The Year of the Data Breach - 2006 Dramatically Changed the Identity Theft Landscape

As 2006 draws to a close, national experts in data security report that high-profile data breaches, growing criminal sophistication, increased media attention and unprecedented legislative activity have changed perceptions and practices around identity theft and left an indelible mark on the business environment. "More has changed in the world of data protection and identity theft over the past year than in the prior six or seven years combined,” said Troy Allen, Chief operating officer at Kroll’s Fraud Solutions practice, and a recognized expert in the rapidly changing and complex world of data breaches and thefts. Allen attributes the spike in reported data breaches to more use of electronic data in day-to-day business, increasingly cheaper data storage options, proliferation of laptop computers and portable memory drives, and insufficient development and enforcement of comprehensive policies and procedures by businesses. In addition, because more organizations now recognize what different forms of data breaches look like, there is greater recognition and response activity. What was most responsible for shifts in the ID theft landscape in 2006? Allen lists the following five factors: 1. Government gaffes -- The Veterans Administration’s controversial breach involving 26.5 million records, and data loss by big agencies such as the Internal Revenue Service and The Department of Agriculture, and small entities like local school districts captured the attention of policymakers and the public. "Scrutiny of the VA breach raised the bar for everything,” says Allen. 2. Regulatory requirements – Twenty five state laws and 34 bills were introduced in the U.S. Congress related to identity theft. Most were directly related to notification of those individuals whose data was exposed. Now, even where notification is not required, it is increasingly expected by the public, who no longer seem willing to perceive breached businesses as "victims” themselves. 3. Organized Crime – Identity theft is increasingly tied to sophisticated, organized crime and used to finance drug operations, illegal immigration and other criminal activity. Crime rings are training people to steal data and providing easy and profitable channels to market the data. "There’s now an online auction to buy and sell identities, where you can even read reviews of the sellers,” says Allen. "This is way beyond smash-and-grab laptop theft because criminals are learning they might get as much as $40 per clean identity.” 4. Educated Consumers – Large scale efforts by the Federal Trade Commission and others have helped educate consumers about protecting their personal information. More people are reluctant to give out their personal identification to businesses and organizations that don’t need it. Even employees are getting more savvy and demanding their employers use proxy numbers instead of Social Security numbers. "There’s progress, but there also are still a lot of bad practices to be remedied, and it’s not changing fast enough,” according to Allen. 5. The Growing "Business of Identity Theft” – The demand for identity theft and data protection services has created an explosion of companies marketing identity-theft related products and services. Some are experienced organizations with security expertise, but others are questionable internet and/or telemarketing operations that have sprung up overnight. False promises and marketing by fear are tainting the industry, says Allen: "Consumers need to understand that, although some businesses are offering guarantees, when it comes to protecting identities, there is no such thing. Period.” Just as 2006 brought increases in awareness, confusion and uncertainty, Allen predicts 2007 will produce its own trends, including the following: 1. Corporate Preparedness Focus – Companies and organizations will increasingly designate individuals or cross-functional teams with responsibility for proactive data security and breach response, and conduct greater employee education and training. 2. Down with Downloads -- More organizations will implement policies and practices placing restrictions on computers and data devices, like flash drive USBs. This will include companies disabling capabilities to download information from computers. "Portable memory and CD downloads are conveniences, not necessities,” says Allen. Employers will begin insisting that more information exchange takes place via secure online transfer. 3. Social Engineering Crimes – Criminals are looking for more efficient ways to get larger amounts of data. One scheme that is gathering momentum is bribing employees or actually planting employees who get hired with the sole intention of staying only long enough to steal records. Sadly, the criminals are tough to catch because they get these jobs using stolen identities. Increased employee background screening will be essential. 4. Standards for ID Theft Services – Consumers and businesses need help determining what companies are reputable and trustworthy. In the absence of any federal regulation, there is growing momentum among responsible service providers and consumer advocates for self-regulation of this industry through best practices governing how services are marketed and what business promise. "It’s in everyone’s interest to get this under control,” says Allen. "People should to be able to trust the organizations they are turning to for help.” About Kroll Kroll, the world's leading risk consulting company, provides a broad range of investigative, intelligence, financial, security and technology services to help clients reduce risks, solve problems and capitalize on opportunities. Kroll Inc. is a wholly-owned subsidiary of Marsh & McLennan Companies, Inc. (NYSE: MMC), the global professional services firm. Kroll began providing identity theft solutions in 1999 and created its Fraud Solutions practice in 2002 in response to increasing requests from clients for counsel and services associated with the loss of sensitive personal information, and related identity protection and restoration issues facing organizations and individuals. Since then, Kroll’s Fraud Solutions clients have included Fortune 500 companies, non-profit organizations, and government entities dealing with healthcare, financial services, insurance, consumer service, and any activity involving the collection and use of personal information. Kroll’s Fraud Solutions team presently serves over 10,000 businesses and millions of individual consumers.