Wed, Jan 15, 2014

Data Breach Victims Need the Right Solution, Not the Convenient One

The concern about how data breach victims are impacted on an individual level is a valid one and, in recent days, has caught the attention of consumers everywhere. The massive breach that impacted Target, not to mention the intimation that there are more retailer announcements to come, has activated our collective consciousness concerning the safety of our personal information. The number of people who have been impacted is staggering, but overshadowing that is the concern about the type of personal information that has been exposed. In general, people are unclear on how to react, or what to do next to protect their identities.

Credit monitoring is the de facto solution offered by organizations to the impacted population. Public expectation and outcry have increasingly demanded credit monitoring – regardless of what was lost, or how. But the notion that this one solution is a panacea for all data breaches is misguided.

Consider the information that was exposed. According to Target, credit and debit card information, and more recently names, mailing addresses, email addresses, and phone numbers were compromised. Target has offered one year of credit monitoring services to address these risks. However, credit monitoring is not necessarily an effective tool for identifying unauthorized or fraudulent charges on existing credit or debit cards. The question is: How serious is Target about providing a consumer solution that will help alleviate potential harm related to the type of information that was exposed? According to their own FAQs, the offer was made because the trust of their guests is important. Instead, fostering a false sense of security may be the outcome.

I’m not saying that credit monitoring isn’t helpful – on the contrary, it is a useful consumer tool when it aligns with the type of data exposed. Individuals can use credit monitoring to keep watch on their credit reports and spot unfamiliar or suspicious credit report-related activity, including when a fraudster might use someone’s stolen identity to open a brand new credit card. But in the case of Target shoppers, it probably won’t offset the primary risk. Yes, there is a chance that the thieves may be able to socially engineer the information they have to commit other types of identity theft. But it makes sense to consider other services, like internet monitoring, to proactively watch for the information being traded online, before crimes like scamming, spamming, and identity theft can begin to occur.

There is an overlooked opportunity for organizations to have a powerful positive impact when mitigating the consumer risk caused by their data breach event. Offering a solution that actually addresses that primary risk and one that doesn’t expose consumers to unwanted solicitations is the right thing to do. Offering risk-specific services, like internet monitoring, is a trend that has been growing since organizations became required to notify nearly 12 years ago. Will it continue? It will be interesting to see how things unfold in an already challenging 2014.

By Jeremy Miller, former Director at Kroll's Identity Theft and Data Breach Notification Practice
