"Financial Service Technology America, today's latest financial news now..."
Identity theft is fastest growing crime

CSIdentity | www.csidentity.com



The Federal Trade Commission lists identity theft as the fastest growing crime in the nation. Approximately 10 million Americans were victims of identity theft in 2008. Consumers and businesses alike are heavily targeted by, and become victims of, these crimes. On the business front, one of the top security trends over the next 10 years is the prevalence of data breaches.
Data breaches are now daily occurrences and the numbers are staggering. Since 2005, Privacyrights.org reports 344,605,708 records containing sensitive personal information were exposed in security breaches.

According to the ID Theft Resource Center (ITRC), there were 498 data security breaches reported in 2009, resulting in 222,477,043 records exposed. Considering most breaches are not reported, it's estimated that these numbers are even greater. In 2009, the total number of records exposed was the highest of all time. ITRC's study of 2009 breaches concludes that the largest percentage of breaches were the result of lost laptops / accidental exposure, and paper breaches accounted for nearly 26% (an increase of 46% over 2008). Out of the 498 breaches, only six reported that they had either encryption or other strong security measures in place to protect exposed data.

The business sector increased to 41% of all the publicly reported breaches and has continuously increased over the past five years. Financial and medical industries maintain the lowest percentage of breaches, perhaps due to stringent regulations, although they are the most heavily targeted by worldwide criminal enterprises.


The cost of data breaches has increased significantly year over year, costing businesses billions in losses; they suffer legal liabilities, loss of market share, brand equity and customers with increased churn. The Ponemon Institute 2009 Cost of a Data Breach study was released on January 25, 2010. The study was derived from a detailed analysis of 45 data breach cases from 15 different industries, with a range of 5,000 to 101,000 records affected. It reports the average cost per breach in 2009 was $6.75 million, compared to $6.65 million in 2008. The most expensive breach studied in 2009 cost $31 million to resolve, whereas the least expensive cost $750,000. The average cost per record breached was $204. Most companies experienced more than one breach incident. For those companies that experienced a breach for the first time, the cost per record breached was higher than the average, at $228 per record.

The study indicates that the main reason breach costs were so exorbitant was customer churn. The average churn rate was 3.7%; however, abnormal churn rates were experienced by communications, pharmaceutical healthcare (6% churn each) and financial service companies (5%).

With 85% of businesses having experienced a breach, it's a matter of when, not if, an organization will be breached. No companies are immune, and many are unprepared and unaware of their existing, dormant data security risk gaps. The cause of breaches can be grouped into three main categories: negligence, including human error such as a lost laptop (40%); system glitches, such as a third party sending out statements they shouldn't (36%); and malicious and criminal attacks (24%).

In an effort to protect consumers and provide deterrents and consequences for businesses responsible for handling sensitive personal information, Red Flag regulations were issued by a number of federal agencies. The Red Flag rules require a financial institution or creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program for combating identity theft in connection with new and existing accounts. Businesses that extend, renew or continue credit to consumers with "covered accounts" must also comply.

The Identity Theft Prevention Program must be appropriate to the size and complexity of the business and the nature and scope of its activities, and be updated periodically to reflect changes in risks to customers and the business. The program must be able to detect, prevent, and mitigate identity theft and enable a business to identify and respond to patterns, practices, and activities that are red flags signalling possible identity theft.

Finance and mortgage companies, banks and credit unions are among the businesses required to comply by June 1, 2010. Compliance with data privacy and security legislation appears to have a positive impact on organizations as those achieving a higher level of compliance reap a financial gain as measured by the reduction in costs associated with a data breach, according to the Ponemon study.

Businesses will continue to need improved practices and technological tools to detect fraud and decrease these losses - and stay ahead of the ever-evolving threat of identity theft. For 2010, Ponemon recommends that companies deploy a comprehensive initiative to help prevent breaches and reduce the associated costs. Components of such an initiative would include the development of a breach crisis management plan with assigned responsibilities, procedures, roles and timelines; encryption of portable data devices; better vetting of third parties who would access sensitive data; and the establishment of a company structure that allows for a Chief Information Security Officer or other security / privacy leaders to oversee breach detection and response.

Finally, to reduce customer churn, companies should clearly communicate the source and cause of the breach to its victims and minimize harm and damages by offering them free identity theft protection when the breach is caused by theft or criminal attacks. When in doubt, companies should seek the advice of consultants and their legal counsel to ensure compliance with state and federal laws.