2005: The Year of the Breach?
Consumer Perceptions and Their Impact on
Best Practices in Information Breach Remediation
Issue Briefing | February 7, 2006
TABLE OF CONTENTS
SECTION 1
Executive Summary (p. 3)
Overview: Defining the data breach (p. 9)
  Sidebar: The Definition Debate (p. 10)
2005: The Year of the Breach? (p. 11)
The Future: Legislative intervention or self regulation? (p. 12)
SECTION 2
Overview: The impact of data breaches on consumer behavior (p. 15)
Best Practices (p. 17)
  Sidebar: The Benefits of Monitoring (p. 25)
Best Practices: The list (p. 26)
ADDENDUM
Sources (p. 28)
Biography: Brian G. McGinley (p. 29)
Survey Methodology (p. 30)
About Intersections Inc. (p. 30)
Researched and prepared by Carolyn Kopf and Amy Gergely for Intersections Inc.,
with special thanks to contributor Brian G. McGinley, Wachovia Corporation.
SECTION 1
EXECUTIVE SUMMARY
The numbers are staggering and the news headlines are alarming, to say the
least. “The Year of the Breach” is now one of the monikers that may follow 2005
into perpetuity. But is it really accurate?
Are breaches of data more common today than in the recent past? Exactly how
serious are data breaches? What constitutes a data breach anyway – lost backup
tapes containing encrypted data, a system intrusion by a hacker trying to prove a
point or the unauthorized sale of customer files to third parties?
The answers to these questions may change over time as public, industry and
government responses to this phenomenon continue to develop. In the
meantime, the media are focusing increased attention on the occurrences of and
reactions to data breaches large and small; legislators debate the responsibilities
of businesses and organizations to both prevent and respond to such incidents;
and consumers worry about the ability of a variety of industries to handle their
confidential information with the utmost care. And, perhaps most importantly,
all of these factors are having great influence on consumer behavior.
As many as 57 million1 Americans were identified as victims of data breaches in
2005, dwarfing the number of estimated identity theft victims, pegged at
between 9 and 10 million2 per year. These statistics are driving consumer
perceptions and, in turn, affecting their commercial behavior.
Publicity around data breaches is supercharging the privacy debate, sparking
new discussions about business practices, government regulation and consumer
privacy rights. Exactly how is this dialogue affecting consumer perceptions?
What are companies doing in response? How will this change the commercial
landscape over the next few years? These are some of the primary questions
addressed in this paper. But the most important is this: Why should you care?
Privacy is clearly an issue of great importance to a large number of American
consumers. This concern can be demonstrated by noting the number of
consumers who have placed their phone numbers on the National Do Not Call
Registry since its launch in June 2003. The Registry topped 100 million registered
phone numbers in 2005, with residents in California, New York, Florida and
Texas leading the way.3
Just as telemarketers braced for a sea change in their business practices
with the implementation of the National Do Not Call Registry, the many
companies that collect, maintain and sell personal data may be faced with
similar challenges in the coming months and years.
In addition to the costs of possible regulation, some are projecting an immediate
and lingering negative effect on consumer trust. Research by Gartner Inc.
projected that so-called phishing4 attacks and other breaches of consumers’
personal information “will inhibit three-year U.S. e-commerce growth rates by 1
percent to 3 percent,”5 despite the fact that the majority of identity fraud cases
start with an offline theft of data.6
According to Brian G. McGinley, Wachovia Corporation’s Senior Vice President
of Loss Management, institutions should expect “some attrition after an incident,
regardless of the outcome.” But, he points out, the institution also has “an
opportunity to cement the relationship with loyal customers if the institution can
show that it has stood behind them by keeping the customer informed all along
the way.”
Many customers seem to understand that data breaches are, to some extent,
inevitable, and that going to the effort of moving their accounts does not
guarantee they won’t be subject to potential issues in the future. Even so, a 2004
Unisys study found that nearly half of U.S. households would be willing to
switch their accounts to financial institutions that offer stronger theft detection
and alert services.7
The risks to institutions from data breaches, of course, are not limited to a
potential loss of individual customers. In the case of CardSystems Solutions, the
credit card payment processor whose May 2005 breach was the largest reported
last year, it meant the loss of two major clients – American Express and VISA.
Even though its breach was but one of at least 134 reported in 2005,1
CardSystems became the poster child of the financial industry and media due to
the scale of its breach and the fact that its prominent clients are the ones that
must notify their customers. In other words, the CardSystems breach affected not
only that company’s reputation, but also the reputations of its clients, who had to
deal directly with the affected consumers.
According to Bank Security News, “The CardSystems’ breach has done more than
give shivers to customers over their personal data security. It’s also dispersed a
large ripple of anxiety across financial institutions and service providers who are
suddenly worried they may be the next CNN headline or class-action
defendant.”8
The authors of this paper consulted a number of sources, including consumer
research and a personal interview with a loss control executive, to derive some
common conclusions and actionable recommendations for businesses or
organizations that have been or may be affected by breaches of customer,
employee or member data. Businesses and organizations should use this
information to help develop best practices that may significantly reduce their
exposure to the negative consequences of data breaches and as an opportunity to
solidify their customer relationships.
Data breaches raise issues of privacy and security.
There is no definitive evidence that data breaches are more common now than in
the past, but more laws requiring notification of breaches are working their way
through legislative halls, while voluntary compliance is taking shape in
corporate boardrooms, making data security a major issue for corporations and
consumers alike. As a result, businesses and organizations have a choice: self-
regulation or more involuntary regulation.
When it comes to consumers’ privacy, perception is reality.
According to McGinley, “Our customers define what identity theft and fraud are,
and how it impacts them.” Companies that do not recognize this fact will lose
business. A Privacy and American Business and Harris Interactive study found
that “more than two thirds of the American public has lost confidence in the
handling of their personal information.”9 The study illustrates how deeply the
recent disclosures of breaches and online attacks have impacted consumer
confidence – and, in turn, businesses – on multiple levels.
