Wednesday, December 19, 2007

Are Security Breaches the Cause of Identity Theft?

Frequent news reports in 2007 of data security breaches have heightened the public's and business' concern over the risk of identity theft. The FTC estimates that 9 million Americans will have their identity stolen this year, so there is clearly cause for concern. But in what percentage of these reported incidents does an identity thief actually make use of the information that has been compromised? What if the thief was actually a member of the clan?

Most of the breach incidents reported concern lost or stolen laptops containing sensitive personal information, unencrypted backup data tapes, careless document disposal and destruction, and inadequate security procedures related to database and document protection. In fact, most of these breaches have not resulted in identity theft, as reported in recent testimony by the FTC. The greater risk of identity theft, says the FTC, arises in the case of deliberate criminal action, such as insiders who take a bribe to reveal sensitive personal information or to use it themselves. Companies would be well-advised to focus their attention on their internal security processes by restricting access to personal information of their customers, clients and employees, and adopting other measures to prevent insider abuse. According to some reports, one in three cases of identity theft are the work of employee insiders who have taken workplace records, in most cases of a customer or client.

Certain industries are more vulnerable to identity theft than others. The retail industry holds the highest number of incidents of employee theft, where by some estimates nearly 60% of workers steal personal information to commit identity theft. The financial services industry is second, with 22%. The reason for the difference between the two industries is likely due to the safeguards that are mandated by the Gramm-Leach-Bliley Act and government regulations.

Most of the thieves who have been apprehended did not have a prior criminal history, so that background checks would not provide a solution. The FTC recommends that companies take five security measures to help protect information from insider theft:

1) Take stock of what personal information is in company files and track where it goes within the company
2) Reduce wherever possible the personal data of customers and employees that is stored
3) Protect the information kept by the company by both physical and technological controls
4) Dispose of unneeded information using appropriate means
5) Plan ahead for responding to security incidents, closing off threats to personal information, and evaluating whom to notify in case of an incident.
FTC Guidance

No comments: