<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Kroll Fraud Solutions Blog - A Dialogue on Data Security</title>
	<atom:link href="http://www.krollfraudsolutionsblog.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.krollfraudsolutionsblog.com</link>
	<description>A Dialogue on Data Security</description>
	<lastBuildDate>Fri, 27 Aug 2010 20:04:02 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Security, Awareness Are Key to Transitioning Consumers to Mobile Financial Services</title>
		<link>http://www.krollfraudsolutionsblog.com/2010/08/security-awareness-are-key-to-transitioning-consumers-to-mobile-financial-services/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2010/08/security-awareness-are-key-to-transitioning-consumers-to-mobile-financial-services/#comments</comments>
		<pubDate>Fri, 27 Aug 2010 20:04:02 +0000</pubDate>
		<dc:creator>krolladmin</dc:creator>
				<category><![CDATA[Data Security Issues]]></category>
		<category><![CDATA[Citigroup]]></category>
		<category><![CDATA[KPMG survey]]></category>
		<category><![CDATA[MFS]]></category>
		<category><![CDATA[mobile banking]]></category>
		<category><![CDATA[mobile financial security]]></category>
		<category><![CDATA[mobile security flaw]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=418</guid>
		<description><![CDATA[Earlier this summer, Citigroup Inc. announced that they had discovered a security flaw in their mobile banking application for iPhone. The flaw caused users’ data to be saved directly onto the phone in a hidden file, and was fixed with an update release. They notified more than 110,000 affected users, pointing out specifically that this [...]]]></description>
			<content:encoded><![CDATA[<p>Earlier this summer, Citigroup Inc. <a href="http://www.reuters.com/article/idUSN2622068620100726" target="_blank">announced</a> that they had discovered a security flaw in their mobile banking application for iPhone. The flaw caused users’ data to be saved directly onto the phone in a hidden file, and was fixed with an update release. They notified more than 110,000 affected users, pointing out specifically that this was not a breach of data – according to their statement, “we have no reason to believe that our customers’ personal information has been accessed or used inappropriately by anyone; i.e., there has been no data breach.”</p>
<p>Regardless of their assessment, this incident should be a wake-up call to financial institutions hoping to implement mobile financial services (MFS). Security is a main concern for mobile banking users – according to a <a href="http://www.us.kpmg.com/RutUS_prod/Documents/8/mobile-banking-2010.pdf" target="_blank">2010 survey</a> by audit, tax and advisory firm KPMG LLP, some 54 percent of consumers surveyed said they were very concerned about security when using a mobile device. Although this percentage is actually down from their 2008 survey, it is still an indication that security is a top-of-mind issue.</p>
<p>The Citigroup incident is considered to be one of only a handful of known security events concerning MFS in the US, but there will surely be more. In light of the recession and the difficulties faced by the financial services industry, MFS is currently eyed as a potential area of growth that can attract new customers and build current customer loyalty. And yet, MFS is growing in the US at a much slower pace than in other parts of the world, such as Africa, India, or China. The success of online personal banking services has also served to limit interest in implementing mobile services.</p>
<p>Now is the time to take control of this issue, and meet security challenges head on. Success really does depend, at least in part, on communicating security efforts to consumers, as well as educating them on ways to keep their information safe. If the KPMG survey is any indication, education is half the battle – nearly half the US respondents indicated they didn’t even know if their bank offered any sort of mobile service. Taking a holistic approach now by incorporating fraud prevention tools and access controls and establishing clear and simple disclosure statements will go a long way toward mitigating future risk.</p>
<p>By <a href="http://www.krollfraudsolutionsblog.com/jeremiah-miller/" target="_self">Jeremiah Miller</a><strong><br />
</strong>Director of Operations, Investigation and Restoration Center, Kroll Fraud Solutions</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2010/08/security-awareness-are-key-to-transitioning-consumers-to-mobile-financial-services/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CPNs: The old scam with a new twist may become easier to combat &#8211;  Part 3</title>
		<link>http://www.krollfraudsolutionsblog.com/2010/08/cpns-the-old-scam-with-a-new-twist-may-become-easier-to-combat-part-3/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2010/08/cpns-the-old-scam-with-a-new-twist-may-become-easier-to-combat-part-3/#comments</comments>
		<pubDate>Fri, 20 Aug 2010 20:31:34 +0000</pubDate>
		<dc:creator>krolladmin</dc:creator>
				<category><![CDATA[Identity & Data Theft Scams]]></category>
		<category><![CDATA[child social security numbers]]></category>
		<category><![CDATA[CPN]]></category>
		<category><![CDATA[ID theft]]></category>
		<category><![CDATA[id theft of minors]]></category>
		<category><![CDATA[identity theft scams]]></category>
		<category><![CDATA[privacy issues for minors]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=410</guid>