The repercussions of data breaches are real.
From customer churn to potential class-action lawsuits to negative publicity that
may affect future business, consumers are reacting to concerns over privacy and
the security of their personal data.
More than three out of four consumers who are aware of data breaches are
personally concerned about the security of their own information, and more than
half have taken some type of action as a result of this concern.15
And while there is comparatively little research into consumer behavior after a
data breach incident, early surveys indicate that the impact on affected
businesses may be considerable.
All breaches are not the same.
A data breach occurs when privileged information is lost, stolen or simply
misplaced. A breach might result from direct, malicious intent to undermine an
organization’s security systems or procedures. A data breach can also occur
when information is lost in transit – either physically or electronically – between
two companies or two locations. Once a breach does occur, the chance that
exposed data are used to commit fraud is dependent upon a number of factors.
According to available data, the majority of confidential information that is
potentially exposed to unauthorized persons as the result of a data breach is
never used to commit fraud, but this is not often well understood or
communicated. It is also possible that the detailed facts and circumstances that
contribute to a specific breach, loss of information or exposure of privileged data
may not be clear at the time of discovery.
It is for these reasons that companies and organizations should analyze the
nature of each breach incident and use all available information to both better
explain the incident to affected customers as well as to determine which services
would best serve a particular group of customers.
All organizations are not the same.
Consumers have widely varying perceptions about which organizations they
trust to protect their personal data. The majority of Americans have positive
perceptions about banks and financial institutions and health care providers.
However, consumers have little confidence in the ability of other types of
organizations – including educational institutions, online retailers, small
businesses and mobile phone companies – to protect their privacy effectively and
shield them from the risk of fraud.
These findings suggest that certain organizations, including educational
institutions and small businesses, may have the most to gain by implementing
business practices that improve the privacy and security of their customers’
personal information.
Most consumers affected by breaches don’t think organizations are doing
enough to assist them.
Consumers are most concerned about four issues after a data breach:
o How likely is it that their personal information will be misused?
o How will they know if their information is used to perpetuate fraud?
o What do they need to do in the aftermath of a breach?
o What services will be available to assist them?
The majority of consumers want companies to provide victim assistance,
including help in resolving any fraud, such as hotlines to address their questions.
Many consumers also indicate that they would like affected organizations to
provide complimentary credit reports, data monitoring services and identity
theft insurance. However, the vast majority of organizations today do not offer
these services.
Consumers are willing to do some legwork.
Many of the post-breach services consumers want are those that encourage them
to participate in their own security. Consumers want as much information as
possible after a breach and they are willing to do some of the legwork after such
an incident to ensure the continued security of their assets. Organizations should
view this as a golden opportunity to engage the consumer in taking joint
responsibility for ensuring the security of their information. Engaged and
security-conscious consumers are likely to be more willing to accept other shared
security measures, such as shared secrets, more complicated passwords,
passkeys, tokens and biometrics.
Furthermore, the Federal Trade Commission (FTC) found that more than 50
percent of identity theft victims first discovered the theft by monitoring their
accounts.2 Customers who are able to monitor their accounts, credit reports and,
in the future, credit applications and public data files, may help reduce overall
fraud losses and be better, more loyal customers. (See The Benefits of Monitoring
on page 25.)
A quick and honest response is the single most effective way to respond to
a data breach.
Nearly nine in ten consumers said it would be very important to them that, after
a data breach, the company or organization communicate the problem honestly
and quickly. To accomplish this, organizations should use the fastest and most
personal – rather than the least expensive – means of notification and provide a
dedicated channel (such as a toll-free hotline) by which consumers can contact
the organization for more information.
Organizations that are not capable of providing these services directly can look
to fraud resolution companies such as the Intersections Inc. Identity Theft
Recovery Unit or the Identity Theft Assistance Center to set up and manage
fraud resolution services on a per incident or ongoing basis.
The method by which a consumer is notified of a data breach is extremely
important to the effectiveness of an organization’s response.
The method by which a consumer is notified could impact their level of trust in
the notification and, ultimately, their decision to continue conducting business
with the organization that experienced the breach. Among those consumers who
said they did not trust a notification they received from an institution following a
data breach incident, 86 percent said they would take their business elsewhere.10
Furthermore, the Ponemon Institute cautioned against using form letters and e-
mails to notify consumers of data breach incidents. “Those businesses that
deploy canned e-mails or form letters to communicate a data breach to victims
are more than three times as likely to lose customers as those that contact victims
by telephone or personalized letters or a combination of both.”10
Education is key.
Consumers would greatly benefit from unbiased education, support and a
variety of tools and services that enable them to stay informed and feel protected,
before and after a data breach. The media, consumer advocacy organizations
such as the Identity Theft Resource Center (ITRC) and identity theft and fraud
protection companies are leading the efforts to bring a greater understanding of
the true risks of compromised data to consumers. Affected companies and
organizations should accept a larger role in educating their customers, while
avoiding misleading advertising and marketing messages that confuse
consumers.
OVERVIEW: Defining the data breach
A data breach can expose data on one person or millions of individuals in one
fell swoop, which criminals may then use to fraudulently take control of the
victim’s credit, assets or other benefits. It turns out, however, that the risk of such
fraud varies greatly depending upon a variety of factors. Research conducted by
ID Analytics, a risk management company that is also an Intersections Inc.
partner, found that different breaches pose distinctly different degrees of risk
depending on the size of the breach, the type of information obtained and the
nature of the incident.11
While all data breaches are not the same, by definition they expose (or
potentially expose) to unauthorized parties personal information that may be
used to commit fraud. For many consumers, any increased risk of fraud
perpetuated by such an incident is unacceptable and constitutes a fundamental
breach of trust. Meanwhile, corporations and legislators are attempting to come
to consensus about the variable severity of different types of breaches in order to
determine what types of remedial action may be required for any given type of
breach.
