[Clips] Study Finds Mass Data Breaches Not as Risky as Smaller Lapses

R. A. Hettinga rah at shipwright.com
Thu Dec 8 16:01:13 EST 2005


--- begin forwarded text


 Delivered-To: clips at philodox.com
 Date: Thu, 8 Dec 2005 15:59:25 -0500
 To: Philodox Clips List <clips at philodox.com>
 From: "R. A. Hettinga" <rah at shipwright.com>
 Subject: [Clips] Study Finds Mass Data Breaches Not as Risky as Smaller Lapses
 Reply-To: rah at philodox.com
 Sender: clips-bounces at philodox.com

 <http://online.wsj.com/article_print/SB113380595757914237.html>

 The Wall Street Journal

  December 8, 2005
  FISCALLY FIT
  By TERRI CULLEN

 Study Finds Mass Data Breaches
  Not as Risky as Smaller Lapses

 Two scenarios: a) You're notified by an online retailer that you're among
 millions of customers whose account information was lost or stolen; or b)
 you learn a former staffer has stolen employee names, addresses and Social
 Security numbers from your small business.

 Which one puts you at greater risk for identity theft?

 If you chose "b," you'd be correct, according to a study released Wednesday
 by ID Analytics, a San Diego company that helps companies combat fraud
 using pattern-recognition technology. The company examined billions of bits
 of identifiable information, such as Social Security numbers, cellphone
 numbers, dates of birth and credit-card account numbers, from consumers who
 were victims of security breaches. The study analyzed four cases of
 security breaches, two involving the theft or loss of sensitive data,
 including names and Social Security numbers, and two involving credit-card
 account information only.

 SHARE YOUR THOUGHTS
  What do you think? Are corporate notifications of data security breaches
 necessary to prevent identity theft, or do they cause unnecessary panic?
 What should companies do to aid customers when they discover sensitive
 consumer data have been lost or stolen? Write to me at fiscallyfit at wsj.com.

 Turns out size does matter: The study found that individuals involved in
 mass data security breaches are less likely to have their information
 misused than victims of smaller data breaches.

 The sheer volume of consumers affected slows identity thieves down, says
 Mike Cook, vice president of product services at ID Analytics and one of
 the company's co-founders. "We applied identity theft to real work terms,
 eight-hour days, with breaks and vacation time, and found that it would
 take a fraudster 40 years to work a million stolen IDs," he says.

 Some disclosure: ID Analytics, which is in the business of detecting
 identity theft for companies such as financial-services firms and
 retailers, initiated the study at the request of the companies whose
 security breaches were examined. The companies didn't sponsor the study,
 but ID Analytics provides services to one of the breached companies and
 provided services to another of the companies in the past.

 The ID Analytics study also found that mass data security breaches didn't
 result in the identity theft free-for-all many had feared. The odds are
 less than one in 1,000 that misuse or fraud will be detected for
 individuals whose sensitive information is compromised in cases of
 large-scale security breaches.

 Identity theft was more common when there was an intentional effort to
 steal information, as opposed to security lapses that occurred by accident,
 the study found. So, for example, you're more likely to be a victim if a
 thief intentionally steals a laptop to access the sensitive consumer data
 it holds, rather than if the thief steals the laptop simply to hock it for
 cash.

 The study comes in the wake of a series of highly publicized mass security
 breaches this year, which raised concern about the potential for widespread
 identity theft. In June, for example, MasterCard International Inc.
 reported that someone had broken into the computer network of CardSystems
 Solutions Inc., an Atlanta company that processes credit-card transactions.
 The breach gave the thief access to names, account numbers and card
 security codes on more than 40 million credit-card accounts.

 When breaches such as this are disclosed, many consumers have no idea how
 likely it is that their information will be used to commit fraud, says Jay
 Foley, co-executive director of the Identity Theft Resource Center in San
 Diego, a nonprofit organization that assists victims of identity theft.

 "What [ID Analytics] is doing is identifying quite accurately where the
 greatest potential danger is," he says. "The study emphasizes the types of
 breaches [that] businesses and government need to look at closely and take
 seriously."

 What constitutes a higher-risk intentional breach? The riskiest category is
 one-on-one crimes, where a thief targets a victim to steal identification
 or account information. When information on thousands of individuals is
 stolen, however, the chances of any one person in that group becoming a
 victim fall considerably, according to the study. "As you pass information
 stolen on 200 people or more in one incident, the risk drops off sharply,"
 he says.

 Consumers Need to Stay on Guard

 Beth Givens, director of the Privacy Rights Clearinghouse in San Diego,
 warns that the study is a relatively small sampling, and that the results
 may lull consumers and lawmakers into believing the threat of identity
 theft posed by these types of data security breaches is inconsequential.

