Before the Aftermath: The Importance of Identity Protection in the Age of the Data Breach
Brought to you by Generali Global Assistance

Uploaded by: paige-schaffer
Posted on: 12-Apr-2017


The majority of consumers have personally been the victims of a data breach or know someone who has, and most have received a letter containing language much like the sample notice quoted below. Data breaches are rampant across every conceivable industry (retail, financial services, education, healthcare and government), touching nearly every aspect of everyday life, which for many people includes shopping for groceries, paying bills, attending school or visiting a doctor. The odds of avoiding a data breach on any given day are therefore not in the consumer's favor. This white paper from Generali Global Assistance (GGA) traces the chronology of a data breach, focusing on its impact on consumers, what restitution (if any) they can expect, and why credit monitoring alone fails to secure personally identifiable information (PII) in the aftermath.

Consumers recall all too well the massive breach that retail giant Target reported, which occurred at its stores between November 27 and December 15, 2013. With holiday shopping in full swing, it could not have come at a worse time for Target or its customers. Nearly 40 million customer records containing credit and debit card data were stolen, and a further 70 million shoppers had personal information compromised, including names, addresses and phone numbers [i].

Unfortunately, data breaches are the "new normal" and likely will be for the foreseeable future. The Identity Theft Resource Center (ITRC) counted 781 data breaches in the U.S. in 2015 [ii], the second-highest annual total since the ITRC began tracking breaches in 2005. Even that figure is likely an understatement, since it excludes breaches that went undetected or unreported. GGA's internal data shows that the number of customers affected by data breaches has grown by more than 40% every year since 2011. Figure 1 shows a sampling of the wide range of industries hit by data breaches, which together have compromised millions of records.

The Limits of Legislation

Given the frequency, severity and magnitude of data breaches, one would assume there is a uniform federal standard to which businesses must adhere. Quite the contrary: no federal legislation comprehensively addresses data breaches, which leaves many open questions about which laws govern them. Laws in 47 states, as well as in the District of Columbia, Guam, Puerto Rico and the Virgin Islands, require businesses that experience a security breach to notify affected consumers [iii]. The details of these laws vary widely by state, however, including what counts as an acceptable method of notification (for example first-class mail or telephone) and how quickly notice must be given. Progress notwithstanding, there is still much debate over the level and duration of credit monitoring that businesses should be legally required to provide their customers.

Sample breach-notification language, as it typically appears in a consumer letter:

"Dear valued customer, we regret to inform you that your personal information may have been compromised. We are providing this notice and outlining some steps you may take to protect yourself and sincerely apologize for any inconvenience or concern this may cause."

Data breach: An incident or violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual who is not authorized to do so. This data can include personally identifiable information (PII) such as names, addresses or Social Security numbers; hospital or physician records; school or university records; payment card data; log-in credentials; and much more.


As it stands today, a business that experiences a data breach must rely on each state's law to determine what type of information triggers a consumer notice, what the notice must contain, when it must be sent and what restitution is required. Companies with customers in multiple jurisdictions [iv] are left with the difficult task of reconciling the many inconsistencies between state laws; a company with nationwide operations may find that nearly 50 different laws apply to the same breach. This creates confusion and frustration for businesses and consumers alike, with each side trying to define and interpret requirements and expectations.

For years, advocates have tried to pass bills creating a national standard, but none has been signed into law. One example is the Data Security and Breach Notification Act of 2015 (H.R. 1770) [v], a bipartisan effort to address the nation's growing data-security threats. Sentiment is mixed, however, on the benefits of a federal breach law. A single federal standard would be simpler, but some existing state laws [vi] offer far stronger protection (California's, for example), and if the 2015 bill passed and preempted them, those protections could be undermined. New privacy rules that the Federal Communications Commission (FCC) recently put forward [vii] for telephone, broadband Internet, cable and satellite subscriber information could likewise be superseded.

A recent survey by the Pew Research Center [viii] reports that "91% of adults agree or strongly agree that consumers have lost control over how personal information is collected and used by companies." The open question is how to empower consumers in the absence of federal legislation. Because no two data breaches are exactly alike, they cannot all be mitigated by the same type of protection, which makes it hard to write a federal regulatory standard that best protects consumers. Without guidelines to follow in the wake of a breach, many businesses extend offers of free credit monitoring to their customers, in something of an obligatory gesture. But what does that free credit monitoring really provide?

Figure 1: Industries affected by data breaches [ix]

  Healthcare    26.9%
  Education     16.8%
  Retail        15.9%
  Financial     12.5%
  Government     9.2%
  Service        3.5%
  Banking        2.8%
  Insurance      2.6%
  Technology     1.6%
  Media          1.4%
  Others         6.8%

Free Credit Monitoring: Check the Fine Print

Along with their customers, the companies affected by breaches suffer serious consequences. The biggest impact on a business is usually financial, but regaining and rebuilding customer trust over the long term can be just as hard. At first glance, offering free credit monitoring seems to demonstrate a company's care and concern, a noble first step and token of goodwill. On closer inspection, however, it looks more like a regulatory check box for businesses doing damage control than true protection for the consumer. Paige Schaffer, President and COO of Identity and Digital Protection Services at GGA, agrees: "Proactive and robust risk mitigation goes far beyond just credit monitoring. What really offers the most value to customers is comprehensive identity theft protection that includes education, protection, detection, monitoring, alerts and full-scale resolution."

While free credit monitoring may be a "feel-good" measure that helps consumers through their initial distress, it is far from a complete solution. Standalone credit monitoring does little more than alert consumers to activity on their credit files; it does not track fraudulent credit or debit card charges, and it does nothing to prevent other forms of identity theft. Moreover, these services typically monitor only one of the three major credit bureaus (Experian, TransUnion and Equifax), so potential identity fraud can be missed.

To illustrate, when a fraudulent new credit account is opened, it may initially appear on only one bureau's report. Once spending begins, the account will eventually be captured on the other two reports, but only if the creditor reports to all three bureaus, and not all do. The problem is the lag between the moment an identity thief opens a fraudulent account and the moment the resulting activity is reflected elsewhere, if it ever is. A fraudster can easily apply for several accounts before any of them is reported across all three bureaus, so a consumer monitored at a single bureau could suffer several months' worth of damage to their credit before becoming aware of it.

Perhaps most concerning, many free credit monitoring services are offered for only six months to a year, and some for just three months. To many unsuspecting consumers a year can seem like a long time, but in the context of identity theft it is woefully insufficient. A compromised Social Security number, for example, can be misused in many ways and cannot be changed as easily as a credit card number. Data breaches can leave a trail of damage that lasts for years, sometimes forever.

In response to a cyberattack in which sensitive PII including Social Security numbers was stolen, one major health insurer provided not one but two years of credit monitoring for its policyholders. Two years may appear generous, but it is not nearly long enough: savvy criminals hold on to stolen information for years and wait until people become less vigilant. Some organizations offer the option to keep credit monitoring after the free period ends, but often with strings attached. In this case, policyholders could keep their credit monitoring only as long as they remained members, and buried in the fine print of the terms and conditions was language requiring members who chose extended monitoring to 1) accept arbitration (in a specified city and state) to settle any dispute and 2) give up their right to sue the company.

Figure 2: Breach methods observed from 2005 to April 2015 [ix]
(Stacked bar chart, not reproduced in this transcript. X-axis: year, 2005 through 2015; y-axis: number of breaches, 0 to 800. Series: hacking or malware; insider leak; payment card fraud; physical device loss; portable device; stationary device; unintended disclosure; unknown.)

A Better Way to Ensure Identity Protection

Personally identifiable information (PII) can be likened to the pieces of a jigsaw puzzle, with fraudsters trying to fill in the missing pieces. As identity thieves grow savvier, it is more critical than ever to stop them from completing the picture. Nothing and no one can entirely prevent identity theft, but a comprehensive identity protection solution is the most effective way to mitigate its risks. Even the most conscientious consumers can overlook suspicious activity, and many simply lack the time or expertise to safeguard their identities fully on a regular basis. Just as automobile and medical insurance offer security in the event of an unforeseen accident, identity protection provides consumers with protection before, during and after a breach.

Prevention is the foundation of full-scale identity protection. When evaluating identity protection providers, consumers should look for those that offer educational resources and best practices. Digital privacy software that includes anti-phishing and password-protection tools also helps guard against attackers and blocks threats from malicious websites, so that consumers can use the Internet with less risk. Other preventive measures, such as opt-out services, reduce pre-approved credit card offers and similar avenues that thieves use to steal PII.

While credit monitoring is important, it is only one component of identity protection. Credit monitoring flags activity on credit reports only, so other types of identity theft go undetected (for example, misuse of bank account information or of a Social Security number that never touches a credit file). Identity monitoring, by contrast, focuses on the identity itself, alerting consumers when their PII is being used in ways that typically do not appear on credit reports, such as opening new utility accounts or taking out payday loans. Consumers who receive standalone free credit monitoring after a data breach should be aware of how limited that protection is likely to be. Only a full identity protection solution provides both identity and credit monitoring, including the option of credit tracking across all three bureaus, which ensures prompt notification of fraudulent activity and heads off spiraling damage.

Figure 3: Record-type combinations compromised [ix]
(Chart not reproduced in this transcript.)

Most consumer activity takes place on the mainstream World Wide Web (the "surface web"), which is made up of traditional websites and social networks indexed by popular search engines such as Google. Advanced identity monitoring services also scour the farther reaches of the Internet, the deep web and the dark web, for suspicious activity. The deep web, said to make up about 90% of the Internet, is the content that general search engines do not index, such as pages behind logins, paywalls or a site's own search form. The dark web is a smaller part of that unindexed content, reachable only with anonymizing software (Tor is the best-known example), and it is where cybercriminals conduct illegal business such as buying and selling personal information and payment card data.

Identity protection companies with the experience and capability to monitor the deep and dark web may offer this higher level of identity monitoring, including technology that continuously scans for current and emerging threats before they surface. Such services can include Internet surveillance that proactively compares the PII a consumer enters into a monitoring dashboard against data known to have been compromised. Advanced identity monitoring will also detect compromised credentials linked to breaches and underground trading. Consumers receive alerts along with next steps, including the option to speak 24/7 with a live resolution specialist, to help ensure that their personal information stays personal.
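One design question the paragraph above raises is how a monitoring service can compare a consumer's PII or passwords against a compromised-data corpus without itself becoming a second place where those secrets sit in the clear. The example below is added here and is not code from the whitepaper or from GGA; it assumes a hash-prefix (k-anonymity) range query of the kind used by public compromised-password services, in which the client hashes the secret locally, sends only the first five hex characters of the hash, and performs the final match itself. The function names, the breach corpus and every address and password in it are constructed for the demonstration.

```python
"""Privacy-preserving compromised-credential check (added example, not GGA's code).

Models the "compare a consumer's PII against compromised data" service as a
hash-prefix (k-anonymity) range query: the consumer's client hashes the secret
locally and sends only the first PREFIX_LEN hex characters; the service returns
every stored hash suffix under that prefix, and the client does the final match
itself. The service therefore never sees the plaintext or even the full hash.
The breach corpus below is constructed for the demonstration; it is not real
leaked data. Function names and the design are assumptions for this example.
"""
import hashlib
from collections import Counter, defaultdict

PREFIX_LEN = 5  # hex characters sent to the service (20 bits of a 160-bit SHA-1)

# Constructed sample of a "compromised credentials" dump (fictional data).
SAMPLE_BREACH_CORPUS = [
    ("Alice.Example@example.com", "password123"),
    ("bob@example.org", "Summer2015!"),
    ("carol@example.net", "password123"),
    ("  Alice.Example@example.com ", "letmein"),
    ("dave@example.com", "correct horse battery staple"),
]


def normalize_email(email: str) -> str:
    """Canonicalize an address so case and whitespace variants match one record."""
    return email.strip().lower()


def sha1_hex(value: str) -> str:
    """Upper-case hex SHA-1; the hash used by public password range-query APIs."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def build_index(corpus):
    """Service side: index hashed passwords and emails by hash prefix.

    Returns {"passwords": {prefix: {suffix: count}}, "emails": {...}}. Counts
    tell a consumer how often a password, or how many records with their
    address, appeared across the dump.
    """
    passwords = defaultdict(Counter)
    emails = defaultdict(Counter)
    for email, password in corpus:
        ph = sha1_hex(password)
        passwords[ph[:PREFIX_LEN]][ph[PREFIX_LEN:]] += 1
        eh = sha1_hex(normalize_email(email))
        emails[eh[:PREFIX_LEN]][eh[PREFIX_LEN:]] += 1
    return {"passwords": dict(passwords), "emails": dict(emails)}


def range_query(index, kind, prefix):
    """Service API: return every (suffix, count) stored under a hash prefix.

    The service learns only the prefix, which roughly 1 / 16**PREFIX_LEN of all
    possible values share, so it cannot tell which one the caller holds.
    """
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return sorted(index[kind].get(prefix.upper(), {}).items())


def check_secret(index, kind, value):
    """Client side: hash locally, query by prefix, match the suffix locally.

    Returns how many times the value appeared in the corpus (0 = not seen).
    """
    digest = sha1_hex(normalize_email(value) if kind == "emails" else value)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, count in range_query(index, kind, prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def monitor_consumer(index, email, passwords):
    """What a monitoring dashboard would alert on for one consumer."""
    return {
        "email_records": check_secret(index, "emails", email),
        "compromised_passwords": [p for p in passwords if check_secret(index, "passwords", p)],
    }


if __name__ == "__main__":
    idx = build_index(SAMPLE_BREACH_CORPUS)
    print(monitor_consumer(idx, "alice.example@example.com", ["letmein", "Tr0ub4dor&3"]))
```

Running the block prints the alert a dashboard would raise for the constructed consumer: the address appears in two leaked records and one of the two passwords checked is compromised. With a five-character prefix the service learns only 20 bits of the hash, so it cannot identify the value queried; the trade-off is response size, since every stored suffix under that prefix is returned, and the email check still reveals the consumer's identity to the service the consumer has enrolled with, which is the expected trust relationship for a monitoring dashboard.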

The last key part of an identity protection program is resolution, which many companies do not provide for customers affected by a data breach. If identity theft does occur, full-scale identity resolution delivers many benefits. Certified resolution specialists work 24/7 to help victims restore their identities, assisting with affidavit submission, creditor notification and follow-up, credit freezes, fraud alert placement and other services. Some will act on the victim's behalf, if authorized, to deal with creditors, and can help navigate the intricacies of identity theft involving legal matters or the Internal Revenue Service. These services not only give victims personal, expert assistance in their critical time of need but also save them valuable time and resources. Most major identity protection providers also offer identity theft insurance, which reimburses expenses related to the recovery process such as lost wages and legal fees.

Figure 4: Top 10 record-type combinations compromised versus breach methods used [ix]
(Stacked bar chart, not reproduced in this transcript. X-axis: record-type combinations of PII, health, financial, payment card, education and credential data; y-axis: number of breaches, 0 to 2K. Series: hacking or malware; insider leak; payment card fraud; physical loss; portable device loss; stationary device loss; unintended disclosure; unknown.)

As long as identity theft exists and the world grows ever more connected, consumers must be their own best advocates. Keeping up with the latest string of data breaches is dizzying. Having a proactive, ongoing identity protection solution already in place spares consumers from having to brace for yet another incident and lets them go about their daily lives as normally as possible. GGA's Schaffer stresses the importance of a proactive identity protection plan to businesses that are equally concerned about the threat of data breaches: "Implementing a comprehensive program for employees and/or customers goes a long way to help a company mitigate their financial and reputational risks." A trusted identity protection provider that can address the "full circle of identity theft" gives consumers, and businesses, the peace of mind they need to stay ahead of the aftermath in today's age of the data breach.

A People-First Partner in Protection

In 2003, Generali Global Assistance (GGA) was one of the first companies to provide identity theft resolution services in the U.S., and today it is a leading provider of identity protection services, protecting millions of identities from the growing threat of identity theft. GGA has protected our clients and their customers for over 50 years. As the pioneer of the assistance concept, it is in our core DNA to assist customers in the most dire and difficult circumstances. Customer service is not just a philosophy; it is our culture.

Our Identity and Digital Protection Services business unit was named the 2016 Gold winner in the Stevie International Business Awards for Customer Service Department of the Year. This is the fourth consecutive year that GGA has received a Stevie Award, with four awards for excellence in the Customer Service category and one for innovation in customer service technology. We go the distance to ensure customer care, including several "do it for you" resolution services not offered by other identity protection companies.

We stand ready to provide hands-on assistance to minimize the distress consumers face when confronted with identity fraud, wherever life takes them. Our comprehensive 360° approach mitigates the risks of identity fraud and provides the true value of protection, resolution and peace of mind.

GGA, formerly Europ Assistance in the U.S., is based in Bethesda, MD, and has been a leader in the assistance industry since its founding in 1963. GGA is a division of the multinational Generali Group, which over 185 years has built a presence in more than 60 countries with over 76,000 employees.

Sources

[i] Target Corporation, https://corporate.target.com/article/2013/12/important-notice-unauthorized-access-to-payment-ca
[ii] Identity Theft Resource Center (ITRC), http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015data-breaches.html
[iii] National Conference of State Legislatures (NCSL), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
[iv] The Hill, http://thehill.com/blogs/congress-blog/judicial/248978-businesses-need-a-preemptive-federal-law-on-data-breach
[v] H.R. 1770, Data Security and Breach Notification Act of 2015, https://www.congress.gov/114/bills/hr1770/BILLS-114hr1770ih.pdf
[vi] California Data Breach Report, https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf
[vii] Federal Communications Commission (FCC), http://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0401/FCC-16-39A1.pdf
[viii] Pew Research Center, http://www.pewresearch.org/fact-tank/2016/01/20/the-state-of-privacy-in-america/
[ix] Trend Micro, http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-analyzing-breaches-by-industry.pdf