In their research, ID Analytics distinguished between identity-level breaches, where names and Social Security numbers were stolen, and account-level breaches, where only account numbers (sometimes associated with names) were stolen. They found that the most serious risk is posed by smaller identity-level breaches that involve clearly malicious intent, such as hacking or insider theft.11
This research supports some experts’ beliefs that data breaches should be more narrowly defined. Said McGinley, “An internal breach to me indicates that there has been a breakdown in process or somebody has overcome your defenses.”
This is an opinion that has figured into legislative debate over what constitutes a breach, who is at risk of fraud and who should be notified. The ID Analytics research should be useful to companies and organizations that want to determine what services comprise the most appropriate response to a particular breach incident.
Consumer advocates agree. “Consumers need to know the level of risk that is posed if they are part of a data breach. While any data breach is cause for concern, consumers that have been impacted need guidance as to the degree of risk involved,” said Linda Foley, executive director of the ITRC. “It’s not helpful for consumers to receive a generic letter in the mail, telling them that they may or may not be at risk. We need to help victims of breaches understand when they need to be more vigilant and prevent them from being unnecessarily alarmed.”11
Sidebar: The Definition Debate
Defining identity theft and identity fraud has been a tricky issue, fraught with political and economic ramifications, as are so many hot-button issues. The financial industry has spent a lot of energy trying to determine what identity theft is and is not. While this exercise is necessary to identify appropriate responses to specific types of threats, in the end, it is the customer who defines identity theft and how it impacts them.
Advocates and government often define identity theft much more broadly than do financial institutions and other companies that collect personal information in the course of doing business. Largely, that’s because advocates and government seek awareness, legislative and regulatory action and funding for new initiatives, while companies want to demonstrate that they already have safeguards in place to protect consumers.
It can be argued that the lack of consensus around what constitutes identity theft and how it relates to fraud has hampered efforts to find solutions. For purposes of this paper, however, identity theft and identity fraud are defined as follows.
Identity theft: A crime that occurs when a thief gains unauthorized access to a person’s private information with the intention of using that information to impersonate the victim or to create a new identity and thereby fraudulently use the victim’s credit, assets or benefits.
Identity fraud: A crime that occurs when a thief actually utilizes a person’s private information to purposefully and fraudulently take control of the victim’s credit, assets or benefits.
Using these definitions, we can clarify that a significant number of data breaches result in multiple cases of identity theft, but not every identity theft will result in fraud. In other words, identity theft is a privacy issue and identity fraud is a security issue.9
While a better understanding of what type of breach constitutes the greatest risk
to the consumer would help companies develop better prevention and
remediation techniques, it is important to remember that perception is reality.
2005: The Year of the Breach?
According to the ITRC, which has tracked data breaches since 2001, “One thing
we can say is that this is not a new problem.”12
Data security is also not an issue that is of concern only to American
corporations. According to Deloitte, 83 percent of financial institutions worldwide
acknowledged that their systems were compromised in 2004, with 40 percent
sustaining financial losses.13
In the U.S., the ITRC points to laws – including SB 1386, the California breach
notification law that was the first of its kind in the nation – and public pressure
as the primary reasons why news about data breaches has grown more common.
Another reason is the media. Consumers are inundated by news of their
increased risk of identity theft and fraud. A Google news search, in fact, turned
up 60 articles during a three-week period from late August through mid-
September 2005 under the term “data breach” and 514 under “identity theft and
Katrina” (referring to Hurricane Katrina, which struck the U.S. Gulf Coast
August 29, 2005).14 A follow-up search in December yielded 121 articles under the
search term “data breaches” during the previous 30 days.
According to McGinley, “The media [are] serving a purpose of making people
aware of the fact that identity information is valuable. In some cases, it’s
misreported or misconstrued where there’s a natural assumption that any
identification information or personal information that is lost, or stolen, or
otherwise compromised is going to be used for identity theft, and that correlation
isn’t true.”
So, is 2005 really “The Year of the Breach,” or may it more accurately be called
“The Year of the Breach Notification?” In August 2005, one in ten consumers
reported they had received notification that they were among the individuals
whose information was compromised during the preceding 12 months.15
While many consider data security an issue exclusive to financial institutions and
data brokers, proliferating notification requirements have shown that data
breaches are not confined to a single type of organization. The ITRC found that
out of 134 disclosed breaches as of December 19, 2005, more than 50 percent
impacted educational institutions such as colleges, universities and even high
schools. Financial, government and health-related organizations each
represented 16 percent or less of disclosed breaches. The remainder were
reported by some of the nation’s largest employers – such as Time Warner and
MCI – along with retail, data and other companies.1 (For the most updated list of
reported breaches, visit www.idtheftcenter.org/breaches.pdf.)
Educational institutions were among the least likely to offer their affected
populations any type of service to help them identify or recover from potential
breach-related fraud, according to an analysis of publicly-available information
and Intersections’ own experience delivering breach-related services to millions
of affected consumers. This is particularly troublesome because, according to
research conducted for Intersections Inc. by Ipsos-Reid, younger Americans
(aged 18-34) were the most unaware of data breaches among all groups polled.15
The data clearly point to the need for more consumer education, as well as active
cooperation and collaboration with the media, in order to explain the nature and
potential consequences of a breach and remediation efforts available prior to and
immediately after a breach.
THE FUTURE: Legislative intervention or self-regulation?
News of data breaches has radically affected the national dialogue about identity
theft and identity fraud. Many now expect a national breach notification law and
momentum is increasing toward giving consumers the right to freeze their credit
records. Some states have already adopted such laws. Other efforts are under
way to regulate the sale of consumer data and to create an Office of Identity
Theft at the FTC.
