[BreachExchange] Data Breach Digest: A collective effort is needed to truly protect breach victims

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 4 19:25:26 EDT 2016


http://www.securityinfowatch.com/article/12264806/data-breach-digest-a-collective-effort-is-needed-to-truly-protect-breach-victims

As most who work in this industry know by now, protecting consumers in the
wake of a data breach should be one of a company’s highest priorities and
is one of the most important aspects of a successful response to an
incident. In fact, according to a consumer study conducted by the Ponemon
Institute in 2014, nearly a third of respondents noted they discontinued
their relationship with a company following a data breach due to the way
the company responded to the breach.

Unfortunately, providing the proper protection to customers following an
incident is more challenging today than ever before. As hackers continue to
evolve their approaches and utilize different types of personally
identifiable information, whether it’s a username and password or medical
insurance number, companies are challenged to keep pace. No two data
breaches are the same, and the incident particulars will determine the
right option for consumers. Just like a game of cat and mouse, as the data
breach ecosystem innovates and adopts best practices to reduce the harm of
incidents, attackers find new ways around them.

With this in mind, I would like to comment on the state of consumer
protection today. Faced with these constantly changing threats and customer
expectations, the entire data breach ecosystem must continue to evolve its
thinking about customer protection following a breach. From identity
protection technology providers to company executives faced with deciding
what protection needs to be offered and the outside experts that advise
them, I believe it’s vital that everyone in the industry better understand
what technology and innovation is needed to provide consumers the right
protection. We must all work to improve the options available and ensure a
better understanding of what specific breach populations most need. It’s
ultimately a collective responsibility that requires more dialogue and
attention to help companies know their options and ensure consumers are
getting the type of protection that will work best.

To start, let’s take a look at the identity protection provider industry.
While credit monitoring is what many think of when it comes to identity
protection, it may not always be best suited for certain types of breaches
we see today. For example, when usernames and passwords are lost, an
internet scanning service that will monitor the trading and selling of this
data is crucial. Meanwhile, exposure of names and social security numbers
also requires that affected consumers have the ability to access their
credit report from each credit bureau so they can regularly monitor for any
new accounts opened in their name.

The good news is we are continuing to see innovation in this space and
several vendors now have new technologies that help provide remedies beyond
credit monitoring. But we need to do more to develop further choices for
consumer protection, including better ways to monitor for child identity
theft and medical insurance activity so consumers can detect if someone is
getting care using their insurance credentials.

However, innovation in monitoring choices is only one piece of the puzzle.
For companies, today’s plethora of personal information being exposed makes
it even harder to select the right solution, as there is no
one-size-fits-all approach and there are various product options in the
marketplace to choose from.

Ultimately, it is the company’s executives in charge of the breach response
who will make the decision of how to protect their affected audience. They
need to be well-informed about the options in the marketplace. Not only
should they be knowledgeable, but they should also consider protecting
their customers a major priority and not just a last box to be checked off
on the list of response tactics. While a minority, I’ve heard of some cases where
companies have decided to offer no remedy to breach populations. I believe
this is not acceptable, especially given that criminals can piece together
any type of personal information to commit fraud and there are now more
diverse product options that are better tailored toward a wider range of
incident types. While there are certainly some costs with providing
protection, the peace of mind it can provide to breach victims and
subsequent goodwill it provides for a company are well worth it.

Unfortunately, keeping track of the latest threats and remedies can be a
challenge. The good news is that there are several external experts that
companies rely on during an incident that can help in making these critical
decisions. Outside legal counsel, public relations and forensics experts
can provide thoughtful and objective analysis of the right tool for the
job. They too have an important role in the ecosystem. It is critical that
companies work with advisors who are objective, have critical industry
relationships and are educated on all the types of consumer protection
options.

Even ahead of an incident, it’s important that companies ask their advisors
to help them understand the latest best practice when it comes to
protection. They should look for outside counsel to arrange for briefings
with identity protection providers to understand the latest technology and
even set up pre-breach agreements with a provider that is able to provide
regular updates on developments in the market.

While protecting breach victims is only becoming more difficult, I am
optimistic that we will see steady improvement in addressing this issue to
the satisfaction of companies and consumers.

That said, there is no room for complacency. As sophisticated as criminals
are, those of us fighting to keep them at bay need to stay vigilant about
the right options to mitigate fallout when a breach does occur.