--- begin forwarded text

 Delivered-To: [EMAIL PROTECTED]
 Date: Thu, 8 Dec 2005 15:59:25 -0500
 To: Philodox Clips List <[EMAIL PROTECTED]>
 From: "R. A. Hettinga" <[EMAIL PROTECTED]>
 Subject: [Clips] Study Finds Mass Data Breaches Not as Risky as Smaller


 The Wall Street Journal

  December 8, 2005

 Study Finds Mass Data Breaches
  Not as Risky as Smaller Lapses
 December 8, 2005

 Two scenarios: a) You're notified by an online retailer that you're among
 millions of customers whose account information was lost or stolen; or b)
 you learn a former staffer has stolen employee names, addresses and Social
 Security numbers from your small business.

 Which one puts you at greater risk for identity theft?

 If you chose "b," you'd be correct, according to a study released Wednesday
 by ID Analytics, a San Diego company that helps companies combat fraud
 using pattern-recognition technology. The company examined billions of bits
 of identifiable information, such as Social Security numbers, cellphone
 numbers, dates of birth and credit-card account numbers, from consumers who
 were victims of security breaches. The study analyzed four cases of
 security breaches, two involving the theft or loss of sensitive data,
 including names and Social Security numbers, and two involving credit-card
 account information only.
  What do you think?1 Are corporate notifications of data security breaches
 necessary to prevent identity theft, or do they cause unnecessary panic?
 What should companies do to aid customers when they discover sensitive
 consumer data have been lost or stolen? Write to me at [EMAIL PROTECTED]

 Turns out size does matter: The study found that individuals involved in
 mass data security breaches are less likely to have their information
 misused than victims of smaller data breaches.

 The sheer volume of consumers affected slows identity thieves down, says
 Mike Cook, vice president of product services at ID Analytics and one of
 the company's co-founders. "We applied identity theft to real work terms,
 eight-hour days, with breaks and vacation time, and found that it would
 take a fraudster 40 years to work a million stolen IDs," he says.

 Some disclosure: ID Analytics, which is in the business of detecting
 identity theft for companies such as financial-services firms and
 retailers, initiated the study at the request of the companies whose
 security breaches were examined. The companies didn't sponsor the study,
 but ID Analytics provides services to one of the breached companies and
 provided services to another of the companies in the past.

 The ID Analytics study also found that mass data security breaches didn't
 result in the identity theft free-for-all many had feared. The odds are
 less than one in 1,000 that misuse or fraud will be detected for
 individuals whose sensitive information is compromised in cases of
 large-scale security breaches.

 Identity theft was more common when there was an intentional effort to
 steal information, as opposed to security lapses that occurred by accident,
 the study found. So, for example, you're more likely to be a victim if a
 thief intentionally steals a laptop to access the sensitive consumer data
 it holds, rather than if the thief steals the laptop simply to hock it for

 The study comes in the wake of a series of highly publicized mass security
 breaches this year, which raised concern about the potential for widespread
 identity theft. In June, for example, MasterCard International Inc.
 reported3 that someone had broken into the computer network of CardSystems
 Solutions Inc., an Atlanta company that processes credit-card transactions.
 The breach gave the thief access to names, account numbers and card
 security codes on more than 40 million credit-card accounts.

 When breaches such as this are disclosed, many consumers have no idea how
 likely it is that their information will be used to commit fraud, says Jay
 Foley, co-executive director of the Identity Theft Resource Center in San
 Diego, a nonprofit organization that assists victims of identity theft.

 "What [ID Analytics] is doing is identifying quite accurately where the
 greatest potential danger is," he says. "The study emphasizes the types of
 breaches [that] businesses and government need to look at closely and take

 What constitutes a higher-risk intentional breach? The riskiest category is
 one-on-one crimes, where a thief targets a victim to steal identification
 or account information. When information on thousands of individuals is
 stolen, however, the chances of one person in that group becoming a victim
 falls considerably, according to the study. "As you pass information stolen
 on 200 people or more in one incident, the risk drops off sharply," he says.

 Consumers Need to Stay on Guard

 Beth Givens, director of the Privacy Rights Clearinghouse in San Diego,
 warns that the study is a relatively small sampling, and that the results
 may lull consumers and lawmakers into believing the threat of identity
 theft posed by these types of data security breaches is inconsequential.

 "This is a very limited survey, they are only looking at four breaches and
 I'm concerned that their findings will be generalized," she says. "A great
 deal more research needs to be done on this area before any generalizations
 can be made."