For the most updated information on state legislative efforts, visit the National
Conference of State Legislatures’ Web site:
Credit freeze laws:
www.ncsl.org/programs/banking/SecurityFreeze_2005.htm
Breach notification laws:
www.ncsl.org/programs/lis/CIP/priv/breach.htm
Financial institutions by and large seem to think they are doing a good job
regulating their own business practices, and the Financial Services Roundtable,
which represents 100 of the largest financial services companies in the U.S., has
been working with legislators to develop national standards for breach
notification.
In March 2005, the Federal Deposit Insurance Corporation (FDIC) – along with
the Board of Governors of the Federal Reserve System, the Office of the
Comptroller of the Currency and the Office of Thrift Supervision – issued
interagency guidance instructing financial institutions to “implement a response
program to address security breaches involving customer information.” The
guidance provides that the institution should conduct a reasonable investigation
to promptly determine the likelihood that the information has been or will be
misused. It also states, “If the institution determines that misuse of its
information about a customer has occurred or is reasonably possible, it should
notify the affected customer as soon as possible.”16
The financial industry has other initiatives under way as well. The Financial
Services Roundtable, through its BITS task force, launched the Identity Theft
Assistance Center (ITAC) in 2005. Funded by Roundtable members, ITAC is a
fraud recovery assistance service that is provided free of charge to affected
consumers of member organizations. (For more information about ITAC services,
visit www.identitytheftassistance.org.)
While the financial industry is confident that it is making strides toward
protecting customers from data breaches, Steve Bartlett, President and Chief
Executive Officer of the Financial Service Roundtable, told U.S. Banker that one of
the industry’s goals is to “safeguard our customers from data breaches that occur
elsewhere, in unregulated industries.”17
Indeed, advocacy groups such as the Electronic Privacy Information Center
(EPIC) are calling for greater regulation of Internet commerce and data collectors.
Pointing to the FTC’s success in regulating the telemarketing industry through
implementation of the National Do Not Call Registry, Chris Hoofnagle of EPIC
points out, “The FTC can protect privacy better than the industry can with self-
regulation. We now have ten years of experience with privacy self-regulation
online, and the evidence points to a sustained failure of business to provide
reasonable privacy protections.”18
In the end, it will be public perception and pressure that dictate the future of
data protection. Companies and institutions that have the foresight to develop
business practices that require, support and encourage improved privacy
practices for customers, employees and third parties will be better positioned
competitively for the future.
SECTION 2
OVERVIEW: The impact of data breaches on consumer behavior
A Privacy and American Business and Harris Interactive study found that “more
than two thirds of the American public has lost confidence in the handling of
their personal information.”9 The study illustrates how deeply the disclosures of
breaches and online attacks have impacted consumer confidence.
There is increasing evidence that dampening consumer confidence in companies’
perceived ability to protect consumers’ privacy and security may lead to a
decrease in the overall number of online transactions.
Research by Gartner Inc., which found that 50 percent of online adults are extremely concerned about unauthorized access to their credit reports and sensitive data, suggests that increased reporting of data breach incidents, combined with growing awareness of phishing attacks, has negatively influenced some
consumers’ online behavior. First, some consumers have changed their online
shopping behavior and are taking more precautions with where they shop as
well as with the amount of online shopping in which they engage. Second, more
than one in four consumers reported a decrease in their online banking activities.
Third, media attention around data breaches and phishing attacks has made
many consumers less likely to trust commercial e-mail correspondence.5
According to a Consumer Reports poll, “One in four Web users say they have
stopped shopping online because of perceived security risks, and more than half
no longer give personal information, such as addresses or birthdates, over the
Internet.”19 Such risks to online businesses may, however, be disguised by the
fact that the number of Internet users – and thereby online shoppers – continues
to grow at a steady clip. Forrester Research found that total online sales in 2004
increased 24 percent to $141 billion,19 and that number continues to grow.
In the online banking world, the Federal Financial Institutions Examination
Council (FFIEC) stepped in to issue guidance in late 2005 requiring multi-factor
authentication for online banking customers by the end of 2006, sidelining the
“wait and see attitude” many institutions were taking in regard to this additional
security out of their “concerns about expense and consumer convenience,”
according to U.S. Banker.27
Barring additional regulatory action, it remains to be seen whether other types of
businesses and organizations will do much to alleviate the fears of security-
conscious consumers until the rapid growth in the online market levels off.
Meanwhile, software companies, Internet service providers and other vendors
are upping their efforts to create a more secure marketplace with enhanced
services such as protection against spyware, anti-virus software, firewalls and
increased authentication for online financial services and purchases to help
consumers head off the threat themselves.
Indeed, lagging consumer confidence and the resulting consumer behavior is not
limited to online activity. As further evidence of changing consumer behavior,
Financial Insights found that “60 percent of U.S. consumers sampled in January
2005 expressed concern about identity theft, and 6 percent admitted to switching
banks to reduce their risk of becoming a victim of identity theft.”20
Awareness vs. experience
If consumers’ commercial behavior is being significantly affected by their
heightened awareness of data breach incidents, what is happening to consumer
perceptions and behaviors after they have actually experienced a data breach?
While there is comparatively little research into consumer behavior after a data
breach incident, early surveys indicate that the impact on affected businesses
may be considerable. According to a survey conducted by the Ponemon Institute
in 2005, “nearly 20 percent of respondents say they have terminated a
relationship with a company after being notified of a security breach” and “a
whopping 40 percent say they are thinking about terminating their
relationship.”21
Intersections’ research found that more than three out of four consumers who are
aware of data breaches are personally concerned about the security of their own
information, and more than half have taken some type of action as a result of this
concern, such as checking their credit reports, forgoing online shopping or avoiding transactions that require them to share personal data.15
• 95% of industry executives said their organization experienced fraud in the past year.
• 66% said fraud was a major problem for their industry.
• Only 6% said [fraud] was a major problem for their own company.
