IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

Cybersecurity & Consumer Data: What's at Risk for the Consumer?

Subcommittee on Commerce, Trade, and Consumer Protection
November 19, 2003
10:00 AM
2123 Rayburn House Office Building 

Mr. Joseph G. Ansanelli
Chairman and CEO
Vontu, Inc.
201 Spear Street, Suite 200
San Francisco, CA, 94105

My name is Joseph Ansanelli and I am the CEO of Vontu, Inc. Our company provides information security software to help organizations protect consumer data by monitoring for the inappropriate distribution of non-public personal information via the internet. I am honored to provide testimony on information security, consumer data and the risks for consumers. Identity Theft is the Risk for Consumers The FTC recently provided an excellent answer to the question "What's at Risk for the Consumer?" They estimate that approximately 10 million people in the last year alone were victims of Identity Theft. These victims reported $5 billion in out-of-pocket expenses and countless hours of lost time repairing their credit histories. In the last five years, almost 30 million people or 10 percent of the US population were victims of identity theft. Clearly, identity theft is what is at risk for consumers. Losing Consumer Trust is the Risk for Business This is not only a risk for consumers, but is a risk for business as well. As part of the same FTC report, the losses to businesses totaled nearly $48 billion.

Additionally, there is a risk that is not mitigated through insurance or other strategies - loss of consumer trust. Vontu recently commissioned a survey of 1000 consumers in the United States to better understand the effect that security of customer data has on consumer trust and commerce. Some of the findings include: Security drives purchasing decisions - More than 75 percent of consumers said security and privacy were important in their decisions from whom they purchase. Consumers will speak with their wallets - Fifty percent said that they would move their business to another company if they did not have confidence in a company's ability to protect their personal data. Insider theft increases concerns about a company's data security efforts - More than 50 percent of the consumers surveyed said an insider breach would cause them to be more concerned about how a company secures their information

Clearly, financial costs and loss of consumer trust, as a result of identity theft, are what is at risk for business. The question is how does cybersecurity play into these risks? The Insider - A Major Cause of Identity Theft While most security testimony has focused on the threats related to hackers breaking into computer networks from the outside, my remarks today will focus a new and growing security threat - insiders. The sad fact is that many identity thieves never have to break through a firewall. Their employer has issued them a username and password that gives them access to a virtual treasure trove of consumer data.

Everyday, companies throughout this country create and store millions of records that contain social security numbers, credit card numbers and other types of non-public personal information. At most of those companies, a significant percentage of employees have legitimate access to this data. This has created a potentially explosive combination of companies storing more consumer information and at the same time providing insiders with more access to that data.

Last year, the volatility of this combination made headlines. A customer service employee of Teledata Communications Inc. who had easy access to consumer credit reports allegedly stole 30,000 customer records. This theft caused millions of dollars in financial losses and demonstrates that even though any computer system can be hacked, it is much easier, and in many cases far more damaging, for information to be stolen from the inside.

Teledata is the single largest identity theft crime ever prosecuted. However, I am convinced that this kind of crime continues today, yet it often goes unrecognized. Insiders use their legitimate access to copy sensitive information and with a few clicks of their mouse, send it outside the company.

Law enforcement and regulators are also starting to raise the issue of the growing danger to consumers from insiders. Special Agent Tim Cadigan testified this summer that the Secret Service has assembled special teams to investigate the growing number of incidents where fraud rings enlist corporate employees in schemes to steal consumer information.

Mr. Howard Beales, Director of the Federal Trade Commission's Bureau of Consumer Protection, said in January that the FTC continues to see evidence that insiders were stealing consumer data at an increasing rate and using it to commit identity crimes. In September, the FTC reported that about a quarter of all consumers who knew that their information had been stolen believed that insiders were responsible.

Lastly, consumer credit information provider TransUnion recently issued a publicly available report stating that the top cause of identity fraud is now theft of records from employers or other businesses.

The problem of better protecting consumer data is no longer just an issue of keeping out the hacker but also one of ensuring that those with access to the data keep the information secure. Consumer Data Security Standard It is clear that we need new efforts to minimize this growing risk to consumers and businesses. However, I do not believe new government regulations alone can solve this problem. Instead, the right solution is to build a partnership of government and industry using both "the carrot and the stick".

