
19 posts from October 2008

Landlords, Condo Boards, And Identity Theft

John Taylor writes a good blog about "Identity Theft and Business." Frankly, I need to spend more time reading his blog. Last month, John covered a topic I haven't yet written about: "Applications and Identity Theft."

John's post highlights some of the organizations that handle consumers' sensitive personal data. John quoted a New York Times article where consumers purchasing an apartment believed that carelessness by condo board members resulted in the release of sensitive personal data used by identity thieves. John's analysis:

"Smaller local databases are extremely vulnerable to theft and loss...What the prevailing wisdom tends to ignore are these thousands of lists and databases that already exist with our personal information. When someone is victimized by an identity thief in Eastern Europe who has bought his or her information for $25 in bulk and resold it to someone else who files a phony medical insurance claim, or a crack addict who sells it to someone with a criminal record who obtains employment using a stolen SSN, do you think they care which database was the source of the theft? The victim is stuck with the fallout that statistically takes from 3 to 5 years to clear up, and even then often resurfaces at a later time."

The bottom of John's post presents a graphic image with many of the databases that contain consumers' sensitive personal data.

My impression is that most consumers don't think about how well (or not) their landlord or condo association protects their sensitive personal data. I know that I didn't when I bought my first condo in Ohio in the 1980s. Today, my wife and I pay close attention to our current condo association.

John draws some excellent conclusions, with which I agree:

"The public is essentially unaware of what identity theft is, and business has almost no clue as to their legal and moral obligation to protect and properly store and dispose of sensitive personal information... Only through public awareness can the crimes of identity theft be squelched... We are all responsible for each other’s data. Creating better habits of safekeeping it will establish the “culture of security” we all seek."

Introducing The Age of Conversation 2008. Buy Yours Today!

I am pleased to announce that the 2008 edition of "The Age of Conversation" book is available for purchase. 100 bloggers contributed to the 2007 edition. 237 marketing, technology, and creative bloggers from 15 countries contributed essays to this year's edition titled, "The Age of Conversation: Why Don't They Get It?". You can buy the book online. All proceeds benefit the Variety Children's Charity.

In addition to nearly tripling the number of authors, the book has eight topics:

  1. Age of Conversation Manifestos
  2. Keeping Secrets in the Age of Conversation
  3. Moving from Conversation to Action
  4. The Accidental Marketer
  5. A New Brand of Creative
  6. My Marketing Tragedy
  7. Business Model Evolution
  8. Life in the Conversation Lane

I'm excited to be one of the contributors to the 2008 edition, which many consider one of the coolest social media events of the year. I have worked with a couple of the contributors, including Lori Magno of "Moda di Magno" and Ryan Barrett of "Cheap Thrills." I'd like to introduce you to the 237 contributors:

