E-MAIL THIS 
PRINT THIS |
Fighting identity theft, data security breaches and fraud takes
vigilance, tools and a healthy, suspicious nature
 |
Industry experts (l to r) Steve Keen (ChoicePoint),
Joe Osbourne (Anthem Blue Cross & Blue Shield) and Kirk
Herath (Nationwide), comprise the Exchange ID theft panel
segment. |
Closely related to the issue of privacy is that of identity theft,
a crime that is international in scope and growing by leaps and
bounds every day. No organization or individual is immune from
the threat. And considering the potential costs and impacts on
an organization’s good name associated with having to disclose
a breach of data security, whether unwitting or due to criminal
acts, all organization would be well advised to make sure their
data security houses are in order.
Given the risks faced by all organizations in an environment in
which identity theft is epidemic, the issue was a key topic during
the 2005 Nashville Exchange. A panel consisting of Steve Keen,
assistant vice president, Consumer Disclosure, ChoicePoint, Kirk
Herath, associate general counsel and chief privacy officer, Nationwide,
and Joe Osbourne, senior financial investigator, Anthem Blue Cross
Blue Shield, explored the subject from a variety of angles. Colleen
Kelly Laich, customer relations officer, Nationwide, moderated
the panel and guided the discussion.
 |
Steve Keen, assistant vice president,
Consumer Disclosure, ChoicePoint, says, “We’re
committed to doing all that we can to make sure that ChoicePoint
is ensuring complete protection of our data against unauthorized
access and the potential for identity theft.” |
Choicepoint’s Keen knows only too well what a breach can
mean to a responsible and respected company. Within the past year,
ChoicePoint has had to make public disclosures about security breaches
it has suffered due to criminal acts, in this case someone impersonating
an authorized broker. He shared the firm’s experience during
a panel on identity theft.
“Many of you know ChoicePoint mainly due to our insurance
industry products,” Keen said. “However, ChoicePoint
also serves key segments of employment background screening, tenant
screening and has a large involvement in public records database.
We cover a much broader spectrum than just insurance.”
Tracking security breaches yields huge stats
Having been once stung, ChoicePoint now tracks identity theft
data on a nationwide basis through its Internet infrastructure.
Keen noted that during the past year there have been 110 events
striking a variety of organizations and industries across the United
States. Those events resulted in the disclosure of consumer information
affecting more than 56 million records.
“And you need to keep in mind that these are just the ‘disclosed’ events,” Keen
remarked. “Who knows how many more there may have been?”
Keen noted that ChoicePoint’s contributions to these data
breaches have led to a variety of changes that have strengthened
the organization’s data security.
“We went through a process of introspection,” he said. “We
have reviewed all of our policies and have dedicated significant
resources to credentialing not only customers and employees, but
also vendors, even including our cleaning and maintenance vendors.”
Keen noted that ChoicePoint has also become much more active in
the public education arena and external arena, going out to customer
forums and speaking engagements to help people understand what
ChoicePoint does and why data security is so important in the prevention
of identity theft.
Keen reported that ChoicePoint has implemented a number of other
best practices, including cutting-edge technical solutions, that
will help make sure that individuals asking for access to ChoicePoint
are indeed who they say they are.
“Within the framework of technology solutions, we addressed
the issue of security related to password resets,” he said. “We
have now implemented a biometric solution that requires people
to read a brief script to gain a voice print so that they can get
a password reset. We have also instituted a strict U.S. Internet
policy, which recognizes that a lot of fraud comes from overseas.
Now, you have to be situated within U.S. borders to be provided
access.
“We are also engaged in a lot more internal and external server scans,” Keen
said. “We are using more encryption of data products and file transfers.
Finally, we are more tightly controlling data contributions that come to us
via tape or magnetic cartridges. In an environment that still has a lot of
legacy systems, we still get data on tapes. However, we take steps to destroy
the data on those tapes before we return them.”
Keen noted that ChoicePoint has also partnered with the Identity
Theft Resource Center (www.idtheftcenter.org/index.shtml), a website
that contains much helpful information about identity theft and
what individuals can do to prevent it. ChoicePoint has also created
its own privacy issues website.
“We’re committed to doing all that we can to
make sure that ChoicePoint is ensuring complete protection of our
data against unauthorized access and the potential for identity
theft,” Keen said.
 |
“If someone doesn’t need it,
don’t provide it. I don’t want to say don’t
trust anybody … but you can’t trust anybody,” says
Kirk Herath, associate general counsel and chief privacy
officer, Nationwide. |
Data breaches can bring ‘extreme liabilities’
Nationwide’s Herath commented that he often feels like an
internal cop … not that it’s a bad thing in this environment.
