Author Archive

As promised when they announced that enforcement would be delayed until August 1st, the FTC has released a Red Flags Program template for low risk businesses.  It is a fairly simple template that does not negate any of the requirements of the Red Flags Rule such as implementing and updating the Program.  Of interest are the questions that the FTC asks to help you determine whether your business is low risk or not:

1. Do you know your clients personally?
2. Do you usually provide service at your customers’ homes?
3. Have you ever experienced an incidence of identity theft?
4. Are you in a business where identity theft is common?

Unfortunately, car dealerships are not at low risk of identity theft; in 2008, fraudulent identity data was used to establish about 3700 automobile loans or leases.

The template is a good starting point but is not terribly specific (”describe how you’ll update your program”) - understandable for a template intended for use in any type of business.  Having a Red Flags Program is only half the battle - you have to get it approved, conduct training, implement the program, and keep it up to date.  If you run an auto dealership, the Red Flags Identity Theft Prevention Program Toolkit is a faster, more complete solution for you.

This is the second time the Federal Trade Commission has delayed enforcement of the Red Flags Rule; it was originally scheduled to start enforcement on Nov 1st, 2008 but that was delayed until the following May 1st when the FTC realized that very few businesses knew about the rule.    The FTC’s press release.

The FTC responded to the American Medical Association’s stance that the Red Flags Rule should not apply to physicians and related health care providers.  That’s right - your trusty GP must have an Identity Theft Prevention Program.  In the FTC’s letter to the AMA, the FTC acknowledges that, yes, doctors take a confidentiality oath, and yes, there’s HIPAA, but that does not cover the “respond to and mitigate identity theft” provision of the Red Flags Rule.  In other words, they focus on two scenarios:

• The doc suffers a data breach and patient data is exposed when it shouldn’t be.
• A thief tries to someone else’s data to fool the doc, thus potentially exposing a real person to the perils of false entries in their medical records or false insurance billing.

To address these scenarios, the FTC suggests that for smaller doctors offices, which are presumably low risk, checking a drivers license and determining what to do if notified of identity theft involving the office would be sufficient.

BancInfoSecurity.com summarizes a study from the Fraud Management Institute. The article focuses on the cost of mailing address change confirmations (estimated at $300 million):

During the current financial crisis, it is critical for institutions to streamline and reduce costs and boost fraud prevention efforts, yet the survey shows that many are still doing address confirmation manually and spending much more time on ID Theft Red Flags Rule compliance that originally predicted by regulators.

FMI is absolutely correct about regulator disconnect on the time needed to comply with the Red Flags Rule.  From the text of the Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 (i.e., the Red Flags Rule):

The Agencies estimate the annual burden per respondent is 41 hours (25 hours to develop a Program, four hours to prepare an annual report, four hours for training, four hours for developing policies and procedures to assess the validity of changes of address, and four hours hours for developing policies and procedures to respond to notices of address discrepancy).

No way.  You can judge for yourself by reading the Red Flags Rule on the FTC’s web site, all 59 single-spaced pages of it.  Further, the estimate does not include actual implementation time - the time it takes to do the checks, keep abreast of methods of identity theft, update the program accordingly, etc.

And the training time estimate is ludicrous.  It takes longer than four hours for a single competent trainer to prepare for a class.  In a typical business, if I want to get funding for a project, I would have to submit an analysis that includes time x labor costs.  If I have a hundred employees who need to be trained for four hours, the burden is four hundred hours, not four.  If I am an auto dealership, the cost of having my sales force off the floor for half a day is certainly significant.

The Providence Journal has a story about a proposed identity theft law in Rhode Island:

The new law, if enacted, would require companies to take reasonable steps — shredding or erasing — to make sure that sensitive information is indecipherable. Such information includes Social Security numbers, passports, bank accounts and drivers’ license numbers.

Businesses found not in compliance would be subject to civil penalties ranging from $500 to $50,000.

The story is notable for its lead-in:

Attorney General Patrick C. Lynch is going after “Dumpster divers,” those bottom-feeding scoundrels who are often involved in identity theft.

