Archive for the ‘data breach notification’ Category

Consumers not connecting data breach and ID theft, study shows

Monday, November 2nd, 2009

Somehow consumers aren’t making the connection between receiving a data breach notification and later becoming an identity theft victim, according to a new study. The study found that people whose information has been compromised in a data breach are four times more likely to become victims of either identity theft or credit fraud within the next 12 months.

Yet, when asked later about having become identity theft victims, few of the survey respondents attributed their fraud to the data breach they’d been involved in.

The objective behind sending the data breach notification letters is to let consumers know their personal or financial information has been compromised. The notices should spur credit card and bankcard holders to place fraud alerts or credit freezes on their credit reports, or to enroll in identity theft protection services or credit monitoring services.

Unfortunately, it seems few recipients of the data breach notifications are taking heed.

Sept. 23 deadline for health-care data breach, ID theft risk notification rules

Monday, September 21st, 2009

Health-care-related businesses have only two more days to prepare a data breach notification plan. A new rule requiring health care providers, insurers and clearinghouses to notify individuals whose information has been inappropriately accessed goes into effect September 23.

Additionally, the data breach notification rule applies to any business associates of any entity covered by HIPAA.

The notification is to be made “as soon as reasonably possible,” but in most cases within 60 days of discovery. An exception to this provision is made if law enforcement requests a delay, a common occurrence when an investigation is ongoing, particularly if the breach appears to affect a large number of people or is part of a larger scam.

However, even if notification takes place within 60 days, the Department of Health and Human Services (HHS) could determine that the covered entity failed to meet the provision if notification could have been made sooner.

If the breach involves 500 or more people, HHS and the media have to be notified. All smaller breaches are to be reported annually.

Another exception to the rule is encrypted or destroyed information. If a hacker breaks into a server or database but the health care entity had encrypted the data or otherwise rendered it unusable, the entity is off the hook and doesn’t have to make any notification.

A data breach is defined as “the acquisition, access, use or disclosure of protected health information in a manner not permitted (by the HIPAA Privacy Rule) that compromises the security or privacy of the protected health information” or that poses a “significant risk of financial, reputational or other harm to the individual.”

The rule is part of an alphabet soup of new legislation. It applies to any entity covered by the Health Insurance Portability and Accountability Act (HIPAA), and is part of the new Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009 (ARRA).

Utah’s new Canyons School District notifies 6,000 employees of data breach

Tuesday, July 14th, 2009

Parents and students in Utah’s new Canyons School District might be looking forward to back-to-school sales, but this year, 6,000 school employees have to worry that identity thieves might be shopping on their dime.

The district offices sent out notification letters last Friday, telling the employees about a lost USB flash drive that holds 6,000 employees’ addresses, phone numbers, birth dates and Social Security numbers.

Apparently, a district-level employee had a legitimate purpose for storing the data on the flash drive, but maybe has a little bit of a problem with short-term memory. “At this point we have no reason to believe the information was stolen or used to perpetuate fraud or identity theft,” said Jennifer Toomer-Cook, spokeswoman for the district.

To their credit, the school district mailed the notification letters only two days after the data breach was reported. The letters provided employees with a Web address where they can initiate a 90-day fraud alert or credit freeze, but didn’t mention anything about the district paying for employees’ credit monitoring or identity theft protection services.

And the district did try to assuage the concerns of its employees by saying it is working to improve security policies and to build a secure network for file transfers.

Unfortunately, those changes are too late for the employees left at risk of identity theft.

“ID theft is the designer crime of the day. Of all the people I trust with my information, my employer is paramount. So, yes, I am concerned,” said Margot McCallum, a middle school teacher.

Visit LifeLock.com to learn more about their innovative tools and strategies for protecting the identities of their nearly 1.5 million customers. Enroll using the LifeLock promo code DEFENSE and pay only $9 a month for comprehensive identity theft protection services, and get 30 days of free protection.

ITRC 2009 data breach study full of bad news

Thursday, June 25th, 2009

The Identity Theft Resource Center released the results this week of their most recent data breach study, an analysis of data breaches publicly reported so far this year. Little of the news is good, but two of the ITRC’s findings are especially alarming.

Perhaps the most disturbing discovery is that of the roughly 250 reported breaches, only one of the victims could say the stolen information was encrypted.

Almost every state has laws compelling entities to report data breaches, but apparently even the fear of public disclosure and bad publicity still isn’t enough to make businesses and other organizations protect the data they hold.

“It’s a dual problem here undeterred by law or common sense,” said Linda Foley, co-founder of the ITRC. “You’d think if all these organizations have to notify, that they would take some steps to make sure their data doesn’t get exposed in the first place.”

Another surprising finding is that employees are stealing records at the same rate as hackers. Together, the two types of attacks are responsible for 36.4% of the roughly 250 data breaches reported publicly this year as of June 12.

The only good news to be found in the study is that the total number of data breaches is down by roughly 30% from the same time last year when 342 breaches had already been reported.

Unfortunately, even that slight ray of sunshine is dimmed by the fact that at least 12 million businesses and consumers are affected by this year’s data breaches, and the total is probably far greater than that; fewer than half of the entities that reported breaches revealed the number of victims affected.

Study confirms need for LifeLock’s reliable identity theft protection

Wednesday, October 15th, 2008

A recent survey of 3,596 information technology professionals found that 79% of the organizations they represent have had at least one known data breach. The IT pros surveyed revealed even more shocking news: insiders were responsible for 75% of the data breaches, compared with the 1% of data breaches that were conducted by hackers.

“This study shows that both personal and corporate information is flowing out of the organizations entrusted with its confidentiality,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

Few companies notify customers of data breach

Thursday, October 9th, 2008

By now just about everyone you know has gotten the dreaded data breach letter: “Dear Customer, we regret to inform you we have become aware…” If you haven’t gotten this letter yet, that doesn’t mean your information hasn’t been exposed.

A recent survey of 300 companies by Logica, an information technology security firm, revealed that only 40% of the companies that experienced data breaches notified their customers. Only 50% of the companies notified police or other authorities. Only 30% of them gave their employees training on how to prevent or respond to data breaches.