
As data breaches and cases of identity theft become increasingly prevalent, the business sector needs improved practices and technological tools to stay ahead of the threat, says Bill Morrow.
The Federal Trade Commission lists identity theft as the fastest-growing crime in the nation. Approximately 10 million Americans were victims of identity theft in 2008. Consumers and businesses alike are targeted by, and fall victim to, these crimes. On the business front, one of the top security trends over the next 10 years is the prevalence of data breaches.
Data breaches have now become unfortunate, daily occurrences and the numbers are staggering. Since 2005, Privacyrights.org reports 343,485,708 records containing sensitive personal information were exposed in security breaches.
According to the ID Theft Resource Center (ITRC), there were 498 data security breaches reported in 2009, resulting in 222,477,043 records exposed. Considering not all breaches are reported, it's estimated that these numbers are much greater. In 2009, the total number of records exposed was the highest of all time. ITRC's study of 2009 breaches concludes that the largest percentage of breaches were the result of lost laptops, accidental exposure and paper breaches, accounting for nearly 26 percent (an increase of 46 percent over 2008). Out of the 498 breaches, only six reported that they had either encryption or other strong security measures in place to protect exposed data.
The business sector increased to 41 percent of all the publicly reported breaches and has continuously increased over the past five years. Financial and medical industries maintain the lowest percentage of breaches perhaps due to stringent regulations, although they are still at risk, as they are the biggest targets.
The cost of data breaches has increased significantly year on year, costing businesses billions in losses; they suffer legal liabilities, loss of market share, brand equity and customers with increased churn. The average cost per breach in 2008 was $6.6 million, up from $4.8 million in 2006.
With 85 percent of businesses having experienced a breach, although most are not aware of it, it's a matter of when, not if, an organization will be breached. No company is immune, and many are unprepared and unaware of their existing, dormant data security risk gaps.
In an effort to protect consumers and provide deterrents and consequences for businesses responsible for handling sensitive personal information, Red Flag regulations were issued by a number of federal agencies. The Red Flag rules require a financial institution or creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts. Businesses that extend, renew or continue credit to consumers with 'covered accounts' must also comply. Covered accounts are those used for mostly personal, family or household purposes to make multiple payments or conduct transactions.
The Identity Theft Prevention Program must be appropriate to the size and complexity of the business and the nature and scope of its activities, and be updated periodically to reflect changes in risks to customers and the business. The program must be able to detect, prevent, and mitigate identity theft and enable a business to identify and respond to patterns, practices, and activities that are red flags signalling possible identity theft.
Finance and mortgage companies, banks and credit unions are among the businesses required to comply by June 1, 2010. Compliance with data privacy and security legislation appears to have a positive impact on organizations as those achieving a higher level of compliance reap a financial gain as measured by the reduction in costs associated with a data breach, according to the Ponemon Institute 2009 study Cost of a Data Breach. Businesses will continue to need improved practices and technological tools to detect fraud and decrease these losses - and stay ahead of the ever-evolving threat of identity theft.
Bill Morrow, a 20-year business innovator, is the Chairman and CEO of CSIdentity, the leader in Identity Theft Protection, Voice Biometrics, ID Verification, and Data Breach Management. He was appointed by the Governor of Texas to serve as Chairman and Board Member of the $220M Texas Emerging Technology Fund.