KPMG Forensic Fraud Survey 2003
Based on significant evidence that data breach awareness is negatively affecting consumer behavior, it appears that consumers could greatly benefit from education, support and a variety of tools and services that enable them to stay informed and feel protected. In fact, financial institutions and related organizations have recently launched a number of campaigns to help calm consumer fears.
Some of these campaigns, such as Your Credit Card Companies
(www.yourcreditcardcompanies.com), simply attempt to assure consumers that
they are already protected by the companies’ fraud detection capabilities rather
than engaging them in the process of protecting themselves. As a result, they
may be losing a golden opportunity to both educate consumers on what steps
they can take to actively contribute to their own protection and to identify the
security solutions consumers want.
According to McGinley, privacy protection is “a joint role between anybody
who’s acting as a caretaker for the data and the consumers themselves.” Bearing
a perspective of shared responsibility, companies and organizations of all sizes
could benefit from decreased customer churn and more engaged consumers.
BEST PRACTICES
Background
In a world that is increasingly focused on privacy and security, consumers have
clear needs and expectations for safeguarding and protecting their personal data.
The best practices that follow draw on the experiences of a senior executive from
a top-ten U.S. financial institution, consumer research and the first-hand
experiences of a consumer-facing company that specializes in identity fraud
protection. Moreover, they incorporate Intersections’ experience in offering
information breach remediation services to millions of customers of major North
American companies.
Over the past year, Wachovia has been the target of phishing attacks and has had
to identify, manage and mitigate data loss incidents. Brian G. McGinley,
Wachovia’s Senior Vice President of Loss Management, shared his experiences
and advice on how organizations should prepare for and respond to a data
breach incident, including customer notification and support services.
In August 2005, Intersections engaged Ipsos-Reid to conduct a telephone survey
of consumers, indexed to the U.S. population, with the objective of
understanding consumer needs and expectations of enterprises that hold their
personal data. The survey addressed such issues as consumers’ awareness of
data breaches, their trust in various types of organizations, the actions they have
taken to protect themselves in light of their awareness of data breaches and, most
importantly, their preferences regarding what organizations should do to
maintain their trust – and their business – after a data breach occurs.
Plan ahead: Avoid the “it won’t happen to my organization” mentality
Security studies, such as the KPMG Forensic Fraud Survey 2003, reveal that the
majority of organizations are worried about security breaches and other types of
fraud, but few think such incidents are a major concern for their organization.
While many organizations are confident they have adequately protected against
external threats, technology investments are often being “undermined by process
flaws,” according to Deloitte. Indeed, it is clear that many security breaches are
caused by human error or negligence resulting from weak operational practices,
including lack of employee awareness or training and failure to conduct
compliance assessments of vendors, according to Deloitte’s research.28
McGinley believes it is necessary for organizations to build a task force and
breach remediation plan before a data breach incident happens to manage the
operational and technical aspects of the incident. Doing so could limit the
potential financial impact and damage to the organization’s reputation, and also
addresses consumers’ concerns and needs. “I think all organizations need to
have a plan ready to address a data loss incident and all organizations should
recognize their vulnerability, while also taking accountability for the sensitive
consumer information they hold.” McGinley also pointed out that the majority of
breaches in 2005 involved non-financial organizations, many of which did not
seem fully ready to deal with the repercussions of such an incident.
Wachovia formulated a data loss incident management plan that they can
immediately activate if needed. The formalized plan allows for the company to
bring together, within hours, senior members from a number of different
disciplines such as corporate communications, telephone contact units, loss
management, information security and privacy in order to coordinate the
company’s response.
Who is responsible for safeguarding personal data?
McGinley believes that data protection is a responsibility to be shared jointly by
the enterprise and the consumer. But, he states, “Financial institutions need to do
everything they can to create a safe environment for the customers to transact.”
Consumers, however, are sometimes receiving messages that suggest otherwise, with
credit card companies promising Total Security Protection22 and policies that limit
consumers’ fraud liability. Naturally, these messages may lead consumers to believe
that they have little responsibility for detecting or resolving fraudulent activity.
Furthermore, data breach incidents and the fraudulent actions that sometimes follow
are not limited to credit cards. Yet consumers are ill-informed of this risk by
organizations with ample opportunity to communicate, educate and engage them.
[Chart: Who Do Consumers Trust?15 Share of consumers (0% to 70%) by organization
type: Banks/Financial Institutions, Health Care Providers, Educational Institutions,
Online Retailers, Small Businesses, Mobile Phone Companies.]
The Intersections Inc. survey found that 66 percent of consumers are aware of
data breaches. Of those, more than three quarters indicated that they are
concerned about potential loss of or unauthorized access to their information
while in the hands of an institution.
Although consumers may have general expectations that institutions will protect
the personal data they hold, their confidence level in an organization’s ability to
do so varies greatly based on the type of organization.
The Intersections Inc. survey asked consumers to rate institutions based on how
much they believe the institution is doing to protect their personal data from
fraudulent access or use. The results show that the majority of Americans have
positive perceptions about the efforts of banks and financial institutions (63
percent) and health care providers (53 percent) to protect their data. But they
have little confidence in the ability of educational institutions (35 percent), online
retailers (28 percent), small businesses (25 percent) and mobile phone companies
(20 percent) to effectively protect their privacy. These perceptions do not seem to
correlate directly to the types of organizations most often experiencing data
breaches, but may more accurately reflect increased consumer trust due to the
regulation of personal data required of the financial and health sectors.
These findings suggest that certain organizations, such as educational
institutions and small businesses, may have the most to gain by voluntarily
implementing business practices that improve the privacy and security of
consumers’ personal information. Financial and health-related organizations
should not be complacent, though, as there are many consumers for whom trust
has been lost and who may seek opportunities to take their business elsewhere.
Notification: How to
According to the Intersections Inc. survey, one in ten consumers said they had
received notification from a company or institution during the preceding 12
months that their data had been compromised. Indexed to the most recent U.S.