The Age Of Conversation 2008 Adrian Ho, Aki Spicer, Alex Henault, Amy Jussel, Andrew Odom, Andy Nulman, Andy Sernovitz, Andy Whitlock, Angela Maiers, Ann Handley, Anna Farmery, Armando Alves, Arun Rajagopal, Asi Sharabi, Becky Carroll, Becky McCray, Bernie Scheffler, Bill Gammell, Bob LeDrew, Brad Shorr, Brandon Murphy, Branislav Peric, Brent Dixon, Brett Macfarlane, Brian Reich, C.C. Chapman, Cam Beck, Casper Willer, Cathleen Rittereiser, Cathryn Hrudicka, Cedric Giorgi, Charles Sipe, Chris Kieff, Chris Cree, Chris Wilson, Christina Kerley, C.B. Whittemore, Chris Brown, Connie Bensen, Connie Reece, Corentin Monot, Craig Wilson, Daniel Honigman, Dan Schawbel, Dan Sitter, Daria Radota Rasmussen, Darren Herman, Dave Davison, David Armano, David Berkowitz, David Koopmans, David Meerman Scott, David Petherick, David Reich, David Weinfeld, David Zinger, Deanna Gernert, Deborah Brown, Dennis Price, Derrick Kwa, Dino Demopoulos, Doug Haslam, Doug Meacham, Doug Mitchell, Douglas Hanna, Douglas Karr, Drew McLellan, Duane Brown, Dustin Jacobsen, Dylan Viner, Ed Brenegar, Ed Cotton, Efrain Mendicuti, Ellen Weber, Eric Peterson, Eric Nehrlich, Ernie Mosteller, Faris Yakob, Fernanda Romano, Francis Anderson, G. Kofi Annan, Gareth Kay, Gary Cohen, Gaurav Mishra, Gavin Heaton, Geert Desager, George Jenkins, G.L. Hoffman, Gianandrea Facchini, Gordon Whitehead, Greg Verdino, Gretel Going & Kathryn Fleming, Hillel Cooperman, Hugh Weber, J. Erik Potter, James G. 
Lindberg, James Gordon-Macintosh, Jamey Shiels, Jasmin Tragas, Jason Oke, Jay Ehret, Jeanne Dininni, Jeff De Cagna, Jeff Gwynne & Todd Cabral, Jeff Noble, Jeff Wallace, Jennifer Warwick, Jenny Meade, Jeremy Fuksa, Jeremy Heilpern, Jeroen Verkroost, Jessica Hagy, Joanna Young, Joe Pulizzi, John Herrington, John Moore, John Rosen, John Todor, Jon Burg, Jon Swanson, Jonathan Trenn, Jordan Behan, Julie Fleischer, Justin Foster, Karl Turley, Kate Trgovac, Katie Chatfield, Katie Konrath, Kenny Lauer, Keri Willenborg, Kevin Jessop, Kristin Gorski, Lewis Green, Lois Kelly, Lori Magno, Louise Manning, Luc Debaisieux, Mario Vellandi, Mark Blair, Mark Earls, Mark Goren, Mark Hancock, Mark Lewis, Mark McGuinness, Matt Dickman, Matt J. McDonald, Matt Moore, Michael Karnjanaprakorn, Michelle Lamar, Mike Arauz, Mike McAllen, Mike Sansone, Mitch Joel, Neil Perkin, Nettie Hartsock, Nick Rice, Oleksandr Skorokhod, Ozgur Alaz, Paul Chaney, Paul Hebert, Paul Isakson, Paul McEnany, Paul Tedesco, Paul Williams, Pet Campbell, Pete Deutschman, Peter Corbett, Phil Gerbyshak, Phil Lewis, Phil Soden, Piet Wulleman, Rachel Steiner, Sreeraj Menon, Reginald Adkins, Richard Huntington, Rishi Desai, Robert Hruzek, Roberta Rosenberg, Robyn McMaster, Roger von Oech, Rohit Bhargava, Ron Shevlin, Ryan Barrett, Ryan Karpeles, Ryan Rasmussen, Sam Huleatt, Sandy Renshaw, Scott Goodson, Scott Monty, Scott Townsend, Scott White, Sean Howard, Sean Scott, Seni Thomas, Seth Gaffney, Shama Hyder, Sheila Scarborough, Sheryl Steadman, Simon Payn, Sonia Simone, Spike Jones, Stanley Johnson, Stephen Collins, Stephen Landau, Stephen Smith, Steve Bannister, Steve Hardy, Steve Portigal, Steve Roesler, Steven Verbruggen, Steve Woodruff, Sue Edworthy, Susan Bird, Susan Gunelius, Susan Heywood, Tammy Lenski, Terrell Meek, Thomas Clifford, Thomas Knoll, Tim Brunelle, Tim Connor, Tim Jackson, Tim Mannveille, Tim Tyler, Timothy Johnson, Tinu Abayomi-Paul, Toby Bloomberg, Todd Andrlik, Troy Rutter, Troy Worman, Uwe Hook, 
Valeria Maltoni, Vandana Ahuja, Vanessa DiMauro, Veronique Rabuteau, Wayne Buckhanan, William Azaroff, Yves Van Landeghem

You can also browse clippings and author interviews on our Facebook page, or follow us on Twitter. What did I write about in my essay? To find out, you'll have to buy a copy (paperback, hardcover, or online). I think that you'll enjoy the book and the unique perspectives presented.

[Editor's note: The fund-raising goal is $15,000 for the Variety charity. Also, I encourage everyone to read this review by Media Post.]