Actually, it sounds like he’s is going after businesses; there is nothing further in the article about the people who actually commit identity theft related crime.  Lynch cites a recent settlement with CVS/Caremark for $2.5 million for violating HIPAA regulations regarding proper disposal of customer medical and financial information, and a two-year old dumpster diving case, as proof that additional laws are needed.

The Disposal Rule does not already cover this?  Or the Red Flags Rule?  Or the Safeguards Rule?  Lynch does not mention that in the CVS case, not only did the company settle with the Dept of Health and Human Services for $2.5 million, but they were also prosecuted by the FTC:

The FTC’s complaint charges that CVS Caremark failed to implement reasonable and appropriate procedures for handling personal information about customers and employees, in violation of federal laws. In particular, according to the complaint, CVS Caremark did not implement reasonable policies and procedures to dispose securely of personal information, did not adequately train employees, did not use reasonable measures to assess compliance with its policies and procedures for disposing of personal information, and did not employ a reasonable process for discovering and remedying risks to personal information.

Wired Magazine reports on the Security Breach Notification seminar in Berkely.  I’m glad somebody is asking this question.  From the article:

It’s clear that the laws have made the public more aware of breaches and the vulnerability of their data, and have exposed poor security practices at many businesses. A 2005 study by the FBI showed that in the absence of a legal requirement to report breaches, only 20 percent of firms would report serious breaches to law enforcement.

…

As notifications have become more ubiquitous — 55 percent of respondents in a survey by the Ponemon Institute last year said they’d received two or more notices within 24 months — many consumers have become inured to them, simply tossing them in the trash rather than acting on them to protect their identity.

The article also links to a study by Alessandro Acquisti of Carnegie Mellon University.  From the summary:

We find no statistically significant effect that [breach notification] laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce.

The study goes on to state that there may be various data quality or quantity reasons for that finding (and ultimately recommends a federal breach notification law to aid in research efforts and reduce conflict among state laws).  The study also cites Javelin Research’s finding that 90% of the cost of identity theft and fraud falls on businesses - merchants, credit card companies, banks - and therefore consumers may not be harmed as much as thought.

Here is an Identity Theft Article from the Phoenix Business Journal, notable for a good quote from Identity Theft 911’s Eduard Goodman:

“Businesses need to treat personal identifiable information like they would money,” Goodman said. “You wouldn’t leave cash lying around.”

Simple, easy to remember, and accurate.  Your employees eyes will glaze over when you start talking about FACTA and the FTC during Red Flags Training, so why not use that analogy before you get to the boring stuff?

RedFlagsMadeEasy has launched a logo design contest on 99Designs and will be accepting entries from graphic artists until February 27th (7:17pm GMT).   Read the design brief and join the contest here!

What if, as part of your strategy to Prevent and Mitigate Identity Theft, you make a business decision to downplay an incident that occurs at your company?  Heartland Payment Systems announced on Jan 20th that they had been hacked by an apparently “global cyber fraud operation”.  Based on the timing of the announcement (inauguration day) and their press releases, they made a clear decision to do exactly that:

• Heartland’s initial press release, from January 20th, is subtitled in bold, “No Merchant Information or Cardholder Social Security Numbers Compromised”.   There is no reason for a payment processor (as opposed to a creditor) to have SSNs; this is akin to announcing that they were hacked, but the Statue of Liberty is still standing.

• They also list a number of items that definitely weren’t compromised - PINs, addresses, etc.  And conversely, they go to some lengths to avoid saying what data was breached.  If they know what wasn’t compromised, then they know what was compromised, but they don’t disclose it.

• They say that they were notified by Visa and MasterCard of “suspicious activity surrounding processed card transactions” rather than detecting the breach internally at first.  Does “suspicious activity surrounding processed card transactions” mean fraudulent charges were appearing on credit cards that had been through their processing system?

• Also from the Jan 20th press release, they had brought in forensic auditors who discovered malware that compromised data “that crossed Heartland’s network” - as opposed to malware installed on Heartland’s network?

• In their next press release, on Jan 23rd, Heartland finally admits, in a roundabout way, that credit card numbers were breached.  “Heartland does not yet know how many card numbers were obtained.”

