An On-the-Ground Look at Consumer Impacts of Data Breaches

Note: A summary of Givens’ presentation is included in this National Academies of Sciences publication: Forum on Cyber Resilience

National Academies of Sciences Forum
Data Breach Aftermath and Recovery for Individuals and Institutions

“An On-the-Ground Look at Consumer Impacts of Data Breaches”
Presentation by Beth Givens, Privacy Rights Clearinghouse
January 12, 2016

Introduction

Thank you for the opportunity to speak today.

I’m Beth Givens, executive director of the Privacy Rights Clearinghouse. The organization’s mission is to empower and educate consumers to protect their privacy. It’s a nonprofit organization located in San Diego.

The Privacy Rights Clearinghouse was established 1992 – this is its 24th year. We are a nationwide organization in terms of our consumer assistance. But regarding public policy, we focus on California state legislation.

A popular feature on our website is the Chronology of Data Breaches, dating back to 2005 when data breaches first became news.  You might remember the Choicepoint data breach from 2005.  Our Chronology provides a summary of each breach, along with its category and the number of records compromised, if known.  It should be noted that our breach listing is not comprehensive.

My presentation covers the following topics:

  • California’s data breach notice law – evolution and lessons learned
  • Typical experiences of data breach victims
  • Today’s breach environment
  • Looking ahead

Evolution of California’s Data Breach Notice Law

California’s data breach notice law has evolved considerably since it was first implemented in 2003. [The dates provided below are the year in which the law was implemented.]

2003: California passed the first data breach notice law in the country in 2002; implemented in 2003.

    • For compromise of unencrypted name + Social Security number, or driver’s license, or state identification number, or financial account number.   
    • Catalyst:  Data breach in 2002 of the state government payroll database at the Teale Data Center – affecting all 265,000 employees, the Governor, and the entire Legislature. This data breach hit close to home for the California Legislature.

2008:   Breaches of medical and health insurance information were added to data elements requiring notice when compromised. 

2009:   Law was strengthened regarding medical breach notice and penalties.

      • Catalyst: Los Angeles hospital employees browsed celebrities’ records.  Arnold Schwarzenegger was Governor at that time

2012:   Requirement of specific content in notices.

      • Description of incident, type of information breached, timeframe of breach, toll-free numbers, and addresses of credit reporting agencies were required in breach notices.  
      • This was the first of two laws to require specific content in the breach notices—to get away from the vague notices that had been the norm.
      • In 2012, reporting to the Attorney General was also required.  Notice letters are posted on California Attorney General’s public website.

2014:     The reporting requirement was extended to local government agencies. Prior to that, the law covered business and state agencies.

      • Also the definition of personal information was expanded to include “user name or email address, in combination with a password or security question and answer that would permit access to an online account”.

2015:       The law was expanded to require free “identity theft prevention and mitigation” service for one year. Note that the law does not state “credit monitoring” per se.

      •  This is for breaches of SSN, driver’s license number or state identification number

2016:     2016 saw three amendments implemented:

      • A definition of encryption was added.  The law contains an exception to reporting if the records are encrypted.  
      • There are new requirements for the content and form of notice with headings: What Happened, What Information Was Involved, What We Are Doing, What You Can Do, and For More Information.
      • Operators and users of automated license plate recognition systems (ALPR) must comply with data breach notice requirements.

Lessons Learned from the Evolution of California’s Data Breach Notice Law

My first observation:  As you well know, criminals who perpetrate fraud are a wily bunch. Their targets and techniques are always evolving.  As a result, public policy struggles to keep abreast of the ever-evolving world of fraud. But an active state legislature is more nimble than federal legislation in terms of consumer protection.

A second observation:  Transparency regarding data breaches is important.  As an example, the California Attorney General’s breach website posts notice letters regarding breaches in which Californians’ personal information has been compromised. 

A third observation:  Theoretically, clearly written notices are more widely-read and comprehended.  The California Legislature has now passed two laws that require clarity in data breach notices. The latest law is just now being implemented.  I will be very interested to see how the new headings required in breach notices will play out.

This is a potential area for academic research: How notice format and content now required by California law will be received by consumers.

Typical Experiences for Individuals Whose Personal Information has been Compromised

How many of you have received one or more data breach notices in the mail.  Given the huge number of breaches, it’s not surprising for people to have received several.

My assessment of such notices over the years is that they lack clarity and useful information for consumers. And of course, that’s why the California Legislature has acted to require clarity.

Let’s not forget the purpose of such notices. It’s to provide enough information about the breach to the affected individuals so they can take steps to avoid becoming victims of fraud. 

Typically, the breached entity offers a credit monitoring service for one to two years at no charge. The company that has been selected to provide this service monitors the individual’s credit report for accounts opened by fraudsters, then helps the individual close them before any damage is done.