Census data, that means as many as 21 million notifications were made during
that time.23 While that number is significant, it represents only slightly more than
one third of all affected consumers.1
Effective notifications have the potential to address many concerns consumers
have after a breach incident, including whether their information is likely to be
used fraudulently, what the company or organization is doing to protect them
and what services are available to help consumers protect themselves from
further harm.
Furthermore, according to ID Analytics, in certain targeted data breaches, notices
may have a deterrent effect on criminals. In one large-scale identity-level breach,
thieves slowed their use of the data to commit identity fraud after public
notification, according to the company’s analysis.
The method by which a consumer is notified is extremely relevant to the impact
of the breach on an individual consumer’s level of trust in the organization.
According to the Ponemon Institute, how a consumer is notified could
potentially impact their level of trust in the notification and, ultimately, their
decision to continue conducting business with the organization that experienced
the breach. Among those surveyed by the Ponemon Institute who said they did
not trust that a notification they received from an institution following a data
breach incident was authentic, 86 percent said they would take their business
elsewhere.10, 21
According to the Intersections Inc. survey, the majority of consumers who were
notified of a breach incident received notification through the mail (56 percent).
Fewer consumers reported receiving notification by telephone (17 percent) or e-mail
(16 percent). Unlike the Ponemon Institute’s findings, respondents to the
Intersections Inc. study indicated that they trusted that the notifications they
received were from the stated company (92 percent), but this may be due to the
fact that most indicated that they received written correspondence, which
consumers may believe to be a more credible source of information.
McGinley believes that the nature and scope of a data breach incident will dictate
the organization’s response. “It’s going to be different depending on the scope of
the incidents and the urgency. If we have direct accounts under attack we are
going to pick up the phone and contact [those customers] immediately. If we
received an alert from an ATM’s [notification system] indicating [a customer’s]
debit card was used at an ATM that may have been under attack, we may mail
them a letter and put them under special monitoring.”
Intersections’ findings, however, suggest that after a breach incident most
consumers express a strong preference to be contacted by phone (74 percent),
presumably because they prefer faster, more personal communication.
The Ponemon Institute underscored this finding. It cautioned against using form
letters and e-mails to notify consumers of data breach incidents. “Those
businesses that deploy canned e-mails or form letters to communicate a data
breach to victims are more than three times as likely to lose customers as those
that contact victims by telephone or personalized letters or a combination of
both.”21
Beyond notification: Victim assistance
Consumers are most concerned about four issues after a data breach:
o How likely is it that their personal information will be misused?
o How will they know if their information is used to perpetuate fraud?
o What do they need to do in the aftermath of a breach?
o What services will be available to assist them?
The Intersections Inc. survey provided insight into what actions, if any, are being
taken by the companies targeted by data breaches on behalf of their affected
customers. Alarmingly, 29 percent of respondents who were notified that their
personal information was or may have been compromised said that no action
beyond the initial notification was taken by the company or organization to help
consumers determine how to protect themselves from additional harm (or,
perhaps, it was not clearly communicated to them).
The most frequent actions taken by companies and organizations on behalf of
affected customers included replacing credit or debit cards (24 percent),
providing an explanation of the problem (15 percent) and providing educational
information via mail (13 percent).
McGinley confirmed the relative frequency of financial companies offering replacement
cards as a post-breach service. To quell consumers’ anticipated fears that their
compromised information may be misused, he explained that, depending on the nature
of the incident, it is
standard practice in the financial industry to issue new credit or debit cards,
change verification credentials (such as PINs and passwords) or close consumers’
existing accounts. But beyond financial institutions, it appears unlikely that any
other frequently affected group regularly provides post-breach services to their
customers, employees or members.
When asked what actions consumers have taken on their own behalf and at their
own expense as a result of their concern about their data being compromised and
potentially misused, respondents indicated that they are choosing to not give out
personal information (10 percent) and checking credit reports (6 percent) most
frequently. They also cited destroying documents containing sensitive
information (5 percent) and forgoing online shopping (5 percent). However, the
findings show that almost half of consumers are not taking any action to protect
themselves.
The Intersections survey confirmed that consumers want institutions to take
more active steps to protect their data and to provide tools and services that help
them identify misuse of their data or recover if they become a victim of fraud
after a data breach. The Ponemon Institute’s research identified a similar
sentiment. In that survey, more than 82 percent of respondents expected
organizations to do more to assist them.24
Swift, direct and thorough action is the most effective way for a company to
respond to a data breach, according to the consumers surveyed by Intersections
Inc. Nearly nine in ten said it would be very important to them that the company
communicate the problem honestly and quickly.
Such information should be presented consistently across all communication
channels and should be supplemented by a dedicated resource that consumers
can use to contact the organization for more information. A toll-free number with
trained, dedicated agents has proven beneficial to many companies – including
Wachovia – and their customers. More than three quarters (77 percent) of consumers
want access to a hotline to address their questions, according to the Intersections Inc.
survey. Furthermore, most consumers (85 percent) want companies to provide
comprehensive victim assistance, including help in resolving any fraud.
[Chart: What Consumers Want in the Wake of a Breach15 Share of consumers (62% to
74%) wanting each service: Free Credit Report, Free Credit Monitoring, Identity Theft
Insurance.]
Wachovia has a special investigations unit specific to customer identity theft fraud
claims and works closely with the Identity Theft Assistance Center (ITAC). This
group is able to guide the customer through the
recovery process from beginning to end. Agents trained in handling identity
theft cases provide support to consumers as they navigate the resolution process,
which includes walking the consumer through his or her credit report to identify
any suspicious activity, notifying the affected creditors, placing fraud alerts with
the credit bureaus and sharing information with the appropriate law
enforcement agencies.
Additionally, consumers recognize the value of services that allow them to
identify and monitor potential future repercussions of data breaches. A majority
of consumers indicated that they would like affected organizations to provide
credit reports at no cost (73 percent), along with a complimentary credit report
monitoring service (69 percent). Consumers are also interested in identity theft
insurance products (66 percent).
