With Better Reporting, Study Finds It Difficult to Tally Data Breach Trends
CU Times Staff Reporter
BRENTWOOD, Tenn. -- With the Nov. 1 Red Flag regulations deadline approaching from the Federal Reserve Board, a recent study by the Identity Theft Resource Center showed that data breach reports are up 69% in 2008 from the same time period in 2007.
Tom Harkins, chief strategy officer of Secure Identity Systems and former vice president of risk and security for MasterCard, said that he is not certain that the survey truly reflects an increase in data breaches.
"Data breaches have been going on for years," Harkins said. "So I'm not sure if the data breach rise is real or people are just becoming more aware of it. I'm not really convinced the numbers are up or down. There are just better reports that lead us to certain conclusions that may not necessarily be the truth."
Harkins also said that the majority of data breaches reported are not breaches in which information was stolen. For example, he said that a lot of data breaches are stolen or lost laptops, where a company reports the loss because there was information on the laptop, but the computer was stolen for its value, not the information it holds.
"You have to take these results into context," Harkins said.
Linda Foley, founder of the Identity Theft Resource Center and one of the authors of the study, said that while the information showed there was an increase in data breach reports, it is impossible to say what caused the increase.
"The information is inconclusive at this point," Foley said. "We have access to more information than ever before and more institutions are sending out releases to the press to notify of breaches. We've looked at the data upside down and inside out and we can't figure out why there is an increase."
Foley said that the information does point out that there is still a problem with information handling and that this time they were able to break down the information and see exactly where the problem came from.
To help lower data breaches and prepare for the Nov. 1 Red Flag regulation deadline, Secure Identity Systems is offering a free initial risk assessment and a policies and procedures manual for the next two months to all financial institutions that enroll in its ID protection service.
"We offer turnkey and one-stop solutions," Harkins said. "That makes life a lot easier for financial institutions."
Risk assessment is the first of seven requirements of the Red Flag regulations. The other requirements include developing a policy and procedure manual to combat identity theft, training employees, an anti-phishing solution, a new-account authentication program, verification of change of address and an identity theft solution.
Two months ago a LexisNexis survey showed that 84% of financial institutions either had not started their Red Flag plans or were in very early stages of their efforts. Harkins said that a more recent survey had shown that number was down to approximately 60%.
"People tend to wait for the last minute because they don't want to spend the money and the resource," Harkins said. "But once you have the ability to help a victim of identity theft go through the process and get back to their normal credit you have a customer for life."
Aside from the Red Flag regulations, Harkins said that one of the best things a credit union can do to protect customers is to look for patterns of behavior. He said that credit unions should have reports that show a customer's usual account activity.
"I can't tell you how many times I see this, and it's a week or so later and I ask didn't someone realize that this was not normal activity?"
Mail order and Internet fraud are very popular right now, Harkins said, and knowing the customer can help protect the member and prevent theft. If a member is 80 years old and doesn't own a computer, Harkins said, and you see a lot of Internet purchases, then there's a good chance the activity is not coming from the member and should be examined.
"Whenever you can put in additional controls to limit risk it always helps and it will help all the products credit unions offer across the board," Harkins said. "These regulations make sense and they are things that should be done to keep credit unions profitable and to help members."