Data Breaches

The red flags are coming … and soon! No Really. These are those oft-discussed Red Flag Identity Theft Rules that were initially designed to go into effect in May 2009 then August then November. The date of enforcement was then bumped back to June 1, 2010 both so that organizations had more time to comply and so that people involved with writing the policies could sort out any ambiguities in the language of the regulations. Well, guess what? You got it. The red flag rules were bumped back again with the new compliance date being December 31, 2010.

If you’re not sure what these regulations are and how they affect you, here is the basic gist:
*Red flags, according to the Federal Trade Commission, are defined as “a pattern, practice or specific activity that indicates the possible existence of identity theft.”
*Organizations that deal with sensitive personal information must have a plan in place to deal with these red flags.
*Said plan must include a policy for identifying these red flags and a procedural response.
*The policy must also contain a clause on how to monitor changes, such as new threats that were not present before, like new kinds of identity scams.

Companies subject to these regulations could face severe fines for noncompliance if their disregard leads to an identity theft incident. Just some of the institutions that must pay extra close attention to these regulations are:
*Banks, credit unions and other financial institutions
*Hospitals, health insurance companies and other medical organizations that store personal data
*Commerce companies that store credit information, such as car dealers and real estate agencies
*Any company that keeps sensitive personal data on file for record-keeping or billing purposes

It may seem that these regulations have no real affect on consumers. However, it is exactly the consumer that they were designed to benefit. The hope is that with more streamlined rules in place there will be fewer data breaches and other unintended leaks of company data to identity thieves and others with criminal intentions. While many companies already have robust identity theft prevention policies in place, the red flags are supposed to give a not so gentle push to those that continue to fall behind in this area. Consumers with questions about these rules can contact the Federal Trade Commission to get more information.

One thing to keep in mind is that these regulations can help keep your information safe, but that does not mean that the risk of identity theft isn’t still very real. First of all, there are organizations that are not going to be careful enough no matter how many fines are levied against them. Second of all, a breach is only one way for sensitive data to get out. There are still dozens more.

After all, there have to be a lot of ways … and a lot of identity thieves, for over nine million Americans to become the target of these fraudsters every year. If each American family took the time to watch their credit, shred sensitive documents and buy identity theft protection, this would do more to shrink this number than any laws on the books.

Consumers may soon have a stronger voice when it comes to data breaches. The Senate Judiciary Committee recently approved two bills: the Data Breach Notification Act and the Personal Data Privacy and Security Act, which, if they become law, will require businesses whose data has been compromised to inform all affected consumers of the breach – and in a timely fashion.

Currently, the majority of states have their own data breach laws in effect, but it can be difficult to enforce conflicting standards, especially when a data breach impacts residents of several different states. Also, there is no specific nationwide standard as to what type of breach event warrants consumer notification. For example, do you have to notify a person if his or her address is leaked, or only if it is something more serious, like a Social Security number?

As it stands right now, many companies do not report data breaches that occur, especially if they are smaller ones, such as an employee stealing a 20 patient list from a doctor’s office. This may not seem like a big deal – unless you happen to be one of those 20 patients.

If the Data Breach Notification Act makes it through Congress, the government will have to draft rules regarding privacy when it uses personal information it garners from outside sources. Also, large corporations will have to report significant data breaches to the Secret Service. Finally, any organization that uses personal data would have to report a breach to both the affected persons and law enforcement.

Many people do not know that data brokers, which are companies whose major role is to collect personal information, actually possess their information. If the Personal Data Privacy and Security Act passes, consumers will not only have access to this data; they will be able to make changes to it to correct any errors. People who steal this data will face increased criminal penalties, which will hopefully help to discourage potential identity thieves.

There is no guarantee that either of these laws will make it to the President’s desk, although it is hoped that they do. Even if both pass, this doesn’t mean identity thieves will cease to operate. If anything, they simply highlight the seriousness of the crime, which is not even beginning to wane. According to Javelin Research, one in 10 Americans has already been victimized.

It is still just as important to protect yourself from identity thieves and not rely on the government to do it for you. One easy way is to purchase the best identity theft protection service from a highly rated source. While there is no 100% foolproof way to prevent yourself from becoming a victim, a plan can certainly lower your odds. Since this issue is serious, as evidenced by current political activity, and it’s not going away anytime soon, the time to set yourself up with a plan is now – before this crime happens to you or a loved one.

Think a human stealing your personal information is bad? It’s even worse when a computer does it. Online identity theft is a real threat. While humans can only work for a number of hours a day, computers can be on task 24/7. They also have the potential to pull millions – yes you read that right – of records at a time.

The worst part of all is that the computer that steals your information could be the one that’s sitting on your desk right this minute. If your computer is infected with malware, your machine could be delivering your information to the botnet behind your back.

The botnet is not a small project created by one hacker in his basement either. Researchers from the University of California looked into a Torpig botnet around this time last year and found that the malware associated with it collected 56,000 passwords from infected machines in just one hour’s time. And, over 10 days, they found that the bot received login information for over 8,000 financial accounts, which was delivered to data collectors known as “botnet herders” — really just a fancy name for sophisticated identity thieves.

Some thieves even opened their bots up to others in a rental type relationship to earn more money. Researchers estimated that whomever had access to the other end of the bot could generate up to $8.3 million in profits from disseminating this information alone.