But unfortunately data breaches don’t fit the one-size-fits-all treatment.  Yes, if your Social Security number has been breached, offering credit monitoring is appropriate because with the SSN, the criminal is often able to use that information, plus other pieces of data about you, to fill out an application, or multiple applications, as is usually the case.

But if the breach has been of a point-of-sale system – like several major breaches in the past two years including Target and Home Depot -- and if credit and debit card numbers have been compromised, credit monitoring isn’t appropriate. It only gives the data breach victim a false sense of security.

Interestingly, and shockingly, I was told by an industry representative that the subscription rate for free credit monitoring services among the victims of data breaches is just 5%. 

Why the low sign-up rate, especially when the service is free?  Many data breach victims have told us that when they are online and are completing the subscription form, they stop and curtail the process when they are asked for their Social Security number and date of birth.  As data breach victims, this is understandable: They are extremely risk averse when it comes to disclosing their sensitive personal information. I spoke with another representative of an identity monitoring company who said they also experience the low 5% subscription rate. They researched this and found that those affected by data breaches don’t want credit monitoring, per se. They are most interested in identity repair if indeed the breach turns into fraud.  This particular company has designed its services around repair rather than monitoring. 

This company, in addition to credit monitoring, monitors a broader array of data points that are indicative of fraud – both in the underground marketplace and the resources of federal agencies like the FBI. Major companies also participate.  This is the program of the National Cyber Forensics and Training Alliance

The breached company can choose to offer this service – called identity theft monitoring -- to the affected individuals. And interestingly enough, it costs the company less than offering credit monitoring. 

But I was told by an industry representative that many breached entities fear that not offering the traditional credit monitoring could be perceived by consumers and regulators as being inadequate.  As such, credit monitoring has become a “best practice.”

From Data Breach Victim to Fraud Victim: How Many Individuals become Victims of Fraud?

I think we sometimes get so caught up in the specifics of data breaches and breach reporting that we forget that the reason we’re doing all this is so the affected individuals can take steps to prevent becoming victims of fraud.

How many victims of breaches actually become identity theft victims?

The Northern California company, Javelin Strategy and Research, conducts a nationwide survey annually on identity theft and data breaches. Their findings show an increase in the fraud rate from 2011 through 2013, followed by a much lower fraud rate for 2014.

  • 2011 – 1 in 5 breach victims who received notices became fraud victims
  • 2012 -  1 in 4 breach victims became fraud victims
  • 2013 – 1 in 3 breach victims became fraud victims
  • 2014 -  1 in 7 breach victims became fraud victims

The main reason for the reduced fraud rate for 2014 is the result of the mass reissuance of credit and debit cards after point-of-sale breaches, which, although expensive, was an effective strategy for preventing fraud. [The PRC thanks Javelin Strategy and Research for sharing these research results.]

Today’s Data Breach Environment

Javelin’s 2015 Data Breach Fraud Impact Report explains that increasingly, fraudsters are interested in any data they can obtain about individuals – not just data such as SSNs and financial account numbers which are used for financial fraud.  Rather, they are casting their nets wider in order to build rich profiles of individuals that can be used for more lucrative exploits.

From their June 2015 report: 

“School or medical records, ID card numbers, login information for online accounts, mothers’ maiden names — nearly any piece of information that fraudsters can get their hands on can be used to initiate or strengthen an attack.” [2015 Data Breach Fraud Impact Report, Javelin Strategy and Research]

I would be remiss in not bringing up suspected nation-state breaches of late, and breaches by those who are loosely associated with nation states.  These are not necessarily motivated by financial gain according to Javelin, but, rather, in gathering intelligence for a variety of purposes. For example, data from the breaches of Anthem and Premera, thought to have been hacked by Chinese groups, did not show up on the black market.  The Office of Personnel Management breaches also appear to not be motivated by financial gain. 

 In Conclusion: Looking Ahead

Experts explain that the wide adoption of EMV chip cards will result in less credit and debit card fraud. Like squeezing the balloon, fraud is expected to move to new account fraud, and this means that individuals’ Social Security numbers will be in high demand.  [2015 Data Breach Fraud Impact Report, Javelin Strategy and Research, fee required for complete report]

Entities with great quantities of SSNs and other personal information are likely to be targeted – such as government agencies and universities. These institutions will need to strengthen their IT systems, update their security practices, and train employees to be aware of and thwart social engineering schemes. 

Healthcare institutions will continue to be targeted.  Medical records are a treasure trove of personal information. They typically include Social Security numbers, date of birth, payment data, the medical information itself, and, often, information on family members. The latter is especially useful for social engineering schemes.

According to one source I researched, the value of medical records is 10 times that of credit and debit card data on the black market.  Healthcare institutions will need to invest in up-to-date security technologies. [Experian’s 2016 Data Breach Industry Forecast]

There is also expected to be an increase in Card Not Present (CNP) fraud, for example, in online commerce.  Technical strategies will need to be employed, such as tokenization and improved authentication to thwart this type of fraud. 

In closing, thank you for the opportunity to discuss these issues with you today.