[Dataloss] rant: Useless Compensation for Data Loss Incidents

M Barnett - TIFRM mbarnett at TIFRM.com
Wed Jun 11 18:37:04 UTC 2008


I don't typically chime in on these discussions, but I was glad to see this
one and could not resist. Courtesy of massive advertising campaigns, credit
monitoring has become the de facto accepted "industry standard response", up
to and including the federal government as evidenced by a recent Blanket
Purchase Agreement that mandates that a breach response service offering
must include credit monitoring. It is, in essence, an attempt to stave off
class action lawsuits before they are filed. 

There are fundamental considerations for both consumers and businesses
regarding credit monitoring that are consistently overlooked, or blatantly
ignored:

1.	CONSUMER CONSIDERATIONS:  First and foremost, it provides the
obvious false sense of security. Consumers simply do not realize that they
can be victimized in many ways that may never show on their credit reports.
IF something does show, the service is not an effective early warning system
(see the excerpt below) because it functions in the manner that the credit
reporting system operates, not in the way that the thieves operate. 

Example excerpt from the CITRMS Reference Manual:

It is important to note that because of the way that these services are
designed, and the way that the credit reporting system functions, the credit
monitoring "early warning system" can and does fail. For example, in
December of 2006, the New York Times published an article entitled
"Protectors, Too, Gather Profits from ID Theft".  An excerpt from this story
follows:

"Melody Millett was shocked when her car loan company asked her if she was
the wife of Abundio Perez, who had applied for 26 credit cards, financed
several cars and taken out a home mortgage using a Social Security number
belonging to her actual husband. Beyond her shock, Mrs. Millett was angry.
Five months earlier, the Milletts had subscribed to a $79.99-a-year service
from Equifax, a big financial data warehouse, that promised to monitor any
access to her credit records. But it never reported the credit activity that
might have signaled that they were victims of identity theft." (Source: New
York Times)


Secondly, most services simply notify the consumer that "Congratulations -
you are a victim. Good luck!"  IF there is any form of assistance provided
in conjunction with the service, it is almost always limited to resolving
only those matters that involve the credit report. It omits erroneous
criminal records, employment and taxation issues, banking account fraud and
related losses, medical identity theft and possible contaminated records,
exhaustion of benefits, etc.  Finally, the companies publicly announce
what service they are providing (if any), and for how long. The thieves
monitor these announcements just as anyone else, and can easily sit on the
information until the alarm bells stop ringing and the service expires. For
the consumer, theft of their information can be the unwanted gift that keeps
on giving as their information is sold and re-sold, long after any token
service offering has ended.


Does such a service have a possible place in a consumer's overall risk
management plan? Yes, but it should certainly never be relied upon as the
sole means of "protection."  
 

2.	BUSINESS CONSIDERATIONS:  I might concede that offering something
is, to at least some degree, better than the other side of the spectrum
which is more common:  "Dear consumer, we lost your information. Check your
credit reports and please do not sue us."  However, beyond the costs
associated with providing the service, the most fundamental consideration
that businesses do not grasp is that, under the myriad of state and federal
laws that establish rights of action for consumers impacted by a breach, the
business' liability for damages suffered by victimized consumers is not
limited to only those types of victimization that show on a credit report.
Case in point, the recent Utah medical billing records breach. There is a
good possibility that this information could be utilized to perpetrate
medical identity theft, which is not only unlikely to show in credit
reports, but also produces an additional layer of problems for both the
consumers and the healthcare providers and facilities. It is also possible
that a business could provide credit monitoring services and, if not
accompanied by a waiver and release, still be sued in a class action for
victimizations not uncovered by the service.

In some cases, actual victimization by the impacted consumers is not even a
prerequisite for actions - the mere fact that the breach occurred at all can
serve as the justification. 


In my opinion, the entire topic of data breaches and information security,
and resultant blame for the rampant problems, rests with numerous
stakeholders - including the very legislators that draft the related laws.
Unfortunately for the businesses themselves, the same crazy quilt of data
security laws that allow for fines, penalties, and actions are often vague
and ill-worded at best. Common sense or lack thereof, blatant negligence,
ignorance, or dishonest insiders as contributing factors aside, many
businesses do attempt to achieve compliance and may go to considerable
lengths in an attempt to meet the "reasonable" standards discussed in these
laws and regulations. Yet more often than not, they are not provided with
clear and concise steps that constitute "reasonable" compliance. Rather,
they are forced to follow suggestions and illustrative examples. The Red
Flags Rule is the most recent shining example of this. "Reasonable" is most
often determined after an incident, in a court of law and the court of
public opinion, with the full benefit of 20/20 hindsight. Your company
suffered a breach, therefore the measures that you took obviously were not
"reasonable" to prevent such an incident.  While it may be impossible to
draft legislation that keeps pace with the breakneck speed of advancements
in technology, and negligent businesses should be held accountable, there is
still vast room for improvement in the specific guidance issued and possible
safe harbor provisions for companies that do actively attempt to secure the
data of their customers and employees.  But that is a separate topic
altogether.

Respectfully,

Michael Barnett, CITRMS
CEO
The Institute of Fraud Risk Management, Inc.
www.TIFRM.Net  
www.TIFRM.coursehost.com  
 
The Institute of Fraud Risk Management, Inc.
955 South Virginia Street; Suite #116
Reno, Nevada  89502
"Knowledge is the Best Defense Against Fraud" 
 


-----Original Message-----
From: dataloss-bounces at attrition.org [mailto:dataloss-bounces at attrition.org]
On Behalf Of lyger
Sent: Wednesday, June 11, 2008 1:32 AM
To: dataloss at attrition.org
Subject: [Dataloss] rant: Useless Compensation for Data Loss Incidents


http://attrition.org/security/rant/dl-compensation.html

Wed Jun 11 03:38:35 EDT 2008
Apacid, Jericho

If you have been the victim of a data loss incident, odds are you have 
received a letter from the careless organization that lost your 
information. These letters always offer apologies and sincere hope that 
your identity or personal information isn't abused. The recent BNY Mellon 
incident (which now stands at 4.5 million potential customers affected) 
resulted in customers receiving such a letter:

[.]

Notice that in return for having your personal information lost, they are 
offering free credit monitoring for 12 whole months! This seemingly 
generous offer has apparently become the standard business practice for 
acceptable compensation when your personal information is treated with 
carelessness. BNY opted to go with ConsumerInfo.com's "Triple Alert" 
credit monitoring product (despite no mention of that 'product' on the 
consumerinfo.com web page), which watches for changes to your credit 
reports from the three national credit reporting agencies in the United 
States (Experian, Equifax, TransUnion). If you are unlucky and get caught 
up in multiple data loss incidents, you may receive this "gracious 
compensation" many times over.

First, why is this type of reactive credit monitoring acceptable 
compensation? This seems to be another case of one business following 
another and... voila, we have an industry 'standard' that does little to 
serve the customer but does everything to serve businesses that want to 
look caring and "customer-centric" in the media.

[...]
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