New 'Red Flag' Rules Require Creditors To Improve Identity Theft Programs

The Fair and Accurate Credit Transactions Act of 2003 required the U.S. Federal Trade Commission to develop new rules about identity theft for financial institutions and companies that handle consumer financial accounts:

"The final rules require each financial institution and creditor that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft, to develop and implement an Identity Theft Prevention Program (Program) for combating identity theft in connection with new and existing accounts. The Program must include reasonable policies and procedures for detecting, preventing, and mitigating identity theft and enable a financial institution or creditor to:"

"Identify relevant patterns, practices, and specific forms of activity that are “red flags” signaling possible identity theft and incorporate those red flags into the Program;"

"Detect red flags that have been incorporated into the Program;"

"Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and"

"Ensure the Program is updated periodically to reflect changes in risks from identity theft."

In his Identity Theft and Business blog, John Taylor emphasized the types of companies that must comply with the new "red flag" rules:

"Every covered business, non-profit, municipality, county, financial institution, auto dealership, mortgage brokerage, utility company, insurance agency, medical office, or any organization that accepts regular payment accounts for services or goods..."

John also described well the consequences of non-compliance:

"From this point forward not having such a plan in place could possibly result in individual lawsuits, class actions, fines, audits, and possibly federal and state prosecution of all officers if any personally identifiable information (PII), is found to have been lost or stolen from the organization."

Affected companies were to have their programs in place and ready by November 1, 2008. Last week, the FTC announced that the deadline for compliance was delayed six months to May 1, 2009. In its news release, the FTC listed the following reasons for the delayed deadline:

"The Commission staff launched outreach efforts last year to explain the Rule to the many different types of entities that are covered by the Rule. The agency published a general alert on what the Rule requires, and, in particular, an explanation of what types of entities are covered by the Rule. During the course of these efforts, Commission staff learned that some industries and entities within the FTC’s jurisdiction were uncertain about their coverage under the Rule. These entities indicated that they were not aware that they were engaged in activities that would cause them to fall under the FACT Act’s definition of creditor or financial institution. Many entities also noted that, because they generally are not required to comply with FTC rules in other contexts, they had not followed or even been aware of the rulemaking, and therefore learned of the Rule’s requirements too late to be able to come into compliance by November 1, 2008. The Commission’s delay of enforcement will enable these entities sufficient time to establish and implement appropriate identity theft prevention programs, in compliance with the Rule."

Identity Theft Prevention Events at College And University Campuses

Any review will discover that the nationwide statistics for data breaches include colleges and universities. Colleges and universities archive sensitive data about a wide range of consumers: students, applicants, alumni, parents, faculty, and employees.

Unlike corporations, most colleges and universities are transparent with their breach notices and disclose the number of records stolen or lost. Some of the larger data breaches* among higher education:

  • Boston College: March 2005: computer system hacked: 120,000 records
  • Tufts University: April 2005: computer system hacked: 106,000 records
  • University of Utah: August 2005: computer system hacked: 100,000 records
  • University of Texas McCombs School of Business: April 2006: computer system hacked: 197,000 records
  • Ohio University: April 2006: computer system hacked: 300,000 records
  • Western Illinois University: June 2006: computer system hacked: 180,000 records
  • University of California at Los Angeles: December 2006: computer system hacked: 800,000 records
  • University of Miami (Florida): April 2008: stolen computer tapes: 2.1 million records
  • University of Utah Hospitals and Clinics: June 2008: stolen billing records: 2.2 million records

I was pleased to read that several colleges and universities are conducting identity-theft awareness and prevention events for students, faculty, and staff:

  • "Protecting Yourself Against Identity Theft Lunch and Learn" on October 28, 2008 at the University of Baltimore to provide, "steps one can take to minimize the risk of identity theft. This training will highlight precautionary measures in addition to key facts and protection essentials."
  • Miami University (Ohio) will conduct several events during October 28 - 30, 2008. Topics include "Computer Break-ins: From Beginning to Prosecution," "Security Awareness: Payment Cards," "Music and Video Downloads: Avoiding Legal Trouble," and more.
  • On November 7, 2008 the University of Illinois will conduct a "Personal Privacy: Protecting Your Identity" session on identity theft
  • Texas Tech University and the University of the Pacific both provide scam warnings, prevention, and recovery resources for their communities to protect against ID-theft

If you are a parent, it's a good idea to encourage your son or daughter to attend any identity-theft training sessions at their school. If you are a student or faculty member, it's in your own best interest to attend events at your school. If your college or university doesn't provide identity-theft prevention training, ask them why they don't and when they will.