These findings demonstrate that consumers want as much information as possible
after a breach and that they are willing to do some of the legwork after an incident
to ensure the continued security of their assets. Organizations should view this as a
prime opportunity to engage the consumer in taking joint responsibility for ensuring
the security of their information and for enhancing the value of the consumer
relationship. Engaged and security-conscious consumers are likely to be more willing
to accept other shared security measures, such as account, credit and public
information monitoring, shared secrets, more complicated passwords, passkeys,
tokens and biometrics.
According to McGinley, “Tri-bureau credit monitoring is one of the best ways
consumers can protect their accounts and a very good way of identifying whether there
have been any attacks on one’s identity.” Moreover, Wachovia believes that it is the
organization’s responsibility to provide such a service at no cost to the consumer – at
least for a defined period of time – in the event of a breach.
In previous data loss incidents, Wachovia engaged Intersections to offer affected
customers one year of credit monitoring at no cost to the consumer. (See The Benefits
of Monitoring.) Wachovia has also increased the depth and breadth of its services to
aid consumers through partnerships with entities such as the Identity Theft Assistance
Center (ITAC).
A significant number of the top financial services companies in the U.S. have aligned
themselves with the ITAC, a cooperative initiative of the financial services industry
that provides victim assistance services free to customers of member companies.
The center assists victims of identity theft by helping to reduce the delay and
frustration that consumers may experience as they go through the identity
restoration process.
Sidebar: The Benefits of Monitoring
Many financial industry executives believe that providing their customers with the
ability to monitor their accounts and credit information is a valuable step toward
combating fraud, both before and after a data breach. Tri-bureau credit monitoring
allows consumers to receive prompt notifications when changes have been made to
their credit files. The consumer can then address potentially suspicious activities
before significant financial damage occurs. Consumers who subscribe to a credit
monitoring service see a substantial drop – more than 90 percent – in total fraud
losses.25
Intersections Inc. is the largest provider of private-label consumer credit monitoring
services in North America. Recognizing that consumer credit monitoring is not only a
proven fraud detection tool, but also holds great promise to help consumers prevent
fraud after a loss or theft of information, Intersections Inc. assembled a variety of
partners to tap that potential. Through partnerships with Seisint, Cyveillance and ID
Analytics, the company has developed a fraud monitoring product that allows
consumers to use industry-proven enterprise technologies to expand their monitoring
capabilities to public information databases, chat rooms, message boards and credit
applications. Application fraud losses alone are estimated to be $170 for every U.S.
credit user every year.26
A combination of credit and public information monitoring services provides consumers
the most comprehensive fraud protection available today. Intersections Inc. offers this
service at costs similar to tri-bureau monitoring.
BEST PRACTICES: The list
Drawing on Wachovia’s experiences, consumer research and a decade of experience
assisting victims of identity theft, Intersections developed this five-step best
practices list to help organizations manage the consumer risk associated with data
breaches. It is grounded by primary research drawing on both the enterprise and
consumer perspectives.
1. Plan
2. Educate
3. Investigate & Activate
4. Communicate
5. Assist
Plan
o Provide a safe environment within which your customers can transact as
well as a secure messaging platform for communicating with customers.
o Encourage the use of online banking and alerts when personal data
associated with customer account profiles change (name, address, phone
number, e-mail address, credit lines, etc.).
o Prepare an information breach remediation plan to activate immediately if
such an incident should occur. Be aware of any state or federal legislation
with which compliance is necessary.
Educate
o Educate consumers about their role in protecting their personal data.
o Provide training and education to employees to help and encourage them to
identify and report suspicious activity from internal and external threats.
o Require unregulated business customers and vendors to comply with
voluntary privacy guidelines in order to protect data across all levels of
service. Audit these groups regularly to ensure compliance.
Investigate & Activate
o Work quickly with all available resources to investigate and understand the
precise nature and extent of the breach event.
o Activate the prepared breach remediation plan to minimize the impact on
the assets at risk.
o As appropriate, engage law enforcement to help identify affected individuals
and thereby reduce delays in notification. Work with law enforcement to
pursue leads that are outside the purview of the institution.
o Take immediate action to address the specific incident. (For example, close
certain consumer accounts.)
Communicate
o Notify consumers and clients as quickly as possible and communicate as
much information as possible about the incident.
o Notify consumers promptly by mail and, when possible, by phone. Avoid
form letters and e-mail.
o Integrate communications messages across all channels. Present a consistent,
thorough message.
o Keep affected customers informed of steps you have taken to prevent repeat
incidents and improve security.
Assist
o Establish a telephone hotline or other dedicated resource (such as a Web site)
handled by agents trained in identity theft resolution practices to address
and answer consumers’ concerns.
o Provide a complimentary tri-bureau monitoring service to detect credit fraud
or a service such as Intersections’ fraud protection service to protect against
identity fraud by monitoring a combination of credit and public information
to help affected customers identify possible identity theft before it turns into
fraud.
o Provide identity theft insurance.
ADDENDUM
SOURCES
1. 2005 Disclosures of U.S. Data Incidents, Identity Theft Resource Center, December 19, 2005.
2. Identity Theft Survey Report, U.S. Federal Trade Commission and Synovus, September 2003.
3. “Do Not Call.” CardWeb.com, August 22, 2005.
4. From Wikipedia.com: “Phishing is a form of social engineering, characterized by attempts to
fraudulently acquire sensitive information, such as passwords and credit card details, by
masquerading as a trustworthy person or business in an apparently official electronic
communication, such as an email or an instant message. The term phishing arises from the use
of increasingly sophisticated lures to ‘fish’ for users’ financial information and passwords.”
