Data Breach Digest: A collective effort is needed to truly protect breach victims

Oct. 3, 2016
The responsibility for safeguarding consumers lies with all players in the identity protection ecosystem

As most who work in this industry know by now, protecting consumers in the wake of a data breach should be one of a company’s highest priorities and is one of the most important aspects of a successful response to an incident. In fact, according to a consumer study conducted by the Ponemon Institute in 2014, nearly a third of respondents noted they discontinued their relationship with a company following a data breach due to the way the company responded to the breach.

Unfortunately, providing the proper protection to customers following an incident is more challenging today than ever before. As hackers continue to evolve their approaches and utilize different types of personally identifiable information, whether it’s a username and password or medical insurance number, companies are challenged to keep pace. No two data breaches are the same, and the incident particulars will determine the right option for consumers. Just like a game of cat and mouse, as the data breach ecosystem innovates and adopts best practices to reduce the harm of incidents, attackers find new ways around them. 

With this in mind, I would like to comment on the state of consumer protection today. Faced with these constantly changing threats and customer expectations, the entire data breach ecosystem must continue to evolve its thinking about customer protection following a breach. From identity protection technology providers to company executives faced with deciding what protection needs to be offered and the outside experts that advise them, I believe it’s vital that everyone in the industry better understand what technology and innovation are needed to provide consumers the right protection. We must all work to improve the options available and ensure a better understanding of what specific breach populations most need. It’s ultimately a collective responsibility that requires more dialogue and attention to help companies know their options and ensure consumers are getting the type of protection that will work best.

To start, let’s take a look at the identity protection provider industry. While credit monitoring is what many think of when it comes to identity protection, it may not always be best suited for certain types of breaches we see today. For example, when usernames and passwords are lost, an internet scanning service that will monitor the trading and selling of this data is crucial. Exposure of names and Social Security numbers, meanwhile, also requires that affected consumers have the ability to access their credit report from each credit bureau so they can regularly monitor for any new accounts opened in their name.

The good news is we are continuing to see innovation in this space and several vendors now have new technologies that help provide remedies beyond credit monitoring. But we need to do more to develop further choices for consumer protection, including better ways to monitor for child identity theft and medical insurance activity so consumers can detect if someone is getting care using their insurance credentials.

However, innovation in monitoring choices is only one piece of the puzzle. For companies, today’s plethora of personal information being exposed makes it even harder to select the right solution: there is no one-size-fits-all approach, and there are various product options in the marketplace to choose from.

Ultimately, it is the company’s executives in charge of the breach response who will make the decision of how to protect their affected audience. They need to be well-informed about the options in the marketplace. Not only should they be knowledgeable, but they should also consider protecting their customers a major priority and not just a last box to be checked off on the list of response tactics. While a minority, I’ve heard of some cases where companies have decided to offer no remedy to breach populations. I believe this is not acceptable, especially given that criminals can piece together any type of personal information to commit fraud and there are now more diverse product options that are better tailored toward a wider range of incident types. While there are certainly some costs with providing protection, the peace of mind it can provide to breach victims and subsequent goodwill it provides for a company are well worth it.

Unfortunately, keeping track of the latest threats and remedies can be a challenge. The good news is that there are several external experts that companies rely on during an incident that can help in making these critical decisions. Outside legal counsel, public relations and forensics experts can provide thoughtful and objective analysis of the right tool for the job. They too have an important role in the ecosystem. It is critical that companies work with advisors who are objective, have critical industry relationships and are educated on all the types of consumer protection options.

Even ahead of an incident, it’s important that companies ask their advisors to help them understand the latest best practice when it comes to protection. They should look for outside counsel to arrange for briefings with identity protection providers to understand the latest technology and even set up pre-breach agreements with a provider that is able to provide regular updates on developments in the market.

While protecting breach victims is only becoming more difficult, I am optimistic that we will see steady improvement in addressing this issue to the satisfaction of companies and consumers.

That said, there is no room for complacency. As sophisticated as criminals are, those of us fighting to keep them at bay need to stay vigilant about the right options to mitigate fallout when a breach does occur.  

About the Author

Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space, where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently serves on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board. He can be reached at [email protected].