To begin with, I suggest this committee develop a Consumer Data Security standard - possibly as part of the proposed Consumer Privacy Protection Act of 2003 (HR 1636). This standard would ensure a national, unified and standard approach to protecting consumer information and thereby stop one of the primary sources of identity theft. It should be self-regulating with oversight from appropriate agencies when problems arise and include a requirement for companies to: 1. Protect and ensure the confidentiality of all non-public personal information; 2. Detect potential misuse of consumer information; 3. Ensure compliance by its workforce with their data security policies; 4. Correct problems as they are discovered.

These requirements are similar to those required under Gramm Leach Bliley and HIPAA. Are the industries covered by these regulations unique in their need to protect personal data? It seems that any business that manages sensitive financial or other non-public personal information exposes consumers to identity theft. Whether it is providing your social security number when purchasing a mobile phone or using your credit card to buy groceries, you are exposing your personal information to theft - a cross-industry, unified approach is needed.

Additionally, this committee may want to make notification a part of this standard. In our survey, consumers said they wanted to be notified early and often when security and privacy violations occur. In fact, 80 percent said they want to be notified when companies are 75 percent sure that a violation has occurred.

This Consumer Data Security standard is the "stick" to ensure that there is a base level of responsibility for consumer data protection. Safe Harbor As mentioned earlier, a partnership between government and business is required to better protect consumer information. Unfortunately, today many of the current and proposed Federal and State regulations serve as a disincentive to proactively search for insider breaches or inappropriate disclosures of consumer information. For example, the risk of civil lawsuits or regulatory censure discourages some companies from going beyond what is considered a base requirement. Future legislation should include a regulatory "carrot" through a "safe harbor" to encourage companies to go beyond basic security requirements and aggressively pursue potential leaks of data without fear of severe penalties.

This approach of the "carrot and stick" would not only encourage most companies to adopt new consumer protections quickly, it would free limited government resources to concentrate on the most egregious violations of the standard itself. Additionally, this proposal would help to solve one of the unaddressed issues regarding Identity Theft in both of the current Fair Credit Reporting Act bills approved this year by the House and the Senate.

In closing, the increasing costs of identity theft coupled with consumers' increased demands for security protection are driving these issues to the top of the agenda for consumers, business and government. If more is not done by all parties involved with respect to protecting electronic information, the costs will continue to grow, potentially affecting the country's ability to expand its leading position in the world economy.

I hope these comments will prove helpful to the subcommittee as it continues its deliberations on improving consumer data security. I welcome the opportunity to continue working with you, and am happy to answer any questions you might have.

Thank you.

 

 

2003 Customer Information Trust Survey

Those organizations that sit on the highest perch when it comes to customer trust have the farthest to fall if they lose that trust according to the 2003 Customer Information Trust Survey commissioned by security technology innovator Vontu, Inc.

Consumers have the greatest amount of trust that companies within the health care industry have measures in place to protect personal information from identity thieves. Web retailers and retailers scored near the bottom in consumer trust in a ranking of 14 major industries. However, even the companies that scored well with consumers can face serious financial consequences if security breaches within their organization lead to a loss of consumer trust. Some of the major findings of the survey are:

  • Security is important in the purchasing decision. More than 75 percent of the consumers said security and privacy was important in their decisions from whom they purchase.
  • Not all security breaches are equal in the eye of the customer. More than 54 percent said security breaches by insiders or employees, now one of the fastest growing contributors to identity theft, would have the greatest impact on their trust in an organization.
  • Consumers choose with their wallets. Fifty percent said that they would move their business to another company if they did not have confidence in a company's ability to protect their personal data.

Vontu Information Trust Rankings*

Hospital or Clinic 82%
Pharmacy 79%
Bank 78%
Charity/Religious Org. 78%
Airlines 60%
Car Rental Company 53%
Utility 48%
Credit Card Company 47%
Cable Company 42%
Restaurants 42%
Hotels 41%
Web Retailers 41%
Retail Stores 38%
Grocery Store 25%

 

* The Vontu Information Trust Rankings rate 14 major industries based on the level of trust consumers surveyed said they had that these organizations would protect personal information from identity theft.

Two examples of the questions from the survey are:

  • How important is privacy and security to your purchasing decision?

Very important 19%
Important 57%
Not important 9%
Unsure/No Comment 14%

  • If an insider (such as an employee of the company) stole your data rather than an outsider (such as a computer hacker), would it change your answers to previous question about trust?

Yes - More concerned about insider 54%
Yes - Less concerned about insider 12%
No - No difference 17%
Unsure/No comment 18%

2003 Vontu Inc.