[Dataloss] rant: Useless Compensation for Data Loss Incidents

Michael Hill, CITRMS mhill at idtexperts.com
Wed Jun 11 20:57:40 UTC 2008

I read posts such as Michael Barnett's (which I totally agree with) and 
continue to conclude that there is absolutely no way any identity theft 
protection plan can prevent your identity from being stolen and used to 
commit fraud in your name.

Consumers need to be prepared for when they become a victim.  So what does 
that plan look like?

Michael Hill
Certified Identity Theft Risk Management Specialist

"If You Think You're Not At Risk, Think Again!"

----- Original Message ----- 
From: "M Barnett - TIFRM" <mbarnett at TIFRM.com>
To: "'lyger'" <lyger at attrition.org>; <dataloss at attrition.org>
Sent: Wednesday, June 11, 2008 2:37 PM
Subject: Re: [Dataloss] rant: Useless Compensation for Data Loss Incidents

> I don't typically chime in on these discussions, but I was glad to see this
> one and could not resist. Courtesy of massive advertising campaigns, credit
> monitoring has become the de facto accepted "industry standard response", up
> to and including the federal government as evidenced by a recent Blanket
> Purchase Agreement that mandates that a breach response service offering
> must include credit monitoring. It is, in essence, an attempt to stave off
> class action lawsuits before they are filed.
>
> There are fundamental considerations for both consumers and businesses
> regarding credit monitoring that are consistently overlooked, or blatantly
> ignored:
> 1.  CONSUMER CONSIDERATIONS:  First and foremost, it provides the
> obvious false sense of security. Consumers simply do not realize that they
> can be victimized in many ways that may never show on their credit reports.
> IF something does show, the service is not an effective early warning system
> (see the excerpt below) because it functions in the manner that the credit
> reporting system operates, not in the way that the thieves operate.
>
> Example excerpt from the CITRMS Reference Manual:
>
> It is important to note that because of the way that these services are
> designed, and the way that the credit reporting system functions, the credit
> monitoring "early warning system" can and does fail. For example, in
> December of 2006, the New York Times published an article entitled
> "Protectors, Too, Gather Profits from ID Theft".  An excerpt from this story
> follows:
>
> "Melody Millett was shocked when her car loan company asked her if she was
> the wife of Abundio Perez, who had applied for 26 credit cards, financed
> several cars and taken out a home mortgage using a Social Security number
> belonging to her actual husband. Beyond her shock, Mrs. Millett was angry.
> Five months earlier, the Milletts had subscribed to a $79.99-a-year service
> from Equifax, a big financial data warehouse, that promised to monitor any
> access to her credit records. But it never reported the credit activity that
> might have signaled that they were victims of identity theft." (Source: New
> York Times)
>
> Secondly, most services simply notify the consumer that "Congratulations -
> you are a victim. Good luck!"  IF there is any form of assistance provided
> in conjunction with the service, it is almost always limited to resolving
> only those matters that involve the credit report. It omits erroneous
> criminal records, employment and taxation issues, banking account fraud and
> related losses, medical identity theft and possible contaminated records,
> exhaustion of benefits, etc.  Finally, the companies publicly announce
> what service they are providing (if any), and for how long. The thieves
> monitor these announcements just as anyone else, and can easily sit on the
> information until the alarm bells stop ringing and the service expires. For
> the consumer, theft of their information can be the unwanted gift that keeps
> on giving as their information is sold and re-sold, long after any token
> service offering has ended.
>
> Does such a service have a possible place in a consumer's overall risk
> management plan? Yes, but it should certainly never be relied upon as the
> sole means of "protection."
> 2.  BUSINESS CONSIDERATIONS:  I might concede that offering something
> is, to at least some degree, better than the other side of the spectrum
> which is more common:  "Dear consumer, we lost your information. Check your
> credit reports and please do not sue us."  However, beyond the costs
> associated with providing the service, the most fundamental consideration
> that businesses do not grasp is that, under the myriad of state and federal
> laws that establish rights of action for consumers impacted by a breach, the
> business' liability for damages suffered by victimized consumers is not
> limited to only those types of victimization that show on a credit report.
> Case in point, the recent Utah medical billing records breach. There is a