*Source: Chronology of Data Breaches, Privacy Rights Clearinghouse

F.B.I. Task Force Prosecutes Post-Hurricane Katrina Identity Thieves

I like to acknowledge the work of law enforcement to pursue, prosecute, and sentence identity thieves and scam perpetrators. Last week, the U.S. Federal Bureau of Investigation (F.B.I.) announced:

"The Hurricane Katrina Fraud Task Force has brought federal charges against 907 individuals in 43 federal judicial districts across the country since Hurricane Katrina made landfall in southern Louisiana in August 2005..."

The Department of Justice established the Hurricane Katrina Fraud Task Force after the devastation of Hurricane Katrina in September 2005. The Task Force is responsible for:

"... deterring, detecting, and prosecuting individuals who try to take advantage of the disasters related to Hurricanes Katrina, Rita, Wilma, Gustav, and Ike, as well as other natural disasters. The Task Force tracks referrals of potential cases and complaints, coordinates with law enforcement agencies to initiate investigations, and works with the appropriate U.S. Attorneys’ Offices to ensure timely and effective prosecution of disaster-related fraud cases."

It is sad that a task force is needed to combat this criminal activity. You can read the F.B.I. press release for details about specific cases where identity thieves were prosecuted and jailed. The F.B.I. advises consumers to report fraud, waste, abuse or allegations of mismanagement involving disaster relief operations to the Disaster Fraud Hotline at 866-720-5721, the Disaster Fraud Fax at 225-334-4707 or the Disaster Fraud e-mail at [email protected].

FTC Fraud Forum

The U.S. Federal Trade Commission will host a free two-day "Fraud Forum" seminar February 25 and 26, 2009, in Washington, DC. The seminar will examine how the FTC can more effectively protect consumers from scams and fraud. The event is open to the public and will cover the following topics for law enforcement, consumer advocates, business representatives and representatives from higher education:

  • "The extent of fraud in the economy and what survey research indicates about fraud victimization rates;"
  • "The drivers – economic, sociological, and psychological – that create and sustain fraudulent actors; how new fraudulent actors learn the tools of the trade, and how they target victims;"
  • "Whether some segments of the population are at greater risk of being targeted by fraudulent actors; whether victim surveys adequately identify the magnitude and types of fraud launched against all segments of the population; what techniques law enforcement has employed to reach these segments of the population; and"
  • "Which best practices in private industries, such as banking, telecommunications, and online commerce, are best suited to identify fraud and prevent their services from being used by fraudulent actors; which systems adequately track potentially fraudulent activity and whether opportunities exist to use new or improved self-regulatory efforts to combat fraud."

The FTC seeks panelists for this event. Interested parties should contact the FTC online to submit their request to be a panelist. The deadline for requests is November 14, 2008.

7 Blunders Consumers Make That Invite Identity Theft

Consumer Reports has published a really good article about the seven mistakes consumers make that invite identity theft:

  • Assuming the anti-virus software on your home computer is active and current, when it isn't
  • Clicking on a link in an e-mail message to access your bank or financial accounts
  • Using the same ID and password for all of your online accounts and web sites you visit
  • Assuming that you are automatically protected because your home computer is an Apple or Macintosh

To read the complete list of 7 common mistakes, visit the Consumer Reports web site. Frequent readers of I've Been Mugged are aware of these common blunders, and keep their home computer's anti-virus software active and current. To learn about more protection tips and advice, click on the "Advice/Tips/Solutions" link in the tag cloud in the right column.

National Protect Your Identity Week: October 19th to 25th

Tomorrow (Sunday) is the start of the national Protect Your Identity Week (PYIW). The National Foundation for Credit Counseling (NFCC) has started a campaign to provide help and guidelines for identity theft awareness and prevention. The NFCC also developed a web site for consumers:

At the site, consumers can browse a map to find nearby PYIW events, test their knowledge with the ID-Theft Quiz, or browse the site section with tips and advice. If you are an identity-theft victim, the site has a section with helpful solutions.