		<description><![CDATA[Problems like the theft or misuse of a child’s Social Security Number (SSN), whether through the use of a CPN or some other means, can often raise questions about child identity theft. Unfortunately, our Licensed Investigators have seen and heard a lot of advice that we consider to be incorrect, or at the very least, [...]]]></description>
			<content:encoded><![CDATA[<p>Problems like the theft or misuse of a child’s Social Security Number (SSN), whether through the use of a CPN or some other means, can often raise questions about child identity theft. Unfortunately, our Licensed Investigators have seen and heard a lot of advice that we consider to be incorrect, or at the very least, misleading. We’d like to share a few insights regarding some of the questionable statements about child identity theft that we’ve come across:</p>
<p><strong>1.      Myth: A child may never be able to repay the debts that are created by the identity thief.</strong></p>
<p><strong>Fact:</strong> Children (and adults) should never be required to pay the debts created by an identity thief – they should dispute the accounts and not agree to pay anything they did not authorize. Although sometimes tedious, these dispute processes are in place to allow the victim to prove the debt is the result of identity theft, and have it disassociated from his or her credit report and eventually removed from the credit history.</p>
<p><strong>2.      Myth: Visit annualcreditreport.com to find out if a credit file exists for your child.</strong></p>
<p><strong>Fact:</strong> Even if a credit report does exist because your child is a victim of identity theft, a parent will not be able to obtain the credit report there or at any other website. The parent will be asked to provide demographic information and answer questions about credit history – and will only know the authentic details for the child. He or she will not know the address, date of birth, or any account information likely used by the thief to create a synthetic identity – that is, one made of components from various identities.  Merely entering the child’s accurate information won’t help, because once the information is entered, the parent will be advised immediately that credit reports do not exist for children under 18, and to contact the credit bureau if they believe there is a problem.</p>
<p><strong>3.      Myth: Always contact the bureau directly to inquire whether your child has a credit file.</strong></p>
<p><strong>Fact:</strong> There’s a little bit of a gray area here. Parents are urged by the bureaus to contact them in writing to seek more information if they believe there may be a problem. Unfortunately, there is a concern that checking for the existence of a file could potentially create a file for the child if one does not already exist. Kroll recommends checking with the bureaus only when there is evidence that the child is already a victim.</p>
<p><strong>4.      Myth: A credit file automatically exists when someone turns 18.</strong></p>
<p><strong>Fact:</strong> While it is true that you have to be at least 18 before you can apply for credit, age has nothing to do with the creation of a credit file; a 50-year-old person who has never financed any purchase will not have a credit file.</p>
<p>by <a href="http://www.krollfraudsolutionsblog.com/charlotte-rose/" target="_self">Charlotte Rose</a><br />
CIPP  Senior Investigator, Kroll Fraud Solutions</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2010/08/cpns-the-old-scam-with-a-new-twist-may-become-easier-to-combat-part-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CPNs: The old scam with a new twist may become easier to combat &#8211; Part 2</title>
		<link>http://www.krollfraudsolutionsblog.com/2010/08/cpns-the-old-scam-with-a-new-twist-may-become-easier-to-combat-part-2/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2010/08/cpns-the-old-scam-with-a-new-twist-may-become-easier-to-combat-part-2/#comments</comments>
		<pubDate>Wed, 18 Aug 2010 18:53:34 +0000</pubDate>
		<dc:creator>krolladmin</dc:creator>
				<category><![CDATA[Identity & Data Theft Scams]]></category>
		<category><![CDATA[CPN]]></category>
		<category><![CDATA[id theft of minors]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[identity theft scams]]></category>
		<category><![CDATA[ITRC]]></category>
		<category><![CDATA[SSN]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=407</guid>
		<description><![CDATA[As we explained in yesterday’s post, the use of the so-called CPN that’s tied to a new SSN poses significant dangers to the victim, particularly if he or she is a minor. One of the reasons minor identity theft is so difficult to deal with is because it’s generally not caught until the child turns [...]]]></description>
			<content:encoded><![CDATA[<p>As we explained in yesterday’s post, the use of the so-called CPN that’s tied to a new SSN poses significant dangers to the victim, particularly if he or she is a minor. One of the reasons minor identity theft is so difficult to deal with is because it’s generally not caught until the child turns 18, which is usually the first point at which they apply for some type of credit. A thief can use the number for many years and pile up significant debt because of this. It’s also very difficult for lenders and other financial institutions to catch this type of crime, because there’s no existing credit file associated with the child’s SSN. In fact, there is no easy way to determine with certainty that any particular SSN actually belongs to a minor, although that may be changing.</p>
