2006: The Year of the Data Breach?

NASHVILLE, Tenn. – The nation may remember 2006 as the year the Democrats won the mid-term elections, Gerald Ford and James Brown died, and data breaches made an indelible mark on American business in general and the insurance industry in particular.

As the year draws to a close, security experts report that high-profile data breaches, growing sophistication among cyber criminals, increased media attention and unprecedented legislative activity have changed perceptions and practices around identity theft.

“More has changed in the world of data protection and identity theft over the past year than in the prior six or seven years combined,” says Troy Allen, chief operating officer in the fraud solutions practice at Kroll Background America Inc., a Nashville, Tenn.-based employment screening company. Allen specializes in data breaches and thefts.

Allen attributes the spike in reported data breaches to more use of electronic data in day-to-day business, less expensive data storage options, proliferation of laptop computers and portable memory drives, and weak policies and procedures by businesses.

Meanwhile, more organizations are beginning to recognize what data breaches look like and are responding, Allen says.

He lists five factors that caused shifts in the ID theft landscape in 2006.

1. Government gaffes--The Veterans Administration loss of 26.5 million records, and data loss by big agencies, such as the Internal Revenue Service and the Department of Agriculture, and small entities, like local school districts, captured the attention of policymakers and the public. “Scrutiny of the VA breach raised the bar for everything,” says Allen.

2. Regulatory requirements—Twenty-five states passed laws related to identity theft and members of the United States Congress introduced 34 bills pertaining to the subject. Most of the legislation called for notification of individuals whose data was exposed. Now, even where notification is not required, the public expects it and no longer seems willing to consider breached businesses “victims.”

3. Organized crime--Identity theft is tied to organized crime, and proceeds finance drug operations, illegal immigration and other criminal activity. Crime rings are training people to steal data and providing easy and profitable channels to market the data. “There’s now an online auction to buy and sell identities, where you can even read reviews of the sellers,” says Allen. “This is way beyond smash-and-grab laptop theft, because criminals are learning they might get as much as $40 per clean identity.”

4. Educated consumers—Large-scale efforts by the Federal Trade Commission and others have helped teach consumers to protect their personal information. More people are reluctant to divulge their identification to businesses and organizations that don’t need it. Even employees are getting savvy and demanding employers use proxy numbers instead of Social Security numbers. “There’s progress, but there also are still a lot of bad practices to be remedied, and it’s not changing fast enough,” according to Allen.

5. The Growing “Business of Identity Theft”--The demand for identity theft and data protection services has created an explosion of companies marketing identity-theft related products and services. Some are experienced organizations with security expertise, but others are questionable Internet or telemarketing operations that have sprung up overnight. False promises and marketing by fear are tainting the industry, says Allen. “Consumers need to understand that--although some businesses are offering guarantees--when it comes to protecting identities, there is no such thing. Period,” he says.

Just as 2006 brought increases in awareness, confusion and uncertainty, Allen predicts 2007 will produce its own trends, including the following:

1. Corporate preparedness—More companies will assign individuals or cross-functional teams the responsibility for data security and breach response. Employee training will increase, too.

2. Corporate restrictions--More companies will limit the use of computers and data devices, like flash drive USBs. Some businesses will disable the capability to download information. “Portable memory and CD downloads are conveniences--not necessities,” says Allen. Employers will begin insisting that more information exchange takes place via secure online transfer.

3. Social engineering crimes--Criminals will look for more efficient ways to get larger amounts of data. One scheme that is gathering momentum is bribing employees or planting employees who stay in jobs only long enough to steal records. Such criminals are tough to catch, because they use stolen identities when they apply for positions, Allen says.

Source: Kroll Background America Inc.