The NFCC includes over 100 member agencies that offer credit counseling to consumers. Given the recent disruptions within the financial, banking, and mortgage sectors of the economy, it is important for consumers to make informed decisions about managing their finances. NFCC member agencies can be identified by the NFCC member seal. According to the NFCC web site:

"Each year, more than one million people receive counseling and educational services from NFCC member agencies. More than one-third of all consumers who come to an NFCC agency for counseling are able to manage their debt on their own after receiving financial education and counseling."

NFCC member agencies provide counseling and education about how to create and manage a household budget, how to manage your debt, financial literacy courses, and counseling about how to manage your housing costs and foreclosure. MSN Money, the 2008 PYIW National Media Sponsor, will host a community message board on Tuesday, October 21 where consumers can post their questions about identity theft and have them answered by an NFCC Member Agency Certified Credit Counselor.

California Governor Vetoes Another ID-Theft Bill

Last week, the ComputerWorld Security blog reported:

"For the second time in 12 months, California Gov. Arnold Schwarzenegger last week vetoed legislation that would have required retailers and other businesses operating in the state to take a series of steps to protect credit and debit card data. The Consumer Data Protection Act, or AB 1656, would also have required retailers to disclose more details about data breaches to the people affected by them."

Both the California State Assembly and the state's Senate had already approved the new legislation. The Governor cited as his veto reason a desire not to create laws "where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers."

In my opinion, the governor's veto flies in the face of many ID-theft facts. 2008 hasn't been a good year regarding data breaches. Companies continue to suffer data breaches where millions of consumer records are lost or stolen. The California legislature recognized the need for more consumer protections by passing the RFID Skimming law earlier this year.

I've written repeatedly in this blog about the need for stronger penalties for corporate executives and their companies that don't adequately protect the sensitive personal data their companies collect. The governor seems more interested in assisting small businesses, rather than helping consumers -- who are often customers of those small businesses. It's possible to help both.

Should States Mandate A Minimum Period of Credit Assistance For Data-Breach Victims?

In a prior post about the Bank of New York Mellon's latest offer to its data breach victims, a commenter asked:

"Couldn't individual states require more than 2 years and perhaps 10 years credit assistance?"

At first glance, a state law requiring a minimum period of credit assistance for data-breach victims sounds like a great idea. A minimum period of 10 or 15 years of free credit monitoring would be fabulous since companies archive massive amounts of consumers' data, and companies' data breaches create a lengthy risk period for consumers. However, I'm not so sure such a law will work.

First, not all states have data breach notification and Security Freeze laws. About 43 states have laws requiring companies to notify consumers after a data breach. (See the interactive map in the CSO article.) Of these, most lack civil or criminal penalties for a failure to promptly notify consumers.

After the millions of exposed consumer records and hundreds of data breaches, you'd think that every state legislature already would have mandated data breach notification and Security Freeze laws. You'd think that the laws would include civil and criminal penalties for a company's failure to notify consumers.


Second, there is no clear single definition of what would or should be in a credit assistance offer. I learned from my experience with IBM's post-data-breach offer of credit assistance that IBM narrowly defined it as credit restoration and not credit monitoring. The issue of what should be in a credit assistance offer was also the focus of a September 2007 American Banker news article I was interviewed for.

Companies know that a minority (perhaps 30%) of their data-breach victims accept the company's offer of free credit monitoring. Why? Some consumers don't need it, and some consumers already have a credit monitoring service in place.

An even smaller percentage of data-breach victims also need credit restoration to fix damaged credit and/or financial accounts opened by identity thieves. So, any state laws mandating a minimum period of free credit monitoring must also define the features and components of a credit monitoring service. Otherwise, to minimize their post-data-breach costs, companies will likely:

  • Pick the weakest credit monitoring service or the one with the fewest features,
  • Offer credit restoration instead of credit monitoring, knowing that an even smaller percentage of data-breach victims will use that,
  • Lower insurance amounts,
  • Insert in the offer stricter rules requiring customers to prove their data breach was the cause before reimbursement of expenses, or
  • All of the above

So far, state legislatures seem unwilling to mandate periods of free credit monitoring. Heck, there doesn't seem to be any consistency on what credit bureaus should be covered. For example, the Innovis credit bureau is rarely, if ever, mentioned in corporate data breach notifications. And, current state data breach laws don't cover C.L.U.E. insurance reports. Consumers need to monitor all of these reports in order to adequately protect their identity information.

