Protecting Your Company, Employees and Customers from Identity Theft Presented by: Bill Morrow CSIdentity Chairman and CEO

Upload: alvin-mosley

Post on 16-Dec-2015

2 • Proprietary and Confidential

Agenda

• Risks Businesses Face Today

• Identity Theft Overview

• Identity Theft Protection and Data Security

• Questions & Answers

Risk and The Opportunity Cost

• With RISK taking there is an opportunity or payback for a sacrifice OR consequences to pay for not taking a risk. In today’s business environment and with identity theft, there is an opportunity cost -- the cost of doing nothing.

• There is no payback for accepting or allowing the RISK to occur.

• Consequences for inaction are greater than ever before – not just from a lost revenue perspective but also from a legislative point of view with state and federal regulations setting compliance standards.

• Risk: to expose oneself to the chance of injury or loss, to venture upon, take or run the chance of an outcome; put oneself in danger or hazard.

Managing Risk

• Identity theft is ever-evolving and criminals are becoming more sophisticated, scheming ways to infiltrate businesses, find the gaps in security, manipulate the system and discover ways to further deceive consumers.

• Businesses need to be ahead of the curve, and stay ahead of criminals, to protect their assets including revenue, customer base and employees.

• Legislation is established as a result of incidents - reacting to discovered threats. However, today there are unrealized threats and areas where your company is unknowingly unprotected.

• It’s important to be proactive versus reactive when it comes to fraud and identity theft.

• Manage risk & close the gaps.

Identity Theft and Related Fraud Risks

• Hiring employees who use false identity data to mask a criminal history and gain access to your networks and data from the inside

• Retaining employees who have committed criminal offenses after being hired and screened

• Employee errors, loose policies or internal fraud causing data breaches of company, customer and employee data

• Thieves or hackers externally accessing your network and data

• Criminals buying and selling your company and customer data to other criminals who use it to commit more crimes

• Maintaining incomplete current safeguards that may allow for gaps in security

Spear-phishing & Whaling

Do you know who your colleagues report suspicious e-mails to?

Would you or your senior management team recognize a whaling e-mail or use a USB from an unknown source?

Criminal Chat Room Activity

Identity Theft Overview

Identity Theft Has Evolved And Grown Significantly

Source: Deloitte Research, Identity Theft: Understanding the Experience of Private Sector Organizations, 2006.

The Evolution Of Identity Theft Makes Banks The Number One Target Of Identity Thieves

• Banks are targeted
  - 7 of the top 10 targeted institutions
  - Responsible for more than 25% of complaints

• Why are banks targeted?
  - Consumers only involved in fraud detection on their personal existing accounts
  - Credit monitoring does not provide information on debit accounts

• Communication providers are targeted
  - 3 of the top 10 targeted institutions
  - Responsible for 15% of identity theft complaints

• Fraudulent Phone + Fraudulent Bank
  - Reinforces control of identity
  - Both used to verify identity authenticity
  - Creates significant merchant losses

Identity Theft Is Not Simply Credit Card Fraud

Businesses and consumers are targeted in multiple ways.

• Employment Fraud
  - 1.8 M applicants use stolen identities
  - 30% of applicants falsify credentials

• Phone Fraud
  - Service obtained under stolen identity
  - Third parties authenticate using phone

• Government Documents Fraud
  - False DL/Passport defeat verification
  - False IRS, SSA, HHS claims

• Criminal Fraud
  - Crimes committed with false identities
  - Prevents detection during employment or other screening activities

2006 FTC Identity Fraud & Theft Statistics

FTC Data Clearinghouse 2006. Survey results include some cases of identity theft where the individual was impacted by more than one area (i.e. credit take-over and credit new account).  For purposes of presenting in a pie chart, survey results were pro-ratably adjusted for these cases in order that a relative comparison of types of identity theft could be presented.

FTC Data Trend Shows Decline In Credit-Related Identity Theft

Credit-related identity theft is declining while non-credit-related identity theft has increased since 2002. Identifying both types of identity fraud and theft is key.

                     2002   2003   2004   2005   2006
Credit Related       30%    23%    19%    18%    18%
Non-Credit Related   70%    77%    81%    82%    82%

Credit Related: Down 40%. Non-Credit Related: Up 17%.

Source: FTC Data Clearinghouse 2006.

Identity Theft Crimes Impact Individuals In Countless Ways

• Unable to secure a job

• Wrongly arrested

• Tax liabilities

• IRS audits

• Fraudulent tax refunds

• IRS notice of undeclared income

• Unable to buy a home

• Unable to buy a car

• Unable to pay for college

• Theft/loss of government benefits

• Fraudulent payday loans issued

• Property deeds compromised – property sold fraudulently

• Damage to professional reputation

• Unable to open new bank accounts

• Existing bank accounts shut down

• Existing bank accounts drained

• Unable to open new credit accounts

• Existing credit terminated

• Existing credit used fraudulently

• Unable to take out loans

• Fraudulent loans

• Health insurance used fraudulently

• Erroneous health records due to fraud

• Loss of security clearances

Consumers Are Targeted By Growing And Evolving Identity Theft Crimes

Identity Theft Is Growing (victims)
  2002: 9.1 M
  2006: 15 M
  65% Increase

Identity Theft Is Evolving (victims)
  Credit: 2.73 M (2002), 2.7 M (2006), 1% Decrease
  Non-Credit: 6.37 M (2002), 12.3 M (2006), 93% Increase

Individual Losses Are Increasing
  2005: $1,408
  2006: $3,257
  131% Increase in One Year

International Black Market Identity Trade (identity-theft-related fraud)
  2005: $0.7 B
  2006: $0.9 B
  2007: $1.1 B
  2008: $1.3 B
  2009: $1.5 B
  2010: $1.6 B
  17.3% CAGR

Sources: IDC, 2006; Gartner, 2007; FTC, 2006; IDC, 2006.

Businesses Are Targeted Both To Commit Fraud And To Steal Identities

Cost per Record Exposed in Data Breach
  2006: $149
  2007: $197
  Source: Ponemon Institute

Aggregate Business Identity Losses (not due to breaches)
  Values shown on chart ($ in billions): $57, $53, $53, $57
  Axis labels: 2003, 2006
  Source: Javelin Strategy and Research Survey 2006.

Protect Your Company From Data Security Breaches

Businesses are also targeted because they control identity data for hundreds of thousands or millions of identities in centralized repositories.

• 85 percent of companies have experienced a data breach in the past two years.

• 1 to 3 data breaches occur daily.

• Approximately 90 percent of most breaches are due to people and policy issues.

• $6.3 million average cost per breach, up from $4.8 million in 2006.

• $197 average cost per record lost.

• Companies suffer legal liabilities, loss of market share (2.67%), brand equity and customers with increased churn.

Chart label: People, process and policy security breaches

Source: Ponemon Data Breach Study, November 2007.

Identity Theft Protection and Data Security

Regulatory Landscape

• Agencies, financial institutions and businesses face a myriad of federal and state regulatory requirements, for example:
  - Patriot Act
  - Sarbanes-Oxley
  - Fair Credit Reporting Act
  - Fair and Accurate Transactions Act
  - Gramm-Leach-Bliley Act
  - State data privacy and security laws

Identity Theft Defense Framework

• Understand environment, criminals, and motives
  - Why would the data you control be desired?
  - How would a criminal conduct transactions with your organization using a stolen identity?
  - Are you vulnerable to internal risks from employees, contractors, and vendors?

• Understand risk areas
  - What types of transactions are high risk and where would they occur?
  - Are there gaps between systems or organization silos that can be exploited?

• Install controls to identify and prevent theft and fraud
  - Who do you hire?
  - Who has access?
  - Who conducts transactions – who authorizes, who overrides, and who is responsible?
  - Who monitors and audits?

• Plan for post-fraud response
  - What constitutes a breach and what defines the severity of breach?
  - Who is notified and how is information conveyed to exposed victims?
  - What victim protection solutions will be extended based on data exposed and severity of breach?

Identity Data Security Requirements

• Thirty-nine states (including Texas) have data security and privacy legislation.
  - Federal legislation mimicking California data security and privacy legislation is pending

• Define data requiring compliance – Personal Confidential Information (PCI).
  - Name associated with Social Security number, driver’s license, account data (debit or credit), usernames and passwords, and other sensitive data

• Protect PCI data from exposure.
  - Storage – database, desktop, laptop, paper
  - Transfer – e-mail, other network, backup tape (other medium), physical
  - Destruction – data storage timelines, physical storage and destruction policies

• Define a policy for responding to data security breaches.
  - Proactively develop data breach response plan as part of overall disaster recovery efforts
  - Promptly implement breach plan upon breach identification
  - Notify consumer victims and extend victim protection services in response to a breach

Properly Created Plans Provide Overlapping Compliance Capabilities: Reducing Risks and Liabilities

Components | Compliance Requirements / Satisfaction

1. Verify Employee Identities and Background: Social Security verification confirms only the accuracy of the SSN, not the identity and fails to detect applicants concealing elements of their background | GLBA, FCRA

2. Verify Customer Identities: For all transactions: account origination, transactions, and account changes | GLBA, FCRA, FACTA

3. Employee Awareness: Employee identity protection solutions with identity monitoring and ongoing training reinforce data security awareness | GLBA and State Laws

4. Customer Awareness: Provide identity theft awareness materials and/or retail programs online and in physical environments | GLBA

5. Data Protection: Identify personal confidential information, its location, encryption, access and storage requirements and risk by identity element | GLBA, FACTA

6. Exposure Detection: Detect when accounts or customer identities have been exposed to reduce fraud losses and protect customer | FACTA

7. Incident Response Plan: Prepare an incident response plan based on type of breached data and severity of breach now | GLBA, FACTA, State Laws

8. Victim Protection and Assistance: Deploy the incident response plan promptly to educate victims to their level of risk and protection available | GLBA and State Laws

About CSIdentity

CSIdentity Targets Identity Fraud Across Industries And Markets

Business: Identity theft and fraud detection, HR Benefits, breach management solutions, data solutions and security tools.

Consumer: Comprehensive identity theft protection and personal security solutions.

Government: Detection of altered, fabricated and stolen identities used by individuals crossing borders and utilizing the United States’ transportation systems.

CSIdentity Solutions

Multiple Security Layers Provide Comprehensive Fraud Detection and Protection

Diagram labels:

• Vendors, Employees, Customers

• SAFE(SM): Security Authentication For Employees & Vendors

• CSIdentity Protector(SM)

• Data Breach Mitigation Solutions

• ID Verification & Monitoring

• Enterprise Account Protection: Blanket Solutions

Questions & Answers