According to Herath, the growing trend toward government and regulators
criminalizing security breaches, especially in the HIPAA area,
and the extreme liability around every piece of data, where it
resides and who has access to it has not really sunk in across
the minds of many corporate board members.
“Identity theft is extremely complicated and, at the end
of the day, no matter how many millions you spend on the problem,
every one of your associates is a potential point of failure, either
through stupidity, as a result of being ill-informed or due to
criminal intent,” Herath said.
Herath noted that there are extreme liabilities associated with
the handling of data that no data-intensive organization can afford
to ignore.
“There are now 21 states that have very specific laws requiring
breach notification,” he said. “It is also pretty clear
that attorneys general, whether or not they have a formal breach
notification law, will try to get you under their unfair and deceptive
trade practices acts.
Herath listed a number of the consequences of security breaches:
- Fines, possibly running into the millions.
- Interruptions of normal business activities as you spend time
trying to respond to the breach.
- Enforcement actions by regulators who may not believe your
business activities were up to par.
- Brand damage, an unquantifiable but ever-present danger.
- The impact of breach notifications on customer commitment and
subsequent loss of customers.
- The cost of notification requirements, which can be much more
than the cost of stamps and letters and envelopes … adding
up to millions of dollars even on an average breach.
“We do background checks, pervasive monitoring, pervasive
shredding,” Herath said. “We destroy all hard drives
when they are retired. We use encryption where it is useful to
our business and we have a very good internal investigation process.”
Noting that internal threats – even the handling of office
trash – are the ways that breaches most often occur today,
Herath recommended strict rules on who gets access to data.
“If someone doesn’t need it, don’t provide it,” he
said. “I don’t want to say don’t trust anybody … but
you can’t trust anybody.”
 |
Joe Osbourne, senior financial investigator,
Anthem Blue Cross Blue Shield, shares, “In my experience,
about 10 percent of all employees in a particular group are
honest, 10 percent are dishonest and the other 80 percent,
given motive and opportunity, can find themselves involved
in some type of improper activity.” |
Fighting fraud at the street level
The panel discussion moved from an assistant general counsel who
feels like a cop to a senior special investigator who basically
functions as a cop, earning him commendations by the U.S. Department
of Justice and the Inspector General of the U.S. Department of
Defense for his contributions to fraud busting.
As a senior financial investigator for Anthem, Osbourne knows
the kinds of scams that people try to pull, because he’s
broken more than a few of them.
“I’m one of the people where the rubber meets the
road,” he said. “Special investigators are the ones
who do much of the work finding the people committing fraud and
identity theft today.”
The range of abuses Osbourne has seen is broad indeed, including
healthcare provider theft or fraud, broker fraud, and even employee
misconduct.
“We have 4500 employees in Virginia, which keeps us busy,” he
said. “In my experience, about 10 percent of all employees
in a particular group are honest, 10 percent are dishonest and
the other 80 percent, given motive and opportunity, can find themselves
involved in some type of improper activity. Then you have
policyholders involved in fraud, typically simple in nature, such
as false claims, enrollment fraud, doctor shopping or drug diversion.”
Osbourne outlined several categories of identity theft:
- Use of a stolen or lost insurance card
This is a simple case in which someone gets a card and pretends
to be someone else.
“We had a case of a woman in Norfolk, Va., who stole her
sister’s card because she didn’t have health coverage
for an injury to her hand,” Osbourne said. “When her
sister went to the hospital a couple of days later, the provider
discovered that she was already admitted in another hospital. That’s
a clue…”
This would be a case where, for example, a custodial parent is
given a card by an ex-spouse, only to end up using the card for
his or her other children and spouse.
The result of collusion between a policyholder and a friend or
family member.
Improper use of Social Security Numbers and names of legitimate
individuals. In other words, identity theft.
“The amount of creativity and energy devoted to these schemes
is something to see,” Osbourne commented. “I doubt
that we’ve seen it all.”
And given the constantly escalating trend toward more identity
theft and fraud, now aided and abetted by the speed and power of
the Internet, it is a very good bet that company information security
people and special investigators will have plenty to keep them
busy in the years ahead.
 |
Colleen Kelly Laich, customer relations
officer, Nationwide, moderates the Nashville Exchange ID
theft panel segment. |
CONTACT INFO
Kirk Herath
Nationwide
614.249.4420
Email: herathk@nationwide.com
www.nationwide.com
Steve Keen
ChoicePoint
678.893.9250
Email: steve.keen@choicepoint.com
www.choicepoint.com
Joe Osbourne
Anthem Blue Cross and Blue Shield
804.354.2361
Email: joe.osbourne@anthem.com
www.anthem.com
Colleen Kelly Laich
Nationwide
614.249.6408
Email: laichc@nationwide.com
www.nationwide.com
|