I encourage consumers to write to their elected officials and tell them they want their state's identity theft and data breach notification laws to mandate a minimum period of credit assistance after a company's data breach. What do you think? Should states mandate a minimum period of credit monitoring assistance? Share your opinions below.

Mugged By Wall Street And The Banks

Like everyone else, I watched the news last week as the stock market tumbled and drained a chunk from my -- and everyone else's -- investments and retirement savings. While watching the free fall, I definitely felt mugged by Wall Street and the investment banks.

So, this past weekend I surfed the Internet to better understand the causes of this financial disaster. A wise person once said that those who ignore history are destined to repeat it. I found this video:

Crisis explainer: Uncorking CDOs from Marketplace on Vimeo.

This is one of the best explanations I've seen -- in clear visuals and plain English. After watching this video, there seem to be three culprits:

A) People who defaulted on their mortgages
B) Investment bankers who repackaged poor securities and sold them off as good (e.g., AAA)
C) The investment ratings companies didn't do their jobs, and let executives in "B" get away with rating poor investments as good

Given the above scenario and besides heavy fines, the executives in B and C should go straight to jail -- in my opinion. A fiduciary relationship was abused.

Doctor Phil: Financial 911

Last week, the Dr. Phil television show broadcast a show to help consumers manage stress, manage their household finances, and deal with the financial, credit, and mortgage crisis affecting the country. According to the Dr. Phil web site:

"Has the current financial crisis left you frightened and confused? Do you know where your money is and if it is safe? Along with top financial experts, Dr. Phil gives advice on protecting your assets and weathering a major money storm!"

I watched part of this show on Thursday evening October 9th, and found it informative. The show included three experts who answered common financial questions:

  • Ben Stein, economist and author of How to Ruin the United States of America,
  • Amelia Warren Tyagi, personal finance expert and author of All Your Worth, and
  • Jim Cramer via satellite from his Mad Money cable TV show

Some of the questions answered during the show:

  • How will the economic crisis affect me when I don’t even deal with Wall Street?
  • How bad will it get? What’s next?
  • What should me and my family do now before it's too late?
  • If I have credit card debt, what should I do now?
  • If the crisis and credit freeze continues, am I likely to lose my job? What then?
  • Do I need to plan on working way past 65 in order to survive?
  • If times get tough, which bills should I pay first and why?
  • I am scared. How do I cope with the financial stress and fear?

In my opinion, a key message from the experts was for consumers to pay off any credit card debt as soon as possible. Experts expect banks and credit card issuers to tighten access to credit cards, by using higher interest rates, lower card limits, and more. At the Dr. Phil web site, you can purchase a DVD or transcript of the show.

Some related I've Been Mugged posts:

  1. What Causes Credit Card Issuers To Raise Interest Rates
  2. Suze Orman And the FDIC Partner To Help Consumers With Determining Bank Account Insurance Status
  3. Emerging Identity Fraud Scam: Credit Card Shaving
  4. 5 Sneaky Ways To Ruin Your Credit Score

New California Law Prohibits RFID Skimming

The State of California often takes the lead in identity theft legislation that benefits consumers. In 2003, it was the first state to require companies to notify consumers of data breaches. Last week, the California legislature voted to ban RFID skimming. According to the InformationWeek Mobility blog:

"The problem is real," said State Sen. Joe Simitian, a Palo Alto Democrat who introduced the legislation. "Millions of Californians use RFID cards to gain access to their office, apartment, condo, day care center or parking garage. Our passports now use the technology, and there is continued discussion about the possible use of RFID in drivers' licenses. Yet, up till now, there's been no law on the books to prevent anyone from skimming your information, and it's surprisingly easy to do." Simitian conducted an experiment in which his access card for the State Capitol was skimmed and cloned by a hacker in a second.

You wouldn't let a stranger go through your purse or wallet, right? RFID skimming of the credit cards and badges in your purse (or wallet) is the same thing. I've written previously about the threat of RFID skimming and reviewed one anti-skimming product I use to protect my RFID cards and badges.

