Wonder what your business and customers can expect next year in the way of identity fraud and privacy trends?
We assembled a roundtable of experts at the third annual Privacy XChange Forum, a premier privacy and data security conference, to review the biggest identity theft trends and faux pas of 2015, as well as offer a forecast for 2016.
The panel included: Eva Velasquez, president and CEO of the Identity Theft Resource Center; Alex Cameron, a partner at the international business law firm Fasken Martineau; Jason Thomas, chief of innovation at Thomson Reuters Special Services; Brian Thornton, president of ProWriters; and Jared Wilbur, vice president and fraud prevention director at Citizens Bank.
Q: What was the biggest identity theft faux pas of 2015?
Wilbur: The Sony Pictures breach and the reaction to it would top the list. It’s more about the fact of the precedent we set with the people who conducted the breach and caving to their demands. Eventually Sony was able to release the film in a different format, over Netflix and not in theaters. But the stance they took in terms of pulling the release back from the theaters was a mistake because it sets a precedent and it emboldens the criminals and the nation-state actors in the space that it’s a good tactic to use moving forward.
Thornton: I was a broker that had a franchisee that owned about 25 Dairy Queens. They didn’t want to buy because they thought the coverage was too expensive. After the breach, this franchisee was not involved but ended up wanting to revisit the coverage and we quickly had 26 declinations in from all the markets that had previously quoted it. So when we talk about trends, I think franchisees are the big issue. Franchisees are very tough to place from that standpoint and I think they’ll continue to be. It’s a challenge from the standpoint of who owns the data. Are you using a franchisor system vs. the franchisees managing the risk themselves?
Thomas: There are too many data breaches where folks are getting access to data that’s not encrypted at rest. The U.S. Office of Personnel Management (OPM) breach is my faux pas. If you’re going to house lots of data about people, there seems to be a requirement on top of it to make sure the data is encrypted.
And from a flip side, you’re seeing hacks that are lifestyle-oriented and not financially oriented. Ashley Madison, RentBoy. So two faux pas: encryption at rest and organizations that don’t deal in transactional data are equally as dangerous.
Q: Are the motives to commit identity fraud and data breaches changing?
Thomas: In my view there seems to be more focus on influencing foreign policy decision-making based on data breaches. You saw it in Sony. It was the first time the president commented on a data breach and influenced our foreign policy going forward.
And the OPM breach, where 22 million people had their identities stolen and 5 million people had fingerprints stolen. I don’t know if you’ve gone through a background investigation. You start with this very long form called an SF-86 that asks you everything: your financial history, your mental health history, your drug and alcohol abuse, all your criminal violations. It asks you for neighbors, your family members, your children’s names and Social Security numbers, and you get fingerprinted.
You add to that the Ashley Madison data and other transactional data. These are all data breaches that show transactional data, meaning you can tell what I bought or where I went to buy something. You take that and correlate it with biographical data, and bad guys can make predictions about what you’re going to do next. So the past is relevant.
When you start applying big data analytic techniques to both sets of content at the same time, now you’re cooking with gas. I can tell you’re going to Target and going to buy X, and by the way I also know you have a mental health history where you’ve been institutionalized, and I know your children’s names, and the data breach becomes less about money and more about pressure and pain, and can I influence you to make a decision based on the data that I now possess that benefits me. And that not only applies to governments but to the private sector as well. If I can get an executive in an organization to give me something because I know he has a foot fetish, that’s hugely more dangerous than stealing a credit card number.
Q: Considering credit card fraud, wire transfer fraud and mobile banking fraud, how should banks respond and prepare for the next wave?
Wilbur: With EMV [EuroPay, MasterCard® and Visa® encrypted chip technology used in debit and credit cards] coming out, we’re predicting a shift to more traditional forms of fraud. Right now, even with early indicators, we’re starting to see a dramatic increase in individuals committing fraud through people such as in romance scams, lottery scams, and inducing people to part with their money through social engineering schemes.
Thornton: One of the things I see is an issue with cyber and privacy coverage, and the gap with that and traditional crime coverage. So when you’re talking about different types of fraud and phishing, there are a lot of issues of, ‘Is that a cyber claim or a privacy claim?’ There are gaps between those policies and some carriers are better at it than others. We certainly see a lot of clients that are victims of phishing and they thought they had some coverage, but it turns out they didn’t.
Wilbur: In the commercial space, if a commercial customer is induced to wire money the liability model is very different [than it is for individual consumers]. That loss comes back to the company. The bank doesn’t eat that. A lot of times in the small business space they’re not aware of that. It’s a painful lesson to learn.
Q: How will Canada’s new Digital Privacy Act impact U.S. businesses?
Cameron: In June we had passage of major changes to our federal data protection law, PIPEDA, and this will have ramifications all across Canada. Previously, we had breach notification requirements only in Alberta and in the health sector in Ontario. Now we have passage of breach notification reporting and record-keeping rules for the whole country. This has had a dramatic effect on the work we’re doing with clients to operationalize these new requirements to ensure that organizations are detecting breaches, responding appropriately, escalating and ultimately meeting their notification obligations.
We will see the passage of regulations under the new government, which will specify what the content of notifications needs to include and what the content of the record-keeping requirement will include. That’s coming late this year or early next year, and that will bring those provisions into force. The notification obligation is triggered where there is a real risk of significant harm. So there is a threshold you need to meet. That’s a low threshold in the eyes of the commissioners. It sounds like it’s a high bar.
There will be a lot more notifications happening in Canada. Up until this point there were no notifications in those provinces.
Q: Let’s think about the next big trend we’re going to see, not just in data breaches and identity theft, but in the fraud spectrum, that will affect our privacy.
Thomas: We could talk about specific technologies, but I don’t think we take identity theft seriously enough. The trend is that that will continue. For example, Chapman University released a study this year, an annual survey of American fears, and what they found is that more people believe that houses are haunted than are scared of identity theft. People just don’t care at the end of the day until something impacts them or they have to address it. What’s coming for 2016 is more of the same. There are unique and more sophisticated technological things we have to worry about, but 90 percent of information security problems would go away if people stopped clicking on links in email.
Ashley Madison is one of the only breaches where violence was an outcome. A few people committed suicide over it. Husbands were leaving wives and wives were leaving husbands. There have been a lot of domestic issues. Previous to that, most breaches haven’t been about that. As more of these lifestyle-oriented organizations are targeted for a breach, going forward we’re going to see more physical violence as an outcome of a breach. Whoever is providing services in those areas is going to have to start thinking about suicide prevention and mental health counseling in a much more concerted way than we have in the past.
Q: How do you think consumers are reacting when it comes to fraud and data breaches? Do you think they’re shying away from companies and certain industries or certain types of transactions?
Thomas: I didn’t stop going to Target when my data got breached. I couldn’t stop going to Blue Cross Blue Shield. I had to continue going as a customer. In some cases, people don’t care. In others, like Ashley Madison, people realize very quickly that it has an impact. It depends on where it is that you’re buying your stuff. For example, I’m never going to stop buying stuff from Amazon. The benefit I get is too high.
Wilbur: The other opportunity you have with a customer that has that type of experience is that it can boost your customer retention. If you have a good program in place, handle the customer experience well, and put their needs first, you probably have an opportunity to turn a bad experience into a good one.