<p>The Identity Theft Resource Center (ITRC) <a href="http://www.idtheftcenter.org/artman2/publish/m_press/Childs_SSN.shtml" target="_blank">recently issued a press release</a> that describes a proposed database called Minors 17-10 Database to be created by the Social Security Administration and used by the national credit reporting agencies to identify SSNs issued to minors up to 17 years and 10 months of age. So, when a creditor tries to pull a credit history associated with the SSN of someone in the Minors 17-10 database, they will receive notification that the SSN was issued to someone who is currently a minor.</p>
<p>Kudos to the ITRC for proposing such a tool. Although it won’t completely prevent the unauthorized use of a minor’s SSN (credit can be issued without review of a credit report and a thief can use an SSN for numerous purposes other than credit), it seems likely to reduce incidents where credit is issued to someone using a minor’s SSN. It remains to be seen if it will be developed and used. In the meantime, financial institutions must make employees aware of this scheme if they haven’t already done so – after all, Minors 17-10 is not currently available for use, so what you receive from the credit bureau may in fact be a segregated file created through the use of a CPN. What efforts are being taken by credit issuers now? Are employees trained to recognize “red flags” related to the composition of the nine-digit number that might indicate the applicant’s identity warrants further verification?</p>
<p>by <a href="http://www.krollfraudsolutionsblog.com/charlotte-rose/" target="_self">Charlotte Rose</a><br />
CIPP  Senior Investigator, Kroll Fraud Solutions</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2010/08/cpns-the-old-scam-with-a-new-twist-may-become-easier-to-combat-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CPNs: The old scam with a new twist may become easier to combat &#8211; Part 1</title>
		<link>http://www.krollfraudsolutionsblog.com/2010/08/cpns-the-old-scam-with-a-new-twist-may-become-easier-to-combat-part-1/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2010/08/cpns-the-old-scam-with-a-new-twist-may-become-easier-to-combat-part-1/#comments</comments>
		<pubDate>Tue, 17 Aug 2010 19:14:46 +0000</pubDate>
		<dc:creator>krolladmin</dc:creator>
				<category><![CDATA[Identity & Data Theft Scams]]></category>
		<category><![CDATA[CPNs]]></category>
		<category><![CDATA[credit repair]]></category>
		<category><![CDATA[EINs]]></category>
		<category><![CDATA[id theft of minors]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[identity theft scam]]></category>
		<category><![CDATA[IRS]]></category>
		<category><![CDATA[SSN theft]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=400</guid>
		<description><![CDATA[A recent story by the Associated Press (AP) details a purportedly new identity theft scam involving “dormant” Social Security numbers (SSNs)—that is, numbers issued but not yet used for credit purposes. The article explains that so-called businesses, generally under the guise of a credit repair organization, sell these numbers by calling them credit privacy numbers [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://news.yahoo.com/s/ap/20100802/ap_on_bi_ge/us_credit_fraud_children" target="_blank">A recent story</a> by the Associated Press (AP) details a purportedly new identity theft scam involving “dormant” Social Security numbers (SSNs)—that is, numbers issued but not yet used for credit purposes. The article explains that so-called businesses, generally under the guise of a credit repair organization, sell these numbers by calling them credit privacy numbers (CPNs). They make false claims about your “right” to use a number other than your SSN when applying for credit. There are even how-to videos on the web touting the use of these numbers to obtain a “fresh start” for your credit – a way to hide your current bad credit rating and start anew. The problem with this is, <a href="http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre23.shtm" target="_blank">according to the FTC</a>, it’s completely illegal.</p>
<p><strong>This is not a new scam</strong>. However, it has historically involved these “businesses” instructing individuals to obtain Employee Identification Numbers (EINs) through the IRS. What seems to be new is the identity theft twist, which involves using an actual SSN that has already been distributed to someone else.</p>
<p>Because these numbers—being referred to as CPNs at this point&#8211; are relatively new SSNs with no associated credit file, they typically belong to children under the age of 18. What makes them a particularly attractive target is the fact that parents obtain SSNs for their children shortly after birth but the number goes unused for credit purposes for at least 18 years.  If a person uses a CPN that is actually someone else’s SSN, have they committed identity theft? That could be up for debate, as <a href="http://epic.org/privacy/flores-figueroa/8th_Cir.pdf" target="_blank">a recent U.S. Supreme Court case</a> on an illegal immigration issue suggests it is not identity theft unless the person knowingly uses another’s SSN. Regardless of the legality, these actions will, in any event, create a credit history and quite possibly a slew of debts to be addressed by the authentic SSN owner-victim once the activity is discovered. In part two, we’ll discuss what can be done to help these individuals.</p>
<p>by <a href="http://www.krollfraudsolutionsblog.com/charlotte-rose/" target="_self">Charlotte Rose</a><br />
CIPP  Senior Investigator, Kroll Fraud Solutions</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2010/08/cpns-the-old-scam-with-a-new-twist-may-become-easier-to-combat-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Blumenthal delivers a wake-up call this month – HITECH enforcement shaping up to be quite demanding</title>
