
‘Protect, Detect, Respond’

Keeping clients safe from identity theft

By Tracy Barbour

Identity theft is one of the fastest-growing crimes in America, and it’s the number one complaint reported to the Federal Trade Commission. Personal identity theft involves using another person’s name and other personal information to steal his or her persona and financial security.

Identity thieves often use a stolen Social Security number to open accounts in someone else’s name and make purchases using that person’s good credit. The perpetrators typically have invoices and bills sent to a phony address—generally a post office box number—so unsuspecting victims often don’t discover the crime for years. Usually, identity theft victims become aware of the problem only when they receive bills for goods and services they didn’t buy, notice suspicious bank account withdrawals, or detect new accounts they didn’t open on their credit report.

Thankfully, identity theft is less prevalent in Alaska than in the Lower 48. Alaska ranks favorably—40th out of 50—in a national comparison of identity theft reports compiled in 2017 by the Federal Trade Commission, according to Assistant Attorney General Cindy Franklin of the Alaska Department of Law’s Consumer Protection Unit. However, identity theft is a devastating crime, she says, adding: “Alaskans can spend years cleaning up the mess made by an identity thief, and the frustration level with this crime is off the charts. Whether it is theft of personal identifying information or business identities, identity theft is a high priority for the AG.”

Legal Protection

Consumers are covered by a number of federal and state laws designed to safeguard their private information. For example, a key protection at the federal level is covered by the Gramm-Leach-Bliley Act. In addition to reforming the financial services industry, the act addresses concerns relating to consumer financial privacy. It includes a Privacy of Consumer Financial Information Rule that requires financial institutions and certain other businesses to notify customers about their information-sharing practices. They also must inform customers about their right to “opt out” if they don’t want their information shared with certain third parties.

Assistant Attorney General Cindy Franklin, AK DOL Consumer Protection Unit (photo: AK DOL Consumer Protection Unit)

At the state level, the Alaska Personal Information Protection Act is designed to protect the “personal information” of Alaska consumers. Personal information includes information on an individual that is not encrypted and consists of the individual’s name and one or more of several other pieces of information including a Social Security number, driver’s license number, account number, password, or other access codes.

Passed in 2009, the Alaska Personal Information Protection Act requires businesses and government agencies to expeditiously notify people if their personal information has been compromised. It also restricts the use of Social Security numbers and requires records containing personal information to be destroyed as soon as it is no longer needed. In addition, the law allows individuals to place a security freeze on their credit report, which can prevent a third person from accessing their credit report. And it enables people to petition the court for a declaration of factual innocence after identity theft—if the perpetrator was arrested, cited, or convicted of the crime.

The reporting of breaches by information collectors is a serious matter, according to Franklin. Case in point: Alaska was recently part of the multi-state, multi-million-dollar settlement with ride-sharing giant Uber, which failed to report for a year that its drivers’ personal information was compromised in 2016. “We encourage reporting of identity theft through our consumer complaint process,” she says.

Attacks on Major Entities

When it comes to thwarting identity theft, individuals can take steps to protect themselves by not clicking links or opening attachments from unknown sources and by using unique, complex passwords. For businesses, however, rapidly growing threats to employee and client information include ransomware, crypto mining, and spear phishing attacks.

Corporate data breaches are happening nationwide—even to the largest entities. For instance, on July 29, 2017, national credit reporting bureau Equifax notified the public about the improper access of consumer information that included names, Social Security numbers, birth dates, addresses, and driver’s license numbers. Credit card numbers and credit report dispute documents were also accessed. Ultimately, the data breach resulted in a class action lawsuit—which included two Alaskans—that sought a permanent injunction against Equifax, a full review of its data security procedures, and restitution to the millions of Americans affected.

Even tech giants like Apple and Amazon allegedly became the targets of hackers. According to a Bloomberg report, Chinese operatives surreptitiously installed tiny microchips onto the Supermicro server motherboards being supplied to dozens of US companies—including Amazon and Apple—in an effort to spy on them. Apple and Amazon officially denied being victims of the microchips.

In Alaska, there have been a number of attacks aimed at stealing information. For example, Seattle-based Alaska Airlines was hacked in December 2016, shortly after it acquired Virgin America. A malicious threat actor known to the US Defense Department abused a loophole in Virgin’s security to gain access to the system, according to Avionics International. Resolving the issue cost Alaska Airlines $2.5 million in aggregate and three months—plus, employee information might have been compromised.

In 2015, GCI was also the target of a significant attack. A file containing names and Social Security numbers of employees who worked for GCI as of June 30, 2015, was swiped by an employee of a GCI contractor, the Siegfried Group. All employees of the company at that time—2,200 to 2,300 people in Alaska and the Lower 48—were affected. However, there was no evidence that the Siegfried Group employee disclosed the information to third parties or otherwise used the information for illicit purposes, according to a written statement from GCI.

GCI is constantly and proactively assessing and responding to security risks, says Information Security Officer Michael Strong in a recent interview. While GCI’s IT and network systems were not hacked in the Siegfried Group-related incident, the incident did have an impact on the company. “The issue with the Siegfried Group’s contractor didn’t directly cause us to make changes, but rather it caused us to accelerate projects that were already in progress,” Strong explains.

Recently, Alaska has been hit by business identity theft, Franklin says. The crime occurs when a business identity (corporation or LLC) maintained by the Division of Corporations, Business, and Professional Licensing is stolen by someone entering the online database and filing a report that changes the ownership from the actual owners to themselves or their shell companies. “Because businesses rarely revisit the site other than to file biennial reports, it can be years before the theft is discovered,” she says. “The thief uses the business identity to get credit or for other nefarious purposes.”

How to Protect Information

So what steps do companies need to take to protect the sensitive information of their employees and customers to minimize identity theft?

First and foremost, Franklin says, they should carefully review their credit report. Because identities—both personal and commercial—are stolen primarily to get or use credit cards or bank accounts, a credit report will provide the best picture of whether an identity is being misused.

Business owners should also check the Corporations, Business, and Professional Licensing database in every state in which their company is registered, Franklin says. And they should do so at least quarterly, as most state business registration portals—like Alaska’s—are open portals that allow anyone to file a report on behalf of the business. “The person making any changes certifies under oath as to their authority to do so,” she says. “For this reason, businesses should periodically check their registrations to make sure that all ownership and member information is in order. This serves the dual purpose of making sure businesses do not slip up on any required reporting or updates.”

The first step to protecting information, Strong says, is so basic that many companies forget to consider it. He explains: “Only ask for the information you truly need, only store it for as long as it’s needed, and then securely destroy it.”

However, once a company has sensitive information to protect, no single protective measure is sufficient. “You need multiple tiers of protection, or what’s known in the cybersecurity industry as ‘defense in-depth,’” he says.

Michael Strong, Chief Information Security Officer, GCI (photo: GCI)

The complexity of securing business systems and protecting company data is growing daily; the threats are constantly evolving and the attacks are relentless. Consequently, businesses should enlist the aid of experts to effectively address security issues, Strong says. He adds: “If we look at other aspects of running a company, businesses employ professionals to help them with their accounting and taxes, and now it’s reached a point where companies should look to engage dedicated or external security expertise for help. I don’t expect my dentist or accountant to be able to protect the data I provide them without help from a security professional.”

Steve Gebert, director of enterprise security at Alaska Communications, also thinks that companies should collect the least amount of personal information possible from customers and employees. He says, “They should not gather information the company does not need to have, which can greatly lower risk exposure.”

Once a company has personal information in its possession, it must protect it and have proper data-handling rules in place for how the data is accessed and controlled. For example, access should be highly restricted, and the data should be encrypted at rest and in transit. Gebert explains: “Businesses should restrict access to only necessary employees. Information classification—which tags different types of information and flags it as critical—allows systems to handle sensitive data differently. Businesses should have data loss prevention systems in place and regularly scan email servers looking for signs that sensitive data may have been exfiltrated from the network.”

Protecting customer information should be highest on all companies’ priority list, Gebert says. For this reason, employees of Alaska Communications do not have access to its customers’ credit card information. Also, the company uses a third-party service to house credit card information, which lowers its risk exposure. “Credit card providers, like VISA and MasterCard, are increasingly tightening the criteria required for companies to process their cards,” Gebert says. “Businesses need to tighten up how they handle credit card data to be compliant.”

When it comes to protecting information from employees who may seek to misuse customers’ information, Strong advises starting with the basics. “Establish a clear corporate policy that sets expectations of how confidential data and private client information can be used and the consequences for misuse,” he says.


Franklin says businesses should invest in credit card readers that block all but the last four of credit card numbers, both on the readers and receipts. This protects consumers and the employees. She points out that all businesses that collect combinations of information listed in the Alaska Personal Information Protection Act are obligated to report breaches, including an employee taking the information. “For this reason, businesses should have policies requiring employees to report inadvertent disclosure [such as emailing a Social Security number] and prohibiting the intentional taking of information,” she says. “Shredders should be available and their use should be required if paper forms or information is collected. Finally, encryption should be used on electronic transmission. A combination of technology and good old-fashioned supervision is the best protection.”
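Gebert’s advice above to scan email for sensitive data leaving the network, and Franklin’s advice to show only the last four digits of a card number, can both be illustrated with a small detection routine. The following Python is an added example written for this article, not code from GCI, Alaska Communications, or the Alaska Department of Law; the regular expressions, the Luhn filter, and the sample messages are all constructed assumptions, and the card pattern covers only the common 4-4-4-x digit grouping. It flags Social Security numbers and Luhn-valid card numbers in a batch of outbound messages and emits a masked copy that keeps only the last four digits, which is the form a reviewer or a receipt should see.

```python
"""Added example (not from the article): a minimal DLP-style scan for SSNs and
payment card numbers in message text, with last-four masking of each finding."""
import re
from typing import Dict, List, Tuple

# Assumed patterns; production DLP rules are broader and tuned per data source.
# SSN: 3-2-4 digits with dashes, excluding area numbers 000, 666, 900-999.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card number in 4-4-4-x grouping (13 to 19 digits), separators optional.
PAN_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{1,7}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out tracking and order numbers that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_last_four(value: str) -> str:
    """Replace every digit except the last four with '*', keeping separators intact."""
    total_digits = sum(ch.isdigit() for ch in value)
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total_digits - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def scan_line(line: str) -> Dict[str, object]:
    """Return the findings (kind, raw value) for one line plus a masked copy of it."""
    findings: List[Tuple[str, str]] = []
    for m in SSN_RE.finditer(line):
        findings.append(("ssn", m.group()))
    for m in PAN_RE.finditer(line):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("pan", m.group()))
    masked = line
    for _, value in findings:
        masked = masked.replace(value, mask_last_four(value))
    return {"line": line, "findings": findings, "masked": masked}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Scan a batch of messages and keep only those that contain sensitive data."""
    return [r for r in (scan_line(l) for l in lines) if r["findings"]]


# Constructed sample messages: one card number, one SSN, one phone number,
# and one tracking number that has the right shape but fails the Luhn check.
SAMPLE_MESSAGES = [
    "Please process the refund to card 4111 1111 1111 1111 for J. Doe.",
    "New hire paperwork: SSN 123-45-6789, start date Monday.",
    "Call me back at 907-555-0123 about the invoice.",
    "Tracking number 1234 5678 9012 3456 shipped today.",
]

if __name__ == "__main__":
    for result in scan(SAMPLE_MESSAGES):
        kinds = ", ".join(kind for kind, _ in result["findings"])
        print(f"[{kinds}] {result['masked']}")
```

The Luhn filter is what keeps the third and fourth sample lines out of the alert queue: a phone number never fits the card pattern, and the tracking number matches the shape but fails the checksum. Reviewers only ever see the masked text, so triaging an alert does not itself spread the card number or SSN further.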

A Broad Data Security Strategy

Strong says businesses need to truly understand how their private client information is being gathered, how it flows through the company, where it is stored and for how long, and when it finally gets destroyed. “Then look at how you protect the information along each step, physically securing it and encrypting electronic data,” he says. “Also, don’t forget to think about how you securely dispose of the information. Don’t sell a server or laptop without first securely wiping [data from] the device or rendering the device unusable.”

The emphasis on preventing identity theft often centers on digital data, but it’s equally essential to protect information that’s printed on hardcopies. It’s important to remember how much paper is still used in business, Strong says, and any physical record containing sensitive information needs to be tightly and securely managed. “We don’t want our personal information left on printers in a doctor’s clinic or left out overnight where unauthorized eyes can read it. So we can’t focus solely on the digital information, we must still consider the physical information.”

Strong urges companies that are dealing with identity theft and other data security issues to seek professional assistance—just like they do for tax advice. “Security threats are so complex and evolving so quickly that companies either need dedicated security professionals or should engage expertise from outside companies,” he says.

Gebert encourages businesses to think of security as layers of an onion. Locks and controls are just one layer of defense-in-depth on the onion, he says, adding: “Other needed layers include firewall protection, education of users, encryption at rest and in transit, strong credentials and two-factor authentication, network segmentation, data tagging for data classification, strict governance, and security around passwords and credentials. Companies cannot depend on just one layer of the onion to protect their data.”

Without a cybersecurity strategy even the smallest businesses are at risk. Companies must invest in technologies that minimize the attack surface and reduce exposure to that data, such as encryption, firewalls, and segmentation, Gebert says. Security awareness is also critical to protecting sensitive data. Employers should host recurring and frequent training to keep security awareness at the forefront of employees’ minds.

Security, Gebert says, is everyone’s business and responsibility. Everybody in the company should be concerned and educated about security and protecting themselves, their company, and customers. He adds, “Businesses must have plans in place to protect, detect, and respond.”

Consumers—whether employees or customers—who fall victim to identity theft can turn to IdentityTheft.gov, a one-stop resource from the federal government. The site provides streamlined checklists and sample letters to guide victims through the recovery process.