Breach Notification and Awareness
Organizations Need to Do a Better Job of Educating Consumers
Historically, financial institutions, and others, have not done a good job when it comes to educating consumers about risks and keeping them informed when breaches or new risks emerge, Foley says. But with a little organizational refining, communications can be vastly improved, especially if banks and credit unions take advantage of regular dialogue they already have with their customers.
When banks and credit unions, or other entities such as utilities, send out reminder notices, marketing messages and bills, "It's a good time to remind people of potential scams that may be occurring," Foley says.
IT security professionals across all industries need to assist in educating the public. As an example, Foley points to a pilot program in San Diego, where banks and credit unions successfully implemented a customer awareness campaign that offers tips about how to recognize common fraud schemes. "The credit unions and banks put up charts talking about what the most common scams are, and while people are standing in line [at the branch], they're reading them," she says.
Hospitals should follow the same example, posting privacy notices so people are mindful of fraudulent procedures happening in the healthcare space. And government agencies, when sending out notices, should continue to warn of the newest scams as well.
But, Foley agrees, public apathy continues to be a roadblock. "They've seen these alerts before, and think they apply to someone else, not to them," she says.
Organizations need to be aware of how to educate the public and what sources they should use to grab and maintain consumer attention.
During this interview, Foley [transcript below] discusses:
- Emerging threats that are expected to pose the greatest challenges for the financial industry, government, healthcare and law enforcement;
- How breaches connect to identity theft;
- Steps every organization should take to ensure consumer data is protected.
Foley founded the Identity Theft Resource Center with Jay Foley in 1999. The nationally recognized victim assistance and public education organization was established in response to an epidemic rise in identity theft crimes. Today, Linda is acknowledged as an expert on identity theft issues.
Data Breaches and Identity Theft
TRACY KITTEN: Most of today's financial fraud has a link to identity theft. Could you tell us how the ITRC views the link between data breaches and identity theft?
LINDA FOLEY: It's very difficult to pin the problem directly just on data breaches. Financial fraud can occur in so many different ways, including lost and stolen wallets, information taken out of your mailboxes, which is the low-tech side, people with skimmers where you are using credit or debit cards in the shop itself, or ATMs and payment processors where you're sliding your card through something, like at the gas station.
There are sometimes ways of calling them a breach but sometimes we can't. We've been seeing communities that have been having problems but we can't say what the company is that's causing the breach so it doesn't get on the breach list. I would say it is a mixed bag.
Breach Trends in 2011
KITTEN: 2010 saw a number of data breaches, from those that hit financial institutions and merchants to those that compromised medical records. The ITRC tracked 662 breaches in 2010, which was an increase from 2009. What do the trends tell us and what can we expect to see in 2011?
FOLEY: In 2010 Health and Human Services were mandated to put on a public website all breaches that affected more than 500 individuals. Because of those, the media was digging deeper and we saw more articles that gave us the information we needed to add those compromised medical records, which may include Social Security numbers or billing information, onto our breach list.
Our breach list in 2010 was larger because there were more breaches reported in some cases to states that have a public website. I'm not sure that there were more breaches. My guess is there probably was, but the point is we are not seeing what the total number of breaches is nor will we ever. It's an educated guess based on understanding the crime of identity theft and thieves.
KITTEN: Did we see an improvement in security measures that were put in place to prevent breaches from 2009 to 2010, or from your perspective do you think that we have stagnated?
FOLEY: I think we saw a little of both. Because of Red Flag regulations and regulations put up by the HITECH Act, there have been more security measures put into place. The problem is that we are still seeing apathy, thinking it's just another thing they have to do at work. They are not explaining it to their employees in such a way that their employees are embracing the idea of doing these security measures.
So if you say documents must be shredded, and there is a shredder down the hallway, they may still put it in the trash because it is easier and they don't understand the importance of following through with in-house policies.
KITTEN: And how do businesses or financial institutions address that type of apathy?
FOLEY: When we are talking about best practices, businesses need to identify where their weak areas are and what security measures need to be taken, even if they are already in place.
And second would be to document it into a written policy. Then have it shared with every single person in that company, from the CEO all the way down to the receptionist and any other support personnel, even if some of the security measures don't affect those people, so that they understand this is what the company expects. This is the level of security.
I think we are seeing more security measures but we are also seeing that once they are put into place, companies aren't monitoring to make sure that there is continued regulation of those particular measures.
KITTEN: In the financial space, 2010 was the so-called year of corporate account takeovers where fraudsters, either through a hack, phishing attack or some other socially engineered method, illegally gained log-in credentials for businesses' online bank accounts. Then they subsequently drained those accounts via ACH fraud. What progress, if any, do you expect to see in the way of security improvements aimed at fighting those types of attacks?
FOLEY: With these corporate account takeovers, what is happening is they are siphoning money out of companies. They are writing checks with companies' names on the top of them, receiving money and payments, and then using those to pay for things that they are indeed purchasing themselves and not for the company.