		<link>http://www.krollfraudsolutionsblog.com/2010/07/blumenthal-delivers-a-wake-up-call-this-month-%e2%80%93-hitech-enforcement-shaping-up-to-be-quite-demanding/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2010/07/blumenthal-delivers-a-wake-up-call-this-month-%e2%80%93-hitech-enforcement-shaping-up-to-be-quite-demanding/#comments</comments>
		<pubDate>Thu, 22 Jul 2010 20:13:37 +0000</pubDate>
		<dc:creator>krolladmin</dc:creator>
				<category><![CDATA[Data Security Industry]]></category>
		<category><![CDATA[Attorney General Richard Blumenthal]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Health Net]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[patient data]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[PII]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=392</guid>
		<description><![CDATA[This month, Connecticut Attorney General Richard Blumenthal announced that his office reached a settlement with health insurance company Health Net over their breach of sensitive patient data. The agreement resolves allegations that Health Net violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as state privacy protections. The Health Net breach [...]]]></description>
			<content:encoded><![CDATA[<p>This month, Connecticut Attorney General Richard Blumenthal <a href="http://www.ct.gov/ag/cwp/view.asp?A=2341&amp;Q=462754" target="_blank">announced</a> that his office reached a settlement with health insurance company Health Net over their breach of sensitive patient data. The agreement resolves allegations that Health Net violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as state privacy protections. The Health Net breach dates back to May 2009, when the company lost a disk drive with PII and PHI for some 2 million patients. The company took more than what Blumenthal considered a reasonable amount of time to report the missing disk and notify affected individuals. Blumenthal alleged that the company delayed and otherwise failed to properly inform the state governing authorities.</p>
<p>This suit is significant for several reasons – for one, it marks the first suit brought by a state AG for violations of HIPAA after the Health Information Technology for Economic and Clinical Health Act (HITECH) gave AGs the authority to do so. Second, the settlement includes a $250,000 payment to the state, which happens to be the maximum penalty that state AGs can impose, and Health Net has agreed to an additional $500,000 payment if the missing drive was accessed and the information used improperly. Blumenthal said he felt the settlement “sends a strong message” about the “profound responsibilities to protect medical and financial records.”</p>
<p>If the Health Net suit doesn’t serve as a wake-up call that regulatory agencies mean business, then perhaps the <a href="http://www.hhs.gov/news/press/2010pres/07/20100708c.html" target="_blank">latest notice</a> of proposed rulemaking from HHS will – it is a modification to the Privacy, Security and Enforcement rules that extends the applicability of certain requirements to Business Associates. The proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions, establish new limitations on PHI use and disclosure, prohibit the sale of PHI, and expand the individual’s right to access and control his or her own information.</p>
<p>Additionally, the HHS Office of Civil Rights has updated its <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html" target="_blank">breach notification webpage</a> to a new, more accessible format that allows users to search and sort the reported breaches. The format includes brief summaries of breach cases that OCR has investigated and closed, as well as the names of private practice providers who have reported breaches of unsecured PHI to the Secretary.</p>
<p>Is your head spinning? Could the requirements be any tougher? And yet, some privacy and security experts would argue they aren’t enough, because we are playing catch up in a world where risks to PII and PHI far outstrip our security efforts. We’d love to hear your opinion – are the new enforcements a bitter pill or well-deserved medicine?</p>
<p>By <a href="http://www.krollfraudsolutionsblog.com/melissa-sandefur/">Melissa Sandefur</a><strong><br />
</strong>Research Analyst, Kroll Fraud Solutions</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2010/07/blumenthal-delivers-a-wake-up-call-this-month-%e2%80%93-hitech-enforcement-shaping-up-to-be-quite-demanding/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Life and Times of Medical Records</title>
		<link>http://www.krollfraudsolutionsblog.com/2010/07/the-life-and-times-of-medical-records/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2010/07/the-life-and-times-of-medical-records/#comments</comments>
		<pubDate>Wed, 14 Jul 2010 20:00:48 +0000</pubDate>
		<dc:creator>Melanie Gnass</dc:creator>
				<category><![CDATA[Data Security Industry]]></category>
		<category><![CDATA[Data Security Issues]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[ARRA]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[electronic health records]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[medical record]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=389</guid>
		<description><![CDATA[In the late 1960s, Dr. Lawrence L. Weed developed the Problem Oriented Medical Record (POMR). His vision was to have electronic medical records with standardized progress charts for all patients.
