Data Security Threats Evolve: Are You and Your Business Evolving Too?

Cameron G. Shilling
Director, Litigation Department & Chair of Cybersecurity and Privacy Group
Published: Business NH Magazine
December 20, 2017

How much do you really worry anymore about a breach of your credit card? If your card is lost or your number is stolen, a thief might make a purchase or two before the fraud is detected and the card is deactivated. Retailers and banks absorb the charges. You should bear no financial loss, promptly receive a new card, and proceed happily in your life of credit.

Credit cards were a big concern in the era of data security 1.0.  Breaches like TJX, Home Depot, and Target made national headlines. Fortunately, the adoption of smart cards with chips and improvements in advanced fraud detection rendered those types of breaches less profitable, and therefore less prevalent.  So, cyber criminals evolved.
Data security 2.0 is the era of identity theft. Breaches topping the headlines now are Equifax, Yahoo!, and Anthem. Such thefts are designed to secure information useful for stealing identities. The commodities of identity theft are:
  • social security numbers
  • governmental identification, like driver’s license and passport numbers
  • usernames and passwords for online accounts
  • health insurance numbers, and medical, dental and counselling information
  • bank, investment, and other financial account numbers, PINs, and passwords
  • biometric and genetic information
  • location and global positioning data
  • consumer patterns and purchasing history
  • personal information, like residential and email addresses, phone and cellular numbers, dates and places of birth, and mother’s maiden name
Identity theft is more lucrative and lasting than credit card fraud. Unlike a card number, identity information is essentially permanent, and cannot be easily replaced. A robust fraudulent identity – particularly with a high credit score – can be used to perpetrate a variety of high-value crimes before the individual or a financial institution detects and stops them, such as obtaining a mortgage or line of credit secured by the individual’s property, incurring large uninsured medical bills, and rapidly obtaining and maxing out credit cards. Also, unlike credit card fraud, victims of identity theft often bear huge financial costs and invariably suffer damaged or destroyed credit.
Theft of a child’s identity is even more traumatic. Because credit bureaus do not release a child’s credit report until the individual is 18 years old, it can be impossible to determine if an identity is stolen while the individual is a child. In fact, by the time the individual turns 18, the fraudulent identity can be more robust than the real identity, and has typically been used for a life of juvenile crime. It is extraordinarily difficult, costly, and time consuming for the individual to prove that he or she is the real person, stop the thief from using the identity, and expunge the criminal, financial, and other deleterious history from public and private systems that retain such information.
Protecting Your Identity
Protecting yourself involves enhancing safeguards for the online accounts, electronic devices, and documents that contain your identity information.  Taking the following five steps will significantly reduce your risk of identity theft.
Clean Credit Report and Freeze Credit: Obtain a copy of your credit report from one of the three major bureaus: Experian, Equifax, and TransUnion. Terminate any account that is inactive and, of course, any that is fraudulent. Then implement a security freeze with each credit bureau. You will receive a PIN to use with each to temporarily unfreeze your credit (for example, if you apply for a new loan) or adjust the freeze.
Purchase Credit and Identity Insurance: Reputable credit and identity monitoring and theft insurance is available and affordable.  It ensures that you have a sophisticated security network monitoring the Internet to detect malicious activity, and provides you with credit and identity restoration insurance and support services if you become a victim of identity theft.
Secure Mobile Devices and Passwords: Laptops, cellphones, tablets, USB and external hard drives, and other mobile devices are treasure troves of identity information. They should be encrypted. Such technology is widely available, and often already installed and ready to be activated on the device. It is also imperative to use strong passwords, which are themselves protected, to access your devices and online accounts. Using a commercially available password manager is an excellent way to do so.
Monitor Financial Accounts and Report Fraud: Establishing account notifications and carefully reviewing your credit card, bank, investment, and other financial account statements monthly will enable you to detect and report fraudulent activity promptly.
Destroy Documents Properly: Documents you receive from banks, financial advisors, health care providers, insurers, etc. frequently contain account numbers and personal information. Cross-shred all such mail, documents, and historical files before you discard them.
Protecting Your Business
In the era of identity theft, all businesses – not just big companies, banks, and large retailers – are targets for cyber attack. In fact, small and medium size businesses – particularly professionals and service providers – face significant threats, because they often possess large amounts of sensitive identity information related to customers and employees, and commonly have inadequate security measures.
Protecting your business is more involved than protecting yourself. You need an experienced data security attorney to work in collaboration with the operations, finance, IT, and other leaders of your business. Becoming data secure is not just an IT function. It is a process of adopting and implementing business protocols and cultivating a culture of security throughout your business.
Comprehensive Risk Assessment: A comprehensive risk assessment involves preparing an inventory of all the business’ regulated and sensitive information. That information is mapped throughout its life cycle to discover security vulnerabilities with respect to building and physical structures, technology and IT networks, and administrative processes.  The risk assessment yields a report that lists and prioritizes the vulnerabilities and remediation for them.
Remediate Vulnerabilities and Adopt Security Enhancements: Using the report, the business researches and implements measures to remediate the vulnerabilities. Remediation often depends on the availability and affordability of such measures, and commonly takes from six to eighteen months for a business to complete.
Adopt a Written Data Security Policy: A data security policy is created from the information gathered during the risk assessment and the remedies implemented or anticipated.  Policies created without a risk assessment are guesswork, and do not comply with state or federal law or accepted practice.  No two data security policies are the same because no two businesses are the same, and there is no boilerplate policy.
Train Employees: Training your employees is an integral component of data security. Employees handle protected data on a daily basis, and therefore need to be taught about data security generally and the business’ specific policies.
Reassess Periodically: Data security is ever changing, and there is no finish line. Instilling a culture of security for your business necessarily means periodically reassessing and implementing improvements when appropriate.