The Federal Bureau of Investigation (FBI) reports that identity theft is the fastest growing crime in the United States. It is also the number one consumer complaint received by the Federal Trade Commission, accounting for approximately 255,565 complaints in 2008. In addition, more than 30 states have enacted legislation requiring companies to notify consumers if their personal information may have been compromised. Even in states where notification is not required by law, failure to notify an individual of a potential identity breach may result in severe civil, regulatory and legal liability costs, as well as potential damage to a company’s reputation and loss of consumer confidence. Nearly 10 million Americans are victims of identity theft annually according to the Federal Trade Commission with an estimated cost in 2008 of $48 billion.
The cost of a data breach is now $204 per compromised customer record, according to the Ponemon Institute’s 2009 study. In the five years that the Ponemon Institute has conducted its study, costs have increased 48%.
Increasing incidences of corporate privacy breaches have resulted in a greater number of lawsuits, consumer backlash and regulatory actions, including fines. More than ever, customers today expect their personal data to be protected.
What is Identity Theft?
The unauthorized use of a victim’s information for financial gain is popularly referred to as identity theft. The victim is an unsuspecting individual, business corporation or other entity. The information used to perpetrate this activity is an instrument that can positively identify the victim and that is usually required by an institution. The institution is an authority that may offer various services, ranging from social benefits to financial credit. Identity theft is not new; the main factor that has made this crime widespread is that sensitive information has become easier for criminals to access. Experts believe that the current state of the economy has also led to the increase in criminal activity. These days, it is virtually impossible to conduct any type of transaction without collecting and storing personal information. Companies have set up large repositories for this data. Among the information collected in the U.S. is the Social Security number, which is one of the key pieces of data for establishing an individual’s identity. If this and other personal information falls into the hands of criminals, it gives them the ability to impersonate the victim to a financial institution in the hope of establishing an account. The ability to open a financial account and make use of its services without liability to the perpetrator makes this a very attractive crime.
Business Implications
The alarming rate at which identity theft occurs and the devastating impact of the financial ruin it causes should not be underestimated. Most important to the business is the implication that it has not done its due diligence to protect its customers’ information and is therefore liable.
Corporations need to consider customer and investor concern, the outcome of negative and embarrassing information, and the legal and regulatory pressures. Customers and investors alike lose confidence in a corporation after any negative news, especially when it is perceived that the due diligence required to safeguard customer information was absent. A major and unforgiving event can cause a corporation to lose credibility and business to a competitor. Such an occurrence can be devastating to a company, possibly to an extent where it may not entirely recover.
Steps to Prevent
If people are aware of how identity theft occurs and succeeds, they can take steps to prevent that eventuality. The first step is to shred, shred, and shred. This basic preventative control limits access by external, unauthorized individuals. Internally, the combination of preventative and detective controls deters an authorized employee from taking advantage of privileged access. Access to information should be limited to job-related functions. Classifying data may help reduce the risk of excessive privilege and avoid the high cost of overprotecting information.
A privacy impact analysis is an integral part of an organization’s security management program. This assessment ensures that the risk of exposing personally identifiable information is contained at every level. By identifying vulnerabilities (e.g. personal data stored at processing vendors) throughout the business process, an organization can help reduce the possibility of identity theft occurring at different stages and safeguard the information that has been entrusted to its care (e.g. by encrypting laptops). The assessment creates a structured process for analyzing nontechnical and technical requirements, and compliance with relevant regulations.
Insurance
While the opportunity to contractually transfer the financial risk of identity theft is minimal to non-existent, there are insurance products on the market that can help transfer some of the financial risk that companies face in this area. Insurance products are available that offer coverage to the insured company for the following: legal liability damages; defense costs; regulatory action expenses; notification costs; crisis expenses; and post-event services, including identity theft recovery services such as education, assistance, and credit monitoring for victims. Limits of liability generally are available from $500,000 to $5,000,000, though first-party (notifications) coverage is typically sub-limited to $1,000,000 or lower. The best way to get the right coverage that suits your business’ specific needs is to consult with an Independent Risk & Insurance Advisor.
In summary, when properly implemented, due care by organizations helps prevent a loss of credibility and money associated with embarrassing negative publicity, as well as legal repercussions. Organizations with these processes in place position themselves to save not only their reputation, but also bottom-line dollars spent on their Total Cost of Risk (TCOR). It is imperative for organizations to take appropriate and reasonable measures to help reduce the risk of fraud through identity theft.