5. Increased Phishing and Online Attacks Cause Dip in Consumer Confidence, Gartner Inc., June 22, 2005.
6. “2005 Identity Fraud Survey Report,” Javelin Strategy & Research, January 2005.
7. Unisys Research Shows Banks Face Potential Customer Exodus Over Identity Theft, Unisys Press Release, November 9, 2004.
8. Fest, Glen. “Data Losses: Cardsystems Takes A Bullet After Breach.” Bank Technology News, August 2005.
9. New Survey Reports An Increase in ID Theft and Decrease in Consumer Confidence, Privacy and American Business Press Release, June 29, 2005.
10. “National Survey on Data Breach Security Notification,” Ponemon Institute, September 26, 2005.
11. ID Analytics’ First-Ever National Data Breach Analysis Shows the Rate of Misuse of Breached Identities May be Lower than Anticipated, ID Analytics Press Release, December 8, 2005.
12. Security Breaches & Freezes, Identity Theft Resource Center, December 2005.
13. Global Security Survey, Deloitte, May 2004.
14. Google news search, September 15, 2005.
15. Consumer Perceptions on Data Breaches, Ipsos-Reid for Intersections Inc., August 2005.
16. Federal Bank Regulatory Agencies Jointly Issue Interagency Guidance on Response Programs for Security Breaches, Federal Insurance Deposit Corporation Joint Press Release, March 23, 2005.
17. “Banks Need to Be Proactive In Dealing with Data Breaches.” U.S. Banker, August 2005.
18. Hoofnagle, Chris Jay. “Privacy Self-Regulation: A Decade of Disappointment.” Electronic Privacy Information Center, March 4, 2005.
19. “The State of Retailing Online 8.0,” Forrester Research for Shop.org, May 2005.
20. “Banks May Feel the Pinch of Identity Theft Worries.” emarketer, March 25, 2005.
21. “Data Breaches Bad for Business.” ConsumerAffairs.com, September 27, 2005.
22. Total Security Protection is a registered trademark of VISA USA.
23. U.S. Census Bureau 2000, released December 22, 2005, based on 20.9 million U.S. residents age 18 or over.
24. “Opinion: After a privacy breach, how should you break the news?” Computerworld, July 5, 2005.
25. Credit Monitoring and Identity Fraud Insurance: What Do Consumers Need, and How Should it be Offered?, Javelin Strategy and Research, March 2005.
26. Rawe, Julie. “Identity Thieves.” TIME Magazine, February 11, 2002.
27. “Authentication: FFIEC Commands Two-Factor ID by 2006.” U.S. Banker, December 2005.
28. 2005 Global Security Survey, Deloitte, June 22, 2005.
BIOGRAPHY: Brian G. McGinley
Senior Vice President & Group Executive
Director, Loss Management
Wachovia Corporation
Brian G. McGinley has been in the financial institution security and loss
management field for more than 25 years. He is currently the Senior Vice
President of Loss Management at Wachovia Corporation. With 3,100 financial
centers, 5,000 ATMs and 700 brokerage offices, Wachovia holds $521 billion in
assets.
McGinley joined the company in August 1999 when he was employed by First
Union, which Wachovia acquired in 2001. He manages a staff of more than 500
loss management personnel and is responsible for the overall development,
implementation and management of loss control programs for the corporation.
These accountabilities include loss prevention and fraud control, claim and
litigation management, investigations, non-credit loss management and charge-off,
Channel Risk Management functions and credit fraud. He previously
managed the corporation’s AML Investigative Services functions as well. Prior to
joining First Union/Wachovia, Brian worked in various loss control-related
capacities for Citibank North America for 20 years, most recently as its Director
of Risk Management & Control and Group Information Security Officer.
An ASIS International Certified Protection Professional, McGinley serves on the
Financial Services Roundtable/BITS Identity Theft Assistance Center (ITAC)
Board and chairs its Operations Committee. He has also served on many national
bank industry committees and workgroups including the Bank Administration
Institute, BITS, NACHA – The Electronic Payments Association, the Electronic
Funds Transfer Association and others.
Brian served with U.S. Army Military Intelligence and is a graduate of the
University of Illinois.
SURVEY METHODOLOGY
The Ipsos-Reid survey for Intersections Inc., “Consumer Perceptions on Data
Breaches,” conducted via the Ipsos-US Express telephone poll of American
consumers August 16-18, 2005, captured consumer perspectives in order to
gauge their levels of concern regarding data breaches, as well as what type of
responses they expect from companies that experience breaches. A group of
Americans was polled to ascertain their level of awareness and concern about the
recent surge in reported data breaches. Additionally, consumer insight was
captured about the services and products they expect to be offered after
receiving notification by the breached organization – the organization
responsible for holding and safeguarding their sensitive information.
For the survey, a representative, randomly selected sample of 1,001 adults was
interviewed by telephone. The results are considered accurate to within ±3.1
percentage points. The margins of error may differ within regions and for other
sub-groupings of the survey population. These data were weighted to ensure the
sample’s regional and demographic composition reflects that of the
actual American population, according to the latest U.S. Census data.
ABOUT INTERSECTIONS INC.
Intersections Inc. is the leading provider of branded and fully-customized
consumer credit management and identity theft prevention, detection and
resolution services to the customers of many of North America's largest financial
services companies. By integrating our technology solutions, marketing
capabilities, and end-to-end production and fulfillment infrastructure, we assist
these companies in meeting the needs of their customers in a secure, efficient and
ethical environment. We currently safeguard more than 5 million customers in
the U.S. and Canada – including approximately 3.6 million subscribers to our
service offerings and 1.4 million consumers who receive special services such as
data breach mitigation and identity theft resolution. We receive those customers
primarily through our partners, as well as direct-to-consumer through our
IDENTITY GUARD® and SBGUARDIANSM brands. Additionally, we offer pre-employment
background screening through our wholly-owned subsidiary,
American Background Information Services, Inc. Learn more about Intersections
Inc. at www.intersections.com.