 Regardless of the size of the security breach, consumers should remain
 vigilant against the threat of identity theft, says Eric Zahren, a
 spokesman for the U.S. Secret Service. "Any and all breaches should be
 considered serious and potentially damaging," he says.

 Indeed, while the new survey provides some comforting insight on the real
 and perceived dangers of breaches of information, large and small,
 consumers need to actively monitor and protect their sensitive financial
 information. (See box for tips on guarding your identity.)

 A 2005 study5 released earlier this year by Javelin Strategy & Research, a
 Pleasanton, Calif., consulting firm, found that when people monitor their
 accounts online, they are far less likely to be victims of fraud. The
 average paper and mail loss to identity theft and fraud was $4,500, says
 Jim Van Dyke, a principal at Javelin, while the average loss suffered by
 victims who detected crime online was $551.

 "The difference is people are detecting the fraud and contacting their
 financial institutions sooner, and not sending checks or other personal
 information through the mail," he says.

 Too Many Notifications, or Not Enough?

 ID Analytics' findings come just as a number of bills are being considered
 by federal legislators that would require companies to notify consumers of
 security lapses. Many of the proposals focus on mass security breaches,
 while the study indicates that victims of smaller breaches are more
 vulnerable to fraud, says Fred H. Cate, director of the Center for Applied
 Cybersecurity Research at Indiana University in Bloomington. (See a related

 "Legislators have been justifiably unsure of what to do because up until
 now there has been so little information on what works," Mr. Cate says.

 Businesses have been arguing against stricter notification laws, saying the
 cost would be prohibitive and that notifications should be limited to
 breaches that threaten a significant risk of identity theft. California was
 the first state to require all companies to send notifications when
 security breaches are detected.

 John Hall, a spokesman for the American Bankers Association in Washington
 D.C., contends that businesses should be the ones to determine whether
 notifications are warranted. Regulators require that financial-services
 firms send notifications only when the companies consider the security
 breaches a risk to the individuals involved.

 "We feel that a plethora of unnecessary warnings runs the risk of creating
 a 'cry-wolf' mentality, where consumers begin to ignore notifications
 whether they're serious or not," Mr. Hall says.

 Mike Zaneis, a lobbyist with the U.S. Chamber of Commerce, which is working
 with several congressional committees to secure a national flexible
 notification standard, says too many notifications may raise unnecessary
 concerns about the companies who have suffered data breaches.

 "Certainly there is a potential to erode the consumer confidence in a
 certain company, and of course we want to avoid that," he says, noting that
 a recent survey by privacy-research organization Ponemon Institute,
 sponsored by the law firm White & Case of New York, found that nearly 20%
 of respondents said they terminated a relationship with a company after
 being notified of a security breach, and 40% said they were thinking about
 terminating the relationship.

 Mr. Foley, a consumer advocate, argues that notifications are necessary for
 any breaches, regardless of size, and that businesses create a liability
 issue when they don't share information about lost or stolen data.

 "The companies need to analyze the information exposed, notify [consumers],
 give them the information necessary to offset potential problems and then
 just let it go," he says.

 I strongly agree. Consumers should be given the information they need to
 determine whether a company is trustworthy or not, based on the nature of
 the security breaches that are reported. If mandatory notifications do
 result in a blizzard of paperwork stuffing consumers' mailboxes, perhaps
 the ensuing outrage will finally convince companies and lawmakers that a
 great deal more needs to be done to protect consumers' sensitive financial

 * * *


 Here are a few steps to reduce your risk of having your sensitive
 information lost or stolen:
 Track your accounts. Review all financial account statements at least once
 a month, and periodically request free credit reports4 from the three major
 credit bureaus (Equifax, Experian, TransUnion).
 Keep information to yourself. Don't give out credit card or Social Security
 numbers to anyone unless you know why it is needed. If called, hang up and
 contact the company requesting the information directly. Keep a list of all
 your account numbers and passwords in a safe place, and don't leave credit
 cards or checkbooks lying around the house.
 Monitor your mail. Don't allow mail to sit in your box for more than a day,
 and consider purchasing a box with a lock. Never leave checks or other
 sensitive mail in your mailbox for pickup; instead, use a collection box.
 Buy a shredder or go paperless. Destroy any document that contains personal
 information, and offers for credit you receive in the mail. Consider
 viewing financial account statements online, and opting out of receiving
 paper statements by mail.

 R. A. Hettinga <mailto: [EMAIL PROTECTED]>
 The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
 44 Farquhar Street, Boston, MA 02131 USA
 "... however it may deserve respect for its usefulness and antiquity,
 [predicting the end of the world] has not been found agreeable to
 experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
 Clips mailing list

--- end forwarded text

R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to