• On January 26th, Heartland CEO Robert Carr issued a letter that (finally!) included this:

Potentially exposed through this breach are card numbers, expiration dates and other data from the card’s magnetic stripe. In a small percentage of cases, the cardholder name of your customers who used a credit or debit card in your store during part of 2008 may also have been exposed.

Since Heartland processes $55 billion dollars worth of transactions a year (per their Dec 2007 annual report), this is not a small breach.

Heartland President and CFO Robert Baldwin conducted interviews that were somewhat more informative.  With Brian Klebbs, who blogs on security issues for the Washington Post, Baldwin provided more detail:  “”The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” Baldwin said. “At this point, though, we don’t know the magnitude of what was grabbed.”  One thing that jumps out from the Klebbs interview, though:

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

“The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address,” Baldwin said. As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants “is not impossible, but much less likely.”

Whoever has the names and numbers can figure out how to do a bulk query on a name and address database, especially if they have the terminal (point of sale) location and can narrow it down by city.  Also, Heartland does not say one way or the other whether the credit card security codes were accessed.

Business Decision to Downplay Impact

Heartland has known about the breach since late October and clearly made an effort to downplay it.  Was this a good decision?  Certainly Carr and Baldwin have a responsibility to their company, their shareholders,  and their customers to not incite a panic.  And they are correct when they point out that credit card customers are not liable for fraudulent charges as long as they report them in a timely manner.

There are two problems, though.

First, Heartland has downplayed the impact to the point where it appears that they’re trying to totally obfuscate it.   Somebody is going to pay for fraudulent charges - the banks, the credit card companies, the merchants - and it would have been helpful for Heartland to say, in their first press release, exactly what data was breached and from what dates.  In fact, there has already been a class-action suit brought against them alleging, among other things, that Heartland “made unreasonably belated and inaccurate statements concerning the breach.”

Second, Heartland’s image and marketing efforts are built around reliability, trust, and transparency.  But their response to this crisis has been neither timely or accurate.  Their company motto, embossed on their logo, is “The highest standards.  The most trusted transactions.”  Heartland’s home page boasts about “peace of mind”.  And in Heartland’s second press release on the 23rd, they continue to assert this while providing absolutely no information that could be considered helpful to consumers, banks, or merchants:  “Our record of candor…is highly valued,” according to Carr.  Not so much, anymore.

Related Articles

BancInfoSecurity’s roundup coverage of the Heartland breach and its aftermath.  Gets a gold star for best and most thorough coverage.

AP News Article on the breach.  It appears AP just copied the press release for the most part, but it’s notable for saying Heartland “asserted that merchant and customer data were not affected,” in one sentence and “the only information breached were card numbers and cardholders’ names” in another.

Information Week Interview with Heartland President Robert Baldwin

Information Week Blogger George Hulme also takes issue with Heartland’s lack of forthrightness.

Anthony Freed wonders if Heartland waited so long because Carr was busy dumping stock.  One of the side effects of a perceived lack of candor.

Evan Schuman of Storefront Backtalk writes about the technical aspects of the breach.

UPDATE 2/17/09

Infoweek follow up.  Three men were arrested in Tallahassee for using some of the credit card data.  From the Tallahassee’s Sheriff’s Office press release:

“…it was determined that Acreus, Frazier and Johns have been using stolen credit card numbers to electronically encode VISA Gift Cards which were then used to make fraudulent purchases at local businesses, including several Tallahassee Wal-Marts. The group would then sell the fraudulently obtained merchandise for cash. The stolen credit card numbers utilized by the group were stolen in an international computer hijacking of records from the Heartland Processing Center in New Jersey. The total actual and declined fraudulent transaction in Leon County is currently in excess of $100,000. This amount is expected to be much higher as this investigation continues.”

It looks like whoever hacked Heartland sold the data to other thieves - I assume, maybe incorrectly, that the people going into WalMart are not the same people who planted the malware.  It will be interesting to see what further arrests happen as this plays out.

The city of Sallisaw rolled out their Red Flags Program and issued a public announcement about it so their customers know what to expect. (While municipalities are not subject to the Red Flags Rule, utilities are).

Before rolling out your program, take a page from Sallisaw’s book and make every effort to set customer expectations in advance.