Fast forward 30 years, and you would be hard pressed to find a medical group or health care system that used Electronic Health Records (EHRs) to [...]]]></description>
			<content:encoded><![CDATA[<p>In the late 1960s, Dr. Lawrence L. Weed developed the <a href="http://www.pkc.com/our_history.aspx">Problem Oriented Medical Record</a> (POMR). His vision was to have electronic medical records with standardized progress charts for all patients.</p>
<p>Fast forward 30 years, and you would be hard pressed to find a medical group or health care system that used Electronic Health Records (EHRs) to exchange patient data with one another. Most medical records were still in the form of physical documents, stored in a file folder and shared between a few key members in the medical facility.</p>
<p>In today’s digital age, there has been an ever-increasing movement toward the use of EHRs by healthcare systems in the United States. This is due in part to the American Recovery and Reinvestment Act (ARRA) of 2009, which calls for a Nationwide Health Information Network (NHIN), wherein all medical records will be in EHR format, conforming to a nationally recognized standard. The proposed deadline for this transition is 2014.</p>
<p>Many privacy and security experts tend to think that the 2014 deadline for adoption of EHRs could pose significant security risks. Healthcare facilities that rush to meet HITECH’s meaningful use requirements for incentive payments could overlook critical security flaws, leaving systems open to threats. Others, like <a href="http://patientprivacyrights.org/wp-content/uploads/2010/04/Sweeney-CongressTestimony-4-22-10.pdf">Latanya Sweeney, PhD</a>, believe new kinds of harm can result from the design of the NHIN. Among other things, Sweeney mentions de-duplication and identity, testing and liability, mechanisms for corrections, and data segmentation as just a few examples from the “large array of trust issues any NHIN design must address to be widely accepted.”</p>
<p>Proponents believe the system’s design is secure. Newly proposed privacy rules were <a href="http://www.hhs.gov/news/press/2010pres/07/20100708c.html">announced</a> on July 8, 2010 by the Department of Health and Human Services (HHS), as well as the launch of the new <a href="http://www.hhs.gov/healthprivacy/index.html">Health Privacy Website</a>.</p>
<p>The HHS news release quotes Georgina Verdugo, the Director of the Office for Civil Rights at HHS: “The benefits of health IT can only be fully realized if patients and providers are confident that electronic health information is kept private and secure at all times. This proposed rule strengthens the privacy and security of health information, and is an integral piece of the administration’s efforts to broaden the use of health information technology in health care today.”</p>
<p>Do you think current safeguards and new rules aimed at strengthening the privacy and security of health information are enough? Do the potential risks outlined by Dr. Sweeney outweigh the rewards?</p>
<p>by <a href="http://www.krollfraudsolutionsblog.com/ryan-abbott/">Ryan Abbott<br />
</a>Operations Analyst, Kroll Fraud Solutions</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2010/07/the-life-and-times-of-medical-records/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Meaningful Use, Privacy and Security in EHR Systems: What Does the Future Hold?</title>
		<link>http://www.krollfraudsolutionsblog.com/2010/07/meaningful-use-privacy-and-security-in-ehr-systems-what-does-the-future-hold/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2010/07/meaningful-use-privacy-and-security-in-ehr-systems-what-does-the-future-hold/#comments</comments>
		<pubDate>Wed, 07 Jul 2010 20:36:54 +0000</pubDate>
		<dc:creator>Melanie Gnass</dc:creator>
				<category><![CDATA[Data Security Issues]]></category>
		<category><![CDATA[Data Security Planning]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[breach notification]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[EHR]]></category>
		<category><![CDATA[Health Information Technology]]></category>
		<category><![CDATA[HHS]]></category>
		<category><![CDATA[HITECH Act]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=382</guid>