Unfortunately, checking account takeover and the electronic draining of money is not something that we've found ways to prevent successfully yet. That is the next area. That is the next target and what we are going to be hearing about. With credit cards it goes through payment processing and we can stop it all because it's the cohesive payment system where they can immediately say that credit card is not good or you don't have authorization for that card. We don't have that with checking and electronic banking right now. Criminals are taking advantage of the electronic banking system right now.
Healthcare Industry: Sweet Spot for Breaches
KITTEN: Now moving from the financial industry to the healthcare industry, the ITRC notes that healthcare is a sweet spot for breaches. But the healthcare industry has been kind of held to the flames, if you will, required to notify the public when a breach occurs. What can other industries learn from the precedent set in the healthcare space?
FOLEY: I think it's more negative learning. Unfortunately the healthcare industry has been very reticent to make any changes in improving security measures. It's been a struggle just to get them to ask for secondary identification when people provide an insurance card so that they can find out whether it is a stolen insurance card or not. We've heard of situations where a person presents an insurance card and the employees ask to see an ID. The person says it's out in the car and they never come back in. That starts with the stolen wallets again.
We have a lot of people who have access to information within the healthcare industry, about every single patient that a doctor treats or that particular facility treats. And they are not segmenting their computer systems so that it's "need to know" about certain information. The nurses don't need to see Social Security numbers and the doctors don't need to see it. It could be a segmented section apart from the medical records.
That's what industries can learn from the healthcare industry, but unfortunately no one is learning that at the moment. Where across the board we see data on the move and people getting in on an insider being able to breach a system, it's because they can see everything with a very low password or security status.
KITTEN: If we were to look at the healthcare space, would you say that security measures have improved or would you say that it's basically just the fact that they have been separating things out? I mean that could be an improvement in and of itself.
FOLEY: I don't think the healthcare industry has made any improvements to be quite honest. They have fought against Red Flag compliance, which I don't understand why when it's in their best interest. It's not that difficult to establish written policies, educating employees and following through. We see in the news everyday that people are looking into files of patients, maybe not for the purpose of identity theft but because of curiosity. They want to see why such-and-such a person is in the hospital or what they are being treated for. I'm not necessarily seeing improvement in that area.
KITTEN: Again, as you've noted, perhaps in the healthcare space that is a good place to start because there could be a lot of opportunity there, just as in the financial space, to breach information.
FOLEY: Correct, and in many cases more so because you have more people that have hands-on access. Right now the healthcare industry is paper-oriented. The financial services industry is electronic-oriented as far as how they are holding records.
KITTEN: So, they've made a few more advancements?
Breaches are Underreported
KITTEN: Now, you note, based on the reporting that the ITRC has published, that breaches remain vastly under-reported. Would you say most of the under-reporting is coming from the financial side, where corporate account takeovers and card-related fraud are concerned, or is it across the board?
FOLEY: Actually on the financial side we're seeing more reporting of actual numbers, especially when it is card related, because they knew how many cards needed to be replaced. They have to have a forensic IT person go in, audit the system, take a look, and then a forensic accountant goes through the system and sees how many people or records may have been affected. Those are two different items. When we say that there has been such-and-such number of records potentially compromised, that's not people - those are records. It could be a checking account, a savings account or a money market account. The financial field every year has been the number one field in terms of the least amount of breaches. However, when there's a breach, we're looking at large numbers.
KITTEN: The ITRC notes that approximately 200 breaches, 29 percent of the 662 that were reported in 2010, came from mandatory reporting states. How many states have mandatory reporting, and what seems to be keeping the federal government from pushing a national notification mandate?
FOLEY: Forty-six states currently have mandatory reporting, but only three or four have public websites where the public can see the notices that have come into the state's attorney general office. That's where those 200 breaches are that we found out about that were nowhere in the media. No one would have known about it if those states, New Hampshire, Maryland, Vermont and Wisconsin, had not had a public website.
The reason we aren't seeing a federal government website is simply because legislation hasn't yet moved to that. They haven't even moved to data breach legislation itself on a national level. It's in the works. I think Senator Dianne Feinstein's bill is well-written and there's been a lot of arguing back and forth as far as what should be included and what shouldn't be included. It would be easier for every business in the country if there was a single place, a single notifier, which they have to send information to, rather than across the board to 50 different AGs.
KITTEN: You mentioned 46 states have these mandatory reporting policies but not all of them have these public websites. So then how are they notifying consumers when a breach occurs?
FOLEY: They notify them by a letter. What the mandatory notification laws typically require is that the breached companies notify the individuals that may be at risk. There are a couple of talking points in different state laws. Some of them include a phrase called "risk of harm", and it's up to the individual company to determine whether the records are at a "risk of harm" or not. It's not something that's easily measurable. It's like the fox protecting the hen house.
The other problem is that in some states it's only certain entities that must report to that state, so it doesn't cover everything. That's why we want one notification list; then you send a letter to this specific government agency. Our goal is to have that government agency post the information so that the public has the opportunity to see what's going on and find out the information for themselves.
