common usage of social networking sites such as Facebook, Myspace and Twitter.

Do Breach Notification Laws Work?

March 13, 2009 – 10:39 pm

by Doug Pollack

This past week, a seminar was held on the campus of UC Berkeley on the topic of Security Breach Notification. Wired Magazine published an article about this topic and the unfortunate conclusion that while breach notification laws are substantially increasing public awareness of data breaches, and awareness of the security risks of data breaches among those who hold your personal data, data breach events nonetheless are on the rise.

“It’s clear that the laws have made the public more aware of breaches and the vulnerability of their data, and have exposed poor security practices at many businesses. A 2005 study by the FBI showed that in the absence of a legal requirement to report breaches, only 20 percent of firms would report serious breaches to law enforcement.”

And while there has been a great deal of study as to whether the breach notification laws have reduced the incidence of subsequent identity theft due to breach events, the results remain inconclusive.

Old Scam Making Alarming Comeback on Facebook

February 16, 2009 – 7:17 pm


By Rebecca Seaman

Remember the classic “Nigerian 419” scam, where a rich Prince or Bank Executive from a foreign country just needed your banking information to facilitate a transfer of funds? In exchange for your help, you would receive a percentage of those funds, gratis. And just like that, you could make a profit. Unfortunately, the only ones profiting were the thieves, who would use the banking information given to them to drain the funds from your account and disappear.

Hopefully, you didn’t fall for this scam, but thousands of would-be Good Samaritans and those hoping to make a quick profit did; some of them even went to Nigeria to meet the ‘Prince’ or ‘Bank Executive’ themselves. More on this here.

A disturbing new spin on the classic “Nigerian 419” scam has emerged recently. You may be too savvy to fall for the Prince, but what if you received word that one of your own friends or loved ones was in danger and needed your help and funds immediately? Many of us, no matter how aware we may be, would do anything to help our loved ones in a time of need. In fact, a recent article by Bob Sullivan of The Red Tape Chronicles highlights just such a scenario:

One evening, Bryan Rutberg’s daughter ran into his bedroom asking why he’d changed his Facebook status to read “BRYAN IS IN URGENT NEED OF HELP!!!” Initially, Bryan let this go, until his wife woke him to ask him what was wrong. By this time the incident had his attention and soon he realized his Facebook account had been hacked. Friends began to call incessantly; several of them had received an email stating that Bryan had been held up at gunpoint while travelling abroad and needed cash to return home. One concerned friend even wired $1,200.00 to London via Western Union.

Bryan began an urgent search for a way to reach Facebook and stop the hackers. But by this time the hackers had managed to lock Bryan out of his own account. They had changed his username and password so that he couldn’t access his Facebook page. Because of this, he couldn’t remove the ominous status message or contact his friends to let them know this was a scam. The hackers had even “de-friended” his wife, so he was unable to post a message from her account alerting his friends to the situation and letting them know he was really safe at home. Eventually, he was able to get his account deactivated, but not before his friend had lost a considerable amount of money, not to mention the time it took for Bryan to sort out the mess. “It was all over by Thursday (the next day) but not without a hell of a lot of drama,” he said. By then, one concerned colleague had even called Microsoft to warn the firm that Rutberg was in trouble.

Bryan and his friend who wired the money were both educated Microsoft employees, which speaks to the fact that anyone can fall victim to new and increasingly sophisticated attacks. Bryan was the victim of a newer, more precise version of the “Nigerian 419” scam. Instead of sending out millions of spam messages in the hope of fooling a small percentage of recipients, cyber thieves are getting much more personal in their attacks, using social networking sites like Facebook and MySpace to victimize users. In Bryan’s case, criminals were able to steal his Facebook password, take over his Facebook identity, and change his status to make it seem he was in trouble and needed help.

What can you do to protect yourself from social networking scams? A few basic precautions are as follows:

· Change your password regularly; be sure that it is unique and preferably alphanumeric.

· It’s not a good idea to have the same password for more than one account.

· Be very cautious of any friend or contact asking for money or for personally identifying information. If you do receive such a request, call the person and verify their request over the phone.

· Have more than one email address, in case one address is hacked or compromised.

If you feel that your Facebook identity has been compromised, Facebook has established a link to report the abuse. Note: it’s difficult to find when navigating Facebook’s home page, so keep this link handy. http://www.facebook.com/help/contact.php?show_form=account_compromised

Third Parties in Data Breaches

February 13, 2009 – 10:33 pm

by Doug Pollack

The VA this week announced that they will pay up to $20 million to veterans whose personal information was exposed in 2006 when a laptop was lost by an employee of Unisys, a government contractor that was handling claims processing for them.

USA Today reported that while the laptop was later recovered, it had held personal information such as social security numbers for over 26 million veterans and active duty troops. This exemplifies a growing trend in data breaches: almost half of the data breaches reported in 2008 were caused by so-called “3rd parties”, outside information agencies, facilities, integrators and consultants who are entrusted with personal data by their corporate and government clients.

Given this trend, organizations must look harder at how they certify and validate the security and privacy policies of 3rd parties to whom they entrust information on their customers, patients and constituents.