Earlier this year, the State of Washington legislature passed an RFID Anti-skimming law. I wish that my home state, Massachusetts, was as proactive as California and Washington. I encourage you to write to your elected state representatives and demand an RFID skimming law for your state.

Stronger Federal ID-Theft Law: the Identity Theft Enforcement and Restitution Act of 2008

While we were focused on the Vice Presidential debate, Governor Palin, and the financial crisis in Washington, last week President Bush signed into law the Identity Theft Enforcement and Restitution Act of 2008. The new law makes it easier for prosecutors to take action against online identity thieves. The Washington Post reported:

Under current federal cybercrime laws, prosecutors must show that the illegal activity caused at least $5,000 in damages before they can bring charges for unauthorized access to a computer. The new law eliminates that requirement. The law makes it a felony, during any one-year period, to damage 10 or more protected computers used by or for the federal government or a financial institution, and directs the U.S. Sentencing Commission to review its guidelines and consider increasing the penalties for those convicted of identity theft, computer fraud, illegal wiretapping or breaking into computer systems.

The legislation was authored by Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.). The new law also has some new benefits for identity-theft victims - compensation by identity thieves:

"The law requires that in cases where convicted identity thieves are ordered to pay restitution, the victim should get a chunk of that money 'equal to the value of the time reasonably spent by the victim in an attempt to remediate the intended or actual harm incurred by the victim from the offense.' "

All of this is good news, but Congress needs to do more. Two good next steps would be, a) stronger penalties including jail time for corporate executives who fail to implement strong data security measures in their companies, and b) Federal anti-skimming legislation with strong penalties and prosecution of identity thieves who clone consumers' RFID charge cards and badges.

Verizon Business Risk Analysis Reports That Data Breach Sources And Risks Vary By Industry

In a follow-up to its June 2008 report, Verizon Business Risk Services performed an analysis of corporate data breaches across several industries. The 2008 Data Breach Investigations Supplemental Report found that some industries are more vulnerable to specific types of threats than other industries. The analysis included data breaches in the finance, food, retail, and technology industries, and identified three types of sources of data breaches:

"External: Intuitively, external threats originate from sources outside the organization. Examples include hackers, organized crime groups, and government entities but also environmental events such as typhoons and earthquakes."

"Internal: Internal threat sources are those originating from within the organization. This encompasses human assets—company executives, employees, and interns—as well as other assets such as physical facilities and information systems."

"Partner—Partners include any third party sharing a business relationship with the organization. This value chain of partners, vendors, suppliers, contractors, and customers is known as the extended enterprise."

In some instances, the data breach was caused by multiple sources, which means that there probably were individuals conspiring from both inside and outside the company. Overall, the analysis found:

"The predominant pattern to note here is that each industry exhibits the same pattern or order (external sources being highest, followed by partner sources, then internal ones) except Tech Services, in which insider breaches were more common than those involving partners."

The industry-specific findings included:

"Tech Services are often in the role of “the partner” to the other industries, providing management, hosting, and other services. It stands to reason that organizations in this industry likely employ a high percentage of tech-savvy staff and grant them high levels of access to numerous systems. Unfortunately, some find that access to sensitive and valuable resources is a temptation too hard to resist. Facing similar temptations, insiders in the Financial Services industry were behind a large proportion of breaches as well."

Findings about data breaches in the Food and Beverage industries:

"... a very different yet striking series of statistics. Insider breaches fall well below other industries, while the percentage for partners is extremely high—nearly equaling that of external sources. At first, this may seem counterintuitive as staff within this industry constantly handle money, checks, and credit cards... The large percentage of partner breaches in the Food and Beverage industry is mostly due to the scenario in which an external attacker compromises a partner and then uses trusted systems and connections as a privileged platform to attack the victim. For Food and Beverage establishments, this is often a vendor supporting the point-of-sale (POS) system using default or shared credentials among many clients."

When analyzing data breaches caused by Internal sources, the analysis found:

"Only in Financial Services are end-users responsible for more breaches than IT administrators. Based on our investigative experience, we associate this with the greater access non-IT employees have to sensitive resources... We also note that Financial Services is the only group with breaches tied to agent/spy activity... IT administrators are behind the vast majority of breaches in the Tech Services industry. This is clearly a function of the services provided by these firms, which often involve a significant IT support, management, or hosting element. The ratio of admins to end-users is more evenly distributed among retail companies. Interestingly, a fair number of investigations pointed to a retail executive as the responsible party."

