Data Protection Requires Preventative Action

With each passing day, data protection becomes increasingly critical, for the more insight shoppers share online, the more they're at risk. Yet, while companies and consumers continuously work to safeguard this sensitive information, many still haven't adopted the best practice procedures necessary to prevent these attacks in the first place.
Data Privacy

With each passing day, data protection becomes increasingly critical, for the more insight shoppers share online, the more they're at risk. Yet, while companies and consumers continuously work to safeguard this sensitive information, many still haven't adopted the best practice procedures necessary to prevent these attacks in the first place.Data breaches are hardly new to the space, but more and more incidents have garnered media attention over the last few years because of their magnitude and the high profile brands affected. But, as Michael Bruemmer, vice president of consumer protection for Experian, explains it's hard to say how criminals choose their specific targets, as there are complex underground networks working to penetrate systems 24/7. "There could be a number of motivations, often being financial gain, so they could be seeking the largest inventory of credit numbers," he says. "Or, simply, they have gained access to a system and want to wreak havoc. However, as we have seen as of late, there are other reasons, too, such as those wanting to harm a company's reputation or foreign government espionage."

Consumers are familiar with the basic tips for personal data protection--change passwords often, shred financial documents before disposing, and review credit report regularly--but true knowledge comes with understanding how to stop fraud before it's ever detected.

Here, we speak with Bruemmer to examine recent data breach trends and how companies and consumers can protect themselves from future safety threats:

1to1 Media: What are some of the most recent data breach trends? What new scams may be on the horizon?

Michael Bruemmer: From a hack perspective, criminals are breaching organizations for reasons other than stealing personal identifiable information (PII) or credit card numbers. Some of the reasons could be that they want to embarrass the company or steal intellectual property. Also, the expanding number of access points to Protected Health Information (PHI) and other sensitive data via electronic medical records and the growing popularity of wearable technology make the healthcare industry a vulnerable and attractive target for cybercriminals. This has proven true with several large healthcare breaches this year already. I expect this number will continue to grow until the industry comes up with a stronger solution to improve its cybersecurity strategies.

Something evolving that could make an impact is the Internet of Things, which is spreading rapidly and offers a wide range of benefits for businesses looking to review data and optimize performance. More devices are being created with Wi-Fi capabilities and sensors that create the opportunity for everyday items to relay information over the Internet and communicate with each other. As more companies adopt interconnected systems and products, cyberattacks also will likely increase via data accessed from third-party vendors.

There are always new tactics criminals are using to penetrate systems and viruses, malware, and phishing scams popping up. Often, after a breach, there are scams via email in which it looks like it comes from the breached company or even imposters calling victims via phone and pretending to be a representative to try and retrieve personal information from the individual. If you are a victim of a breach, follow the directions in the notification letter and do not give out your personal information except to enroll in the offer of free identity theft protection product. The breached organization will never ask you for any information via phone or email.

1to1: How can companies detect, and ultimately prevent, potential data breaches? What signs should consumers remain aware of on their end?

MB: In order to detect an intrusion, companies need to make security a priority. If you wait until your security has been breached, you'll be playing catch-up from day one. Second, companies should identify the area of greatest risk for the business and consider what cybercriminals most likely to want to steal from you. If you're a retailer, that might be customer credit card numbers. If you're a service provider maintaining a high ratio of liquid funds in order to keep products stocked, they may target your bank account. Once you evaluate your situation, establishing achievable security objectives and actionable metrics can help you determine the effectiveness with which you are achieving your security program goals. Third, make sure everyone at the company gets educated about cybersecurity. This is a top to bottom companywide concern, so make sure management and all levels of employees understand the topic.

Consumers should always be vigilant about protecting themselves because they will never know if they will be the victim of a data breach. This means practicing good security habits, monitoring financial transactions regularly, and enrolling in an identity theft protection product that will provide ongoing monitoring of your credit report, among other features. While you can take several steps yourself, it is easy to forget or, simply, be too busy to monitor everywhere your information could be at risk. Getting assistance from a monitoring service is a good investment.

1to1: What measures should companies enact as they go about protecting their customers? What can consumers do to protect themselves?

MB: When a breach occurs, a company should make their customers their number one priority. The first key step is to notify them about the breach. They should issue a very clear and concise letter that details what happened, why it happened, and how consumers can protect themselves. The second key step is to offer identity theft protection. One study by the Ponemon Institute showed that 63 percent of consumers want this kind of remedy. In addition, among respondents that discontinued their relationship with a breached company, the top two ways that would have prevented them from discontinuing the relationship was a sincere apology and an offer of free identity protection and credit monitoring services.

In addition to the aforementioned tips, consumers have been suffering from "breach fatigue" with so many breaches occurring, but they should not let their guard down. When they receive a notification letter from a breached company, they should read the letter thoroughly and follow the instructions. If the consumer is offered free identity theft protection, they should absolutely enroll. There is a misconception that credit monitoring is not useful or beneficial for all breaches. For example, a breach may have exposed debit card numbers or email addresses and passwords. However, these services are still, in fact, critical to Americans being able to actively protect themselves from prolonged identity theft fraud. For most breaches, some, if not all, personal identifiable information gets exposed, such as a name that goes with the credit card number. Any exposed information can be used to try and then piece together your identity. Once a thief has key information, they can try to open new accounts, request a change of address, or to receive medical care that goes unpaid, which can then show up on a person's credit file. A monitoring product alerts the individual of activity in their credit profile so they can check their report to review if it is possibly fraudulent. If they believe it is suspect, they have the ease of contacting fraud resolution agents to assist them in resolving the issue.

While nothing provides 100 percent protection, there is value to identity protection services. Consumers deserve a clear understanding of the benefits, especially if they are offered a free product membership in the wake of a data breach. There is no harm in enrolling, only a benefit. And what is the alternative? Simply, try to catch fraud on your own, which is not much of a remedy.