KITTEN: Giving the power back to the consumer?
FOLEY: Correct. And I think that's important for law enforcement. Very similar to other types of crimes, there are patterns and some of these hackers have a pattern of going from one business to another or going to different states to do their skimming with ATMs or with gas stations. These are patterns that federal law enforcement agencies can study and this is why they are cracking these large cases. But it's based on merchants, or the companies that have been breached, letting the FBI or the Secret Service know that there is something going on. We can't figure out what's going on so can you come in and help us?
Types of Breaches and Notification
KITTEN: I want to go back for a moment to the types of breaches. Let's go ahead and highlight some of the things that have come out of some of the research that the ITRC has done over the last year. Of the breaches recorded by the ITRC, malicious attacks accounted for the most breaches, more so than even human error. In fact, 17.1 percent of the breaches related to hacking and 15.4 percent related to insider theft. The ITRC expects those breaches to increase in 2011 as scams become more prevalent on social networking sites via smart phones and other mobile devices. What is the connection between social networking sites and cyber attacks, as well as insider risks? And how will those things impact the financial industry, the medical space and government in the coming year?
FOLEY: This is the second year in a row that we have seen malicious attacks account for more breaches than human error. I would love to see that human error number go down to zero percent because those are avoidable - accidental posting, data that has been put onto a laptop and then lost. Insider theft is a very dangerous place. This is dangerous water because we are looking at more organized crime doing this hacking. They have the people who know the technology. What they may be doing is planting someone in an area where they have access to different codes and where they would have access to information. Then they may be hacking from inside. Every expert in identity theft says insider theft is going to become more and more prevalent. Getting information via cyber attacks is going to be the next target area due to the lack of security.
KITTEN: What about the social networking sites and the component there? Is that also part of the problem because sites like Facebook and Twitter for instance don't necessarily have the security in place that they need to?
FOLEY: Even when we are talking about social networking, we don't see a lot of businesses using social networking to keep in touch with their customers other than as a marketing tool. This is on individuals to be aware of what they put on their social networking sites, understanding it is permanent and that a friend may not be the person they say they are at all.
You never put anything personal on your Facebook page or any of your social networking sites that can be then profiled and put together with other information that they get from your tweets. For example, say you have a new puppy and that puppy's name is such and such. That probably becomes a password eventually.
KITTEN: You talked quite a bit about the need for more education when it comes to employees and I wanted to ask you about the steps that businesses, especially banks and credit unions, should be taking. What more should they be doing when it comes to ensuring fraud doesn't infiltrate systems in the first place? And does a lot of that just tie back to customer education, as well as the employee education?
FOLEY: If we are talking about hacking problems, and keeping the network and the servers safe, that means that the IT department, the chief privacy officer and the other executives within the company all have to be on the same page. They have to fund those security departments. It isn't enough to have one person putting in all the patches that keep your IT up-to-date because there are more patches that need to be installed. You need to have someone monitoring your systems 24 hours a day to look for spikes in activity that may indicate a hacker, which is what these forensic IT people are finding. For example, four months ago you had an abnormal spike and that is when the fraud or breach occurred. Then they go back to see what number was used to get into that system. That's an area we cannot afford to cut back on. We need to invest in it.
Identity Theft Trends
KITTEN: Finally, as we look to 2011 and some of the identity theft trends that we've talked about, what would you pin as being the top three-to-five areas in industries and agencies involved with banking, healthcare and government that we should be mindful of?
FOLEY: As collaborative partners in this fight against identity theft, the six industries and agencies involved, including banking, healthcare, government, military, business and education, all have to understand that they have relationships with customers and that when they send out bills and notices, it's a good time to remind people of potential scams that may be occurring. The banking community can be mindful when they see someone coming in and doing unusually large withdrawals to bring in a senior person and just ask what this is about. It could be that the person is buying a car. Or maybe "someone won the lottery and I am sending it," and they're asking for it to be converted to a money order.
They can be doing scam awareness right then and there. There was a pilot program that was done here in San Diego very successfully. The credit unions and banks in the area put up charts talking about what the most common scams are, and while people are standing in line they're reading them. Hospitals need to have privacy notices posted so that people are mindful if someone asks a question that isn't a question they should be asking.
KITTEN: And what about in the government space?
FOLEY: In the government space, the most interaction people have is the IRS and the Social Security Administration. The Social Security Administration once a year sends out your statement of working benefits to see if they seem abnormally high that year, which may mean someone else is working as you as well. Don't just take that mail that you get, glance at it and say it's too much to read. The IRS again will be putting out notices. The FBI is putting out notices. The Attorney General, the Federal Trade Commission and non-profits who all work in this area will be looking to see what the new scam is and notifying the public.
And what we've seen is public apathy. They have seen these alerts before and think they apply to someone else and not to them. They become less responsive. I really do believe that public service announcements are possibly one of the ways to go. We have to be aware of how to educate the public and what sources we use to get their attention.