ID Experts Launches New Data Breach Services

by Doug Pollack

Tomorrow at the International Association of Privacy Professionals (IAPP) conference in Washington, D.C., we will announce our new ID Experts Data Breach Services.

Developed to resolve the growing consumer dissatisfaction with current breach notification and response methods, these services include breach assessment, notification and communications, monitoring and identity theft recovery components. Tailored to meet the individual needs of the private sector and government agencies, ID Experts is delivering a comprehensive approach to responding to data breach events that alleviates legal liability, manages public perception, and protects and restores individuals’ identities from identity theft.


We have also released a preview of the results from a study that we recently commissioned with the Ponemon Institute, the leading privacy and information management research firm, to be released in April 2008 . The study delves into how consumer victims of corporate breach events are terminating their business relationships because of a lack of responsiveness.

“Our research shows that consumers are growing increasingly dissatisfied with the way they are being treated following a data breach,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “The manner in which breach notification communications are often conducted fails to appropriately convey what the consumer needs to make an informed decision about protecting their personal information and, as such, does not succeed in being the first step in helping to repair a breakdown in trust.”

You can download a pre-release copy of this Ponemon report at our website at www.idexpertscorp.com.

ID Safeguards now ID Experts(tm)

by Doug Pollack

ID Safeguards is changing its name. ID Safeguards will become ID Experts(tm). Founded in 2003 with a mission to protect Americans from identity theft, we have grown into a leader in identity theft protection. Today, we apply best practices to protect over three million Americans from this growing problem.

Our team of experts is passionate about helping victims of identity theft. We are one of the only companies in the industry that provide fully-managed recovery services, in other words we do all the work for victims of identity theft in order to restore them to pre-theft status. We are also trusted by some of our country's largest and most prominent companies to provide a full spectrum of data breach response services.

As our market and our services have evolved, we have found that the common thread across all aspects of our business is our people and the expertise they provide in addressing the problems associated with identity theft. For this reason, we feel that the name ID Experts expresses more clearly and appropriately who we are today.

So ID Safeguards is now ID Experts. But rest assured, we still provide the best in identity theft protection services for individuals and families, and we provide leading corporations and public sector organizations with the most complete and tailored data breach services.

Visit us on the web at www.idexpertscorp.com, and continue to visit our blog for the latest in news and advice on identity theft.

Is the U.S. Losing the Information War?

By Rick Kam

In a March 13, 2008 article in GovernmentExecutive.com by Gautham Nagesh titled "Feds losing war on information security, senators told",

"The federal government is losing the battle to keep its information systems secure, according to expert testimony at a Senate hearing on Wednesday."

Why?

Protecting information has become a significant challenge for all organizations large or small, in pubic or private industry. The amount of personal information any organization has on its customers and employees and the many ways they are stored; both in electronic and paper form, make protecting information from thieves a daunting task.

What are these organizations trying to protect?

There is value in information considered personal or health related. Your name, address, SSN, mother's maiden name, and yes, even the name of your favorite pet (if you use it as a password recovery keyword) has value to ID thieves who utilize it to access your bank accounts, set up new accounts using this information, or use you to mask their criminal past.

Think about the places you have your information stored in your home like files in your kitchen or home office, boxes in the garage, utility bills, and explanation of benefits statements posted on the refrigerator awaiting payment.

Now think about where you work, whether in health care, insurance, government agencies, car dealerships, accounting firms, etc. You may see a lot of this information accessible to anyone, including ID thieves. There in lies one of the biggest challenges. Protected information is easily available to anyone everywhere you look!

What do you do about it?

In your home, secure this information in a locked file cabinet and away from people who may see it and decide to use. At work, let your supervisor know that there is information that you think should be protected so the organization can secure it properly.

Is this a losing battle?

No. We can win the information war by each of us making an effort to do our part to protect our information and alert others when we see possible exposures. You can make a difference.

SEC Proposal to Amend Data Breach Regulations

by Doug Pollack

The Securities and Exchange Commission (SEC) is proposing amendments to the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA) that would create more specific requirements for safeguarding information and responding to information security breaches.

"Under the proposed amendments, if a covered institution determined that an unauthorized person had obtained access to or used sensitive personal information, and that misuse of the information had occurred or was reasonably possible, the institution also would be required to provide notification, in a clear and conspicuous manner, to each individual identified with the information."

The amendments are currently open for comment. If they go through in substantially their current form, the SEC will be requiring public companies to analyze each data breach for the risk of exposure of personal information, and then, if their determination is that the risk of unauthorized access is "reasonably possible", notify all individuals affected by the data breach.

Currently, there are no federal regulations that require notification of individuals affected by a corporate data breach. There are however numerous states that have notification laws with varying provisions.

It would be a very positive step for all of us if there are federal laws and regulations that would ensure that those affected by data breaches are notified on a timely basis and provided with useful, instructive information. All too often, individuals (millions of them each year) are notified of a data breach in such as way that it causes them great concern, but provides them with little help.

More on Experian vs. Lifelock

by Doug Pollack

There is a growing amount of legal commentary emerging in the discussion surrounding the Experian vs. LifeLock lawsuit. This week, Peter Bronson from The Union.com published an article titled "Business Law Bulletin: Experian vs. LifeLock Heats Up".

Relative to the false and misleading advertising issue, Mr. Bronson notes that:

"According to Experian's lawsuit, at least one Lifelock ad claims that the company's services make it virtually impossible for identity thieves to strike, but that fraud alerts are only effective against those particular types of fraud that require accessing a credit report. In other words, says Experian, Lifelock cannot protect against such forms of identity theft as an undocumented worker using someone's Social Security number to obtain a job; or against unauthorized use of a credit card."

It is interesting to see a credit bureau that advertises their credit monitoring services as a means to help deter identity theft relentlessly (who hasn't seen the FreeCreditReport.com ads on TV?) make the case for the inherent limitations in this area.

Mr. Bronson goes on to point out the ambiguities with LifeLock's famous $1 million guarantee:

"Lifelock does offer a $1 million guarantee that if a customer's identity is compromised, Lifelock will help restore the customer's credit standing and pay the cost of doing so. However, Lifelock's web site states that the guarantee comes into effect when a customer's identity is compromised "due to a failure or defect in our Service", a phrase that seems open to more than one interpretation. (If the service offers protection against only certain types of identity theft, does the guarantee only cover those specific types?)"

This is the first instance where I've seen someone dig into the specifics of this guarantee. The "service defect" provision certainly provides LifeLock with a get-out-of-jail-free card. Not to mention, given that it is the financial institutions who provide most of the financial fraud protection, how valuable really is a $1 million guarantee other than as a marketing gimic. I guess we'll all find out as this lawsuit unfolds.