2014 was a record year for data breaches, but not in a good way. There were more reports of internal and external data breaches affecting everything from major corporations to small mom-and-pop operations. Of course, it wasn’t only businesses that were affected, as consumers reported high numbers of identity thefts as well.

This month’s Twitter chat (#IDTheftChat) will go into greater detail about what went wrong, and how it affects both businesses and consumers. Co-hosted by @IDT911, we’ll hear from experts who will weigh in on how we can all work to reverse these numbers in the coming year.

Join us on Thursday, February 5th, at 2pm ET for this chat by following the #IDTheftChat hashtag on Twitter. Simply log into your account and search for the hashtag to read the updates, and be sure to add the hashtag to your own tweets in order to participate.

Some of the questions that we’ll be addressing during the chat include:

  1. What is a data breach? Do you think all breaches are the same?
  2. What is the difference between a data breach and identity theft?
  3. After receiving a data breach notification letter, what should consumers do?
  4. Data breaches have occurred with such regularity that we’re becoming desensitized. Should we still be concerned?
  5. How can you protect yourself from identity theft if data has been compromised in a breach?
  6. How many types of ID theft can you name?
  7. Have you been a victim of a breach? If so, what did you do?
  8. Do you think companies are adequately protecting private info?
  9. What should companies communicate to consumers to assure them their info is kept private?
  10. Are you scared of a cyber-attack, similar to the Sony hack?

In order to participate in this informative event on February 5th, you may join the #IDTheftChat TweetChat room by going to http://tweetchat.com/room/IDTheftChat after signing into your Twitter account. Be sure to type “#IDTheftChat” at the end of each of your tweets so that others may see your comments and questions, and search for that hashtag to read all of the information on the topic of data breaches.

Be sure to also follow the Identity Theft Resource Center (@IDTheftCenter) and IDT911 (@IDT911) for great information that will help you protect yourself and your loved ones throughout the year.

We all have important documents that we need to have handy, but that we really need a thief not to find. This leads people to question the need for a safe deposit box through a bank, or to choose to purchase an in-home safe. But there are pros and cons to both fire safes for your home and safe deposit boxes offered through your bank.

  • Fire Safe: A fire safe is a one-time expense, often comparable to the cost of only one year of safe deposit box rental. It can be mounted to the floor to make it harder for a burglar to make off with, and can easily be locked by a key or combination, depending on the model you choose. These boxes can protect the contents from theft, fire, and water, but are not completely secured against those threats.

  • Safe Deposit Box: A bank’s safe deposit box is secured in a bank vault under double lock, and access usually requires a photo ID. The box itself is under certain legal protections, such as preventing others from accessing it upon your death. The vault itself offers a stronger measure of protection than a portable box in your home, but requires you to go to the bank to retrieve your contents.

There are some things to remember about both options. A fire safe is fire and water resistant, not proof, unless you purchase models made specifically to withstand those elements. Extreme heat from an extensive house fire can melt contents inside the safe, especially digital contents that you store on a USB drive or other media. Water from putting out the fire can also soak the contents inside, unless you opt for a more expensive, fully waterproof model. Remember, if you choose to use a home safe, be sure to store it on the first floor of your home since it can be very dangerous to the firefighters below if the floor that supports it is damaged.

Safe deposit boxes tend to be less convenient since they can only be accessed during bank hours. Upon the box holder’s death, the contents are inaccessible unless the will states who is to have access, and even then that access is only available once the will is probated. One other factor that people often overlook is natural disaster; if your town is affected by a hurricane, flood, tornado, or other widespread damaging event, the bank may be just as vulnerable as your home and your contents can be impacted.

Some sources recommend considering both options, instead of either-or. A small fire safe in your home can offer a layer of protection for the documents and valuables you need to access routinely, such as a will, jewelry that you plan to wear from time to time, Social Security cards, and insurance papers. A safe deposit box would be ideal for items you don’t need to access on a regular basis but that you need to protect, such as your car title, your diploma, your life insurance papers, your marriage certificate, and digital copies of special mementos like a wedding photo, some baby pictures, or more. If you have valuable jewelry that you don’t plan to wear, it might be better to store it for safe keeping in a place off-site.

For documentation, you might also consider scanning the documents and uploading them to a cloud-based storage option. That way, your originals can be stored in either a fire safe or a safe deposit box, while you can access copies of them from a computer.

