Kroll Fraud Solutions Blog – A Dialogue on Data Security

On July 12, the Federal Trade Commission and the Office for Victims of Crime (DOJ Office of Justice Programs) will hold a one-day forum entitled Stolen Futures: A Forum on Child ID Theft. This forum will explore child identity theft from all different aspects, including identity theft within foster care situations and within families.

So what does this have to do with businesses? Isn’t this largely a consumer issue? The FTC says no: according to the Bureau of Consumer Protection Business Center blog, “leaders in the business community play an important role in raising awareness about this issue … any form of identity theft – but especially ID theft involving kids – can have serious economic consequences to companies. Because children can’t legally enter into contracts or incur debt, businesses often wind up taking the loss.”

In our last post, we discussed the data breach threat that vendor employees, contract workers and temporary personnel can pose to your organization. We also examined a couple of initial steps your organization can take, by creating an extended workforce background screening program, to address this issue. There are some additional actions you can execute to help deliver a successful screening program for vendor, temporary and contractor populations.

1. Dispel common fears.

2. Identify the program owner.

3. Define your policy.

It’s an unfortunate reality that many data breaches are caused by malicious insiders. A robust background screening program for your own employees is a critical component to better managing this dangerous risk to your organization. Insider threats can, however, come from sources other than your own employees – consider the vendor personnel and temporary workers who have access to your facilities, data and assets.

According to the 2010 HireRight Employment Screening Benchmarking Report, only about 35 percent of organizations perform background checks on these individuals, representing a critical security risk.

Last week, the Department of Health and Human Services Office of the Inspector General (OIG) released to the public two reports, the Audit of Information Technology Security Included in Health Information Technology Standards, and the Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight. Both reports contain some rather eye-opening revelations about IT security controls in hospitals across the US, as well as the regulations that govern them.

Performing information security due diligence with third party vendors can be an all-too-vital component to ensuring that the information shared by your company is kept secure. But what is unfortunately the case, at times, is that due diligence efforts amount to little more than a good-faith exercise, meant to limit legal liabilities in the event that data is lost.

Certainly limiting liability is an important objective, but it will not necessarily do much of anything to truly lower the risk of loss. Once a potential third party vendor has cleared the initial due diligence hurdle and is awarded the bid, expectations must be clearly defined, and followed with action. Here are a few more items organizations should consider during this process: