Your Data Breach Doesn't Have to Produce Identity Theft
The odds are against all of us. If you have not already been notified that your personal information was involved in a data breach, then chances are you will be soon or your personal information was, indeed, compromised but it has not been discovered yet.
The unfortunate truth is that this probably doesn’t surprise you. Data breaches have become so common that weexpect our information to be stolen over time. It’s the tradeoff for conveniences such as digital commerce, credit-based transactions and connected devices.
With the widespread resignation to data theft, we have witnessed countless organizations announce data breaches with no answer to the question, “What are you going to do about it?”
Who pays the price when our information is lost or stolen?
The answer is not the organization that lost the information, despite regulations that require them to notify consumers and offer mitigation efforts such as credit monitoring. And the answer is not consumers, despite the number of hours you may spend on the phone disputing fraudulent charges to your bank account.
The biggest breach-related fraud losses are seen by banks, credit card issuers and other service providers that must refund you when fraud is discovered on your accounts. But until recently, there has been little they could do to prevent it.
Credit and Dark Web Monitoring are not the Only Answers
In the U.S. and abroad, regulators have required breached entities to offer “protection” from fraud following a data breach, most often in the form of credit monitoring. Some organizations will also pay extra to monitor the Dark Web to learn if customers’ information or stolen data sets are being sold. However, in order to be considered a preventative measure, credit and Dark Web monitoring come with a few quid pro quos:
- Consumers must opt in to these services in order to be covered, creating a gap in coverage for those who don’t feel it is necessary, are not willing to take the necessary steps or who completely forget to participate after they receive a notification letter.
- Monitoring, by definition, means an action has already occurred. By the time a monitoring service discovers information is being sold or that a new account has been opened with compromised credentials, it may be too late to prevent monetary loss.
- All reporting must fall in line in order for monitoring to be effective. A bank must report account data to credit bureaus; a credit bureau must update credit histories; and a new application must be run against a credit history in order for monitoring to prevent a fraudulent application from being funded.
But what about fraudsters who are able to take control of an existing bank account in order to drain the balance? Or those who open an account for a service that does not run a credit check? There is a whole world of fraud out there that can wreak far more havoc than funding a fraudulent loan.
Close the Gap Between Breaches and Banks
The alternative to waiting on a monitoring service to identify fraudulent activity is to empower breached organizations to take steps beyond the regulatory minimums in order to ensure protection for their customers.
Currently an organization is required to notify consumers when their information has been involved in a data breach. Why are they not required to notify the service providers where those customers have accounts?
Protecting Consumers Will Protect Your Company
No matter what part of the puzzle your business fits into, the common thread that everyone can get on board with is protecting consumers from identity theft. Putting consumers first through every part of the decision-making process ties together strategies to do the most good for everyone.
Breached organizations have the opportunity to retain customers and build goodwill by taking every step possible to protect breach victims from identity theft. For consumers and banks, this protection means that a compromised identity won’t necessarily result in identity theft and fraud. In this scenario, everybody wins.
Go Above and Beyond to Protect People
Data breaches are not new to the business world. They’ve been happening for years and no solution has surfaced to guarantee they won’t continue happening. So it’s time we turn our focus to the aftermath of breaches in order to protect people from the after effects.
Dozens of organizations today are developing privacy enhancing technologies to meet the needs of the growing data economy, including XOR Data Exchange. However, in order to be successful in protecting consumers, it’s time the business world rethinks the way it treats personal information.
Take a look at your data sharing policies and ask yourself these questions:
- Are you collecting, sharing and storing information that you absolutely need?
- Are you keeping information after you use it because you will need it in the future, or because you might need it in the future?
We know that consumer data is valuable to businesses. Many will find every opportunity to make as much money as they can from they data they produce or retain; but we have to remember that when data is collected, processed or stored, we create more opportunities for that information to be stolen.
And if your data is stolen, it’s time to think rethink your cleanup plan. When news breaks, will you brush it off with the usual, “We encourage you to monitor your accounts closely”? Or will you take the steps necessary to ensure your customers don’t fall victim to identity theft, contributing to the billions of dollars lost each year in fraud losses?
Mike Cook is the founder and CEO of XOR Data Exchange, an Austin, Texas-based startup building permission-based data exchanges to solve business challenges in fraud and credit risk. His pride and joy is XOR’s Compromised Identity Exchange, a platform allowing breached organizations to connect their breach with at-risk entities such as banks, lenders and credit card issuers to proactively prevent identity theft and fraud.