--- begin forwarded text
Delivered-To: [EMAIL PROTECTED]
Date: Thu, 8 Dec 2005 15:59:25 -0500
To: Philodox Clips List <[EMAIL PROTECTED]>
From: "R. A. Hettinga" <[EMAIL PROTECTED]>
Subject: [Clips] Study Finds Mass Data Breaches Not as Risky as Smaller Lapses
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

<http://online.wsj.com/article_print/SB113380595757914237.html>

The Wall Street Journal
December 8, 2005

FISCALLY FIT
By TERRI CULLEN

Study Finds Mass Data Breaches Not as Risky as Smaller Lapses
December 8, 2005

Two scenarios: a) You're notified by an online retailer that you're among millions of customers whose account information was lost or stolen; or b) you learn a former staffer has stolen employee names, addresses and Social Security numbers from your small business. Which one puts you at greater risk for identity theft?

If you chose "b," you'd be correct, according to a study released Wednesday by ID Analytics, a San Diego company that helps companies combat fraud using pattern-recognition technology. The company examined billions of bits of identifiable information, such as Social Security numbers, cellphone numbers, dates of birth and credit-card account numbers, from consumers who were victims of security breaches. The study analyzed four cases of security breaches, two involving the theft or loss of sensitive data, including names and Social Security numbers, and two involving credit-card account information only.

SHARE YOUR THOUGHTS
What do you think? Are corporate notifications of data security breaches necessary to prevent identity theft, or do they cause unnecessary panic? What should companies do to aid customers when they discover sensitive consumer data have been lost or stolen? Write to me at [EMAIL PROTECTED]

Turns out size does matter: The study found that individuals involved in mass data security breaches are less likely to have their information misused than victims of smaller data breaches.
The sheer volume of consumers affected slows identity thieves down, says Mike Cook, vice president of product services at ID Analytics and one of the company's co-founders. "We applied identity theft to real work terms, eight-hour days, with breaks and vacation time, and found that it would take a fraudster 40 years to work a million stolen IDs," he says.

Some disclosure: ID Analytics, which is in the business of detecting identity theft for companies such as financial-services firms and retailers, initiated the study at the request of the companies whose security breaches were examined. The companies didn't sponsor the study, but ID Analytics provides services to one of the breached companies and provided services to another of the companies in the past.

The ID Analytics study also found that mass data security breaches didn't result in the identity theft free-for-all many had feared. The odds are less than one in 1,000 that misuse or fraud will be detected for individuals whose sensitive information is compromised in cases of large-scale security breaches.

Identity theft was more common when there was an intentional effort to steal information, as opposed to security lapses that occurred by accident, the study found. So, for example, you're more likely to be a victim if a thief intentionally steals a laptop to access the sensitive consumer data it holds, rather than if the thief steals the laptop simply to hock it for cash.

The study comes in the wake of a series of highly publicized mass security breaches this year, which raised concern about the potential for widespread identity theft. In June, for example, MasterCard International Inc. reported that someone had broken into the computer network of CardSystems Solutions Inc., an Atlanta company that processes credit-card transactions. The breach gave the thief access to names, account numbers and card security codes on more than 40 million credit-card accounts.
When breaches such as this are disclosed, many consumers have no idea how likely it is that their information will be used to commit fraud, says Jay Foley, co-executive director of the Identity Theft Resource Center in San Diego, a nonprofit organization that assists victims of identity theft. "What [ID Analytics] is doing is identifying quite accurately where the greatest potential danger is," he says. "The study emphasizes the types of breaches [that] businesses and government need to look at closely and take seriously."

What constitutes a higher-risk intentional breach? The riskiest category is one-on-one crimes, where a thief targets a victim to steal identification or account information. When information on thousands of individuals is stolen, however, the chances of one person in that group becoming a victim fall considerably, according to the study. "As you pass information stolen on 200 people or more in one incident, the risk drops off sharply," he says.

Consumers Need to Stay on Guard

Beth Givens, director of the Privacy Rights Clearinghouse in San Diego, warns that the study is a relatively small sampling, and that the results may lull consumers and lawmakers into believing the threat of identity theft posed by these types of data security breaches is inconsequential. "This is a very limited survey, they are only looking at four breaches and I'm concerned that their findings will be generalized," she says. "A great deal more research needs to be done on this area before any generalizations can be made."