However you plan to secure your valuables and documents, the most important thing is building the habit of protecting them. If you leave your Social Security card lying in a drawer where a burglar can find it because you didn’t have time to take it to your bank, or you leave the key to your home safe hanging on a bulletin board in your kitchen, that could lead to bigger problems than just the loss of some household items. Decide how you’re going to protect yourself by understanding how you’re most likely to practice these security measures.

Every business or organization, large and small, has a responsibility to protect employee and customer information, and the centerpiece of that protection should be an information governance plan.

Businesses that have not yet developed their 2015 governance plan are taking a big risk because without an effective plan that has specified policies, protocols and processes, the business is almost inviting identity theft and data-breach exposures.

Your business creates, collects and stores new information every day. E-mail is one example, and the content of your e-mail is a big target for hackers and identity theft criminals.

The risk of your personal or business e-mail accounts being hacked is high, but the risk of all your data — such as employee, bank-account or health-care information — being stolen is even higher.

Information security and governance are problems that continue to challenge every size of business, as evidenced by data breaches making headlines.

So, what’s the answer? All of your data needs to be managed, and it needs to be secure. And it needs to be managed and secured by every employee and vendor that has access to your business information.

This can be done by “creating and implementing an annual information governance plan that establishes policies and procedures to ensure a company’s proprietary and sensitive information are protected from both cyber and physical loss,” according to Michael O’Shaughnessy, president of Guardian Pro, a Phoenix-based data governance company.

According to O’Shaughnessy, every small business should consider the following six components in their information governance plan:

  • Cyber and physical security.
  • Employee and contractor training.
  • Procedural policy.
  • Equipment and technology policy.
  • Human-resource policy.
  • Marketplace threat level.

Your written information governance plan should be reviewed and signed on an annual basis by every company employee (regardless of the size of the organization) to document and support your information security and governance best practices.

In talking with many small-business owners at speaking engagements or one-on-one, I see a significant gap between how small businesses protect their employee and customer data and the actions they take, such as creating and implementing an information governance plan.

The costs of cybercrime and data breaches are doing serious damage to both the public and private sectors. Small businesses need to know and understand how to respond to state and federal breach notification laws and how to communicate with affected individuals, including their employees and customers.

Your information governance plan will help your business accomplish this while minimizing the potential for identity theft to your employees and customers.

Approximately 19.6 million Americans are employed by companies with fewer than 20 employees, and small businesses are at a greater risk of experiencing a data breach.

Mark’s most important: Your small business needs to complete and implement an information governance plan with a focus on employee education to ensure the enduring success of your business.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., a national ID-theft and background-screening provider based in Phoenix. Reach him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.

Since the Identity Theft Resource Center first began tracking reports of data breaches, there have been more than 5,000 – and a record-high number of breaches, 784, occurred in 2014 alone. Of these events, the highest percentage at 42.5% were medical and healthcare breaches.

In 2014, 33% of data breaches occurred in the business sector, 11.7% of breaches involved the government or military, educational institution breaches accounted for 7.3%, and the financial industry accounted for 5.5% of breaches.

The overwhelming majority of these data breaches were accomplished through hacking, in which criminals were able to access sensitive content through networks from outside the server. A concept known as “data on the move,” which refers to sensitive information stored on portable technology like flash drives, laptops, and even smartphones, accounted for the second highest number of breaches when that technology was lost or allowed to be compromised. Internal breaches, when an employee or third-party contractor accessed sensitive data without permission, were the third highest cause of leaks.

“The ubiquitous nature of data breaches has left some consumers and businesses in a state of fatigue and denial about the serious nature of this issue,” said Eva Velasquez, president and CEO of the ITRC. “While not all breaches will result in identity theft or other crimes, the fact that information is consistently being compromised increases the odds that individuals will have to deal with the fallout. The ITRC data breach reports are a necessary educational tool for businesses, government and advocates alike in our communication efforts.”

“It is important to note that the 5,000 breach milestone only encompasses those reported – many breaches fly under the radar each day because there are many institutions that prefer to avoid the financial dislocation, liability and loss of goodwill that comes with disclosure and notification,” said Adam Levin, founder and chairman of IDT911. “Additionally, not all businesses are required to report they’ve had a breach for a variety of reasons, which means the number of breaches and records affected is realistically much higher.”

The Identity Theft Resource Center uses this information to work towards better consumer protection, and to raise public awareness on the need for better personal data security. With a clearer picture of the cybercrime landscape, the ITRC can continue its mission of offering free assistance to consumers who’ve been affected by a data breach of some kind, as well as keep law enforcement and the IT sector up to date on the latest activities and vulnerabilities related to this type of crime.

