Businesses devote time and resources to attracting and retaining customers, but these days all it takes is one data breach or other loss or theft of personally identifying information about customers to lose their business for good. That's why preventing identity theft has become a major concern for businesses entrusted with the custody of personal data about customers, employees, or third parties.
Businesses have been stockpiling more and more personally identifiable information (PII) about customers since the advent of the digital age. PII -- including credit card numbers, social security numbers, birth dates, addresses, etc. -- is often collected in the course of sales, applications for credit or loans, and in the course of employment. This information is often maintained by businesses in computer databases or on disks or is transmitted over networks, such as the Internet. Stealing PII often leads to identity theft -- a crime through which someone uses stolen personal information to get credit cards, take out loans, and/or perpetrate other fraud.
In recent years, many U.S. states have adopted laws that put some of the burden of fighting identity theft on businesses. California led the way in 2002 with a law requiring that companies notify customers when their PII is lost, stolen, or has possibly been otherwise compromised. Since then, 45 states, the District of Columbia, and several U.S. territories have passed similar laws.
While large corporations may keep more PII, smaller firms are sometimes targeted by ID thieves because their data security is not as rigorous. "In a large business there is typically a well-defined set of people who have responsibility for security of computers and information assets. In small to medium businesses, that activity is not as clearly well defined," says Lawrence R. Rogers, a senior member of the technical staff at the CERT Program of the Software Engineering Institute, part of Carnegie Mellon University. "In Mom-and-Pop businesses that collect personal identifying information, they may have someone who installs patches and secures information. It's the same information a big business would have -- although not as much -- but perhaps it's more vulnerable because it's easier to attack."
The following sections will cover the ways thieves use businesses to perpetrate ID theft, how to use encryption to fight ID theft, and other steps businesses can take to better protect data.
Preventing Identity Theft: How Thieves Use Businesses for ID Theft
The Internet has helped fuel the spread of ID theft. Thieves for decades have sought to profit from identity scams, but it used to be that they had to pilfer paper files from record rooms or sort through your trash to find personal information. Nowadays, business information is aggregated on computers and one stolen or lost laptop computer could compromise the PII of millions of customers. In addition, the Internet can be used by thieves and organized criminal gangs to steal information from a business computer halfway around the world and trade it on an underground black market.
"Fraud is becoming a high tech business. It's also borderless and international. You can commit a fraud against an organization that's not even in your mother country," says Allan Bachman, education manager of the Association of Certified Fraud Examiners (www.acfe.org), an international organization dedicated to fighting fraud and white-collar crime.
Data thieves are hackers, and they are in it to sell this information to others who can use it to carry out financial fraud. "The information has a very short shelf life. Your social security and credit card numbers only go for about $50 on the black market because they can only be used for a short period of time before it's discovered," Bachman says. That's why thieves are targeting bigger repositories of data. It's like the old adage about asking a criminal why they would rob a bank. The answer is usually because that's where the money is. "That's why data breaches occur," Bachman says. "That's where the data is."
A data breach can be costly for a business. In 2009, the average cost of a data breach rose to $202 per customer record, from $197 in 2008, according to The Ponemon Institute, a Michigan-based research center focusing on privacy and data protection. The study found that the average total cost of a data breach was $6.6 million, ranging from $613,000 to nearly $32 million.
Here are some of the ways data breaches occur:
How to Use Encryption to Fight ID Theft
The best way to protect PII in digital form is to use encryption. Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are examples of technologies used to encrypt data that is transmitted over networks. Encryption should also be used to protect PII at rest, whether it is stored on disk, tape, CD-ROM, or any other type of media used to hold data, Rogers says. "Understand that encryption technologies do not defend against data being captured by the bad guys; rather, its aim is to make any data that falls into the wrong hands unintelligible and therefore useless," he adds.
More specifically, the computing time and resources needed to decipher and then use encrypted data are presumed to be significantly greater than the useful lifetime of that data. "It's analogous to using a paper shredder -- someone could get their hands on all those paper scraps, and spend time fitting them back together, but the point is it would take most people way too long for this to be of much use," Rogers says. "The arms race, pitting the sophistication and configuration of encryption technologies against the resources and ingenuity of an adversary, is never-ending, though."
Encryption technology is available to businesses in a variety of products today. But even after you select a product, you need to keep evaluating the market: encryption technologies get stronger every year, as adversaries continue to look for and find new methods to defeat them. This means that a well-researched and informed decision today may turn out to be a poor choice in the not-too-distant future.
Encryption relies on keys to decrypt your data, so the management of those keys is just as important as the choice of technology, Rogers says. Deciding who "owns" these keys and who can access them must reflect the needs of the business, the practicalities of personnel changes, and the awareness of insider threats.
Rogers recommends taking the following steps to protect your business data with encryption:
"The encryption hardware and software selected must be re-evaluated regularly, to make sure they are still providing the required protection," Rogers says. "Remember that encryption technologies can be rendered obsolete by events completely external to the enterprise. This may mean that the entire encryption infrastructure needs to be overhauled rapidly to ensure that PII remains appropriately confidential over its useful lifetime."
Similarly, he says, all policies and procedures governing the use of encryption need to be reviewed periodically to confirm that they are being complied with and carried out.
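The two points above, that stored PII should be encrypted and that the keys need an owner, a lifecycle and a way to be replaced when the technology or the people change, can be made concrete in a small program. The following Go example is added here and is not code from the article or from CERT; it encrypts a PII record at rest with AES-GCM and tags each record with a key version so that keys can be rotated and old ones retired. The Keyring type, the record layout (version, nonce, ciphertext) and the sample record are assumptions made for the illustration; in practice the keys would live in a key-management system or HSM rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Keyring holds the data-encryption keys known to the application, indexed by
// version. Only the newest version is used to encrypt; older versions are kept
// solely to decrypt records that have not yet been re-encrypted.
// (Hypothetical type written for this example.)
type Keyring struct {
	keys    map[uint32][]byte
	current uint32
}

func NewKeyring() *Keyring { return &Keyring{keys: map[uint32][]byte{}} }

// AddKey generates a fresh 256-bit AES key and makes it the current version.
func (k *Keyring) AddKey() (uint32, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return 0, err
	}
	k.current++
	k.keys[k.current] = key
	return k.current, nil
}

// Retire removes an old key version once every record under it has been rotated.
func (k *Keyring) Retire(version uint32) {
	if version != k.current {
		delete(k.keys, version)
	}
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a PII field under the current key. Record layout:
// version (4 bytes, big-endian) || nonce || ciphertext+tag. The version header
// is bound as associated data, so it cannot be altered without detection.
func (k *Keyring) Encrypt(plaintext []byte) ([]byte, error) {
	key, ok := k.keys[k.current]
	if !ok {
		return nil, errors.New("keyring has no current key")
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	header := make([]byte, 4)
	binary.BigEndian.PutUint32(header, k.current)
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	sealed := g.Seal(nil, nonce, plaintext, header)
	out := append(header, nonce...)
	return append(out, sealed...), nil
}

// Decrypt opens a record with whichever key version it was sealed under and
// reports that version, so callers can see which records still need rotation.
func (k *Keyring) Decrypt(record []byte) ([]byte, uint32, error) {
	if len(record) < 4 {
		return nil, 0, errors.New("record too short")
	}
	version := binary.BigEndian.Uint32(record[:4])
	key, ok := k.keys[version]
	if !ok {
		return nil, version, fmt.Errorf("key version %d not available", version)
	}
	g, err := aead(key)
	if err != nil {
		return nil, version, err
	}
	ns := g.NonceSize()
	if len(record) < 4+ns+g.Overhead() {
		return nil, version, errors.New("record too short")
	}
	pt, err := g.Open(nil, record[4:4+ns], record[4+ns:], record[:4])
	if err != nil {
		return nil, version, errors.New("record failed authentication")
	}
	return pt, version, nil
}

// Rotate re-encrypts a record under the current key if it is sealed under an
// older one; records already on the current version are returned unchanged.
func (k *Keyring) Rotate(record []byte) ([]byte, error) {
	pt, version, err := k.Decrypt(record)
	if err != nil {
		return nil, err
	}
	if version == k.current {
		return record, nil
	}
	return k.Encrypt(pt)
}

func main() {
	kr := NewKeyring()
	kr.AddKey()
	// Constructed sample record; not real customer data.
	rec, _ := kr.Encrypt([]byte("dob=1970-01-01;ssn=000-00-0000"))
	kr.AddKey()                // new key version after a re-evaluation
	rotated, _ := kr.Rotate(rec)
	kr.Retire(1)               // old key destroyed once rotation is complete
	_, v, err := kr.Decrypt(rotated)
	fmt.Println("rotated record under key version", v, "err:", err)
	_, _, err = kr.Decrypt(rec)
	fmt.Println("un-rotated record after retirement err:", err)
}
```

The version header is what makes the overhaul Rogers describes practical: a batch job can scan for records whose version is older than the current key, call Rotate on each, and only then call Retire, so no record is left unreadable and no retired key lingers on disk.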
Preventing Identity Theft: Additional Steps to Secure Data
In addition to using encryption to protect data, businesses can take other simple steps to help protect them from being used by criminals to perpetrate ID theft. Here are some of the simple steps that experts recommend:
Preventing Identity Theft: Additional Resources
Ten Ways to Prevent Identity Theft from Staples.com
Tips for the business owner on how to secure employee and customer data.
Verizon Business RISK Team 2009 Data Breach Investigations Report
Telecommunications giant had its digital forensics team analyze more than 90 data breaches around the world that compromised more than 285 million records.
Ponemon Institute Fourth Annual Cost of a Data Breach Report
The Ponemon Institute reported that data breaches have a serious financial impact on businesses.
Symantec Internet Security Threat Report
Security software maker Symantec conducts ongoing analyses of threats impacting users of the Internet.
Insider Threat Research
Efforts underway at the CERT Program at the Software Engineering Institute, part of Carnegie Mellon University.