		<description><![CDATA[In June, the Office of the National Coordinator for Health Information Technology (ONC) issued its final rule to establish a temporary certification program for Electronic Health Record (EHR) Technology. This marks an important step towards allowing healthcare facilities to meet and achieve meaningful use, a requirement to qualify for incentive payments under Medicare and Medicaid. [...]]]></description>
			<content:encoded><![CDATA[<p>In June, the Office of the National Coordinator for Health Information Technology (ONC) <a href="http://www.hhs.gov/news/press/2010pres/06/20100618d.html">issued</a> its final rule to establish a temporary certification program for Electronic Health Record (EHR) Technology. This marks an important step towards allowing healthcare facilities to meet and achieve meaningful use, a requirement to qualify for incentive payments under Medicare and Medicaid. Yet, even with this new development, lingering security questions still plague the process, making the transition to an interoperable EHR system seem even further away and harder to achieve.</p>
<p>Not only will offices, hospitals and other organizations have the same risks associated with access and transmission that have always existed for electronic data, but these risks will also increase in magnitude as access from locations outside the organization’s control becomes easier. Further, employees within the healthcare system will have to be trained extensively to recognize the risks associated with this new level of interoperability.</p>
<p>Medicare incentives begin to phase out in 2014, followed by reductions in payments by 2015 if requirements are not met. Will most facilities make it in time? By some accounts, there is still quite a journey ahead – according to <a href="http://healthit.hhs.gov">HHS&#8217; Health Information Technology website</a>, the preliminary estimates from the <em>2009 National Ambulatory Medical Care Survey</em> indicate that 43.9 percent of physician respondents reported all or partial EMR/EHR systems (not including systems solely for billing) in office-based practices. Of those, about 20.5 percent have met the government criteria of a basic system, with a mere 6.3 percent reporting a fully functional system.</p>
<p>It’s a lot to consider, especially if your organization isn’t counted among that 43.9 percent. But for those that have yet to implement an interoperable system, you won’t exactly have to start from ground zero – the guidance that is slowly emerging from HHS and other government entities will be a helpful starting point. Additionally, there has never been a better time to consider patient data security and privacy, particularly in light of the new breach notification requirements under HITECH. Make this a part of your transition so that you don’t carry any bad security habits with you as you migrate to the digital world.</p>
<p>What do you see as the top privacy and security considerations when transitioning to EHRs? What are the biggest challenges an organization faces?</p>
<p>by <a href="http://www.krollfraudsolutionsblog.com/brian-lapidus/">Brian Lapidus</a><br />
COO, Kroll Fraud Solutions</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2010/07/meaningful-use-privacy-and-security-in-ehr-systems-what-does-the-future-hold/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>How To Have a Successful Breach Response Under HITECH</title>
		<link>http://www.krollfraudsolutionsblog.com/2010/06/how-to-have-a-successful-breach-response-under-hitech/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2010/06/how-to-have-a-successful-breach-response-under-hitech/#comments</comments>
		<pubDate>Wed, 30 Jun 2010 20:15:49 +0000</pubDate>
		<dc:creator>Melanie Gnass</dc:creator>
				<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security Issues]]></category>
		<category><![CDATA[Data Security Planning]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[call center]]></category>
		<category><![CDATA[federal laws]]></category>
		<category><![CDATA[healthcare legislation]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=377</guid>
		<description><![CDATA[If your healthcare facility were to have a data breach tomorrow, how would you go about notifying affected individuals? More importantly, how would you do it in a way that satisfies the HITECH requirements?