The year-end report was unveiled at nearly the same time that the Obama administration announced its plan for cybersecurity legislation that would alleviate some of the liability following an attack for companies that had voluntarily cooperated with the government’s cybersecurity information-sharing initiatives.

To look back at ITRC records from 2005 to 2014, see the Data Breach section of the ITRC website, supported by IDT911.

Your Social Security number is not very safe for two reasons – where it’s been and where it will be going. Considering how widespread the abuse of SSNs by ID-theft criminals is, maybe it should be renamed our Social In-Security number.

Let me bring the point home by sharing a moment from a recent speaking engagement to business students at the University of Arizona. I was challenged by a couple of students who said they had no risk of identity theft because “they were so young” and their “personally identifiable information had not had a chance to be at risk yet.”

My response dashed their naïve thinking. I reminded the students that chances are their parents had multiple jobs as they were growing up, which included multiple health insurance providers, and that their names and SSNs were still with those providers, along with the doctors, dentists and hospitals that they had visited over the years. I then asked how safe their names and SSNs were today.

Finally, I mentioned that most college students have a driver’s license and receive some form of financial aid, both of which require a name and Social Security number. How safe were their Division of Motor Vehicles records, along with their financial-aid forms, in these days of rampant data breaches? One of the two inquiring students acknowledged that she had transferred from a community college from which she received a letter notifying her of a data breach that included her SSN.

I also shared with the college audience portions of a speech I gave to a national association in Las Vegas last year, when a financial institution CEO told me that his life and SSN were locked down and that he was a low risk to become a victim of identity theft. My response was to ask a few basic questions including, had this CEO worked for the same employer his entire life? Did he use the same home and auto insurance agent, tax preparation service provider, doctor, and dentist his entire life? Did he purchase his cars from the same auto dealer his entire life? Did he have health insurance from the same health insurance provider his entire life?

The answer of course was “no” to all of these – which means his name and SSN have been with multiple businesses and organizations throughout his career and personal life. Statistically, it’s likely some of these entities have had data breaches. When SSNs were first issued in 1936, the federal government told the public that the use of SSNs would be limited to Social Security programs only, including retirement benefits. Today, however, SSNs are the default national identifier – used as an authenticator to confirm the identity of individuals. That makes SSNs highly desirable to identity thieves.

Mark’s most important: Add security to your Social Security number by assuming it’s been breached somewhere, or will be. Always be vigilant, regularly checking your accounts and records for unauthorized actions.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.

Merchants Information Solutions is a proud sponsor of and provides financial support to the ITRC. For more information on the ITRC’s financial support relationships, please see our sponsorship policy.

Is Sony’s data-breach event about to change how hackers go after our personally identifiable information in 2015?

When the news broke that the information of more than 6,800 Sony employees – including Social Security numbers, birth dates, and salaries – had been exposed, most consumers, including me, thought “Here we go again” with another typical major data breach event.

However, this is anything but typical. Unlike the Target or Home Depot hacks, the Sony breach exposes a new threat realm that includes stealing and exposing health-care information, employee e-mails and project e-mails involving clients, partners and other employees.

Can you imagine private e-mails from your employer, health provider, banker, social media or child’s school about your salary, medical records, credit score, child’s grades, personal or business relationships going public for everyone to read and see?

In Sony’s case, files that were hacked included unreleased movies (even forcing the cancellation of one), thousands of employees’ Social Security numbers, executive pay packages and internal e-mails that were uploaded to the Internet. Sony has described this breach as an “unparalleled crime” that is unprecedented in nature.

Sony Pictures now has legal, financial and public relations liabilities in protecting its image, responding to the needs of individuals affected by the breach and complying with state and federal data-breach laws.

I believe we will see more of the Sony-type hacks — targeted attacks specific to both our personal and business information.

I encourage you to check out Experian’s just released second annual data breach industry forecast report. Here are some of Experian’s 2015 data breach predictions:

  • Internet of things. Cyberattacks likely will increase via data accessed from third-party vendors.
  • Employees will be companies’ biggest threat. A majority of companies will miss the mark on the largest data breach threat: employees. Between human error and malicious insiders, time has shown us the majority of data breaches originate inside company walls.
  • Data-breach fatigue will grow among consumers. A growing number of consumers are becoming more apathetic and are taking less action to personally protect themselves.
  • Business leaders will face increased scrutiny. Where previously IT departments were responsible for explaining security incidents, cyberattacks have expanded from a tech problem to a corporate-wide issue. With this shift, business leaders are being held directly accountable.
  • More hackers will target cloud data. Cloud services have been a productivity boon for consumers and businesses. However, as more information gets stored in the cloud and consumers rely on online services for everything, the cloud becomes a more attractive target for attackers.

