The term ‘data breach’ entered the vocabulary of a large number of people in 2013. Whether consumers were victims of a data breach or saw it in the headlines, those who were unaffected by a breach were few and far between. This month, Javelin Strategy & Research released the results of their 2014 Data Breach Fraud Impact Report, and the results demonstrated that data breaches and the resulting fraud are no longer fringe issues. While data breaches and the related fields of identity theft and information security used to be known only to a relatively small number of technologically savvy individuals, the issue is now known to most Americans, whether or not they even know how to send an email.
The report, titled “Consumers Shoot the Messenger and Financial Institutions Take the Bullet,” looked at important questions that have certain implications for consumers and businesses alike.
One of these questions has become increasingly important: What is the relationship between data breaches and identity fraud?
“We’ve been tracking the relationship and it has gotten stronger every year,” said Al Pascual, senior analyst of fraud and security at Javelin Strategy & Research. “In 2010, if you were a victim of a data breach, there was a one in nine chance you would become a fraud victim. Now, as of 2013, it’s grown to a one in three chance.
“Overall, if a consumer is notified of a breach, they are at a considerably greater risk of suffering fraud within a 12-month period.”
At the Identity Theft Resource Center, we work with identity theft victims day in and day out; hence, this question is of great interest to us. We want to be able to tell consumers who call into our call center after receiving a data breach notification just what that means and how it may affect their life. Unfortunately, the picture we will need to portray to data breach victims is both bleak and confusing. Risks and results differ depending upon the type of data compromised. According to the report, data breach victims are almost eight times more likely to suffer from existing card fraud than those consumers who have not been a victim of a data breach. This frightening disparity jumps to an incredibly high level when one looks at the statistics of consumers who have had their Social Security numbers (SSN) compromised in a data breach. The report states that 9.1 percent of consumers who have had their SSN compromised in a data breach suffered a new account being opened using their personal information, as compared to 0.5 percent of those who had not had their SSN stolen.
Data breach notification is an important tool in helping consumers whose information has been stolen to prevent fraud. The restaurant or hotel industries came in with the highest levels of data breach notification, while the lowest level of notification came from large retail merchants, large online merchants and alternative payments providers. Because data breach notification is governed by state laws, with no federal version of a data breach notification law currently active, it is still hit and miss as to how well companies react to being breached. This is due in part to the high cost and reputational damage caused by a data breach. Those costs affect every party involved, not just the retailer. Financial institutions are impacted by costs associated with breaches, and even though many individuals will be able to work out existing card fraud, there is still a cost associated with the fraud resulting from victimization of data breaches. The report states that those who have credit card fraud resulting from compromised information end up with an out-of-pocket expense of $63 on average. Again, we see a more detrimental effect on those who have their SSN compromised, with their out-of-pocket expenses averaging $289.
While all of this sounds slightly terrifying, and it is, there are a few positive points brought forth in the report. One of these is that criminals are now committing fraud more frequently with existing card data as opposed to the use of Social Security numbers. The share of data breaches in which SSN data was compromised was only 14 percent in 2013, compared to 16 percent in 2012. While the drop is not large, this is a positive trend when you look at the implications of the two types of fraud. If a consumer’s card is compromised, they will face the difficulty of having the card replaced and the charges disputed. If the card is linked to a checking account and the criminals were able to obtain PINs, the fraud will be more troublesome, with funds perhaps being drained and unavailable to consumers for some time. However, this fraud will be linked to an account rather than to the individual themselves. When an SSN is stolen, the implications are lifelong difficulties for individuals, which cannot be prevented. Having an SSN stolen in a breach opens up an individual not only to financial identity theft, but medical, criminal and governmental, as well, and the near impossibility of changing an SSN leads to that individual dealing with the problem for the rest of their life.
The information gathered in Verizon’s 2014 Data Breach Fraud Impact Report shows that this is a problem that will continue to hinder efforts to thwart fraud for some time to come. However, the fact that such reports are looking at important questions which no doubt affect consumers throughout the world is a good start to understanding and solving the problems.
Eva Velasquez is president and chief executive officer of the .