The answer isn’t easy. Even without HITECH, notification and subsequent response can take an alarming toll on the finances and resources of [...]]]></description>
			<content:encoded><![CDATA[<p>If your healthcare facility were to have a data breach tomorrow, how would you go about notifying affected individuals? More importantly, how would you do it in a way that satisfies the <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html">HITECH requirements</a>?</p>
<p>The answer isn’t easy. Even without HITECH, notification and subsequent response can take an alarming toll on the finances and resources of an organization.</p>
<p>A classic example is the <a href="http://judiciary.senate.gov/hearings/hearing.cfm?id=2582">testimony</a> of James Davis, CIO at the University of California, to the Senate Subcommittee on Terrorism and Homeland Security in 2007. Davis offers, in painstaking detail, the logistics surrounding call center operations for a large data breach. According to Davis, once the institution had an idea of how many calls to expect, “making arrangements to outsource call center operations was not just on the critical path to notification, but became the critical path: we had never had to do this before, and finding a suitable call center vendor and completing a contract on an expedited basis became mission critical.”</p>
<p>Once individual letters go out, the ability to quickly and accurately respond <em>is</em> mission critical, no question. That need is only magnified when the organization must provide substitute notification either through its website or a major media outlet, complete with a toll-free telephone number as required by HITECH [§ 164.404(d)(2)(ii)]. The expectation here is that the call center will experience higher volumes than it would with individual notifications, because concerned former patients or customers will call whether their information was included or not.</p>
<p>This means that at the outset of notification, the organization must answer some very tough questions – what percentage of individuals reached by the notification will actually call? How will the call center distinguish between affected and non-affected individuals? How big will the call center staff need to be? Will they be trained to handle identity theft or fraud related issues?</p>
<p>Davis also noted in his testimony that not only was the response greater than their original estimates, but a full third of all calls came in the first couple of days, “likely due to email notices and media outreach,” so the ability to scale is crucial, too.</p>
<p>The bottom line: this is about more than just compliance with a federal regulation. When a breach occurs, customers expect information provided in a timely manner and they expect someone to be there to answer their questions and, hopefully, provide solutions. <em>Is your organization up to the task?</em></p>
<p>Click <a href="http://www.krollfraudsolutions.com/Resources/Digital-Media-and-Tools/Podcasts/HITECH-Hotline.aspx">here</a> to view our video showing how Kroll’s HITECH Hotline can help meet breach notification requirements.</p>
<p>by <a href="../../../../../brian-lapidus/">Brian Lapidus</a><br />
COO, Kroll Fraud Solutions</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2010/06/how-to-have-a-successful-breach-response-under-hitech/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network Users Make the Difference in Data Security</title>
		<link>http://www.krollfraudsolutionsblog.com/2010/06/network-users-make-the-difference-in-data-security/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2010/06/network-users-make-the-difference-in-data-security/#comments</comments>
		<pubDate>Fri, 25 Jun 2010 20:58:42 +0000</pubDate>
		<dc:creator>Melanie Gnass</dc:creator>
				<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security Issues]]></category>
		<category><![CDATA[Data Security Planning]]></category>
		<category><![CDATA[Data Security Resources]]></category>
		<category><![CDATA[best practices]]></category>
		<category><![CDATA[computers]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[data security tips]]></category>
		<category><![CDATA[employee education]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[threats]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=372</guid>
		<description><![CDATA[A data breach can occur many ways. Even a data “warehouser,” who has implemented a policy to minimize data collection and retention while making necessary data accessible in a secure environment, may still be subject to a data breach. A data breach may still occur by accident or through malice even when a well written [...]]]></description>
			<content:encoded><![CDATA[<p>A data breach can occur in many ways. Even a data “warehouser,” who has implemented a policy to minimize data collection and retention while making necessary data accessible in a secure environment, may still be subject to a data breach. A data breach may still occur by accident or through malice even when well-written policies and procedures are adhered to seriously by computer users. Data is only as safe as the trustworthiness and reliability of the organization’s users.</p>
<p>Computers and flash drives are lost and stolen every day. Understanding where data is stored on networks and workstations, if and when it is protected by encryption, and the rules for its transmission will not only help the administrator or responsible party enforce data security policy and procedure, but will also help identify whether or not PII may have been stored on a device which was lost or stolen. An organization which has implemented thorough data transmission monitoring, logging and blocking, but has not educated the users about basic computer safety best practices, is not effectively protected. Even when users adopt safety procedures and take them seriously, a determined rogue insider can bypass the policy and procedure, rendering all the best proactive efforts futile.</p>
<p>In March, we posted “<a title="Permanent Link to Motivate Your Employees to Become Data Privacy Advocates" href="http://www.krollfraudsolutionsblog.com/2010/03/motivate-your-employees-to-become-data-privacy-advocates/">Motivate Your Employees to Become Data Privacy Advocates</a>.” This post discussed engaging the data users of your organization to be active participants in the data security process and to make data loss prevention an active part of the corporate culture.</p>