Mark’s most important: Set goals in 2015 to focus on risk management and cybersecurity. Be proactive and prepared for a broader range of hacking threats.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., a national ID-theft and background-screening provider based in Phoenix. Reach him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.

A number of government employees had their productivity cut short late last week when the State Department shut down its unclassified email system. This shutdown occurred after IT experts noticed some unusual activity on the servers. The response, which didn’t affect any classified email systems or content, was swift and widespread throughout the department, with plans to return the system to operation on Monday or Tuesday after updating the security protocols and investigating the causes and the reach of the hackers’ access.

What made the action so sudden? Experts inside the system have reason to believe this most recent attack is linked to the data breach of the White House’s unclassified computers last month, a hacking event that they believe to have originated in Russia. A spokesman for Russian President Vladimir Putin, however, told CNN that the US has no proof that Russia is in any way behind that breach and that they would not discuss any allegations of hacking until proof was provided.

Immediately after the time that the White House computers were hacked, other mysterious activity was detected across government networks, but the extent of it has not yet been isolated. So far, computers at the US Postal System and the National Weather Service have also reported breaches.

In a statement published on Huffington Post, however, a senior State Department official who wished to remain anonymous said that the email outage was actually intentionally scheduled in an effort to conduct security maintenance on the system as a result of the earlier breach. This belies some of the media response that indicated the State Department had essentially pulled the plug on the system once suspicious activity was noticed. This official confirmed that investigators are still at work on the extent of the October breach, but reiterated that no classified information has been compromised.

It’s easy to give in to fear-mongering from sources who see this as our government’s inability to secure its own networks or who claim that our technology isn’t all that secure, but the better viewpoint is to applaud the State Department for taking action to minimize the amount of content that hackers could access. Even as recently as a year ago, reports of large scale data breaches in the private and corporate sectors were only made public months after the event and after investigators confirmed it had taken place. If anything has been learned from this, it’s that immediate action is important, even when suspicious activity is only suspected.

When most people think of a hacking event that results in the loss of highly sensitive government information, they probably envision foreign spies or figures like Edward Snowden, people who not only have an agenda to fulfill but also the means and the know-how to infiltrate what has to be the most secure network in the world.

Instead, the reality is that a shocking number of data breaches are caused by user error on the part of government employees, people who are all too often wholly untrained about the dangers associated with certain internet behaviors. These behaviors have led to a reported increase in cyber “incidents,” of which there were more than 200,000 last year alone, according to the Associated Press.

But with government officials placing cybersecurity as the number one threat to our country—even higher than terrorism—and a reported $10 billion a year of government funding spent on cybersecurity, why are we still subject to this kind of vulnerability?

Unlike the laws being put in place around the country requiring private businesses, from tiny startups to major corporations, to inform consumers if their personally identifiable information has been accessed through a data breach, the government isn’t required to inform the public if they’re the victims of a breach. Cyber security failures have fallen to news outlets to report. Those organizations uncovered a shocking amount of employee failure, most of which stemmed from falling for phishing emails, clicking on fake links which downloaded malicious software to a government computer, losing crucial pieces of technology like laptop computers with highly sensitive information stored on them, and more. Overall, the AP has uncovered that at least half of all government cyber incidents are the fault of an employee error.

Of course, it’s not only employees and contractors who are to blame for their online missteps. The other side of the coin is that the government’s data comes under constant threat from hackers, both from intentional foreign spies and from individuals who just want to see if they can accomplish the seemingly impossible by breaking into this secure data. Unfortunately, as news outlets like The Washington Post have reported, it’s all too easy to access a government computer or server when employees are not trained on safe online security practices.

What is vitally important is better training and awareness of security threats, and the need to report these incidents to the public as they occur. When the White House’s own report states that 21% of the cyber incidents last year were due to employees violating workplace computer policies, and another 16% were due to employees losing a physical piece of technology, better instructional practices, constant threat management training, and penalties for outright violations might make our information more secure.

“What do we do next?”

Picture this: Your small business has been hacked and you are now asking yourself, your business partners or your management team that question.

If the question characterizes the state of your ID-theft preparedness, the painful answer I have is: It’s already too late.

You need to be ready before your data is hit and immediately launch your data-breach incident response plan. In case you’re not ready, let me give you the essentials I provide to my business and civic audiences so you can be prepared.