 "This is a very limited survey, they are only looking at four breaches and
 I'm concerned that their findings will be generalized," she says. "A great
 deal more research needs to be done on this area before any generalizations
 can be made."

 Regardless of the size of the security breach, consumers should remain
 vigilant against the threat of identity theft, says Eric Zahren, a
 spokesman for the U.S. Secret Service. "Any and all breaches should be
 considered serious and potentially damaging," he says.

 Indeed, while the new survey provides some comforting insight on the real
 and perceived dangers of breaches of information, large and small,
 consumers need to actively monitor and protect their sensitive financial
 information. (See box for tips on guarding your identity.)

 A 2005 study released earlier this year by Javelin Strategy & Research, a
 Pleasanton, Calif., consulting firm, found that when people monitor their
 accounts online, they are far less likely to be victims of fraud. The
 average paper and mail loss to identity theft and fraud was $4,500, says
 Jim Van Dyke, a principal at Javelin, while the average loss suffered by
 victims who detected crime online was $551.

 "The difference is people are detecting the fraud and contacting their
 financial institutions sooner, and not sending checks or other personal
 information through the mail," he says.

 Too Many Notifications, or Not Enough?

 ID Analytics' findings come just as a number of bills are being considered
 by federal legislators that would require companies to notify consumers of
 security lapses. Many of the proposals focus on mass security breaches,
 while the study indicates that victims of smaller breaches are more
 vulnerable to fraud, says Fred H. Cate, director of the Center for Applied
 Cybersecurity Research at Indiana University in Bloomington. (See a related
 article.)

 "Legislators have been justifiably unsure of what to do because up until
 now there has been so little information on what works," Mr. Cate says.

 Businesses have been arguing against stricter notification laws, saying the
 cost would be prohibitive and that notifications should be limited to
 breaches that threaten a significant risk of identity theft. California was
 the first state to require all companies to send notifications when
 security breaches are detected.

 John Hall, a spokesman for the American Bankers Association in Washington
 D.C., contends that businesses should be the ones to determine whether
 notifications are warranted. Regulators require that financial-services
 firms send notifications only when the companies consider the security
 breaches a risk to the individuals involved.

 "We feel that a plethora of unnecessary warnings runs the risk of creating
 a 'cry-wolf' mentality, where consumers begin to ignore notifications
 whether they're serious or not," Mr. Hall says.

 Mike Zaneis, a lobbyist with the U.S. Chamber of Commerce, which is working
 with several congressional committees to secure a national flexible
 notification standard, says too many notifications may raise unnecessary
 concerns about the companies who have suffered data breaches.

 "Certainly there is a potential to erode the consumer confidence in a
 certain company, and of course we want to avoid that," he says, noting that
 a recent survey by privacy-research organization Ponemon Institute,
 sponsored by the law firm White & Case of New York, found that nearly 20%
 of respondents said they terminated a relationship with a company after
 being notified of a security breach, and 40% said they were thinking about
 terminating the relationship.

 Mr. Foley, a consumer advocate, argues that notifications are necessary for
 any breaches, regardless of size, and that businesses create a liability
 issue when they don't share information about lost or stolen data.

 "The companies need to analyze the information exposed, notify [consumers],
 give them the information necessary to offset potential problems and then
 just let it go," he says.

 I strongly agree. Consumers should be given the information they need to
 determine whether a company is trustworthy or not, based on the nature of
 the security breaches that are reported. If mandatory notifications do
 result in a blizzard of paperwork stuffing consumers' mailboxes, perhaps
 the ensuing outrage will finally convince companies and lawmakers that a
 great deal more needs to be done to protect consumers' sensitive financial
 information.

 * * *

 PROTECT YOUR IDENTITY

 Here are a few steps to reduce your risk of having your sensitive
 information lost or stolen:

 Track your accounts. Review all financial account statements at least once
 a month, and periodically request free credit reports from the three major
 credit bureaus (Equifax, Experian, TransUnion).

 Keep information to yourself. Don't give out credit card or Social Security
 numbers to anyone unless you know why it is needed. If called, hang up and
 contact the company requesting the information directly. Keep a list of all
 your account numbers and passwords in a safe place, and don't leave credit
 cards or checkbooks lying around the house.

 Monitor your mail. Don't allow mail to sit in your box for more than a day,
 and consider purchasing a box with a lock. Never leave checks or other
 sensitive mail in your mailbox for pickup; instead, use a collection box.

 Buy a shredder or go paperless. Destroy any document that contains personal
 information, and offers for credit you receive in the mail. Consider
 viewing financial account statements online, and opting out of receiving
 paper statements by mail.

 --
 -----------------
 R. A. Hettinga <mailto: rah at ibuc.com>
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 _______________________________________________
 Clips mailing list
 Clips at philodox.com
 http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com