Regardless of the size of the security breach, consumers should remain vigilant against the threat of identity theft, says Eric Zahren, a spokesman for the U.S. Secret Service. "Any and all breaches should be considered serious and potentially damaging," he says.
Indeed, while the new survey provides some comforting insight on the real and perceived dangers of breaches of information, large and small, consumers need to actively monitor and protect their sensitive financial information. (See box for tips on guarding your identity.)

A 2005 study released earlier this year by Javelin Strategy & Research, a Pleasanton, Calif., consulting firm, found that when people monitor their accounts online, they are far less likely to be victims of fraud. The average paper and mail loss to identity theft and fraud was $4,500, says Jim Van Dyke, a principal at Javelin, while the average loss suffered by victims who detected crime online was $551. "The difference is people are detecting the fraud and contacting their financial institutions sooner, and not sending checks or other personal information through the mail," he says.

Too Many Notifications, or Not Enough?

ID Analytics' findings come just as a number of bills are being considered by federal legislators that would require companies to notify consumers of security lapses. Many of the proposals focus on mass security breaches, while the study indicates that victims of smaller breaches are more vulnerable to fraud, says Fred H. Cate, director of the Center for Applied Cybersecurity Research at Indiana University in Bloomington. (See a related article.) "Legislators have been justifiably unsure of what to do because up until now there has been so little information on what works," Mr. Cate says.

Businesses have been arguing against stricter notification laws, saying the cost would be prohibitive and that notifications should be limited to breaches that threaten a significant risk of identity theft. California was the first state to require all companies to send notifications when security breaches are detected. John Hall, a spokesman for the American Bankers Association in Washington D.C., contends that businesses should be the ones to determine whether notifications are warranted.
Regulators require that financial-services firms send notifications only when the companies consider the security breaches a risk to the individuals involved. "We feel that a plethora of unnecessary warnings runs the risk of creating a 'cry-wolf' mentality, where consumers begin to ignore notifications whether they're serious or not," Mr. Hall says.

Mike Zaneis, a lobbyist with the U.S. Chamber of Commerce, which is working with several congressional committees to secure a national flexible notification standard, says too many notifications may raise unnecessary concerns about the companies who have suffered data breaches. "Certainly there is a potential to erode the consumer confidence in a certain company, and of course we want to avoid that," he says, noting that a recent survey by privacy-research organization Ponemon Institute, sponsored by the law firm White & Case of New York, found that nearly 20% of respondents said they terminated a relationship with a company after being notified of a security breach, and 40% said they were thinking about terminating the relationship.

Mr. Foley, a consumer advocate, argues that notifications are necessary for any breaches, regardless of size, and that businesses create a liability issue when they don't share information about lost or stolen data. "The companies need to analyze the information exposed, notify [consumers], give them the information necessary to offset potential problems and then just let it go," he says.

I strongly agree. Consumers should be given the information they need to determine whether a company is trustworthy or not, based on the nature of the security breaches that are reported. If mandatory notifications do result in a blizzard of paperwork stuffing consumers' mailboxes, perhaps the ensuing outrage will finally convince companies and lawmakers that a great deal more needs to be done to protect consumers' sensitive financial information.
* * *

PROTECT YOUR IDENTITY

Here are a few steps to reduce your risk of having your sensitive information lost or stolen:

Track your accounts. Review all financial account statements at least once a month, and periodically request free credit reports from the three major credit bureaus (Equifax, Experian, TransUnion).

Keep information to yourself. Don't give out credit card or Social Security numbers to anyone unless you know why it is needed. If called, hang up and contact the company requesting the information directly. Keep a list of all your account numbers and passwords in a safe place, and don't leave credit cards or checkbooks lying around the house.

Monitor your mail. Don't allow mail to sit in your box for more than a day, and consider purchasing a box with a lock. Never leave checks or other sensitive mail in your mailbox for pickup; instead, use a collection box.

Buy a shredder or go paperless. Destroy any document that contains personal information, and offers for credit you receive in the mail. Consider viewing financial account statements online, and opting out of receiving paper statements by mail.

--
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'

_______________________________________________
Clips mailing list
[EMAIL PROTECTED]
http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]