The first priority for your business is to understand the three primary data-breach risk factors: people, processes and technology. The people factor includes current and former employees, customers, associates, vendors and independent contractors.

Processes include information technology, enterprise risk management, marketing, sales and human resources.

The technology that you rely on to conduct and grow your business also is being used by cybercriminals to identify vulnerabilities of your business.

Your second priority is to complete a data assessment of all types of information that your business collects, uses, stores and transmits.

• What type of data (on employees, customers or patients) is in your files?

• What type of personally identifiable information is in your business data (for example, name, address, Social Security number, driver’s license, bank account, credit/debit card, medical plan information)?

• What aspects of your business are performed within and outside your business?

• What would be the value of your data assets if they were stolen and made public?

• What would be your overall financial risk if your data was breached?

• In which states does your business conduct business, and in which states are your customers/employees/patients living?

• Does your business insurance include cyber/network liability?

Your third priority is to include the following five components in your small-business data-breach incident-response plan:

• Determine breach source. Make sure the data compromise is isolated and access is closed. You may need a forensic investigation company.

• Breach assessment. Determine the scope of the data breach and privacy and data-security regulatory requirements.

• Response plan. Include internal employee education and talking points; public relations, customer education and resources; business or consumer solutions to be considered; and the content and timely release of notification letters.

• Protection plan. Determine what protection services will be offered to the compromised record group and confirm professional call-center and recovery advocate-support services.

• Breach-victim resolution plan. Provide access to professionally trained and certified identity-fraud recovery advocates who will work on behalf of the victims to mitigate and resolve the issues caused by the breach.

Templates are freely available online to assist with the creation of your data-breach incident response. Also, consider contacting your insurance broker and professional trade associations to which your business belongs. They often have good resources.

Mark’s most important: Promise yourself today that you will have a data-breach response plan in place by the end of the month.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., a national ID-theft and background-screening provider based in Phoenix. Reach him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.

News broke this week of a breach of AT&T customers’ data, the second event this year for the cellular provider. In an eerily similar method of stealing private information for the purpose of reusing it, an employee allegedly accessed sensitive data, this time of over 1,600 AT&T customers.

The breach that took place earlier in the year involved “unlocking” smartphones in order to take them to any provider. In that event, several third-party contractors to the company quite literally entered an AT&T store and used the computer system to look up and record the private information of a few hundred customers. The thieves needed the private information in order to override the protocols that tie an individual phone to the AT&T network. Once the retrieved data is used to unlock the phone from AT&T’s cellular service, the phone can then be used on any provider’s network. This is what makes a stolen phone useful for resale, since it would otherwise have to be sold to an in-network customer.

The thieves had a batch of stolen phones—either that they had stolen themselves or that they were in connection with—and needed customers’ security information in order to unlock them. There hasn’t been any definitive word on whether the thieves then went on to sell that information for identity theft purposes, but AT&T provided a year of credit monitoring protection to the affected consumers to be safe.

Now, an AT&T employee has accessed the data of almost two thousand customers, although the company hasn’t been able to determine why the employee looked at the information. It’s believed that the purpose was identity theft, but that hasn’t been confirmed. What is known is which types of information were accessed, and it was enough identifying information – like Social Security numbers, birthdates, and driver’s license numbers – that AT&T has terminated the employee and is once again covering the costs of credit monitoring services for the affected customers.

Whenever a breach like this one occurs, industry watchers have to ask the same question: why do companies gather and store this kind of information on their customers?

In the case of a service provider like a cell phone company, a credit check may be required in order to initiate a contract, but there’s no reason for the company to continue to store the Social Security numbers, especially when some reports indicate that the majority of consumer data breaches are inside jobs involving the companies’ own employees.

Moreover, the question needs to be asked, “Why are employees able to access this information in the first place?” Even if a legitimate reason for gathering the data was found, why are all employees able to view customers’ secure data?

Unfortunately, there are few steps consumers can take to minimize their risks in this situation. Those who receive letters from AT&T should take advantage of the free credit monitoring option and will need to keep a close watch on their credit reports for suspicious activity. Customers who are not affected, even those with a different cell phone provider, can attempt to contact the companies and have their Social Security numbers deleted from the companies’ systems in order to avoid an employee-based or network-hacking data breach; if that doesn’t work, prepaid cell phone services do not require Social Security numbers, as they do not run a background check.


If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign. For more information or to donate, please visit http://www.idtheftcenter.org/anyone-3.