The types of data hacked and stolen indicated that the attacks are financially motivated. Across all data breaches, the types of data stolen included:

  • Payment card data (e.g., credit cards): 84%
  • Personally identifiable information (e.g., social security numbers): 32%
  • Non-sensitive data: 16%
  • Authentication credentials (e.g., passwords & log-in data): 15%
  • Other sensitive data: 10%
  • Intellectual property: 8%
  • Corporate financial data: 5%

Percentages total more than 100% since some attacks included multiple types of data.

A data breach analysis like this is very helpful and instructive, even though it did not mention offshore outsourcing, which is definitely a Partner source. It outlines next steps corporate executives should take to better protect the sensitive personal data their companies archive about consumers. Obviously, data security methods must vary by industry to accommodate the varying sources by industry. A one-size-fits-all data security solution would be inappropriate.

If there is a "to-do" item in this for consumers, it is to be aware of, and inquire about, the data security methods used by the companies you do business with. If the company doesn't have any or provides an answer you feel is dubious, shop elsewhere or use cash. In my opinion, the analysis implies that consumers should spend more time and effort reading and evaluating the Privacy Policies and Terms & Conditions Policies that companies publish on their web sites and in printed materials. These policies provide clues about how serious a company is about protecting your sensitive personal data.

To read more, download the Verizon Business Risk report (PDF - 1,049 KB).

Editor's Picks: Must-Read Posts About Identity Theft

Everyone's time is precious. If you are new to identity theft and could only read a few blog posts, listed below are the suggested entries:

15. Mistaken for a car thief, ID-Theft Victim Jailed

14. FTC Seeks Consumers' Comments On Proposed System To Develop Credit-Based Homeowner Insurance Rates

13. Is it wise for credit bureaus to outsource to foreign call centers? (part 1 of a series)

12. What is the personal data you should protect?

11. The data companies keep, and should protect vigorously

10. Treat consumers' personal data like "nuclear fuel"

9. Class Action Lawsuit Filed Against Facebook And Its Affiliates

8. Consumers think their computers are protected when they really aren't

7. What does your C.L.U.E. insurance report say about you?

6. Which is better: debit cards or credit cards?

5. Freezing your credit report is not a cure-all

4. Fraud Alert or Credit Freeze: what's the difference?

3. Credit Monitoring vs. Credit Restoration: What's The Difference?

2. How to find a job while safeguarding your personal data

And the number one blog post I suggest that everyone read:

1. ISPs Begin to Spy and Abuse Consumer Privacy

Massachusetts Regulators Adopt Tougher Identity Theft Rules

Last week, the Boston Globe newspaper reported:

"The regulations, issued by the Massachusetts Office of Consumer Affairs and Business Regulation, require companies that handle personal information such as credit card accounts and Social Security numbers to encrypt data stored on laptops, monitor employee access to data, and take other steps to protect customer information, beginning Jan. 1. Governor Deval Patrick also signed an executive order requiring state agencies to take similar measures."

After the TJX Companies / TJ Maxx data breach, Governor Patrick signed new legislation in 2007 for Massachusetts residents that requires companies to notify consumers of data breaches, sets new data protection and disposal rules for companies and state agencies, and establishes new Security Freeze laws to help consumers. Back in August 2008, the I've Been Mugged blog reported the continual data breach problems nationwide. In June, we discussed the poor state of data security by companies. It's good to see the Boston Globe also summarize the continual problem of data breaches:

"Since then, companies have reported nearly 320 security breaches to the state, affecting more than 625,000 residents. Many involved stolen laptops and hard drives. In three of four cases, the data were not encrypted or protected by a password."

While the new, stronger rules are a step in the right direction, Massachusetts legislators need to do more. Consumers need Anti-Skimming laws for protection against RFID identity theft. The State of Massachusetts should also publish copies of the data breach notifications it receives, so consumers have convenient access to these documents. Online access to these documents has many benefits, including helping consumers verify that data breach notification letters are authentic and not spam.