They also discovered a rather sobering fact: The people that had their login information stolen and distributed for the most part did not maintain their computers well and did not use secure passwords. They also had their computers “remember” the passwords and/or used the same password for more than one account.

While doing such things may be easier for you; as you can tell, it makes the malware’s job easier as well. So always take the time to make smart passwords that contain letters, numbers and special characters if possible, and change them at least twice a year. Be especially careful to do this for ones that are associated with secure accounts, such as anything related to your finances.

Also, make sure you have the latest in antivirus protection on your machine, since this can help to keep the malware from getting installed in the first place. One the malware’s there, it can spread like, well, a virus, infecting other machines associated with yours over the Internet. This means that even if you don’t accidentally download malware yourself you can have it hand delivered to you.

A final thing that you can do to help protect your computer, and ultimately your privacy, is to think about getting identity theft protection. That way you can find out if your personal information is making the rounds without the help of university researchers. You can have your plan email you or text you as soon as it sees something suspicious, or even something potentially suspicious. Be responsible or you may become a victim, like the nearly 10 million Americans that had their identities stolen in 2009.

A December 10 article in the Las Vegas Sun states that patients at University Medical Center do not have to be notified for 60 days if their information is involved in a data breach – which recently happened to at least 21 patients; one of which learned of the breach of his medical records from a local newspaper reporter. While that is bad enough, the article revealed another shocking turn of events at the same time.

According to both a nurse and a paramedic associated with the hospital, they have both been approached by more than one individual and offered cash, dinners and perks in the hopes that they will illegally share personal information. At times, these individuals are attorneys looking to profit off of specific cases. At other times, they may be plain old identity thieves. While both the nurse and paramedic said that they refused the offers, there must be someone who hasn’t, or else why would these actions be so blatant and prominent?

So not only can a hospital employee make off with your information for up to two months without your knowing about it, he or she can also sell your information on the black market, again without your knowing about it. See the Dateline Video on our homepage for more on how identity thieves sell our information, account numbers and passwords illegally.

Well, if you had identity theft protection, this could help keep you out in both of these situations. Even if a hospital, a company, or a relative, doesn’t tell you your information is in the wrong hands, your protection plan can give you a head’s up – and in a much shorter time than 60 days. It can also protect your finances with a guarantee that can help you recoup money lost if identity theft still occurs. This coverage will differ depending on your plan, so it’s important to do some research before purchasing one.

While it can be tough to think that your confidentiality is not really guaranteed when you go in for medical treatment, it can be even tougher to face the consequences of identity theft. I’m sure you’ll find this to be a common response if you ask a few of the 10 million Americans victimized in 2008.

So get hospital care if you need it, even with the risk involved. Just sign up with an identity protection service first. It’s as important for your peace of mind as having a medical policy – and it could even save you more money and time in the long run.

You may have already heard about the August 18 indictment of Albert Gonzales and accomplices, regarding the theft of over 130 million debit and credit card numbers, making it the biggest ID theft case prosecuted in the history of the crime. Gonzales, a former government informant, on the subject of credit card fraud nonetheless, used a vector attack to obtain numbers from large retailers, including 7-Eleven (through third party ATM’s), Hannaford Brother and Heartland Payment Systems, a popular payment processing company. Learn more about the Heartland Payment Systems data breach.

The process involved in these thefts was fairly complex. Gonzales and his “team” would visit various businesses to view their point of sale equipment. Once they were able to find vulnerability in a system, they would attempt to find a way to hack into it. Since retailers are less likely to frequently update their software than, for example, a large technology or medical company, they were able to find a virtual hacker’s paradise.

By using servers and systems located around the world, and assistants in Russia and Eastern Europe, as well as the U.S., Gonzales was able to hack into networks, install malware on the machines in some cases, and get credit information essentially delivered directly to him. This information included cards currently in use and those that had been stored on the system from previous use.

When Gonzales was indicted for his latest crimes, he was already under investigation for hacking the systems of several additional companies. These include such shopping mall staples as Barnes & Noble, the Sports Authority, Forever 21, OfficeMax and Boston Market. Another Gonzales target, T.J. Maxx, told the Securities Exchange Commission that it has lost $200 million due to a similar data breach. For more information on these see our article Identity Theft Ring Busted – Retail Hackers Charged.

If Gonzales is convicted of the charges against him, he faces not only over $1 million in fines, but up to 35 years in prison. This will hopefully keep him out of the picture for quite some time, but there will soon be others who will learn from his experience. There are always plenty of hackers out there that would love to make a quick buck, whether in an ethical way or not.

While it is tough to switch to a cash-only payment system, doing so might seem tempting with all of the information that seems to be floating about. However, you don’t have to if you have an identity theft protection service watching your back. They help to keep your card numbers safe, even if they do end up picked up by a criminal.

Additionally, read your credit card and debit card statements each month. If you notice anything unusual, get your card number changed, and notify your credit card company of the charges that you don’t recognize so you can go through the process to contest them. While companies targeted in the Gonzales case may be out a good deal of money, you do not have to join them in the same boat. These retail companies often have insurance policies to help them out. You can have similar protections for your own accounts for as little as a few nickels a day.