<p>Faceless organizations merely store information. However, a “custodian” of data, like a neighborhood librarian, stores it and protects it. An example of this approach is to empower the data owner or user with the responsibility to assign any particular document, spreadsheet, or database a security level and determine its access level. The employees’ supervisors can provide the oversight of this process without jeopardizing the culture of responsibility.</p>
<p>Consumers who provide an organization access to their PII should expect nothing less from the user than a sincere effort to protect the keys to their identity.</p>
<ul>
<li><em>How do your organization’s efforts measure up?</em></li>
<li><em>Have you deployed network safety systems, but haven’t included education for employees? </em></li>
<li><em>How have you addressed the different paths followed by inside versus outside threats?</em> </li>
</ul>
<p>Scenarios measuring the threat posed by accidental and intentional loss must also be evaluated.</p>
<p>By <a href="http://www.krollfraudsolutionsblog.com/ross-e-peiser-%E2%80%93-senior-investigator/" target="_self">Ross Peiser</a><br />
Senior Investigator, Kroll Fraud Solutions</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2010/06/network-users-make-the-difference-in-data-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>When It Comes to Privacy and Protecting Personal Data, the “Generation Gap” is Surprising</title>
		<link>http://www.krollfraudsolutionsblog.com/2010/06/when-it-comes-to-privacy-and-protecting-personal-data-the-%e2%80%9cgeneration-gap%e2%80%9d-is-surprising/</link>
		<comments>http://www.krollfraudsolutionsblog.com/2010/06/when-it-comes-to-privacy-and-protecting-personal-data-the-%e2%80%9cgeneration-gap%e2%80%9d-is-surprising/#comments</comments>
		<pubDate>Fri, 11 Jun 2010 19:03:10 +0000</pubDate>
		<dc:creator>Melanie Gnass</dc:creator>
				<category><![CDATA[Consumer ID Security]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[consumer tips]]></category>
		<category><![CDATA[cyberbullying]]></category>
		<category><![CDATA[data security tips]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[licensed investigators]]></category>
		<category><![CDATA[online]]></category>
		<category><![CDATA[online predators]]></category>
		<category><![CDATA[social networking vulnerability]]></category>
		<category><![CDATA[young adults]]></category>

		<guid isPermaLink="false">http://www.krollfraudsolutionsblog.com/?p=365</guid>
		<description><![CDATA[Young adults often make poor choices when it comes to social networking; so, many people argue that the younger generation simply doesn’t care about their own privacy. However, a recent survey refutes that argument – entitled How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies?, it reveals [...]]]></description>
			<content:encoded><![CDATA[<p>Young adults often make poor choices when it comes to social networking; so, many people argue that the younger generation simply doesn’t care about their own privacy. However, a recent survey refutes that argument – entitled <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1589864">How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies?</a>, it reveals little evidence that young adults&#8217; attitudes toward privacy are fundamentally different from those of older adults. What the data did show, however, was that a higher proportion of 18-24 year olds believe (incorrectly) that information privacy laws protect their data both online and offline than do other age groups. </p>
<p>Furthermore, the authors point to additional <a href="http://cyber.law.harvard.edu/pubrelease/isttf/">research</a> that shows educational efforts tend to focus on threats like online predators or cyberbullying, with little emphasis on information security.  Such efforts are important, but not enough. Kroll’s Licensed Investigators frequently talk to high school students about identity theft and credit awareness topics, so we are very aware that a lack of education may be putting many more young adults at risk than just those who may experience cyberbullying. Identity thieves are getting smarter and can make a lot of money off a little information.</p>
<p>All users of social networking sites must understand the environment in which they are playing. These are <em>networking</em> sites and are not private by design. Everyone with an account on a social networking site should thoroughly review the settings affecting the information they post. <strong>Do not act on the assumption that the site is <em>not</em> sharing your information.</strong> Assume that all of your data is visible to everyone, and adjust the settings available.</p>
<p>After reviewing a recent <a href="http://epic.org/privacy/inrefacebook/EPIC-FacebookComplaint.pdf">complaint</a> filed with the FTC against Facebook, I decided to check my own account privacy settings. As a Research Analyst, I’m embarrassed to admit that it took the better part of the evening to read and understand exactly <em>what </em>could be seen, as well as <em>which </em>application was sending (and selling) my information <em>where</em>. I finally gave up and decided that no one needed to know my <em>hometown, current city, address, email, phone number, family members’ names, relationship status and name of significant other, full name, date of birth, current and past employer, education history,</em> and <em>when I would be visiting my friends in another state</em> (deep breath).</p>
<p>If my mom can piece together what I’m really up to from a social media profile that I <em>thought</em> was private, imagine what an identity thief can do with that stuff! Personally, I would rather restore my dignity with my mom over a long, painful lunch than have to restore my identity.</p>
<p>By <a href="http://www.krollfraudsolutionsblog.com/melissa-sandefur/">Melissa Sandefur</a><strong><br />
</strong>Research Analyst, Kroll Fraud Solutions</p>
]]></content:encoded>
			<wfw:commentRss>http://www.krollfraudsolutionsblog.com/2010/06/when-it-comes-to-privacy-and-protecting-personal-data-the-%e2%80%9cgeneration-gap%e2%80%9d-is-surprising/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