> good possibility that this information could be utilized to perpetrate
> medical identity theft, which is not only unlikely to show in credit
> reports, but also produces an additional layer of problems for both the
> consumers and the healthcare providers and facilities. It is also possible
> that a business could provide credit monitoring services and, if not
> accompanied by a waiver and release, still be sued in a class action for
> victimizations not uncovered by the service.
>
> In some cases, actual victimization by the impacted consumers is not even a
> prerequisite for actions - the mere fact that the breach occurred at all can
> serve as the justification.
> In my opinion, the entire topic of data breaches and information security,
> and resultant blame for the rampant problems, rests with numerous
> stakeholders - including the very legislators that draft the related laws.
> Unfortunately for the businesses themselves, the same crazy quilt of data
> security laws that allow for fines, penalties, and actions are often vague
> and ill-worded at best. Common sense or lack thereof, blatant negligence,
> ignorance, or dishonest insiders as contributing factors aside, many
> businesses do attempt to achieve compliance and may go to considerable
> lengths in an attempt to meet the "reasonable" standards discussed in these
> laws and regulations. Yet more often than not, they are not provided with
> clear and concise steps that constitute "reasonable" compliance. Rather,
> they are forced to follow suggestions and illustrative examples. The Red
> Flags Rule is the most recent shining example of this. "Reasonable" is most
> often determined after an incident, in a court of law and the court of
> public opinion, with the full benefit of 20/20 hindsight. Your company
> suffered a breach, therefore the measures that you took obviously were not
> "reasonable" to prevent such an incident.  While it may be impossible to
> draft legislation that keeps pace with the breakneck speed of advancements
> in technology, and negligent businesses should be held accountable, there is
> still vast room for improvement in the specific guidance issued and possible
> safe harbor provisions for companies that do actively attempt to secure the
> data of its customers and employees.  But that is a separate topic
> altogether.
>
> Respectfully,
> Michael Barnett, CITRMS
> The Institute of Fraud Risk Management, Inc.
> www.TIFRM.Net
> www.TIFRM.coursehost.com
> The Institute of Fraud Risk Management, Inc.
> 955 South Virginia Street; Suite #116
> Reno, Nevada  89502
> "Knowledge is the Best Defense Against Fraud"
> -----Original Message-----
> From: dataloss-bounces at attrition.org 
> [mailto:dataloss-bounces at attrition.org]
> On Behalf Of lyger
> Sent: Wednesday, June 11, 2008 1:32 AM
> To: dataloss at attrition.org
> Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents
> http://attrition.org/security/rant/dl-compensation.html
> Wed Jun 11 03:38:35 EDT 2008
> Apacid, Jericho
> If you have been the victim of a data loss incident, odds are you have
> received a letter from the careless organization that lost your
> information. These letters always offer apologies and sincere hope that
> your identity or personal information isn't abused. The recent BNY Mellon
> incident (which now stands at 4.5 million potential customers affected)
> resulted in customers receiving such a letter:
> [.]
> Notice that in return for having your personal information lost, they are
> offering free credit monitoring for 12 whole months! This seemingly
> generous offer has apparently become the standard business practice for
> acceptable compensation when your personal information is treated with
> carelessness. BNY opted to go with ConsumerInfo.com's "Triple Alert"
> credit monitoring product (despite no mention of that 'product' on the
> consumerinfo.com web page), which watches for changes to your credit
> reports from the three national credit reporting agencies in the United
> States (Experian, Equifax, TransUnion). If you are unlucky and get caught
> up in multiple data loss incidents, you may receive this "gracious
> compensation" many times over.
> First, why is this type of reactive credit monitoring acceptable
> compensation? This seems to be another case of one business following
> another and... voila, we have an industry 'standard' that does little to
> serve the customer but does everything to serve businesses that want to
> look caring and "customer-centric" in the media.
> [...]
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tenable Network Security offers data leakage and compliance monitoring
> solutions for large and small networks. Scan your network and monitor your
> traffic to find the data needing protection before it leaks out!
> http://www.tenablesecurity.com/products/compliance.shtml