Protecting Companies from Identity Theft

Organizations must think company-wide and across public/private barriers to prevent data breaches


A man walking down an empty residential street opens a mailbox and shoves its contents — including a credit card statement containing four convenience checks — into his jacket. A hacker breaks into a corporate database and downloads information on all the company’s 1,200 employees. A group collects social security numbers from a phishing scam that asks e-mail recipients to update their personal information on a sham Web site.
Teenagers watch a retail employee throwing paper transaction logs into a trash bin behind a shopping center and dig them out once she’s gone. An organized gang pays a hospital worker to hand over the medical or insurance information of patients in bulk.

The problem with identity theft is that it is all of these things, and its results include all types of fraud, from credit card and check fraud to medical and government benefits fraud, as well as blackmail. Because identity theft is such a broad and perhaps ill-defined crime category, it is often shrouded in misconceptions, and its potential as a damaging threat is often underestimated.

In most of the above scenarios, the consumer is the immediate intended victim who stands to lose from the information theft. Businesses and organizations — the corporation whose database is breached, the company whose logo is on the phishing e-mail, the retailer whose dumpster is searched, the hospital and the insurance companies that lose patient information — also stand to suffer significant long-term consequences.

A Rampant Problem
There is no way to accurately estimate the number of identity thefts that occur annually. Many companies and organizations track reported cases of various types of identity theft, but few can monitor every method, and since the crime may go undiscovered or unreported for a long time, it is possible that existing estimates are the tip of the iceberg. Several estimates place the number of incidents between 8 and 10 million each year. The Identity Theft Resource Center, which continually catalogues confirmed electronic and paper data breaches, reports 259 breaches in 2008 as of May 13, with nearly 12 million individual records exposed.
More than 4 million of those records are accounted for by a major security breach reported by Hannaford Brothers supermarkets in March. This immense theft of credit and debit card numbers has already led to at least 1,800 confirmed cases of fraud.

It is this type of breach that sends shivers up the spines of retailers, banks and other companies that handle financial data. Whereas other types of identity theft, like the recovery of paper records outside a store, generally impact a limited number of customers and may easily escape attention, a high-level breach of financial data quickly exposes millions of records, making for spectacular headline news.

Potential Costs in the Billions
Last year, Forrester Research released a study called “Calculating the Cost of a Security Breach” that estimated the business costs of a data breach at anywhere from $90 to $305 per customer record, depending on the type of company and the profile of the breach. When millions of accounts are exposed, the final figure is staggering.

Impacted businesses must front the cost of notifying customers of the breach, satisfying applicable fines, paying legal fees, instituting new protections, and investigating complaints. And in the theft of credit card data specifically, victimized consumers are generally not held responsible for fraudulent charges, so banks or businesses end up bearing the direct financial losses.

Reputational loss and the loss of future sales take a toll as well. An online survey conducted by the Business Software Alliance and Harris Interactive in 2006 found that 30 percent of adults said they felt compelled to shop online less or not at all during the 2005/2006 holiday season because of security fears. Also, when the data exposed in a breach is financial, it seems to elicit a stronger response from consumers than, say, the loss of social security numbers or birth dates, because the danger feels more immediate and hits them where it hurts: in their bank accounts.
