From the press release of Javelin Strategy & Research:
“… nearly 1 in 4 data breach letter recipients became a victim of identity fraud, with breaches involving Social Security numbers to be the most damaging.”
If 1 in 4 become fraud victims, isn’t that even more reason to prohibit entities from writing things like, “We believe the risk is very low…” or “We believe that the laptop was stolen for the hardware, not the data” or “We are sending you this letter in an abundance of caution?” Instead, I think entities should be required to include a statement such as:
“Last year, over 12 million consumers became victims of ID fraud, and for those who had been notified of a breach involving their information, 1 in every 4 became a victim of ID fraud. We urge you to take this notification letter seriously to protect yourself.”
The finding that 1 in 4 become victims of ID fraud also raises the question, “When do they become victims of ID fraud – before they even receive the letter or after they receive it?” If the former, then even though companies are responding more quickly than in past years, what can we do to promote faster detection of breaches and/or even quicker notification? And if it’s the case that the 1 in 4 are becoming victims of ID fraud after they receive notification letters, then the letters aren’t effective in getting enough people to take steps to protect themselves. Javelin’s statement says:
“almost 1 in 4 consumers that received a data breach letter became a victim of identity fraud, which is the highest rate since 2010. This underscores the need for consumers to take all notifications seriously. Not all breaches are created equal. The study found consumers who had their Social Security number compromised in a data breach were 5 times more likely to be a fraud victim than an average consumer.”
I don’t know if the Javelin report has information on the timing of the fraud relative to the notification letters, but saying consumers need to take notifications seriously suggests that they had an opportunity or warning that could have prevented fraud and they didn’t act on it. Do we actually know that? I’ve e-mailed Javelin to ask if they have data on that point and will update this entry if I get a response.
Some of Javelin’s findings are consistent with the Risk Based Security/Open Security Foundation Quickview report, previously mentioned on this blog, while others aren’t:
While credit card numbers remain the most popular item revealed in a data breach, in reality other information can be more useful to fraudsters. Personal information such as online banking login, user name and password were compromised in 10 percent of incidents and 16 percent of incidents included Social Security numbers.
While our data on SSN were comparable at 14.4%, credit card numbers were exposed in only 6.4% of the 2,644 breaches we analyzed, whereas username and password were compromised in approximately half of all the incidents we compiled. In any event, I certainly agree that consumers need to take notification letters seriously.