Good News or Bad News


**************************
Quick Reminder:
For those of you in Columbus
tonight is Security MBA at
“The Elevator”
**************************

    Which do you want to hear first? The bad news? OK –

    There are now 100,000,000 data breach victims according to the Privacy Rights Clearinghouse.

    The good news? With a number that high, and a little diligence on your part, it’s unlikely that you’ll be one of the victims.

    For those of you who might not recall, a control can do one of three things:

    1. Prevent
    2. Detect
    3. Respond

    Note that if you can prevent with 100% effectiveness, you don’t need to worry so much about detection or response. If you can detect and respond with 100% effectiveness, you don’t really need to worry about prevention. Building the right ratios there makes the CISO’s job interesting.

    For me and you? Well, if you’re a US citizen, odds are better than 1 in 3 that we’ve been part of a privacy breach. And you’ll note that we, as consumers, get very upset when we hear about these things — and rightly so. Part of that frustration is due to the fact that we can allocate a big, fat “0” towards prevention.

    You can probably see where I’m going with this. If we’re unable to do anything to prevent the stolen laptop, we must focus on detection and response. So what detection and response controls do you have in place surrounding your identity?

    Similarly, a huge question that privacy advocates should be focusing on right now is this:

    What can industry or the government do better to help us detect and respond?

    Penalties or no penalties, best practices or no best practices, these things are going to happen. And they’re going to continue to happen in large numbers. The only thing we can do is detect and respond.

    Unless you go Amish.


4 comments

    1. Chris Hayes Dec 18

      Interesting post and very valid question. Having been a victim of identity theft in the past and having been notified on two breaches – the sense of feeling vulnerable and being confused as to what resources are available to me is a feeling I do not want to have to experience again.

      Some feedback:

      Detect Controls:

      1. Evaluate companies you have financial relations with to gauge their capability in detecting non-normal activity with your accounts. There have been at least two occasions where a banking and a credit card company with whom I have accounts contacted me about anomaly-like transactions. To their credit, both companies removed the fraudulent charges.

      2. Credit monitoring services. There are consumer-level credit monitoring services that consumers can purchase that contact the consumer when credit checks are performed against them.

      Respond Controls:

      1. Some insurance companies are offering Identity Theft insurance (also available for direct consumer purchase). For a few dollars a month, an individual will have access to professional services that specialize in responding to identity theft to minimize impact to the consumer.

      The government should provide some incentive to individual consumers to utilize both detection and response services – like a tax deduction.

    2. Alex Dec 18

      Great response!

      I’ve got credit monitoring myself, and am considering the insurance options. Have any recommendations?

      :)

    3. Adam Dec 19

      Government is better positioned to prevent, by banning random collection of the SSN or other government-issued identifiers or authenticators.

    4. Alex Dec 19

      Do you really think so Adam? I’d like to think that would be the case, but I’m afraid the cat’s out of the bag - our PII is out there so much, there’s no pulling it back…

      Which, in my mind, leaves “detect” (disclosure laws) and “respond”. And it’s precedent in response that’s somewhat unnerving. IIRC, Choicepoint was given a $15,000,000 fine - 1/3 of which was allocated to reimbursing the consumer hurt by the breach. This, of course, begs the point - where did the other $10,000,000 go? Why (only?) $5,000,000 for those folks? We’re not privy to the thought that went into this “judgment”, nor do I know anyone in our community who was asked for input on those amounts, but it does set precedent for the future.
